Src |
Date (GMT) |
Title |
Description |
Tags |
Stories |
Notes |
 |
2024-12-16 12:50:03 |
Weekly OSINT Highlights, 16 December 2024 (direct link) |
## Snapshot
Last week's OSINT reporting highlighted a diverse range of cyber threats, emphasizing sophisticated malware, targeted attacks, and global threat actor activities. Credential theft and data exfiltration emerged as prominent attack types, as seen in campaigns like Bizfum Stealer and Meeten malware targeting cryptocurrency users. Phishing remained a key attack vector, deployed in operations like UAC-0185's MeshAgent campaign against Ukraine and APT-C-60's SpyGlace backdoor targeting Japan. Nation-state actors dominated the landscape, including North Korea's UNC4736 exploiting DeFi systems and China's espionage on critical industries, while hacktivists like Holy League targeted France amid geopolitical unrest. The attacks primarily focused on sensitive targets such as critical infrastructure, financial systems, and government entities, underscoring the rising risks to global cybersecurity.
## Description
1. [Bizfum Stealer:](https://sip.security.microsoft.com/intel-explorer/articles/b522b6ae) CYFIRMA researchers discovered "Bizfum Stealer," an advanced information-stealing malware designed to exfiltrate credentials, cookies, and sensitive files from infected systems. Targeting popular browsers and leveraging platforms like GoFile and Telegram, it employs sophisticated techniques for stealth, encryption, and evasion.
1. [IOCONTROL Malware:](https://sip.security.microsoft.com/intel-explorer/articles/5fa3e494) Team82 identified IOCONTROL, a modular malware linked to Iran's IRGC-CEC, targeting IoT and OT devices to disrupt fuel systems in the U.S. and Israel. The malware uses advanced techniques, including DNS-over-HTTPS and AES-256-CBC encryption, to evade detection while compromising critical infrastructure.
1. [Kimsuky's Million OK Campaign:](https://sip.security.microsoft.com/intel-explorer/articles/d1e1ee65) Hunt researchers uncovered infrastructure tied to North Korea's APT group Kimsuky, which employed domains mimicking South Korea's Naver platform to steal credentials. The campaign's infrastructure used distinctive HTTP responses, shared server configurations, and phishing techniques to target South Korean users.
1. [UNC4736 Cryptocurrency Heist](https://sip.security.microsoft.com/intel-explorer/articles/3a647a38): Mandiant attributed the $50 million cryptocurrency theft from Radiant Capital to North Korea's UNC4736. The attackers used malware to compromise trusted developers, executing unauthorized transactions that exploited DeFi multi-signature processes while bypassing robust security measures.
1. [PUMAKIT Malware Report](https://sip.security.microsoft.com/intel-explorer/articles/a16902ac): Elastic Security Labs detailed PUMAKIT, a modular Linux malware employing fileless execution, kernel rootkits, and syscall hooking for stealth and persistence. Its sophisticated architecture allows it to manipulate system behaviors, evade detection, and target older kernel versions with privilege escalation capabilities.
1. [Android Banking Trojan in India](https://sip.security.microsoft.com/intel-explorer/articles/5ff566b7): McAfee researchers uncovered a trojan targeting Indian Android users, masquerading as utility apps and stealing financial data via malicious APKs distributed on platforms like WhatsApp. The malware exfiltrates data using Supabase and employs stealth tactics, compromising over 400 devices and intercepting thousands of SMS messages.
1. [DarkGate Malware via Teams Call](https://sip.security.microsoft.com/intel-explorer/articles/5cac0381): Trend Micro identified an attack leveraging Microsoft Teams to distribute DarkGate malware through social engineering and remote desktop applications. The attacker used vishing to gain trust and access, deploying malware with persistence and evasion techniques before being intercepted.
1. [Socks5Systemz Botnet Resurgence](https://sip.security.microsoft.com/intel-explorer/articles/15cfbc2f): Bitsight TRACE uncovered the long-standing Socks5Systemz botnet, which peaked at 250,000 compr |
Ransomware
Malware
Tool
Vulnerability
Threat
Legislation
Mobile
Industrial
Prediction
Cloud
|
APT C 60
|
★★
|
 |
2024-12-12 20:10:48 |
Attack Exploiting Legitimate Service by APT-C-60 (direct link) |
#### Targeted Geolocations
- Japan
## Snapshot
The JPCERT Coordination Center (JPCERT/CC) released a report detailing an attack by APT-C-60 against an organization in Japan during August 2024.
## Description
The attacker used a phishing email disguised as a job application to lure the victim into downloading malware via a Google Drive link. The malicious file, a VHDX virtual disk image, contained LNK files and decoy documents. Upon execution, the LNK file triggered a series of actions, including creating a downloader, SecureBootUEFI.dat, which was made persistent through COM hijacking.
SecureBootUEFI.dat communicated with the legitimate services Bitbucket and StatCounter, using the latter to identify infected devices by encoding unique device information into StatCounter's referrer data. The downloader then fetched an additional payload, Service.dat, which in turn retrieved and decoded further malware components, cn.dat and sp.dat, and stored them on the system.
The backdoor used in the attack, dubbed SpyGlace by ESET, is a well-documented tool with advanced functionality, including encrypted communication and modular execution. The backdoor has been observed in attacks attributed to APT-C-60, notably in similar campaigns reported between August and September 2024 targeting East Asian countries.
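The persistence step above (a downloader with a non-DLL name registered as a COM server in the user hive) is a pattern that can be hunted for generically. The following is an added example for this page, not JPCERT/CC, ESET or Microsoft code: it parses a `.reg` export of the `Software\Classes\CLSID` keys (as produced by `reg export` or pulled from a triage image) and flags per-user `InprocServer32`/`LocalServer32` registrations that shadow a machine-wide CLSID, point outside System32 or Program Files, or load a file with a non-code extension. The GUIDs, the user path and the embedded export are constructed for illustration; only the file name SecureBootUEFI.dat comes from the report.

```python
"""Hunt for COM hijacking persistence in a .reg export (added example)."""
import re
from dataclasses import dataclass

# Constructed sample export: two machine-wide CLSIDs, one of which is shadowed
# in HKCU by an entry loading a .dat file from the user profile, plus one
# benign per-user registration. GUIDs and paths are placeholders.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Windows\\System32\\shell32.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}\InprocServer32]
@=hex(2):43,00,3a,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,5c,00,53,00,\
  79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,70,00,72,00,6f,00,70,00,73,00,\
  79,00,73,00,2e,00,64,00,6c,00,6c,00,00,00

[HKEY_CURRENT_USER\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Users\\alice\\AppData\\Roaming\\SecureBootUEFI.dat"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{99999999-8888-7777-6666-555555555555}\InprocServer32]
@="C:\\Program Files\\Vendor\\vendor.dll"
"""

# Only native-hive CLSID server keys are considered; HKCR (a merged view) and
# WOW6432Node are deliberately ignored to avoid double counting.
SERVER_KEY_RE = re.compile(
    r"^(HKEY_LOCAL_MACHINE|HKEY_CURRENT_USER|HKEY_USERS\\[^\\]+)\\"
    r"Software\\Classes\\CLSID\\(\{[0-9A-Fa-f-]{36}\})\\(InprocServer32|LocalServer32)$",
    re.IGNORECASE,
)
TRUSTED_PREFIXES = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                    "c:\\program files\\", "c:\\program files (x86)\\")
ENV_VARS = (("%systemroot%", "c:\\windows"), ("%windir%", "c:\\windows"),
            ("%programfiles%", "c:\\program files"))


def _logical_lines(text):
    """Join .reg continuation lines (trailing backslash) into one logical line."""
    pending = ""
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.endswith("\\"):
            pending += stripped[:-1]
            continue
        yield pending + stripped
        pending = ""


def _decode_value(raw):
    """Decode a REG_SZ ("...") or REG_EXPAND_SZ (hex(2):...) default value."""
    raw = raw.strip()
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    m = re.fullmatch(r"hex\(2\):([0-9a-fA-F,]*)", raw)
    if m:
        data = bytes(int(b, 16) for b in m.group(1).split(",") if b)
        return data.decode("utf-16-le").rstrip("\x00")
    return raw


def parse_com_servers(reg_text):
    """Return {(hive, clsid, server_type): server_value} for every CLSID
    InprocServer32/LocalServer32 key in the export that has a default value."""
    servers, current = {}, None
    for line in _logical_lines(reg_text):
        if line.startswith("[") and line.endswith("]"):
            m = SERVER_KEY_RE.match(line[1:-1])
            current = (m.group(1).upper(), m.group(2).upper(), m.group(3)) if m else None
        elif current and line.startswith("@="):
            servers[current] = _decode_value(line[2:])
    return servers


def _server_path(value):
    """Lower-case the server path, strip LocalServer32 arguments after a quoted
    executable, and expand the common environment variables."""
    v = value.strip()
    if v.startswith('"') and v.find('"', 1) > 0:
        v = v[1:v.find('"', 1)]
    low = v.lower()
    for var, expansion in ENV_VARS:
        low = low.replace(var, expansion)
    return low


@dataclass
class Finding:
    hive: str
    clsid: str
    server_type: str
    server: str
    reasons: list


def find_com_hijacks(servers):
    """Flag user-hive COM servers that look hijacked. A user-hive entry under
    Program Files with a .dll is normal for per-user installs and is not flagged."""
    machine = {(clsid, stype): path for (hive, clsid, stype), path in servers.items()
               if hive == "HKEY_LOCAL_MACHINE"}
    findings = []
    for (hive, clsid, stype), server in servers.items():
        if hive == "HKEY_LOCAL_MACHINE":
            continue
        low, reasons = _server_path(server), []
        shadowed = machine.get((clsid, stype))
        if shadowed and _server_path(shadowed) != low:
            reasons.append(f"shadows machine-wide server {shadowed}")
        if not low.startswith(TRUSTED_PREFIXES):
            reasons.append("server outside System32/Program Files")
        if not low.endswith((".dll", ".exe", ".ocx")):
            reasons.append("server has a non-code extension")
        if reasons:
            findings.append(Finding(hive, clsid, stype, server, reasons))
    return findings


if __name__ == "__main__":
    for f in find_com_hijacks(parse_com_servers(SAMPLE_REG_EXPORT)):
        print(f"{f.hive} {f.clsid}\\{f.server_type} -> {f.server}: {'; '.join(f.reasons)}")
```

Run it against a real export with `parse_com_servers(open("clsid.reg", encoding="utf-16").read())`; `reg export` writes UTF-16 by default. Treat each finding as a lead, not a verdict: confirm the hijacked CLSID is one that a commonly running process actually instantiates, and check whether the on-disk file is a PE despite its extension.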
## Microsoft Analysis and Additional OSINT Context
[APT-C-60](https://malpedia.caad.fkie.fraunhofer.de/actor/apt-c-60) is a South Korea-linked cyberespionage group that focuses its targeting on East Asian countries and has been active since at least December 2021. In August, [ESET researchers observed](https://www.eset.com/int/about/newsroom/press-releases/research/eset-research-spy-group-exploits-wps-office-zero-day-analysis-uncovers-a-second-vulnerability/) the group exploiting a remote code execution (RCE) vulnerability in WPS Office for Windows ([CVE-2024-7262](https://security.microsoft.com/intel-explorer/cves/CVE-2024-7262/)) to deploy its custom backdoor, SpyGlace, against users in East Asia. Previously, [the group was observed](https://threatbook.io/blog/Military-Topics-in-Focus:-APT-C-60-Threat-Continues-to-be-Exposed) using military-themed lures in phishing campaigns to gain access to victim environments.
## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/en-us/defender-endpoint/linux-preferences) in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown threats.
- Run [EDR in block mode](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode?view=o365-worldwide?ocid=magicti_ta_learndoc) so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.
- Allow [investigation and remediation](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/automated-investigations?view=o365-worldwide?ocid=magicti_ta_learndoc) in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.
- [Enable](https://learn.microsoft.com/en-us/defender-endpoint/enable-controlled-folders) controlled folder access.
- Ensure that [tamper protection](https://learn.microsoft.com/en-us/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection#how-do-i-configure-or-manage-tamper-protection) is enabled in Microsoft Defender for Endpoint.
- Enable [network protection](https://learn.microsoft.com/en-us/defender-endpoint/enable-network-protection) in Microsoft Defender for Endpoint.
- Follow the credential h |
Malware
Tool
Vulnerability
Threat
|
APT C 60
|
★★★
|