Src |
Date (GMT) |
Title |
Description |
Tags |
Stories |
Notes |
 |
2024-09-06 22:15:34 |
(Déjà vu) BlindEagle Targets Colombian Insurance Sector with BlotchyQuasar (direct link) |
#### Targeted Geolocations
- Colombia
## Snapshot
In June 2024, Zscaler ThreatLabz detected new malicious activities by BlindEagle, an advanced persistent threat (APT) group also known as AguilaCiega, APT-C-36, and APT-Q-98.
## Description
This group primarily targets government and financial organizations in South America, especially in Colombia and Ecuador, using phishing emails as their main attack vector. Recent attacks focused on employees within the Colombian insurance sector, using emails impersonating the Colombian National Tax and Customs Authority (DIAN) to trick recipients into downloading a malicious ZIP archive containing the BlotchyQuasar Remote Access Trojan (RAT). This RAT, a variant of the well-known QuasarRAT, is heavily obfuscated to evade detection.
BlindEagle's phishing emails lead victims to a Google Drive folder controlled through a compromised account belonging to a Colombian government entity. The emails create urgency by claiming that a seizure order has been issued for unpaid taxes. Once the victim downloads and opens the ZIP file, BlotchyQuasar executes and gives the attacker control of the system. The malware is designed to steal payment-related data, monitor interactions with banking services, log keystrokes, and extract information from browsers and FTP clients.
For command and control (C2), BlotchyQuasar first fetches its encrypted C2 server details from Pastebin rather than carrying them hard-coded, so the operators can rotate servers without rebuilding the implant. The C2 domains typically use Dynamic DNS services and resolve to compromised VPN nodes or routers in Colombia, consistent with BlindEagle's established tactics. Zscaler attributed the campaign to BlindEagle based on the DIAN-themed phishing lures, the customized malware variants, and infrastructure patterns that match previously documented BlindEagle operations. BlindEagle continues to rely on obfuscation to conceal its infrastructure and evade detection, indicating that the group is likely to keep launching targeted attacks in the region.
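The C2 bootstrap described above (fetch a Pastebin paste, then beacon to a Dynamic DNS domain) is a hunting opportunity in web proxy logs: either step alone is noisy, but the two in sequence from one host within a short window is unusual. The following is an added example of that correlation, not code from Zscaler or from the report; the log format, hostnames, paste IDs, domains and the Dynamic DNS suffix list are all constructed or assumed for illustration and are not indicators from the campaign.

```python
"""Correlate raw-Pastebin fetches with follow-on Dynamic DNS connections
per source host. Added example; all data below is constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: illustrative Dynamic DNS provider suffixes. Tune to your
# environment; this list is not taken from the report.
DDNS_SUFFIXES = (
    ".duckdns.org", ".no-ip.org", ".no-ip.biz", ".ddns.net",
    ".hopto.org", ".zapto.org", ".dynu.com", ".freedynamicdns.net",
)

# Raw paste retrieval, i.e. the dead-drop fetch (not normal browsing of pastebin.com).
PASTEBIN_RAW = re.compile(r"^https?://pastebin\.com/raw/", re.I)

# Constructed proxy log lines: "<ISO timestamp> <src_host> <method> <url>".
# The paste IDs and domains are placeholders, not real indicators.
SAMPLE_LOGS = """\
2024-06-12T14:02:11Z WS-FIN-07 GET https://pastebin.com/raw/EXAMPLE1
2024-06-12T14:02:19Z WS-FIN-07 GET https://update-svc.duckdns.org:4782/
2024-06-12T14:05:00Z WS-HR-02 GET https://pastebin.com/raw/EXAMPLE2
2024-06-12T15:40:00Z WS-HR-02 GET https://www.example.com/news
2024-06-12T16:00:00Z WS-IT-01 GET https://host01.ddns.net/status
2024-06-12T09:00:00Z WS-IT-03 GET https://pastebin.com/raw/EXAMPLE3
2024-06-12T09:25:00Z WS-IT-03 GET https://stage.hopto.org/beacon
"""

LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def parse(lines):
    """Yield (timestamp, source_host, url); silently skip malformed lines."""
    for raw in lines.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m.group(2), m.group(4)


def hostname(url):
    """Extract the lower-cased host part of a URL, dropping any port."""
    return url.split("//", 1)[-1].split("/", 1)[0].split(":", 1)[0].lower()


def is_ddns(url):
    return hostname(url).endswith(DDNS_SUFFIXES)


def find_dead_drop_sequences(logs, window_minutes=10):
    """Return sorted (host, paste_url, ddns_host) tuples for every host that
    fetched a raw paste and then contacted a Dynamic DNS domain within the
    window. Hosts that do only one of the two steps are not reported."""
    window = timedelta(minutes=window_minutes)
    events = defaultdict(list)
    for ts, host, url in parse(logs):
        events[host].append((ts, url))
    hits = []
    for host, evs in events.items():
        evs.sort()  # timestamps may arrive out of order across hosts
        for i, (t0, url0) in enumerate(evs):
            if not PASTEBIN_RAW.match(url0):
                continue
            for t1, url1 in evs[i + 1:]:
                if t1 - t0 > window:
                    break
                if is_ddns(url1):
                    hits.append((host, url0, hostname(url1)))
                    break
    return sorted(hits)


if __name__ == "__main__":
    for hit in find_dead_drop_sequences(SAMPLE_LOGS):
        print("suspect dead-drop C2 bootstrap:", hit)
```

With the constructed logs, only WS-FIN-07 is reported at the default 10-minute window; WS-IT-03 shows the same sequence 25 minutes apart and is only caught with `window_minutes=30`, which is the trade-off to make deliberately: a wide window catches implants that sleep before their first beacon, a narrow one keeps developer traffic to Pastebin out of the alert queue. Hosts that only touch Dynamic DNS (WS-IT-01) or only fetch a paste (WS-HR-02) are ignored by design, since each step on its own is common in most environments.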
## Additional Analysis
BlindEagle is a financially motivated threat actor active since at least 2018. The group has been observed targeting organizations in South America, primarily in Colombia and Ecuador. However, in February 2024, [eSentire attributed BlindEagle](https://www.esentire.com/blog/blind-eagles-north-american-journey) to a campaign targeting Spanish-speaking users in the manufacturing industry in North America.
BlindEagle typically leverages phishing emails that distribute RATs. In attacks, the group has employed a variety of publicly available RATs including njRAT, ProyectoRAT, WarzoneRAT, AsyncRAT, LimeRAT, RemcosRAT, QuasarRAT, and BitRAT.
## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/en-us/defender-endpoint/linux-preferences) in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown threats.
- Run [EDR in block mode](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode?view=o365-worldwide?ocid=magicti_ta_learndoc) so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.
- Allow [investigation and remediation](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/automated-investigations?view=o365-worldwide?ocid=magicti_ta_learndoc) in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.
- [Enable](https://learn.microsoft.com/en-us/defender-endpoint/enable |
Ransomware
Spam
Malware
Tool
Threat
Prediction
|
APT-C-36
|
★★
|
 |
2023-01-10 16:30:00 |
Anomali Cyber Watch: Turla Re-Registered Andromeda Domains, SpyNote Is More Popular after the Source Code Publication, Typosquatted Site Used to Leak Company's Data (direct link) |
The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Artificial intelligence, Expired C2 domains, Data leak, Mobile, Phishing, Ransomware, and Typosquatting. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
OPWNAI : Cybercriminals Starting to Use ChatGPT
(published: January 6, 2023)
Check Point researchers have detected multiple underground forum threads outlining experimenting with and abusing ChatGPT (Generative Pre-trained Transformer), the revolutionary artificial intelligence (AI) chatbot tool capable of generating creative responses in a conversational manner. Several actors have built schemes to produce AI outputs (graphic art, books) and sell them as their own. Other actors experiment with instructions to write an AI-generated malicious code while avoiding ChatGPT guardrails that should prevent such abuse. Two actors shared samples allegedly created using ChatGPT: a basic Python-based stealer, a Java downloader that stealthily runs payloads using PowerShell, and a cryptographic tool.
Analyst Comment: ChatGPT and similar tools can be of great help to humans creating art, writing texts, and programming. At the same time, they can be dangerous tools that enable even low-skill threat actors to create convincing social-engineering lures and even new malware.
MITRE ATT&CK: [MITRE ATT&CK] T1566 - Phishing | [MITRE ATT&CK] T1059.001: PowerShell | [MITRE ATT&CK] T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | [MITRE ATT&CK] T1560 - Archive Collected Data | [MITRE ATT&CK] T1005: Data from Local System
Tags: ChatGPT, Artificial intelligence, OpenAI, Phishing, Programming, Fraud, Chatbot, Python, Java, Cryptography, FTP
Turla: A Galaxy of Opportunity
(published: January 5, 2023)
The Russia-sponsored group Turla re-registered expired C2 domains of the old Andromeda malware in order to select a Ukrainian target from among Andromeda's existing victims. An Andromeda sample known since 2013 had infected the Ukrainian organization in December 2021 via a user-activated LNK file on an infected USB drive. Turla re-registered the Andromeda C2 domain in January 2022, profiled and selected a single victim, and pushed its own payloads in September 2022. First, the Kopiluwak profiling tool was downloaded for system reconnaissance; two days later, the Quietcanary backdoor was deployed to find and exfiltrate files created in 2021-2022.
Analyst Comment: Advanced groups often use commodity malware to blend their traffic with that of less sophisticated threats. Turla’s tactic of re-registering old but still-active C2 domains gives the group a way in to the pool of existing victims. Organizations should be vigilant about all kinds of existing infections and clean them up, even those assessed as “less dangerous.” All known network and host-based indicators and hunting rules associated |
Ransomware
Malware
Tool
Threat
|
ChatGPT
APT-C-36
|
★★
|
|