This is the RSS 2.0 feed from www.secnews.physaphae.fr. IT's a simple agragated flow of multiple articles soruces. Liste of sources, can be found on www.secnews.physaphae.fr. 2025-05-11T21:28:21+00:00 www.secnews.physaphae.fr AhnLab - Korean Security Firm Pupy est une souche malveillante de rat qui offre un soutien à la plate-forme croisée.Parce qu'il s'agit d'un programme open-source publié sur GitHub, il est continuellement utilisé par divers acteurs de menace, y compris des groupes APT.Par exemple, il est connu pour avoir été utilisé par APT35 (qui aurait des liens avec l'Iran) [1] et a également été utilisé dans l'opération Earth Berberoka [2] qui ciblait les sites de jeux en ligne.Récemment, une souche de logiciels malveillante nommée Disy Dog a été découverte, qui est une version mise à jour de Pupy Rat ....

---

Pupy is a RAT malware strain that offers cross-platform support. Because it is an open-source program published on GitHub, it is continuously being used by various threat actors including APT groups. For example, it is known to have been used by APT35 (said to have ties to Iran) [1] and was also used in Operation Earth Berberoka [2] which targeted online gambling websites. Recently, a malware strain named Decoy Dog was discovered, which is an updated version of Pupy RAT.... ]]> 2024-04-18T07:46:32+00:00 https://asec.ahnlab.com/en/64258/ www.secnews.physaphae.fr/article.php?IdArticle=8484600 False Malware,Threat APT 35 2.0000000000000000 ProofPoint - Cyber Firms 2024-04-16T06:00:54+00:00 https://www.proofpoint.com/us/blog/threat-insight/social-engineering-dmarc-abuse-ta427s-art-information-gathering www.secnews.physaphae.fr/article.php?IdArticle=8483299 False Malware,Tool,Threat,Conference APT 37,APT 43 2.0000000000000000 The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) The notorious North Korean state-backed hacking group Lazarus uploaded four packages to the Python Package Index (PyPI) repository with the goal of infecting developer systems with malware. The packages, now taken down, are pycryptoenv, pycryptoconf, quasarlib, and swapmempool. They have been collectively downloaded 3,269 times, with pycryptoconf accounting for the most]]> 2024-02-29T13:47:00+00:00 https://thehackernews.com/2024/02/lazarus-exploits-typos-to-sneak-pypi.html www.secnews.physaphae.fr/article.php?IdArticle=8456854 False Malware APT 38 4.0000000000000000 Bleeping Computer - Magazine Américain Japan\'s Computer Security Incident Response Team (JPCERT/CC) is warning that the notorious North Korean hacking group Lazarus has uploaded four malicious PyPI packages to infect developers with malware. [...]]]> 2024-02-28T10:04:50+00:00 https://www.bleepingcomputer.com/news/security/japan-warns-of-malicious-pypi-packages-created-by-north-korean-hackers/ www.secnews.physaphae.fr/article.php?IdArticle=8456467 False Malware APT 38 2.0000000000000000 Bleeping Computer - Magazine Américain Microsoft says the APT33 Iranian cyber-espionage group is using recently discovered FalseFont backdoor malware to attack defense contractors worldwide. [...]]]> 2023-12-21T15:28:06+00:00 https://www.bleepingcomputer.com/news/security/microsoft-hackers-target-defense-firms-with-new-falsefont-malware/ www.secnews.physaphae.fr/article.php?IdArticle=8426986 False Malware APT33,APT 33 3.0000000000000000 The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) The Iranian state-sponsored threat actor known as OilRig deployed three different downloader malware throughout 2022 to maintain persistent access to victim organizations located in Israel. The three new downloaders have been named ODAgent, OilCheck, and OilBooster by Slovak cybersecurity company ESET. The attacks also involved the use of an updated version of a known OilRig downloader]]> 2023-12-14T18:00:00+00:00 https://thehackernews.com/2023/12/iranian-state-sponsored-oilrig-group.html www.secnews.physaphae.fr/article.php?IdArticle=8422615 False Malware,Threat APT 34 2.0000000000000000 Recorded Future - FLux Recorded Future Un groupe de cyber-espionnage lié au gouvernement iranien a développé plusieurs nouveaux téléchargeurs de logiciels malveillants au cours des deux dernières années et les a récemment utilisés pour cibler des organisations en Israël.Des chercheurs de la société Slovaquie ESET attribué Les téléchargeurs nouvellement découverts au groupe iranien de menace persistant avancé Oilrig, également connu sous le nom d'APT34.Selon les rapports précédents

---

A cyber-espionage group linked to the Iranian government developed several new malware downloaders over the past two years and has recently been using them to target organizations in Israel. Researchers at the Slovakia-based company ESET attributed the newly discovered downloaders to the Iranian advanced persistent threat group OilRig, also known as APT34. Previous reports said]]> 2023-12-14T16:30:00+00:00 https://therecord.media/oilrig-apt34-iran-linked-hackers-new-downloaders-israel www.secnews.physaphae.fr/article.php?IdArticle=8422737 False Malware,Threat APT 34 2.0000000000000000 RiskIQ - cyber risk firms (now microsoft) #### Description Cisco Talos has discovered a new campaign conducted by the Lazarus Group, called "Operation Blacksmith," which employs at least three new DLang-based malware families, two of which are remote access trojans (RATs), where one of these uses Telegram bots and channels as a medium of command and control (C2) communications. The RATs are named "NineRAT" and "DLRAT," and the downloader is called "BottomLoader." The campaign consists of continued opportunistic targeting of enterprises globally that publicly host and expose their vulnerable infrastructure to n-day vulnerability exploitation such as CVE-2021-44228 (Log4j). Lazarus has targeted manufacturing, agricultural, and physical security companies. The malware is written in DLang, indicating a definitive shift in TTPs from APT groups falling under the Lazarus umbrella with the increased adoption of malware being authored using non-traditional frameworks such as the Qt framework, including MagicRAT and QuiteRAT. #### Reference URL(s) 1. https://blog.talosintelligence.com/lazarus_new_rats_dlang_and_telegram/ #### Publication Date December 11, 2023 #### Author(s) Jungsoo An ]]> 2023-12-13T19:34:57+00:00 https://community.riskiq.com/article/04580784 www.secnews.physaphae.fr/article.php?IdArticle=8422247 False Malware,Vulnerability APT 38 3.0000000000000000 IndustrialCyber - cyber risk firms for industrial Cisco Talos discovered a new campaign conducted by the Lazarus Group that it has codenamed \'Operation Blacksmith,\' employing... ]]> 2023-12-12T09:32:48+00:00 https://industrialcyber.co/threats-attacks/cisco-reveals-operation-blacksmith-as-lazarus-targets-organizations-with-new-telegram-based-malware-in-dlang/ www.secnews.physaphae.fr/article.php?IdArticle=8421437 False Malware APT 38 3.0000000000000000 Recorded Future - FLux Recorded Future Les pirates connectés à Groupe de Lazarus de la Corée du Nord ont exploité le Vulnérabilité LOG4J Dans une campagne d'attaques ciblant les entreprises dans les secteurs de la fabrication, de l'agriculture et de la sécurité physique.Connu sous le nom de «Faire du forgeron de l'opération», la campagne a vu les pirates de Lazarus utiliser au moins trois nouvelles familles de logiciels malveillants, selon des chercheurs de Cisco Talos qui ont nommé l'un des

---

Hackers connected to North Korea\'s Lazarus Group have been exploiting the Log4j vulnerability in a campaign of attacks targeting companies in the manufacturing, agriculture and physical security sectors. Known as “Operation Blacksmith,” the campaign saw Lazarus hackers use at least three new malware families, according to researchers at Cisco Talos who named one of the]]> 2023-12-11T20:30:00+00:00 https://therecord.media/north-korean-hackers-using-log www.secnews.physaphae.fr/article.php?IdArticle=8421198 False Malware,Vulnerability APT 38 2.0000000000000000 The Register - Site journalistique Anglais 2023-12-11T18:08:15+00:00 https://go.theregister.com/feed/www.theregister.com/2023/12/11/lazarus_group_edang/ www.secnews.physaphae.fr/article.php?IdArticle=8421157 False Malware APT 38 2.0000000000000000 Bleeping Computer - Magazine Américain The notorious North Korean hacking group known as Lazarus continues to exploit CVE-2021-44228, aka "Log4Shell," this time to deploy three previously unseen malware families written in DLang. [...]]]> 2023-12-11T16:25:32+00:00 https://www.bleepingcomputer.com/news/security/lazarus-hackers-drop-new-rat-malware-using-2-year-old-log4j-bug/ www.secnews.physaphae.fr/article.php?IdArticle=8421215 False Malware,Threat APT 38 2.0000000000000000 Dark Reading - Informationweek Branch The infamous vulnerability may be on the older side at this point, but North Korea\'s primo APT Lazarus is creating new, unique malware around it at a remarkable clip.]]> 2023-12-11T16:15:00+00:00 https://www.darkreading.com/threat-intelligence/lazarus-group-still-juicing-log4shell-rats-written-d www.secnews.physaphae.fr/article.php?IdArticle=8421118 False Malware,Vulnerability APT 38 2.0000000000000000 Dark Reading - Informationweek Branch Lazarus and its cohorts are switching loaders and other code between RustBucket and KandyKorn macOS malware to fool victims and researchers.]]> 2023-11-28T17:30:00+00:00 https://www.darkreading.com/threat-intelligence/north-korean-apts-mix-and-match-malware-components-to-evade-detection www.secnews.physaphae.fr/article.php?IdArticle=8417572 False Malware APT 38,APT 38 2.0000000000000000 Bleeping Computer - Magazine Américain Microsoft says a North Korean hacking group has breached Taiwanese multimedia software company CyberLink and trojanized one of its installers to push malware in a supply chain attack targeting potential victims worldwide. [...]]]> 2023-11-22T13:06:25+00:00 https://www.bleepingcomputer.com/news/security/microsoft-lazarus-hackers-breach-cyberlink-in-supply-chain-attack/ www.secnews.physaphae.fr/article.php?IdArticle=8416021 False Malware APT 38,APT 38 3.0000000000000000 AhnLab - Korean Security Firm L'équipe d'analyse ASEC a identifié les circonstances du groupe Andariel distribuant des logiciels malveillants via une attaque en utilisant une certaine gestion des actifsprogramme.Le groupe Andariel est connu pour être dans une relation coopérative avec ou une organisation filiale du groupe Lazare.Le groupe Andariel lance généralement des attaques de phishing de lance, d'arrosage ou de chaîne d'approvisionnement pour la pénétration initiale.Il existe également un cas où le groupe a exploité une solution de gestion centrale pendant le processus d'installation de logiciels malveillants.Récemment, le groupe Andariel ...

---

The ASEC analysis team identified the circumstances of the Andariel group distributing malware via an attack using a certain asset management program. The Andariel group is known to be in a cooperative relationship with or a subsidiary organization of the Lazarus group. The Andariel group usually launches spear phishing, watering hole, or supply chain attacks for initial penetration. There is also a case where the group exploited a central management solution during the malware installation process. Recently, the Andariel group... ]]> 2023-11-20T06:31:18+00:00 https://asec.ahnlab.com/en/59073/ www.secnews.physaphae.fr/article.php?IdArticle=8414705 False Malware,Technical APT 38,APT 38 3.0000000000000000 HackRead - Chercher Cyber Par waqas Bluenoroff est un sous-groupe du plus grand groupe soutenu par l'État nord-coréen appelé Lazarus. Ceci est un article de HackRead.com Lire le post original: Bluenoroff APT lié à Lazare ciblant les macOS avec des logiciels malveillants objcshellz

---

>By Waqas BlueNoroff is a subgroup of the larger North Korean state-backed group called Lazarus. This is a post from HackRead.com Read the original post: Lazarus-Linked BlueNoroff APT Targeting macOS with ObjCShellz Malware]]> 2023-11-08T10:34:54+00:00 https://www.hackread.com/lazarus-bluenoroff-apt-macos-objcshellz-malware/ www.secnews.physaphae.fr/article.php?IdArticle=8407874 False Malware APT 38,APT 38 2.0000000000000000 HackRead - Chercher Cyber Par deeba ahmed Un autre jour, une autre opération de logiciels malveillants par le tristement célèbre groupe de Lazare ciblant les ingénieurs de la blockchain et les utilisateurs de crypto. Ceci est un article de HackRead.com Lire le post original: Lazarus groupe LazarusUtilise des logiciels malveillants de Kandykorn MacOS pour le vol cryptographique

---

>By Deeba Ahmed Another day, another malware operation by the infamous Lazarus group targeting blockchain engineers and crypto users. This is a post from HackRead.com Read the original post: Lazarus Group uses KandyKorn macOS malware for crypto theft]]> 2023-11-03T20:01:17+00:00 https://www.hackread.com/lazarus-kandykorn-macos-malware-crypto/ www.secnews.physaphae.fr/article.php?IdArticle=8405492 False Malware APT 38,APT 38 3.0000000000000000 Dark Reading - Informationweek Branch Posing as fellow engineers, the North Korean state-sponsored cybercrime group Lazarus tricked crypto-exchange developers into downloading the hard-to-detect malware.]]> 2023-11-03T18:55:00+00:00 https://www.darkreading.com/endpoint/kandykorn-macos-malware-lures-crypto-engineers www.secnews.physaphae.fr/article.php?IdArticle=8405460 False Malware APT 38,APT 38 2.0000000000000000 SecurityWeek - Security News Security researchers uncover new macOS and Windows malware associated with the North Korea-linked Lazarus Group. ]]> 2023-11-03T14:10:49+00:00 https://www.securityweek.com/north-korean-hackers-use-new-kandykorn-macos-malware-in-attacks/ www.secnews.physaphae.fr/article.php?IdArticle=8405892 False Malware APT 38,APT 38 2.0000000000000000 Bleeping Computer - Magazine Américain A new macOS malware dubbed \'KandyKorn\' has been spotted in a campaign attributed to the North Korean Lazarus hacking group, targeting blockchain engineers of a cryptocurrency exchange platform. [...]]]> 2023-11-02T15:22:01+00:00 https://www.bleepingcomputer.com/news/security/new-macos-kandykorn-malware-targets-cryptocurrency-engineers/ www.secnews.physaphae.fr/article.php?IdArticle=8404890 False Malware APT 38,APT 38 3.0000000000000000 Dark Reading - Informationweek Branch The government-backed APT\'s new malware framework represents a step up in Iran\'s cyber sophistication.]]> 2023-11-02T14:46:00+00:00 https://www.darkreading.com/dr-global/-scarred-manticore-unleashes-most-advanced-iranian-espionage www.secnews.physaphae.fr/article.php?IdArticle=8404734 False Malware APT 34 3.0000000000000000 Recorded Future - FLux Recorded Future Les pirates liés à la Corée du Nord ciblent les ingénieurs de blockchain \\ 'Apple avec de nouveaux logiciels malveillants avancés, ont révélé des chercheurs.Les tactiques et les techniques utilisées dans la campagne chevauchent l'activité du groupe de pirates nord-coréen parrainé par l'État Lazarus, comme l'a rapporté la société de cybersécurité Elastic Security Labs.L'objectif probable des pirates est de voler la crypto-monnaie comme

---

Hackers linked to North Korea are targeting blockchain engineers\' Apple devices with new, advanced malware, researchers have found. The tactics and techniques used in the campaign overlap with the activity of the North Korean state-sponsored hacker group Lazarus, as reported by cybersecurity firm Elastic Security Labs. The hackers\' likely goal is to steal cryptocurrency as]]> 2023-11-02T12:47:00+00:00 https://therecord.media/blockchain-engineers-crypto-exchange-macos-malware-north-korea www.secnews.physaphae.fr/article.php?IdArticle=8404681 False Malware APT 38,APT 38 2.0000000000000000 The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) State-sponsored threat actors from the Democratic People\'s Republic of Korea (DPRK) have been found targeting blockchain engineers of an unnamed crypto exchange platform via Discord with a novel macOS malware dubbed KANDYKORN. Elastic Security Labs said the activity, traced back to April 2023, exhibits overlaps with the infamous adversarial collective Lazarus Group, citing an analysis of the]]> 2023-11-01T14:32:00+00:00 https://thehackernews.com/2023/11/north-korean-hackers-tageting-crypto.html www.secnews.physaphae.fr/article.php?IdArticle=8403987 False Malware,Threat APT 38,APT 38 2.0000000000000000 HackRead - Chercher Cyber deeba ahmed Les chercheurs pensent que l'objectif principal derrière cette campagne est l'espionnage. Ceci est un article de HackRead.com Lire le post original: L'Iran Manticore cicatriciel des Targets du Moyen-Orient avec des logiciels malveillants liontail

---

By Deeba Ahmed Researchers believe that the primary goal behind this campaign is espionage. This is a post from HackRead.com Read the original post: Iran’s Scarred Manticore Targets Middle East with LIONTAIL Malware]]> 2023-11-01T08:20:47+00:00 https://www.hackread.com/iran-scarred-manticore-middle-east-liontail-malware/ www.secnews.physaphae.fr/article.php?IdArticle=8403968 False Malware APT 34,APT 34 3.0000000000000000 RiskIQ - cyber risk firms (now microsoft) #### Description Check Point Research (CPR) is monitoring an ongoing Iranian espionage campaign by Scarred Manticore, an actor affiliated with the Ministry of Intelligence and Security (MOIS). The attacks rely on LIONTAIL, an advanced passive malware framework installed on Windows servers. For stealth purposes, LIONTIAL implants utilize direct calls to Windows HTTP stack driver HTTP.sys to load memory-residents payloads. The current campaign peaked in mid-2023, going under the radar for at least a year. The campaign targets high-profile organizations in the Middle East with a focus on government, military, and telecommunications sectors, in addition to IT service providers, financial organizations and NGOs. Scarred Manticore has been pursuing high-value targets for years, utilizing a variety of IIS-based backdoors to attack Windows servers. These include a variety of custom web shells, custom DLL backdoors, and driver-based implants. While the main motivation behind Scarred Manticore\'s operation is espionage, some of the tools described in this report have been associated with the MOIS-sponsored destructive attack against Albanian government infrastructure (referred to as DEV-0861). #### Reference URL(s) 1. https://research.checkpoint.com/2023/from-albania-to-the-middle-east-the-scarred-manticore-is-listening/ #### Publication Date October 31, 2023 #### Author(s) Check Point Research ]]> 2023-10-31T19:45:32+00:00 https://community.riskiq.com/article/b37061cc www.secnews.physaphae.fr/article.php?IdArticle=8403717 False Malware,Tool APT 34,APT 34 2.0000000000000000 InfoSecurity Mag - InfoSecurity Magazine Discovered by Check Point Research (CPR) and Sygnia, the campaign peaked in mid-2023]]> 2023-10-31T16:30:00+00:00 https://www.infosecurity-magazine.com/news/scarred-manticore-targets-middle/ www.secnews.physaphae.fr/article.php?IdArticle=8403582 False Malware APT 34 3.0000000000000000 Checkpoint - Fabricant Materiel Securite Faits saillants: 1. Intrudeurs silencieux: Manticore marqué, un groupe de cyber-menaces iranien lié à Mois (Ministère des renseignements & # 38; Security), gère tranquillement une opération d'espionnage sophistiquée furtive au Moyen-Orient.En utilisant leur dernier cadre d'outils de logiciels malveillants, Liontail, ils volent sous le radar depuis plus d'un an.2. Secteurs ciblés: La campagne se concentre sur les grands joueurs-gouvernement, militaire, télécommunications, informatique, finance et ONG au Moyen-Orient.Manticore marqué est une question de données systématiquement en train de saisir des données, montrant leur engagement envers les cibles de grande valeur.3. Évolution des tactiques: le livre de jeu de Manticore Scarre est passé des attaques de base de shell sur les serveurs Windows à [& # 8230;]

---

>Highlights: 1. Silent Intruders: Scarred Manticore, an Iranian cyber threat group linked to MOIS (Ministry of Intelligence & Security), is quietly running a stealthy sophisticated spying operation in the Middle East. Using their latest malware tools framework, LIONTAIL, they have been flying under the radar for over a year. 2. Targeted Sectors: The campaign focuses on big players-government, military, telecom, IT, finance, and NGOs in the Middle East. Scarred Manticore is all about systematically nabbing data, showing their commitment to high-value targets. 3. Evolution of Tactics: Scarred Manticore’s playbook has evolved from basic web shell attacks on Windows Servers to […] ]]> 2023-10-31T10:56:45+00:00 https://blog.checkpoint.com/security/unraveling-the-scarred-manticore-saga-a-riveting-epic-of-high-stakes-espionage-unfolding-in-the-heart-of-the-middle-east/ www.secnews.physaphae.fr/article.php?IdArticle=8403439 False Malware,Tool,Threat APT 34 2.0000000000000000 InfoSecurity Mag - InfoSecurity Magazine Kaspersky unveiled the cyber campaign at the Security Analyst Summit]]> 2023-10-30T17:00:00+00:00 https://www.infosecurity-magazine.com/news/lazarus-group-targets-legitimate/ www.secnews.physaphae.fr/article.php?IdArticle=8403072 False Malware APT 38 2.0000000000000000 The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) The North Korea-aligned Lazarus Group has been attributed as behind a new campaign in which an unnamed software vendor was compromised through the exploitation of known security flaws in another high-profile software. The attack sequences, according to Kaspersky, culminated in the deployment of malware families such as SIGNBT and LPEClient, a known hacking tool used by the threat actor for]]> 2023-10-27T20:27:00+00:00 https://thehackernews.com/2023/10/n-korean-lazarus-group-targets-software.html www.secnews.physaphae.fr/article.php?IdArticle=8401494 False Malware,Tool,Threat APT 38,APT 38 3.0000000000000000 Bleeping Computer - Magazine Américain The North Korean Lazarus hacking group repeatedly compromised a software vendor using flaws in vulnerable software despite multiple patches and warnings being made available by the developer. [...]]]> 2023-10-27T12:15:29+00:00 https://www.bleepingcomputer.com/news/security/lazarus-hackers-breached-dev-repeatedly-to-deploy-signbt-malware/ www.secnews.physaphae.fr/article.php?IdArticle=8401514 False Malware APT 38,APT 38 3.0000000000000000 Netskope - etskope est une société de logiciels américaine fournissant une plate-forme de sécurité informatique Résumé En octobre 2023, Netskope a analysé un document de mots malveillant et le malware qu'il contenait, surnommé «Menorah».Le malware a été attribué à un groupe de menaces persistant avancé APT34 et aurait été distribué par phisse de lance.Le fichier de bureau malveillant utilise le code VBA dispersé et obscurci pour échapper à la détection.Le groupe avancé des menaces persistantes cible [& # 8230;]

---

>Summary In October 2023, Netskope analyzed a malicious Word document and the  malware it contained, dubbed “Menorah.” The malware was attributed to an advanced persistent threat group APT34, and was reported to be distributed via spear-phishing. The malicious Office file uses dispersed and obfuscated VBA code to evade detection.  The advanced persistent threat group targets […] ]]> 2023-10-25T19:00:00+00:00 https://www.netskope.com/blog/netskope-threat-coverage-menorah www.secnews.physaphae.fr/article.php?IdArticle=8400546 False Malware,Threat APT 34 2.0000000000000000 The Register - Site journalistique Anglais LightningCan evades infosec tools in new and interesting ways The Lazarus Group, the cybercrime gang linked to the North Korean government, has been named as the perpetrator of an attack against a Spanish aerospace firm, using a dangerous new piece of malware.…]]> 2023-10-04T07:30:06+00:00 https://go.theregister.com/feed/www.theregister.com/2023/10/04/lazarus_group_lightlesscan_malware_upgrade/ www.secnews.physaphae.fr/article.php?IdArticle=8391313 False Malware,Tool APT 38 2.0000000000000000 Dark Reading - Informationweek Branch The Lazarus Group\'s "LightlessCan" malware executes multiple native Windows commands within the RAT itself, making detection significantly harder, security vendor says.]]> 2023-10-02T20:51:09+00:00 https://www.darkreading.com/cloud/north-korea-meta-complex-backdoor-aerospace www.secnews.physaphae.fr/article.php?IdArticle=8390638 False Malware APT 38 3.0000000000000000 Dark Reading - Informationweek Branch The Menorah malware can upload and download files, as well as execute shell commands.]]> 2023-10-02T17:19:00+00:00 https://www.darkreading.com/dr-global/iran-linked-apt34-spy-campaign-targets-saudis www.secnews.physaphae.fr/article.php?IdArticle=8390594 False Malware APT 34,APT 34 3.0000000000000000 CyberWarzone - Cyber News Introduction Ever wondered how a seemingly innocent LinkedIn message can turn into a cybersecurity nightmare? A Spanish aerospace company recently]]> 2023-10-01T22:55:22+00:00 https://cyberwarzone.com/lazarus-group-targets-spanish-aerospace-company-through-linkedin-unveiling-the-lightlesscan-malware/ www.secnews.physaphae.fr/article.php?IdArticle=8390245 False Malware APT 38 2.0000000000000000 The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) Sophisticated cyber actors backed by Iran known as OilRig have been linked to a spear-phishing campaign that infects victims with a new strain of malware called Menorah. "The malware was designed for cyberespionage, capable of identifying the machine, reading and uploading files from the machine, and downloading another file or malware," Trend Micro researchers Mohamed Fahmy and Mahmoud Zohdy]]> 2023-09-30T14:51:00+00:00 https://thehackernews.com/2023/09/iranian-apt-group-oilrig-using-new.html www.secnews.physaphae.fr/article.php?IdArticle=8389819 False Malware,Prediction APT 34 3.0000000000000000 Recorded Future - FLux Recorded Future Les pirates iraniens présumés ont récemment lancé une nouvelle opération de cyber-espionnage, infectant leurs victimes avec le malware Menorah nouvellement découvert, selon un rapport publié vendredi.Le groupe de piratage APT34, également connu sous le nom de Oilrig, Cobalt Gypsy, IRN2 et Helix Kitten, serait basé en Iran.Il cible les pays du Moyen-Orient depuis

---

Suspected Iranian hackers recently launched a new cyber espionage operation, infecting their victims with the newly discovered Menorah malware, according to a report published Friday. The hacking group APT34, also known as OilRig, Cobalt Gypsy, IRN2 and Helix Kitten, is believed to be based in Iran. It has been targeting Middle Eastern countries since at]]> 2023-09-29T18:15:00+00:00 https://therecord.media/alleged-iran-hackers-target-saudi-arabia-with-new-spy-malware www.secnews.physaphae.fr/article.php?IdArticle=8389606 False Malware APT 34 2.0000000000000000 Bleeping Computer - Magazine Américain The North Korean \'Lazarus\' hacking group targeted employees of an aerospace company located in Spain with fake job opportunities to hack into the corporate network using a previously unknown \'LightlessCan\' backdoor. [...]]]> 2023-09-29T05:30:00+00:00 https://www.bleepingcomputer.com/news/security/lazarus-hackers-breach-aerospace-firm-with-new-lightlesscan-malware/ www.secnews.physaphae.fr/article.php?IdArticle=8389428 False Malware,Hack APT 38 3.0000000000000000 TrendLabs Security - Editeur Antivirus We observed and tracked the advanced persistent threat (APT) APT34 group with a new malware variant accompanying a phishing attack comparatively similar to the SideTwist backdoor malware. Following the campaign, the group abused a fake license registration form of an African government agency to target a victim in Saudi Arabia.]]> 2023-09-29T00:00:00+00:00 https://www.trendmicro.com/en_us/research/23/i/apt34-deploys-phishing-attack-with-new-malware.html www.secnews.physaphae.fr/article.php?IdArticle=8389378 False Malware,Threat APT 34,APT 34 3.0000000000000000 Global Security Mag - Site de news francais Malwares]]> 2023-09-22T10:26:15+00:00 https://www.globalsecuritymag.fr/ESET-decouvre-que-le-groupe-OilRig-a-deploye-un-nouveau-malware-sur-des.html www.secnews.physaphae.fr/article.php?IdArticle=8386669 False Malware,Tool APT 34 3.0000000000000000 Techworm - News a écrit dans une analyse lundi. Selon les chercheurs, les APK malveillants ne sont pas distribués via Google Play Store d'Android, ce qui signifie que les victimes sont probablement socialement conçues pour télécharger et installer l'application à partir d'une source tierce. L'analyse des trois APK a révélé qu'elles contenaient le Caprarat Trojan et ont été téléchargées sur Virustotal en avril, juillet et août 2023. Deux des Caprarat APK ont été nommés \\ 'YouTube \', et l'un a été nommé \'Piya Sharma \', associée à un canal potentiellement utilisé pour les techniques d'ingénierie sociale basées sur la romance pour convaincre les cibles d'installer les applications. La liste des applications est la suivante: base.media.service moves.media.tubes videos.watchs.share Pendant l'installation, les applications demandent un certain nombre d'autorisations à risque, dont certaines pourraient initialement sembler inoffensives pour la victime pour une application de streaming médiatique comme YouTube et la traiter sans soupçon. L'interface des applications malveillantes tente d'imiter l'application YouTube réelle de Google, mais ressemble plus à un navigateur Web qu'à une application en raison de l'utilisation de WebView à partir de l'application Trojanisée pour charger le service.Ils manquaient également de certaines fonctionnalités et fonctions disponibles dans l'application Android YouTube native légitime. Une fois que Caprarat est installé sur le dispositif de victime, il peut effectuer diverses actions telles que l'enregistrement avec le microphone, les caméras avant et arrière, la collecte de SMS et les contenus de messages multimédias et les journaux d'appels, d'envoi de messages SMS, de blocage des SMS entrants, initier les appels téléphoniques, prendre des captures d'écran, des paramètres système primordiaux tels que GPS & AMP;Réseau et modification des fichiers sur le système de fichiers du téléphone \\ Selon Sentinelabs, les variantes de caprarat récentes trouvées au cours de la campagne actuelle indiquent un développement continu des logiciels malveillants par la tribu transparente. En ce qui concerne l'attribution, les adresses IP des serveurs de commande et de contrôle (C2) avec lesquels Caprarat communique sont codées en dur dans le fichier de configuration de l'application et ont été liés aux activités passées du groupe de piratage. Cependant, certaines adresses IP étaient liées à d'autres campagnes de rats, bien que la relation exacte entre ces acteurs de menace et la tribu transparente reste claire. ]]> 2023-09-19T17:06:25+00:00 https://www.techworm.net/2023/09/hacker-fake-youtube-apps-android.html www.secnews.physaphae.fr/article.php?IdArticle=8393055 False Malware,Tool,Threat APT 36 2.0000000000000000 The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) The suspected Pakistan-linked threat actor known as Transparent Tribe is using malicious Android apps mimicking YouTube to distribute the CapraRAT mobile remote access trojan (RAT), demonstrating the continued evolution of the activity. "CapraRAT is a highly invasive tool that gives the attacker control over much of the data on the Android devices that it infects," SentinelOne security]]> 2023-09-19T12:26:00+00:00 https://thehackernews.com/2023/09/transparent-tribe-uses-fake-youtube.html www.secnews.physaphae.fr/article.php?IdArticle=8385200 False Malware,Tool,Threat APT 36 1.00000000000000000000 Bleeping Computer - Magazine Américain A nation-state threat actor known as \'Charming Kitten\' (Phosphorus, TA453, APT35/42) has been observed deploying a previously unknown backdoor malware named \'Sponsor\' against 34 companies around the globe. [...]]]> 2023-09-11T12:19:26+00:00 https://www.bleepingcomputer.com/news/security/iranian-hackers-backdoor-34-orgs-with-new-sponsor-malware/ www.secnews.physaphae.fr/article.php?IdArticle=8381418 False Malware,Threat APT 35 2.0000000000000000 AhnLab - Korean Security Firm L'équipe d'analyse du centre d'intervention d'urgence (ASEC) AHNLAB a récemment découvert que le MAC MALW, qui est le CHM, qui estsupposé avoir été créé par le groupe de menaces Redeyes, est à nouveau distribué.La distribution de logiciels malveillants CHM fonctionne de la même manière que le logiciel malveillant & # 8220; CHM déguisé en e-mail de sécurité d'une société financière coréenne & # 8221; [1] couverte en mars de cette année et utilise également les mêmes commandes utilisées dans le & #.8220; 2.3.Persistance & # 8221; [2] Étape dans le processus d'attaque des redeyes ...

---

The AhnLab Security Emergency response Center (ASEC) analysis team has recently discovered that the CHM malware, which is assumed to have been created by the RedEyes threat group, is being distributed again. The CHM malware in distribution operates in a similar way to the “CHM Malware Disguised as Security Email from a Korean Financial Company”[1] covered in March of this year and also uses the same commands used in the “2.3. Persistence”[2] stage in the attack process of the RedEyes... ]]> 2023-09-08T00:55:10+00:00 https://asec.ahnlab.com/en/56857/ www.secnews.physaphae.fr/article.php?IdArticle=8380255 False Malware,Threat APT 37 2.0000000000000000 AhnLab - Korean Security Firm Ahnlab Security Emergency Response Center (ASEC) a confirmé que le malware [1], qui était auparavant distribué dansLe format CHM, est maintenant distribué au format LNK.Ce logiciel malveillant exécute des scripts supplémentaires situés à une URL spécifique via le processus MSHTA.Il reçoit ensuite des commandes du serveur de la menace pour effectuer des comportements malveillants supplémentaires.L'acteur de menace a distribué le fichier LNK confirmé sur un site Web ordinaire en le téléchargeant aux côtés de logiciels malveillants dans un fichier compressé.Le LNK malveillant ...

---

AhnLab Security Emergency response Center (ASEC) has confirmed that malware [1], which was previously distributed in CHM format, is now being distributed in LNK format. This malware executes additional scripts located at a specific URL through the mshta process. It then receives commands from the threat actor’s server to carry out additional malicious behaviors. The threat actor has been distributing the confirmed LNK file on a regular website by uploading it alongside malware within a compressed file. The malicious LNK... ]]> 2023-09-06T01:29:24+00:00 https://asec.ahnlab.com/en/56756/ www.secnews.physaphae.fr/article.php?IdArticle=8379404 False Malware,Threat APT 37 3.0000000000000000 The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) The North Korean threat actor known as Andariel has been observed employing an arsenal of malicious tools in its cyber assaults against corporations and organizations in the southern counterpart. “One characteristic of the attacks identified in 2023 is that there are numerous malware strains developed in the Go language,” the AhnLab Security Emergency Response Center (ASEC) said in a deep dive]]> 2023-09-05T15:45:00+00:00 https://thehackernews.com/2023/09/researchers-warn-of-cyber-weapons-used.html www.secnews.physaphae.fr/article.php?IdArticle=8379144 False Malware,Tool,Threat APT 38 2.0000000000000000 TechRepublic - Security News US The Cisco Talos report exposes new malware used by the group to target Internet backbone infrastructure and healthcare organizations in the U.K. and the U.S.]]> 2023-08-25T22:04:17+00:00 https://www.techrepublic.com/article/cisco-talos-lazarus-group-new-malware/ www.secnews.physaphae.fr/article.php?IdArticle=8374666 False Malware APT 38,APT 38 3.0000000000000000 Recorded Future - FLux Recorded Future Un groupe de hackers notoire travaillant pour le compte du gouvernement nord-coréen utilise une nouvelle souche de malware pour attaquer les établissements de santé et l'infrastructure de base Internet en Europe et aux États-Unis.Des chercheurs en sécurité de Cisco Talos publié deux rapports décrivant une série d'incidents impliquant le groupe de piratage informatique Lazarus de longue date, qui ont fait la une des journaux.

---

A notorious hacking group working on behalf of the North Korean government is using a new strain of malware to attack healthcare entities and internet backbone infrastructure in Europe and the United States. Security researchers from Cisco Talos published two reports outlining a string of incidents involving the long-running Lazarus hacking group, which garnered headlines]]> 2023-08-25T13:32:00+00:00 https://therecord.media/lazarus-new-malware-manageengine-open-source www.secnews.physaphae.fr/article.php?IdArticle=8374521 False Malware APT 38,APT 38 3.0000000000000000 InfoSecurity Mag - InfoSecurity Magazine QuiteRAT, the North-Korea-Backed group\'s new malware, exploits a 2022 ManageEngine ServiceDesk vulnerability]]> 2023-08-25T07:30:00+00:00 https://www.infosecurity-magazine.com/news/lazarus-internet-healthcare/ www.secnews.physaphae.fr/article.php?IdArticle=8374396 False Malware,Vulnerability APT 38,APT 38 2.0000000000000000 The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) The North Korea-linked threat actor known as Lazarus Group has been observed exploiting a now-patched critical security flaw impacting Zoho ManageEngine ServiceDesk Plus to distribute a remote access trojan called such as QuiteRAT. Targets include internet backbone infrastructure and healthcare entities in Europe and the U.S., cybersecurity company Cisco Talos said in a two-part analysis]]> 2023-08-24T20:46:00+00:00 https://thehackernews.com/2023/08/lazarus-group-exploits-critical-zoho.html www.secnews.physaphae.fr/article.php?IdArticle=8374129 False Malware,Threat APT 38,APT 38 2.0000000000000000 The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) The Chinese threat actor known as APT31 (aka Bronze Vinewood, Judgement Panda, or Violet Typhoon) has been linked to a set of advanced backdoors that are capable of exfiltrating harvested sensitive information to Dropbox. The malware is part of a broader collection of more than 15 implants that have been put to use by the adversary in attacks targeting industrial organizations in Eastern Europe]]> 2023-08-11T15:42:00+00:00 https://thehackernews.com/2023/08/researchers-shed-light-on-apt31s.html www.secnews.physaphae.fr/article.php?IdArticle=8368885 False Malware,Threat,Industrial APT 31,APT 31 2.0000000000000000 AlienVault Lab Blog - AlienVault est un acteur de defense majeur dans les IOC SentinelOne in 2021 and Microsoft in 2022. As stated in Microsoft’s report on UpdateAgent, a malware delivering AdLoad through drive-by compromise, AdLoad redirected users’ traffic through the adware operators’ servers, injecting advertisements and promotions into webpages and search results with a Person-in-The-Middle (PiTM) attack. These two previous campaigns, together with the campaign described in this blog, support the theory that AdLoad could be running a pay-per-Install campaign in the infected systems. The main purpose of the malware has always been to act as a downloader for subsequent payloads. It has been identified delivering a wide range of payloads (adware, bundleware, PiTM, backdoors, proxy applications, etc.) every few months to a year, sometimes conveying different payloads depending on the system settings such as geolocation, device make and model, operating system version, or language settings, as reported by SentinelOne. In all observed samples, regardless of payload, they report an Adload server during execution on the victim’s system. This beacon (analyzed later in Figure 3 & 4) includes system information in the user agent and the body, without any relevant response aside from a 200 HTTP response code. This activity probably represents AdLoad\'s method of keeping count of the number of infected systems, supporting the pay-per-Install scheme. AT&T Alien Labs™ has observed similar activity in our threat analysis systems throughout the last year, with the AdLoad malware being installed in the infected systems. However, Alien Labs is now observing a previously unreported payload being delivered to the victims. The payload corresponds to a proxy application, converting its targets into proxy exit nodes after infection. As seen in Figure 1, the threat actors behind this campaign have been very active since the beginning of 2022. Figure 1. Histogram of AdLoad samples identified by Alien Labs. The vast numb]]> 2023-08-10T10:00:00+00:00 https://cybersecurity.att.com/blogs/labs-research/mac-systems-turned-into-proxy-exit-nodes-by-adload www.secnews.physaphae.fr/article.php?IdArticle=8368296 False Spam,Malware,Threat,Cloud APT 32 2.0000000000000000 Bleeping Computer - Magazine Américain The North Korean state-sponsored Lazarus hacking group is breaching Windows Internet Information Service (IIS) web servers to hijack them for malware distribution. [...]]]> 2023-07-24T16:34:23+00:00 https://www.bleepingcomputer.com/news/security/lazarus-hackers-hijack-microsoft-iis-servers-to-spread-malware/ www.secnews.physaphae.fr/article.php?IdArticle=8360915 False Malware APT 38 2.0000000000000000 AhnLab - Korean Security Firm Ahnlab Security Emergency Response Center (ASEC) a découvert que Lazarus, un groupe de menaces considéré comme des points de distribution à l'échelle nationale, attaque leurs logiciels de Windows Internet (IIS) Services Web et les utilise comme points de distribution pour leurs logiciels malveillants.Le groupe est connu pour utiliser la technique du trou d'arrosage pour l'accès initial. & # 160; [1] Le groupe pirate d'abord les sites Web coréens et modifie le contenu fourni à partir du site.Lorsqu'un système utilisant une version vulnérable d'Inisafe Crossweb Ex V6 visite ce site via un ...

---

AhnLab Security Emergency response Center (ASEC) has discovered that Lazarus, a threat group deemed to be nationally funded, is attacking Windows Internet Information Service (IIS) web servers and using them as distribution points for their malware. The group is known to use the watering hole technique for initial access. [1] The group first hacks Korean websites and modifies the content provided from the site. When a system using a vulnerable version of INISAFE CrossWeb EX V6 visits this website via a... ]]> 2023-07-24T01:00:00+00:00 https://asec.ahnlab.com/en/55369/ www.secnews.physaphae.fr/article.php?IdArticle=8360671 False Malware,Threat APT 38 2.0000000000000000 AhnLab - Korean Security Firm Rekoobe est une porte dérobée connue pour être utilisée par APT31, un groupe de menaces basé en Chine.Ahnlab Security Emergency Response Center (ASEC) reçoit des rapports sur les logiciels malveillants Rekoobe des locataires en Corée depuis plusieurs années et partagera par la présente sa brève analyse.De plus, les variantes de Rekoobe seront classées avec un résumé de celles utilisées pour cibler les entreprises coréennes.1. La vue d'ensemble Rekoobe est une porte dérobée qui cible les environnements Linux.Il a été découvert pour la première fois en 2015, [1] ...

---

Rekoobe is a backdoor known to be used by APT31, a threat group based in China. AhnLab Security Emergency Response Center (ASEC) has been receiving reports of the Rekoobe malware from tenants in Korea for several years, and will hereby share its brief analysis. Additionally, the Rekoobe variants will be categorized along with a summary of the ones used to target Korean companies. 1. Overview Rekoobe is a backdoor that targets Linux environments. It was first discovered in 2015, [1]... ]]> 2023-07-10T23:30:00+00:00 https://asec.ahnlab.com/en/55229/ www.secnews.physaphae.fr/article.php?IdArticle=8354290 False Malware,Threat APT 31 2.0000000000000000 Dark Reading - Informationweek Branch Iran-linked APT35 group crafted specific Mac malware when targeting a member of the media with new tools to add backdoors.]]> 2023-07-10T17:58:00+00:00 https://www.darkreading.com/dr-global/apt35-mac-bespoke-malware www.secnews.physaphae.fr/article.php?IdArticle=8354062 False Malware APT 35,APT 35 4.0000000000000000 ProofPoint - Firm Security 2023-07-10T11:27:38+00:00 https://www.proofpoint.com/us/newsroom/news/apt35-develops-mac-bespoke-malware www.secnews.physaphae.fr/article.php?IdArticle=8356799 False Malware APT 35,APT 35 2.0000000000000000 ProofPoint - Firm Security 2023-07-09T11:34:17+00:00 https://www.proofpoint.com/us/newsroom/news/charming-kitten-hackers-use-new-noknok-malware-macos www.secnews.physaphae.fr/article.php?IdArticle=8356800 False Malware APT 35,APT 35 2.0000000000000000 Bleeping Computer - Magazine Américain Security researchers observed a new campaign they attribute to the Charming Kitten APT group where hackers used new NokNok malware that targets macOS systems. [...]]]> 2023-07-09T10:13:16+00:00 https://www.bleepingcomputer.com/news/security/charming-kitten-hackers-use-new-noknok-malware-for-macos/ www.secnews.physaphae.fr/article.php?IdArticle=8353811 False Malware APT 35,APT 35 2.0000000000000000 SecurityWeek - Security News En mai 2023, le groupe de cyberespionnage lié à l'Iran Charming Kitten a ciblé un groupe de réflexion basé aux États-Unis avec un nouveau malware macOS.

---

>In May 2023, Iran-linked cyberespionage group Charming Kitten targeted a US-based think tank with new macOS malware. ]]> 2023-07-07T13:42:29+00:00 https://www.securityweek.com/iranian-cyberspies-target-us-based-think-tank-with-new-macos-malware/ www.secnews.physaphae.fr/article.php?IdArticle=8353399 False Malware APT 35,APT 35 2.0000000000000000 Recorded Future - FLux Recorded Future Les pirates soutenant le gouvernement de l'Iran ciblent des experts des affaires du Moyen-Orient et de la sécurité nucléaire dans une nouvelle campagne qui, selon les chercheurs, impliquait des logiciels malveillants pour les produits Apple et Microsoft.Les experts en cybersécurité de Proofpoint ont attribué la campagne à un groupe qu'ils appellent TA453 mais est également connu sous le nom de Charming Kitten, Mint Sandstorm ou APT42,

---

Hackers supporting the government of Iran are targeting experts in Middle Eastern affairs and nuclear security in a new campaign that researchers said involved malware for both Apple and Microsoft products. Cybersecurity experts from Proofpoint attributed the campaign to a group they call TA453 but also is known as Charming Kitten, Mint Sandstorm or APT42,]]> 2023-07-06T17:42:00+00:00 https://therecord.media/iran-ta453-apt42-charming-kitten-espionage-nuclear-security-think-tanks www.secnews.physaphae.fr/article.php?IdArticle=8353083 False Malware APT 35,APT 42 3.0000000000000000 The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) Charming Kitten, the nation-state actor affiliated with Iran\'s Islamic Revolutionary Guard Corps (IRGC), has been attributed to a bespoke spear-phishing campaign that delivers an updated version of a fully-featured PowerShell backdoor called POWERSTAR. "There have been improved operational security measures placed in the malware to make it more difficult to analyze and collect intelligence,"]]> 2023-06-30T19:24:00+00:00 https://thehackernews.com/2023/06/iranian-hackers-charming-kitten-utilize.html www.secnews.physaphae.fr/article.php?IdArticle=8351031 False Malware APT 35 2.0000000000000000 knowbe4 - cybersecurity services 2023-06-29T17:18:11+00:00 https://blog.knowbe4.com/charming-kitten-spear-phishing www.secnews.physaphae.fr/article.php?IdArticle=8350708 False Malware,Threat APT 35 2.0000000000000000 InfoSecurity Mag - InfoSecurity Magazine Volexity said the updated malware uses IPFS, public cloud hosting for decryption and configuration]]> 2023-06-29T15:30:00+00:00 https://www.infosecurity-magazine.com/news/charming-kittens-powerstar-malware/ www.secnews.physaphae.fr/article.php?IdArticle=8350670 False Malware,Cloud APT 35 3.0000000000000000 Bleeping Computer - Magazine Américain Security analysts have discovered a previously undocumented remote access trojan (RAT) named \'EarlyRAT,\' used by Andariel, a sub-group of the Lazarus North Korean state-sponsored hacking group. [...]]]> 2023-06-29T13:39:41+00:00 https://www.bleepingcomputer.com/news/security/new-earlyrat-malware-linked-to-north-korean-andariel-hacking-group/ www.secnews.physaphae.fr/article.php?IdArticle=8350710 False Malware APT 38 2.0000000000000000 InfoSecurity Mag - InfoSecurity Magazine Kaspersky analyzes the group\'s tactics and reveals the emergence of a new threat called EarlyRat]]> 2023-06-28T15:30:00+00:00 https://www.infosecurity-magazine.com/news/andariels-mistakes-uncover-new/ www.secnews.physaphae.fr/article.php?IdArticle=8350192 False Malware,Threat APT 38 3.0000000000000000 UnderNews - Site de news "pirate" francais Kaspersky a mené une enquête approfondie sur les activités d’Andariel, un sous-groupe notoire du groupe Lazarus. Au cours de cette enquête, les chercheurs de Kaspersky ont découvert une nouvelle famille de logiciels malveillants appelée EarlyRat, qui est utilisée par Andariel en plus de leur utilisation connue du malware DTrack et du ransomware Maui. L’analyse des […] The post Kaspersky découvre une nouvelle famille de logiciels malveillants utilisés par Andariel, le sous-groupe de Lazarus first appeared on UnderNews.]]> 2023-06-28T12:39:49+00:00 https://www.undernews.fr/malwares-virus-antivirus/kaspersky-decouvre-une-nouvelle-famille-de-logiciels-malveillants-utilises-par-andariel-le-sous-groupe-de-lazarus.html www.secnews.physaphae.fr/article.php?IdArticle=8350132 False Ransomware,Malware APT 38 4.0000000000000000 The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) The North Korean threat actor known as ScarCruft has been observed using an information-stealing malware with previous undocumented wiretapping features as well as a backdoor developed using Golang that exploits the Ably real-time messaging service. "The threat actor sent their commands through the Golang backdoor that is using the Ably service," the AhnLab Security Emergency response Center (]]> 2023-06-21T21:46:00+00:00 https://thehackernews.com/2023/06/scarcruft-hackers-exploit-ably-service.html www.secnews.physaphae.fr/article.php?IdArticle=8347758 False Malware,Threat APT 37 2.0000000000000000 Bleeping Computer - Magazine Américain The North Korean APT37 hacking group uses a new \'FadeStealer\' information-stealing malware containing a \'wiretapping\' feature, allowing the threat actor to snoop and record from victims\' microphones. [...]]]> 2023-06-21T16:16:11+00:00 https://www.bleepingcomputer.com/news/security/apt37-hackers-deploy-new-fadestealer-eavesdropping-malware/ www.secnews.physaphae.fr/article.php?IdArticle=8347834 False Malware,Threat APT 37,APT 37 2.0000000000000000 AhnLab - Korean Security Firm comme couvert précédemment ici sur le blog ASEC, le groupe de menace Lazarus exploite les vulnérabilités d'Inisafe Crossweb Ex etMagicline4nx dans leurs attaques.New Malware of Lazarus Threat Group Actor Group exploitant le processus Initch (26 avril 2022) Un cas d'infection par les logiciels malveillants par le groupe d'attaque de Lazarus désactivant les programmes anti-malware avec la technique BYOVD (31 octobre 2022) tout en surveillant les activités du groupe de menaces de Lazarus, Ahnlab Security Emergency Response Center (ASEC) a récemment découvert que la vulnérabilité zéro-jour de Vestcert ...

---

As covered before here on the ASEC Blog, the Lazarus threat group exploits the vulnerabilities of INISAFE CrossWeb EX and MagicLine4NX in their attacks. New Malware of Lazarus Threat Actor Group Exploiting INITECH Process (Apr 26, 2022) A Case of Malware Infection by the Lazarus Attack Group Disabling Anti-Malware Programs With the BYOVD Technique (Oct 31, 2022) While monitoring the activities of the Lazarus threat group, AhnLab Security Emergency response Center (ASEC) recently discovered that the zero-day vulnerability of VestCert... ]]> 2023-06-14T23:00:00+00:00 https://asec.ahnlab.com/en/54195/ www.secnews.physaphae.fr/article.php?IdArticle=8345547 False Malware,Vulnerability,Threat APT 38 2.0000000000000000 knowbe4 - cybersecurity services CyberheistNews Vol 13 #24  |   June 13th, 2023 [The Mind\'s Bias] Pretexting Now Tops Phishing in Social Engineering Attacks The New Verizon DBIR is a treasure trove of data. As we will cover a bit below, Verizon reported that 74% of data breaches Involve the "Human Element," so people are one of the most common factors contributing to successful data breaches. Let\'s drill down a bit more in the social engineering section. They explained: "Now, who has received an email or a direct message on social media from a friend or family member who desperately needs money? Probably fewer of you. This is social engineering (pretexting specifically) and it takes more skill. "The most convincing social engineers can get into your head and convince you that someone you love is in danger. They use information they have learned about you and your loved ones to trick you into believing the message is truly from someone you know, and they use this invented scenario to play on your emotions and create a sense of urgency. The DBIR Figure 35 shows that Pretexting is now more prevalent than Phishing in Social Engineering incidents. However, when we look at confirmed breaches, Phishing is still on top." A social attack known as BEC, or business email compromise, can be quite intricate. In this type of attack, the perpetrator uses existing email communications and information to deceive the recipient into carrying out a seemingly ordinary task, like changing a vendor\'s bank account details. But what makes this attack dangerous is that the new bank account provided belongs to the attacker. As a result, any payments the recipient makes to that account will simply disappear. BEC Attacks Have Nearly Doubled It can be difficult to spot these attacks as the attackers do a lot of preparation beforehand. They may create a domain doppelganger that looks almost identical to the real one and modify the signature block to show their own number instead of the legitimate vendor. Attackers can make many subtle changes to trick their targets, especially if they are receiving many similar legitimate requests. This could be one reason why BEC attacks have nearly doubled across the DBIR entire incident dataset, as shown in Figure 36, and now make up over 50% of incidents in this category. Financially Motivated External Attackers Double Down on Social Engineering Timely detection and response is crucial when dealing with social engineering attacks, as well as most other attacks. Figure 38 shows a steady increase in the median cost of BECs since 2018, now averaging around $50,000, emphasizing the significance of quick detection. However, unlike the times we live in, this section isn\'t all doom and ]]> 2023-06-13T13:00:00+00:00 https://blog.knowbe4.com/cyberheistnews-vol-13-24-the-minds-bias-pretexting-now-tops-phishing-in-social-engineering-attacks www.secnews.physaphae.fr/article.php?IdArticle=8344804 False Spam,Malware,Vulnerability,Threat,Patching Uber,APT 37,ChatGPT,ChatGPT,APT 43 2.0000000000000000 Anomali - Firm Blog Figure 1 - Diagrammes de résumé du CIO.Ces graphiques résument les CIO attachés à ce magazine et donnent un aperçu des menaces discutées. Cyber News et Intelligence des menaces shadowVictiticoor et Coinmin de Force Group \\ (Publié: 27 mai 2023) Force Shadow est une menace qui cible les organisations sud-coréennes depuis 2013. Il cible principalement les serveurs Windows.Les chercheurs d'AHNLAB ont analysé l'activité du groupe en 2020-2022.Les activités de force fantôme sont relativement faciles à détecter car les acteurs ont tendance à réutiliser les mêmes noms de fichiers pour leurs logiciels malveillants.Dans le même temps, le groupe a évolué: après mars, ses fichiers dépassent souvent 10 Mo en raison de l'emballage binaire.Les acteurs ont également commencé à introduire divers mineurs de crypto-monnaie et une nouvelle porte dérobée surnommée Viticdoor. Commentaire de l'analyste: Les organisations doivent garder leurs serveurs à jour et correctement configurés avec la sécurité à l'esprit.Une utilisation et une surchauffe du processeur inhabituellement élevées peuvent être un signe du détournement de ressources malveillantes pour l'exploitation de la crypto-monnaie.Les indicateurs basés sur le réseau et l'hôte associés à la force fantôme sont disponibles dans la plate-forme Anomali et il est conseillé aux clients de les bloquer sur leur infrastructure. mitre att & amp; ck: [mitre att & amp; ck] t1588.003 - obtenir des capacités:Certificats de signature de code | [mitre att & amp; ck] t1105 - transfert d'outils d'entrée | [mitre att & amp; ck] t1027.002 - fichiers ou informations obscurcies: emballage logiciel | [mitre att & amp; ck] t1569.002: exécution du service | [mitre att & amp; ck] T1059.003 - Commande et script Interpréteur: Windows Command Shell | [mitre att & amp; ck] T1547.001 - Exécution de botter ou de connexion automatique: Registre Run Keys / Startup Folder | [mitre att & amp; ck] t1546.008 - Événement Exécution déclenchée: caractéristiques de l'accessibilité | [mitre att & amp; ck] t1543.003 - créer ou modifier le processus système: service Windows | [mitre att & amp; ck] t1554 - compromis le logiciel client binaire | [mitreAtt & amp; ck] t1078.001 - Comptes valides: comptes par défaut | [mitre att & amp; ck] t1140 - désobfuscate / décode ou infor]]> 2023-05-31T17:19:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-shadow-force-targets-korean-servers-volt-typhoon-abuses-built-in-tools-cosmicenergy-tests-electric-distribution-disruption www.secnews.physaphae.fr/article.php?IdArticle=8340962 False Ransomware,Malware,Tool,Vulnerability,Threat APT 38,Guam,CosmicEnergy 2.0000000000000000 Bleeping Computer - Magazine Américain A new PowerShell-based malware dubbed PowerExchange was used in attacks linked to APT34 Iranian state hackers to backdoor on-premise Microsoft Exchange servers. [...]]]> 2023-05-24T15:17:19+00:00 https://www.bleepingcomputer.com/news/security/new-powerexchange-malware-backdoors-microsoft-exchange-servers/ www.secnews.physaphae.fr/article.php?IdArticle=8339110 False Malware APT 34 2.0000000000000000 InfoSecurity Mag - InfoSecurity Magazine Researchers detail the DLL side-loading technique used to deploy malware that facilitates credential theft and lateral movement]]> 2023-05-24T15:00:00+00:00 https://www.infosecurity-magazine.com/news/lazarus-group-microsoft-servers/ www.secnews.physaphae.fr/article.php?IdArticle=8339052 False Malware APT 38 2.0000000000000000 The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) The infamous Lazarus Group actor has been targeting vulnerable versions of Microsoft Internet Information Services (IIS) servers as an initial breach route to deploy malware on targeted systems. The findings come from the AhnLab Security Emergency response Center (ASEC), which detailed the advanced persistent threat\'s (APT) continued abuse of DLL side-loading techniques to deploy malware. "The]]> 2023-05-24T13:00:00+00:00 https://thehackernews.com/2023/05/n-korean-lazarus-group-targets.html www.secnews.physaphae.fr/article.php?IdArticle=8338945 False Malware APT 38 2.0000000000000000 Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Deconstructing Amadey’s Latest Multi-Stage Attack and Malware Distribution (published: May 5, 2023) McAfee researchers have detected a multi-stage attack that starts with a trojanized wextract.exe, Windows executable used to extract files from a cabinet (CAB) file. It was used to deliver the AgentTesla, Amadey botnet, LockBit ransomware, Redline Stealer, and other malicious binaries. To avoid detection, the attackers use obfuscation and disable Windows Defender through the registry thus stopping users from turning it back on through the Defender settings. Analyst Comment: Threat actors are always adapting to the security environment to remain effective. New techniques can still be spotted with behavioral analysis defenses and social engineering training. Users should report suspicious files with double extensions such as .EXE.MUI. Indicators associated with this campaign are available in the Anomali platform and users are advised to block these on their infrastructure. MITRE ATT&CK: [MITRE ATT&CK] T1562.001: Disable or Modify Tools | [MITRE ATT&CK] T1555 - Credentials From Password Stores | [MITRE ATT&CK] T1486: Data Encrypted for Impact | [MITRE ATT&CK] T1027 - Obfuscated Files Or Information Tags: malware:Amadey, malware-type:Botnet, malware:RedLine, malware:AgentTesla, malware-type:Infostealer, malware:LockBit, malware-type:Ransomware, abused:Wextract.exe, file-type:CAB, file-type:EXE, file-type:MUI, target-program:Windows Defender, target-system:Windows Eastern Asian Android Assault – FluHorse (published: May 4, 2023) Active since May 2022, a newly-detected Android stealer dubbed FluHorse spreads mimicking popular apps or as a fake dating application. According to Check Point researchers, FluHorse was targeting East Asia (Taiwan and Vietnam) while remaining undetected for months. This stealthiness is achieved by sticking to minimal functions while also relying on a custom virtual machine that comes with the Flutter user interface software development kit. FluHorse is being distributed via emails that prompt the recipient to install the app and once installed, it asks for the user’s credit card or banking data. If a second factor authentication is needed to commit banking fraud, FluHorse tells the user to wait for 10-15 minutes while intercepting codes by installing a listener for all incoming SMS messages. Analyst Comment: FluHorse\'s ability to remain undetected for months makes it a dangerous threat. Users should avoid installing applications following download links received via email or other messaging. Verify the app authenticity on the official com]]> 2023-05-09T20:02:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-custom-virtual-environment-hides-fluhorse-babyshark-evolved-into-reconshark-fleckpe-infected-apps-add-expensive-subscriptions www.secnews.physaphae.fr/article.php?IdArticle=8334939 False Malware,Tool,Threat APT 37,APT 43 3.0000000000000000 AhnLab - Korean Security Firm Ahnlab Security Emergency Response Center (ASEC) a partagé des informations concernant le groupe de menaces Redeyes (également connu sous le nom d'APT37, Scarcruft), qui a distribué CHM malware déguisé en e-mail de sécurité d'une société financière coréenne le mois dernier.Le fichier LNK contient une commande PowerShell et effectue un comportement malveillant sans la connaissance de l'individu qui utilise le fichier PDF normal en créant et en exécutant des fichiers de script ainsi que des fichiers normaux dans le chemin d'accès temporaire.Si un fichier LNK malveillant est injecté dans un ...

---

AhnLab Security Emergency response Center (ASEC) has shared information regarding the RedEyes threat group (also known as APT37, ScarCruft), who distributed CHM Malware Disguised as Security Email from a Korean Financial Company last month. The LNK file contains a PowerShell command and performs malicious behavior without the knowledge of the individual who uses the normal pdf file by creating and executing script files along with normal files in the temp path. If a malicious LNK file is injected into a... ]]> 2023-05-07T23:30:00+00:00 https://asec.ahnlab.com/en/52172/ www.secnews.physaphae.fr/article.php?IdArticle=8334177 False Malware,Threat APT 37 2.0000000000000000 The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) The North Korean threat actor known as ScarCruft began experimenting with oversized LNK files as a delivery route for RokRAT malware as early as July 2022, the same month Microsoft began blocking macros across Office documents by default. "RokRAT has not changed significantly over the years, but its deployment methods have evolved, now utilizing archives containing LNK files that initiate]]> 2023-05-02T12:24:00+00:00 https://thehackernews.com/2023/05/north-koreas-scarcruft-deploys-rokrat.html www.secnews.physaphae.fr/article.php?IdArticle=8332732 False Malware,Threat APT 37 2.0000000000000000 Anomali - Firm Blog Figure 1 - Diagrammes de résumé du CIO.Ces graphiques résument les CIO attachés à ce magazine et donnent un aperçu des menaces discutées. Cyber News et Intelligence des menaces Réaction en chaîne: Rokrat & rsquo; s.Lien manquant (Publié: 1er mai 2023) Depuis 2022, le groupe parrainé par le Nord-Korea APT37 (Group123, Ricochet Chollima) a principalement changé ses méthodes de livraison de Maldocs pour cacher des charges utiles à l'intérieur des fichiers LNK surdimensionnés.Vérifier les chercheurs a identifié plusieurs chaînes d'infection utilisées par le groupe de juillet 2022 à avril 2023. Celles-ci ont été utilisées pour livrer l'un des outils personnalisés de l'APT37 (Goldbackdoor et Rokrat), ou le malware de marchandises Amadey.Tous les leurres étudiés semblent cibler des personnes coréennes avec des sujets liés à la Corée du Sud. Commentaire de l'analyste: Le passage aux chaînes d'infection basées sur LNK permet à APT37 de l'interaction utilisateur moins requise car la chaîne peut être déclenchée par un simple double clic.Le groupe continue l'utilisation de Rokrat bien triés qui reste un outil furtif avec ses couches supplémentaires de cryptage, le cloud C2 et l'exécution en mémoire.Les indicateurs associés à cette campagne sont disponibles dans la plate-forme Anomali et il est conseillé aux clients de les bloquerleur infrastructure. mitre att & amp; ck: [mitre att & amp; ck] t1059.001: Powershell | [mitre att & amp; ck] t1055 - injection de processus | [mitre att & amp; ck] t1027 - fichiers ou informations obscurcis | [mitre att & amp; ck] t1105 - transfert d'outils d'entrée | [mitre att & amp; ck] t1204.002 - Exécution des utilisateurs: fichier malveillant | [mitre att & amp; ck] t1059.005 - commande et script interprète: visuel basique | [mitre att & amp; ck] t1140 - désobfuscate / décode ou informations | [mitre att & amp; ck] T1218.011 - Exécution par proxy binaire signée: Rundll32 Tags: malware: Rokrat, mitre-software-id: s0240, malware-Type: Rat, acteur: Groupe123, mitre-groupe: APT37, acteur: Ricochet Chollima, Country source: Corée du Nord, Country source: KP, Cible-Country: Corée du Sud, Cible-Country: KR, Type de fichier: Zip, déposer-Type: Doc, Fichier-Type: ISO, Fichier-Type: LNK, File-Type: Bat, File-Type: EXE, Fichier-Type: VBS, malware: Amadey,MALWARE: Goldbackdoor, Type de logiciels malveillants: porte dérobée, abusée: Pcloud, abusé: Cloud Yandex, abusé: OneDrive, abusé: & # 8203; & # 8203; Processeur de mots Hangul, abusé: themida, système cible: Windows ]]> 2023-05-01T23:16:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-apt37-adopts-lnk-files-charming-kitten-uses-bellaciao-implant-dropper-vipersoftx-infostealer-unique-byte-remapping-encryption www.secnews.physaphae.fr/article.php?IdArticle=8332656 False Ransomware,Malware,Tool,Vulnerability,Threat,Prediction,Cloud APT 37,APT 37,APT 35 2.0000000000000000 Recorded Future - FLux Recorded Future Un groupe de piratage parrainé par l'État iranien a été accusé d'avoir déployé une nouvelle souche de logiciels malveillants nommé Bellaciao contre plusieurs victimes aux États-Unis, en Europe, en Inde, en Turquie et dans d'autres pays.Des chercheurs de la société de cybersécurité Bitdefender [attribuée] (https://www.bitdefender.com/blog/businessinsights/unpacking-bellaciaooo-a-closer-look-at-irans-latest-malware/) le maline à APT35 / APT42 & #8211;également connu sous le nom de Mint Sandstorm ou Charming Kitten & # 8211;un groupe de menaces persistantes avancé qui

---

An Iranian state-sponsored hacking group has been accused of deploying a new strain of malware named BellaCiao against several victims in the U.S., Europe, India, Turkey and other countries. Researchers from cybersecurity firm Bitdefender [attributed](https://www.bitdefender.com/blog/businessinsights/unpacking-bellaciao-a-closer-look-at-irans-latest-malware/) the malware to APT35/APT42 – also known as Mint Sandstorm or Charming Kitten – an advanced persistent threat group that]]> 2023-04-30T16:51:00+00:00 https://therecord.media/iran-apt-charming-kitten-bellaciao-malware-us-europe-asia www.secnews.physaphae.fr/article.php?IdArticle=8332393 False Malware,Threat APT 35,APT 42 3.0000000000000000 Dark Reading - Informationweek Branch The dropper is being used in a Charming Kitten APT campaign that has hit organizations in multiple countries.]]> 2023-04-28T20:18:35+00:00 https://www.darkreading.com/cloud/bellaciao-showcases-iran-threat-groups-modernizing-malware www.secnews.physaphae.fr/article.php?IdArticle=8331989 False Malware,Threat APT 35 2.0000000000000000 IT Security Guru - Blog Sécurité Charming Kitten, the infamous Iranian nation-state group, is actively targeting victims across Europe, U.S., India and Middle East with a new malware dubbed BellaCiao. The malware is the latest in their expansive custom tool kit. BellaCiao was discovered by Bitdefender, who describe the malware as a “personalised dropper” that’s capable of delivering malware payloads onto […] ]]> 2023-04-28T01:30:56+00:00 https://www.itsecurityguru.org/2023/04/28/charming-kitten-using-new-malware-in-multi-country-attacks/?utm_source=rss&utm_medium=rss&utm_campaign=charming-kitten-using-new-malware-in-multi-country-attacks www.secnews.physaphae.fr/article.php?IdArticle=8331819 True Malware,Tool APT 35,APT 35 2.0000000000000000 The State of Security - Magazine Américain Iranian state-sponsored hacking group Charming Kitten has been named as the group responsible for a new wave of attacks targeting critical infrastructure in the United States and elsewhere. The group (who are also known to security researchers by a wide variety of other names including Mint Sandstorm, Phosphorous, Newscaster, and APT35) has been operating since at least 2011, making a name for itself by targeting activists and journalists in the Middle East, as well as organisations in the United States, UK, Israel, and elsewhere. Earlier this month, Microsoft announced that the group, which...]]> 2023-04-27T10:17:55+00:00 https://www.tripwire.com/state-of-security/charming-kitten-targets-critical-infrastructure-us-and-elsewhere-bellaciao www.secnews.physaphae.fr/article.php?IdArticle=8331600 False Malware APT 35,APT 35 2.0000000000000000 The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) The prolific Iranian nation-state group known as Charming Kitten targeted multiple victims in the U.S., Europe, the Middle East and India with a novel malware dubbed BellaCiao, adding to its ever-expanding list of custom tools. Discovered by Bitdefender Labs, BellaCiao is a "personalized dropper" that\'s capable of delivering other malware payloads onto a victim machine based on commands received]]> 2023-04-26T18:46:00+00:00 https://thehackernews.com/2023/04/charming-kittens-new-bellaciao-malware.html www.secnews.physaphae.fr/article.php?IdArticle=8331253 False Malware APT 35,APT 35 3.0000000000000000 AhnLab - Korean Security Firm Ahnlab Security Emergency Response Center (ASEC) a confirmé que le groupe de menaces Redeyes (également connu sous le nom d'APT37, Scarcruft), qui a distribué CHM malware déguisé en e-mail de sécurité d'une société financière coréenne le mois dernier, a également récemment distribué les logiciels malveillants Rokrat via des fichiers LNK.Rokrat est un logiciel malveillant capable de collecter des informations d'identification des utilisateurs et de télécharger des logiciels malveillants supplémentaires.Le malware était autrefois distribué via des fichiers HWP et Word.Les fichiers LNK qui ont été découverts cette fois contiennent des commandes PowerShell qui peuvent effectuer des malveillants ...

---

AhnLab Security Emergency response Center (ASEC) confirmed that the RedEyes threat group (also known as APT37, ScarCruft), which distributed CHM Malware Disguised as Security Email from a Korean Financial Company last month, has also recently distributed the RokRAT malware through LNK files. RokRAT is malware that is capable of collecting user credentials and downloading additional malware. The malware was once distributed through HWP and Word files. The LNK files that were discovered this time contain PowerShell commands that can perform malicious... ]]> 2023-04-25T23:30:00+00:00 https://asec.ahnlab.com/en/51751/ www.secnews.physaphae.fr/article.php?IdArticle=8331109 False Malware,Threat APT 37 3.0000000000000000 Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence First-Ever Attack Leveraging Kubernetes RBAC to Backdoor Clusters (published: April 21, 2023) A new Monero cryptocurrency-mining campaign is the first recorded case of gaining persistence via Kubernetes (K8s) Role-Based Access Control (RBAC), according to Aquasec researchers. The recorded honeypot attack started with exploiting a misconfigured API server. The attackers preceded by gathering information about the cluster, checking if their cluster was already deployed, and deleting some existing deployments. They used RBAC to gain persistence by creating a new ClusterRole and a new ClusterRole binding. The attackers then created a DaemonSet to use a single API request to target all nodes for deployment. The deployed malicious image from the public registry Docker Hub was named to impersonate a legitimate account and a popular legitimate image. It has been pulled 14,399 times and 60 exposed K8s clusters have been found with signs of exploitation by this campaign. Analyst Comment: Your company should have protocols in place to ensure that all cluster management and cloud storage systems are properly configured and patched. K8s buckets are too often misconfigured and threat actors realize there is potential for malicious activity. A defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) approach is a good mitigation step to help prevent actors from highly-active threat groups. MITRE ATT&CK: [MITRE ATT&CK] T1190 - Exploit Public-Facing Application | [MITRE ATT&CK] T1496 - Resource Hijacking | [MITRE ATT&CK] T1036 - Masquerading | [MITRE ATT&CK] T1489 - Service Stop Tags: Monero, malware-type:Cryptominer, detection:PUA.Linux.XMRMiner, file-type:ELF, abused:Docker Hub, technique:RBAC Buster, technique:Create ClusterRoleBinding, technique:Deploy DaemonSet, target-system:Linux, target:K8s, target:​​Kubernetes RBAC 3CX Software Supply Chain Compromise Initiated by a Prior Software Supply Chain Compromise; Suspected North Korean Actor Responsible (published: April 20, 2023) Investigation of the previously-reported 3CX supply chain compromise (March 2023) allowed Mandiant researchers to detect it was a result of prior software supply chain attack using a trojanized installer for X_TRADER, a software package provided by Trading Technologies. The attack involved the publicly-available tool SigFlip decrypting RC4 stream-cipher and starting publicly-available DaveShell shellcode for reflective loading. It led to installation of the custom, modular VeiledSignal backdoor. VeiledSignal additional modules inject the C2 module in a browser process instance, create a Windows named pipe and]]> 2023-04-25T18:22:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-two-supply-chain-attacks-chained-together-decoy-dog-stealthy-dns-communication-evilextractor-exfiltrates-to-ftp-server www.secnews.physaphae.fr/article.php?IdArticle=8331005 False Ransomware,Spam,Malware,Tool,Threat,Cloud Uber,APT 38,ChatGPT,APT 43 2.0000000000000000 The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) A financially-motivated North Korean threat actor is suspected to be behind a new Apple macOS malware strain called RustBucket. "[RustBucket] communicates with command and control (C2) servers to download and execute various payloads," Jamf Threat Labs researchers Ferdous Saljooki and Jaron Bradley said in a technical report published last week.  The Apple device management company attributed it]]> 2023-04-25T16:57:00+00:00 https://thehackernews.com/2023/04/lazarus-subgroup-targeting-apple.html www.secnews.physaphae.fr/article.php?IdArticle=8330891 False Malware,Threat APT 38 3.0000000000000000 Global Security Mag - Site de news francais Malwares]]> 2023-04-24T15:38:54+00:00 https://www.globalsecuritymag.fr/ESET-Research-decouvre-une-campagne-menee-par-le-groupe-APT-Lazarus-ciblant-des.html www.secnews.physaphae.fr/article.php?IdArticle=8330632 False Malware APT 38 2.0000000000000000 SecurityWeek - Security News North Korea-linked hacking group BlueNoroff/Lazarus was seen using the RustBucket macOS malware in recent attacks. ]]> 2023-04-24T13:11:29+00:00 https://www.securityweek.com/north-korean-hackers-target-mac-users-with-new-rustbucket-malware/ www.secnews.physaphae.fr/article.php?IdArticle=8330605 False Malware APT 38 2.0000000000000000 The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) The notorious North Korea-aligned state-sponsored actor known as the Lazarus Group has been attributed to a new campaign aimed at Linux users. The attacks are part of a persistent and long-running activity tracked under the name Operation Dream Job, ESET said in a new report published today. The findings are crucial, not least because it marks the first publicly documented example of the]]> 2023-04-20T17:26:00+00:00 https://thehackernews.com/2023/04/lazarus-group-adds-linux-malware-to.html www.secnews.physaphae.fr/article.php?IdArticle=8329661 False Malware APT 38 3.0000000000000000 Bleeping Computer - Magazine Américain A new Lazarus campaign considered part of "Operation DreamJob" has been discovered targeting Linux users with malware for the first time. [...]]]> 2023-04-20T11:43:51+00:00 https://www.bleepingcomputer.com/news/security/lazarus-hackers-now-push-linux-malware-via-fake-job-offers/ www.secnews.physaphae.fr/article.php?IdArticle=8329714 False Malware APT 38 2.0000000000000000 We Live Security - Editeur Logiciel Antivirus ESET Similarities with newly discovered Linux malware used in Operation DreamJob corroborate the theory that the infamous North Korea-aligned group is behind the 3CX supply-chain attack ]]> 2023-04-20T09:30:34+00:00 https://www.welivesecurity.com/2023/04/20/linux-malware-strengthens-links-lazarus-3cx-supply-chain-attack/ www.secnews.physaphae.fr/article.php?IdArticle=8330056 False Malware APT 38 2.0000000000000000 The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) The Pakistan-based advanced persistent threat (APT) actor known as Transparent Tribe used a two-factor authentication (2FA) tool used by Indian government agencies as a ruse to deliver a new Linux backdoor called Poseidon. "Poseidon is a second-stage payload malware associated with Transparent Tribe," Uptycs security researcher Tejaswini Sandapolla said in a technical report published this week.]]> 2023-04-19T16:58:00+00:00 https://thehackernews.com/2023/04/pakistani-hackers-use-linux-malware.html www.secnews.physaphae.fr/article.php?IdArticle=8329331 False Malware,Tool,Threat APT 36 2.0000000000000000 The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) The Transparent Tribe threat actor has been linked to a set of weaponized Microsoft Office documents in attacks targeting the Indian education sector using a continuously maintained piece of malware called Crimson RAT. While the suspected Pakistan-based threat group is known to target military and government entities in the country, the activities have since expanded to include the education]]> 2023-04-13T15:49:00+00:00 https://thehackernews.com/2023/04/pakistan-based-transparent-tribe.html www.secnews.physaphae.fr/article.php?IdArticle=8327425 False Malware,Threat APT 36 2.0000000000000000 SentinelOne (APT) - Cyber Firms SentinelLabs has been tracking a cluster of malicious documents that stage the Crimson RAT malware distributed by APT36 (Transparent Tribe).]]> 2023-04-13T09:55:44+00:00 https://www.sentinelone.com/labs/transparent-tribe-apt36-pakistan-aligned-threat-actor-expands-interest-in-indian-education-sector/ www.secnews.physaphae.fr/article.php?IdArticle=8388351 False Malware,Threat APT 36,APT 36 3.0000000000000000 Recorded Future - FLux Recorded Future L'attaque de la chaîne d'approvisionnement contre la société de téléphone d'entreprise 3CX a utilisé le code de piratage qui «correspond exactement» au malware maltraité précédemment dans les attaques par un groupe nord-coréen notoire, selon une nouvelle analyse.L'établissement de l'étendue des dommages causés par le pirat

---

The supply-chain attack on the enterprise phone company 3CX used hacking code that “exactly matches” malware previously seen in attacks by a notorious North Korean group, according to new analysis. Establishing the extent of the damage caused by the hack has been a priority for researchers after a number of cybersecurity businesses went public with]]> 2023-03-31T12:16:00+00:00 https://therecord.media/3cx-attack-north-korea-lazarus-group www.secnews.physaphae.fr/article.php?IdArticle=8323753 False Malware,Hack APT 38 2.0000000000000000 CyberScoop - scoopnewsgroup.com special Cyber Une attaque qui pourrait être le travail du célèbre groupe de Lazare a tenté d'installer des logiciels malveillants infoséaler à l'intérieur des réseaux d'entreprise.

---

>An attack that could be the work of the notorious Lazarus Group attempted to install infostealer malware inside corporate networks. ]]> 2023-03-29T23:42:34+00:00 https://cyberscoop.com/3cx-hack-supply-chain-north-korea/ www.secnews.physaphae.fr/article.php?IdArticle=8323291 False Malware APT 38 2.0000000000000000 Anomali - Firm Blog Figure 1 - Diagrammes de résumé du CIO.Ces graphiques résument les CIO attachés à ce magazine et donnent un aperçu des menaces discutées. Cyber News et Intelligence des menaces campagne de phishingCible l'industrie chinoise de l'énergie nucléaire (Publié: 24 mars 2023) Actif Depuis 2013, le groupe amer (T-APT-17) est soupçonné d'être parrainé par le gouvernement indien.Des chercheurs Intezer ont découvert une nouvelle campagne amère ciblant les universitaires, le gouvernement et d'autres organisations de l'industrie de l'énergie nucléaire en Chine.Les techniques sont cohérentes avec les campagnes amères observées précédemment.L'intrusion commence par un e-mail de phishing censé provenir d'un véritable employé de l'ambassade du Kirghizistan.Les pièces jointes malveillantes observées étaient soit des fichiers HTML (CHM) compilés à Microsoft, soit des fichiers Microsoft Excel avec des exploits d'éditeur d'équation.L'objectif des charges utiles est de créer de la persistance via des tâches planifiées et de télécharger d'autres charges utiles de logiciels malveillants (les campagnes amères précédentes ont utilisé le voleur d'identification du navigateur, le voleur de fichiers, le keylogger et les plugins d'outils d'accès à distance).Les attaquants se sont appuyés sur la compression LZX et la concaténation des cordes pour l'évasion de détection. Commentaire de l'analyste: De nombreuses attaques avancées commencent par des techniques de base telles que des e-mails injustifiés avec une pièce jointe qui oblige l'utilisateur à l'ouvrir.Il est important d'enseigner l'hygiène de base en ligne à vos utilisateurs et la sensibilisation au phishing.Il est sûr de recommander de ne jamais ouvrir de fichiers CHM joints et de garder votre bureau MS Office entièrement mis à jour.Tous les indicateurs connus associés à cette campagne amère sont disponibles dans la plate-forme Anomali et il est conseillé aux clients de les bloquer sur leur infrastructure. mitre att & amp; ck: [mitre att & amp; ck] t1589.002 - rassembler l'identité des victimesInformations: Adresses e-mail | [mitre att & amp; ck] t1566.001 -Phishing: attachement de espionnage | [mitre at]]> 2023-03-28T21:28:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-account-takeover-apt-banking-trojans-china-cyberespionage-india-malspam-north-korea-phishing-skimmers-ukraine-and-vulnerabilities www.secnews.physaphae.fr/article.php?IdArticle=8322667 False Malware,Tool,Threat,Cloud APT 37,APT 43 2.0000000000000000 The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) The North Korean advanced persistent threat (APT) actor dubbed ScarCruft is using weaponized Microsoft Compiled HTML Help (CHM) files to download additional malware. According to multiple reports from AhnLab Security Emergency response Center (ASEC), SEKOIA.IO, and Zscaler, the findings are illustrative of the group\'s continuous efforts to refine and retool its tactics to sidestep detection. "]]> 2023-03-22T17:54:00+00:00 https://thehackernews.com/2023/03/scarcrufts-evolving-arsenal-researchers.html www.secnews.physaphae.fr/article.php?IdArticle=8320487 False Malware,Threat,General Information,Cloud APT 37 2.0000000000000000