www.secnews.physaphae.fr This is the RSS 2.0 feed from www.secnews.physaphae.fr. It's a simple aggregated flow of multiple article sources. The list of sources can be found on www.secnews.physaphae.fr. 2024-05-20T19:49:32+00:00 www.secnews.physaphae.fr

Global Security Mag - French news site: CapraTube - Transparent Tribe's CapraRAT mimics YouTube to hijack Android phones (malware update)
CapraTube - Transparent Tribe's CapraRAT mimics YouTube to hijack Android phones, by SentinelOne - Malware Update
2023-09-19T19:20:01+00:00 https://www.globalsecuritymag.fr/CapraTube-Transparent-Tribe-s-CapraRAT-mimics-YouTube-to-hijack-Android-phones.html www.secnews.physaphae.fr/article.php?IdArticle=8385477 False None APT 36 2.0000000000000000
Techworm - News: Hackers Using Fake YouTube Apps To Infect Android Devices
... wrote in an analysis on Monday. According to the researchers, the malicious APKs are not distributed through Android's Google Play Store, which means victims are likely socially engineered into downloading and installing the app from a third-party source. Analysis of the three APKs revealed that they contained the CapraRAT trojan and were uploaded to VirusTotal in April, July and August 2023. Two of the CapraRAT APKs were named 'YouTube' and one was named 'Piya Sharma', associated with a channel potentially used for romance-based social engineering to convince targets to install the apps. The list of applications is as follows: base.media.service, moves.media.tubes, videos.watchs.share. During installation, the apps request a number of risky permissions, some of which might initially look harmless to the victim for a media streaming app like YouTube and be granted without suspicion. The interface of the malicious apps tries to mimic Google's real YouTube app, but looks more like a web browser than an app because the trojanized app uses WebView to load the service. They also lack some of the features and functions available in the legitimate native YouTube Android app.
Once CapraRAT is installed on the victim's device, it can perform various actions such as recording with the microphone and the front and rear cameras, collecting SMS and multimedia message contents and call logs, sending SMS messages, blocking incoming SMS, initiating phone calls, taking screenshots, overriding system settings such as GPS & network, and modifying files on the phone's file system. According to SentinelLabs, the recent CapraRAT variants found during the current campaign indicate continued development of the malware by Transparent Tribe. As for attribution, the IP addresses of the command-and-control (C2) servers CapraRAT communicates with are hard-coded in the app's configuration file and have been linked to the hacking group's past activity. However, some IP addresses were linked to other RAT campaigns, although the exact relationship between those threat actors and Transparent Tribe remains unclear.
2023-09-19T17:06:25+00:00 https://www.techworm.net/2023/09/hacker-fake-youtube-apps-android.html www.secnews.physaphae.fr/article.php?IdArticle=8393055 False Malware,Tool,Threat APT 36 2.0000000000000000

Dark Reading - Informationweek Branch: CapraRAT Impersonates YouTube to Hijack Android Devices
Pakistani threat group Transparent Tribe targets military and diplomatic personnel in India and Pakistan with romance-themed lures in the latest spyware campaign.
2023-09-19T14:30:50+00:00 https://www.darkreading.com/endpoint/caprarat-impersonates-youtube-hijack-android-devices www.secnews.physaphae.fr/article.php?IdArticle=8385347 False Threat APT 36 2.0000000000000000

The Hacker News - The Hacker News is a hacking news blog (surprising, isn't it?):
Transparent Tribe Uses Fake YouTube Android Apps to Spread CapraRAT Malware
The suspected Pakistan-linked threat actor known as Transparent Tribe is using malicious Android apps mimicking YouTube to distribute the CapraRAT mobile remote access trojan (RAT), demonstrating the continued evolution of the activity. "CapraRAT is a highly invasive tool that gives the attacker control over much of the data on the Android devices that it infects," SentinelOne security
2023-09-19T12:26:00+00:00 https://thehackernews.com/2023/09/transparent-tribe-uses-fake-youtube.html www.secnews.physaphae.fr/article.php?IdArticle=8385200 False Malware,Tool,Threat APT 36 1.00000000000000000000

SecurityWeek - Security News: Pakistani APT Uses YouTube-Mimicking RAT to Spy on Android Devices
New versions of Pakistan-linked APT Transparent Tribe's CapraRAT Android trojan mimic the appearance of YouTube.
2023-09-19T12:16:54+00:00 https://www.securityweek.com/pakistani-apt-uses-youtube-mimicking-rat-to-spy-on-android-devices/ www.secnews.physaphae.fr/article.php?IdArticle=8385303 False None APT 36 2.0000000000000000
Bleeping Computer - American magazine: APT36 state hackers infect Android devices using YouTube app clones
The APT36 hacking group, aka 'Transparent Tribe,' has been observed using at least three Android apps that mimic YouTube to infect devices with their signature remote access trojan (RAT), 'CapraRAT.' [...]
2023-09-18T18:06:13+00:00 https://www.bleepingcomputer.com/news/security/apt36-state-hackers-infect-android-devices-using-youtube-app-clones/ www.secnews.physaphae.fr/article.php?IdArticle=8385032 False None APT 36 1.00000000000000000000

SentinelOne (APT) - Cyber Firms: CapraTube | Transparent Tribe's CapraRAT Mimics YouTube to Hijack Android Phones
Pakistan-aligned threat actor weaponizes fake YouTube apps on the Android platform to deliver mobile remote access trojan spyware.
2023-09-18T13:00:03+00:00 https://www.sentinelone.com/labs/capratube-transparent-tribes-caprarat-mimics-youtube-to-hijack-android-phones/ www.secnews.physaphae.fr/article.php?IdArticle=8388347 False Threat APT 36 3.0000000000000000

AhnLab - Korean Security Firm: Threat Trend Report on APT Groups – May 2023
The cases of major APT groups for May 2023 gathered from materials made public by security companies and institutions are as follows. – Agrius – Andariel – APT28 – APT29 – APT-C-36 (Blind Eagle) – Camaro Dragon – CloudWizard – Earth Longzhi (APT41) – GoldenJackal – Kimsuky – Lazarus – Lancefly – OilAlpha – Red Eyes (APT37, ScarCruft) – SideCopy – SideWinder – Transparent Tribe (APT36) – Volt Typhoon (Bronze Silhouette) ATIP_2023_May_Threat Trend Report on APT Groups_20230609
2023-07-07T02:33:29+00:00 https://asec.ahnlab.com/en/55184/ www.secnews.physaphae.fr/article.php?IdArticle=8353225 False Threat,Prediction APT 38,GoldenJackal,GoldenJackal,APT-C-36,APT 29,APT 29,APT 37,APT 37,Guam,Guam,APT 28,APT 28,APT 41,APT 36,APT 36,APT-C-17,APT-C-17 3.0000000000000000
The Hacker News - The Hacker News is a hacking news blog (surprising, isn't it?): Pakistani Hackers Use Linux Malware Poseidon to Target Indian Government Agencies
The Pakistan-based advanced persistent threat (APT) actor known as Transparent Tribe used a two-factor authentication (2FA) tool used by Indian government agencies as a ruse to deliver a new Linux backdoor called Poseidon. "Poseidon is a second-stage payload malware associated with Transparent Tribe," Uptycs security researcher Tejaswini Sandapolla said in a technical report published this week.
2023-04-19T16:58:00+00:00 https://thehackernews.com/2023/04/pakistani-hackers-use-linux-malware.html www.secnews.physaphae.fr/article.php?IdArticle=8329331 False Malware,Tool,Threat APT 36 2.0000000000000000

Global Security Mag - French news site: SentinelOne examines Transparent Tribe (APT36): Pakistani cyber-espionage group expands attacks on the Indian education sector (Malware)
SentinelLabs, the research arm of SentinelOne, has examined a recently disclosed set of malicious Office documents that spread "Crimson RAT", a malware used by the APT36 group. APT36, also called "Transparent Tribe", is believed to be based in Pakistan and has been active since at least 2013. The group is very persistent in its approach.
2023-04-17T11:12:52+00:00 https://www.globalsecuritymag.fr/SentinelOne-untersucht-Transparent-Tribe-APT36-Cyberspionage-Gruppe-aus.html www.secnews.physaphae.fr/article.php?IdArticle=8328580 False None APT 36,APT 36 2.0000000000000000
InfoSecurity Mag - InfoSecurity Magazine: Pakistan-Aligned Hackers Disrupt Indian Education Sector
APT36 targeted institutions with malicious Office documents distributing Crimson RAT
2023-04-13T16:00:00+00:00 https://www.infosecurity-magazine.com/news/apt36-disrupt-indian-education/ www.secnews.physaphae.fr/article.php?IdArticle=8327485 False None APT 36 2.0000000000000000

The Hacker News - The Hacker News is a hacking news blog (surprising, isn't it?): Pakistan-based Transparent Tribe Hackers Targeting Indian Educational Institutions
The Transparent Tribe threat actor has been linked to a set of weaponized Microsoft Office documents in attacks targeting the Indian education sector using a continuously maintained piece of malware called Crimson RAT. While the suspected Pakistan-based threat group is known to target military and government entities in the country, the activities have since expanded to include the education
2023-04-13T15:49:00+00:00 https://thehackernews.com/2023/04/pakistan-based-transparent-tribe.html www.secnews.physaphae.fr/article.php?IdArticle=8327425 False Malware,Threat APT 36 2.0000000000000000

SentinelOne (APT) - Cyber Firms: Transparent Tribe (APT36) | Pakistan-Aligned Threat Actor Expands Interest in Indian Education Sector
SentinelLabs has been tracking a cluster of malicious documents that stage the Crimson RAT malware distributed by APT36 (Transparent Tribe).
2023-04-13T09:55:44+00:00 https://www.sentinelone.com/labs/transparent-tribe-apt36-pakistan-aligned-threat-actor-expands-interest-in-indian-education-sector/ www.secnews.physaphae.fr/article.php?IdArticle=8388351 False Malware,Threat APT 36,APT 36 3.0000000000000000

Anomali - Firm Blog: Anomali Cyber Watch: Xenomorph Automates The Whole Fraud Chain on Android, IceFire Ransomware Started Targeting Linux, Mythic Leopard Delivers Spyware Using Romance Scam
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Xenomorph V3: a New Variant with ATS Targeting More Than 400 Institutions (published: March 10, 2023)
Newer versions of the Xenomorph Android banking trojan are able to target 400 applications: cryptocurrency wallets and mobile banking apps from around the world, with the top targeted countries being Spain, Turkey, Poland, USA, and Australia (in that order). Since February 2022, several small, testing Xenomorph campaigns have been detected. Its current version, Xenomorph v3 (Xenomorph.C), is available on the Malware-as-a-Service model. This trojan version was delivered using the Zombinder binding service to bind it to a legitimate currency converter. Xenomorph v3 automatically collects and exfiltrates credentials using the ATS (Automated Transfer Systems) framework. The command-and-control traffic is blended in by abusing the Discord Content Delivery Network.
Analyst Comment: Fraud chain automation makes Xenomorph v3 a dangerous malware that might significantly increase its prevalence on the threat landscape. Users should keep their mobile devices updated and avail of mobile antivirus and VPN protection services. Install only applications that you actually need, use the official store and check the app description and reviews. Organizations that publish applications for their customers are invited to use Anomali's Premium Digital Risk Protection service to discover rogue, malicious apps impersonating your brand that security teams typically do not search for or monitor.
MITRE ATT&CK: [MITRE ATT&CK] T1417.001 - Input Capture: Keylogging | [MITRE ATT&CK] T1417.002 - Input Capture: GUI Input Capture
Tags: malware:Xenomorph, Mobile, actor:Hadoken Security Group, actor:HadokenSecurity, malware-type:Banking trojan, detection:Xenomorph.C, Malware-as-a-Service, Accessibility services, Overlay attack, Discord CDN, Cryptocurrency wallet, target-industry:Cryptocurrency, target-industry:Banking, target-country:Spain, target-country:ES, target-country:Turkey, target-country:TR, target-country:Poland, target-country:PL, target-country:USA, target-country:US, target-country:Australia, target-country:AU, malware:Zombinder, detection:Zombinder.A, Android
Cobalt Illusion Masquerades as Atlantic Council Employee (published: March 9, 2023)
A new campaign by Iran-sponsored Charming Kitten (APT42, Cobalt Illusion, Magic Hound, Phosphorous) was detected targeting Mahsa Amini protests and researchers who document the suppression of women and minority groups i
2023-03-14T17:32:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-xenomorph-automates-the-whole-fraud-chain-on-android-icefire-ransomware-started-targeting-linux-mythic-leopard-delivers-spyware-using-romance-scam www.secnews.physaphae.fr/article.php?IdArticle=8318511 False Ransomware,Malware,Tool,Vulnerability,Threat,Guideline,Conference ChatGPT,ChatGPT,APT 35,APT 42,APT 36 2.0000000000000000

InfoSecurity Mag - InfoSecurity Magazine: Officials Targeted with Romance Scams and Android Trojans
2023-03-08T10:30:00+00:00 https://www.infosecurity-magazine.com/news/officials-romance-scams-and/ www.secnews.physaphae.fr/article.php?IdArticle=8316643 False General Information APT 36 3.0000000000000000

The Hacker News - The Hacker News is a hacking news blog (surprising, isn't it?):
Transparent Tribe Hackers Distribute CapraRAT via Trojanized Messaging Apps
2023-03-07T17:09:00+00:00 https://thehackernews.com/2023/03/transparent-tribe-hackers-distribute.html www.secnews.physaphae.fr/article.php?IdArticle=8316265 False Threat APT 36 2.0000000000000000

Global Security Mag - French news site: ESET Research uncovers an espionage campaign targeting officials in India and Pakistan (Malware)
2023-03-07T13:55:18+00:00 https://www.globalsecuritymag.fr/ESET-Research-decouvre-une-campagne-d-espionnage-ciblant-des-fonctionnaires-en.html www.secnews.physaphae.fr/article.php?IdArticle=8316304 False None APT 36 2.0000000000000000

IT Security Guru - Security blog: Transparent Tribe APT weaponising Android messaging apps to target officials in India and Pakistan with romance scams
2023-03-07T13:50:26+00:00 https://www.itsecurityguru.org/2023/03/07/transparent-tribe-apt-weaponising-android-messaging-apps-to-target-officials-in-india-and-pakistan-with-romance-scams/?utm_source=rss&utm_medium=rss&utm_campaign=transparent-tribe-apt-weaponising-android-messaging-apps-to-target-officials-in-india-and-pakistan-with-romance-scams www.secnews.physaphae.fr/article.php?IdArticle=8316292 True None APT 36 1.00000000000000000000

We Live Security - ESET antivirus software vendor: Love scam or espionage? Transparent Tribe lures Indian and Pakistani officials
ESET researchers analyze a cyberespionage campaign that distributes CapraRAT backdoors through trojanized and supposedly secure Android messaging apps – but also exfiltrates sensitive information
2023-03-07T10:30:37+00:00 https://www.welivesecurity.com/2023/03/07/love-scam-espionage-transparent-tribe-lures-indian-pakistani-officials/ www.secnews.physaphae.fr/article.php?IdArticle=8316293 False None APT 36 2.0000000000000000

The Hacker News - The Hacker News is a hacking news blog (surprising, isn't it?):
Researchers Warn of ReverseRAT Backdoor Targeting Indian Government Agencies
2023-02-21T11:25:00+00:00 https://thehackernews.com/2023/02/researchers-warn-of-reverserat-backdoor.html www.secnews.physaphae.fr/article.php?IdArticle=8312059 False Threat APT 36 3.0000000000000000

Global Security Mag - French news site: Mustang Panda, APT29, APT36, Phobos, Cobalt Strike: emerging cyber-threat actors are getting organised and ransomware is evolving (Malware)
2022-11-17T00:00:00+00:00 https://www.globalsecuritymag.fr/Mustang-Panda-APT29-APT36-Phobos-Cobalt-Strike-Les-acteurs-emergents-de-la.html www.secnews.physaphae.fr/article.php?IdArticle=8054151 False None APT 29,APT 36 None

The Hacker News - The Hacker News is a hacking news blog (surprising, isn't it?): Researchers Detail New Malware Campaign Targeting Indian Government Employees
2022-11-04T19:13:00+00:00 https://thehackernews.com/2022/11/researchers-detail-new-malware-campaign.html www.secnews.physaphae.fr/article.php?IdArticle=7823053 False Malware,Threat APT 36 None

CISCO Talos - Cisco Research blog: Researcher Spotlight: How Asheer Malhotra looks for 'instant gratification' in threat hunting
Transparent Tribe group he's written about several times. “At some point, I say 'Hey, I don't think I've seen this before.' I start analyzing public disclosures, and slowly start gaining confidence and being able to craft a narrative around the motivations and tactics around a specific threat actor or malware campaign,” he said. In the case of Transparent Tribe, Malhotra has tracked their growth as a major player in the threat landscape in Asia, as they've added several remote access trojans to their arsenal, targeted high-profile government-adjacent entities in India and expanded their scope across the region.
When he's not threat hunting, Malhotra also speaks to Cisco customers about the current state of cybersecurity in briefings and delivers presentations at conferences around the world (mainly virtually during the COVID-19 pandemic).  “I always try to find the latest and new stuff to talk about. … I've been honing my skills and trying to speak more confidently publicly, but the confidence is backed up with the right kind of knowledge and the threat intelligence, that's what helps me succeed,” he said.  Malhotra is a native of India and spent most of his life there before coming to the U.S. for his master's degree at Mississippi State University. Mississippi was a far cry from everything else he had known up until that point, but he quickly adjusted. “That was the 'Deep South,'” he said. “So there was a culture shock, but the southern hospitality is such a real thing, and it felt very normal there.” Growing up, Malhotra always knew he wanted to work with computers, starting out as a teenager reverse-engineering exploits he'd see others talk about on the internet or just poking at smaller applications. His additional interest in politics and national security made it natural for him to combine the two and focus his research on state-sponsored actors.  He enjoys continuing his research in the Indian subcontinent and sees many parallels between the state of security in India and the U.S. 
“Th
2022-09-06T08:00:00+00:00 http://blog.talosintelligence.com/2022/09/researcher-spotlight-how-asheer.html www.secnews.physaphae.fr/article.php?IdArticle=6750298 False Ransomware,Malware,Threat,Guideline APT 36 None

IT Security Guru - Security blog: Meta Take Action Against Two Cyber Espionage Operations in South Africa
2022-08-10T09:09:07+00:00 https://www.itsecurityguru.org/2022/08/10/meta-take-action-against-two-cyber-espionage-operations-in-south-africa/?utm_source=rss&utm_medium=rss&utm_campaign=meta-take-action-against-two-cyber-espionage-operations-in-south-africa www.secnews.physaphae.fr/article.php?IdArticle=6227242 False Threat,Guideline APT 36 None

Bleeping Computer - American magazine: Facebook finds new Android malware used by APT hackers
2022-08-05T10:40:33+00:00 https://www.bleepingcomputer.com/news/security/facebook-finds-new-android-malware-used-by-apt-hackers/ www.secnews.physaphae.fr/article.php?IdArticle=6143551 False Malware,Threat APT 36 None

The Hacker News - The Hacker News is a hacking news blog (surprising, isn't it?):
Pakistani Hackers Targeting Indian Students in Latest Malware Campaign
2022-07-14T01:15:16+00:00 https://thehackernews.com/2022/07/pakistani-hackers-targeting-indian.html www.secnews.physaphae.fr/article.php?IdArticle=5716161 False Malware,Threat APT 36 None

CISCO Talos - Cisco Research blog: Transparent Tribe begins targeting education sector in latest campaign
2022-07-13T16:08:15+00:00 http://blog.talosintelligence.com/2022/07/transparent-tribe-targets-education.html www.secnews.physaphae.fr/article.php?IdArticle=5706785 False None APT 36 None

ZD Net - IT magazine: Transparent Tribe APT returns to strike India's government and military
2022-03-29T12:00:00+00:00 https://www.zdnet.com/article/transparent-tribe-apt-returns-to-strike-indias-government-and-military/#ftag=RSSbaffb68 www.secnews.physaphae.fr/article.php?IdArticle=4359426 False Malware APT 36 None

The Hacker News - The Hacker News is a hacking news blog (surprising, isn't it?): New Hacking Campaign by Transparent Tribe Hackers Targeting Indian Officials
2022-03-29T05:42:02+00:00 https://thehackernews.com/2022/03/new-hacking-campaign-by-transparent.html www.secnews.physaphae.fr/article.php?IdArticle=4359355 False Threat APT 36 None

CISCO Talos - Cisco Research blog: Transparent Tribe campaign uses new bespoke malware to target Indian government officials
2022-03-29T05:02:08+00:00 http://blog.talosintelligence.com/2022/03/transparent-tribe-new-campaign.html www.secnews.physaphae.fr/article.php?IdArticle=4359198 False Malware APT 36 None

Anomali - Firm Blog: Anomali Cyber Watch: Mobile Malware Is On The Rise, APT Groups Are Working Together, Ransomware For The Individual, and More
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
What’s With The Shared VBA Code Between Transparent Tribe And Other Threat Actors? (published: February 9, 2022)
A recent discovery links malicious VBA macro code between multiple groups, namely Transparent Tribe, Donot Team, SideCopy, Operation Hangover, and SideWinder. These groups operate (or operated) out of South Asia and use a variety of techniques with phishing emails and maldocs to target government and military entities within India and Pakistan. The code is similar enough that it suggests cooperation between APT groups, despite completely different goals and targets.
Analyst Comment: This research shows that APT groups are sharing TTPs to assist each other, regardless of motive or target. Files that request that content be enabled in order to properly view the document are often a sign of a phishing attack. If such a file is sent to you by a known and trusted sender, that individual should be contacted to verify the authenticity of the attachment prior to opening it. Any such file attachment sent by an unknown sender should be viewed with the utmost scrutiny; the attachment should not be opened and should be reported to the appropriate personnel.
MITRE ATT&CK: [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Phishing - T1566
Tags: Transparent Tribe, Donot, SideWinder, Asia, Military, Government
Fake Windows 11 Upgrade Installers Infect You With RedLine Malware (published: February 9, 2022)
Following the recent announcement of Windows 11 upgrade availability, an unknown threat actor has registered a domain to trick users into downloading an installer that contains RedLine malware. The site, "windows-upgraded[.]com", is a direct copy of a legitimate Microsoft upgrade portal. Clicking the 'Upgrade Now' button downloads a 734MB ZIP file that contains a large amount of dead code; most likely this is to inflate the file size so that it bypasses antivirus scanning. RedLine is a well-known infostealer, capable of taking screenshots, using C2 communications, keylogging and more.
Analyst Comment: Any official Windows update or installation files will be downloaded through the operating system directly. If offline updates are necessary, only go through Microsoft sites and subdomains. Never update Windows from a third-party site, because of this type of attack.
MITRE ATT&CK: [MITRE ATT&CK] Video Capture - T1125 | [MITRE ATT&CK] Input Capture - T1056 | [MITRE ATT&CK] Exfiltration Over C2 Channel - T1041
Tags: RedLine, Windows 11, Infostealer
2022-02-15T20:01:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-mobile-malware-is-on-the-rise-apt-groups-are-working-together-ransomware-for-the-individual-and-more www.secnews.physaphae.fr/article.php?IdArticle=4134740 False Ransomware,Malware,Tool,Vulnerability,Threat,Guideline APT 43,Uber,APT 36,APT-C-17 None

CISCO Talos - Cisco Research blog: What's with the shared VBA code between Transparent Tribe and other threat actors?
2022-02-09T05:06:14+00:00 http://blog.talosintelligence.com/2022/02/whats-with-shared-vba-code.html www.secnews.physaphae.fr/article.php?IdArticle=4099539 False Malware,Threat APT 36 None

Anomali - Firm Blog: Anomali Cyber Watch: Conti Ransomware Attack, Iran-Sponsored APTs, New Android RAT, Russia-Sponsored Gamaredon, and More
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
New CapraRAT Android Malware Targets Indian Government and Military Personnel (published: February 7, 2022)
Trend Micro researchers have discovered a new remote access trojan (RAT), dubbed CapraRAT, that targets Android systems. CapraRAT is attributed to the advanced persistent threat (APT) group APT36 (Earth Karkaddan, Mythic Leopard, Transparent Tribe), which is believed to be a Pakistan-based group that has been active since at least 2016.
The Android-targeting CapraRAT shares similarities (capabilities, commands, and function names) with the Windows-targeting Crimson RAT, and researchers note that it may be a modified version of the open-source AndroRAT. The delivery method of CapraRAT is unknown; however, APT36 is known to use spearphishing emails with attachments or links. Once CapraRAT is installed and executed, it will attempt to reach out to a command-and-control server and subsequently begin stealing various data from the infected device.
Analyst Comment: It is important to only use the Google Play Store to obtain your software (for Android users), and to avoid installing software from unverified sources, because it is easier for malicious applications to get into third-party stores. Applications that ask for additional permissions outside of their normal functionality should be treated with suspicion, and the normal functionality of an application should be reviewed carefully prior to installation. Antivirus applications, if available, should be installed on devices.
MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Software Deployment Tools - T1072
Tags: APT36, Earth Karkaddan, Mythic Leopard, Transparent Tribe, Android, CapraRAT
Russia’s Gamaredon aka Primitive Bear APT Group Actively Targeting Ukraine (published: February 3, 2022)
The Russia-sponsored cyberespionage group Primitive Bear (Gamaredon) has continued updating its toolset, according to Unit 42 researchers. The group continues to use its primary tactic of spearphishing emails with attachments that leverage remote templates and template injection, with a focus on Ukraine. These email attachments are usually Microsoft Word documents that use the remote template to fetch VBScript, execute it to establish persistence, and wait for the group’s instructions via a command-and-control server.
Unit 42 researchers have analyzed the group’s activity and infrastructure dating back to 2018 up to the current border tensions between Russia and Ukraine. The infrastructure behind the campaigns is robust, with clusters of domains that are rotated and parked on different IPs, often on a daily basis.
Analyst Comment: Spearphishing emails represent a significant security risk because the sending email will often appear legitimate to the target; sometimes a target company email is compromis
2022-02-08T16:00:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-conti-ransomware-attack-iran-sponsored-apts-new-android-rat-russia-sponsored-gamaredon-and-more www.secnews.physaphae.fr/article.php?IdArticle=4094313 False Ransomware,Malware,Threat,Conference APT 35,APT 35,APT 29,APT 29,APT 36 2.0000000000000000

TrendLabs Security - Antivirus vendor: Investigating APT36 or Earth Karkaddan's Attack Chain and Malware Arsenal
2022-01-24T00:00:00+00:00 https://www.trendmicro.com/en_us/research/22/a/investigating-apt36-or-earth-karkaddans-attack-chain-and-malware.html www.secnews.physaphae.fr/article.php?IdArticle=4025239 False Malware,Threat APT 36 None

CISCO Talos - Cisco Research blog: Operation “Armor Piercer:” Targeted attacks in the Indian subcontinent using commercial RATs
2021-09-23T05:01:25+00:00 http://feedproxy.google.com/~r/feedburner/Talos/~3/q-HOEjOIE_U/operation-armor-piercer.html www.secnews.physaphae.fr/article.php?IdArticle=3417081 False None APT 36 None

CISCO Talos - Cisco Research blog: Talos Takes Ep: #61: SideCopy sounds so familiar, but I just can't put my finger on it...
2021-07-16T07:14:51+00:00 http://feedproxy.google.com/~r/feedburner/Talos/~3/6ZshnDVor7s/talos-takes-ep-61-sidecopy-sounds-so.html www.secnews.physaphae.fr/article.php?IdArticle=3078351 False None APT 36 2.0000000000000000

Anomali - Firm Blog: Anomali Cyber Watch: Global Phishing Campaign, Magecart Data Theft, New APT Group, and More
Figure 1 - IOC Summary Charts.
These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Global Phishing Campaign Targets Energy Sector and Its Suppliers (published: July 8, 2021)
Researchers at Intezer have identified a year-long global phishing campaign targeting the energy, oil and gas, and electronics industries. The threat actors use spoofed or typosquatting emails to deliver an IMG, ISO or CAB file containing an infostealer, typically FormBook or Agent Tesla. The emails are made to look as if they are coming from another company in the same sector, with the IMG/ISO/CAB file attached, which when opened contains a malicious executable. Once executed, the malware is loaded into memory, helping it evade detection by anti-virus. The campaign appears to be targeting Germany, South Korea, the United States, and the United Arab Emirates (UAE).
Analyst Comment: All employees should be educated on the risks of phishing, specifically how to identify such attempts and whom to contact if a phishing attack is identified. It may also be useful for employees to stop using email attachments in favor of a cloud file hosting service.
MITRE ATT&CK: [MITRE ATT&CK] Spearphishing Attachment - T1193 | [MITRE ATT&CK] Process Injection - T1055
Tags: FormBook, AgentTesla, Phishing, Europe, Middle East
SideCopy Cybercriminals Use New Custom Trojans in Attacks Against India's Military (published: July 7, 2021)
SideCopy, an advanced persistent threat (APT) group, has expanded its activities, and new trojans are being used in campaigns across India, according to Talos Intelligence. This APT group has been active since at least 2019 and appears to focus on targets of value for cyberespionage. SideCopy has also taken cues from Transparent Tribe (also known as PROJECTM, APT36) in how it uses tools and techniques against its targets. These targets include multiple units of the Indian military and government officials.
Analyst Comment: Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host-based security. Prevention and detection capabilities should also be in place. Furthermore, all employees should be educated on the risks of spearphishing and how to identify such attempts.
MITRE ATT&CK: [MITRE ATT&CK] Signed Binary Proxy Execution - T1218 | [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Account Discovery - T1087 | [MITRE ATT&CK] Masquerading - T1036 | [MITRE ATT&CK] Input Capture - T1056 | [MITRE ATT&CK] Third-party Software - T1072 |
2021-07-13T15:00:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-global-phishing-campaign-magecart-data-theft-new-apt-group-and-more www.secnews.physaphae.fr/article.php?IdArticle=3057627 False Malware,Threat APT 36 None

CISCO Talos - Cisco Research blog: InSideCopy: How this APT continues to evolve its arsenal
2021-07-07T05:01:04+00:00 http://feedproxy.google.com/~r/feedburner/Talos/~3/7sPQPB7nf_U/sidecopy.html www.secnews.physaphae.fr/article.php?IdArticle=3032498 False None APT 36,APT-C-17 None

CISCO Talos - Cisco Research blog: Talos Takes Ep. #55: How Transparent Tribe could evolve in the future
2021-05-28T07:30:24+00:00 http://feedproxy.google.com/~r/feedburner/Talos/~3/yx6ko5zqIhA/talos-takes-ep-55-how-transparent-tribe.html www.secnews.physaphae.fr/article.php?IdArticle=2852396 False None APT 36 None

Security Affairs - Security blog: Security Affairs newsletter Round 315
2021-05-23T12:33:32+00:00 https://securityaffairs.co/wordpress/118186/breaking-news/security-affairs-newsletter-round-315.html?utm_source=rss&utm_medium=rss&utm_campaign=security-affairs-newsletter-round-315 www.secnews.physaphae.fr/article.php?IdArticle=2827928 False Ransomware,Tool APT 36 None

Anomali - Firm Blog: Anomali Cyber Watch: Microsoft Azure Vulnerability Discovered, MSBuild Used to Deliver Malware, Escalation of Avaddon Ransomware and More
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Cross-Browser Tracking Vulnerability Tracks You Via Installed Apps (published: May 14, 2021)
A new method of fingerprinting users has been developed that works in any browser. Using URL schemes, certain applications can be launched from the browser. With this knowledge, an attacker can flood a client with multiple URL schemes to determine which applications are installed and create a fingerprint. Google Chrome has certain protections against this attack, but a workaround exists when using the built-in PDF viewer, which resets a flag used for flood protection. The only known protection against scheme flooding is to use browsers across multiple devices.
Analyst Comment: It is critical that the latest security patches be applied as soon as possible to the web browser used by your company.
Vulnerabilities are discovered relatively frequently, and it is paramount to install the security patches because the vulnerabilities are often posted to open sources where any malicious actor could attempt to mimic the techniques that are described. Tags: Scheme Flooding, Vulnerability, Chrome, Firefox, Edge Threat Actors Use MSBuild to Deliver RATs Filelessly (published: May 13, 2021) Anomali Threat Research have identified a campaign in which threat actors are using MSBuild project files to deliver malware. The project files contain a payload, either Remcos RAT, RedLine, or QuasarRAT, with shellcode used to inject that payload into memory. Using this technique the malware is delivered filelessly, allowing the malware to evade detection. Analyst Comment: Threat actors are always looking for new ways to evade detection. Users should make use of a runtime protection solution that can detect memory based attacks. MITRE ATT&CK: [MITRE ATT&CK] Process Injection - T1055 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140 | [MITRE ATT&CK] Modify Registry - T1112 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Process Injection - T1055 | [MITRE ATT&CK] Trusted Developer Utilities - T1127 | [MITRE ATT&CK] Steal Web Session Cookie - T1539 | [MITRE ATT&CK] Input Capture - T1056 | [MITRE ATT&CK] Account Discovery - T1087 | [MITRE ATT&CK] File and Directory Discovery - T1083 | ]]> 2021-05-18T19:05:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-microsoft-azure-vulnerability-discovered-msbuild-used-to-deliver-malware-esclation-of-avaddon-ransomware-and-more www.secnews.physaphae.fr/article.php?IdArticle=2807407 False Ransomware,Malware,Vulnerability,Threat,Guideline APT 36 None Security Affairs - Blog Secu Pakistan-linked Transparent Tribe APT expands its arsenal 2021-05-16T08:39:52+00:00 
https://securityaffairs.co/wordpress/117963/apt/transparent-tribe-malware.html?utm_source=rss&utm_medium=rss&utm_campaign=transparent-tribe-malware www.secnews.physaphae.fr/article.php?IdArticle=2794435 False Malware APT 36 None The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) Pakistan-Linked Hackers Added New Windows Malware to Its Arsenal ]]> 2021-05-14T05:04:00+00:00 http://feedproxy.google.com/~r/TheHackersNews/~3/6_YF2n3KTQg/pakistan-linked-hackers-added-new.html www.secnews.physaphae.fr/article.php?IdArticle=2786036 False Malware APT 36 None CISCO Talos - Cisco Research blog Transparent Tribe APT expands its Windows malware arsenal ]]> 2021-05-13T05:09:57+00:00 http://feedproxy.google.com/~r/feedburner/Talos/~3/z_NRqWmErnI/transparent-tribe-infra-and-targeting.html www.secnews.physaphae.fr/article.php?IdArticle=2779664 False Malware APT 36 None Team Cymru - Equipe de Threat Intelligence Transparent Tribe APT Infrastructure Mapping [...] ]]> 2021-04-16T15:00:29+00:00 https://team-cymru.com/blog/2021/04/16/transparent-tribe-apt-infrastructure-mapping/ www.secnews.physaphae.fr/article.php?IdArticle=2653449 False Threat APT 36 None CISCO Talos - Cisco Research blog ObliqueRAT returns with new campaign using hijacked websites ]]> 2021-03-02T05:49:51+00:00 http://feedproxy.google.com/~r/feedburner/Talos/~3/TszHfxDii4A/obliquerat-new-campaign.html www.secnews.physaphae.fr/article.php?IdArticle=2422553 False Malware APT 36 None Anomali - Firm Blog COVID-19 Attacks – Defending Your Organization Defending Your Organization Against COVID-19 Cyber Attacks. In this webinar, AJ, and I describe COVID-19 attacks in January through March, the groups behind them, and key MITRE ATT&CK techniques being employed. We then discuss ways an organization can keep themselves safe from these types of attacks. Pandemic Background COVID-19 is a pandemic viral respiratory disease, originally identified in Wuhan, China in December 2019. 
At the time of the webinar, it had infected around 1.5 million people worldwide. Within the first month, cyber actors capitalized on the opportunity.  COVID Attack Timeline December 2019 - January 2020 At the end of December 2019, China alerted the World Health Organization (WHO) that there was an outbreak in Wuhan, China. Within a month, the first cyber events were being recorded. Around January 31, 2020, malicious emails (T1566.001) using the Emotet malware (S0367) and a phishing campaign (T1566.001) using LokiBot (S0447) were tied to TA542 alias Mummy Spider. Emotet, in particular, was prolific. It originally started as a banking Trojan, then evolved into a delivery mechanism for an initial payload that infected systems to download additional malware families such as TrickBot (S0266). Around this same time, there was a marked increase in the registration of domain names with COVID-19 naming conventions, a key indicator of an uptick in phishing campaigns. February 2020 In early February, the progression of adversaries using uncertainty about and thirst for information regarding the COVID-19 pandemic became apparent. New malware variants and malware families were reported employing coronavirus related content, including NanoCore RAT (S0336) and Parallax RAT, a newer remote-access Trojan, to infect unsuspecting users. Throughout February, cybercrime actors launched several phishing campaigns (T1566.001) to deliver information stealer AZORult (S0344). With worldwide government health agencies giving advice on cyber and physical health, threat actors aligned with nation-states such as Russia (Hades APT), China (Mustang Panda), and North Korea (Kimsuky - G0094) used this messaging to lure individuals to download and/or execute malicious files disguised as legitimate documents. 
These state-sponsored groups used convincing lures to impersonate organizations such as the United Nations (UN), the World Health Organization (WHO), and various public health government agencies to achieve short- and long-term national objectives. March 2020 In March, we observed a flurry of nation-state and cybercrime attributed malicious activity seeking to exploit the COVID-19 pandemic. Cybercrime actors distributed a range of malware families, including NanoCore (S0336), ]]> 2020-10-15T14:00:00+00:00 https://www.anomali.com/blog/covid-19-attacks-defending-your-organization www.secnews.physaphae.fr/article.php?IdArticle=2103277 False Ransomware,Spam,Malware,Threat APT 36 3.0000000000000000 Dark Reading - Informationweek Branch \'Transparent Tribe\' APT Group Deploys New Android Spyware for Cyber Espionage 2020-08-26T18:30:00+00:00 https://www.darkreading.com/attacks-breaches/transparent-tribe-apt-group-deploys-new-android-spyware-for-cyber-espionage-/d/d-id/1338769?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple www.secnews.physaphae.fr/article.php?IdArticle=1884019 False None APT 36 None Kaspersky - Kaspersky Research blog Transparent Tribe: Evolution analysis,part 2 2020-08-26T10:00:44+00:00 https://securelist.com/transparent-tribe-part-2/98233/ www.secnews.physaphae.fr/article.php?IdArticle=1882871 False None APT 36 None Security Affairs - Blog Secu Transparent Tribe APT hit 1000+ victims in 27 countries in the last 12 months 2020-08-24T06:51:36+00:00 https://securityaffairs.co/wordpress/107446/apt/transparent-tribe-apt-2020.html?utm_source=rss&utm_medium=rss&utm_campaign=transparent-tribe-apt-2020 www.secnews.physaphae.fr/article.php?IdArticle=1878694 False None APT 36 None ZD Net - Magazine Info Transparent Tribe APT targets government, military by infecting USB devices 2020-08-20T12:03:21+00:00 https://www.zdnet.com/article/transparent-tribe-hacking-group-spreads-malware-by-infecting-usb-devices/#ftag=RSSbaffb68 
www.secnews.physaphae.fr/article.php?IdArticle=1871935 False None APT 36 None Kaspersky - Kaspersky Research blog Transparent Tribe: Evolution analysis, part 1 2020-08-20T10:00:13+00:00 https://securelist.com/transparent-tribe-part-1/98127/ www.secnews.physaphae.fr/article.php?IdArticle=1871683 False None APT 36 None Malwarebytes Labs - MalwarebytesLabs A week in security (March 16 – 22) A roundup of the previous week's most notable security stories and events, including COVID-19-themed threats, child identity theft, and securely working from home. Categories: A week in security Tags: (Read more...) ]]> 2020-03-23T16:44:58+00:00 https://blog.malwarebytes.com/a-week-in-security/2020/03/a-week-in-security-march-16-22/ www.secnews.physaphae.fr/article.php?IdArticle=1615986 False None APT 36 None IT Security Guru - Blog Sécurité Crimson RAT spread via Coronavirus Phishing 2020-03-18T10:48:32+00:00 https://www.itsecurityguru.org/2020/03/18/crimson-rat-spread-via-coronavirus-phishing/?utm_source=rss&utm_medium=rss&utm_campaign=crimson-rat-spread-via-coronavirus-phishing www.secnews.physaphae.fr/article.php?IdArticle=1604445 True Tool,Threat APT 36 2.0000000000000000 Malwarebytes Labs - MalwarebytesLabs APT36 jumps on the coronavirus bandwagon, delivers Crimson RAT We look at a spear phishing attack from APT36, an Advanced Persistent Threat group posing as the government of India and offering guidance on coronavirus. Instead, users are infected with a Crimson RAT that steals data. Categories: Threat analysis Tags: (Read more...) 
]]> 2020-03-16T15:00:00+00:00 https://blog.malwarebytes.com/threat-analysis/2020/03/apt36-jumps-on-the-coronavirus-bandwagon-delivers-crimson-rat/ www.secnews.physaphae.fr/article.php?IdArticle=1600364 False Threat APT 36 None Security Affairs - Blog Secu The North Korean Kimsuky APT threatens South Korea evolving its TTPs 2020-03-03T18:48:42+00:00 https://securityaffairs.co/wordpress/98878/malware/kimsuky-apt-south-korea.html www.secnews.physaphae.fr/article.php?IdArticle=1579381 False Threat APT 36,APT 34 None Security Affairs - Blog Secu Exclusive: Pakistan and India to armaments: Operation Transparent Tribe is back 4 years later 2020-02-21T13:48:11+00:00 https://securityaffairs.co/wordpress/98249/apt/operation-transparent-tribe-pakistan-india.html www.secnews.physaphae.fr/article.php?IdArticle=1556872 False None APT 36 None Malwarebytes Labs - MalwarebytesLabs Can we trust our online project management tools? Online project management tools can be not only useful, but a lifeline for developers and PMs who juggle multiple tasks with competing deadlines. How can we use them in a secure way? Categories: Business Security world Tags: (Read more...) ]]> 2018-07-06T15:00:00+00:00 https://blog.malwarebytes.com/security-world/2018/07/can-trust-online-project-management-tools/ www.secnews.physaphae.fr/article.php?IdArticle=733150 False None APT 36 None TrendLabs Security - Editeur Antivirus “Operation C-Major” Actors Also Used Android, BlackBerry Mobile Spyware Against Targets Trendlabs Security Intelligence Blog - by Trend Micro“Operation C-Major” Actors Also Used Android, BlackBerry Mobile Spyware Against Targets]]> 2016-04-18T14:07:50+00:00 http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/oxiX-SReP2A/ www.secnews.physaphae.fr/article.php?IdArticle=557 False None APT 36 None