www.secnews.physaphae.fr This is the RSS 2.0 feed from www.secnews.physaphae.fr. It is a simple aggregated flow of multiple article sources. The list of sources can be found on www.secnews.physaphae.fr. 2024-06-02T16:37:43+00:00 www.secnews.physaphae.fr Techworm - News Malware Targets Routers To Steal Passwords From Web Requests warned in a blog post. "Cuttlefish lies in wait, passively sniffing packets, acting only when triggered by a predefined rule set. The packet sniffer used by Cuttlefish was designed to acquire authentication material, with an emphasis on public cloud-based services." 2024-05-01T23:25:26+00:00 https://www.techworm.net/2024/05/malware-target-router-steal-password.html www.secnews.physaphae.fr/article.php?IdArticle=8491968 False Malware,Threat,Cloud,Technical APT 32 4.0000000000000000 AlienVault Lab Blog - AlienVault is a major defensive actor in IOCs Mac systems turned into proxy exit nodes by AdLoad SentinelOne in 2021 and Microsoft in 2022. As stated in Microsoft's report on UpdateAgent, a malware delivering AdLoad through drive-by compromise, AdLoad redirected users' traffic through the adware operators' servers, injecting advertisements and promotions into webpages and search results with a Person-in-The-Middle (PiTM) attack. These two previous campaigns, together with the campaign described in this blog, support the theory that AdLoad could be running a pay-per-install campaign on the infected systems. The main purpose of the malware has always been to act as a downloader for subsequent payloads. It has been identified delivering a wide range of payloads (adware, bundleware, PiTM, backdoors, proxy applications, etc.)
every few months to a year, sometimes conveying different payloads depending on system settings such as geolocation, device make and model, operating system version, or language settings, as reported by SentinelOne. In all observed samples, regardless of payload, they report to an AdLoad server during execution on the victim's system. This beacon (analyzed later in Figures 3 and 4) includes system information in the user agent and the body, without any relevant response aside from a 200 HTTP response code. This activity probably represents AdLoad's method of keeping count of the number of infected systems, supporting the pay-per-install scheme. AT&T Alien Labs has observed similar activity in our threat analysis systems throughout the last year, with the AdLoad malware being installed on the infected systems. However, Alien Labs is now observing a previously unreported payload being delivered to the victims. The payload corresponds to a proxy application, converting its targets into proxy exit nodes after infection. As seen in Figure 1, the threat actors behind this campaign have been very active since the beginning of 2022. Figure 1. Histogram of AdLoad samples identified by Alien Labs. The vast numb 2023-08-10T10:00:00+00:00 https://cybersecurity.att.com/blogs/labs-research/mac-systems-turned-into-proxy-exit-nodes-by-adload www.secnews.physaphae.fr/article.php?IdArticle=8368296 False Spam,Malware,Threat,Cloud APT 32 2.0000000000000000 Anomali - Firm Blog Inside TeamTNT's Impressive Arsenal: A Look Into A TeamTNT Server Figure 1 - Overview of /cmd/ Contained on the server are approximately 50 scripts, most of which are already documented, located in the /cmd/ directory.
The objectives of the scripts vary and include the following: AWS Credential Stealer, Diamorphine Rootkit, IP Scanners, Mountsploit, scripts to set up utilities, scripts to set up miners, scripts to remove previous miners. Figure 2 - Snippet of AWS Credential Stealer Script One notable script, for example, is the one that steals AWS EC2 credentials, shown above in Figure 2. The AWS access key, secret key, and token are piped into a text file that is uploaded to the Command and Control (C2) server. Figure 3 - Chimaera_Kubernetes_root_PayLoad_2.sh Another interesting script is shown in Figure 3 above, which checks the architecture of the system and retrieves the XMRig miner version for that architecture from another open TeamTNT server, 85.214.149[.]236. Binaries (/bin/) Figure 4 - Overview of /bin Within the /bin/ folder, shown in Figure 4 above, there is a collection of malicious binaries and utilities that TeamTNT use in their operations. Among the files are well-known samples attributed to TeamTNT, including the Tsunami backdoor and an XMRig cryptominer. Some of the tools have their source code located on the server, such as the TeamTNT Bot. The folder /a.t.b contains the source code for the TeamTNT bot, shown in Figures 5 and 6 below. In addition, the same binaries have been found on a TeamTNT Docker image, noted in Appendix A. 2021-10-06T19:06:00+00:00 https://www.anomali.com/blog/inside-teamtnts-impressive-arsenal-a-look-into-a-teamtnt-server www.secnews.physaphae.fr/article.php?IdArticle=3479896 False Malware,Tool,Threat APT 32,Uber None The Hacker News - The Hacker News is a hacking-news blog (surprising, isn't it?)
New Cryptojacking Malware Targeting Apache, Oracle, Redis Servers 2021-02-01T03:15:16+00:00 http://feedproxy.google.com/~r/TheHackersNews/~3/j5O_XD1jTuY/new-cryptojacking-malware-targeting.html www.secnews.physaphae.fr/article.php?IdArticle=2278378 False Malware,Threat APT 32 None Security Affairs - Security Blog New Pro-Ocean crypto-miner targets Apache ActiveMQ, Oracle WebLogic, and Redis installs 2021-01-31T11:27:14+00:00 https://securityaffairs.co/wordpress/114005/malware/pro-ocean-miner.html?utm_source=rss&utm_medium=rss&utm_campaign=pro-ocean-miner www.secnews.physaphae.fr/article.php?IdArticle=2275053 False Malware APT 32 None Bleeping Computer - American Magazine New Pro-Ocean malware worms through Apache, Oracle, Redis servers 2021-01-29T14:06:49+00:00 https://www.bleepingcomputer.com/news/security/new-pro-ocean-malware-worms-through-apache-oracle-redis-servers/ www.secnews.physaphae.fr/article.php?IdArticle=2268844 False Malware APT 32 None Kaspersky Threatpost - Kaspersky is a Russian antivirus vendor Rocke Group's Malware Now Has Worm Capabilities 2021-01-28T20:06:57+00:00 https://threatpost.com/rocke-groups-malware-now-has-worm-capabilities/163463/ www.secnews.physaphae.fr/article.php?IdArticle=2262535 False Malware APT 32 None Kaspersky Threatpost - Kaspersky is a Russian antivirus vendor Facebook Shutters Accounts Used in APT32 Cyberattacks 2020-12-11T17:05:37+00:00 https://threatpost.com/facebook-accounts-apt32-cyberattacks/162186/ www.secnews.physaphae.fr/article.php?IdArticle=2092716 False Malware,Threat APT 32 None Graham Cluley - Blog Security Mac users warned of more Ocean Lotus malware targeted attacks 2020-12-02T16:26:10+00:00 https://grahamcluley.com/mac-users-warned-of-more-ocean-lotus-malware-targeted-attacks/ www.secnews.physaphae.fr/article.php?IdArticle=2072670 False Malware APT 32 None IT Security Guru - Security Blog MacOS users targeted with updated malware 2020-12-01T11:11:20+00:00
https://www.itsecurityguru.org/2020/12/01/macos-users-targeted-with-updated-malware/?utm_source=rss&utm_medium=rss&utm_campaign=macos-users-targeted-with-updated-malware www.secnews.physaphae.fr/article.php?IdArticle=2070074 False Malware APT 32 None Malwarebytes Labs - MalwarebytesLabs A week in security (April 15 – 21) A roundup of security news from April 15–21, including an explanation of like-farming, the Ellen DeGeneres scam, flaws in VPN services, funky malware formats found in Ocean Lotus, and more. Categories: Security world, Week in security 2019-04-22T15:47:02+00:00 https://blog.malwarebytes.com/security-world/2019/04/a-week-in-security-april-15-21/ www.secnews.physaphae.fr/article.php?IdArticle=1095519 True Malware APT 32 None Malwarebytes Labs - MalwarebytesLabs Funky malware format found in Ocean Lotus sample Recently, one of our researchers presented at the SAS conference on "Funky malware formats": atypical executable formats used by malware that are only loaded by proprietary loaders. In this post, we analyze one of those formats in a sample called Ocean Lotus from the APT 32 threat group in Vietnam. Categories: Malware, Threat analysis
2019-04-19T18:37:05+00:00 https://blog.malwarebytes.com/threat-analysis/2019/04/funky-malware-format-found-in-ocean-lotus-sample/ www.secnews.physaphae.fr/article.php?IdArticle=1095040 False Malware,Threat APT 32 None We Live Security - ESET Antivirus Software Vendor OceanLotus: macOS malware update Latest ESET research describes the inner workings of a recently found addition to OceanLotus's toolset for targeting Mac users 2019-04-09T09:30:05+00:00 https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/ www.secnews.physaphae.fr/article.php?IdArticle=1091885 False Malware APT 32 None Security Affairs - Security Blog Attackers behind Operation Oceansalt reuse code from Chinese Comment Crew 2018-10-19T07:06:03+00:00 https://securityaffairs.co/wordpress/77228/apt/operation-oceansalt.html www.secnews.physaphae.fr/article.php?IdArticle=854509 False Malware,Threat APT 32,APT 1 None ZD Net - IT Magazine Oceansalt cyberattack wave linked to defunct Chinese APT Comment Crew 2018-10-18T04:01:00+00:00 https://www.zdnet.com/article/seasalt-cyberattack-wave-linked-to-chinese-apt-comment-crew/#ftag=RSSbaffb68 www.secnews.physaphae.fr/article.php?IdArticle=852815 False Malware APT 32,APT 1 None