www.secnews.physaphae.fr
This is the RSS 2.0 feed from www.secnews.physaphae.fr. It is a simple aggregated flow of multiple article sources. The list of sources can be found on www.secnews.physaphae.fr.
2025-05-10T23:12:45+00:00

Source: RiskIQ - cyber risk firms (now Microsoft)
Title: Earth Simnavaz (aka APT34) Levies Advanced Cyberattacks Against UAE and Gulf Regions
Summary: Targeted Geolocations: United Arab Emirates. Snapshot: Researchers at Trend Micro have identif [...]
Published: 2024-10-11T21:41:42+00:00
Link: https://community.riskiq.com/article/bc0f3dd1
Local: www.secnews.physaphae.fr/article.php?IdArticle=8596273
Metadata: False | Malware, Tool, Vulnerability, Threat, Prediction | APT 34 | 3.0000000000000000

Source: RiskIQ - cyber risk firms (now Microsoft)
Title: UNC1860 and the Temple of Oats: Iran's Hidden Hand in Middle Eastern Networks
Published: 2024-09-19T21:39:29+00:00
Link: https://community.riskiq.com/article/e882507d
Local: www.secnews.physaphae.fr/article.php?IdArticle=8579917
Metadata: False | Malware, Tool, Threat, Cloud | APT 34 | 3.0000000000000000

Source: Mandiant - Mandiant security blog
Title: UNC1860 and the Temple of Oats: Iran's Hidden Hand in Middle Eastern Networks
Summary: Executive Summary. UNC1860 is a persistent and opportunistic Iranian state-sponsored threat actor that is likely affiliated with Iran's Ministry of Intelligence and Security (MOIS). A key feature of UNC1860 is its collection of specialized tooling and passive backdoors that Mandiant believes supports several objectives, including its role as a probable initial access provider and its ability to gain persistent access to high-priority networks, such as those in the government and telecommunications space throughout the Middle East.
UNC1860's tradecraft and targeting parallel those of Shrouded Snooper, Scarred Manticore, and Storm-0861, Iran-based threat actors publicly reported to have targeted the telecommunications and government sectors in the Middle East. These groups have also reportedly provided initial access for destructive and disruptive operations that targeted Israel in late October 2023 with BABYWIPER and Albania in 2022 using ROADSWEEP. Mandiant cannot independently corroborate that UNC1860 was involved in providing initial access for these operations. However, we identified specialized UNC1860 tooling, including GUI-operated malware controllers, which are likely designed to facilitate hand-off operations, further supporting the initial access role played by UNC1860. UNC1860 additionally maintains an arsenal of utilities and a collection of "main-stage" passive backdoors designed to gain strong footholds into victim networks and establish persistent, long-term access. Among these main-stage backdoors is a Windows kernel-mode driver repurposed from a legitimate Iranian anti-virus software filter driver, reflecting the group's ability to reverse engineer Windows kernel components and to evade detection. These capabilities demonstrate that UNC1860 is a formidable threat actor that likely supports various objectives ranging from espionage to network attack operations.
As tensions continue to ebb and flow in the Middle East, we belie [...]
Published: 2024-09-19T14:00:00+00:00
Link: https://cloud.google.com/blog/topics/threat-intelligence/unc1860-iran-middle-eastern-networks/
Local: www.secnews.physaphae.fr/article.php?IdArticle=8579617
Metadata: False | Malware, Tool, Vulnerability, Threat, Cloud, Technical | APT 34 | 3.0000000000000000

Source: RiskIQ - cyber risk firms (now Microsoft)
Title: Weekly OSINT Highlights, 16 September 2024
Published: 2024-09-16T11:20:34+00:00
Link: https://community.riskiq.com/article/f4ae836f
Local: www.secnews.physaphae.fr/article.php?IdArticle=8577706
Metadata: False | Ransomware, Malware, Tool, Vulnerability, Threat, Patching, Prediction, Cloud | APT 34 | 2.0000000000000000

Source: The Hacker News - a hacking news blog (surprising, isn't it?)
Title: Iranian Cyber Group OilRig Targets Iraqi Government in Sophisticated Malware Attack
Summary: Iraqi government networks have emerged as the target of an "elaborate" cyber attack campaign orchestrated by an Iran state-sponsored threat actor called OilRig. The attacks singled out Iraqi organizations such as the Prime Minister's Office and the Ministry of Foreign Affairs, cybersecurity company Check Point said in a new analysis. OilRig, also called APT34, Crambus, Cobalt Gypsy, GreenBug, [...]
Published: 2024-09-12T16:19:00+00:00
Link: https://thehackernews.com/2024/09/iranian-cyber-group-oilrig-targets.html
Local: www.secnews.physaphae.fr/article.php?IdArticle=8575176
Metadata: False | Malware, Threat | APT 34 | 3.0000000000000000

Source: RiskIQ - cyber risk firms (now Microsoft)
Title: Targeted Iranian Attacks Against Iraqi Government Infrastructure
Published: 2024-09-11T23:46:33+00:00
Link: https://community.riskiq.com/article/6289e51f
Local: www.secnews.physaphae.fr/article.php?IdArticle=8574915
Metadata: False | Malware, Tool, Threat | APT 34 | 2.0000000000000000

Source: RiskIQ - cyber risk firms (now Microsoft)
Title: Fake Palo Alto GlobalProtect used as lure to backdoor enterprises
Published: 2024-09-04T18:51:15+00:00
Link: https://community.riskiq.com/article/22951902
Local: www.secnews.physaphae.fr/article.php?IdArticle=8569939
Metadata: False | Malware, Tool, Threat, Prediction | APT 34 | 2.0000000000000000

Source: RiskIQ - cyber risk firms (now Microsoft)
Title: Weekly OSINT Highlights, 28 May 2024
Published: 2024-05-28T17:37:40+00:00
Link: https://community.riskiq.com/article/eb5e10a2
Local: www.secnews.physaphae.fr/article.php?IdArticle=8508725
Metadata: False | Ransomware, Malware, Hack, Tool, Threat | APT 34 | 3.0000000000000000

Source: RiskIQ - cyber risk firms (now Microsoft)
Title: Bad Karma, No Justice: Void Manticore Destructive Activities in Israel
Published: 2024-05-22T15:21:21+00:00
Link: https://community.riskiq.com/article/d5d5c07f
Local: www.secnews.physaphae.fr/article.php?IdArticle=8504864
Metadata: False | Ransomware, Malware, Tool, Threat | APT 34 | 3.0000000000000000

Source: The Hacker News - a hacking news blog (surprising, isn't it?)
Title: Iranian State-Sponsored OilRig Group Deploys 3 New Malware Downloaders
Summary: The Iranian state-sponsored threat actor known as OilRig deployed three different malware downloaders throughout 2022 to maintain persistent access to victim organizations located in Israel. The three new downloaders have been named ODAgent, OilCheck, and OilBooster by Slovak cybersecurity company ESET. The attacks also involved the use of an updated version of a known OilRig downloader [...]
Published: 2023-12-14T18:00:00+00:00
Link: https://thehackernews.com/2023/12/iranian-state-sponsored-oilrig-group.html
Local: www.secnews.physaphae.fr/article.php?IdArticle=8422615
Metadata: False | Malware, Threat | APT 34 | 2.0000000000000000

Source: Recorded Future - Recorded Future feed
Title: Iran-linked hackers develop new malware downloaders to infect victims in Israel
Summary: A cyber-espionage group linked to the Iranian government developed several new malware downloaders over the past two years and has recently been using them to target organizations in Israel. Researchers at the Slovakia-based company ESET attributed the newly discovered downloaders to the Iranian advanced persistent threat group OilRig, also known as APT34. Previous reports said [...]
Published: 2023-12-14T16:30:00+00:00
Link: https://therecord.media/oilrig-apt34-iran-linked-hackers-new-downloaders-israel
Local: www.secnews.physaphae.fr/article.php?IdArticle=8422737
Metadata: False | Malware, Threat | APT 34 | 2.0000000000000000
Source: Dark Reading - Informationweek Branch
Title: 'Scarred Manticore' Unleashes the Most Advanced Iranian Cyber Espionage Yet
Summary: The government-backed APT's new malware framework represents a step up in Iran's cyber sophistication.
Published: 2023-11-02T14:46:00+00:00
Link: https://www.darkreading.com/dr-global/-scarred-manticore-unleashes-most-advanced-iranian-espionage
Local: www.secnews.physaphae.fr/article.php?IdArticle=8404734
Metadata: False | Malware | APT 34 | 3.0000000000000000

Source: HackRead - Cyber research
Title: Iran's Scarred Manticore Targets Middle East with LIONTAIL Malware
Summary: By Deeba Ahmed. Researchers believe that the primary goal behind this campaign is espionage. This is a post from HackRead.com. Read the original post: Iran's Scarred Manticore Targets Middle East with LIONTAIL Malware
Published: 2023-11-01T08:20:47+00:00
Link: https://www.hackread.com/iran-scarred-manticore-middle-east-liontail-malware/
Local: www.secnews.physaphae.fr/article.php?IdArticle=8403968
Metadata: False | Malware | APT 34 | 3.0000000000000000
Source: RiskIQ - cyber risk firms (now Microsoft)
Title: From Albania to the Middle East: The Scarred Manticore is Listening
Summary: Check Point Research (CPR) is monitoring an ongoing Iranian espionage campaign by Scarred Manticore, an actor affiliated with the Ministry of Intelligence and Security (MOIS). The attacks rely on LIONTAIL, an advanced passive malware framework installed on Windows servers. For stealth purposes, LIONTAIL implants utilize direct calls to the Windows HTTP stack driver HTTP.sys to load memory-resident payloads. The current campaign peaked in mid-2023, going under the radar for at least a year. The campaign targets high-profile organizations in the Middle East with a focus on the government, military, and telecommunications sectors, in addition to IT service providers, financial organizations and NGOs. Scarred Manticore has been pursuing high-value targets for years, utilizing a variety of IIS-based backdoors to attack Windows servers. These include a variety of custom web shells, custom DLL backdoors, and driver-based implants. While the main motivation behind Scarred Manticore's operation is espionage, some of the tools described in this report have been associated with the MOIS-sponsored destructive attack against Albanian government infrastructure (referred to as DEV-0861).
Reference URL(s): 1. https://research.checkpoint.com/2023/from-albania-to-the-middle-east-the-scarred-manticore-is-listening/
Publication Date: October 31, 2023
Author(s): Check Point Research
Published: 2023-10-31T19:45:32+00:00
Link: https://community.riskiq.com/article/b37061cc
Local: www.secnews.physaphae.fr/article.php?IdArticle=8403717
Metadata: False | Malware, Tool | APT 34 | 2.0000000000000000

Source: InfoSecurity Mag - InfoSecurity Magazine
Title: Scarred Manticore Targets Middle East With Advanced Malware
Summary: Discovered by Check Point Research (CPR) and Sygnia, the campaign peaked in mid-2023.
Published: 2023-10-31T16:30:00+00:00
Link: https://www.infosecurity-magazine.com/news/scarred-manticore-targets-middle/
Local: www.secnews.physaphae.fr/article.php?IdArticle=8403582
Metadata: False | Malware | APT 34 | 3.0000000000000000

Source: Checkpoint - Security hardware vendor
Title: Unraveling the Scarred Manticore Saga: A Riveting Epic of High-Stakes Espionage Unfolding in the Heart of the Middle East
Summary: Highlights:
1. Silent Intruders: Scarred Manticore, an Iranian cyber threat group linked to MOIS (Ministry of Intelligence & Security), is quietly running a stealthy, sophisticated spying operation in the Middle East. Using their latest malware tools framework, LIONTAIL, they have been flying under the radar for over a year.
2. Targeted Sectors: The campaign focuses on big players: government, military, telecom, IT, finance, and NGOs in the Middle East. Scarred Manticore is all about systematically nabbing data, showing their commitment to high-value targets.
3. Evolution of Tactics: Scarred Manticore's playbook has evolved from basic web shell attacks on Windows Servers to [...]
Published: 2023-10-31T10:56:45+00:00
Link: https://blog.checkpoint.com/security/unraveling-the-scarred-manticore-saga-a-riveting-epic-of-high-stakes-espionage-unfolding-in-the-heart-of-the-middle-east/
Local: www.secnews.physaphae.fr/article.php?IdArticle=8403439
Metadata: False | Malware, Tool, Threat | APT 34 | 2.0000000000000000
Source: Netskope - Netskope is an American software company providing an IT security platform
Title: Netskope Threat Coverage: Menorah
Summary: In October 2023, Netskope analyzed a malicious Word document and the malware it contained, dubbed "Menorah." The malware was attributed to the advanced persistent threat group APT34, and was reported to be distributed via spear-phishing. The malicious Office file uses dispersed and obfuscated VBA code to evade detection. The advanced persistent threat group targets [...]
Published: 2023-10-25T19:00:00+00:00
Link: https://www.netskope.com/blog/netskope-threat-coverage-menorah
Local: www.secnews.physaphae.fr/article.php?IdArticle=8400546
Metadata: False | Malware, Threat | APT 34 | 2.0000000000000000
Source: Dark Reading - Informationweek Branch
Title: Iran-Linked APT34 Spy Campaign Targets Saudis
Summary: The Menorah malware can upload and download files, as well as execute shell commands.
Published: 2023-10-02T17:19:00+00:00
Link: https://www.darkreading.com/dr-global/iran-linked-apt34-spy-campaign-targets-saudis
Local: www.secnews.physaphae.fr/article.php?IdArticle=8390594
Metadata: False | Malware | APT 34 | 3.0000000000000000

Source: The Hacker News - a hacking news blog (surprising, isn't it?)
Title: Iranian APT Group OilRig Using New Menorah Malware for Covert Operations
Summary: Sophisticated cyber actors backed by Iran known as OilRig have been linked to a spear-phishing campaign that infects victims with a new strain of malware called Menorah. "The malware was designed for cyberespionage, capable of identifying the machine, reading and uploading files from the machine, and downloading another file or malware," Trend Micro researchers Mohamed Fahmy and Mahmoud Zohdy [...]
Published: 2023-09-30T14:51:00+00:00
Link: https://thehackernews.com/2023/09/iranian-apt-group-oilrig-using-new.html
Local: www.secnews.physaphae.fr/article.php?IdArticle=8389819
Metadata: False | Malware, Prediction | APT 34 | 3.0000000000000000

Source: Recorded Future - Recorded Future feed
Title: Alleged Iranian hackers target victims in Saudi Arabia with new spying malware
Summary: Suspected Iranian hackers recently launched a new cyber espionage operation, infecting their victims with the newly discovered Menorah malware, according to a report published Friday. The hacking group APT34, also known as OilRig, Cobalt Gypsy, IRN2 and Helix Kitten, is believed to be based in Iran. It has been targeting Middle Eastern countries since at [...]
Published: 2023-09-29T18:15:00+00:00
Link: https://therecord.media/alleged-iran-hackers-target-saudi-arabia-with-new-spy-malware
Local: www.secnews.physaphae.fr/article.php?IdArticle=8389606
Metadata: False | Malware | APT 34 | 2.0000000000000000
TrendLabs Security - Editeur Antivirus APT34 déploie une attaque de phishing avec de nouveaux logiciels malveillants<br>APT34 Deploys Phishing Attack With New Malware We observed and tracked the advanced persistent threat (APT) APT34 group with a new malware variant accompanying a phishing attack comparatively similar to the SideTwist backdoor malware. Following the campaign, the group abused a fake license registration form of an African government agency to target a victim in Saudi Arabia.]]> 2023-09-29T00:00:00+00:00 https://www.trendmicro.com/en_us/research/23/i/apt34-deploys-phishing-attack-with-new-malware.html www.secnews.physaphae.fr/article.php?IdArticle=8389378 False Malware,Threat APT 34,APT 34 3.0000000000000000 Global Security Mag - Site de news francais ESET découvre que le groupe OilRig a déployé un nouveau malware sur des victimes israéliennes Malwares]]> 2023-09-22T10:26:15+00:00 https://www.globalsecuritymag.fr/ESET-decouvre-que-le-groupe-OilRig-a-deploye-un-nouveau-malware-sur-des.html www.secnews.physaphae.fr/article.php?IdArticle=8386669 False Malware,Tool APT 34 3.0000000000000000 Bleeping Computer - Magazine Américain NOUVEAUX RETOURS DE MALWOREAUX POWEREXCHANGE Microsoft Exchange Serveurs<br>New PowerExchange malware backdoors Microsoft Exchange servers A new PowerShell-based malware dubbed PowerExchange was used in attacks linked to APT34 Iranian state hackers to backdoor on-premise Microsoft Exchange servers. 
[...]]]> 2023-05-24T15:17:19+00:00 https://www.bleepingcomputer.com/news/security/new-powerexchange-malware-backdoors-microsoft-exchange-servers/ www.secnews.physaphae.fr/article.php?IdArticle=8339110 False Malware APT 34 2.0000000000000000 InfoSecurity Mag - InfoSecurity Magazine New Credential-Stealing Campaign By APT34 Targets Middle East Firms 2023-02-03T16:00:00+00:00 https://www.infosecurity-magazine.com/news/credential-stealing-campaign-apt34/ www.secnews.physaphae.fr/article.php?IdArticle=8306880 False Malware APT 34 2.0000000000000000 TrendLabs Security - Editeur Antivirus New APT34 Malware Targets The Middle East 2023-02-02T00:00:00+00:00 https://www.trendmicro.com/en_us/research/23/b/new-apt34-malware-targets-the-middle-east.html www.secnews.physaphae.fr/article.php?IdArticle=8306460 False Malware APT 34 2.0000000000000000 Anomali - Firm Blog Anomali Cyber Watch: Iran-Albanian Cyber Conflict, Ransomware Adopts Intermittent Encryption, DLL Side-Loading Provides Variety to PlugX Infections, and More Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Microsoft Investigates Iranian Attacks Against the Albanian Government (published: September 8, 2022) Microsoft researchers discovered that groups working under Iran’s Ministry of Intelligence and Security (MOIS, tracked as OilRig) attacked the government of Albania. The attackers started with initial intrusion in May 2021, proceeded with mailbox exfiltrations between October 2021 and January 2022, organized controlled leaks, and culminated on July 15, 2022, with disruptive ransomware and wiper attacks. This attack is probably a response to the June 2021 Predatory Sparrow’s anti-Iranian cyber operations promoting the Mujahedin-e Khalq (MEK), an Iranian dissident group largely based in Albania. 
Analyst Comment: MOIS attack on Albania uses messaging and targeting similar to the previous MEK-associated attack on Iran. It tells us that Iran has chosen to engage in a form of direct and proportional retaliation as it sees it. Still, the attack and its attribution caused Albania to cut diplomatic ties with Iran and expel the country's embassy staff. Organizations should implement multifactor authentication (MFA) for mailbox access and remote connectivity. Anomali platform users advised to block known OilRig network indicators. MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Data Encrypted for Impact - T1486 | [MITRE ATT&CK] Impair Defenses - T1562 | [MITRE ATT&CK] Indicator Removal on Host - T1070 Tags: OilRig, Helix Kitten, APT34, MOIS, Ministry of Intelligence and Security, Predatory Sparrow, Wiper, CVE-2021-26855, CVE-2019-0604, CVE-2022-28799, Government, Albania, target-country:AL, Iran, source-country:IR, DEV-0842, DEV-0861, DEV-0166, DEV-0133, Europium, APT, detection:Jason, detection:Mellona BRONZE PRESIDENT Targets Government Officials (published: September 8, 2022) Secureworks researchers detected a new campaign by China-sponsored group Mustang Panda (Bronze President). In June and July 2022, the group used spearphishing to deliver the PlugX malware to government officials in Europe, the Middle East, and South America. To bypass mail-scanning antiviruses, the archived email attachment had malware embedded eight levels deep in a sequence of hidden folders named with special characters. Analyst Comment: Many advanced attacks start with basic techniques such as unwarranted email with malicious attachment that requires the user to open it and enable macros. It is important to teach your users basic online hygiene and phishing awareness. 
MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | ]]> 2022-09-13T15:00:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-iran-albanian-cyber-conflict-ransomware-adopts-intermittent-encryption-dll-side-loading-provides-variety-to-plugx-infections-and-more www.secnews.physaphae.fr/article.php?IdArticle=6869959 False Ransomware,Malware,Tool,Vulnerability,Threat,Guideline APT 27,APT 34 None NoticeBored - Experienced IT Security professional CISO workshop slides glossy, nicely-constructed and detailed PowerPoint slide deck by Microsoft Security caught my beady this morning. The title 'CISO Workshop: Security Program and Strategy' with 'Your Name Here' suggests it might be a template for use in a workshop/course bringing CISOs up to speed on the governance, strategic and architectural aspects of information security, but in fact given the amount of technical detail, it appears to be aimed at informing IT/technology managers about IT or cybersecurity, specifically. Maybe it is intended for newly-appointed CISOs or more junior managers who aspire to be CISOs, helping them clamber up the pyramid (slide 87 of 142):]]> 2022-08-06T10:46:21+00:00 http://blog.noticebored.com/2022/08/a-glossy-nicely-constructed-and.html www.secnews.physaphae.fr/article.php?IdArticle=6150878 False Malware,Vulnerability,Threat,Patching,Guideline,Medical,Cloud Uber,APT 38,APT 37,APT 28,APT 19,APT 15,APT 10,APT 34,Guam None Anomali - Firm Blog Anomali Cyber Watch: Costa Rica in Ransomware Emergency, Charming Kitten Spy and Ransom, Saitama Backdoor Hides by Sleeping, and More Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence COBALT MIRAGE Conducts Ransomware Operations in U.S. (published: May 12, 2022) Secureworks researchers describe campaigns by Iran-sponsored group Cobalt Mirage. 
These actors are likely part of a larger group, Charming Kitten (Phosphorus, APT35, Cobalt Illusion). In 2022, Cobalt Mirage deployed BitLocker ransomware on a US charity systems, and exfiltrated data from a US local government network. Their ransomware operations appear to be a low-scale, hands-on approach with rare tactics such as sending a ransom note to a local printer. The group utilized its own custom binaries including a Fast Reverse Proxy client (FRPC) written in Go. It also relied on mass scanning for known vulnerabilities (ProxyShell, Log4Shell) and using commodity tools for encryption, internal scanning, and lateral movement. Analyst Comment: However small your government or NGO organization is, it still needs protection from advanced cyber actors. Keep your system updated, and employ mitigation strategies when updates for critical vulnerabilities are not available. MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] OS Credential Dumping - T1003 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Modify Registry - T1112 | [MITRE ATT&CK] Create Account - T1136 | [MITRE ATT&CK] Account Manipulation - T1098 | [MITRE ATT&CK] Proxy - T1090 | [MITRE ATT&CK] Data Encrypted for Impact - T1486 Tags: Cobalt Mirage, Phosphorous, Cobalt Illusion, TunnelVision, Impacket, wmiexec, Softperfect network scanner, LSASS, RDP, Powershell, BitLocker, Ransomware, Fast Reverse Proxy client, FRP, FRPC, Iran, source-country:IR, USA, target-country:US, Cyberespionage, Government, APT, Go, Log4j2, ProxyShell, CVE-2021-34473, CVE-2021-45046, CVE-2021-44228, CVE-2020-12812, CVE-2021-31207, CVE-2018-13379, CVE-2021-34523, CVE-2019-5591 SYK Crypter Distributing Malware Families Via Discord (published: May 12, 2022) Morphisec researchers discovered a new campaign abusing popular messaging platform Discord content distribution network (CDN). 
If a targeted user activates the phishing attachment, it starts the DNetLoader malware that reaches out to the hardcoded Discord CDN link and downloads a next stage crypter such as newly-discovered SYK crypter. SYK crypter is being loaded into memory where it decrypts its configuration and the next stage payload using hardcoded keys and various encryption methods. It detects and impairs antivirus solutions and checks for d]]> 2022-05-17T15:01:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-costa-rica-in-ransomware-emergency-charming-kitten-spy-and-ransom-saitama-backdoor-hides-by-sleeping-and-more www.secnews.physaphae.fr/article.php?IdArticle=4668209 False Ransomware,Malware,Tool,Vulnerability,Threat,Conference APT 35,APT 15,APT 34 None The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) Iranian Hackers Using New Marlin Backdoor in \'Out to Sea\' Espionage Campaign 2022-02-09T03:25:23+00:00 https://thehackernews.com/2022/02/iranian-hackers-using-new-marlin.html www.secnews.physaphae.fr/article.php?IdArticle=4098925 False Malware,Threat APT 34 None Anomali - Firm Blog Anomali Cyber Watch: Android Malware, Government, Middle East and More Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Iran’s APT34 Returns with an Updated Arsenal (published: April 8, 2021) Check Point Research discovered evidence of a new campaign by the Iranian threat group APT34. The threat group has been actively retooling and updating its payload arsenal to try and avoid detection. They have created several different malware variants whose ultimate purpose remained the same, to gain the initial foothold on the targeted device. Analyst Comment: Threat actors are always innovating new methods and update tools used to carry out attacks. 
Always practice Defense in Depth (do not rely on single security mechanisms - security measures should be layered, redundant, and failsafe). MITRE ATT&CK: [MITRE ATT&CK] Command-Line Interface - T1059 | [MITRE ATT&CK] Exploitation of Remote Services - T1210 | [MITRE ATT&CK] Spearphishing Attachment - T1193 | [MITRE ATT&CK] Custom Cryptographic Protocol - T1024 | [MITRE ATT&CK] Web Service - T1102 | [MITRE ATT&CK] Remote File Copy - T1105 | [MITRE ATT&CK] Scripting - T1064 Tags: OilRig, APT34, DNSpionage, Lab Dookhtegan, TONEDEAF, Dookhtegan, Karkoff, DNSpionage, Government, Middle East New Wormable Android Malware Spreads by Creating Auto-Replies to Messages in WhatsApp (published: April 7, 2021) Check Point Research recently discovered Android malware on Google Play hidden in a fake application that is capable of spreading itself via users’ WhatsApp messages. The malware is capable of automatically replying to victim’s incoming WhatsApp messages with a payload received from a command-and-control (C2) server. This unique method could have enabled threat actors to distribute phishing attacks, spread false information or steal credentials and data from users’ WhatsApp accounts, and more. Analyst Comment: Users’ personal mobile has many enterprise applications installed like Multifactor Authenticator, Email Client, etc which increases the risk for the enterprise even further. Users should be wary of download links or attachments that they receive via WhatsApp or other messaging apps, even when they appear to come from trusted contacts or messaging groups. The latest security patches should be installed for both applications and the operating system. 
Tags: Android, FlixOnline, WhatsApp ]]> 2021-04-13T15:49:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-android-malware-government-middle-east-and-more www.secnews.physaphae.fr/article.php?IdArticle=2631341 False Ransomware,Malware,Vulnerability,Threat,Guideline APT 34 None The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) Researchers uncover a new Iranian malware used in recent cyberattacks ]]> 2021-04-08T06:37:05+00:00 http://feedproxy.google.com/~r/TheHackersNews/~3/hz96-cUbfVk/researchers-uncover-new-iranian-malware.html www.secnews.physaphae.fr/article.php?IdArticle=2604912 False Malware,Threat APT 34 None Anomali - Firm Blog Anomali Cyber Watch: APT Groups, Cobalt Strike, Russia, Malware, and More get signed up today so you can receive curated and summarized cybersecurity intelligence events weekly. The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: China, Emotet, Go, Masslogger, Mustang Panda, OilRig, and Vulnerabilities. The IOCs related to these stories are attached to the Weekly Threat Briefing and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Hypervisor Jackpotting: CARBON SPIDER and SPRITE SPIDER Target ESXi Servers With Ransomware to Maximize Impact (published: February 26, 2021) Recent reporting indicates that two prolific cybercrime threat groups, CARBON SPIDER and SPRITE SPIDER, have begun targeting ESXi, a hypervisor developed by VMWare to run and manage virtual machines. SPRITE SPIDER uses PyXie's LaZagne module to recover vCenter credentials stored in web browsers and runs Mimikatz to steal credentials from host memory. After authenticating to vCenter, SPRITE SPIDER enables ssh to permit persistent access to ESXi devices. 
In some cases, they also change the root account password or the host’s SSH keys. Before deploying Defray 777, SPRITE SPIDER’s ransomware of choice, they terminate running VMs so that the ransomware can encrypt the files associated with those VMs. CARBON SPIDER has traditionally targeted companies operating POS devices, gaining initial access through low-volume phishing campaigns against this sector. Throughout 2020, however, they were observed shifting focus to “Big Game Hunting” with the introduction of the Darkside ransomware. CARBON SPIDER gains access to ESXi servers using valid credentials and reportedly also logs in over SSH using the Plink utility to drop the Darkside

Recommendation: Both CARBON SPIDER and SPRITE SPIDER likely intend to use ransomware targeting ESXi to inflict greater harm – and hopefully realize larger profits – than traditional ransomware operations against Windows systems. Should these campaigns continue and prove to be profitable, we would expect more threat actors to imitate these activities.
MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact - T1486 | [MITRE ATT&CK] Hidden Files and Directories - T1158 | [MITRE ATT&CK] Process Discovery - T1057 | [MITRE ATT&CK] File Deletion - T1107 | [MITRE ATT&CK] Remote Services - T1021 | [MITRE ATT&CK] Scheduled Transfer - T1029
2021-03-02T15:00:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-apt-groups-cobalt-strike-russia-malware-and-more www.secnews.physaphae.fr/article.php?IdArticle=2422682 False Ransomware,Malware,Threat Wannacry,Wannacry,APT 29,APT 28,APT 31,APT 34 None

The State of Security - American magazine
Poison Frog Malware Samples Reveal OilRig's Sloppiness
2019-12-17T14:40:28+00:00 https://www.tripwire.com/state-of-security/ics-security/poison-frog-malware-samples-reveal-oilrigs-sloppiness/ www.secnews.physaphae.fr/article.php?IdArticle=1494023 False Malware,Threat APT 34 None

The Hacker News - The Hacker News is a hacking news blog (surprising, isn't it?)
ZeroCleare: New Iranian Data Wiper Malware Targeting Energy Sector
2019-12-05T01:07:48+00:00 http://feedproxy.google.com/~r/TheHackersNews/~3/CjdnfVinShk/zerocleare-data-wiper-malware.html www.secnews.physaphae.fr/article.php?IdArticle=1493457 False Malware APT 34 None

Bleeping Computer - American magazine
Russian Hackers Use Iranian Threat Group's Tools, Servers as Cover
2019-10-21T15:29:10+00:00 https://www.bleepingcomputer.com/news/security/russian-hackers-use-iranian-threat-groups-tools-servers-as-cover/ www.secnews.physaphae.fr/article.php?IdArticle=1418268 False Malware,Threat APT 34 None

InformationSecurityBuzzNews - Security news site
Iranian Hackers Send Out Fake LinkedIn Invitations Laced With Malware
2019-07-23T14:40:03+00:00 https://www.informationsecuritybuzz.com/expert-comments/iranian-hackers-send-out-fake-linkedin-invitations-laced-with-malware/ www.secnews.physaphae.fr/article.php?IdArticle=1220106 False Malware APT 34 None

Security Affairs - Security blog
New APT34 campaign uses LinkedIn to deliver fresh malware
2019-07-22T08:04:00+00:00 https://securityaffairs.co/wordpress/88737/apt/apt34-cyberspionage-linkedin.html www.secnews.physaphae.fr/article.php?IdArticle=1219314 False Malware APT 24,APT 34 None

SecurityWeek - Security News
Iranian Hackers Use New Malware in Recent Attacks
2019-07-19T17:46:01+00:00 https://www.securityweek.com/iranian-hackers-use-new-malware-recent-attacks www.secnews.physaphae.fr/article.php?IdArticle=1215568 False Malware APT 34 3.0000000000000000

Mandiant - Mandiant's security blog
Hard Pass: Declining APT34's Invite to Join Their Professional Network

Background

With increasing geopolitical tensions in the Middle East, we expect Iran to significantly increase the volume and scope of its cyber espionage campaigns. Iran has a critical need for strategic intelligence and is likely to fill this gap by conducting espionage against decision makers and key organizations that may have information that furthers Iran's economic and national security goals. The identification of new malware and the creation of additional infrastructure to enable such campaigns highlights the increased tempo of these operations in support of Iranian interests.
2019-07-18T10:00:00+00:00 https://www.mandiant.com/resources/blog/hard-pass-declining-apt34-invite-to-join-their-professional-network www.secnews.physaphae.fr/article.php?IdArticle=8377692 False Malware APT 34,APT 34 4.0000000000000000

Security Affairs - Security blog
Analyzing OilRig's malware that uses DNS Tunneling
2019-04-18T20:47:05+00:00 https://securityaffairs.co/wordpress/84125/apt/oilrig-dns-tunneling.html www.secnews.physaphae.fr/article.php?IdArticle=1093975 False Malware APT 34 None

Kaspersky Threatpost - Kaspersky is a Russian antivirus vendor
OilRig APT Continues Its Ongoing Malware Evolution
2018-09-13T21:19:00+00:00 https://threatpost.com/oilrig-apt-continues-its-ongoing-malware-evolution/137444/ www.secnews.physaphae.fr/article.php?IdArticle=806896 False Malware,Tool APT 34 None

AlienVault Lab Blog - AlienVault is a major defensive player in IOCs
Malware Analysis using Osquery Part 2

In the first part of this series, we saw how you can use Osquery to analyze and extract valuable information about malware’s behavior. In that post, we followed the activity of the known Emotet loader, popular for distributing banking trojans. Using Osquery, we were able to discover how it infects a system using a malicious Microsoft Office document and how it extracts and executes the payload. In this post, we are going to look at another common technique that malware uses: persistence. To do so, we will continue using Osquery to explore the registry and startup_items tables.

Registry Persistence

In this case, we will analyze a piece of malware built using the .NET framework, in particular a sample of Shrug ransomware. This malware encrypts users' personal documents and demands an amount of Bitcoin to have all files restored.
https://otx.alienvault.com/indicator/file/a554b92036fbbc1c5d1a7d8a4049b01c5b6b7b30f06843fcdccf1f2420dfd707

Opening the sample with a .NET debugger, we can see that it first creates a new file in the user temp directory and writes a new value in the “CurrentVersion\Run” registry key for the current user, pointing to that file. The malware will then be executed every time the user logs on. This is a common persistence mechanism that malware droppers use in order to stay on the system.

If we run the sample in our Osquery environment, we can easily detect this activity using a couple of queries. For example, the query we used to log files written to disk in Part 1 of this blog series can also be used here to detect the file planted in the user temp directory. We are simply searching for files written under the Users directory in the last 100 seconds.

Additionally, we can search for the new entry created in the registry hive. For that, we can use the ‘registry’ Osquery table, which allows us to query all the registry entries on the system. We can also use the ‘startup_items’ table. This second table contains a set of predefined paths that the system uses to run programs automatically at startup. Running the following query, we can see how the malware has written a new entry pointing to the ‘shrug.exe’ file discovered with the first query.

The file shrug.exe is also written in .NET, so we can open it again with the debugger and see some interesting parts. This file first checks whether the system is already infected. If not, it creates a new registry key with the same name to write the installation parameters.

2018-09-06T13:00:00+00:00 http://feeds.feedblitz.com/~/568274998/0/alienvaultotx www.secnews.physaphae.fr/article.php?IdArticle=795252 False Malware,Threat APT 34 3.0000000000000000