www.secnews.physaphae.fr. This is the RSS 2.0 feed from www.secnews.physaphae.fr. It is a simple aggregated flow of multiple article sources. The list of sources can be found on www.secnews.physaphae.fr. 2025-05-11T03:45:15+00:00 www.secnews.physaphae.fr

RiskIQ - cyber risk firms (now Microsoft): Weekly OSINT Highlights, 24 June 2024. 2024-06-24T12:48:47+00:00 https://community.riskiq.com/article/efd9816a www.secnews.physaphae.fr/article.php?IdArticle=8524654 False Ransomware,Malware,Tool,Vulnerability,Threat,Mobile,Cloud APT-C-23 3.0000000000000000

RiskIQ - cyber risk firms (now Microsoft): Arid Viper APT Group Deploys AridSpy Android Malware in Ongoing Espionage Campaigns. 2024-06-21T02:03:23+00:00 https://community.riskiq.com/article/19d9cd7d www.secnews.physaphae.fr/article.php?IdArticle=8522374 False Malware,Threat,Mobile APT-C-23 2.0000000000000000

Dark Reading - Informationweek Branch: Hamas Hackers Sling Stealthy Spyware Across Egypt, Palestine. The Arid Viper APT group is deploying AridSpy malware with Trojanized messaging applications and second-stage data exfiltration. 2024-06-17T06:00:00+00:00 https://www.darkreading.com/cyberattacks-data-breaches/hamas-hackers-stealthy-spyware-egypt-palestine www.secnews.physaphae.fr/article.php?IdArticle=8519565 False Malware APT-C-23 3.0000000000000000

HackRead - Cyber Search: Arid Viper's AridSpy Trojan Hits Android Users in Palestine, Egypt. Android users in Egypt and Palestine beware! Arid Viper is distributing malicious third-party apps hiding the AridSpy trojan! Learn how this malware steals your data and how to protect yourself. 2024-06-15T17:10:17+00:00 https://hackread.com/arid-vipers-aridspy-trojan-android-users-palestine-egypt/ www.secnews.physaphae.fr/article.php?IdArticle=8518688 False Malware,Mobile APT-C-23 2.0000000000000000

The Hacker News - The Hacker News is a hacking news blog (surprising, isn't it?): Arid Viper Launches Mobile Espionage Campaign with AridSpy Malware. The threat actor known as Arid Viper has been attributed to a mobile espionage campaign that leverages trojanized Android apps to deliver a spyware strain dubbed AridSpy. "The malware is distributed through dedicated websites impersonating various messaging apps, a job opportunity app, and a Palestinian Civil Registry app," ESET researcher Lukáš Štefanko said in a report published today. "Often 2024-06-13T19:25:00+00:00 https://thehackernews.com/2024/06/arid-viper-launches-mobile-espionage.html www.secnews.physaphae.fr/article.php?IdArticle=8517163 False Malware,Threat,Mobile APT-C-23 3.0000000000000000

RiskIQ - cyber risk firms (now Microsoft): Arid Viper | APT's Nest of SpyC23 Malware Continues to Target Android Devices.
#### Description
The Arid Viper group has a long history of using mobile malware, including at least four Android spyware families and one short-lived iOS implant, Phenakite. The SpyC23 Android malware family has existed since at least 2019, though shared code between the Arid Viper spyware families dates back to 2017. It was first reported in 2020 by ESET in a campaign where the actor used a third-party app store to distribute weaponized Android packages (APK). That campaign featured several apps designed to mimic Telegram and Android application update managers. Through 2022 and early 2023, Arid Viper developed several newer SpyC23 versions that share these themes: two apps mimic Telegram, while another is internally called APP-UPGRADE but is based on a romance-themed messaging app called Skipped Messenger. Cisco Talos recently reported on the history of Skipped Messenger, revealing that the once-benign dating application was likely passed from the original developer to the Arid Viper actor.
#### Reference URL(s)
1. https://www.sentinelone.com/labs/arid-viper-apts-nest-of-spyc23-malware-continues-to-target-android-devices/
#### Publication Date
November 6, 2023
#### Author(s)
Alex Delamotte
2023-11-08T21:19:17+00:00 https://community.riskiq.com/article/85abd98a www.secnews.physaphae.fr/article.php?IdArticle=8408110 False Malware,Mobile APT-C-23,APT-C-23 3.0000000000000000

SentinelOne (APT) - Cyber Firms: Arid Viper | APT's Nest of SpyC23 Malware Continues to Target Android Devices. Hamas-aligned threat actor delivers spyware through weaponized apps posing as Telegram or Skipped messenger. 2023-11-06T16:13:44+00:00 https://www.sentinelone.com/labs/arid-viper-apts-nest-of-spyc23-malware-continues-to-target-android-devices/ www.secnews.physaphae.fr/article.php?IdArticle=8406707 False Malware,Threat,Mobile APT-C-23 3.0000000000000000

RiskIQ - cyber risk firms (now Microsoft): Arid Viper Disguising Mobile Spyware as Updates for Non-Malicious Android Applications.
#### Description
Since April 2022, Cisco Talos has been tracking a malicious campaign operated by the espionage-motivated Arid Viper advanced persistent threat (APT) group targeting Arabic-speaking Android users. In this campaign, the actors leverage custom mobile malware, also known as Android Package files (APKs), to collect sensitive information from targets and deploy additional malware onto infected devices. The mobile malware used in this campaign shares similarities with a non-malicious online dating application, referred to as Skipped. The malware specifically uses a similar name and the same shared project on the applications' development platform. This overlap suggests the Arid Viper operators are either linked to Skipped's developer or somehow gained illicit access to the shared project's database. Cisco's analysis uncovered an array of simulated dating applications that are linked to Skipped, leading us to assess that Arid Viper operators may seek to leverage these additional applications in future malicious campaigns. In order to coerce users into downloading their mobile malware, Arid Viper operators share malicious links masquerading as updates to the dating applications, which instead deliver malware to the user's device. Arid Viper's Android malware has a number of features that enable the operators to disable security notifications, collect users' sensitive information, and deploy additional malicious applications on the compromised device.
#### Reference URL(s)
1. https://blog.talosintelligence.com/arid-viper-mobile-spyware/
#### Publication Date
October 31, 2023
#### Author(s)
Cisco Talos
2023-10-31T20:56:15+00:00 https://community.riskiq.com/article/1d19d27b www.secnews.physaphae.fr/article.php?IdArticle=8403739 False Malware,Threat APT-C-23,APT-C-23 3.0000000000000000

The Hacker News - The Hacker News is a hacking news blog (surprising, isn't it?): Arid Viper Targeting Arabic Android Users with Spyware Disguised as Dating App. The threat actor known as Arid Viper (aka APT-C-23, Desert Falcon, or TAG-63) has been attributed as behind an Android spyware campaign targeting Arabic-speaking users with a counterfeit dating app designed to harvest data from infected handsets. "Arid Viper's Android malware has a number of features that enable the operators to surreptitiously collect sensitive information from victims' devices 2023-10-31T19:46:00+00:00 https://thehackernews.com/2023/10/arid-viper-targeting-arabic-android.html www.secnews.physaphae.fr/article.php?IdArticle=8403559 False Malware,Threat APT-C-23,APT-C-23 2.0000000000000000

Dark Reading - Informationweek Branch: Arid Viper Camouflages Malware in Knockoff Dating App. The APT group uses updates from the app to get the user to download the malware. 2023-10-31T17:44:00+00:00 https://www.darkreading.com/dr-global/arid-viper-camouflages-malware-in-knockoff-dating-app www.secnews.physaphae.fr/article.php?IdArticle=8403649 False Malware APT-C-23 3.0000000000000000

InfoSecurity Mag - InfoSecurity Magazine: Arid Viper Campaign Targets Arabic-Speaking Users. Cisco Talos said the group deployed customized mobile Android malware in the APK format. 2023-10-31T17:00:00+00:00 https://www.infosecurity-magazine.com/news/arid-viper-targets-arabic-speaking/ www.secnews.physaphae.fr/article.php?IdArticle=8403581 False Malware APT-C-23 2.0000000000000000

Anomali - Firm Blog: Anomali Cyber Watch: Aggressively-Mutating Mantis Backdoors Target Palestine, Fake Cracked Packages Flood NPM, Rorschach Ransomware Is Significantly Faster Than LockBit v.3. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence. CryptoClippy Speaks Portuguese (published: April 5, 2023). Since at least early 2022, an opportunistic cryptocurrency clipper campaign has been targeting Portuguese speakers by prompting a download from an actor-controlled website promoted through SEO poisoning and malvertising that abuses Google Ads. The file mimics WhatsApp Web and delivers malware dubbed CryptoClippy, whose purpose is to replace cryptocurrency addresses in the target's clipboard. The first two files in the infection chain are EXE and BAT, or ZIP and LNK. The actors use extensive obfuscation and encryption techniques (RC4 and XOR), log and file clearing, and in-depth user profiling for narrow targeting and defense evasion. The use of the Invoke-Obfuscation type of obfuscation may indicate a Brazilian attacker. Analyst Comment: The observed actor-controlled wallets have earned a little over 1,000 US dollars, but the actors' complex multi-stage malware may help them extend that damage. Users are advised to verify recipient information before sending a financial transaction. Indicators related to CryptoClippy are available in the Anomali platform. Organizations that publish applications for their customers are encouraged to use Anomali Premium Digital Risk Protection to discover malicious and rogue applications impersonating their brand that security teams typically neither look for nor monitor. MITRE ATT&CK: [MITRE ATT&CK] T1204 - User Execution | [MITRE ATT&CK] T1027 - Obfuscated Files or Information | [MITRE ATT&CK] T1059.001: PowerShell | [MITRE ATT&CK] T1105 - Ingress Tool Transfer | [MITRE ATT&CK] T1140 - Deobfuscate/Decode Files or Information | [MITRE ATT&CK] T1620 - Reflective Code Loading | [MITRE ATT&CK] T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | [MITRE ATT&CK] T1112: Modify Registry | [MITRE ATT&CK] T1136.001 - Create 2023-04-11T19:00:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-aggressively-mutating-mantis-backdoors-target-palestine-fake-cracked-packages-flood-npm-rorschach-ransomware-is-significantly-faster-than-lockbit-v3 www.secnews.physaphae.fr/article.php?IdArticle=8326770 False Ransomware,Malware,Tool,Threat APT-C-23 2.0000000000000000

InformationSecurityBuzzNews - Security News Site: Arid Viper Using Upgraded Malware In Middle East Cyberattacks. Since September 2022, Palestinian entities have been targeted by Arid Viper, a threat actor observed using updated versions of its malware toolkit. According to Symantec, which monitors the group under the name Mantis, the adversary is taking significant measures to sustain a continual presence on the networks it targets. Kaspersky, in a report published in February 2015, […] 2023-04-04T16:06:23+00:00 https://informationsecuritybuzz.com/arid-viper-upgraded-malware-middle-east-cyberattacks/ www.secnews.physaphae.fr/article.php?IdArticle=8324738 False Malware,Threat APT-C-23 2.0000000000000000

The Hacker News - The Hacker News is a hacking news blog (surprising, isn't it?): Arid Viper Hacking Group Using Upgraded Malware in Middle East Cyber Attacks. The threat actor known as Arid Viper has been observed using refreshed variants of its malware toolkit in its attacks targeting Palestinian entities since September 2022. Symantec, which is tracking the group under its insect-themed moniker Mantis, said the adversary is "going to great lengths to maintain a persistent presence on targeted networks." Also known by the names APT-C-23 and Desert 2023-04-04T15:38:00+00:00 https://thehackernews.com/2023/04/arid-viper-hacking-group-using-upgraded.html www.secnews.physaphae.fr/article.php?IdArticle=8324634 False Malware,Threat APT-C-23 2.0000000000000000

Anomali - Firm Blog: Anomali Cyber Watch: Zyxel Patches Critical Firewall Bypass Vulnerability, Spring4Shell (CVE-2022-22965), The Caddywiper Malware Attacking Ukraine and More. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence. New SolarMaker (Jupyter) Campaign Demonstrates the Malware's Changing Attack Patterns (published: April 8, 2022). Palo Alto researchers have released their technical analysis of a new version of the SolarMaker malware. Prevalent since September 2020, SolarMaker's initial infection vector is SEO poisoning: creating malicious websites with popular keywords to increase their ranking in search engines. Once clicked on, an encrypted PowerShell script is automatically downloaded. When executed, the malware is installed. SolarMaker's main functionality is the theft of web browser information such as stored passwords, auto-fill data, and saved credit card information. All the data is sent back to an encoded C2 server, encrypted with AES. New features discovered by this technical analysis include increased dropper file size, droppers that are always signed with legitimate certificates, and a switch back to executables instead of MSI files. Furthermore, the backdoor is now loaded into the dropper process instead of the PowerShell process upon first-time execution. Analyst Comment: Never click on suspicious links; always inspect the URL for any anomalies. Untrusted executables should never be executed, nor privileges assigned to them. Monitor network traffic to assist in the discovery of non-standard outbound connections, which may indicate C2 activity. MITRE ATT&CK: [MITRE ATT&CK] Data Obfuscation - T1001 | [MITRE ATT&CK] Encrypted Channel - T1573 | [MITRE ATT&CK] Exfiltration Over C2 Channel - T1041 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Virtualization/Sandbox Evasion - T1497. Tags: SolarMaker, Jupyter, PowerShell, AES, C2, SEO poisoning. Google is on Guard: Sharks shall not Pass! (published: April 7, 2022). Check Point researchers have discovered a series of malicious apps on the Google Play store that infect users with the info stealer Sharkbot while masquerading as AV products. The primary functionality of Sharkbot is to steal user credentials and banking details, which the user is asked to provide upon launching the app. Furthermore, Sharkbot asks the user to grant it a wide array of permissions that give the malware a variety of functions, such as reading and sending SMS messages and uninstalling other applications. Additionally, the malware is able to evade detection through various techniques. Sharkbot is geofenced, so it will stop functioning if it detects the user is from Belarus, China, India, Romania, Russia or Ukraine. Interestingly for Android malware, Sharkbot also utilizes a domain generation algorithm (DGA). This allows the malware to dynamically generate C2 domains to help the malware function after a period of time even i 2022-04-12T19:06:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-zyxel-patches-critical-firewall-bypass-vulnerability-spring4shell-cve-2022-22965-the-caddywiper-malware-attacking-ukraine-and-more www.secnews.physaphae.fr/article.php?IdArticle=4436863 False Malware,Tool,Vulnerability,Threat,Patching APT-C-23 None

The Hacker News - The Hacker News is a hacking news blog (surprising, isn't it?): New Wave of Cyber Attacks Target Palestine with Political Bait and Malware. 2022-02-03T00:14:56+00:00 https://thehackernews.com/2022/02/new-wave-of-cyber-attacks-target.html www.secnews.physaphae.fr/article.php?IdArticle=4075298 False Malware APT-C-23 None

CISCO Talos - Cisco Research blog: Arid Viper APT targets Palestine with new wave of politically themed phishing attacks, malware. 2022-02-02T05:04:10+00:00 http://blog.talosintelligence.com/2022/02/arid-viper-targets-palestine.html www.secnews.physaphae.fr/article.php?IdArticle=4070224 False Malware APT-C-23 None

Team Cymru - Threat Intelligence Team: Mapping out AridViper Infrastructure Using Augury's Malware Module [...] 2020-12-16T19:28:07+00:00 https://team-cymru.com/blog/2020/12/16/mapping-out-aridviper-infrastructure-using-augurys-malware-addon/ www.secnews.physaphae.fr/article.php?IdArticle=2148898 False Malware APT-C-23 None

IT Security Guru - Security Blog: Israeli soldiers catfished by hacking group. 2020-02-18T10:26:49+00:00 https://www.itsecurityguru.org/2020/02/18/israeli-soldiers-catfished-by-hacking-group/?utm_source=rss&utm_medium=rss&utm_campaign=israeli-soldiers-catfished-by-hacking-group www.secnews.physaphae.fr/article.php?IdArticle=1548884 True Malware APT-C-23 None

AlienVault Blog - AlienVault is a major defense player in IOCs: Alien Labs 2019 Analysis of Threat Groups Molerats and APT-C-37. A recent spear-phishing document from Molerats. APT-C-37 Overview: APT-C-37, also known as Pat-Bear or the Syrian Electronic Army (SEA), was first seen in October 2015 targeting members of a terrorist organization. Since 2015, however, APT-C-37 has broadened its objectives to include government agencies, armed forces leadership, media organizations, political activists, and diplomats. The group mostly targets victims in Western countries, with the intent of defacing their websites and social accounts while leaving a public footprint after hacking one of its victims. In previous attacks, APT-C-37 targeted Windows and Android systems, utilizing popular commercial remote access trojans (RATs) such as DroidJack, SpyNote, njRAT, SSLove, and H-Worm. Technical Analysis: APT-C-37 2019. June 2019: APT-C-37 released an Android app named after the instant messaging software "WhatsApp" as an espionage tool to reportedly spy on the Syrian opposition forces. The app was capable of installing the SSLove RAT to pull private information from the phone and exfiltrate it to a remote location. Molerats Overview: Molerats has been present in the cybercriminal landscape since 2012. In an analysis released by Kaspersky's GReAT (Global Research & Analysis Team) earlier this year on the Gaza Hacker Team and its various subgroups, Kaspersky concluded that Molerats is Gaza Cybergang "Group1." The report also concluded that Molerats (i.e. Cybergang Group 1) operates with a lower level of sophistication than other groups within the Gaza Hacker Team. In addition, a 2016 article in Security Week reported that one of Molerats' campaigns (October 2016) heavily used popular RATs like NjRat and H-Worm (aka Houdini). Technical Analysis: Molerats 2019. October 2019: In Molerats' October operation, the attack was distributed as a phishing campaign in the Middle East. Emails included a Microsoft Word file attachment with the title "Daily report on the most important Palestinian developments for the day 9-9-2019.doc", content that spoke to the political situation in Palestine. When a victim opened the attachment, the malware performed the following: Displayed the Microsoft Word doc 2020-01-15T14:00:00+00:00 https://feeds.feedblitz.com/~/616000598/0/alienvault-blogs~Alien-Labs-Analysis-of-Threat-Groups-Molerats-and-APTC www.secnews.physaphae.fr/article.php?IdArticle=1501589 False Malware,Tool,Threat,Guideline APT-C-23 None