Over recent months, the CrowdStrike Falcon® OverWatch™ team has tracked an ongoing, widespread intrusion campaign leveraging bundled .msi installers to trick victims into downloading malicious payloads alongside legitimate software. These payloads and scripts were used to perform reconnaissance and ultimately download and execute NIGHT SPIDER’s Zloader trojan, as detailed in CrowdStrike CROWDSTRIKE FALCON® INTELLIGENCE™ Premium reporting.…
Author: Securonix
CryptBot is back. A new and improved version of the malicious infostealer has been unleashed via compromised pirate sites, which appear to offer “cracked” versions of popular software and video games.
Making news most recently for an outbreak in early 2022, the malware first appeared in the wild in 2019, and it is now actively changing its attack and distribution methods.…
Adversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.
We have discovered some of the most dangerous threats and nation state attacks in our space – including the Kaseya MSP breach and the more_eggs malware.…
The ASEC analysis team has recently discovered an infostealer that is being distributed via YouTube. The attacker disguised the malware as a game hack for Valorant, and uploaded the following video with the download link for the malware, then guided the user to turn off the anti-malware program.…
By Edmund Brumaghin, with contributions from Jonathan Byrne, Perceo Lemos and Vasileios Koutsoumpogeras.
This post is also available in:日本語 (Japanese)
Українська (Ukrainian)
Executive Summary Since the beginning of the war in Ukraine, we have observed threat actors using email lures with themes related to the conflict, including humanitarian assistance and various types of fundraising.…
Cisco Talos has observed new cyber attacks targeting Turkey and other Asian countries we believe with high confidence are from groups operating under the MuddyWater umbrella of APT groups. U.S. Cyber Command recently connected MuddyWater to Iran’s Ministry of Intelligence and Security (MOIS).
These campaigns primarily utilize malicious documents (maldocs) to deploy downloaders and RATs implemented in a variety of languages, such as PowerShell, Visual Basic and JavaScript.…
Read More
The emails can be jarring, but the technique used by Qakbot (aka Qbot) seems to be especially convincing: The email-borne malware has a tendency to spread itself around by inserting malicious replies into the middle of existing email conversations, using the compromised accounts of other infection victims.…
In July of 2021, we identified an infection campaign targeting important European entities. During this investigation we could identify the threat actor behind these attacks as LazyScripter, an emerging APT group pointed by MalwareBytes in February 2021.
Through our analysis, we could track their activity with precise dates in 2021 based on their samples.…
This post is also available in:
Read More
Українська (Ukrainian)
Update March 17, 2022: Cisco Talos has updated the IOC section with additional hashes and ClamAV coverage.
Executive summary Opportunistic cybercriminals are attempting to exploit Ukrainian sympathizers by offering malware purporting to be offensive cyber tools to target Russian entities.…We recently came across a stealer, called Raccoon Stealer, a name given to it by its author. Raccoon Stealer uses the Telegram infrastructure to store and update actual C&C addresses.
Raccoon Stealer is a password stealer capable of stealing not just passwords, but various types of data, including:
Cookies, saved logins and forms data from browsers Login credentials from email clients and messengers Files from crypto wallets Data from browser plugins and extension Arbitrary files based on commands from C&CIn addition, it’s able to download and execute arbitrary files by command from its C&C.…
What Global Network Visibility Reveals about the Resurgence of One of the World’s Most Notorious Botnets
Executive Summary
Read More
Since its reemergence on Nov. 14, 2021, Black Lotus Labs has once again been tracking Emotet, one of the world’s most prolific malware distribution families which previously infected more than 1.6M devices and caused hundreds of millions of dollars in damage across critical infrastructure, healthcare, government organizations and enterprises around the world.…
We analyze RURansom, a malware variant discovered to be targeting Russia. Originally suspected to be a ransomware because of its name, analysis reveals RURansom to be a wiper.
A conflict in cyberspace is unfolding parallel to the conflict between Russia and Ukraine on the ground. Cyberattacks are being lobbed against both Russian and Ukrainian sides, with a new wiper directed against Russia joining the fray.…
For additional information regarding deserialization exploits and our new hunting rule generation tool ‘HeySerial’, read our blog post, Now You Serial, Now You Don’t — Systematically Hunting for Deserialization Exploits.
USAHerds (CVE-2021-44207) Zero-DayIn three investigations from 2021, APT41 exploited a zero-day vulnerability in the USAHerds web application.…
Since the dawn of phishing, fraudulent invoicing and purchasing schemes have been one of the most common lures. The usual modus operandi involves appealing to the recipient’s desire to avoid incurring a debt, especially where a business may be involved.
FortiGuard Labs recently came across an interesting phishing e-mail masquerading as a purchase order addressed to a Ukrainian manufacturing organization that deals with raw materials and chemicals.…
In March 2022, we came across evidence that another, relatively unknown, ransomware known as Nokoyawa is likely connected with Hive, as the two families share some striking similarities in their attack chain, from the tools used to the order in which they execute various steps.
Hive, which is one of the more notable ransomware families of 2021, made waves in the latter half of the year after breaching over 300 organizations in just four months — allowing the group to earn what could potentially be millions of US dollars in profit.…
Recently, Fortinet’s FortiGuard Labs captured more than 500 Microsoft Excel files that were involved in a campaign to deliver a fresh Emotet Trojan onto the victim’s device.
Emotet, known as a modular Trojan, was first discovered in the middle of 2014. Since then, it has become very active, continually updating itself.…
8/24 Editor’s Note: Since the publication, SMTP2Go has updated its security measures.
Key Takeaways Proofpoint researchers have identified ongoing activity by the China-aligned APT actor TA416 in which the group is targeting European diplomatic entities, including an individual involved in refugee and migrant services. This targeting is consistent with other activity reported by Proofpoint, showing an interest in refugee policies and logistics across the APT actor landscape which coincides with increased tensions and now armed conflict between Russia and Ukraine.…
This post was originally published as a white paper in September 2021. Get the full report as a PDF here.
Zusammenfassung (Executive Summary)
Read More
Over the past year the TeamTNT threat actor has been very active. TeamTNT is one of the predominant cryptojacking threat actors currently targeting Linux servers.…
奧義智慧團隊第一手調查,挖掘中國國家級駭客利用金融軟體系統漏洞,所引發的一系列高風險攻擊事件
Read More
隨著金融科技的技術持續發展,金融產業使用了更多的資訊系統,便也代表著比起過去任何時候,潛藏了更多未知的資安威脅,而駭客入侵所造成的影響,往往也牽一髮而動全身,有著絕不可小覷的風險。
2021 年底一連串我國證券商與期貨商遭受駭客撞庫攻擊、導致下單系統異常的新聞,在當時引發了社會上一片軒然大波。奧義智慧研究團隊在參與事件調查 (Incident Response, IR) 時,成功挖掘出關於金融攻擊事件的更多內幕,本篇文章將帶您深入瀏覽與探討,來自中國國家級駭客的金融產業供應鏈攻擊手法剖析、惡意程式技術,與對應的緩解措施等。
事件緣起去年臺灣發生多起證券、期貨商遭到撞庫攻擊,甚至出現下單異常案件的情況,研判應為系統性問題而非單一個案,並且對於交易秩序的影響相當嚴重。該攻擊事件疑似為特定組織型駭客所發起,長期且有目的性的滲透行動,從攻擊手法中可以觀察到,駭客具有針對不同目標環境開發對應後門、躲避安全軟體偵測的能力,並十分擅長於企業內網攻擊,操作手法亦相當熟稔。
奧義智慧科技 (CyCraft) 於 2021 年 11 月底到 2022 年 2 月初,監控到一系列大範圍且專門針對臺灣金融單位軟體系統的供應鏈攻擊事件,遂而開始展開進一步詳細的調查。初步發現,攻擊者準確利用了我國金融單位常用的軟體系統之漏洞,第一波攻擊於 2021 年 11 月底出現受駭案例,第二波活動的高峰期則在 2022 年 2 月 10 至 13 號之間,攻擊者來源 IP 位於香港。
經調查,本次攻擊事件所使用之後門程式為 QuasarRAT,經過分析啟動方式、保護機制與使用之 C2 中繼站等情資後,研判應為中國國家級駭客 APT10 所發起的新活動,主要針對國內金融業發動攻擊。
由於在過去的資安研究之中,源於中國的 APT 組織一般較少以經濟獲益為目標,然而,本起行動中則明確有著盜竊金融資料的行為,因此奧義研究團隊以「咬錢熊貓」(Operation Cache Panda) 這項代稱來命名此行動。
攻擊手法剖析Operation Cache Panda 行動中,利用到了一項證劵軟體系統管理介面的網站服務漏洞。首先,攻擊者上傳了中國駭客常用之 ASPXCSharp WebShell 進行網站主機控制,之後便開始利用知名內網滲透工具 Impacket 掃描內網電腦,試圖大範圍植入DotNet 後門程式,並意圖竊取受駭單位資料。
攻擊者大量使用了動態載入 DotNet 組件檔案 (DotNet Assembly) 的技術,透過攻擊手法 Reflective Code Loading(MITRE ATT&CK 編號 T1620),動態注射惡意 DotNet Assembly 程式碼到系統以合法執行程序。
此次事件除了使用到可編譯不同平台 Shellcode、透過 In-Memory 的方式執行 DotNet Assembly 的開源專案 Donut 外,亦發現使用部分 SharpSploit 程式碼注入 DotNet惡意程式,可以達到無惡意模組落地的隱匿效果,藉以降低被防毒軟體偵測機率。
其後攻擊者將會搭配 Impacket,透過 Remote Service/WMI 方式橫向擴散到內部主機。一旦成功取得內部主機的控制權,攻擊者便會建立 Reverse Tunnel RDP,使其更容易地透過遠端桌面操作受駭主機。
在本次調查當中,我們發現駭客使用了名為文叔叔的中國雲端檔案分享服務來下載相關工具,藉以達到一定程度的方便性以及匿名性;不過,也正因如此,駭客在透過 RDP 登入受駭主機時,反而容易留下更多追查線索。
本次遭駭的軟體系統在臺據稱有八成以上的市佔率,屬於金融機構的供應鏈攻擊。據悉已有多家企業遭受 Operation Cache Panda 行動不同程度的影響,建議金融單位立即修補軟體系統漏洞,限制 Web 管理介面的存取範圍,並盤點本文文末所提供的入侵指標 (Indicator of Compromise, IoC),包含網路 IP、檔案雜湊 (hash) 與惡意程式特徵等,另外也建議安裝奧義智慧的 Xensor EDR,開啟惡意程式保護模組 (Malware Protection Module) 以監控與阻擋相關的惡意活動。
奧義智慧第一時間監控,並告警駭客內網滲透活動 奧義智慧全球情資平台 CyberTotal 歸因出攻擊者疑為 APT10 攻擊技術分析 第一階段:突破與建立進入點本次攻擊所使用的 WebShell 取用於開源專案,此 Webshell 改良了中國駭客常用的蟻劍 WebShell 框架 (As-Exploits),並加強其動態加載與執行 DotNet Assembly 的能力,透過 GetType[0] 取得和建構出 Payload 的 Run類型,以確保能做到無惡意檔案落地與不會留下 Web存取紀錄之效果。
第二階段:移動與潛伏Operation Cache Panda 事件的攻擊者使用到六隻惡意程式,其中,只有三個檔案會落地,其餘皆在動態下載後載入。這六隻惡意程式各自負責了不同的功能,並串連成了本次的攻擊,整體流程請參照下方圖片。
惡意程式架構與活動分析PresentationCache.exe…
CryptBot is an infostealer that is usually distributed under the disguise of web pages that share cracks and tools. The distribution pages are exposed at the top of the search result page of search engines such as Google, so the risk of infection is high, and the number of relevant detection cases is also relatively high.…