Executive SummaryUkraine CERT (CERT-UA) has released new details on UAC-0026, which SentinelLabs confirms is associated with the suspected Chinese threat actor known as Scarab.
The malicious activity represents one of the first public examples of a Chinese threat actor targeting Ukraine since the invasion began.…
Read More Tag: APT
We recently discovered an APT campaign we are calling Operation Dragon Castling. The campaign is targeting what appears to be betting companies in South East Asia, more specifically companies located in Taiwan, the Philippines, and Hong Kong. With moderate confidence, we can attribute the campaign to a Chinese speaking APT group, but unfortunately cannot attribute the attack to a specific group and are not sure what the attackers are after.…
Executive SummaryDeep Instinct’s Threat Research team has found a new, undocumented malware developed in Golang
The malware is attributed to APT-C-23 (Arid Viper)
Further research revealed additional, previously unseen second-stage payloadsNew Malware Variant Discovery: Arid Gopher
Read More Our Threat Research team maintains a vigilant watch over the cyber threat landscape, hunting for malware as a normal course of operations.…
ESET researchers discovered a still-ongoing campaign using a previously undocumented Korplug variant, which they named Hodur due to its resemblance to the THOR variant previously documented by Unit 42 in 2020. In Norse mythology, Hodur is Thor’s blind half-brother, who is tricked by Loki into killing their half-brother Baldr.…
The ASEC analysis team has recently discovered the distribution of malware disguised as a Windows Help File (*.chm), specifically targeting Korean users. The CHM file is a compiled HTML Help file that is executed via the Microsoft® HTML help executable program.
The recently discovered CHM file downloads additional malicious files when run.…
One Hotel to rule them all, One Hotel to find them, One Hotel to bring them all and in the darkness bind them.
By John Fokker · March 17, 2022
This story was also written by Thibault Seret
Introduction:Our advanced threat research team has discovered a first-stage malicious campaign targeting luxury hotels in Macao, China since the latter half of November 2021.…
Update 05.27.22: An unknown APT group is targeting Russian government entities with at least four separate spear-phishing campaigns since the beginning of the conflict in Ukraine. Source: Security Affairs.
OverviewBlackBerry Threat Intelligence has identified a new Ransomware-as-a-Service (Raas) family, and tracked its lineage to its probable beta stage release.…
背景
Read More UNC1151是疑似具有东欧国家背景的APT团伙,该APT组织与“Ghostwriter”攻击活动相关。2020年,国外安全厂商Mandiant(前身为FireEye)披露“Ghostwriter”攻击活动[1]。该活动至少自 2017 年 3 月开始,行动主要针对立陶宛、拉脱维亚和波兰等国,攻击者在这些国家散播具有反北约组织(NATO)立场观点的内容,攻击者通常借助网站入侵和伪造电子邮件账号传播虚假内容,伪造的内容还包括来自军方官员的虚假信件。此后,Mandiant观察到UNC1151组织发起与“Ghostwriter”相似的攻击活动,攻击活动涉及波兰官员和德国政客,Mandiant认为UNC1151组织为一个新的APT组织[2]。2021年11月,Mandiant发布报告将该组织归属于东欧某国政府[3]。
2022年2月,俄乌冲突爆发后,乌克兰计算机应急响应小组(CERT-UA)和乌克兰国家特殊通讯和信息保护局(SSSCIP Ukraine)发布钓鱼邮件警报,警报涉及 UNC1151针对乌克兰武装部队成员的私人电子邮件账户的广泛网络钓鱼活动。3月1日,Proofpoint披露攻击者利用疑似被窃取的乌克兰军队人员邮箱,向参与管理逃离乌克兰的难民后勤工作的欧洲政府人员发起钓鱼攻击[4],攻击手法与UNC1151此前攻击活动相似。
概述近日,奇安信威胁情报中心红雨滴团队在社交平台上发现有安全研究员发布一个针对乌克兰的攻击样本。
乌克兰CERT也于3月7日发布通告,将该攻击样本归属为UNC1151[5]。该样本使用的攻击手法与UNC1151之前被披露的攻击手法有些不同。经过深入挖掘,我们发现此类攻击样本至少从2021年9月开始出现,攻击目标涉及乌克兰、立陶宛等国,同时在早期样本中发现了与UNC1151历史攻击活动的相似之处。
样本信息本次获取的初始样本为довідка.zip,“довідка”是乌克兰语“证书”的意思,压缩包内部为dovidka.chm,chm全称Compiled Help Manual,是微软新一代的帮助文件格式,利用HTML作源文,把帮助内容以类似数据库的形式编译储存,也就是被编译并保存在一个压缩的HTML格式。当我们双击文件时,微软默认使用HTML帮助执行程序打开并显示相关内容。
诱饵内容为一张图片,图片顶部为乌克兰总统办公室,乌克兰内阁以及乌克兰安全的标志,标题翻译为中文为“我该怎么办?。图片中的具体内容为“有关战争的一些安全建议”。当我们打开此文件时会执行HTML代码,解压缩dovidka.chm得到内嵌的html代码。
样本分析 HTMLHTML中包含两段代码,一段为js代码,用于显示诱饵内容,另一段为vbs代码。vbs代码经过混淆,执行的功能主要为释放ignit.vbs并调用WScript.exe执行。
VBS释放的ignit.vbs也经过混淆,主要执行三个函数,分别释放core.dll, desktop.ini, Windows Prefetch.lnk。
desktop.ini调用“C:WindowsMicrosoft.NETFrameworkv4.0.30319regasm.exe”加载core.dll
Windows Prefetch.lnk 用于持久化。
core.dllcore.dll为ConfuserEx加壳的C#程序,脱掉壳之后进行反编译得到代码,RegisterClass与UnRegisterClass 功能相同,实现数据的内存加载。
两个数组存储需要内存加载的数据。
将数组中的数据解压并写入分配的可执行内存中。
然后创建线程执行。
内存加载的代码主要分为两个部分,第一部分为dll loader,用于加载第二部分的dll,dll为开源的后门程序MicroBackdoor[6]。后门首先从conf段中获取到C2地址xbeta.online和端口(8443)并建立连接。
成功与服务器连接后获取服务器下发的指令并执行,指令包含获取本机信息,执行程序,反弹shell,上传下载文件等常规远控功能,值得一提的是与原版程序的指令相比,此样本添加了截屏的功能。
关联分析经过深入挖掘,我们发现其他三个同源样本,均为chm文件,样本信息如下:
– – – –MD5 样本名称 针对国家 VT初次上传时间62b8db1d541775fba717fc76b2e89353 cert.chm…This report discusses the technical capabilities of this Cyclops Blink malware variant that targets ASUS routers and includes a list of more than 150 current and historical command-and-control (C&C) servers of the Cyclops Blink botnet.
With additional insights from Philippe Z Lin
Note: This article has been updated on March 17, 2022, 2:00 a.m.…
CryptBot is back. A new and improved version of the malicious infostealer has been unleashed via compromised pirate sites, which appear to offer “cracked” versions of popular software and video games.
Making news most recently for an outbreak in early 2022, the malware first appeared in the wild in 2019, and it is now actively changing its attack and distribution methods.…
Cisco Talos has observed new cyber attacks targeting Turkey and other Asian countries we believe with high confidence are from groups operating under the MuddyWater umbrella of APT groups. U.S. Cyber Command recently connected MuddyWater to Iran’s Ministry of Intelligence and Security (MOIS).
These campaigns primarily utilize malicious documents (maldocs) to deploy downloaders and RATs implemented in a variety of languages, such as PowerShell, Visual Basic and JavaScript.…
Read More In July of 2021, we identified an infection campaign targeting important European entities. During this investigation we could identify the threat actor behind these attacks as LazyScripter, an emerging APT group pointed by MalwareBytes in February 2021.
Through our analysis, we could track their activity with precise dates in 2021 based on their samples.…
8/24 Editor’s Note: Since the publication, SMTP2Go has updated its security measures.
Key TakeawaysProofpoint researchers have identified ongoing activity by the China-aligned APT actor TA416 in which the group is targeting European diplomatic entities, including an individual involved in refugee and migrant services. This targeting is consistent with other activity reported by Proofpoint, showing an interest in refugee policies and logistics across the APT actor landscape which coincides with increased tensions and now armed conflict between Russia and Ukraine.…
奧義智慧團隊第一手調查,挖掘中國國家級駭客利用金融軟體系統漏洞,所引發的一系列高風險攻擊事件
Read More 隨著金融科技的技術持續發展,金融產業使用了更多的資訊系統,便也代表著比起過去任何時候,潛藏了更多未知的資安威脅,而駭客入侵所造成的影響,往往也牽一髮而動全身,有著絕不可小覷的風險。
2021 年底一連串我國證券商與期貨商遭受駭客撞庫攻擊、導致下單系統異常的新聞,在當時引發了社會上一片軒然大波。奧義智慧研究團隊在參與事件調查 (Incident Response, IR) 時,成功挖掘出關於金融攻擊事件的更多內幕,本篇文章將帶您深入瀏覽與探討,來自中國國家級駭客的金融產業供應鏈攻擊手法剖析、惡意程式技術,與對應的緩解措施等。
事件緣起去年臺灣發生多起證券、期貨商遭到撞庫攻擊,甚至出現下單異常案件的情況,研判應為系統性問題而非單一個案,並且對於交易秩序的影響相當嚴重。該攻擊事件疑似為特定組織型駭客所發起,長期且有目的性的滲透行動,從攻擊手法中可以觀察到,駭客具有針對不同目標環境開發對應後門、躲避安全軟體偵測的能力,並十分擅長於企業內網攻擊,操作手法亦相當熟稔。
奧義智慧科技 (CyCraft) 於 2021 年 11 月底到 2022 年 2 月初,監控到一系列大範圍且專門針對臺灣金融單位軟體系統的供應鏈攻擊事件,遂而開始展開進一步詳細的調查。初步發現,攻擊者準確利用了我國金融單位常用的軟體系統之漏洞,第一波攻擊於 2021 年 11 月底出現受駭案例,第二波活動的高峰期則在 2022 年 2 月 10 至 13 號之間,攻擊者來源 IP 位於香港。
經調查,本次攻擊事件所使用之後門程式為 QuasarRAT,經過分析啟動方式、保護機制與使用之 C2 中繼站等情資後,研判應為中國國家級駭客 APT10 所發起的新活動,主要針對國內金融業發動攻擊。
由於在過去的資安研究之中,源於中國的 APT 組織一般較少以經濟獲益為目標,然而,本起行動中則明確有著盜竊金融資料的行為,因此奧義研究團隊以「咬錢熊貓」(Operation Cache Panda) 這項代稱來命名此行動。
攻擊手法剖析Operation Cache Panda 行動中,利用到了一項證劵軟體系統管理介面的網站服務漏洞。首先,攻擊者上傳了中國駭客常用之 ASPXCSharp WebShell 進行網站主機控制,之後便開始利用知名內網滲透工具 Impacket 掃描內網電腦,試圖大範圍植入DotNet 後門程式,並意圖竊取受駭單位資料。
攻擊者大量使用了動態載入 DotNet 組件檔案 (DotNet Assembly) 的技術,透過攻擊手法 Reflective Code Loading(MITRE ATT&CK 編號 T1620),動態注射惡意 DotNet Assembly 程式碼到系統以合法執行程序。
此次事件除了使用到可編譯不同平台 Shellcode、透過 In-Memory 的方式執行 DotNet Assembly 的開源專案 Donut 外,亦發現使用部分 SharpSploit 程式碼注入 DotNet惡意程式,可以達到無惡意模組落地的隱匿效果,藉以降低被防毒軟體偵測機率。
其後攻擊者將會搭配 Impacket,透過 Remote Service/WMI 方式橫向擴散到內部主機。一旦成功取得內部主機的控制權,攻擊者便會建立 Reverse Tunnel RDP,使其更容易地透過遠端桌面操作受駭主機。
在本次調查當中,我們發現駭客使用了名為文叔叔的中國雲端檔案分享服務來下載相關工具,藉以達到一定程度的方便性以及匿名性;不過,也正因如此,駭客在透過 RDP 登入受駭主機時,反而容易留下更多追查線索。
本次遭駭的軟體系統在臺據稱有八成以上的市佔率,屬於金融機構的供應鏈攻擊。據悉已有多家企業遭受 Operation Cache Panda 行動不同程度的影響,建議金融單位立即修補軟體系統漏洞,限制 Web 管理介面的存取範圍,並盤點本文文末所提供的入侵指標 (Indicator of Compromise, IoC),包含網路 IP、檔案雜湊 (hash) 與惡意程式特徵等,另外也建議安裝奧義智慧的 Xensor EDR,開啟惡意程式保護模組 (Malware Protection Module) 以監控與阻擋相關的惡意活動。
奧義智慧第一時間監控,並告警駭客內網滲透活動奧義智慧全球情資平台 CyberTotal 歸因出攻擊者疑為 APT10攻擊技術分析 第一階段:突破與建立進入點本次攻擊所使用的 WebShell 取用於開源專案,此 Webshell 改良了中國駭客常用的蟻劍 WebShell 框架 (As-Exploits),並加強其動態加載與執行 DotNet Assembly 的能力,透過 GetType[0] 取得和建構出 Payload 的 Run類型,以確保能做到無惡意檔案落地與不會留下 Web存取紀錄之效果。
第二階段:移動與潛伏Operation Cache Panda 事件的攻擊者使用到六隻惡意程式,其中,只有三個檔案會落地,其餘皆在動態下載後載入。這六隻惡意程式各自負責了不同的功能,並串連成了本次的攻擊,整體流程請參照下方圖片。
惡意程式架構與活動分析PresentationCache.exe…
Summary
Read More The criminal group behind the Arkei information stealer appears to be interested in more than just picking our pockets. While cryptocurrency remains a primary target for the malware, which has recently been tied to use of the stealthy SmokeLoader downloader, a new analysis of Arkei shows that it has now expanded its reach to collect multifactor (MFA) authentication data as well.…
The ASEC analysis team has recently discovered the distribution of Cobalt Strike targeting unsecured MS-SQL servers.
MS-SQL server is a typical database server of the Windows environment, and it has consistently been a target of attack from the past. Attacks that target MS-SQL servers include attacks to the environment where its vulnerability has not been patched, brute forcing, and dictionary attack against poorly managed servers.…
Executive SummaryOur research attributes a decade of activity to a threat actor we call ModifiedElephant.
ModifiedElephant is responsible for targeted attacks on human rights activists, human rights defenders, academics, and lawyers across India with the objective of planting incriminating digital evidence.
ModifiedElephant has been operating since at least 2012, and has repeatedly targeted specific individuals.…
Read More
Summary
Read More The ShadowPad advanced modular remote access trojan (RAT) has been deployed by the Chinese government-sponsored BRONZE ATLAS threat group since at least 2017. A growing list of other Chinese threat groups have deployed it globally since 2019 in attacks against organizations in various industry verticals.…
Recently, we’ve been researching several threat actors operating in South Asia: Transparent Tribe, SideCopy, etc., that deploy a range of remote access trojans (RATs). After a hunting session in our malware sample repositories and VirusTotal while looking into these actors, we gathered a small collection of VBA code samples that eventually allowed us to connect certain IOCs to individual threat actors based on the final payload, victimology and submission locations.…
case study below, Antlion compromised the networks of at least two other organizations in Taiwan, including another financial organization and a manufacturing company. The activity the group carried out on those networks was largely similar to the activity that is detailed in the case study, with the xPack backdoor frequently deployed and a lot of evidence of credential dumping.…