Cisco Talos has observed new cyber attacks targeting Turkey and other Asian countries we believe with high confidence are from groups operating under the MuddyWater umbrella of APT groups. U.S. Cyber Command recently connected MuddyWater to Iran’s Ministry of Intelligence and Security (MOIS).
These campaigns primarily utilize malicious documents (maldocs) to deploy downloaders and RATs implemented in a variety of languages, such as PowerShell, Visual Basic and JavaScript.…
Read More Tag: APT
In July of 2021, we identified an infection campaign targeting important European entities. During this investigation we could identify the threat actor behind these attacks as LazyScripter, an emerging APT group pointed by MalwareBytes in February 2021.
Through our analysis, we could track their activity with precise dates in 2021 based on their samples.…
8/24 Editor’s Note: Since the publication, SMTP2Go has updated its security measures.
Key TakeawaysProofpoint researchers have identified ongoing activity by the China-aligned APT actor TA416 in which the group is targeting European diplomatic entities, including an individual involved in refugee and migrant services. This targeting is consistent with other activity reported by Proofpoint, showing an interest in refugee policies and logistics across the APT actor landscape which coincides with increased tensions and now armed conflict between Russia and Ukraine.…
奧義智慧團隊第一手調查,挖掘中國國家級駭客利用金融軟體系統漏洞,所引發的一系列高風險攻擊事件
Read More 隨著金融科技的技術持續發展,金融產業使用了更多的資訊系統,便也代表著比起過去任何時候,潛藏了更多未知的資安威脅,而駭客入侵所造成的影響,往往也牽一髮而動全身,有著絕不可小覷的風險。
2021 年底一連串我國證券商與期貨商遭受駭客撞庫攻擊、導致下單系統異常的新聞,在當時引發了社會上一片軒然大波。奧義智慧研究團隊在參與事件調查 (Incident Response, IR) 時,成功挖掘出關於金融攻擊事件的更多內幕,本篇文章將帶您深入瀏覽與探討,來自中國國家級駭客的金融產業供應鏈攻擊手法剖析、惡意程式技術,與對應的緩解措施等。
事件緣起去年臺灣發生多起證券、期貨商遭到撞庫攻擊,甚至出現下單異常案件的情況,研判應為系統性問題而非單一個案,並且對於交易秩序的影響相當嚴重。該攻擊事件疑似為特定組織型駭客所發起,長期且有目的性的滲透行動,從攻擊手法中可以觀察到,駭客具有針對不同目標環境開發對應後門、躲避安全軟體偵測的能力,並十分擅長於企業內網攻擊,操作手法亦相當熟稔。
奧義智慧科技 (CyCraft) 於 2021 年 11 月底到 2022 年 2 月初,監控到一系列大範圍且專門針對臺灣金融單位軟體系統的供應鏈攻擊事件,遂而開始展開進一步詳細的調查。初步發現,攻擊者準確利用了我國金融單位常用的軟體系統之漏洞,第一波攻擊於 2021 年 11 月底出現受駭案例,第二波活動的高峰期則在 2022 年 2 月 10 至 13 號之間,攻擊者來源 IP 位於香港。
經調查,本次攻擊事件所使用之後門程式為 QuasarRAT,經過分析啟動方式、保護機制與使用之 C2 中繼站等情資後,研判應為中國國家級駭客 APT10 所發起的新活動,主要針對國內金融業發動攻擊。
由於在過去的資安研究之中,源於中國的 APT 組織一般較少以經濟獲益為目標,然而,本起行動中則明確有著盜竊金融資料的行為,因此奧義研究團隊以「咬錢熊貓」(Operation Cache Panda) 這項代稱來命名此行動。
攻擊手法剖析Operation Cache Panda 行動中,利用到了一項證劵軟體系統管理介面的網站服務漏洞。首先,攻擊者上傳了中國駭客常用之 ASPXCSharp WebShell 進行網站主機控制,之後便開始利用知名內網滲透工具 Impacket 掃描內網電腦,試圖大範圍植入DotNet 後門程式,並意圖竊取受駭單位資料。
攻擊者大量使用了動態載入 DotNet 組件檔案 (DotNet Assembly) 的技術,透過攻擊手法 Reflective Code Loading(MITRE ATT&CK 編號 T1620),動態注射惡意 DotNet Assembly 程式碼到系統以合法執行程序。
此次事件除了使用到可編譯不同平台 Shellcode、透過 In-Memory 的方式執行 DotNet Assembly 的開源專案 Donut 外,亦發現使用部分 SharpSploit 程式碼注入 DotNet惡意程式,可以達到無惡意模組落地的隱匿效果,藉以降低被防毒軟體偵測機率。
其後攻擊者將會搭配 Impacket,透過 Remote Service/WMI 方式橫向擴散到內部主機。一旦成功取得內部主機的控制權,攻擊者便會建立 Reverse Tunnel RDP,使其更容易地透過遠端桌面操作受駭主機。
在本次調查當中,我們發現駭客使用了名為文叔叔的中國雲端檔案分享服務來下載相關工具,藉以達到一定程度的方便性以及匿名性;不過,也正因如此,駭客在透過 RDP 登入受駭主機時,反而容易留下更多追查線索。
本次遭駭的軟體系統在臺據稱有八成以上的市佔率,屬於金融機構的供應鏈攻擊。據悉已有多家企業遭受 Operation Cache Panda 行動不同程度的影響,建議金融單位立即修補軟體系統漏洞,限制 Web 管理介面的存取範圍,並盤點本文文末所提供的入侵指標 (Indicator of Compromise, IoC),包含網路 IP、檔案雜湊 (hash) 與惡意程式特徵等,另外也建議安裝奧義智慧的 Xensor EDR,開啟惡意程式保護模組 (Malware Protection Module) 以監控與阻擋相關的惡意活動。
奧義智慧第一時間監控,並告警駭客內網滲透活動奧義智慧全球情資平台 CyberTotal 歸因出攻擊者疑為 APT10攻擊技術分析 第一階段:突破與建立進入點本次攻擊所使用的 WebShell 取用於開源專案,此 Webshell 改良了中國駭客常用的蟻劍 WebShell 框架 (As-Exploits),並加強其動態加載與執行 DotNet Assembly 的能力,透過 GetType[0] 取得和建構出 Payload 的 Run類型,以確保能做到無惡意檔案落地與不會留下 Web存取紀錄之效果。
第二階段:移動與潛伏Operation Cache Panda 事件的攻擊者使用到六隻惡意程式,其中,只有三個檔案會落地,其餘皆在動態下載後載入。這六隻惡意程式各自負責了不同的功能,並串連成了本次的攻擊,整體流程請參照下方圖片。
惡意程式架構與活動分析PresentationCache.exe…
Summary
Read More The criminal group behind the Arkei information stealer appears to be interested in more than just picking our pockets. While cryptocurrency remains a primary target for the malware, which has recently been tied to use of the stealthy SmokeLoader downloader, a new analysis of Arkei shows that it has now expanded its reach to collect multifactor (MFA) authentication data as well.…
The ASEC analysis team has recently discovered the distribution of Cobalt Strike targeting unsecured MS-SQL servers.
MS-SQL server is a typical database server of the Windows environment, and it has consistently been a target of attack from the past. Attacks that target MS-SQL servers include attacks to the environment where its vulnerability has not been patched, brute forcing, and dictionary attack against poorly managed servers.…
Executive SummaryOur research attributes a decade of activity to a threat actor we call ModifiedElephant.
ModifiedElephant is responsible for targeted attacks on human rights activists, human rights defenders, academics, and lawyers across India with the objective of planting incriminating digital evidence.
ModifiedElephant has been operating since at least 2012, and has repeatedly targeted specific individuals.…
Read More
Summary
Read More The ShadowPad advanced modular remote access trojan (RAT) has been deployed by the Chinese government-sponsored BRONZE ATLAS threat group since at least 2017. A growing list of other Chinese threat groups have deployed it globally since 2019 in attacks against organizations in various industry verticals.…
Recently, we’ve been researching several threat actors operating in South Asia: Transparent Tribe, SideCopy, etc., that deploy a range of remote access trojans (RATs). After a hunting session in our malware sample repositories and VirusTotal while looking into these actors, we gathered a small collection of VBA code samples that eventually allowed us to connect certain IOCs to individual threat actors based on the final payload, victimology and submission locations.…
case study below, Antlion compromised the networks of at least two other organizations in Taiwan, including another financial organization and a manufacturing company. The activity the group carried out on those networks was largely similar to the activity that is detailed in the case study, with the xPack backdoor frequently deployed and a lot of evidence of credential dumping.…
Summary
Lazarus has targeted its victims using job opportunities documents for companies such as LockHeed Martin, BAE Systems, and Boeing. In this case, the threat actor has targeted people that are looking for jobs at Boeing using a document called Boeing BDS MSE.docx (https://twitter.com/ShadowChasing1/status/1455489336850325519). The malware extracts the hostname, username, network information, a list of processes, and other information that will be exfiltrated to one out of the four C2 servers.…
February 3, 2022
by Steven Adair, Thomas Lancaster
[UPDATE] On February 4, 2022, Zimbra provided an update regarding this zero-day exploit vulnerability and reported that a hotfix for 8.8.15 P30 would be available on February 5, 2022. This vulnerability was later assigned CVE-2022-24682 and was fixed in version 8.8.15P30 Update 2 of Zimbra Collaboration Suite.…
Cisco Talos has observed a new wave of Delphi malware called Micropsia developed and operated by the Arid Viper APT group since 2017.
This campaign targets Palestinian entities and activists using politically themed lures. The latest iteration of the implant contains multiple RAT and information-gathering capabilities.…Over the past months, the Cybereason Nocturnus Team has been tracking the Iranian hacker group known as Moses Staff. The group was first spotted in October 2021 and claims their motivation is to harm Israeli companies by leaking sensitive, stolen data.
Views: 0…
Over the past months, the Cybereason Nocturnus Team observed an uptick in the activity of the Iranian attributed group dubbed Phosphorus (AKA Charming Kitten, APT35), known for previously attacking medical research organizations in the US and Israel in late 2020, and for targeting academic researchers from the US, France, and the Middle East region back in 2019.…
Cisco Talos has observed a new campaign targeting Turkish private organizations alongside governmental institutions.
Talos attributes this campaign with high confidence to MuddyWater — an APT group recently attributed to Iran’s Ministry of Intelligence and Security (MOIS) by the U.S. Cyber Command. This campaign utilizes malicious PDFs, XLS files and Windows executables to deploy malicious PowerShell-based downloaders acting as initial footholds into the target’s enterprise.…This blog was authored by Ankur Saini and Hossein Jazi
Lazarus Group is one of the most sophisticated North Korean APTs that has been active since 2009. The group is responsible for many high profile attacks in the past and has gained worldwide attention. The Malwarebytes Threat Intelligence team is actively monitoring its activities and was able to spot a new campaign on Jan 18th 2022.…
The BlackBerry Research & Intelligence and Incident Response (IR) teams have found evidence correlating attacks by the Initial Access Broker (IAB) group Prophet Spider with exploitation of the Log4j vulnerability in VMware Horizon. This article highlights the recent indicators of compromise (IoCs) that we’ve observed.
Defenders concerned that they may have been a victim of these attacks can make use of these IoCs and detection methods to identify evidence of compromise within their environment.…
概述
奇安信红雨滴团队持续关注全球APT组织的攻击活动,其中包括海莲花(OceanLotus)APT组织。近期国外厂商Netskope发布了一篇关于mht格式文件(Web归档文件)通过携带的Office宏植入恶意软件的分析报告[1],因为其中提及的样本采用的攻击手法与海莲花组织存在相似之处,报告认为此次攻击活动是海莲花组织所为。
经过红雨滴团队研究人员对此类样本的深入分析,发现攻击流程中也存在着一些不同于海莲花过往攻击活动的特点,因此不排除其他攻击团伙模仿海莲花的可能性。基于现有的公开信息,暂时还不能确定此次攻击活动背后团伙的具体身份。此外,我们注意到此类样本利用Glitch平台下发后续恶意软件,进一步发现它们与奇安信威胁情报中心去年12月披露的攻击样本[2]一脉相承。
本文将深入分析此次攻击活动涉及的样本,梳理与之关联的其他攻击活动,并与海莲花组织历史攻击手法进行比较,总结攻击活动中相似的地方以及独有的特征。此类攻击样本具有如下特点:
1. 宏代码会根据系统版本释放32位或64位恶意DLL,释放恶意DLL时会插入一段随机数据;
2. 宏代码和恶意DLL均进行了代码混淆;
3. 恶意DLL将收集的信息回传给Glitch平台托管的C2服务,然后下载经过7z压缩的后续恶意软件并执行。
样本信息
收集到的攻击样本信息如下
MD5
文件类型
文件名
0ee738b3837bebb5ce93be890a196d3e
RAR
HS.rar
11d36c3b57d63ed9e2e91495dcda3655
RAR
Tai_lieu.rar
204cb61fce8fc4ac912dcb3bcef910ad
RAR
TL-3525.rar
a7a30d88c84ff7abe373fa41c9f52422
RAR
Note.rar
b1475bdbe04659e62f3c94bfb4571394
RAR
CV.rar
b2eb3785e26c5f064b7d0c58bdd3abe0
RAR
List Product.rar
d8fa458192539d848ee7bb171ebed6bd
RAR
GiftProducts.rar
e7ce1874ab781c7a14019b6a6e206749
RAR
PaymentRequest.rar
eb6cf9da476c821f4871905547e6a2b4
RAR
DeliveryInformation.rar
f5ea39b70f747e34ae024308298f70ac
RAR
Document.rar…
We investigated the most recent activities of APT36, also known as Earth Karkaddan, a politically motivated advanced persistent threat (APT) group, and discuss its use of CapraRAT, an Android RAT with clear similarities in design to the group’s favored Windows malware, Crimson RAT.
APT36, also known as Earth Karkaddan, a politically motivated advanced persistent threat (APT) group, has historically targeted Indian military and diplomatic resources.…