Introduction

Rootkits are malware implants which burrow themselves in the deepest corners of the operating system. Although on paper they may seem attractive to attackers, creating them poses significant technical challenges and the slightest programming error has the potential to completely crash the victim machine. In our APT predictions for 2022, we noted that despite these risks, we expected more attackers to reach the sophistication level required to develop such tools.…


Our X-Ops teams – SophosLabs, SecOps (Sophos Managed Threat Response [MTR] and Sophos Rapid Response), and Sophos AI – operate in a virtuous Observe-Orient-Decide-Act loop, building on each team’s work to improve customer protections. A recent set of investigations illustrates our OODA-loop process: attacks against a pair of vulnerabilities in Microsoft SQL were researched, documented, and addressed proactively.…


Following on from our earlier Owowa discovery, we continued to hunt for more backdoors potentially set up as malicious modules within IIS, a popular web server developed by Microsoft. And we didn’t come back empty-handed…

In 2021, we noticed a trend among several threat actors for deploying a backdoor within IIS after exploiting one of the ProxyLogon-type vulnerabilities within Microsoft Exchange servers.…


ToddyCat is a relatively new APT actor that we have not been able to relate to other known actors, responsible for multiple sets of attacks detected since December 2020 against high-profile entities in Europe and Asia. We still have little information about this actor, but we know that its main distinctive signs are two formerly unknown tools that we call ‘Samurai backdoor’ and ‘Ninja Trojan’.…

Executive Summary

Aoqin Dragon, a threat actor SentinelLabs has been extensively tracking, has operated since 2013 targeting government, education, and telecommunication organizations in Southeast Asia and Australia. Aoqin Dragon seeks initial access primarily through document exploits and the use of fake removable devices. Other techniques the attacker has been observed using include DLL hijacking, Themida-packed files, and DNS tunneling to evade post-compromise detection.…

Overview

In 2021, the QiAnXin Threat Intelligence Center published the article "Operation Magichm: A Brief Look at the Bitter Group's CHM File Delivery and Follow-up Operations". A year later, we found that the Bitter group (蔓灵花, APT-Q-37) used new attack techniques and samples in its latest attack activity in April. In addition, at the end of this article we share the recent phishing activity of Maya Elephant (摩耶象, APT-Q-41) and the infrastructure SideWinder (响尾蛇, APT-Q-39) has used since the start of this year.

Judging from attack activity out of South Asia over the past two years, the various groups are still "living off old capital", with no inclination to innovate: they show a path dependence on antique vulnerabilities such as 11882 and 8570, and their Trojan AV-evasion work is also very poor, often still not reaching an undetected state after being detected and removed by Tianqing four or five times. This disappoints us. We speculate that this phenomenon may be related to the security environment in the South Asian region.

As with our previous articles, this one merely shares the attack techniques seen over the recent period. At the end we share historical or not-yet-activated infrastructure of the related groups.

APT-Q-37 (Bitter)

Email analysis

The Bitter group impersonated an arms-trade customer (the Bangladesh Navy) and sent phishing emails with CHM attachments to a defense-industry enterprise, using hull sonar repair as the theme.

Besides CHM, Bitter also delivered documents containing DDE AUTO as attachments. Impersonating a defense-industry enterprise, it sent phishing emails to an arms-trade customer (the Bangladesh Air Force) on the theme of promoting an anti-drone system.

After obtaining access to the arms-trade customer's mailbox, the attacker adds a malicious DDE attachment to an existing legitimate email thread to raise the success rate of the phishing.

The legitimate PDF is as follows:

Using a trusted mailbox, the attacker sent an SFX sample carrying New Year greetings to everyone on the mailing list.

Delivering phishing emails with macro documents

Lure analysis

DDE AUTO

Since CHM lures are too common, they are not analyzed here; the DDE documents are as follows:

File name | MD5 | Type
Technical Proposal of Portable Anti-Drone System.docx | 54ea5083ad67b15a249e07bb1a4fb3e0 | DDE AUTO
China Great Wall Industry Corp (CGWIC) Profile and POC.docx | 54ea5083ad67b15a249e07bb1a4fb3e0 | DDE AUTO
Payment Detail.docx | 54ea5083ad67b15a249e07bb1a4fb3e0 | DDE AUTO
Invitation to Visit Bangladesh(Officials of Chinaship).docx…

Introduction

LuoYu is a lesser-known threat actor that has been active since 2008. It primarily goes after targets located in China, such as foreign diplomatic organizations established in the country, members of the academic community, or companies from the defense, logistics and telecommunications sectors. In their initial disclosures on this threat actor, TeamT5 identified three malware families: SpyDealer, Demsty and WinDealer.…


In the past two months, we observed multiple APT groups attempting to leverage the Russia and Ukraine war as a lure for espionage operations. It comes as no surprise that Russian entities themselves became an attractive target for spear-phishing campaigns that are exploiting the sanctions imposed on Russia by western countries.…

Overview

Recently, CNCERT and 360netlab worked together and discovered a rapidly spreading DDoS botnet on the Internet. The global infection looks fairly big: in China alone there are more than 10,000 daily active bots (IPs), and more than 100 DDoS victims are being targeted on a daily basis.…


For over a decade, the PlugX malware has been observed internationally with different variants found around the world. This blog covers a PlugX variant that we have named Talisman, a name we based on comparisons with other PlugX variants, and its rather long life since it first emerged in 2008.…


Geopolitical tensions often make headlines and present a golden opportunity for threat actors to exploit the situation, especially those targeting high-profile victims. In the past month while the Russian invasion of Ukraine was unfolding, Check Point Research (CPR) has observed advanced persistent threat (APT) groups around the world launching new campaigns, or quickly adapting ongoing ones to target victims with spear-phishing emails using the war as a lure.…


One Hotel to rule them all, One Hotel to find them, One Hotel to bring them all and in the darkness bind them.

Introduction:

Our advanced threat research team has discovered a first-stage malicious campaign targeting luxury hotels in Macao, China since the latter half of November 2021.…


The DirtyMoe malware is deployed using various kits like PurpleFox or injected installers of Telegram Messenger that require user interaction. Complementary to this deployment, one of the DirtyMoe modules expands the malware using worm-like techniques that require no user interaction.

This research analyzes this worming module’s kill chain and the procedures used to launch/control the module through the DirtyMoe service.…
