Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label TTP. Show all posts
Voldemort
Artificial Inteligence CYBER Research Cyberalert CyberCrime Cybersecurity CyberThreat Google malware Proofprint TryCloudflare TTP Voldemort

Espionage Concerns Arise from Newly Discovered Voldemort Malware

 


As a result of Proofpoint researchers' research, in August 2024, they discovered an unusual campaign in which custom malware was being delivered by a novel attack chain. Cybercriminals are believed to have named the malware "Voldemort" based on the internal file names and strings used in it.  As part of the attack chain, multiple tactics have been employed, some of which are currently popular in the threat landscape, while others are less common, such as using Google Sheets as a program for command and control (C2). 

It is noteworthy that in addition to tactical, technical, and procedural (TTPs) components, it takes advantage of a lure theme impersonating the government agencies of a variety of countries, and it uses odd file naming and passwords such as "test". Several researchers initially suspected that the activity may be a red team, but analysis of the malware and the number of messages indicated that it was a threat actor very quickly.   

There has been an aggressive malware campaign known as "Voldemort" launched against organizations all over the world, impersonating tax authorities in Europe, Asia, and the U.S. Since the malicious activity was launched on Aug. 5, more than 20,000 phishing messages were reported worldwide by dozens of companies. According to Proofpoint, over 20,000 phishing messages were reported during the last three months. 

A custom backdoor has been written in C and was designed to enable data exfiltration and the deployment of additional malicious payloads, as well as the exfiltration of data itself. The exploit is based on an exploit that takes advantage of a browser extension called 'Google Sheets' to be used as the C2 communication tool for the attack, and files that are infected with a malicious Windows search protocol are used to carry out the attack. 

As soon as the victim downloads the malware, it uses WebEx software to load a DLL that communicates with the C2 server using a legitimate version of WebEx software. There are several attack chains outlined in this attack chain, which include a variety of techniques currently common in the threat landscape, as well as a variety of rarely used methods of command and control (C2) such as the use of Google Sheets. 

Various tactics, techniques, and procedures (TTP) have been applied to it in combination with lure themes impersonating government agencies of various countries as well as its strange file naming and passwords, such as "test". Initial suspicions were that this activity might have been the work of a red team, but the large volume of messages and an analysis of the malware indicated that it was the work of a threat actor very quickly.   

In Proofpoint's assessment, there is a moderate amount of confidence that this is likely the actions of an advanced persistent threat (APT) actor that is seeking to gather intelligence. Although Proofpoint is well-versed in identifying named threat actors, it is still not confident enough with the data available to attribute a specific TA with high certainty. There is no doubt that some aspects of the malware, such as the widespread targeting and characteristics, are associated more often with cybercrime activity, but the nature of the malware does not appear to be motivated by financial gain at this time, but more by espionage.  

Powered by C, Voldemort is a custom backdoor that was written to gather information. As well as the capability to gather information, it also can drop additional payloads on the target. As Proofpoint discovered, Cobalt Strike was being hosted on the actor's infrastructure, and that would likely be one of the payloads that is being delivered by the actor.   There was a significant increase in phishing emails sent daily by the hackers beginning on August 17, when nearly 6,000 emails appeared to be impersonating tax agencies, which was high, according to the researchers. 

In addition to the Internal Revenue Service (IRS) in the United States, the HM Revenue & Customs in the United Kingdom, and the Direction Générale des Finances Publiques in France joined the list of potential regulators. A layer of credibility was added to the lures by crafting the phishing email in the native language of the respective tax authority, adding a high degree of legitimacy to the message. As part of their authenticity, the emails received from what appeared to be compromised domains contained the legitimate domain names of the tax agencies, to make them appear more genuine. 

There is no definitive answer to the overall objective of the campaign, though Proofpoint researchers say it seems likely that the campaign is aimed at espionage, given Voldemort's intelligence-gathering capacities as well as his ability to deploy additional payloads into the mainstream. There are more than half of all targeted organizations fall into the sectors of insurance, aerospace, transportation, and education. 

The threat actor behind this campaign is unknown, but Proofpoint believes that it may be engaged in cyber espionage operations as a means of obtaining information. Likewise, the messages also contain Google AMP Cache URLs that redirect to the landing page on InfinityFree, as well as a direct link to the landing page, which is included in the campaign later on. Towards the bottom of the landing page, there is a button that says "Click to view the document", which when clicked, checks the User Agent or software in the browser. 

When the User Agent contains "Windows," the browser is automatically redirected to a search-ms URI, which points to a TryCloudflare-tunneled URI ending in .search-ms. This redirection prompts the victim to open Windows Explorer, although the specific query responsible for this action remains hidden from the victim, leaving only a popup visible. Concurrently, an image is loaded from a URL ending in /stage1 on an IP address that is managed by the logging service pingb.in. This service enables the threat actor to record a successful redirect and collect additional browser and network information about the victim. 

A distinguishing feature of the Voldemort malware is its use of Google Sheets as a command and control (C2) server. The malware pings Google Sheets to retrieve new commands to execute on the compromised device and to serve as a repository for exfiltrated data. Each infected machine writes its data to specific cells within the Google Sheet, which are often designated by unique identifiers, such as UUIDs. This method ensures that data from different breached systems remains isolated, allowing for more efficient management. 

Voldemort interacts with Google Sheets using Google's API, relying on an embedded client ID, secret, and refresh token, all of which are stored in its encrypted configuration. This strategy offers malware a dependable and widely available C2 channel while minimizing the chances of its network communications being detected by security tools. Given that Google Sheets is commonly used in enterprise environments, blocking this service could be impractical, further reducing the likelihood of detection. 

In 2023, the Chinese advanced persistent threat (APT) group APT41 was observed using Google Sheets as a C2 server, employing the red-teaming GC2 toolkit to facilitate this activity. To defend against such campaigns, security firm Proofpoint recommends several measures: restricting access to external file-sharing services to trusted servers only, blocking connections to TryCloudflare when not actively required, and closely monitoring for suspicious PowerShell executions. These steps are advised to mitigate the risks posed by the Voldemort malware and similar threats.
Read more »
TTP
Cloud Cloud Servers Cyber Security Data Safety data security Data server Microsoft New Zealand TTP

Empowering Indigenous Data Sovereignty: The TTP-Microsoft Partnership

 

The recent partnership between Te Tumu Paeroa (TTP), the office of the Māori Trustee, and Microsoft for the forthcoming data centres in Aotearoa New Zealand marks a groundbreaking development with potential global implications for indigenous data sovereignty. This agreement, described as "groundbreaking," is based on TTP's Māori data sovereignty framework, which has been under development for the past three years. 

As anchor tenants for Microsoft's data centres, TTP will play a pivotal role in safeguarding Māori data as a precious asset in an increasingly digital world. Ruth Russell, Te Tumu Paeroa’s Kaitautari Pārongo Matua (Chief Information Officer), emphasized the significance of protecting Māori data, describing it as a "taonga" or treasure. Anchor tenancy enables TTP to host data in Aotearoa, ensuring it remains within the country's sovereign borders. 

The agreement aims to deepen connections between landowners and their whenua (land) and facilitate faster recovery from major weather events while supporting innovation on key issues such as climate change. TTP's services include trust administration, property management, income distribution, and client fund management, making this partnership crucial for enhancing Māori data sovereignty. One of the primary benefits of the new cloud service is that data stored at the centre will not leave New Zealand's sovereign borders, ensuring compliance with local laws and regulations. 

This advanced data residency feature offered by Microsoft instills confidence that data resides in the desired territory, aligning with TTP's framework and recognizing the sovereignty of Māori data. Dan Te Whenua Walker from Microsoft highlights the opportunity for Māori to leverage artificial intelligence (AI) while acknowledging some uncertainties regarding its cultural implications. He emphasizes the importance of TTP's framework in guiding the adoption of AI, ensuring it aligns with Māori aspirations and values. DDS IT, responsible for migrating data to Microsoft's cloud servers, considers this partnership a unique opportunity. The data migration process involves transferring data between locations and formats, with the full transfer expected to take between 12 to 24 months. 

Moreover, the new data centre is set to be the most sustainable globally, emphasizing energy efficiency and environmental considerations. The partnership between TTP and Microsoft represents a significant step towards advancing Māori data sovereignty and leveraging technology to benefit indigenous communities. By hosting data within Aotearoa's sovereign borders and adhering to Māori principles of kaitiakitanga (guardianship), this collaboration sets a precedent for indigenous data governance worldwide.
Read more »
TTP
bOOKcOVE Cyber Fraud Cyberattacks Kimsuky NIS Software Updates Spear-Phishing Emails TTP

Kimsuky's Attacks Alerted German and South Korean Agencies

 


In a joint warning issued by the German and South Korean intelligence agencies, it has been noted that a North Korean hacker group named Kimsuky has been increasing cyber-attack tactics against the South Korean network. With sophisticated phishing campaigns and malware attacks, the group has been suspected of being behind the attacks. It is believed that the North Korean government is behind them. Cyberattacks continue to pose a major threat to businesses and governments throughout the world as a result of increasing cyberattacks. 

Kimsuky (aka Thallium and SmokeScreen) is a North Korean threat group that has developed a reputation for utilizing cutting-edge tools and tactics in its operations. There have been two upcoming attack tactics developed by the group that enhances the espionage capabilities of the organization. These tactics raise no red flags on security radars. There are several malicious Android apps and YouTube extensions being abused as well as Google Chrome extensions.   

Kimsuky is believed to have expanded its tactics to attack a wide range of organizations in both countries, according to the German Office for Information Security (BSI) and South Korea's National Intelligence Service (NIS). Initially targeting U.S. government agencies, research institutions, and think tanks, the group has now spread to businesses in the technology and defense sectors as well. 

Kimsuky appears to be using a new malware called "BookCove" to steal sensitive information from its targets, according to a statement issued by the company. A spear-phishing email is designed to appear like it has been sent from a reputable source, but in reality, the message contains malware. Upon clicking the link or attachment in an email that contains malware, the user's computer is infected with the malware. The hacker can have access to the victim's data and can monitor the activities of the victim as a result of this. \

Various South Korean and German agencies suggest that organizations should implement the necessary precautions to safeguard themselves against these threats. Security measures must be taken, such as multi-factor authentication and regular updates, and employees must be educated on the risks associated with phishing. 

North Korean hacking group, Kimsuky, has been operating since 2013, providing malware for PCs. Several sources claim that the group is linked to the Reconnaissance General Bureau of the North Korean government. This Bureau gathers intelligence and conducts covert operations on behalf of the government. 

According to research, the apps, which embed FastFire and FastViewer, are distributed through Google Play's "internal testing" feature. This gives third-party developers the ability to send apps to a "small set of trusted testers." 

Nevertheless, it bears mentioning that these internal app testing exercises cannot exceed 100 users per app, regardless of the number of users. This is regardless of when the app is released into production. There is no doubt that this campaign has a very targeted nature, which indicates its focus. 

Two malware-laced apps use Android's accessibility services to steal sensitive information ranging from financial to personal information. APK packages for each app are listed below with their respective names in APK format:

  • Com. viewer. fast secure (FastFi) 
  • Com.tf.thinkdroid.secviewer (FastViewer) 
Organizations can take the following measures to protect themselves against Kimsuky's attacks 

A multi-factor authentication system protects the network and system from unauthorized access since it requires the attacker to possess at least two factors, such as a password and a physical device, such as a mobile phone. 

Even if cyber criminals could get past some existing security measures, this would make it far harder for them to access private data. In addition to the above-mentioned measures, organizations may also wish to consider taking the following measures to protect themselves: 
  • Maintaining a regular software update schedule is important. 
  • The best practices for protecting your company's information are taught to your employees. 
  • It is essential to use tools and techniques to detect and respond to advanced threats. 
A robust incident response plan is a crucial tool for organizations to develop to be prepared in case of an incident. If cyberattacks occur, they should be able to respond rapidly and effectively to mitigate their impact.

A growing number of companies are attacked by state-sponsored groups like Kimsuky due to cyberattacks. To reduce their risk of falling victim to these sophisticated cyber-espionage tactics, businesses and governments in Germany need to take proactive steps to protect themselves, including improving their security systems. 

Operating silently, Kimsuky has continuously evolved its TTPs to keep up with changing threats, as well as developing efficient tactics. The majority of attacks are conducted using phishing or spear-phishing. The most significant priority that must be addressed against this threat is to protect the accounts of individuals or organizations and other critical assets. Those involved in organizations and individuals are advised to keep abreast of the latest tactics and adhere to relevant agencies' recommendations.
Read more »
TTP
Cyberattacks Cybercrimes HTML malware Oakbot OneNote TTP

Qakbot Distributes Malware Through OneNote

 


There have been reports of a new wave of Qakbot campaigns that use a novel method of distributing malware as part of the delivery process. The name of this sophisticated malware is Qakbot, though this malware has several different names, such as Pinkslipbot, and QuakBot. 

Research has found that Qakbot campaigns have been operating since 2007, and they are using OneNote documents to get the word out to the public. Infected systems tend to have malicious software that targets sensitive data from the systems, such as login credentials, financial data, and personal information. 

It has been observed that Qakbot has been used in recent years to distribute ransomware via other botnets, such as Emotet, which drops a secondary payload onto their botnets. 

In-Depth Discussion of the Subject

  • As part of these campaigns, malware is delivered using two attack vectors; one attacker embeds the URL into the email to download the malicious file, and the other uses the malicious file as an attachment in an email. 
  • Documents in OneNote feature a call-to-action button that runs the payload associated with the document when clicked.  
  • Qakbot uses various evasion methods, such as anti-debugging techniques, anti-dynamic analysis techniques, anti-AV techniques, and encrypted communication between clients and servers. 
What Are The Key Players?

  • Banks, financial institutions, wealth management companies, and even public sector organizations are the most impacted, followed by organizations in the government and outsourcing sectors which are also impacted.
  • Organizations in the United States, Thailand, India, and Turkey were targeted with the campaigns. 
A OneNote-Qakbot Campaign is Not New

According to researchers at Sophos, two parallel spam campaigns, nicknamed Qaknote, were disseminating malicious OneNote attachments by embedding a malicious HTML application within the attachment.

  • This campaign started with the dissemination of an impersonal malspam that contained a link to the malicious OneNote document embedded in the email.  · 
  • Inn the second case, a malicious OneNote notebook for unauthorized use was sent to all recipients in an email reply-to-all message that hijacked existing email threads by exploiting thread injection to hijack existing email threads.
  • After downloading and installing Qbot through these attachments, it is now ready to use.  
Here are the Main Points

Recent Qakbot campaigns have been focused on specifically targeted sectors, in contrast to earlier campaigns that appeared indiscriminate, and researchers predict that this targeted approach will likely persist in future campaigns as well. 

TTPs have been shared between researchers to help detect and mitigate the threats associated with this threat. Emails with attachments with unusual extensions are blocked, malicious websites are avoided, and top-level domains that are rarely used are blocked.   
Read more »
virus
Cyber-Space malware Picus Security Swiss Army Malware TTP virus

Threats Increase With Updated "Swiss Army Malware"

 


There seems to be a slow and steady decline in the production of specialized malware. Alongside, there is a growing trend across cyber-space today for variants to be able to perform a whole host of functions and feature as many features as possible, according to recent studies released. 

It was found that “Swiss Army knife malware” was on the rise due to an analysis of more than 550,000 real-world samples by Picus Security. These strains are multipurpose and capable of performing a variety of actions. 

Among the malware analyzed for the report, a third carries more than 20 individual tactics, techniques, and procedures (TTP), according to the report, which suggests that malware in much larger numbers is involved in cyber threats. There are quite a few attacks that leverage more than ten tactics. One in ten attacks has as many as 30 tactics. Most commonly, the use of legitimate software and the movement of files in a lateral way are among the most common features of these attacks. 

Investment in a Great Deal 

Almost a third of malware samples have been observed to contain executables and script interpreters. According to MITRE's ATT&CK adversary behavior framework, these interpreters are the most prevalent ATT&CK techniques.  

This is the first time Remote System Discovery and Remote Services have appeared in the top ten of this research paper, showing that malware can now exploit built-in tools and protocols within operating systems to avoid detection and avoid being detected by security software. 

The majority of the ATT&CK techniques identified have been used to facilitate lateral movement within corporate networks. Around a quarter of the techniques have been developed to safeguard data and facilitate lateral movement. 

Research conducted by Picus found that all of these things were possible thanks to Picus' heavy investment. According to analysts, many syndicates of ransomware are well-funded, and they are happy to invest their funds back into making even more destructive malware in the future. As a result, cybercriminals have evolved their methods of identifying and eliminating malicious behavior in their attempts to infiltrate consumers' premises. They also take advantage of technological advancements to come up with more sophisticated ways to do so.   

According to Suleyman Ozarslan, Picus Security's Co-founder and VP of Picus Labs, "The objective of both ransomware (opens in new tab) and nation-state actor operators is to achieve the goal in as short and efficient a time as possible," said Ozarslan. More malware can move laterally within an IT environment. This means that adversaries of all types will need to adapt to the differences in IT environments to succeed in their attempt to exploit them. 

Security teams must continue to evolve their approaches as they face a growing threat from sophisticated malware that is becoming more sophisticated daily. There is a strong correlation between prioritizing attacks that are commonly carried out and being able to defend critical assets better. This is because organizations prioritize techniques that are commonly used. Furthermore, they will be able to guarantee that their attention and resources are focused on the areas where they can have the greatest impact. They will be able to maintain a consistent focus on those areas.
Read more »
Subscribe to: Posts (Atom)