Australian Police Infiltrate Encrypted Messaging App Ghost and Arrest Dozens

Australian police have infiltrated encrypted messaging app Ghost, which has been used for illegal activities, and arrested dozens of people.

The post Australian Police Infiltrate Encrypted Messaging App Ghost and Arrest Dozens appeared first on SecurityWeek.

SecurityWeek – Read More

AT&T to Pay $13 Million in Settlement Over 2023 Data Breach

AT&T has agreed to pay $13 million in a settlement with the FCC over a 2023 data breach at a third-party vendor’s cloud environment.

The post AT&T to Pay $13 Million in Settlement Over 2023 Data Breach appeared first on SecurityWeek.

SecurityWeek – Read More

CISA Urges Software Developers to Weed Out XSS Vulnerabilities

CISA and the FBI recommended that software developers implement rigorous input validation, sanitization, and output escaping to prevent malicious script injection and data manipulation.

Cyware News – Latest Cyber News – Read More

INE Security Wins 2024 SC Excellence Award

Cary, North Carolina, 18th September 2024, CyberNewsWire

Hackread – Latest Cybersecurity, Tech, Crypto & Hacking News – Read More

SambaSpy, a new RAT | Kaspersky official blog

Today, let’s talk about rats. Not the long-tailed rodents, but the digital kind – Remote Access Trojans, or RATs. These are Trojans that attackers use to gain remote access to a device. Typically, these RATs can install and uninstall programs, control the clipboard and log keystrokes.

In May 2024, a new breed of RAT, SambaSpy, wandered into our rat trap. To learn how this malware infects its victims’ devices and what it does once it’s inside, read on.

What SambaSpy is

SambaSpy is a feature-rich RAT Trojan obfuscated using Zelix KlassMaster, making it much more difficult to detect and analyze. However, our team was up to the challenge and discovered that this new RAT is capable of:

Managing the file system and processes
Downloading and uploading files
Controlling the webcam
Taking screenshots
Stealing passwords
Loading additional plug-ins
Remotely controlling the desktop
Logging keystrokes
Managing the clipboard

Impressed? It seems SambaSpy can do it all – the perfect tool for a 21st century James Bond villain. But even this extensive list isn’t exhaustive: read more about this RAT’s capabilities in the full version of our study.

The malicious campaign we uncovered was exclusively targeting victims in Italy. You may be surprised, but this is actually good news (for everyone except Italians). Threat actors usually try to cast a wide net to maximize their profits, but these attackers are focused on just one country. So why is that a good thing? It’s likely that the attackers are testing the waters with Italian users before expanding their operation to other countries – and we’re already one step ahead, since we’re familiar with SambaSpy and how to counter it. All that our users worldwide need to do is make sure they have a reliable security solution, and read on knowing that we’ve got this.

How attackers spread SambaSpy

In short, just like many other RATs, via email. The attackers used two primary infection chains, both involving phishing emails disguised as communications from a real estate agency. The key element in the email is a CTA to check an invoice by clicking a hyperlink.

At first glance, the email appears legitimate – except that it’s sent from a German email address, yet written in Italian.

Clicking the link redirects users to a malicious website that checks the system language and the browser used. If the potential victim’s OS is set to Italian and they open the link in Edge, Firefox or Chrome, they receive a malicious PDF file that infects their device with either a dropper or a downloader. The difference between the two is minimal: the dropper installs the Trojan immediately, while the downloader first downloads the necessary components from the attackers’ servers.

Before starting, both the loader and the dropper check that the system isn’t running in a virtual machine and, most importantly, that the OS language is set to Italian. If both conditions are met, the device is infected.

Users who don’t meet these criteria are redirected to the website of FattureInCloud, an Italian cloud-based solution for storing and managing digital invoices. This clever disguise allows the attackers to target only a specific audience – everyone else is redirected to a legitimate website.

Who’s behind SambaSpy?

We’ve yet to determine which group is behind this sophisticated distribution of SambaSpy. However, circumstantial evidence has shown us that the attackers speak Brazilian Portuguese. We also know that they’re already expanding their operations to Spain and Brazil – as evidenced by malicious domains used by the same group in other detected campaigns. By the way, these campaigns no longer include the language check.

How to protect yourself from SambaSpy

The key takeaway from this story is the method of infection, which suggests that anyone, anywhere, speaking any language could be the target of the next campaign. For the attackers, it doesn’t really matter who they hit, nor are the particulars of the phishing bait important. Today, it might be an invoice from a real estate agency; tomorrow, a tax notification; and the day after that, airline tickets or travel vouchers.

Here are a few tips and recommendations to help you stay safe from SambaSpy:

Install Kaspersky Premium before your device shows any signs of infection. Our solution reliably detects and neutralizes both SambaSpy and other malware.
Always be wary of phishing emails. Before you click on a link in your inbox, take a moment to ask yourself: “Could this be a scam?”

Kaspersky official blog – Read More

How to Collect Threat Intelligence Using Search Parameters in TI Lookup

ANY.RUN’s Threat Intelligence Lookup is a valuable resource for security professionals searching for information on the latest cyber threats.

One of the key features of Threat Intelligence Lookup is its extensive search capabilities. The service offers over 40 different search parameters that can be combined to form specific queries. These parameters allow you to filter and refine your search results based on various criteria, such as IOCs, behavioral indicators, and other relevant information. 

Let’s explore each search parameter and provide examples of how they can be used in your investigations.

About Threat Intelligence Lookup

Threat Intelligence Lookup is a centralized platform for threat data exploration, collection, and analysis.

At the core of Threat Intelligence Lookup lies a global network of over 400,000 security experts. These individuals actively contribute by submitting suspicious samples to the ANY.RUN sandbox for advanced analysis on a daily basis. 

The submission process generates a wealth of valuable threat data, including indicators of compromise (IOCs), which are then extracted and integrated into Threat Intelligence Lookup.

Thanks to its integration with ANY.RUN’s Interactive Sandbox, users can access real-time search results, each one linked to a corresponding sandbox session, enabling in-depth analysis of the identified threats.

Search Parameters in TI Lookup

Search parameters in TI Lookup are divided into separate groups: tasks, registry, environment, detection, module, connection, process, network threats, file, synchronization, and URL.

Task

Task parameters refer to the characteristics of tasks (sandbox sessions). 

threatName

The name of a particular threat: malware family, threat type, etc., as identified by the sandbox.

Examples: “Phishing”, “xworm”, “ransomware”, “tycoon”.

submissionCountry

The country from which the threat sample was submitted.

Examples: “es”, “us”, “de”.

Results for a query that includes a threat name (Remcos) and country (Brazil) 

Here is an example of a query for samples of the Remcos malware submitted by users in Brazil. The service provides a list of sandbox sessions that correspond to the request.

threatLevel

A verdict on the threat level of the sample.

Examples: “malicious”, “suspicious”.

taskType

The type of the sample submitted to the sandbox.

Examples: “URL”, “file”.

You can adjust the timeframe of your search to 180, 90, 60, 30, 7, 3, or 1 days

In this screenshot, you can see a query for malicious URLs uploaded to the sandbox over the past 24 hours. TI Lookup displays a list of the latest one hundred sessions.

Registry

Registry parameters refer to specific attributes related to registry modifications detected within sandbox sessions. These parameters provide insights into how a threat interacts with the Windows registry.

registryKey

The specific key within the registry hive where the modification occurred. Please note: when entering registry keys, use a double backslash (\\) to escape the single backslash.

Examples: “Windows\CurrentVersion\RunOnce”, “Windows NT\CurrentVersionWindows”.

registryName

The name of the Windows Registry key field.

Examples: “browseinplace”, “docobject”, “isshortcut”.

registryValue

The value of the Windows Registry key.

Examples: “internet exploreriexplore.exe”.

The service provides events, synchronization, and network threats associated with the query

Using the query above, we can identify threats that aim to execute malicious code through scheduled tasks.

Environment

These parameters are used to provide context about the environment where a threat was detected or executed.

os

The specific version of Windows used in the environment.

Examples: “11”, “10”, “7”.

osSoftwareSet

The software package of applications installed on the OS.

Examples: “clean”, “office”, “complete”.

osBitVersion

The bitness of the operating system, 32-bit or 64-bit.

Examples: “32”, “64”.

The service provides Lumma analysis sessions that you can explore

We can use these parameters to, for instance, discover Windows 11 x64 sandbox sessions containing analysis of the Lumma stealer launched in the service over the past 14 days.

Detection

These parameters are utilized to describe the detection signatures and MITRE TTPs relating to the execution of threats in the sandbox.

ruleName

The name of the detection rule.

Examples: “Executable content was dropped or overwritten”, “Phishing has been detected”.

ruleThreatLevel

The threat level assigned to a particular event.

Examples: “malicious”, “suspicious”, “info”.

MITRE

Techniques used by the malware according to the MITRE ATT&CK classification.

Examples: “T1071”, “T1114.001”.

The service provides events, mutexes, files, network threats, and sessions

Let’s consider a query combining the MITRE ATT&CK technique T1053.005 (Scheduled Task, a common persistence mechanism) with a detection rule for threats that steal browser credentials.

Module

Module parameters refer to specific modules or components within a threat. This can be a DLL, library, or other executable that is loaded by the main executable.

moduleImagePath

The full path to the module’s image file, the location on the disk where the module’s executable is stored.

Examples: “SysWOW64\cryptbase.dll”, “SysWOW64\msasn1.dll”.

The service yields events, files, and other results in response to the query

Above you can see an example of a query that looks for all instances of sandbox sessions where KernelBase.dll was called.

Connection

The Connection parameters describe network-related aspects of a threat.

domainName

The domain name that was recorded during the threat execution in a sandbox.

Examples: “tventyvd20sb[.]top”, “5.tcp.ngrok[.]io”.

destinationIP

The IP address of the network connection that was established or attempted.

Examples: “147[.]185[.]221[.]22”, “162[.]125[.]66[.]15”.

destinationPort

The network port through which the connection was established.

Examples: “49760”, “49780”.

destinationIpAsn

Detected ASN.

Examples: “akamai-as”, “akamai international b.v.”.

destinationIPgeo

Two-letter country or region code of the detected IP geolocation.

Examples: “ae”, “de”.

ja3, ja3s, jarm

Types of TLS fingerprints that can indicate certain threats.

Examples: “1af33e1657631357c73119488045302c” (JA3S), “a0e9f5d64349fb13191bc781f81f42e1” (JA3).

You can explore the Network Threats tab to see the triggered Suricata IDS rules

In the picture above, we can see a query that searches for threats that made connections to IP addresses located in the Czech Republic (CZ), belonging to Cogent Communications.

Process

The following parameters relate to processes registered during active sandbox sessions.

imagePath

Full path to process image.

Examples: “System32\conhost.exe”, “Framework\v4.0.30319\RegAsm.exe”.

commandLine

The full command line that initiated the process.

Examples: “PDQConnectAgent\pdq-connect-agent.exe –service”, “system32\cmd.exe /c”.

The events tab shows the exact processes corresponding to the query

Using these parameters, we can find Strela stealer samples that use net.exe to mount a C2 server containing a ‘davwwwroot’ folder.

Network Threats

These parameters describe network-based threats detected by the Suricata intrusion detection system (IDS).

suricataMessage

The description of the threat according to Suricata.

Examples: “ET INFO 404/Snake/Matiex Keylogger Style External IP Check”, “STEALER [ANY.RUN] Stealc HTTP POST Request”.

Searching by Suricata message reveals the malware-config (malconf) IPs of RedLine

We can use a Suricata message to discover more samples, as well as IOCs, including those extracted directly from the malware’s configuration, relating to a particular threat.

suricataClass

The category assigned to the threat by Suricata based on its characteristics.

Examples: “misc activity”, “a network trojan was detected”.

suricataID

The unique identifier of the Suricata rule.

Examples: “2044767”, “8001997”.

suricataThreatLevel

The verdict on the threat according to Suricata based on its potential impact.

Examples: “malicious”, “suspicious”, “info”.

The service returns Suricata IDS rules detecting njRAT

By combining this parameter with threatName, we can collect the Suricata rules relating to a specific malware family.

File

These parameters describe file-related aspects of a threat.

filePath

The full path to the file on the system.

Examples: “invoice”, “order”.

A query searching for sessions where a readme.txt file was dropped on the desktop, a common ransomware sign

We can use this parameter along with threatLevel to find specific files in sandbox sessions with malicious content.

Try it: filePath:"Users\admin\Desktop\README.TXT" AND threatLevel:"malicious"

fileExtension

The extension that indicates the file type.

Examples: “exe”, “dll”.

sha256, sha1, md5

Hash values relating to a file.

Examples: “1412faf1bfd96e91340cedcea80ee09d”, “ce554fe53b2620c56f6abb264a588616”.

In response to a hash query, the service returns events, network threats, files, and other data

We can use the hash of a malicious file to discover the specific malware family it relates to.

Synchronization

These parameters describe synchronization-related activities within a threat, such as mutexes.

syncObjectName

The name or identifier of the synchronization object used.

Examples: “rmc”, “m0yv”.

syncObjectType

The type of synchronization object used.

Examples: “event”, “mutex”.

syncObjectOperation

The operation performed on the synchronization object.

Examples: “create”, “open”.

The service provides a long list of objects found in sessions containing analysis of the Xworm malware

By combining the operation and type parameters with threatName, we can search for specific mutexes or events created during the execution of a particular malware family.

URL

These parameters describe network traffic related to HTTP requests and responses.

url

The URL called by the process.

Examples: “http://192[.]168[.]37[.]128:8880[/]zv8u”, “http://tventyvd20sb[.]top/v1/upload[.]php”.

httpRequestContentType

The content type of the HTTP request sent to the server.

Examples: “application/octet-stream”.

httpResponseContentType

The content type of the HTTP response received from the server.

Examples: “text/html”.

httpRequestFileType

The file type of the file being uploaded in the HTTP request.

Examples: “binary”.

httpResponseFileType

The file type of the file being downloaded in the HTTP response.

Examples: “binary”.

Results for binary file requests in HijackLoader sandbox sessions

This parameter can again be combined with threatName to find binary files that were requested during analysis in the sandbox.
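As an added example (not ANY.RUN’s own client or an official syntax specification), the following Python helper assembles TI Lookup query strings from the parameter names catalogued above, using the field:"value" AND field:"value" shape of the README.TXT query and the double-backslash rule the Registry section gives for registryKey. Hash-length and MITRE-format checks are my own pre-flight validation, and the sample values are constructed for illustration.

```python
"""Build TI Lookup query strings from a dict of search parameters.

Assumptions (not from ANY.RUN documentation): terms are joined with AND,
values are wrapped in double quotes, and backslashes are doubled only for
registryKey, which is the one field the page documents that rule for.
"""
from string import hexdigits

# Parameter names as listed on the page.
KNOWN_PARAMS = {
    "threatName", "submissionCountry", "threatLevel", "taskType",
    "registryKey", "registryName", "registryValue",
    "os", "osSoftwareSet", "osBitVersion",
    "ruleName", "ruleThreatLevel", "MITRE", "moduleImagePath",
    "domainName", "destinationIP", "destinationPort", "destinationIpAsn",
    "destinationIPgeo", "ja3", "ja3s", "jarm", "imagePath", "commandLine",
    "suricataMessage", "suricataClass", "suricataID", "suricataThreatLevel",
    "filePath", "fileExtension", "sha256", "sha1", "md5",
    "syncObjectName", "syncObjectType", "syncObjectOperation",
    "url", "httpRequestContentType", "httpResponseContentType",
    "httpRequestFileType", "httpResponseFileType",
}

HASH_LEN = {"md5": 32, "sha1": 40, "sha256": 64}


def validate(field, value):
    """Reject unknown fields and obviously malformed hash / MITRE values."""
    if field not in KNOWN_PARAMS:
        raise ValueError(f"unknown TI Lookup parameter: {field}")
    if field in HASH_LEN:
        ok = len(value) == HASH_LEN[field] and all(c in hexdigits for c in value)
        if not ok:
            raise ValueError(f"{field} must be {HASH_LEN[field]} hex characters")
    if field == "MITRE":
        tid, _, sub = value.partition(".")
        ok = (tid[:1] == "T" and tid[1:].isdigit() and len(tid) == 5
              and (sub == "" or (sub.isdigit() and len(sub) == 3)))
        if not ok:
            raise ValueError("MITRE must look like T1053 or T1053.005")


def escape_value(field, value):
    """Double backslashes for registryKey, as the page instructs."""
    if field == "registryKey":
        return value.replace("\\", "\\\\")
    return value


def build_query(params):
    """Return the combined query, e.g. the README.TXT example from the page."""
    terms = []
    for field, value in params.items():
        validate(field, value)
        terms.append(f'{field}:"{escape_value(field, value)}"')
    return " AND ".join(terms)


if __name__ == "__main__":
    print(build_query({"filePath": r"Users\admin\Desktop\README.TXT",
                       "threatLevel": "malicious"}))
```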

Conclusion

ANY.RUN’s Threat Intelligence Lookup offers a comprehensive set of search parameters that enable security professionals to effectively analyze and investigate threats. Using these search options, you can identify and enrich your information on emerging threats.

About ANY.RUN

ANY.RUN helps more than 400,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, Yara Search and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.

The post How to Collect Threat Intelligence Using Search Parameters in TI Lookup appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – Read More

Uber launches new rider verification program as a safety measure for drivers across the US

After going through a background check, verified users will have a blue checkmark on their account and may even experience priority pickup.

Latest stories for ZDNET in Security – Read More

US Indicts Chinese National for Phishing for NASA Tech

Prosecutors allege that Chinese national Wu Song targeted US academics and engineers to obtain applications used in aerospace engineering and fluid dynamics, which could be used for developing missiles and weapons.

Cyware News – Latest Cyber News – Read More

Data Theft Risk in Salesforce by Manipulating Public Links

The vulnerability was related to the undocumented Salesforce Aura API and SOQL subqueries, allowing a blind SOQL injection attack to retrieve customer information, including personally identifiable information (PII).

Cyware News – Latest Cyber News – Read More

RAMBO Attack: Electromagnetic Waves Steal Data from Air-Gapped Systems

Discover the RAMBO attack, a groundbreaking method that uses electromagnetic waves to steal data from air-gapped systems. Learn…

Hackread – Latest Cybersecurity, Tech, Crypto & Hacking News – Read More