
2019-04-10 By Qi An Xin Advanced Threat Research Team | Incident Tracking

Donot (APT-C-35), continuously tracked and named by the Qi An Xin Advanced Threat Research Team, is a group that conducts cyber-espionage mainly against Pakistan and other South Asian countries. It primarily attacks government agencies and similar sectors, with the theft of sensitive information as its main goal. Besides spreading malicious code through spear-phishing emails carrying Office exploits or malicious macros, the group is also particularly adept at using malicious Android APKs. Recently, through monitoring, our advanced threat research team found that the group has carried out a large-scale upgrade of its malicious Android APK framework, noticeably improving both its practicality and its stability. Because the APK framework used this time differs so much from previously seen samples, we named it StealJob after the word "Job", which appears frequently in its code.
DONOT APT-C-35 APT 肚脑虫

2019-04-10 By Qi An Xin Advanced Threat Research Team | Incident Tracking

Donot (APT-C-35), named and tracked by PatchSky Threat Intelligence Center, is an attack group that mainly targets countries such as Pakistan in South Asia. This APT group usually carries out targeted attacks against government agencies to steal sensitive information. In addition to spreading malware via spear-phishing emails with Office attachments that either exploit a vulnerability or carry a malicious macro, this group is particularly good at leveraging malicious Android APKs in its targeted attacks. Recently, we have observed a large-scale upgrade of its malicious Android APK framework that makes it more stable and practical. Since the new APK framework is quite different from the one used in the past, we named it StealJob, as "job" is used frequently in the code.
DONOT APT-C-35 APT 肚脑虫

2019-03-22 By 360 Threat Intelligence Center | Incident Tracking

360 Threat Intelligence Center recently discovered a cybercrime campaign targeting South Korean mobile banking users. Its earliest activity may date back to December 22, 2018, and it has continued since then; as of the completion of this report the campaign is still active. Given that both the trojan and its control backend are displayed in Korean, we have reason to believe it is operated by a South Korean cybercrime group. The attack platform is mainly Android, and the targets are users of South Korean banking apps. The attackers impersonate several South Korean bank apps; once a user is tricked into installing and running one, it steals the user's personal information and remotely controls the phone, so that the attacker can bypass the user and communicate directly with the bank for verification, thereby stealing the user's assets.
KBUSTER FAKE BANK APP

2019-03-22 By 360 Threat Intelligence Center | Incident Tracking

360 Threat Intelligence Center recently found an attack campaign against South Korean mobile banking users. The first activity may date back to December 22, 2018, and the attack was still ongoing when this document was finished. Both the malware samples and the C2 infrastructure are written in Korean, so we believe this attack is run by actors from South Korea. The main attack platform is Android, and the targets are users of South Korean banking apps. The attackers impersonate multiple South Korean bank apps; once a user is tricked into installing and running one, it steals personal information and remotely controls the phone, so that the attacker can connect directly with the bank and skip the user's authentication, thereby stealing the user's property.
KBUSTER FAKE BANK APP

2019-03-21 By 360 Threat Intelligence Center | Incident Tracking

Recently, 360 Threat Intelligence Center intercepted a targeted attack sample aimed at the Iraqi mobile operator Korek Telecom. The operator is the fastest-growing mobile company in Iraq, serving 18 Iraqi provinces and providing services to enterprise, government and individual customers. The sample is delivered by spear-phishing email: the victim is lured into opening an attached Office Word document and enabling its malicious macro. The macro code ultimately drops and executes a PowerShell backdoor, giving the attacker remote control of the victim's computer. After tracing and correlation, 360 Threat Intelligence Center found that the campaign is suspected to be related to the MuddyWater APT group, and traced and analyzed several related malicious samples. The MuddyWater APT group possibly originates from Iran[1]; its activity can be traced back to early 2017, and it mainly targets government agencies, telecommunications and oil companies. In November 2017, after correlating multiple attacks, Palo Alto named the group MuddyWater[2]. Since 2018, its target regions are no longer limited to Iran and Saudi Arabia but have expanded to Asia, Europe and Africa[3], and its targets now also include military entities and educational institutions.
APT MUDDYWATER

2019-03-19 By 360 Threat Intelligence Center | Incident Tracking

On March 17, 2019, 360 Threat Intelligence Center intercepted a targeted attack sample against the Middle East, suspected to come from the Goldmouse APT group (APT-C-27), that exploits the WinRAR vulnerability (CVE-2018-20250[6]). The malicious ACE archive contains an Office Word document that uses a terrorist attack as bait to induce the victim to extract the file. When the victim extracts it with WinRAR on the local computer, the vulnerability is triggered; on successful exploitation, the embedded backdoor (Telegram Desktop.exe) is dropped into the user's startup folder, and the remote access trojan is executed whenever the user restarts or logs in to the system, giving the attacker control of the victim's computer. Through correlation analysis, 360 Threat Intelligence Center found that the campaign is suspected to be related to the Goldmouse APT group (APT-C-27). Further tracing and correlation also uncovered multiple Android malware samples related to this group; these samples mainly disguise themselves as common software to attack specific target groups, and based on the attacker-related text in the malicious code, we can infer that the attackers are also fairly familiar with Arabic.
APT-C-27 GOLDMOUSE TARGET ATTACK WINRAR EXPLOIT APT

2019-03-19 By 360 Threat Intelligence Center | Incident Tracking

On March 17, 2019, 360 Threat Intelligence Center captured a targeted attack sample against the Middle East that exploits the WinRAR vulnerability (CVE-2018-20250[6]), and it seems that the attack is carried out by the Goldmouse APT group (APT-C-27). There is a decoy Word document about terrorist attacks inside the archive to lure the victim into decompressing it. When the archive is decompressed on a vulnerable computer, the embedded njRAT backdoor (Telegram Desktop.exe) is extracted to the startup folder and then executed when the victim restarts the computer or logs in again. After that, the attacker is able to control the compromised device. After conducting correlation analysis, we suspect that the Goldmouse APT group (APT-C-27) may be behind the attack. In addition, after further investigation we discovered multiple related Android samples that disguise themselves as common applications to attack specific targets. Considering that the language used in the malicious code is Arabic, it seems that the attacker is familiar with Arabic as well.
APT-C-27 GOLDMOUSE TARGET ATTACK WINRAR EXPLOIT APT

2019-02-28 By 360 Threat Intelligence Center | Incident Tracking

Recently, 360 Threat Intelligence Center captured multiple decoy documents specifically targeting computer users in Japan; the documents are Office Excel files carrying malicious macros. By analyzing the recipient information of the related spear-phishing emails, we found that the victims are all employees of Japanese high-tech companies. Judging from the targeted nature of the attack, the distribution of victims and related background information, the attacker's main goal is financial gain, although the theft of trade secrets and intellectual property cannot be ruled out. The malicious macro in the decoy document and the subsequent PowerShell script call several functions related to the system language and locale, and rely on their return values to decrypt the next stage of code, thereby achieving precise delivery to users of Japanese-language systems. For example, they distinguish computers in Japan by checking the length of a formatted currency value and by using the local LCID[1] (Language Code Identifier) as the XOR decryption key. The attacker finally downloads and executes URLZone[2] through image steganography, and the subsequent code further checks the runtime environment to avoid exposing malicious behavior in sandboxes, virtual machines and analysis machines.
URLZONE TARGET JAPANESE

2019-02-28 By 360 Threat Intelligence Center | Incident Tracking

Last week, 360 Threat Intelligence Center captured multiple bait documents specifically targeting Japanese users. The phishing email carries an Office Excel attachment with an embedded malicious macro that launches a subsequent PowerShell script. By analyzing the recipients of the collected phishing emails, we found that the victims are employees of Japanese high-tech enterprises. To achieve precise delivery, multiple system-language and locale-related functions are used in the decryption phase to avoid executing the payload on irrelevant systems. For example, the code checks the length of a formatted currency value and derives the XOR decryption key from the LCID[1] (Language Code Identifier) to target Windows (Japanese Edition) specifically. Steganography is used to deliver the URLZone[2] malware, which contains additional code to detect the runtime environment in order to avoid exposing malicious behaviors on sandboxes, virtual machines, and computers used by analysts.
URLZONE TARGET JAPANESE

2019-02-27 By 360 Threat Intelligence Center | Incident Tracking

On February 22, 360 Threat Intelligence Center captured the first in-the-wild ACE archive[1] spreading malware by exploiting the WinRAR vulnerability (CVE-2018-20250). At the same time, we reminded users to take action against this high-risk vulnerability. As predicted, we captured multiple samples using this vulnerability in the following days and also observed some related APT attacks. Attackers are clearly using this exploit in more sophisticated ways: for example, they embed many pictures and lure the target into decompressing the archive because those pictures cannot be previewed inside it, and they encrypt the malicious ACE file before delivering it.
CVE-2018-20250 WINRAR
