
2019-02-18 By 360威胁情报中心 | Event Tracking

Since April 2018, an APT group (Blind Eagle, APT-C-36) suspected to be based in South America has carried out continuous targeted attacks against Colombian government institutions as well as important corporations in the financial sector, petroleum industry, professional manufacturing, etc. So far, 360 Threat Intelligence Center has captured 29 bait documents, 62 Trojan samples and multiple related malicious domains in total. The attackers target the Windows platform and aim at government institutions as well as large companies in Colombia.
APT-C-36 BLIND EAGLE APT

2019-02-14 By 360威胁情报中心 | Event Tracking

Recently, 360 Threat Intelligence Center captured a bait document designed specifically for Arabic users. It is an Office Word document with malicious macros embedded that drop and execute a backdoor packed by Enigma Virtual Box. The backdoor program has a built-in keyword list containing names of people or opera movies, which it uses in its C2 communication to dispatch control commands and further control the victim's computer. After investigation, we suspect this attack was carried out by Molerats.
MOLERATS APT

2019-02-14 By 360威胁情报中心 | Event Tracking

Recently, 360 Threat Intelligence Center captured a bait document designed specifically for Arabic-speaking users. The phishing document is an Office Word document carrying malicious macros; the macro code ultimately drops and executes a backdoor packed with Enigma Virtual Box. The backdoor has a built-in keyword list related to people's names or opera and movie titles, which it uses to dispatch control commands and execute the corresponding Trojan functions, further controlling the victim's computer. After tracing and correlation, 360 Threat Intelligence Center found that this attack activity is suspected to be the work of the Molerats APT group.
MOLERATS APT

2019-02-01 By 360威胁情报中心 | Technical Research

Windows Contacts [3] is a contact manager that is included in Windows Vista, Windows 7, Windows 8, and Windows 10. It replaced Windows Address Book while retaining most of its functionality, and works with Windows Live Mail and the Vista version of Windows Mail. Windows Contacts uses an XML-based schema format. Each contact appears as an individual .contact file, in which custom information including pictures can be stored. Windows Contacts features extensibility APIs for integration with other applications and for storing custom information. The legacy *.wab format and the open standards *.vcf (vCard) and *.csv (CSV) are also supported.
VULNERABILITY

2019-02-01 By 360威胁情报中心 | Technical Research

Windows Contacts [3] is the contact manager included in Windows Vista, Windows 7, Windows 8 and Windows 10. It replaced Windows Address Book while retaining most of its functionality, and works with Windows Live Mail and the Vista version of Windows Mail. Windows Contacts uses an XML-based schema format. Each contact is shown as a separate .contact file, in which custom information including pictures can be stored. Windows Contacts has extensibility APIs for integrating with other applications and for storing custom information. It also supports the legacy *.wab format and the open standards *.vcf (vCard) and *.csv (CSV).
VULNERABILITY

2019-01-29 By 360威胁情报中心 | Event Tracking

Recently, 360 Threat Intelligence Center found that the mining worm hijacking 驱动人生 had become active again and issued an early warning (for details, see the article "The mining worm hijacking 驱动人生 is active again"). While analyzing the group's new activity, 360 Threat Intelligence Center observed some phenomena involving the Mykings family, but could not reach a definitive conclusion. We share them here for the industry's reference, hoping to gather information from more dimensions for joint assessment.
驱动人生 MYKINGS

2019-01-24 By 360威胁情报中心 | Event Tracking

In December 2018, 360 Threat Intelligence Center captured multiple attack samples that used Excel 4.0 macros against banking institutions. The phishing document is an Office Excel document carrying a malicious Excel 4.0 macro, through which the final backdoor is downloaded and executed. Using Excel 4.0 macros helps evade detection by security software; we have previously conducted detailed research on this, and the related report can be found at: https://ti.360.net/blog/articles/excel-macro-technology-to-evade-detectio
TA505 SERVHELPER

2019-01-24 By 360威胁情报中心 | Event Tracking

Last month, 360 Threat Intelligence Center captured multiple phishing emails sent by the TA505 group to target financial institutions. These phishing emails carry Excel attachments with an embedded Excel 4.0 macro that ultimately downloads a backdoor. This approach can bypass antivirus detection, and we have published another report explaining it in detail: https://ti.360.net/blog/articles/excel-macro-technology-to-evade-detection.
TA505 SERVHELPER MACRO

2019-01-19 By 360威胁情报中心 | Technical Research

On October 10, 2018, Kaspersky publicly disclosed information [1] about a Windows kernel privilege escalation 0day captured in August of the same year, numbered CVE-2018-8453. CVE-2018-8453 is a Windows privilege escalation 0day that Kaspersky Lab captured in August 2018 in a series of APT attacks targeting the Middle East; the vulnerability is related to Windows window management and the Graphics Device Interface (win32kfull.sys). It can be exploited to elevate a low-privileged Windows user to system privileges (users->system), to break out of application sandbox protection (PDF, Office, IE, etc.), and to easily bypass antivirus protection, giving it very high exploitation value. Since Kaspersky did not disclose the detailed technical details of the vulnerability, as of the completion of this article no POC/EXP or exploitation technique had been made public.
CVE-2018-8453 VULNERABILITY 0DAY

2019-01-19 By 360威胁情报中心 | Technical Research

On October 10, 2018, Kaspersky disclosed a Win32k Elevation of Privilege exploit (CVE-2018-8453) captured in August. This vulnerability was used as a 0day in attacks targeting the Middle East to escalate privileges on compromised Windows systems. It is related to window management and the Graphics Device Interface (win32kfull.sys) and can be used to elevate user privileges to system permissions. It can also be used to bypass sandbox protection in applications such as PDF readers, Office and IE, which makes the exploit extremely valuable. Kaspersky did not disclose the exploit in detail, and no POC/EXP was made public until recently.
CVE-2018-8453 0DAY VULNERABILITY
