Ransomware: not-a-virus, or Why an Antivirus Is Not a Panacea in a Ransomware Attack

Analyzing yet another incident involving a ransomware attack, and hearing once again the question "how can this be, we have an antivirus!?", we decided to share with the community information about the renewed activity of the DcHelp group. In this article we describe the increasingly frequent DcHelp attacks, examine the group's tactics and techniques, and explain why an antivirus is not a panacea and how legitimate software can be turned against you.

https://habr.com/ru/companies/jetinfosystems/articles/859974/

#ransomware #diskcryptor #DcHelp #MeshAgent #mesh #dfir #форензика #forensics #информационная_безопасность #вредоносное_по

#opendir at:

http://79.124.58.130

malicious #meshagent (https://github.com/Ylianst/MeshAgent);

c2: 94.232.43.185

GitHub - Ylianst/MeshAgent: MeshAgent used along with MeshCentral to remotely manage computers. Many variations of the background management agent are included as binaries in the MeshCentral project.

"LilacSquid: The stealthy trilogy of PurpleInk, InkBox and InkLoader" published by CiscoTalos. #InkBox, #InkLoader, #LilacSquid, #MeshAgent, #UAT-4820, #PurpleInk, #QuasarRAT, #CTI, #OSINT, #LAZARUS https://blog.talosintelligence.com/lilacsquid/

Cisco Talos is disclosing a new suspected data theft campaign, active since at least 2021, we attribute to an advanced persistent threat actor (APT) we're calling "LilacSquid." Multiple TTPs utilized in this campaign bear some overlap with North Korean APT groups.

"MeshAgent C2 Detection: How to Prevent Potential Malware Attacks" published by CriminalIP. #Andariel, #MeshAgent, #CTI, #OSINT, #LAZARUS https://blog.criminalip.io/ko/2024/04/09/%eb%a9%94%ec%8b%9c%ec%97%90%ec%9d%b4%ec%a0%84%ed%8a%b8/

Detecting whether C2 servers installed on your organization's systems are exposed externally, and detecting internal access to the IP addresses hosting those C2 servers, is important in cybersecurity. In Criminal IP, the tag filter can be used to find MeshAgent C2 servers exposed on the internet.


ASEC reports on activity by the North Korean state-sponsored APT Andariel Group (publicly attributed to the DPRK Reconnaissance General Bureau by the US Treasury) against South Korean companies. AndarLoader and ModeLoader (described as JavaScript malware) are downloaders used to take control of the host and install Mimikatz for credential theft. MeshAgent (a potentially unwanted application) is abused as a remote monitoring and management (RMM) tool. ASEC describes many TTPs that can be mapped to MITRE ATT&CK. IOCs provided. 🔗 https://asec.ahnlab.com/en/63192/

#NorthKorea #cyberespionage #APT #Andariel #RGB #Modeloader #AndarLoader #MeshAgent #threatintel #IOC

"Andariel Group Exploiting Korean Asset Management Solutions (MeshAgent)" published by Ahnlab. #ModeLoader, #Andariel, #AndarLoader, #MeshAgent, #CTI, #OSINT, #LAZARUS https://asec.ahnlab.com/en/63192/
"Andariel Group Attacking by Abusing Domestic Asset Management Solutions (MeshAgent)" published by Ahnlab. #ModeLoader, #Andariel, #AndarLoader, #MeshAgent, #CTI, #OSINT, #LAZARUS https://asec.ahnlab.com/ko/62771/