Happy Monday everyone!
The Cisco Talos Intelligence Group shares its findings on the APT #SneakyChef using the #SugarGh0st malware to target countries in the EMEA region, with lure documents that appear to belong to government agencies. The researchers state that this campaign is wider in scale than the one previously witnessed back in November 2023, but with all the same calling cards (the link to the older article is the second bullet of the summary; it's a good read as well).
Looking at the older report, we get an idea of what these documents did, how the group gained access to their victims' machines, and some technical details:
Notable MITRE ATT&CK Tactics, Techniques, and sub-techniques:
TA0001 - Initial Access
T1566.001 - Phishing: Spearphishing Attachment - A RAR archive containing an LNK file was delivered to the victims. In the recent campaign, a self-extracting (SFX) RAR script executes to drop a decoy document, a DLL loader, the encrypted SugarGh0st payload, and a malicious VB script.
TA0003 - Persistence
T1037.001 - Boot or Logon Initialization Scripts: Logon Script (Windows) - The malicious VB script gained persistence by writing a command to the registry value "UserInitMprLogonScript" (under HKCU\Environment), which runs whatever command is defined in the value when a user belonging to either a local workgroup or a domain logs into the system. The command in this instance was "regsvr32.exe /s %temp%\update.dll" (the DLL came from the malicious SFX script).
TA0004/TA0005 - Privilege Escalation or Defense Evasion
T1055 - Process Injection - After the user logs in, the logon-script command runs regsvr32 against the dropped DLL. The loader reads the encrypted SugarGh0st RAT payload "authz.lib", decrypts it, and injects it into a process.
These are just some of the TTPs seen in the new attack, but I would highly recommend checking out the older article to get some more technical information about past behaviors associated with SneakyChef and the SugarGh0st RAT. Enjoy and Happy Hunting!
Article Source:
SneakyChef espionage group targets government agencies with SugarGh0st and more infection techniques
https://blog.talosintelligence.com/sneakychef-sugarghost-rat/
November 2023 Article:
https://blog.talosintelligence.com/new-sugargh0st-rat/
#CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday #Intel471