Trellix Advanced Research Center: Digest #3
Design a cyber resilience action plan to defend against #ransomware at our Ransomware Detection & Response Virtual Showcase. In just a few hours, you’ll:
???Learn what industry leading CISOs are doing to overcome attackers, including the tools they use
???See real-world defenses with a demo of the AI-powered Trellix #XDR platform
???Gain next steps to execute your detection and response plan
Save your spot for November 15 now, sponsored by @Amazon Web Services (AWS)/@AWS Partners.
Discord is the first choice for gamers when they want to chat with some friends while playing an online computer game. Moreover, it is also a major choice for users that simply want to communicate with their friends and family. All of these make Discord one of the most used collaborative applications worldwide, gathering millions of people.
This popularity has made Discord a common application on almost any computer, including those that are used exclusively for work. Because of that, Discord traffic is frequent in corporate networks, something that malicious actors have realized.
The Trellix Advanced Research Center has analyzed malware that abuses Discord infrastructure in the past. However, most of the samples are information stealers and Remote Access Trojans (RATs) that can be obtained from the Internet, which is quite different from one sample targeting Ukrainian critical infrastructures that we were able to retrieve recently. This is the first time a sample associated with APT activity was found abusing Discord.
领英推荐
Malicious actors always seek innovative ways to bypass detection. The Trellix Advanced Research Center recently noticed an attack campaign with an acute spike of phishing emails, and another campaign that has been steadily going on since early 2022 with a slight variation in its TTPs. Both campaigns use QR codes as their primary mechanism to evade detection from email security products. Phishing emails in both campaigns were mostly devoid of text URLs, which makes most email security products ineffective because they rely on readable text and URLs for detection.
Use of QR codes for phishing is not new, but there is more to these campaigns. Analysis of these campaigns revealed that malicious actors not only used QR code as a primary means of defence, but also layered evasion tactics to make these campaigns hard to detect. This blog focuses on layered evasion techniques used to evade detections by security products. We also show targeted regions and discuss additional evasion methods that may be potentially used by attackers.
New ransomware victims are made every day by ransom gangs with a variety of ransomware malware families, one of which is the Rhysida ransomware family. Within this blog, an anonymised version of an attack by the Rhysida ransom operators is examined, along with a technical deep dive into the ransomware itself.
The main purpose of this blog is to raise the bar for defenders by detailing the malware operator’s techniques. By sharing factual observations, along with our additional insights, regardless of the security products in use, one can improve their security posture. Although the steps an actor takes might occur in a short time span, one can create additional and granular detection rules for the steps listed in this blog.
In early July 2023, the threat actor that Microsoft calls “Storm-0324” was observed sending a phishing message through Microsoft Teams. Storm-0324 is a financially motivated threat actor group previously known for distributing phishing emails to gain initial access to compromised systems via remote code execution. After gaining the initial foothold, Storm-0324 has a history of often handing-off the access to well-known Ransomware group Sangria Tempest (also known as FIN7, Carbon Spider) and TA543, which frequently use that provided access to execute ransomware attacks.
The threat actors Sangria Tempest and Storm-0324 previously had been associated with the distribution of the Gozi InfoStealer, Nymaim downloader and locker, and now Storm-0324 is distributing the JSSLoader before passing the buck to other ransomware groups.