![]() ![]() These cookies allow us to count visits and traffic sources so we can We also recommend another Sigma rule by Ariel Millahuel to detect the Winnti group campaigns: Īnd YARA rule by Emanuele De Lucia – APT41 / Wicked Panda / Group 72 / Winnti Group YARA Malware Pack: You can explore the tactics used by the Winnti group in the MITRE ATT&CK section on Threat Detection Marketplace: ![]() Techniques: Credentials in Files (T1081), Execution through Module Load (T1129) Tactics: Credential Access, Initial Access, Execution SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, RSA NetWitness, Logpoint, Humio, RSA NetWitness, Sumo LogicĮDR: Windows Defender ATP, Carbon Black, Elastic Endpoint Threat Detection is supported for the following platforms: Ariel Millahuel’s new rule allows Floxif to be detected during installation and to respond to a threat before serious damage is done: exe files, and neutralize installed anti-malware solutions. Also, the trojan can download additional malware, execute various. Since then, the trojan has been used more than once in attacks, one of its distinctive abilities is the modification of legitimate files turning them into backdoors. ![]() During that attack, cybercriminals were interested in the largest technology companies, including Google and Microsoft. Floxif Trojan was used with Nyetya Trojan to collect information about infected systems and deliver the next stage payload. The attack occurred in September 2017, attackers allegedly gained access to CCleaner’s build environment. In that case, as in the CCleaner attack, victims installed seemingly legitimate software from a small but trusted company, only to find that it had been silently corrupted, deeply infecting their IT systems.Floxif Trojan is primarily known for being used by the Winnti group, they distributed it with the infected CCleaner, which was downloaded by users from the official site. Two months earlier, hackers hijacked the update mechanism of the Ukrainian accounting software MeDoc to deliver a destructive piece of software known as NotPetya, causing massive damage to companies in Ukraine as well as in Europe and the United States. But it already represents another serious example in the string of software supply-chain attacks that have recently rocked the internet. The exact dimensions of the CCleaner attack will likely continue to be redrawn, as analysis continues. "If you didn’t restore your system from backup, you’re at high risk of not having cleaned this up," Williams says. Instead, the researchers recommend that anyone affected fully restore their machines from backup versions prior to the installation of Avast's tainted security program. On Wednesday, researchers at Cisco's Talos security division revealed that they've now analyzed the hackers' "command-and-control" server to which those malicious versions of CCleaner connected.įor any company that may have had computers running the corrupted version of CCleaner on their network, Cisco warns that its findings mean merely deleting that application is no guarantee the CCleaner backdoor wasn't used to plant a secondary piece of malware on their network, one with its own, still-active command and control server. It wound up installed on more than 700,000 computers. Researchers now believe that the hackers behind it were bent not only on mass infections, but on targeted espionage that tried to gain access to the networks of at least 18 tech firms.Įarlier this week, security firms Morphisec and Cisco revealed that CCleaner, a piece of security software distributed by Czech company Avast, had been hijacked by hackers and loaded with a backdoor that evaded the company's security checks. But now it's becoming clear exactly how bad the results of the recent CCleaner malware outbreak may be. Hundreds of thousands of computers getting penetrated by a corrupted version of an ultra-common piece of security software was never going to end well. Update: On September 25, Avast confirmed that of the 18 companies targeted, a total of 40 computers were successfully infected with a secondary malware installation at the following companies: Samsung, Sony, Asus, Intel, VMWare, O2, Singtel, Gauselmann, Dyn, Chunghwa and Fujitsu. ![]()
0 Comments
Leave a Reply. |