Anomali Cyber Watch: APT37 Adopts LNK Files, Charming Kitten Uses BellaCiao Implant-Dropper, ViperSoftX Infostealer Unique Byte Remapping Encryption


The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Byte remapping, Cloud C2s, Infostealers, Iran, North Korea, RATs, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.

Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.




Trending Cyber News and Threat Intelligence



Chain Reaction: RokRAT’s Missing Link



(published: May 1, 2023)



Since 2022, the North Korea-sponsored group APT37 (Group123, Ricochet Chollima) has mostly switched its delivery method from malicious documents to hiding payloads inside oversized LNK files. Check Point researchers have identified multiple infection chains used by the group from July 2022 until April 2023. These were used to deliver one of APT37’s custom tools (GOLDBACKDOOR and ROKRAT) or the commodity malware Amadey. All of the studied lures appear to target Korean-speaking individuals with South Korea-related topics.

Analyst Comment: Switching to LNK-based infection chains requires less user interaction from the victim, since the chain can be triggered by a simple double click. The group continues to use the well-tried ROKRAT, which remains a stealthy tool thanks to its additional layers of encryption, cloud C2, and in-memory execution. Indicators associated with this campaign are available in the Anomali platform and customers are advised to block these on their infrastructure.

MITRE ATT&CK: [MITRE ATT&CK] T1059.001 - PowerShell | [MITRE ATT&CK] T1055 - Process Injection
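A defender-side triage check for the oversized-LNK delivery described above, added here as an example and not code from the Check Point report or from Anomali: it validates the ShellLinkHeader (0x4C header size and the LinkCLSID from MS-SHLLINK), flags shortcuts larger than a size threshold, and looks for script-host strings in ANSI or UTF-16LE. The 1 MiB threshold and the sample shortcut bytes are constructed assumptions for this example, not values from the campaign.

```python
import struct

# ShellLinkHeader constants from MS-SHLLINK: HeaderSize is always 0x4C and
# LinkCLSID is 00021401-0000-0000-C000-000000000046 in on-disk byte order.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# Assumed threshold for this example; a normal shortcut is a few hundred bytes.
OVERSIZED_THRESHOLD = 1024 * 1024  # 1 MiB

# Script hosts worth flagging inside a shortcut's string data.
SCRIPT_HOSTS = ("powershell", "cmd.exe", "mshta", "rundll32")


def is_lnk(data: bytes) -> bool:
    """True if data begins with a valid ShellLinkHeader (HeaderSize + LinkCLSID)."""
    if len(data) < LNK_HEADER_SIZE:
        return False
    header_size = struct.unpack_from("<I", data, 0)[0]
    return header_size == LNK_HEADER_SIZE and data[4:20] == LNK_CLSID


def triage_lnk(data: bytes, threshold: int = OVERSIZED_THRESHOLD) -> dict:
    """Return simple risk indicators for the raw bytes of a shortcut file."""
    findings = {"is_lnk": is_lnk(data), "oversized": False, "suspicious_strings": []}
    if not findings["is_lnk"]:
        return findings
    findings["oversized"] = len(data) > threshold
    lowered = data.lower()  # bytes.lower() only touches ASCII, so UTF-16LE survives
    for host in SCRIPT_HOSTS:
        ansi = host.encode("ascii")
        utf16 = host.encode("utf-16-le")
        if ansi in lowered or utf16 in lowered:
            findings["suspicious_strings"].append(host)
    return findings


def build_sample_lnk(trailing: bytes) -> bytes:
    """Constructed sample: a minimal ShellLinkHeader followed by arbitrary trailing bytes."""
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))
    return header + trailing


# Constructed inputs: a small benign-looking shortcut and an oversized one that
# carries a UTF-16LE "PowerShell" string followed by 2 MiB of padding.
BENIGN_SAMPLE = build_sample_lnk(b"C:\\Users\\demo\\notes.txt")
OVERSIZED_SAMPLE = build_sample_lnk("PowerShell".encode("utf-16-le") + b"\x00" * (2 * 1024 * 1024))

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_SAMPLE), ("oversized", OVERSIZED_SAMPLE)):
        print(name, triage_lnk(sample))
```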