ä¸å›½ã®ã€ŒAPT10ã€ãŒæœ€æ–°ã®TTP(戦術ã€æŠ€è¡“ã€ãŠã‚ˆã³æ‰‹é †ï¼‰ã‚’用ã„ã€æ—¥æœ¬ä¼æ¥ã‚’標的ã«
ファイア・アイã¯ä»Šå¹´7月ã€ã€ŒAPT10ã€ï¼ˆåˆ¥å:MenuPass)ã¨æ€ã‚れるグループã«ã‚ˆã‚‹ã€æ—¥æœ¬ã®ãƒ¡ãƒ‡ã‚£ã‚¢æ¥ç•Œã‚’標的ã«ã—ãŸã‚¢ã‚¯ãƒ†ã‚£ãƒ“ティを検知・阻æ¢ã—ã¾ã—ãŸã€‚APT10ã¯ã€ãƒ•ã‚¡ã‚¤ã‚¢ãƒ»ã‚¢ã‚¤ãŒ2009年より追跡ã—ã¦ã„ã‚‹ä¸å›½ã®ã‚µã‚¤ãƒãƒ¼ãƒ»ã‚¹ãƒ‘イ・グループã§ã€ã“ã‚Œã¾ã§ã‚‚日本ã®ä¼æ¥ãƒ»çµ„織を標的ã¨ã—ã¦ãã¾ã—ãŸã€‚今回ã®æ”»æ’ƒã‚ャンペーンã§ã¯ã€UPPERCUTãƒãƒƒã‚¯ãƒ‰ã‚¢ã‚’インストールã™ã‚‹ã€æ‚ªæ„ã‚る文書を添付ã—ãŸã‚¹ãƒ”アフィッシング・メールãŒã€æ—¥æœ¬ã®ãƒ¡ãƒ‡ã‚£ã‚¢æ¥ç•Œã«ãŠã‘ã‚‹ã•ã¾ã–ã¾ãªä¼æ¥ãƒ»å›£ä½“ã«é€ä»˜ã•ã‚Œã¾ã—ãŸã€‚ã“ã®ãƒãƒƒã‚¯ãƒ‰ã‚¢ã¯ã€ã‚³ãƒŸãƒ¥ãƒ‹ãƒ†ã‚£ã§ã¯ANEL ã®åã§çŸ¥ã‚‰ã‚Œã¦ãŠã‚Šã€æœ€æ–°ãƒãƒ¼ã‚¸ãƒ§ãƒ³ãŒç™ºè¡¨ã•ã‚Œã‚‹ã¾ã§ã¯ã€ãƒ™ãƒ¼ã‚¿ç‰ˆã¾ãŸã¯RC(リリース候補版)ã®å½¢ã§æä¾›ã•ã‚Œã¦ã„ã¾ã—ãŸã€‚本ブãƒã‚°ã§ã¯ã€ãƒãƒ¼ã‚¸ãƒ§ãƒ³é–“ã®æ›´æ–°å†…容や差異ã«ã¤ã„ã¦åˆ†æžã—ã¦ã„ã¾ã™ã€‚ 攻撃ã®æ¦‚è¦ æœ€åˆã®æ”»æ’ƒãƒ™ã‚¯ãƒˆãƒ«ã§ã¯ã€æ‚ªæ„ã‚ã‚‹VBAマクãƒã‚’æ ¼ç´ã—ãŸMicrosoft
Advanced Mobile Malware Campaign in India uses Malicious MDM
Summary Cisco Talos has identified a highly targeted campaign against 13 iPhones which appears to be focused on India. The attacker deployed an open-source mobile device management (MDM) system to control enrolled devices. At this time, we don't know how the attacker managed to enroll the targeted devices. Enrollment could be done through physical access to the devices, or most likely by using soc
プラグインをダウンãƒãƒ¼ãƒ‰ã—ã¦å®Ÿè¡Œã™ã‚‹ãƒžãƒ«ã‚¦ã‚¨ã‚¢TSCookie (2018-03-01) | JPCERTコーディãƒãƒ¼ã‚·ãƒ§ãƒ³ã‚»ãƒ³ã‚¿ãƒ¼ï¼ˆJPCERT/CC)
2018å¹´1月17æ—¥é ƒã€æ–‡éƒ¨ç§‘å¦çœã«å½è£…ã—ãŸä¸æ£ãªãƒ¡ãƒ¼ãƒ«ãŒé€ä¿¡ã•ã‚Œã¦ã„ãŸã“ã¨ãŒä¸€éƒ¨ã§ç¢ºèªã•ã‚Œã¦ã„ã¾ã™[1]。ã“ã®ãƒ¡ãƒ¼ãƒ«ã«ã¯URLãŒè¨˜è¼‰ã•ã‚Œã¦ãŠã‚Šã€ã‚¢ã‚¯ã‚»ã‚¹ã™ã‚‹ã¨ãƒžãƒ«ã‚¦ã‚¨ã‚¢TSCookieãŒãƒ€ã‚¦ãƒ³ãƒãƒ¼ãƒ‰ã•ã‚Œã¾ã—ãŸã€‚(トレンドマイクãƒç¤¾ã¯ã“ã®ãƒžãƒ«ã‚¦ã‚¨ã‚¢ã‚’PLEADã¨å‘¼ã‚“ã§ã„ã¾ã™[2]。PLEADã¯ã€æ”»æ’ƒã‚ャンペーンåã¨ã—ã¦ä½¿ã‚れるã“ã¨ã‚‚ã‚ã‚‹ãŸã‚ã€ã“ã“ã§ã¯ã“ã®ãƒžãƒ«ã‚¦ã‚¨ã‚¢ã‚’TSCookieã¨è¨˜è¼‰ã—ã¾ã™ã€‚)TSCookieã¯ã€2015å¹´é ƒã‹ã‚‰ç¢ºèªã•ã‚Œã¦ãŠã‚Šã€BlackTech[3]ã¨å‘¼ã°ã‚Œã‚‹æ”»æ’ƒã‚°ãƒ«ãƒ¼ãƒ—ã¨ã®é–¢é€£ãŒç–‘ã‚ã‚Œã¦ã„ã¾ã™ã€‚JPCERT/CCã§ã¯ã“ã®ãƒžãƒ«ã‚¦ã‚¨ã‚¢ã‚’使用ã—ãŸæ”»æ’ƒã‚°ãƒ«ãƒ¼ãƒ—ãŒã€éŽåŽ»ã«æ—¥æœ¬ã®çµ„織をターゲットã«æ¨™çš„型攻撃を行ã£ã¦ã„ã‚‹ã“ã¨ã‚’確èªã—ã¦ã„ã¾ã™ã€‚ 今回ã¯ã€TSCookieã®è©³ç´°ã«ã¤ã„ã¦ç´¹ä»‹ã—ã¾ã™ã€‚ TSCookieã®æ¦‚è¦ å›³1ã¯ã€TSCookie実行時ã®å‹•ä½œã®æµã‚Œã‚’示ã—ã¦ã„ã¾ã™ã€‚ 図
攻撃グループBlackTechãŒä½¿ã†ãƒžãƒ«ã‚¦ã‚¨ã‚¢PLEADダウンãƒãƒ¼ãƒ€ (2018-05-28) - JPCERTコーディãƒãƒ¼ã‚·ãƒ§ãƒ³ã‚»ãƒ³ã‚¿ãƒ¼ï¼ˆJPCERT/CC)
å‰å›žã®åˆ†æžã‚»ãƒ³ã‚¿ãƒ¼ã より ã§ã¯æ”»æ’ƒã‚°ãƒ«ãƒ¼ãƒ—BlackTech[1]ãŒä½¿ç”¨ã—ã¦ã„ã‚‹ã¨è€ƒãˆã‚‰ã‚Œã‚‹ãƒžãƒ«ã‚¦ã‚¨ã‚¢TSCookie ã«ã¤ã„ã¦ç´¹ä»‹ã—ã¾ã—ãŸã€‚ã“ã®æ”»æ’ƒã‚°ãƒ«ãƒ¼ãƒ—ã¯ãã®ä»–ã«ã‚‚PLEADã¨å‘¼ã°ã‚Œã‚‹ãƒžãƒ«ã‚¦ã‚¨ã‚¢ã‚’使用ã™ã‚‹ã“ã¨ãŒåˆ†ã‹ã£ã¦ã„ã¾ã™ã€‚(PLEADã¯è¤‡æ•°ã®ãƒžãƒ«ã‚¦ã‚¨ã‚¢ç¨®åˆ¥å(TSCookieã‚’å«ã‚€ï¼‰ã¨ãã®ãƒžãƒ«ã‚¦ã‚¨ã‚¢ã‚’使用ã—ãŸæ”»æ’ƒã‚ャンペーンåã¨ã—ã¦ä½¿ç”¨ã•ã‚Œã¦ã„ã¾ã™[2]。ã“ã“ã§ã¯PLEADã‚’TSCookieã¨ã¯ç•°ãªã‚‹ãƒžãƒ«ã‚¦ã‚¨ã‚¢ç¨®åˆ¥åã¨ã—ã¦ä½¿ç”¨ã—ã¾ã™ã€‚)PLEADã«ã¯RATタイプã¨ã€ãƒ€ã‚¦ãƒ³ãƒãƒ¼ãƒ€ã‚¿ã‚¤ãƒ—(以é™ã€PLEADダウンãƒãƒ¼ãƒ€ã¨è¨˜è¼‰ã™ã‚‹ï¼‰ãŒå˜åœ¨ã—ã¾ã™ã€‚RATタイプã¯è¤‡æ•°ã®ã‚³ãƒžãƒ³ãƒ‰ã‚’æŒã¡ã€å‘½ä»¤ã‚’å—ä¿¡ã™ã‚‹ã“ã¨ã«ã‚ˆã£ã¦å‹•ä½œã—ã¾ã™ã€‚(詳ã—ãã¯ã€LAC社ãŒå…¬é–‹ã—ã¦ã„るブãƒã‚°[3]ã®ã€Œæ”»æ’ƒæ‰‹å£3ã€ã‚’ã”覧ãã ã•ã„。)PLEADダウンãƒãƒ¼ãƒ€ã¯ã€TSCookieã¨åŒã˜ãモジュールをダウンãƒãƒ¼ãƒ‰ã—ã€ãƒ¡ãƒ¢ãƒªä¸Šã§å®Ÿè¡Œ
Linuxã¨Windowsã‚’ç‹™ã†ãƒžãƒ«ã‚¦ã‚¨ã‚¢WellMess(2018-06-28) | JPCERTコーディãƒãƒ¼ã‚·ãƒ§ãƒ³ã‚»ãƒ³ã‚¿ãƒ¼ï¼ˆJPCERT/CC)
マルウエアã®ä¸ã«ã¯ãƒžãƒ«ãƒãƒ—ラットフォームã§å‹•ä½œã™ã‚‹ã“ã¨ã‚’æ„図ã—ã¦ä½œæˆã•ã‚ŒãŸã‚‚ã®ãŒå˜åœ¨ã—ã€ãã®éš›ã«ä½¿ç”¨ã•ã‚Œã‚‹ãƒ—ãƒã‚°ãƒ©ãƒŸãƒ³ã‚°è¨€èªžã¨ã—ã¦ä»£è¡¨çš„ãªã‚‚ã®ãŒJavaã§ã™ã€‚ãŸã¨ãˆã°ã€ä»¥å‰åˆ†æžã‚»ãƒ³ã‚¿ãƒ¼ã よりã§ç´¹ä»‹ã—ãŸAdwindã¯Javaã§ä½œæˆã•ã‚ŒãŸãƒžãƒ«ã‚¦ã‚¨ã‚¢ã§ã€Windows以外ã®OSã§ã‚‚動作ã—ã¾ã™ã€‚ã”å˜çŸ¥ã®é€šã‚Šã€Java以外ã«ã‚‚マルãƒãƒ—ラットフォームã§å‹•ä½œã™ã‚‹ã“ã¨ã‚’想定ã—ãŸãƒ—ãƒã‚°ãƒ©ãƒŸãƒ³ã‚°è¨€èªžã¯å˜åœ¨ã—ã€Golangã‚‚ãã®ï¼‘ã¤ã§ã™ã€‚Javaã§ä½œæˆã•ã‚ŒãŸãƒžãƒ«ã‚¦ã‚¨ã‚¢ã«æ¯”ã¹ã‚‹ã¨å°‘ãªã„ã§ã™ãŒã€Golangã§ä½œæˆã•ã‚ŒãŸã‚‚ã®ã‚‚確èªã•ã‚Œã¦ã„ã¾ã™ã€‚ãŸã¨ãˆã°ã€Linuxã«æ„ŸæŸ“ã™ã‚‹ãƒžãƒ«ã‚¦ã‚¨ã‚¢ã¨ã—ã¦æœ‰åãªMiraiもコントãƒãƒ¼ãƒ©ãƒ¼ã«ã¯GolangãŒä½¿ç”¨ã•ã‚Œã¦ã„ã¾ã™ã€‚ 今回ã¯ã€JPCERT/CC ã§ç¢ºèªã—ãŸãƒžãƒ«ã‚¦ã‚¨ã‚¢WellMessã«ã¤ã„ã¦ç´¹ä»‹ã—ã¾ã™ã€‚WellMessã¯ã€Golangã§ä½œæˆã•ã‚Œã€ã‚¯ãƒã‚¹ã‚³ãƒ³ãƒ‘イルã«ã‚ˆã£ã¦Linux
Certificates stolen from Taiwanese tech-companies misused in Plead malware campaign
Award-winning news, views, and insight from the ESET security community Certificates stolen from Taiwanese tech-companies misused in Plead malware campaign D-Link and Changing Information Technologies code-signing certificates stolen and abused by highly skilled cyberespionage group focused on East Asia, particularly Taiwan ESET researchers have discovered a new malware campaign misusing stolen di
ãƒžãƒ¼ã‚±ãƒƒãƒˆæƒ…å ± | ビットãƒãƒ³ã‚¯ãƒ—ラス
é‹å–¶è€…æƒ…å ±æœ¬ã‚µã‚¤ãƒˆã¯ã€æ—¥æœ¬æœ€å¤§ç´šæš—å·è³‡ç”£å–引所・販売所「ビットãƒãƒ³ã‚¯ã€ãŒé‹å–¶ã™ã‚‹ã€ãƒ“ットコイン(Bitcoin)ã€ãƒ–ãƒãƒƒã‚¯ãƒã‚§ãƒ¼ãƒ³ã€æš—å·è³‡ç”£(仮想通貨)ã«é–¢ã™ã‚‹çŸ¥è˜ã€ä¸–ç•Œä¸ã®æœ€æ–°ã®ãƒˆãƒ”ックスã€æœ€å…ˆç«¯ã®æŠ€è¡“ã€ãƒ—ãƒã‚¸ã‚§ã‚¯ãƒˆã€è¦åˆ¶ã€ç›¸å ´ãªã©ã€æš—å·è³‡ç”£æŠ•è³‡ã®ãƒ’ントã«ãªã‚‹ãŠå½¹ç«‹ã¡æƒ…å ±ã‚’ç™ºä¿¡ã™ã‚‹ãƒ¡ãƒ‡ã‚£ã‚¢ã§ã™ã€‚ 金èžåºã®ãƒ›ãƒ¼ãƒ ページã«è¨˜è¼‰ã•ã‚ŒãŸæš—å·è³‡ç”£äº¤æ›æ¥è€…ãŒå–り扱ã†æš—å·è³‡ç”£ï¼ˆä»®æƒ³é€šè²¨ï¼‰ã¯ã€å½“該暗å·è³‡ç”£äº¤æ›æ¥è€…ã®èª¬æ˜Žã«åŸºã¥ã〠資金決済法上ã®å®šç¾©ã«è©²å½“ã™ã‚‹ã“ã¨ã‚’確èªã—ãŸã‚‚ã®ã«ã™ãŽã¾ã›ã‚“。 金èžåºãƒ»è²¡å‹™å±€ãŒã€ã“れらã®æš—å·è³‡ç”£ï¼ˆä»®æƒ³é€šè²¨ï¼‰ã®ä¾¡å€¤ã‚’ä¿è¨¼ã—ãŸã‚Šã€æŽ¨å¥¨ã™ã‚‹ã‚‚ã®ã§ã¯ã‚ã‚Šã¾ã›ã‚“。 æš—å·è³‡ç”£ï¼ˆä»®æƒ³é€šè²¨ï¼‰ã¯ã€å¿…ãšã—ã‚‚è£ä»˜ã‘ã¨ãªã‚‹è³‡ç”£ã‚’æŒã¤ã‚‚ã®ã§ã¯ã‚ã‚Šã¾ã›ã‚“。暗å·è³‡ç”£ï¼ˆä»®æƒ³é€šè²¨ï¼‰ã®å–引を行ã†éš›ã«ã¯ã€ä»¥ä¸‹ã®æ³¨æ„点ã«ã”ç•™æ„ãã ã•ã„。 <暗å·è³‡ç”£ï¼ˆä»®æƒ³é€šè²¨ï¼‰ã‚’利用ã™ã‚‹éš›ã®æ³¨æ„点>暗å·è³‡ç”£ï¼ˆä»®æƒ³é€šè²¨ï¼‰ã¯ã€æ—¥æœ¬å††ã‚„
SynAck targeted ransomware uses the Doppelgänging technique
The Process Doppelgänging technique was first presented in December 2017 at the BlackHat conference. Since the presentation several threat actors have started using this sophisticated technique in an attempt to bypass modern security solutions. In April 2018, we spotted the first ransomware employing this bypass technique – SynAck ransomware. It should be noted that SynAck is not new – it has been
BadRabbit: a closer look at the new version of Petya/NotPetya | Malwarebytes Labs
Petya/NotPetya (aka EternalPetya), made headlines in June, due to it’s massive attack on Ukraine. Today, we noted an outbreak of a similar-looking malware, called BadRabbit, probably prepared by the same authors. Just like the previous edition, BadRabbit has an infector allowing for lateral movements, using SMB to propagate laterally. Unlike NotPetya, it doesn’t use EternalBlue and is more widely
防衛装備ã«é–¢é€£ã—ãŸèª¿æŸ»å ±å‘Šæ›¸ã‚’å½è£…ã—ãŸæ”»æ’ƒ | ã‚»ã‚ãƒ¥ãƒªãƒ†ã‚£ç ”ç©¶ã‚»ãƒ³ã‚¿ãƒ¼ãƒ–ãƒã‚°
先週弊社ã§ã¯ã€é˜²è¡›è£…å‚™ã«é–¢é€£ã—ãŸèª¿æŸ»å ±å‘Šã‚’å½è£…ã—ãŸãƒ‰ã‚ュメントを使ã£ãŸæ”»æ’ƒã‚’観測ã—ã¾ã—ãŸã€‚皆様ã«æ³¨æ„喚起を促ã™ç›®çš„ã§ã€èª¿æŸ»ã®ä¸€éƒ¨ã‚’共有ã—ãŸã„ã¨æ€ã„ã¾ã™ã€‚ 防衛装備ã«é–¢é€£ã—ãŸèª¿æŸ»å ±å‘Šã‚’å½è£…ã—ãŸãƒ‰ã‚ュメントã¯ã€å›³1ã®ã‚ˆã†ã«ã€WORDã‚„PDFã‚’å½è£…ã—ãŸäºŒé‡æ‹¡å¼µåã®ãƒ•ã‚¡ã‚¤ãƒ«ã§ã€ãŠãらãメールã«æ·»ä»˜ã•ã‚ŒãŸã‹ãŸã¡ã§æ¨™çš„ä¼æ¥ã«é…é€ã•ã‚ŒãŸã¨è¦‹ã‚‰ã‚Œã¾ã™ã€‚ 図1ã€WORDã‚„PDFã§é˜²è¡›é–¢é€£ã®èª¿æŸ»å ±å‘Šæ›¸ã‚’å½è£…ã—ãŸEXEファイル SHA256 (PDFå½è£…ファイル) : dc7521c00ec2534cf494c0263ddf67ea4ba9915eb17bdc0b3ebe9e840ec63643 SHA256 (DOCå½è£…ファイル) : 42da51b69bd6625244921a4eef9a2a10153e012a3213e8e9877cf831aea3eced [動作概è¦] ファイルを実行ã—ãŸå ´åˆã€WORD
「BlackTechã€ã«ã‚ˆã‚‹ã‚µã‚¤ãƒãƒ¼è«œå ±æ´»å‹•ã®è¶³è·¡ã‚’追ㆠ|
サイãƒãƒ¼æ”»æ’ƒè€…集団「BlackTech(ブラックテック)ã€ã¯ã€å°æ¹¾ã‚’ä¸å¿ƒã¨ã—ãŸæ±ã‚¢ã‚¸ã‚¢åœ°åŸŸã§ã‚µã‚¤ãƒãƒ¼è«œå ±æ´»å‹•ã™ã‚‹æ”»æ’ƒè€…集団ã§ã€æ—¥æœ¬ã‚„香港ã§ã®æ´»å‹•ã‚‚確èªã•ã‚Œã¦ã„ã¾ã™ã€‚彼らãŒåˆ©ç”¨ã™ã‚‹ã‚³ãƒžãƒ³ãƒ‰&コントãƒãƒ¼ãƒ«ï¼ˆC&C)サーãƒã® Mutex やドメインåã‹ã‚‰ã€BlackTech ã®ç›®çš„ã¯æ¨™çš„者ãŒæ‰€æœ‰ã™ã‚‹æŠ€è¡“ã®çªƒå–ã«ã‚ã‚‹ã¨æŽ¨æ¸¬ã•ã‚Œã¦ã„ã¾ã™ã€‚ BlackTech ãŒåˆ©ç”¨ã™ã‚‹æ‰‹æ³•ãªã©ã®å¤‰åŒ–を追跡ã—ãŸã¨ã“ã‚ã€åˆ¥ã€…ã®ã‚µã‚¤ãƒãƒ¼è«œå ±æ´»å‹•ã ã¨æ€ã‚ã‚Œã¦ã„ãŸã€ã€ŒPLEAD(プリード)ã€ã€ã€ŒShrouded Crossbow(シュラウディッド・クãƒã‚¹ãƒœã‚¦ï¼‰ã€ã€ã€ŒWaterbear(ウォーターベア)ã€ã®é–“ã«ã€ã‚る共通点ãŒæµ®ã‹ã³ä¸ŠãŒã£ã¦ãã¾ã—ãŸã€‚ 本記事ã§ã¯ã€å„攻撃ã‚ャンペーンã®æ‰‹å£ã‚’比較ã—ã€åˆ©ç”¨ã•ã‚ŒãŸãƒ„ールを解æžã—ãŸçµæžœåˆ¤æ˜Žã—ãŸ3ã¤ã®æ”»æ’ƒã‚ャンペーンãŒåŒä¸€ã®æ”»æ’ƒé›†å›£ã«ã‚ˆã£ã¦å®Ÿè¡Œã•ã‚ŒãŸã“ã¨ã‚’示ã™å…±é€šç‚¹ã«ã¤ã„ã¦è§£èª¬ã—ã¾ã™ã€‚ â–
リリースã€éšœå®³æƒ…å ±ãªã©ã®ã‚µãƒ¼ãƒ“スã®ãŠçŸ¥ã‚‰ã›
最新ã®äººæ°—エントリーã®é…ä¿¡
j次ã®ãƒ–ックマーク
kå‰ã®ãƒ–ックマーク
lã‚ã¨ã§èªã‚€
eコメント一覧を開ã
oページを開ã
Roaming Mantis, part III
https://www.lac.co.jp/lacwatch/pdf/20180614_cecreport_vol3.pdf
JPCERT/CCã‚¤ãƒ³ã‚·ãƒ‡ãƒ³ãƒˆå ±å‘Šå¯¾å¿œãƒ¬ãƒãƒ¼ãƒˆï¼»2018å¹´4月1æ—¥ ~ 2018å¹´6月30日]
Ammyy Admin hit by malware again with World Cup used as camouflage
Malware Analysis – PlugX
Redirecting...
Research, News, and Perspectives
ProtectWiseâ„¢
[PDF] 北æœé®®é–¢é€£ã‚µã‚¤ãƒˆã‚’è¸ã¿å°ã¨ã—ãŸæ°´é£²ã¿å ´åž‹æ”»æ’ƒè§£æžãƒ¬ãƒãƒ¼ãƒˆ - NTTã‚»ã‚ãƒ¥ãƒªãƒ†ã‚£ãƒ»ã‚¸ãƒ£ãƒ‘ãƒ³æ ªå¼ä¼šç¤¾
{{#tags}}- {{label}}
{{/tags}}