Credential access
A file named krb.txt, created by one of the injected processes, contained Kerberos hashes of multiple accounts. Since no dumping activity was observed in process telemetry, the dump was performed in memory; no new tools or executables were introduced to do it.
Impact
The final payload in this case is unknown. This is because we detected and responded midway through the infection chain.
Conclusion
Our monitoring of Gootkit loader activity using SEO poisoning reveals that the malicious actors behind it are actively running campaigns. Threats targeting specific job categories, industries and geographies are becoming increasingly aggressive. In addition to continuing to target the legal sector with the word “consensus”, the current operation also uses the words “hospital”, “health” and “medical” as well as cities in Australia.
Abuse of VLC Media Player by APT10 has been reported in the past, and some security teams may already be watching for it. DLL sideloading has become a classic APT technique, and it is no longer surprising for threat researchers to find it used in similar campaigns. However, the abuse of legitimate tools is now commoditized and has been observed in non-APT activity as well.
To mitigate the impact of cyberthreats, you need to know that these tactics and techniques are in active use. In this case, search engine results are polluted through SEO poisoning to get users to download malicious files, and legitimate tools are misused to carry out malicious behavior. Security teams should therefore always consider the possibility of DLL sideloading and malicious code injection, since the abuse of legitimate tools has become commonplace.
Technical solutions are updated as new attack vectors are discovered, so we encourage security teams to configure their security solutions properly and follow industry best practices. In addition, the work of the security team, human observation and human decisions may be required where there is a timing gap between new tactics and the technical solutions that address them.
Even if your organization’s security solutions are configured correctly, they may not be enough to prevent threats. Malicious actors can deploy new, more sophisticated malware variants using techniques that evade detection, so your organization’s Security Operations Center (SOC) team and threat analysts must be able to effectively discover malicious activity in the network and respond in a timely manner.
Security recommendations
Targeted industries:
As mentioned in this blog, the Gootkit loader is currently targeting the Australian healthcare industry in addition to the legal sector. Adversary tactics are not easy to avoid, but in this case informing users can help.
The risk to targeted legal departments and people in the Australian healthcare industry could be mitigated by notifying them that search results can be polluted and by training them using the screenshots in Figures 2 and 3. Along with this comes the need to properly configure security products and keep them up to date.
For security teams:
Attackers who exploit legitimate tools still have to prepare, load, and execute malicious code, and they use a variety of techniques to do so. The legitimate tools themselves are hard to flag as malicious; while traditional antivirus software can detect files containing malicious code, endpoint detection and response (EDR) or human-driven incident response is needed to find this kind of activity and mitigate its impact.
As we saw in this case, one such event is libvlc.dll being sideloaded by VLC Media Player. This type of DLL sideloading typically appears as a code-signed process loading an unknown, unsigned DLL. Observations made in this context also help security teams address threats.
Process injection into wabmig.exe is another notable technique in this operation. With process injection, the malicious code does not exist as a standalone file; it exists only in memory. wabmig.exe is the standard address book import tool that ships with Windows, but it is not intended for heavy use in modern enterprise environments. For this reason, wabmig.exe activity is in itself a first sign of abuse. Abuse of wabmig.exe in connection with Cobalt Strike was also reported in Microsoft’s Follina case.
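The two host-side signals just described (a signed process loading an unsigned or oddly located libvlc.dll, and any wabmig.exe start or remote thread) can be turned into simple hunting rules. This is an added example, not code from the original post or from Trend Micro; the Sysmon-style event dicts are constructed for it and are not telemetry from the incident.

```python
"""Hunting logic for the two host-side signals described above, run over
constructed Sysmon-style events (EventID 1, 7, 8 field names; not incident data)."""
import ntpath

USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\")  # not vendor install paths
SIDELOAD_WATCH = {"libvlc.dll"}  # DLL the post names as sideloaded by VLC

def _basename(path):
    return ntpath.basename(path).lower()

def sideload_alerts(events):
    """Event ID 7: watched DLL that is unsigned or loaded from a user-writable dir."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 7 or _basename(ev["ImageLoaded"]) not in SIDELOAD_WATCH:
            continue
        unsigned = ev.get("Signed", "false").lower() != "true"
        odd_path = any(m in ev["ImageLoaded"].lower() for m in USER_WRITABLE)
        if unsigned or odd_path:
            hits.append(("dll_sideload", ev["Image"], ev["ImageLoaded"]))
    return hits

def wabmig_alerts(events):
    """wabmig.exe is rarely used in enterprises: flag its start (ID 1) and any
    remote thread it creates (ID 8), the classic process-injection footprint."""
    hits = []
    for ev in events:
        if ev.get("EventID") == 1 and _basename(ev["Image"]) == "wabmig.exe":
            hits.append(("wabmig_start", ev.get("ParentImage", "?"), ev["Image"]))
        elif ev.get("EventID") == 8 and _basename(ev["SourceImage"]) == "wabmig.exe":
            hits.append(("wabmig_remote_thread", ev["SourceImage"], ev["TargetImage"]))
    return hits

# Constructed sample: a legitimate VLC load, a sideload from a temp directory,
# a wabmig.exe start and a remote thread out of it, and one benign process start.
EVENTS = [
    {"EventID": 7, "Image": r"C:\Program Files\VideoLAN\VLC\vlc.exe",
     "ImageLoaded": r"C:\Program Files\VideoLAN\VLC\libvlc.dll", "Signed": "true"},
    {"EventID": 7, "Image": r"C:\Users\alice\AppData\Local\Temp\vlc\vlc.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\vlc\libvlc.dll", "Signed": "false"},
    {"EventID": 1, "Image": r"C:\Program Files\Windows Mail\wabmig.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\vlc\vlc.exe"},
    {"EventID": 8, "SourceImage": r"C:\Program Files\Windows Mail\wabmig.exe",
     "TargetImage": r"C:\Windows\System32\svchost.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

def detect(events=EVENTS):
    return sideload_alerts(events) + wabmig_alerts(events)
```

In a real deployment the same conditions map onto image-load and remote-thread events in your EDR or SIEM; the path markers and watch list are the parts to tune per environment.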
For webmasters:
On the other hand, webmasters should keep in mind that running a vulnerable WordPress site can make it part of such a threat. It is therefore important to follow the latest security best practices when building your website. Do not get plugins and themes from untrusted sources, as explained in Hardening WordPress; limit yourself to the WordPress.org repositories or well-known companies. And of course, make sure your plugins are always updated.
To find out whether your website is affected by this threat, look at the number of pages being generated that contain words like “consent”. If your site has many pages with such content, it may indicate that your site has been compromised, and you need to act quickly to contain any damage the attack may have caused.
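One way for a webmaster to run the check above is to parse the site's sitemap and look for a burst of newly published pages whose slugs carry the bait words this post names. This is an added example, not code from the original post; the sitemap text is constructed, and lastmod is used as a proxy for when a page was generated.

```python
"""Webmaster check for the symptom described above: parse a WordPress sitemap
and count newly generated pages whose slug contains an SEO-bait word. The sitemap
text is constructed for this example; the bait words are those the post names."""
import xml.etree.ElementTree as ET
from collections import Counter

BAIT_WORDS = ("consent", "consensus", "hospital", "health", "medical")
NS = {"sm": "http://www.sitemaps.org/schemas/sitemap/0.9"}

# Constructed sitemap: a few normal pages plus a burst of bait pages on one day.
SITEMAP = """<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <url><loc>https://example.test/about-us/</loc><lastmod>2022-09-14</lastmod></url>
  <url><loc>https://example.test/contact/</loc><lastmod>2022-10-03</lastmod></url>
  <url><loc>https://example.test/health-privacy-policy/</loc><lastmod>2021-05-20</lastmod></url>
  <url><loc>https://example.test/consensus-agreement-template-melbourne/</loc><lastmod>2022-12-05</lastmod></url>
  <url><loc>https://example.test/hospital-consent-form-sydney/</loc><lastmod>2022-12-05</lastmod></url>
  <url><loc>https://example.test/medical-consent-letter-perth/</loc><lastmod>2022-12-05</lastmod></url>
  <url><loc>https://example.test/health-consent-policy-brisbane/</loc><lastmod>2022-12-05</lastmod></url>
</urlset>"""

def bait_pages(sitemap_xml):
    """(lastmod day, URL) for every page whose slug contains a bait word."""
    root = ET.fromstring(sitemap_xml)
    hits = []
    for url in root.findall("sm:url", NS):
        loc = url.findtext("sm:loc", "", NS).strip()
        day = url.findtext("sm:lastmod", "", NS).strip()[:10]
        slug = loc.rstrip("/").rsplit("/", 1)[-1].lower()
        if any(word in slug for word in BAIT_WORDS):
            hits.append((day, loc))
    return hits

def suspicious_days(sitemap_xml, threshold=3):
    """Days with at least `threshold` bait pages: a single legitimate page such as
    a privacy policy stays below it, a batch of generated pages does not."""
    per_day = Counter(day for day, _ in bait_pages(sitemap_xml))
    return {day: n for day, n in per_day.items() if n >= threshold}
```

For a live site, fetch the sitemap (or each sub-sitemap listed in the sitemap index) and pass its text to suspicious_days; any day that comes back is a set of pages the site owner should be able to account for.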
Trend Micro Solution
To keep this threat and others at bay, we recommend a security solution that comprehensively protects your enterprise.
Trend Micro Vision One™ gives security teams a complete picture of ongoing campaign attempts by providing an interrelated view of multiple layers, including email, endpoints, servers and cloud workloads. Security teams gain a broader view to better understand attack attempts and can detect suspicious behavior that appears harmless from the perspective of a single layer.
Trend Micro™ Managed XDR monitors and analyzes activity data from deployed Trend Micro XDR and protection solutions 24/7. It correlates emails, endpoints, servers, cloud workloads, and network sources to better detect complex targeted attacks and gain insight into their sources and distribution.