Indicators of compromise (IoCs) identified
Compromise reports identified (groupings of IoCs)
HIGHLIGHT OF THE MONTH
This month’s spotlight is on Emotet.
With 131,496 IoCs, Emotet was the most analyzed malware on the LastInfoSec platform in February. First identified in 2014, it is a malicious “loader” that is mainly offered as “Malware as a Service” and used upstream of other malware (TrickBot, Qakbot, ...) or offensive tools such as Cobalt Strike. In January 2021, a law enforcement action coordinated by Europol led to the disruption of Emotet, the takedown of its infrastructure and the arrest of some of its members.
The latest Emotet attacks follow this pattern: a ZIP archive containing one or more XLS files (or an XLS file attached directly) carries a macro that downloads a DLL, either directly from VBA or through PowerShell. Emotet then communicates over HTTPS with its command-and-control server, using a self-signed certificate and elliptic curve cryptography.
Since its comeback last November, Emotet has been very present through spam campaigns. These e-mails use Excel 4.0 macros (disabled by default for Microsoft 365 users), exploiting in particular the “Very Hidden” sheet state, which makes tabs completely invisible to the user, together with the “auto open” option of the macros, which executes the malware as soon as the file is opened.
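As an added example (not code from the Gatewatcher report), the scanner below walks the BIFF8 records of an XLS Workbook stream and flags the two traits described above: very hidden Excel 4.0 macro sheets and a built-in Auto_Open defined name. It assumes the Workbook stream has already been extracted from the OLE container (for example with olefile) and uses record layouts from Microsoft's MS-XLS specification; the sample stream is constructed, not a real malware file.

```python
import struct
# BIFF8 record ids and field codes taken from MS-XLS (layouts assumed; check against the spec).
BOF, EOF, BOUNDSHEET, LBL, AUTO_OPEN = 0x0809, 0x000A, 0x0085, 0x0018, 0x01  # AUTO_OPEN: built-in name code
SHEET_TYPE = {0x00: "worksheet", 0x01: "xlm-macro", 0x02: "chart", 0x06: "vba-module"}
VISIBILITY = {0: "visible", 1: "hidden", 2: "very-hidden"}

def iter_records(stream):
    """Walk a Workbook stream as (record id, payload): 2-byte id, 2-byte length, body."""
    pos = 0
    while pos + 4 <= len(stream):
        rid, size = struct.unpack_from("<HH", stream, pos)
        yield rid, stream[pos + 4:pos + 4 + size]
        pos += 4 + size

def short_string(data, off):
    """ShortXLUnicodeString: 1-byte length, 1-byte flags (bit 0 = UTF-16LE), then characters."""
    cch, wide = data[off], data[off + 1] & 1
    raw = data[off + 2:off + 2 + cch * (2 if wide else 1)]
    return raw.decode("utf-16-le" if wide else "latin-1")

def scan_workbook(stream):
    """Findings matching the pattern: XLM macro sheets, very-hidden sheets, Auto_Open names."""
    findings = []
    for rid, body in iter_records(stream):
        if rid == BOUNDSHEET:            # lbPlyPos(4) hsState(1) dt(1) stName
            state, stype = body[4] & 0x03, body[5]
            if stype == 0x01 or state == 2:
                findings.append(("sheet", short_string(body, 6),
                                 VISIBILITY.get(state, "?"), SHEET_TYPE.get(stype, "?")))
        elif rid == LBL:                 # flags(2) chKey(1) cch(1) cce(2) rsvd(2) itab(2) rsvd(4) Name
            flags, cch, itab = body[0] | body[1] << 8, body[3], body[8] | body[9] << 8
            if flags & 0x20 and cch == 1 and body[15] == AUTO_OPEN:   # 0x20 = fBuiltin
                findings.append(("name", "Auto_Open", "builtin", f"sheet {itab}"))
    return findings

def is_suspicious(stream):
    """True when a non-visible XLM macro sheet and an Auto_Open name are both present."""
    f = scan_workbook(stream)
    hidden_macro = any(k == "sheet" and v != "visible" and t == "xlm-macro" for k, _, v, t in f)
    return hidden_macro and any(k == "name" for k, *_ in f)
# Constructed sample stream (not a real Emotet file) that matches the pattern described above.
def rec(rid, payload):
    return struct.pack("<HH", rid, len(payload)) + payload
def boundsheet(name, state, stype):
    return rec(BOUNDSHEET, struct.pack("<IBBBB", 0, state, stype, len(name), 0) + name.encode("latin-1"))
def builtin_name(code, itab):
    return rec(LBL, struct.pack("<HBBHHHBBBB", 0x20, 0, 1, 0, 0, itab, 0, 0, 0, 0) + bytes([0, code]))
SAMPLE_STREAM = (rec(BOF, bytes(16)) + boundsheet("Sheet1", 0, 0x00)
                 + boundsheet("Macro1", 2, 0x01) + builtin_name(AUTO_OPEN, 2) + rec(EOF, b""))
```

A hidden (not very hidden) ordinary worksheet on its own is not flagged, so the check keys on the combination of a macro sheet that the user cannot see and an automatic entry point.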
DEFINITION OF THE MONTH
A CVE (Common Vulnerabilities and Exposures) entry refers to a security vulnerability (for example CVE-2021-44228) that is present in an official, public vulnerability list.
Each vulnerability is listed under a common, standardized CVE identifier (made up of the year and the sequence number of the entry within that year). The purpose of this reference system is to help share data between different vulnerability databases and security tools, and to simplify the tracking and remediation of product vulnerabilities for information systems security professionals.
This reference list is funded by the Cybersecurity and Infrastructure Security Agency (CISA) and overseen by the MITRE organization since September 1999.
ABOUT THE CYBER THREATS BAROMETER
Malware, zero-day vulnerabilities, advanced persistent threats, industries and sectors particularly targeted, weak signals of emerging attacks... It's no secret that knowledge of one's adversary is a key factor for the security of an enterprise. The Cyber Threats Barometer gives you a monthly overview of the cyber threats detected in the previous month by Gatewatcher CTI, our Cyber Threat Intelligence platform.
Gatewatcher CTI’s automated collection, analysis and correlation engines are continuously fed by more than three thousand data sources from multiple channels: social networks, specialized sites, dark and deep web. They make threat information available an average of 24 hours in advance of the competition and help operational response teams make better decisions by dramatically reducing their analysis and incident treatment times.