A new threat actor known as AtlasCross has been observed leveraging Red Cross-themed phishing lures to deliver two previously undocumented backdoors named DangerAds and AtlasAgent.
NSFOCUS Security Labs described the adversary as having a "high technical level and cautious attack attitude," adding that "the phishing attack activity captured this time is part of the attacker's targeted strike on specific targets and is its main means to achieve in-domain penetration."
The attack chains start with a macro-laced Microsoft Office document that purports to be about a blood donation drive from the American Red Cross. When the document is opened, the malicious macro sets up persistence and exfiltrates system metadata to a remote server (data.vectorse[.]com), a sub-domain of a legitimate website belonging to a structural and engineering firm based in the U.S.
It also extracts a file named KB4495667.pkg (codenamed DangerAds), which subsequently acts as a loader to launch shellcode that leads to the deployment of AtlasAgent, a C++ malware capable of gathering system information, executing shellcode, and running commands to obtain a reverse shell as well as inject code into a thread in a specified process.
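The indicators named in the chain above (the exfiltration sub-domain and the dropped DangerAds file name) are the kind of thing a SOC would want to sweep logs for. The following is an added example, not code from NSFOCUS or from the original article: it re-fangs the defanged domain and scans a handful of constructed DNS, proxy and Sysmon-style log lines for either indicator. The log format, host names and timestamps are made up for the example; only the two indicators come from the report. Note that it matches the full sub-domain rather than the parent site, since the article describes the parent domain itself as legitimate.

```python
import re
from dataclasses import dataclass
from typing import List

# Indicators as reported above (defanged form as printed in the article).
C2_DOMAIN_DEFANGED = "data.vectorse[.]com"
DROPPED_FILE = "KB4495667.pkg"  # DangerAds loader


def refang(ioc: str) -> str:
    """Turn a defanged indicator (data.vectorse[.]com, hxxp://...) back into matchable form."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


@dataclass
class Hit:
    line_no: int     # 1-based index into the scanned log lines
    indicator: str   # which indicator matched
    line: str        # the offending log line


def scan_logs(lines: List[str]) -> List[Hit]:
    """Flag log lines that mention the C2 sub-domain or the dropped loader file.

    The domain pattern is anchored so that the legitimate parent site
    (vectorse.com) and unrelated hosts such as xdata.vectorse.com do not match.
    """
    domain = refang(C2_DOMAIN_DEFANGED)
    domain_re = re.compile(r"(?<![\w.-])" + re.escape(domain) + r"(?![\w-])", re.IGNORECASE)
    file_re = re.compile(re.escape(DROPPED_FILE), re.IGNORECASE)

    hits: List[Hit] = []
    for line_no, line in enumerate(lines, start=1):
        if domain_re.search(line):
            hits.append(Hit(line_no, domain, line))
        if file_re.search(line):
            hits.append(Hit(line_no, DROPPED_FILE, line))
    return hits


# Constructed sample telemetry (not real logs): one DNS lookup, one proxy POST,
# one Sysmon file-creation event for the dropped file, and one benign lookup of
# the legitimate parent site that must NOT be flagged.
SAMPLE_LOGS = [
    "2023-09-27T10:14:03Z dns client=10.0.0.23 query=data.vectorse.com type=A",
    "2023-09-27T10:14:05Z proxy src=10.0.0.23 method=POST url=http://data.vectorse.com/ status=200",
    "2023-09-27T10:14:09Z sysmon EventID=11 Image=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE "
    "TargetFilename=C:\\Users\\alice\\AppData\\Local\\Temp\\KB4495667.pkg",
    "2023-09-27T10:20:00Z dns client=10.0.0.24 query=www.vectorse.com type=A",
]


if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS):
        print(f"line {hit.line_no}: matched {hit.indicator}: {hit.line}")
```

Running it prints three hits (lines 1 and 2 for the sub-domain, line 3 for the dropped file) and stays silent on the benign lookup of the parent site.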
Both AtlasAgent and DangerAds incorporate evasive features to make them less likely to be discovered by security tools.
AtlasCross is suspected to have breached public network hosts by exploiting known security vulnerabilities and turning them into command-and-control (C2) servers. NSFOCUS said it identified 12 different compromised servers in the U.S.
The true identity of AtlasCross and its backers currently remains a puzzle.
"At this current stage, AtlasCross has a relatively limited scope of activity, primarily focusing on targeted attacks against specific hosts within a network domain," the company said. "However, the attack processes they employ are highly robust and mature."
Originally published on the WeChat public account 知机安全: "AtlasCross: a threat actor of advanced technical level"