{"id":420441,"date":"2022-10-19T09:31:32","date_gmt":"2022-10-19T11:31:32","guid":{"rendered":"https:\/\/teknomers.com\/fr\/les-experts-mettent-en-garde-contre-le-deguisement-furtif-de-la-porte-derobee-powershell-en-tant-que-mise-a-jour-windows\/"},"modified":"2022-10-19T09:31:33","modified_gmt":"2022-10-19T11:31:33","slug":"les-experts-mettent-en-garde-contre-le-deguisement-furtif-de-la-porte-derobee-powershell-en-tant-que-mise-a-jour-windows","status":"publish","type":"post","link":"https:\/\/teknomers.com\/fr\/les-experts-mettent-en-garde-contre-le-deguisement-furtif-de-la-porte-derobee-powershell-en-tant-que-mise-a-jour-windows\/","title":{"rendered":"Les experts mettent en garde contre le d\u00e9guisement furtif de la porte d\u00e9rob\u00e9e PowerShell en tant que mise \u00e0 jour Windows"},"content":{"rendered":"<p> <br \/>\n<\/p>\n<div id=\"articlebody\">\n<div class=\"separator\" style=\"clear: both\"><\/div>\n<p>Des d\u00e9tails sont apparus sur une porte d\u00e9rob\u00e9e PowerShell pr\u00e9c\u00e9demment non document\u00e9e et totalement ind\u00e9tectable (FUD) qui gagne en discr\u00e9tion en se d\u00e9guisant dans le cadre d&#8217;un processus de mise \u00e0 jour Windows.<\/p>\n<p>&#8220;L&#8217;outil secret auto-d\u00e9velopp\u00e9 et les commandes C2 associ\u00e9es semblent \u00eatre l&#8217;\u0153uvre d&#8217;un acteur de menace sophistiqu\u00e9 et inconnu qui a cibl\u00e9 environ 100 victimes&#8221;, a d\u00e9clar\u00e9 Tomer Bar, directeur de la recherche sur la s\u00e9curit\u00e9 chez SafeBreach, <a rel=\"nofollow noopener\" href=\"https:\/\/www.safebreach.com\/resources\/blog\/safebreach-labs-researchers-uncover-new-fully-undetectable-powershell-backdoor\/\" target=\"_blank\">a dit<\/a> dans un nouveau rapport.<\/p>\n<p>Attribu\u00e9 \u00e0 un <a rel=\"nofollow noopener\" href=\"https:\/\/securelist.com\/top-10-unattributed-apt-mysteries\/107676\/\" target=\"_blank\">acteur de menace anonyme<\/a>les cha\u00eenes d&#8217;attaque impliquant le logiciel malveillant commencent par un <a rel=\"nofollow noopener\" href=\"https:\/\/www.virustotal.com\/gui\/file\/45f293b1b5a4aaec48ac943696302bac9c893867f1fc282e85ed8341dd2f0f50\" target=\"_blank\">Document Microsoft Word<\/a> qui, selon la soci\u00e9t\u00e9, a \u00e9t\u00e9 t\u00e9l\u00e9charg\u00e9 depuis la Jordanie le 25 ao\u00fbt 2022.<\/p>\n<div class=\"ad_two clear\"><a rel=\"nofollow noopener\" href=\"https:\/\/go.thn.li\/strike-d\" target=\"_blank\" title=\"DevOps backupy\"><img decoding=\"async\" alt=\"La cyber-s\u00e9curit\u00e9\" class=\"lazyload\" loading=\"lazy\" src=\"https:\/\/teknomers.com\/fr\/wp-content\/uploads\/2022\/08\/La-nouvelle-vulnerabilite-Amazon-Ring-aurait-pu-exposer-tous-vos.png\" width=\"300\" height=\"250\" \/><\/a><\/div>\n<p>Les m\u00e9tadonn\u00e9es associ\u00e9es au document leurre indiquent que le vecteur d&#8217;intrusion initial est une attaque de harponnage bas\u00e9e sur LinkedIn, qui conduit finalement \u00e0 l&#8217;ex\u00e9cution d&#8217;un script PowerShell via un morceau de code macro int\u00e9gr\u00e9.<\/p>\n<div class=\"separator\" style=\"clear: both\"><img decoding=\"async\" alt=\"Porte d\u00e9rob\u00e9e PowerShell\" border=\"0\" data-original-height=\"538\" data-original-width=\"728\" src=\"https:\/\/teknomers.com\/fr\/wp-content\/uploads\/2022\/10\/1666179091_369_Les-experts-mettent-en-garde-contre-le-deguisement-furtif-de.jpg\" title=\"Porte d\u00e9rob\u00e9e PowerShell\" \/><\/div>\n<p>Le script PowerShell (<a rel=\"nofollow noopener\" href=\"https:\/\/www.virustotal.com\/gui\/file\/bda4484bb6325dfccaa464c2007a8f20130f0cf359a7f79e14feeab3faa62332\" target=\"_blank\">Script1.ps1<\/a>) est con\u00e7u pour se connecter \u00e0 un serveur de commande et de contr\u00f4le (C2) distant et r\u00e9cup\u00e9rer une commande \u00e0 lancer sur la machine compromise au moyen d&#8217;un second script PowerShell (<a rel=\"nofollow noopener\" href=\"https:\/\/www.virustotal.com\/gui\/file\/16007ea6ae7ce797451baec2132e30564a29ee0bf8a8f05828ad2289b3690f55\" target=\"_blank\">temp.ps1<\/a>).<\/p>\n<p>Mais une erreur de s\u00e9curit\u00e9 op\u00e9rationnelle commise par l&#8217;acteur en utilisant un identifiant incr\u00e9mental trivial pour identifier de mani\u00e8re unique chaque victime (c&#8217;est-\u00e0-dire 0, 1, 2, etc.) a permis de reconstituer les commandes \u00e9mises par le serveur C2.<\/p>\n<div class=\"ad_two clear\"><a rel=\"nofollow noopener\" href=\"https:\/\/go.thn.li\/crowd-mid-d\" target=\"_blank\" title=\"CyberSecurity\"><img decoding=\"async\" alt=\"La cyber-s\u00e9curit\u00e9\" class=\"lazyload\" loading=\"lazy\" src=\"https:\/\/teknomers.com\/fr\/wp-content\/uploads\/2022\/08\/Google-Cloud-bloque-une-attaque-DDoS-record-de-46-millions.png\" width=\"728\" height=\"90\" \/><\/a><\/div>\n<p>Certaines des commandes notables \u00e9mises consistent \u00e0 exfiltrer la liste des processus en cours d&#8217;ex\u00e9cution, \u00e0 \u00e9num\u00e9rer les fichiers dans des dossiers sp\u00e9cifiques, \u00e0 lancer whoami et \u00e0 supprimer des fichiers sous les dossiers publics des utilisateurs.<\/p>\n<p>Au moment de la r\u00e9daction, 32 fournisseurs de s\u00e9curit\u00e9 et 18 moteurs anti-malware signalent respectivement le document leurre et les scripts PowerShell comme malveillants.<\/p>\n<p>Les r\u00e9sultats surviennent alors que Microsoft a pris des mesures pour bloquer les macros Excel 4.0 (XLM ou XL4) et Visual Basic pour Applications (VBA) par d\u00e9faut dans les applications Office, incitant les acteurs de la menace \u00e0 se tourner vers des m\u00e9thodes de livraison alternatives.<\/p>\n<p><\/p>\n<\/div>\n<p><br \/>\n<br \/><a href=\"https:\/\/thehackernews.com\/2022\/10\/experts-warn-of-stealthy-powershell.html\" rel=\"nofollow noopener\" target=\"_blank\">ttn-fr-57<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Des d\u00e9tails sont apparus sur une porte d\u00e9rob\u00e9e PowerShell pr\u00e9c\u00e9demment non document\u00e9e et totalement ind\u00e9tectable (FUD) qui gagne en discr\u00e9tion en se d\u00e9guisant dans le cadre d&#8217;un processus de mise \u00e0 jour Windows. &#8220;L&#8217;outil secret auto-d\u00e9velopp\u00e9 et les commandes C2 associ\u00e9es semblent \u00eatre l&#8217;\u0153uvre d&#8217;un acteur de menace sophistiqu\u00e9 et inconnu qui a cibl\u00e9 environ [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":420442,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[4168,841,4158,4165,4161,86573,7084,692,76165,525,3995,4157,4159,4171,4170,65,4167,3915,2811,4160,4163,4162,2742,117776,4172,4169,1453,4166,4164,45020],"class_list":["post-420441","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technologie","tag-comment-pirater","tag-contre","tag-cyber-actualites","tag-cyber-attaques","tag-cyber-mises-a-jour","tag-deguisement","tag-derobee","tag-experts","tag-furtif","tag-garde","tag-jour","tag-lactualite-de-la-cybersecurite","tag-lactualite-de-la-cybersecurite-aujourdhui","tag-lactualite-des-hackers","tag-la-securite-des-informations","tag-les","tag-logiciel-malveillant-de-ransomware","tag-mettent","tag-mise","tag-mises-a-jour-de-la-cybersecurite","tag-nouvelles-de-piratage","tag-nouvelles-de-pirates","tag-porte","tag-powershell","tag-securite-informatique","tag-securite-internet","tag-tant","tag-violation-de-donnees","tag-vulnerabilite-logicielle","tag-windows"],"_links":{"self":[{"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/posts\/420441","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/comments?post=420441"}],"version-history":[{"count":0,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/posts\/420441\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/media\/420442"}],"wp:attachment":[{"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/media?parent=420441"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/categories?post=420441"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/tags?post=420441"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}