Category: Phishing

Malspam Delivers Pony and Loki-Bot

Originally posted at malwarebreakdown.com

Sender: user1@enteronly.com.tw
Subject: RE: Payment IN-2716 – MPA-PI17045 – USD
Attachment(s): Payment_001.doc and Payment_002.doc

Both Payment_001.doc and Payment_002.doc are malicious RTF documents triggering detections for CVE-2017-11882.

Payment_001.doc:

Traffic:
User-Agent: Windows Installer
User Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)

Pony Panel: Image found at hxxp://paclficinsight[.]com/new1/pony/china.jpg

IOCs
Network:
94.102.1.194 – hxxps://agahguner.com GET /44.msi
94.102.60.3 ...

Malspam Contains Password Protected Document That Downloads Sigma Ransomware

I received some malspam on 03/13/18 entitled “About a internship.” The email came with an attachment called “Janeen Resume.doc”. The email pretends to come from somebody interested in a job opening who has attached their “résumé.” In reality, this document is being used as a downloader for Sigma ransomware. ...

Phishing For Passwords via FormBuddy.com

Most InfoSec professionals have heard of “layer 8” as the unofficial layer of the OSI Model. For those of you who don’t know, Layer 8 refers to people: no matter how good your security posture is, there is always that very predictably unpredictable and unpatchable vulnerability known as the user. It is often easier to ...

Phishing Sites at Myjino.ru

Here is what I found in our customers' traffic:

myjino[.]ru/
mc.yandex[.]ru/
wildblue-net-upd.myjino[.]ru/35c6cfba69650ab1fc8ff49f3bcb4532/db.php
login.wildblue[.]net/
http://www.jino[.]ru/
account.jino[.]ru/
mc.yandex[.]ru/
mc.yandex[.]ru/
jino[.]ru/help/

Staring at traffic in a SIEM for hours each day, you get really good at identifying patterns of traffic that look suspicious. Obviously not ALL traffic to Russian domains is an IOC. However, when you see an ...