An email caught my eye this morning. Not because of a unique social engineering theme or a new delivery technique, but because of the sheer number of attachments, a shotgun approach to malware delivery. There were 3 RTF files with spoofed .doc and docx.doc extensions, an ARJ archive containing an …
With the explosion of novelty domains and free DNS services, well trained staff are more critical than ever.
Recently, I stumbled on an odd Agent Tesla sample that downloaded a paste from pastebin.com. This is not a normal TTP for most actors who license Agent Tesla for use in their malicious campaigns. And to make things more interesting, the paste was the hexadecimal representation of the binary and …
Our neighbors in the Cofense Phishing Defense Center (PDC) recently wrote an article about an interesting phishing email and its associated malware, which can be found here: https://cofense.com/new-phishing-campaign-targets-u-s-taxpayers-dropping-amadey-botnet/
As part of their analysis, they shared an interesting VBscript and I couldn’t resist the urge to deobfuscate it. I was immediately …
The other day I decided to take a walkabout in our data and explore what the rest of the world sees. And it didn’t take long to find a poorly constructed Brazilian tax note phish spoofing their Ministry of Economy. The actor failed with his phish template and switches between …
Looks legitimate to me… wait a second is that just an IMAGE!
<html<head<title</title</head<body<h2<a href="https://rebrand.ly/41DE62"<img alt src="cid:3vfxjru.jpg" style="width: 706px; height: 637px;" /</a</h2</body</htmlLet’s follow this Phresh Catch and see where it takes us. We test the shortened link (the simplest of techniques to try and evade URL wrapping) and end up at a compromised GoDaddy hosted website – hxxp://teqzoft[.]com/websinfo/Confirm/websc_signin/.
Clean and basic, as long as you ignore the …