“Efficiency is intelligent laziness”
-David Dunham
Scripting is a great way to spend ten times the amount of time to automate something as it would have taken to just do it in the first place. Sometimes it’s worth it because it saves you time in the long run, and sometimes …
Our neighbors in the Cofense Phishing Defense Center (PDC) recently wrote an article about an interesting phishing email and its associated malware, which can be found here: https://cofense.com/new-phishing-campaign-targets-u-s-taxpayers-dropping-amadey-botnet/
As part of their analysis, they shared an interesting VBscript and I couldn’t resist the urge to deobfuscate it. I was immediately …
The other day I decided to take a walkabout in our data and explore what the rest of the world sees. And it didn’t take long to find a poorly constructed Brazilian tax note phish spoofing their Ministry of Economy. The actor failed with his phish template and switches between …
The Emotet botnet updated their clients this morning around 6am EST.
We came across these hashes for the clients:
E1
4969b8145150d8c9d92abd66db2d17b1b54efcece75812ef77e7ef72d955bd19
E2
812e7a6ebdb40271ec0f878a559c29b459527f2e21ef6208e27d34c6808cd662
The following is a list of the C2 that were pulled from the binaries. Please use these to catch any infections that may be present within your …
We have been tracking the Emotet botnet for quite some time now and noticed that they began standing up their C2 (command and control) infrastructure again on Aug 21. Our systems caught the first servers coming alive for Epoch 2 of the botnets clients around 3pm EST. The first servers …
It is interesting how paths sometimes overlap and/or converge.
In this instance, we ended up with a reported smish (an SMS-based phish). While SMS Phishing is something that is covered within Cofense’s Security Awareness training modules, it is not something that we see reported that often.
What makes this specific …
Let’s follow this Phresh Catch and see where it takes us. We test the shortened link (the simplest of techniques to try and evade URL wrapping) and end up at a compromised GoDaddy hosted website – hxxp://teqzoft[.]com/websinfo/Confirm/websc_signin/.
Clean and basic, as long as you ignore the …
Hello everyone!
As you can imagine, we look at a lot of phishing emails on a daily basis. That also means that we look into and analyze a large number of malicious files every day as well.
We leverage the open source Cuckoo sandbox as one of our sources/methods of …
Hello Everyone!
Welcome to Cofense Labs! While our name may be new, our team definitely isn’t. Over the next few weeks we will be going through the piles of research and phishing emails we’ve accumulated, so that we can pull together some great insights, projects, and information and make it …