[SANS ISC] Agent Tesla Dropped Through Automatic Click in Microsoft Help File

I published the following diary on isc.sans.edu: “Agent Tesla Dropped Through Automatic Click in Microsoft Help File‘”: Attackers have plenty of resources to infect our systems. If some files may look suspicious because the extension is less common (like .xsl files), others look really safe and make the victim confident

[SANS ISC] Powershell Dropping a REvil Ransomware

I published the following diary on isc.sans.edu: “Powershell Dropping a REvil Ransomware“: I spotted a piece of Powershell code that deserved some investigations because it makes use of RunSpaces. The file (SHA256:e1e19d637e6744fedb76a9008952e01ee6dabaecbc6ad2701dfac6aab149cecf) has a very low VT score: only 1/59!. The technique behind RunSpaces is helpful to create new threads on the existing Powershell

[SANS ISC] Malicious Word Document Delivering an Octopus Backdoor

I published the following diary on isc.sans.edu: “Malicious Word Document Delivering an Octopus Backdoor“: Here is an interesting malicious Word document that I spotted yesterday. This time, it does not contain a macro but two embedded objects that the victim must “activate” (click on one of them) to perform the malicious activities.

[SANS ISC] PowerShell Dropper Delivering Formbook

I published the following diary on isc.sans.edu: “PowerShell Dropper Delivering Formbook“: Here is an interesting PowerShell dropper that is nicely obfuscated and has anti-VM detection. I spotted this file yesterday, called ‘ad.jpg’ (SHA256:b243e807ed22359a3940ab16539ba59910714f051034a8a155cc2aff28a85088). Of course, it’s not a picture but a huge text file with Base64-encoded data. The VT score is therefore

1 2 3 4 18