I published the following diary on isc.sans.edu: “Ukraine & Russia Situation From a Domain Names Perspective“: For a few days, the eyes of the world are on the situation between Russia and Ukraine. Today, operations are also organized in the “cyber” dimension (besides the classic ones – land, air, sea,
Europol & Interpol Phishing Ahead?
When you keep an eye on newly registered domains, they are some of them that attract your eyes immediately. Some domains related to Europol, the European Union’s law enforcement agency, and Interpol have been recently registered. Domain Registration Date Registrar europol-belgique.com 2022-02-15 Google euro-interpol.com 2022-02-08 WebNic europol-be.com 2022-02-15 Ligne Web
[SANS ISC] A Good Old Equation Editor Vulnerability Delivering Malware
I published the following diary on isc.sans.edu: “A Good Old Equation Editor Vulnerability Delivering Malware“: Here is another sample demonstrating how attackers still rely on good old vulnerabilities… In 2017, Microsoft Office suffered from a critical vulnerability that affected its Equation Editor tool, known as CVE-2017-11882. It’s a memory corruption
[SANS ISC] Remcos RAT Delivered Through Double Compressed Archive
I published the following diary on isc.sans.edu: “Remcos RAT Delivered Through Double Compressed Archive“: One of our readers shared an interesting sample received via email. Like him, if you get access to interesting/suspicious data, please share it with us (if you’re authorized of course). We are always looking for fresh
[SANS ISC] Who Are Those Bots?
I published the following diary on isc.sans.edu: “Who Are Those Bots?“: I’m operating a mail server for multiple domains. This server is regularly targeted by bots that launch brute-force attacks to try to steal credentials. They try a list of common usernames but they also try targeted ones based on
[SANS ISC] CinaRAT Delivered Through HTML ID Attributes
I published the following diary on isc.sans.edu: “CinaRAT Delivered Through HTML ID Attributes“: A few days ago, I wrote a diary about a malicious ISO file being dropped via a simple HTML file. I found another sample that again drops a malicious ISO file but this time, it is much
[SANS ISC] Obscure Wininet.dll Feature?
I published the following diary on isc.sans.edu: “Obscure Wininet.dll Feature?“: The Internet Storm Center relies on a group of Handlers who are volunteers and offer some free time to the community besides our daily job. Sometimes, we share information between us about an incident or a problem that we are facing and
[SANS ISC] RedLine Stealer Delivered Through FTP
I published the following diary on isc.sans.edu: “RedLine Stealer Delivered Through FTP“: Here is a piece of malicious Python script that injects a RedLine stealer into its own process. Process injection is a common attacker’s technique these days (for a long time already). The difference, in this case, is that
[SANS ISC] Custom Python RAT Builder
I published the following diary on isc.sans.edu: “Custom Python RAT Builder“: This week I already wrote a diary about “code reuse” in the malware landscape but attackers also have plenty of tools to generate new samples on the fly. When you received a malicious Word documents, it has not been
[SANS ISC] Malicious Python Script Targeting Chinese People
I published the following diary on isc.sans.edu: “Malicious Python Script Targeting Chinese People“: This week I found a lot of interesting scripts as this is my fourth diary in a row! I spotted a Python script that targets Chinese people. The script has a very low VT score (2/56) (SHA256:aaec7f4829445c89237694a654a731ee5a52fae9486b1d2bce5767d1ec30c7fb).