Hi. First post. Apologies if wrong thread. This morning hundreds of emails were sent from my account with the following text - "Good Morning, Please see the attached document. Password - 537DK" and a file attached called request.xip. I immediately logged all devices out of Google. When I investigated it appears these were sent via Outlook (I have 2FA on Google). I regret having given MS access to Google. I installed Norton and McAfee and neither of them detected any virus or malware. Any pointers? I assume this is a well known issue. Is there any reputable company that can help me find and remove any rogue files on my computer? Many thanks, Gavin
Anonymous
Oct 13th 2020
Gavin, This is the TA551 (Shathak) campaign pushing IcedID (Bokbot) malware. I'm doing a diary on it as we speak that will be published at 00:01 UTC on Wednesday 2020-10-13. The IOCs for the infection I generated may be different than the ones you'd see, unless they came from Tuesday 2020-10-13. The domains and IP addresses change for each day of malspam sent out from this campaign. Regards, Brad
Brad (ISC Handler)
Oct 13th 2020
Hi Brad, Many thanks for the reply. I read your update and it's extremely thorough. I'm grateful for all the time and effort you put in here. Two questions: - How do I know if my laptop was infected? I don't see any new files in e.g. C:\ProgramData, or any png files in AppData. (I just assume I was infected somehow, since emails were sent from my Gmail via Outlook not only to my contacts but also to other people cc'd on emails I have in Gmail.) - How do I clean my laptop? Will Norton / McAfee add this to their list of known malware? Best, Gavin
Anonymous
Oct 14th 2020
Usually I never comment on blogs, but your article is so convincing that I couldn't stop myself from saying something about it. You're doing a great job, man. Keep it up.
Anonymous
Oct 23rd 2020