SANS ISC InfoSec Forums: Gmail hacked via MS Outlook / request.zip virus/malware

Hi. First post. Apologies if wrong thread.

This morning hundreds of emails were sent from my account with the following text -

"Good Morning,

Please see the attached document.

Password - 537DK" and a file attached called request.zip.

I immediately logged all devices out of Google. When I investigated, it appeared these were sent via Outlook (I have 2FA on Google).

I regret having given MS access to Google.

I installed Norton and McAfee and neither of them detected any virus or malware.

Any pointers?

I assume this is a well known issue.

Is there any reputable company that can help me find and remove any rogue files on my computer?

Many thanks,

Gavin
Anonymous

Gavin,

This is the TA551 (Shathak) campaign pushing IcedID (Bokbot) malware. I'm doing a diary on it as we speak that will be published at 00:01 UTC on Wednesday 2020-10-13.

The IOCs for the infection I generated may be different from the ones you'd see, unless they came from Tuesday 2020-10-13. The domains and IP addresses change for each day of malspam sent out from this campaign.

Regards,

Brad (ISC Handler)
Hi Brad,

Much thanks for the reply.

I read your update and it’s extremely thorough. I’m grateful for all the time and effort you put in here.

Two questions:
- How do I know if my laptop was infected? I don't see any new files in, e.g., C:\ProgramData, or any PNG files in AppData. (I just assume I was infected somehow, since emails were sent from my Gmail via Outlook not only to my contacts but also to other people cc'd on emails I have in Gmail.)
- How do I clean my laptop? Will Norton / McAfee add this to their list of known malware?

Best,

Gavin
Anonymous
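As an added example (this is not from Gavin's or Brad's posts and does not use the diary's IOCs, which change daily): a PowerShell triage script that collects the kind of evidence the second question asks about, so "I don't see any new files" becomes a listing rather than a guess. It assumes an elevated PowerShell 5.1 or newer session on the affected laptop; the 3-day look-back window and the report path are illustrative defaults, and the search locations are simply the ones named in the thread (C:\ProgramData and the AppData folders) plus the usual persistence points.

```powershell
# Added triage example for the thread above; not code from the ISC diary.
# Assumptions: elevated PowerShell 5.1+ on the suspect machine; $Days and
# $Report are illustrative defaults chosen for this example.
param(
    [int]$Days = 3,
    [string]$Report = "$env:USERPROFILE\Desktop\triage-report.txt"
)

$since = (Get-Date).AddDays(-$Days)
$roots = @("$env:ProgramData", "$env:APPDATA", "$env:LOCALAPPDATA", "$env:TEMP")
$out   = @()

# 1. Files created or written inside the look-back window under the locations
#    the poster checked by hand, plus TEMP. -Force includes hidden files.
foreach ($root in $roots) {
    $out += "== Files created/modified since $($since.ToString('s')) under $root =="
    Get-ChildItem -Path $root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -ge $since -or $_.LastWriteTime -ge $since } |
        Sort-Object CreationTime -Descending |
        ForEach-Object { $out += "{0}  {1,10}  {2}" -f $_.CreationTime.ToString('s'), $_.Length, $_.FullName }
}

# 2. Every .png under AppData, with size and path, so an odd one (large, or alone
#    in a folder that holds nothing else) stands out instead of being eyeballed.
$out += "== .png files under AppData =="
Get-ChildItem -Path $env:APPDATA, $env:LOCALAPPDATA -Recurse -Filter *.png -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object { $out += "{0}  {1,10}  {2}" -f $_.LastWriteTime.ToString('s'), $_.Length, $_.FullName }

# 3. Persistence: per-user and machine Run/RunOnce keys.
$out += "== Run / RunOnce keys =="
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($k in $runKeys) {
    $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    if ($props) {
        $props.PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS' } |      # drop PSPath/PSParentPath etc.
            ForEach-Object { $out += "$k : $($_.Name) = $($_.Value)" }
    }
}

# 4. Scheduled tasks whose executable lives outside Program Files / Windows.
#    Only exec actions carry Execute; COM-handler actions are skipped.
$out += "== Scheduled tasks running something outside Program Files / Windows =="
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        $exe = $a.Execute
        if ($exe -and $exe -notmatch '^"?(C:\\Program Files|C:\\Windows|%SystemRoot%|%windir%|%ProgramFiles%)') {
            $out += "{0}{1}  ->  {2} {3}" -f $task.TaskPath, $task.TaskName, $exe, $a.Arguments
        }
    }
}

# 5. Established outbound TCP connections mapped to their owning process,
#    for a second opinion independent of the AV products that found nothing.
$out += "== Established TCP connections by process =="
Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue | ForEach-Object {
    $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    $out += "{0,-25} {1}:{2}" -f $p.ProcessName, $_.RemoteAddress, $_.RemotePort
}

$out | Set-Content -Path $Report -Encoding UTF8
Write-Host "Wrote $($out.Count) lines to $Report"
```

Read the report for anything that is not explained by software you installed yourself: a recently created executable, DLL or oddly named file under ProgramData or AppData, a Run key or task pointing into a user-writable folder, or a process you do not recognise holding an outbound connection. This is a triage aid, not a cleanup tool; if it turns up anything you cannot account for, treat the machine as compromised and reinstall rather than trying to delete files one by one, and rotate the Google password and app-specific passwords again afterwards.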

Usually I never comment on blogs, but your article is so convincing that I could not stop myself from saying something about it. You're doing a great job, man. Keep it up.
Anonymous