Last week Brad mentioned malware being delivered via word documents in SPAM (https://isc.sans.edu/forums/diary/Malicious+spam+Subject+RE+Bill/20417/). Seems like this morning there was another run. Subjects vary and the messages vary slightly; the end result is however nasty. All have word attachments.

Subjects Seen: "Transaction", "LM Transaction", "ENA Invoice"

Content:
Good morning
Regards
Hello
Kindest regards
Greetings
Best regards

These are of course not a definitive list of subjects, but the pattern is fairly clear. It may be an opportunity for some user education, especially those in your organisation whose job it is to click on attachments.

Cheers

Mark H
Mark 391 Posts ISC Handler Dec 6th 2015
Hi Mark,
Any chance of sharing the attachment?
Anonymous |
Dec 7th 2015
"It may be an opportunity for some user education, especially those in your organisation whose job it is to click on attachments."
OUCH! The administrators of an organisation have the controls to restrict users from running the payload (be it the VBA macros or any dropper/downloader spawned with their help) of these MS-Word documents.
Anonymous |
Dec 7th 2015
We're seeing an interesting campaign this morning as well, where $yourdomain is the domain of the recipients. Interestingly the majority of recipients seem to be IT folks, so this is somewhat targeted somehow.
Subject: Re: $yourdomain sucks

The language of your support department is unacceptable. Please check the reply I received to my support ticket.

Attachment: support_ticket.doc

The attachment is the usual malicious Word document social engineering folks to enable content. Haven't had time to analyze yet but we've seen attempted POSTs to the following:

hxxp://botepetan.ru/gate.php
hxxp://betrewhattit.ru/gate.php
hxxp://hagurowrob.ru/gate.php
Anonymous |
Dec 7th 2015
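One way to sweep a web proxy log for the check-in pattern reported in the comment above (POSTs to a /gate.php path), as an added example that is not part of this thread: the log format, client IPs and every log line are constructed for the demo; the three .ru hosts are the ones named in the comment. Unknown hosts with the same path are reported for review rather than ignored.

```python
import re
from urllib.parse import urlsplit

# Constructed sample proxy log (not real traffic): timestamp, client IP, method, URL, status.
# The thread defangs URLs as hxxp; a real proxy log records the plain scheme.
SAMPLE_LOG = """\
2015-12-07T09:12:33Z 10.1.2.31 GET http://www.example.com/index.html 200
2015-12-07T09:14:05Z 10.1.2.31 POST http://botepetan.ru/gate.php 200
2015-12-07T09:14:07Z 10.1.2.31 POST http://betrewhattit.ru/gate.php 404
2015-12-07T09:15:40Z 10.1.2.77 GET http://hagurowrob.ru/gate.php 200
2015-12-07T09:16:02Z 10.1.2.58 POST http://intranet.example.com/api/gate.php?x=1 200
this line is garbage and should be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)

# Check-in hosts reported in the comment above.
KNOWN_C2_HOSTS = {"botepetan.ru", "betrewhattit.ru", "hagurowrob.ru"}


def parse_line(line):
    """Parse one constructed-format log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["url"])
    rec["host"] = parts.hostname or ""   # hostname is lower-cased, port stripped
    rec["path"] = parts.path             # query string is excluded from the path
    return rec


def find_gate_checkins(log_text, known_hosts=KNOWN_C2_HOSTS):
    """Return (src_ip, host, reason) for every POST whose path ends in /gate.php.

    The HTTP status is deliberately ignored: a failed POST is still an attempted check-in.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if not rec["path"].endswith("/gate.php"):
            continue
        reason = "known campaign host" if rec["host"] in known_hosts else "unrecognised host, review"
        hits.append((rec["src"], rec["host"], reason))
    return hits
```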
hit me up on the handlers email if you are interested in these
836ff385edd291b1e81332c7c3946508
c441b5d17fe75d4aa77f2c01b73eab08
4ad7f9f93adfe7973b5088c57a45e46b
Mark 391 Posts ISC Handler |
Dec 8th 2015