[SANS ISC] Remcos RAT Delivered Through Double Compressed Archive

I published the following diary on isc.sans.edu: “Remcos RAT Delivered Through Double Compressed Archive”: One of our readers shared an interesting sample received via email. Like him, if you get access to interesting/suspicious data, please share it with us (if you’re authorized of course). We are always looking for fresh

The post [SANS ISC] Remcos RAT Delivered Through Double Compressed Archive appeared first on /dev/random.

[SANS ISC] Who Are Those Bots?

I published the following diary on isc.sans.edu: “Who Are Those Bots?”: I’m operating a mail server for multiple domains. This server is regularly targeted by bots that launch brute-force attacks to try to steal credentials. They try a list of common usernames but they also try targeted ones based on

[SANS ISC] CinaRAT Delivered Through HTML ID Attributes

I published the following diary on isc.sans.edu: “CinaRAT Delivered Through HTML ID Attributes”: A few days ago, I wrote a diary about a malicious ISO file being dropped via a simple HTML file. I found another sample that again drops a malicious ISO file but this time, it is much

[SANS ISC] Obscure Wininet.dll Feature?

I published the following diary on isc.sans.edu: “Obscure Wininet.dll Feature?”: The Internet Storm Center relies on a group of Handlers who are volunteers and offer some free time to the community besides our daily job. Sometimes, we share information between us about an incident or a problem that we are facing and

[SANS ISC] RedLine Stealer Delivered Through FTP

I published the following diary on isc.sans.edu: “RedLine Stealer Delivered Through FTP”: Here is a piece of malicious Python script that injects a RedLine stealer into its own process. Process injection is a common attacker’s technique these days (for a long time already). The difference, in this case, is that

[SANS ISC] Custom Python RAT Builder

I published the following diary on isc.sans.edu: “Custom Python RAT Builder”: This week I already wrote a diary about “code reuse” in the malware landscape but attackers also have plenty of tools to generate new samples on the fly. When you receive a malicious Word document, it has not been

[SANS ISC] Malicious Python Script Targeting Chinese People

I published the following diary on isc.sans.edu: “Malicious Python Script Targeting Chinese People”: This week I found a lot of interesting scripts as this is my fourth diary in a row! I spotted a Python script that targets Chinese people. The script has a very low VT score (2/56) (SHA256: aaec7f4829445c89237694a654a731ee5a52fae9486b1d2bce5767d1ec30c7fb).

[SANS ISC] Code Reuse In the Malware Landscape

I published the following diary on isc.sans.edu: “Code Reuse In the Malware Landscape”: Code reuse is classic behavior for many developers and this looks legit: why reinvent the wheel if you can find some pieces of code that do what you are trying to achieve? If you publish a nice

[SANS ISC] A Simple Batch File That Blocks People

I published the following diary on isc.sans.edu: “A Simple Batch File That Blocks People”: I found another script that performs malicious actions. It’s a simple batch file (.bat) that is not obfuscated but it has a very low VT score (1/53). The file hash is cc8ae359b629bc40ec6151ddffae21ec8cbfbcf7ca7bda9b3d9687ca05b1d584. The file is detected by