035. Is It a Must for Adversaries to Masquerade Phishing Attachments Properly?
Hello everyone! In our recent research we looked at a Nova Stealer (it's a SnakeLogger fork) campaign targeting the CIS. It is noteworthy that the threat actors don't care much about masquerading: they do not use double file extensions or fake icons to make the malicious file appear as a legitimate document.
From the detection perspective, it's quite straightforward:
- Uses Add-MpPreference to bypass Windows Defender
- Uses schtasks.exe for creating a scheduled task
- Gets IP and country details using checkip[.]dyndns[.]org or reallyfreegeoip[.]org
As always, those are just a few detection opportunities, there are more!
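To show how the three opportunities above turn into detection logic, here is an added example (not code from the original post or from the research it describes) that runs simple rules over constructed Sysmon-style process-creation and DNS-query events. The event field names, the sample command lines and the hypothetical paths are assumptions made for the demonstration; the cmdlet, binary and domains are the ones named in the post.

```python
"""Toy detection pass over constructed Sysmon-style events for the three
behaviours listed above (added example, not the post's own code)."""
import re
from dataclasses import dataclass

# Constructed sample telemetry (not real campaign data). event_id 1 mimics a
# process-creation record, event_id 22 a DNS-query record. Paths are hypothetical.
SAMPLE_EVENTS = [
    {"event_id": 1,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": 'powershell.exe Add-MpPreference -ExclusionPath "C:\\Users\\victim\\AppData\\Roaming"'},
    {"event_id": 1,
     "image": r"C:\Windows\System32\schtasks.exe",
     "command_line": 'schtasks.exe /Create /TN "Updates\\svchost" /XML "C:\\Users\\victim\\AppData\\Local\\Temp\\tmp1234.tmp"'},
    {"event_id": 22,
     "image": r"C:\Users\victim\AppData\Roaming\svchost.exe",
     "query_name": "checkip.dyndns.org"},
    {"event_id": 22,
     "image": r"C:\Users\victim\AppData\Roaming\svchost.exe",
     "query_name": "reallyfreegeoip.org"},
    # Benign noise, should not fire.
    {"event_id": 1,
     "image": r"C:\Windows\System32\notepad.exe",
     "command_line": "notepad.exe C:\\Users\\victim\\notes.txt"},
    {"event_id": 22,
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "query_name": "www.example.com"},
]

# Rule 1: a Defender exclusion added through the Add-MpPreference cmdlet.
DEFENDER_EXCLUSION = re.compile(
    r"Add-MpPreference\b.*-Exclusion(Path|Process|Extension|IpAddress)", re.IGNORECASE)
# Rule 2: scheduled-task creation through schtasks.exe /Create.
SCHTASKS_CREATE = re.compile(r"schtasks(\.exe)?\b.*/create\b", re.IGNORECASE)
# Rule 3: the IP / country lookup services named in the post.
GEOIP_DOMAINS = ("checkip.dyndns.org", "reallyfreegeoip.org")


@dataclass(frozen=True)
class Alert:
    rule: str
    image: str
    detail: str


def _matches_geoip(query_name: str) -> bool:
    """Exact or sub-domain match against the lookup domains."""
    name = query_name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in GEOIP_DOMAINS)


def detect(events):
    """Return one Alert per event that matches a rule, in input order."""
    alerts = []
    for ev in events:
        if ev["event_id"] == 1:
            cmd = ev.get("command_line", "")
            if DEFENDER_EXCLUSION.search(cmd):
                alerts.append(Alert("defender_exclusion_added", ev["image"], cmd))
            elif SCHTASKS_CREATE.search(cmd):
                alerts.append(Alert("scheduled_task_created", ev["image"], cmd))
        elif ev["event_id"] == 22:
            query = ev.get("query_name", "")
            if _matches_geoip(query):
                alerts.append(Alert("geoip_lookup", ev["image"], query))
    return alerts


def behaviours_seen(alerts):
    """Distinct rule names that fired; seeing all three on one host raises confidence."""
    return {a.rule for a in alerts}


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(f"[{a.rule}] {a.image} :: {a.detail}")
    print("all three behaviours observed:",
          behaviours_seen(found) == {"defender_exclusion_added",
                                     "scheduled_task_created", "geoip_lookup"})
```

Each rule on its own is noisy in a real environment (administrators add exclusions and create tasks), which is why the last function groups the distinct behaviours: the combination of an exclusion, a persistence task and a geolocation lookup from a user-writable path is far more specific than any single hit.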
See you tomorrow!