035. Is It a Must for Adversaries to Masquerade Phishing Attachments Properly?

Hello everyone! In our recent research we looked at a Nova Stealer (a SnakeLogger fork) campaign targeting the CIS region. It is noteworthy that the threat actors don't care much about masquerading: they use neither double file extensions nor fake icons to make the malicious file look like a legitimate document.


From the detection perspective, it's quite straightforward:

  • Uses the PowerShell cmdlet Add-MpPreference to add Windows Defender exclusions, so the payload is never scanned
  • Uses schtasks.exe to create a scheduled task for persistence
  • Gets the victim's external IP and country details using checkip[.]dyndns[.]org or reallyfreegeoip[.]org
As always, those are just a few detection opportunities, there are more!
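As an added illustration of those three detection opportunities, here is example detection logic written for this page (it is not the post's own tooling and not anything from the campaign). The events are constructed Sysmon-style records, the rule names are assumed, and the only identifiers taken from the post are the cmdlet, the binary and the two lookup domains:

```python
import re

# Constructed sample telemetry for this example (not from the original post).
# Field names loosely follow Sysmon: EventID 1 = process creation,
# EventID 22 = DNS query.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell -nop -w hidden Add-MpPreference -ExclusionPath "C:\Users\Public\svchost.exe"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /Create /TN "Updates\svchost" /XML "C:\Users\Public\tmp1234.tmp"'},
    {"EventID": 22, "Image": r"C:\Users\Public\svchost.exe", "QueryName": "checkip.dyndns.org"},
    {"EventID": 22, "Image": r"C:\Users\Public\svchost.exe", "QueryName": "reallyfreegeoip.org"},
    # Benign look-alikes that must not fire:
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /Query /TN "Microsoft\Windows\Defrag\ScheduledDefrag"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell Get-MpPreference"},
    {"EventID": 22, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "QueryName": "mozilla.org"},
]

# PowerShell accepts any unambiguous parameter prefix, so "-ExclusionPath" may
# appear as "-exclusionp" and "-ExclusionExtension" as "-exclusione"; match the
# shared stem rather than the full parameter name.
DEFENDER_EXCLUSION = re.compile(r"add-mppreference\b.*-exclusion", re.IGNORECASE)
SCHTASKS_CREATE = re.compile(r"(^|\s)/create(\s|$)", re.IGNORECASE)
GEOIP_DOMAINS = ("checkip.dyndns.org", "reallyfreegeoip.org")


def check_defender_exclusion(event):
    """Process creation whose command line adds a Defender exclusion."""
    return event.get("EventID") == 1 and bool(
        DEFENDER_EXCLUSION.search(event.get("CommandLine", "")))


def check_schtasks_create(event):
    """schtasks.exe invoked with /Create (queries and deletes are ignored)."""
    image = event.get("Image", "").lower()
    return (event.get("EventID") == 1
            and image.endswith("\\schtasks.exe")
            and bool(SCHTASKS_CREATE.search(event.get("CommandLine", ""))))


def check_geoip_lookup(event):
    """DNS query for one of the external-IP/geolocation services (or a subdomain)."""
    name = event.get("QueryName", "").lower().rstrip(".")
    return event.get("EventID") == 22 and any(
        name == d or name.endswith("." + d) for d in GEOIP_DOMAINS)


RULES = {
    "defender_exclusion_added": check_defender_exclusion,
    "scheduled_task_created": check_schtasks_create,
    "external_ip_geo_lookup": check_geoip_lookup,
}


def run_rules(events):
    """Return (rule_name, image, detail) for every event that matches a rule."""
    hits = []
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                detail = ev.get("CommandLine") or ev.get("QueryName", "")
                hits.append((name, ev.get("Image", ""), detail))
    return hits


def fired_rules(events):
    """Set of rule names that fired at least once, a quick summary for triage."""
    return {name for name, _, _ in run_rules(events)}


if __name__ == "__main__":
    for name, image, detail in run_rules(SAMPLE_EVENTS):
        print(f"[{name}] {image}: {detail}")
```

Each rule on its own is noisy in a real environment (administrators create tasks and add exclusions too), so the useful signal is the combination: the same unsigned image appearing in all three, or the exclusion and the task pointing at a user-writable path such as C:\Users\Public, as in the constructed sample above.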

See you tomorrow!
