038. Adversaries Abuse PowerShell to Steal Email Addresses
Hello everyone! Today we'll look at another example of PowerShell abuse. The SonicWall Capture Labs threat research team reported on a curious Outlook email address stealer written in PowerShell.
The stealer is downloaded to the compromised system via an HTA file delivered by phishing. The installation phase is quite noisy, as always: mshta.exe communicates with amazonaws[.]com, PowerShell is executed with -ExecutionPolicy Bypass, and the script itself contains interesting strings, for example InvokeCommand.ExpandString('$env:APPDATA\Microsoft\.Outlook'). So, lots of detection opportunities!
Also, it looks like this is just the first stage, and that's the best place to detect it if you failed to prevent it!
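As an added example (not code from the post or from the SonicWall write-up), here is a small Python triage script that turns the detection opportunities above into rules and runs them over constructed Sysmon-style process, network and PowerShell script block events; the event field names, file paths and sample values are assumptions, not artifacts of the reported sample.

```python
import re

# Constructed sample records, shaped like Sysmon Event ID 1 (process creation),
# Event ID 3 (network connection) and PowerShell Event ID 4104 (script block
# logging). Values are illustrative, not copied from the reported sample.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
MSHTA = r"C:\Windows\System32\mshta.exe"
SAMPLE_EVENTS = [
    {"kind": "network", "image": MSHTA, "dest": "s3.amazonaws.com"},
    {"kind": "process", "parent": MSHTA, "image": PS,
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -w hidden -File C:\Users\u\AppData\Local\Temp\stage1.ps1"},
    {"kind": "process", "parent": r"C:\Windows\explorer.exe", "image": PS,
     "cmdline": "powershell.exe -NoProfile -Command Get-Date"},
    {"kind": "scriptblock",
     "text": r"$d = $ExecutionContext.InvokeCommand.ExpandString('$env:APPDATA\Microsoft\.Outlook')"},
    {"kind": "scriptblock", "text": r"Get-ChildItem $env:TEMP"},
]

# -ExecutionPolicy may be abbreviated (-ep, -ex, -exec), so match any prefix.
BYPASS_RE = re.compile(r"(?:-ep|-ex\w*)\s+bypass", re.IGNORECASE)
# The string the post calls out: ExpandString() resolving the Outlook profile path.
OUTLOOK_RE = re.compile(re.escape("InvokeCommand.ExpandString(") + ".*"
                        + re.escape(r"\Microsoft\.Outlook"))

def _is(image, name):
    return image.lower().endswith("\\" + name)

def detect(events):
    """Return (rule_name, event_index) pairs for every event that trips a rule."""
    hits = []
    for i, ev in enumerate(events):
        kind = ev["kind"]
        if kind == "network" and _is(ev["image"], "mshta.exe"):
            # mshta.exe rarely needs the network; any outbound connection is worth a look.
            hits.append(("mshta_network_connection", i))
        elif kind == "process" and _is(ev["image"], "powershell.exe"):
            if _is(ev["parent"], "mshta.exe"):
                hits.append(("mshta_spawns_powershell", i))
            if BYPASS_RE.search(ev["cmdline"]):
                hits.append(("powershell_executionpolicy_bypass", i))
        elif kind == "scriptblock" and OUTLOOK_RE.search(ev["text"]):
            hits.append(("outlook_path_expandstring", i))
    return hits

if __name__ == "__main__":
    for rule, idx in detect(SAMPLE_EVENTS):
        print(f"{rule}: event {idx}")
```

The same three rules map directly onto a Sigma or SIEM query; the mshta.exe network rule will need tuning in environments where HTA applications legitimately reach the internet.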
See you tomorrow!