038. Adversaries Abuse PowerShell to Steal Email Addresses

Hello everyone! Today we'll look at another example of PowerShell abuse. The SonicWall Capture Labs threat research team reported on a curious Outlook email address stealer written in PowerShell. 

The stealer is downloaded to the compromised system by an HTA file delivered via phishing. As usual, the installation phase is quite noisy. For example, mshta.exe communicates with amazonaws[.]com, PowerShell is executed with -ExecutionPolicy Bypass, and the script itself contains interesting strings, such as InvokeCommand.ExpandString('$env:APPDATA\Microsoft\.Outlook'). Each of these shows up in different telemetry: the outbound connection in network or Sysmon Event ID 3 logs, the Bypass flag in process creation events, and the string in PowerShell Script Block Logging (Event ID 4104). So, lots of detection opportunities!

Also, it looks like this is just the first stage, which makes it the best place to detect the intrusion if you failed to prevent it!
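To make the detection opportunities above concrete, here is a small rule set run over constructed, Sysmon-style events. This is an added example, not code from the post or from SonicWall's report; the field names (event_id, image, parent_image, command_line, dest_hostname, script_block) and the sample events are assumptions chosen to resemble Sysmon Event ID 1 and 3 records and a PowerShell 4104 script block, and the amazonaws[.]com destination is treated as an indicator from the report rather than as something inherently malicious.

```python
import re

# Constructed sample telemetry (Sysmon-style dicts, not real logs from the report).
# Event ID 1 = process creation, 3 = network connection, 4104 = PowerShell script block.
SAMPLE_EVENTS = [
    # User opens the phished HTA; mshta.exe starts. Context only, no rule fires here.
    {"event_id": 1, "image": r"C:\Windows\System32\mshta.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"mshta.exe C:\Users\victim\Downloads\invoice.hta"},
    # mshta.exe reaching out to fetch the PowerShell stage.
    {"event_id": 3, "image": r"C:\Windows\System32\mshta.exe",
     "dest_hostname": "s3.us-east-1.amazonaws.com", "dest_port": 443},
    # mshta.exe spawning PowerShell with the policy bypass.
    {"event_id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\mshta.exe",
     "command_line": r"powershell.exe -ExecutionPolicy Bypass -w hidden -File C:\Users\victim\AppData\Local\Temp\x.ps1"},
    # Script block logging captures the string quoted in the post.
    {"event_id": 4104,
     "script_block": r"$p = $ExecutionContext.InvokeCommand.ExpandString('$env:APPDATA\Microsoft\.Outlook')"},
    # Benign noise: an admin script run under the default policy; nothing should fire.
    {"event_id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"powershell.exe -File C:\Scripts\backup.ps1"},
]

# powershell.exe accepts abbreviated parameters (-ep, -ex, -exec, -ExecutionPolicy),
# so match any -e[xp]... token followed by "bypass" rather than the full spelling.
EXECPOLICY_BYPASS = re.compile(r"-e[xp]\S*\s+bypass", re.I)

# The ExpandString call with the Outlook path from the post; backslashes are escaped for the regex.
OUTLOOK_PATH_EXPAND = re.compile(r"InvokeCommand\.ExpandString\(.*\\Microsoft\\\.Outlook", re.I)

POWERSHELL_IMAGES = ("powershell.exe", "pwsh.exe")


def _basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def rule_mshta_network(ev):
    """mshta.exe making any network connection is rare on most hosts."""
    return ev.get("event_id") == 3 and _basename(ev.get("image", "")) == "mshta.exe"


def rule_mshta_to_amazonaws(ev):
    """Narrower, indicator-style variant: mshta.exe talking to amazonaws.com (from the report)."""
    host = ev.get("dest_hostname", "").lower()
    return rule_mshta_network(ev) and (host == "amazonaws.com" or host.endswith(".amazonaws.com"))


def rule_mshta_spawns_powershell(ev):
    """Process lineage: PowerShell with mshta.exe as its parent."""
    return (ev.get("event_id") == 1
            and _basename(ev.get("parent_image", "")) == "mshta.exe"
            and _basename(ev.get("image", "")) in POWERSHELL_IMAGES)


def rule_powershell_ep_bypass(ev):
    """PowerShell launched with -ExecutionPolicy Bypass (or an abbreviation of it)."""
    return (ev.get("event_id") == 1
            and _basename(ev.get("image", "")) in POWERSHELL_IMAGES
            and EXECPOLICY_BYPASS.search(ev.get("command_line", "")) is not None)


def rule_outlook_path_expand(ev):
    """Script block containing the ExpandString('$env:APPDATA\\Microsoft\\.Outlook') string."""
    return ev.get("event_id") == 4104 and OUTLOOK_PATH_EXPAND.search(ev.get("script_block", "")) is not None


RULES = {
    "mshta_network_connection": rule_mshta_network,
    "mshta_to_amazonaws": rule_mshta_to_amazonaws,
    "mshta_spawns_powershell": rule_mshta_spawns_powershell,
    "powershell_executionpolicy_bypass": rule_powershell_ep_bypass,
    "scriptblock_outlook_path_expand": rule_outlook_path_expand,
}


def evaluate(events):
    """Return (event_index, rule_name) pairs for every rule that fires on every event."""
    return [(i, name) for i, ev in enumerate(events) for name, rule in RULES.items() if rule(ev)]


def triggered_rules(events):
    """Sorted set of distinct rule names that fired over the whole event stream."""
    return sorted({name for _, name in evaluate(events)})


if __name__ == "__main__":
    for idx, name in evaluate(SAMPLE_EVENTS):
        print(f"event[{idx}] matched {name}")
```

The generic rules (mshta.exe with any network connection, mshta.exe spawning PowerShell) will keep working when the attacker moves off amazonaws[.]com, while the indicator-style rule and the script-block string are cheap to add but trivially changed by the adversary. Expect the -ExecutionPolicy Bypass rule to be noisy in environments where admins ship scripts that way; scoping it by parent process, as the lineage rule does, is the usual tuning.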

See you tomorrow!
