2018-10-24 Agent Telsa Malspam

This is a quick write-up of some Agent Telsa malspam that I was able to find within our email filters. For a good overview of what this malware is and how it works, please see the following links: http://krebsonsecurity.com/2018/10/who-is-agent-tesla/ http://www.fortinet.com/blog/threat-research/analysis-of-new-agent-tesla-spyware-variant.html For the artifacts found from this investigation, please see my…
2018-10-12 Using Visual Studio to debug VBScript
2018-09-18 Emotet maldocs labeled as “Invoices”
Looking through the email filters in on the 18th of September, I managed to find a small batch of emotet emails from the same sender. The emails themselves tried to spoof email addresses, but Outlook ended up displaying both emails (the spoof and the true sender). Looking through the small…
2018-07-07 Remcos Malspam

A quick write-up on this Remcos malspam. Some other previous entries that I have done aboutr Remcos can be found below: http://www.herbiez.com/?p=1106 http://www.herbiez.com/?p=1073 All the emails seem to come from the sender info@yusheng-wiremesh.com with the subject of “Returned Funds fort Invoice DFER4567 July Despatch.” The malspam also comes with an…
2018-06-20 Formbook Malspam

For this post, I was able to find some Formbook malspam within the email filters. Formbook malware is considered to be a data theft/form grabber with some other add-ons under it’s tool belt. Based on the following deep dives into Formbook from FireEye (http://www.fireeye.com/blog/threat-research/2017/10/formbook-malware-distribution-campaigns.html) and ThisIsSecurity (http://thisissecurity.stormshield.com/2018/03/29/in-depth-formbook-malware-analysis-obfuscation-and-process-injection/), this malware sample…
2018-06-08 LokiBot Malspam
2018-05-29 More Emotet Malspam
2018-04-21 “TOP URGENT//: REQUEST FOR QUOTAION” Malspam Leads To CVE-2017-11882/Possible Remcos Infection

Yesterday while looking for some malspam, I came across some emails that used the CVE-2017-11882 exploit which leveraged an AutoIT script to launch the Remcos keylogger process which used some anti-sandbox techniques as well. For some more information about the CVE, please see the following links: http://researchcenter.paloaltonetworks.com/2017/12/unit42-analysis-of-cve-2017-11882-exploit-in-the-wild/ http://reversingminds-blog.logdown.com/posts/3907313-fileless-attack-in-word-without-macros-cve-2017-11882 2018-02-17 REMCOS…