Bojan Zdrnja Diaries

Back to Handlers

• Malspam pushing Trickbot malware on Friday 2018-05-11
• Recent Emotet activity
• Malspam with password-protected Word docs pushes Hermes ransomware
• DHL-themed malspam reveals embedded malware in animated gif
• Heartbreaking Emails: "Love You" Malspam
• Malspam with password-protected Word docs pushing Dridex
• Fake browser update pages are "still a thing"
• June 2021 Forensic Contest: Answers and Analysis
• June 2021 Forensic Contest
• May 2021 Forensic Contest: Answers and Analysis
• May 2021 Forensic Contest
• April 2021 Forensic Quiz: Answers and Analysis
• April 2021 Forensic Quiz
• Qakbot infection with Cobalt Strike and VNC activity
• Windows MetaStealer Malware
• Loader activity for Formbook "QM18"
• GuLoader- or DBatLoader/ModiLoader-style infection for Remcos RAT
• Qakbot (Qbot) activity, obama271 distribution tag
• Formbook from Possible ModiLoader (DBatLoader)
• Malspam pushes ModiLoader (DBatLoader) infection for Remcos RAT
• DocuSign-themed email leads to script-based infection
• Recent IcedID (Bokbot) activity
• Hancitor campaign abusing Microsoft's OneDrive
• BB17 distribution Qakbot (Qbot) activity
• URL files and WebDAV used for IcedID (Bokbot) infection
• Malicious Google Ad --> Fake Notepad++ Page --> Aurora Stealer malware
• More Brazil malspam pushing Astaroth (Guildma) in January 2023
• Google ad traffic leads to stealer packages based on free software
• Google ads lead to fake software pages pushing IcedID (Bokbot)
• obama224 distribution Qakbot tries .vhd (virtual hard disk) images
• Who put the "Dark" in DarkVNC?
• sczriptzzbn inject pushes malware for NetSupport RAT
• Monster Libra (TA551/Shathak) --> IcedID (Bokbot) --> Cobalt Strike & DarkVNC
• Brazil malspam pushes Astaroth (Guildma) malware
• Monster Libra (TA551/Shathak) pushes IcedID (Bokbot) with Dark VNC and Cobalt Strike
• IcedID (Bokbot) with Dark VNC and Cobalt Strike
• Emotet infection with Cobalt Strike
• Case Study: Cobalt Strike Server Lives on After Its Domain Is Suspended
• Malspam pushes Matanbuchus malware, leads to Cobalt Strike
• TA570 Qakbot (Qbot) tries CVE-2022-30190 (Follina) exploit (ms-msdt)
• Bumblebee Malware from TransferXL URLs
• TA578 using thread-hijacked emails to push ISO files for Bumblebee malware
• Password-protected Excel spreadsheet pushes Remcos RAT
• "aa" distribution Qakbot (Qbot) infection with DarkVNC traffic
• Arkei Variants: From Vidar to Mars Stealer
• Astaroth (Guildma) infection
• Example of Cobalt Strike from Emotet infection
• Emotet Stops Using 0.0.0.0 in Spambot Traffic
• 0.0.0.0 in Emotet Spambot Traffic
• Agent Tesla Updates SMTP Data Exfiltration Technique
• December 2021 Forensic Contest: Answers and Analysis
• How the "Contact Forms" campaign tricks people
• December 2021 Forensic Challenge
• TA551 (Shathak) pushes IcedID (Bokbot)
• Emotet Returns
• October 2021 Forensic Contest: Answers and Analysis
• October 2021 Contest: Forensic Challenge
• "Stolen Images Evidence" campaign pushes Sliver-based malware
• "Stolen Images Evidence" Campaign Continues Pushing BazarLoader Malware
• STRRAT: a Java-based RAT that doesn't care if you have Java
• Example of Danabot distributed through malspam
• TA551 (Shathak) continues pushing BazarLoader, infections lead to Cobalt Strike
• Hancitor tries XLL as initial malware file
• Analysis from March 2021 Traffic Analysis Quiz
• March 2021 Traffic Analysis Quiz
• Qakbot infection with Cobalt Strike
• Malspam pushes GuLoader for Remcos RAT
• Malspam pushing Trickbot gtag rob13
• Phishing message to the ISC handlers email distro
• Excel spreadsheets push SystemBC malware
• TA551 (Shathak) Word docs push Qakbot (Qbot)
• Qakbot activity resumes after holiday break
• Throwback Friday: An Example of Rig Exploit Kit
• Hancitor activity resumes after a hoilday break
• Emotet infections and follow-up malware
• End of Year Traffic Analysis Quiz
• Recent Qakbot (Qbot) activity
• Traffic Analysis Quiz: Mr Natural
• Traffic Analysis Quiz: DESKTOP-FX23IK5
• Emotet -> Qakbot -> more Emotet
• Traffic Analysis Quiz: Ugly-Wolf.net
• More TA551 (Shathak) Word docs push IcedID (Bokbot)
• Traffic Analysis Quiz: Oh No... Another Infection!
• Recent Dridex activity
• TA551 (Shathak) Word docs push IcedID (Bokbot)
• Traffic Analysis Quiz: What's the Malware From This Infection?
• Word docs with macros for IcedID (Bokbot)
• Excel spreasheet macro kicks off Formbook infection
• Job application-themed malspam pushes ZLoader
• Polish malspam pushes ZLoader malware
• Microsoft Word document with malicious macro pushes IcedID (Bokbot)
• Malspam with links to zip archives pushes Dridex malware
• German malspam pushes ZLoader malware
• Qakbot malspam sent from an infected Windows host
• Recent Dridex activity
• Trickbot gtag red5 distributed as a DLL file
• Hancitor distributed through coronavirus-themed malspam
• Malpsam pushes Ursnif through Italian language Word docs
• Emotet epoch 1 infection with Trickbot gtag mor84
• German language malspam pushes Ursnif
• Malspam with links to Word docs pushes IcedID (Bokbot)
• Emotet infection with spambot activity
• German language malspam pushes yet another wave of Trickbot
• Ursnif infection with Dridex
• Finding an Agent Tesla malware sample
• Hancitor infection with Pony, Evil Pony, Ursnif, and Cobalt Strike
• An example of malspam pushing Lokibot malware, November 2019
• More malspam pushing Formbook
• What data does Vidar malware steal from an infected host?
• A recent example of Emotet malspam
• Malspam pushing Quasar RAT
• Emotet malspam is back
• Malspam using password-protected Word docs to push Remcos RAT
• Recent example of MedusaHTTP malware
• Recent AZORult activity
• Rig Exploit Kit sends Pitou.B Trojan
• An infection from Rig exploit kit
• Email roulette, May 2019
• Blue + Red: An Infosec Purple Pyramid
• Malspam pushes Emotet with Qakbot as the follow-up malware
• Malspam with password-protected word docs still pushing IcedID (Bokbot) with Trickbot
• More Russian language malspam pushing Shade (Troldesh) ransomware
• Fake Updates campaign still active in 2019
• Hancitor malspam and infection traffic from Tuesday 2019-02-05
• Malspam with Word docs uses macro to run Powershell script and steal system data
• Malspam links to password-protected Word docs that push IcedID (Bokbot)
• Campaign evolution: Hancitor changes its Word macros
• Malspam pushing Lokibot malware
• Russian language malspam pushing Shade (Troldesh) ransomware
• Emotet infection with IcedID banking Trojan
• Day in the life of a researcher: Finding a wave of Trickbot malspam
• More malspam using password-protected Word docs
• Campaign evolution: Hancitor malspam starts pushing Ursnif this week
• One Emotet infection leads to three follow-up malware infections
• Sextortion Spam and the Infinite Monkey Theorem
• More malspam pushing password-protected Word docs for AZORult and Hermes Ransomware
• More malspam pushing Lokibot
• Malspam pushing coin miner and other malware
• Cryptocurrency-themed phishing emails
• Phishing emails for fake MyEtherWallet login page
• Malspam pushing ransomware using two layers of password protection to avoid detection
• Glitch in malspam campaign temporarily reduces spread of GandCrab
• Malspam pushing Sigma ransomware
• Ransomware news: GlobeImposter gets a facelift, GandCrab is still out there
• Malspam pushing Formbook info stealer
• GandCrab Ransomware: Now Coming From Malspam
• 3 examples of malspam pushing Loki-Bot malware
• RTF files for Hancitor utilize exploit for CVE-2017-11882
• Reviewing the spam filters: Malspam pushing Gozi-ISFB
• Fake anti-virus pages popping up like weeds
• Pornographic malspam pushes coin miner malware
• More Malspam pushing Emotet malware
• One month later, Magniber ransomware is still out there
• Resume-themed malspam pushing Smoke Loader
• Necurs Botnet malspam pushes Locky using DDE attack
• HSBC-themed malspam uses ISO attachments to push Loki Bot malware
• Hancitor malspam uses DDE attack
• Malspam pushing Formbook info stealer
• Malspam pushing Word documents with Hancitor malware
• Emails threatening DDoS allegedly from Phantom Squad
• Email attachment using CVE-2017-8759 exploit targets Argentina
• Malspam pushing Locky ransomware tries HoeflerText notifications for Chrome and FireFox
• Malspam pushing Trickbot banking Trojan
• How are people fooled by this? Email to sign a contract provides malware instead.
• Malspam pushing Emotet malware
• NemucodAES and the malspam that distributes it
• Catching up with Blank Slate: a malspam campaign still going strong
• Petya? I hardly know ya! - an ISC update on the 2017-06-27 ransomware outbreak
• Checking out the new Petya variant
• Wide-scale Petya variant ransomware attack noted
• A Tale of Two Phishies
• Jaff ransomware gets a makeover
• Seamless Campaign using Rig Exploit Kit to send Ramnit Trojan
• Malspam on 2017-04-11 pushes yet another ransomware variant
• April 2017 Microsoft Patch Tuesday
• Dridex malspam seen on Monday 2017-04-10
• "Blank Slate" malspam still pushing Cerber ransomware
• Malspam with password-protected Word documents
• Brazilian malspam sends Autoit-based malware
• Hancitor/Pony malspam
• CryptoShield Ransomware from Rig EK
• Ticketbleed vulnerability affects some f5 appliances
• Sage 2.0 Ransomware
• Upatre/Dyre - the daily grind of botnet-based malspam
• Traffic pattern change noted in Fiesta exploit kit
• Dalexis/CTB-Locker malspam campaign
• Actor using Fiesta exploit kit
• Hancitor/Pony/Vawtrak malspam
• Merry X-Mas ransomware from Sunday 2017-01-08
• One, if by email, and two, if by EK: The Cerbers are coming!
• Domaincop malpsam
• 2016-11-18 example of KaiXin EK activity
• Malspam distributing Troldesh ransomware
• Exploit kit roundup: Less Angler, more Nuclear
• Malspam delivers NanoCore RAT
• pseudoDarkleech Rig EK
• Rig Exploit Kit from the Afraidgate Campaign
• Those never-ending waves of Locky malspam
• 1 compromised site - 2 campaigns
• Follow-up to: Stop calling it a ransomware "attack"
• Stop calling it a ransomware "attack"
• CryptXXX ransomware updated
• Change in patterns for the pseudoDarkleech campaign
• APT and why I don't like the term
• Searching for malspam
• Neutrino EK and CryptXXX
• EITest campaign still going strong
• ImageTragick: Another Vulnerability, Another Nickname
• Neutrino exploit kit sends Cerber ransomware
• Angler Exploit Kit, Bedep, and CryptXXX
• The importance of ongoing dialog
• Recent example of KaiXin exploit kit
• Angler exploit kit generated by "admedia" gates
• A trip through the spam filters: more malspam with zip attachments containing .js files
• Dridex malspam example from January 2016
• OpenSSH 7.1p2 released with security fix for CVE-2016-0777
• CryptoWall sent by Angler and Neutrino exploit kits or through malicious spam
• A recent example of wire transfer fraud
• Actor using Rig EK to deliver Qbot - update
• Actor using Rig EK to deliver Qbot
• ScreenOS vulnerability affects Juniper firewalls
• TeslaCrypt ransomware sent using malicious spam
• Everything old is new again - Blackhole exploit kit since November 2015
• New variant of CryptoWall - Is it right to call it 4.0?
• Malicious spam - Subject: RE: Bill
• BizCN gate actor sends CryptoWall 4.0
• Actors using exploit kits - How they change tactics
• Malicious spam with links to CryptoWall 3.0 - Subject: Domain [name] Suspension Notice
• Botnets spreading Dridex still active
• Compromised Magento sites led to Neutrino exploit kit
• Malicious spam with Word document
• BizCN gate actor update
• Recent trends in Nuclear Exploit Kit activity
• Mistakenly-deployed test patch leads to suspicious Windows update
• Malicious spam with zip attachments containing .js files
• A look through the spam filters - examining waves of Upatre malspam
• Actor that tried Neutrino exploit kit now back to Angler
• What's the situation this week for Neutrino and Angler EK?
• A recent decline in traffic associated with Operation Windigo
• Actor using Angler exploit kit switched to Neutrino
• Adwind: another payload for botnet-based malspam
• Nuclear EK traffic patterns in August 2015
• Malicious spam continues to serve zip archives of javascript files
• Bartalex malspam pushing Pony/Dyre
• After Flash, what will exploit kits focus on next?
• BizCN gate actor changes from Fiesta to Nuclear exploit kit
• Another example of Angler exploit kit pushing CryptoWall 3.0
• Botnet-based malicious spam seen this week
• Updates to OpenSSL fix vulnerabilities related to Logjam
• Increase in CryptoWall 3.0 from malicious spam and Angler exploit kit
• Exploit kit roundup - early June 2015
• Myfax malspam wave with links to malware and Neutrino exploit kit
• Angler exploit kit pushing CryptoWall 3.0
• Exploit kits delivering Necurs
• Logjam - vulnerabilities in Diffie-Hellman key exchange affect browsers and servers using TLS
• Upatre/Dyre malspam - Subject: eFax message from "unknown"
• Recent Dridex activity
• Angler exploit kit pushes new variant of ransomware
• SOC Analyst Pyramid
• Exploit kits (still) pushing Teslacrypt ransomware
• An example of the malicious emails sometimes sent to the ISC handler addresses
• Angler Exploit Kit - Recent Traffic Patterns
• Rig Exploit Kit Changes Traffic Patterns
• Threatglass has pcap files with exploit kit activity
• What Happened to You, Asprox Botnet?
• An Example of Evolving Obfuscation