Discover and read the best of Twitter Threads about #CoinMiner
Most recents (2)
1/ Customer receives an email from a network monitoring device that a host is supposedly infected with a #CoinMiner. The Task Manager on the said system shows the following screenshot 🤕.
A story of an unpatched system, incorrect scoping, and 🍀. 🧵
#CyberSecurity
A story of an unpatched system, incorrect scoping, and 🍀. 🧵
#CyberSecurity
2/ The affected (and remotely accessible) server have had Confluence installed.
One of my first questions I asked the customer was if the system was up to date (Spoiler: it wasn't).
Confluence 6.0.4 was installed at the time of the incident.
One of my first questions I asked the customer was if the system was up to date (Spoiler: it wasn't).
Confluence 6.0.4 was installed at the time of the incident.
3/ Confluence 6.0.4 was released in January 2017 🤯
Today we’re tracking an active #spam campaign that employs multiple components to distribute #Pliskal (aka #QuantLoader), a known downloader trojan. The email subject and attachment file name contains the date (27032018) and "Purchase", "Order", "Purchase Order", or "PO".
While emails in this campaign indicate an "attached PDF", the attachments are .zip archives containing a .url file. The .url files point to a remote location hosting an obfuscated .wsf file, which in turn downloads the payload from several URLs.
The multi-component approach is meant to evade detection. But we block the emails, related malicious URLs, components, and payload. The payload (SHA-256: 674b84d4d2da5141870576dfe1e05463ad5e5c1a050d1e68fd92426084942052) is detected by #WindowsDefenderAV as Trojan:Win32/Pliskal.B.
