Discover and read the best of Twitter Threads about #WindowsDefenderAV
Most recents (2)
Today we’re tracking an active #spam campaign that employs multiple components to distribute #Pliskal (aka #QuantLoader), a known downloader trojan. The email subject and attachment file name contains the date (27032018) and "Purchase", "Order", "Purchase Order", or "PO". 
While emails in this campaign indicate an "attached PDF", the attachments are .zip archives containing a .url file. The .url files point to a remote location hosting an obfuscated .wsf file, which in turn downloads the payload from several URLs.
The multi-component approach is meant to evade detection. But we block the emails, related malicious URLs, components, and payload. The payload (SHA-256: 674b84d4d2da5141870576dfe1e05463ad5e5c1a050d1e68fd92426084942052) is detected by #WindowsDefenderAV as Trojan:Win32/Pliskal.B.
Malicious HTML applications (.hta) hosted on compromised websites continue to plague the Internet, delivering malware payloads like #Kovter, which is known for its #fileless persistence techniques. Just this year, we’ve blocked these threats on almost 1M machines.
These malicious HTML applications typically use the file name FlashPlayer.hta. Newer versions use microsoft-patch.hta as a social engineering tactic and an attempt to avoid detection. Apart from file name, though, no other apparent update in the code.
#WindowsDefenderAV stops the attack kill chain using generic, behavioral, and contextual detections. It also leverages #AMSI to inspect PowerShell and other script types, even with multiple layers of obfuscation.
