Today we’re tracking an active #spam campaign that employs multiple components to distribute #Pliskal (aka #QuantLoader), a known downloader trojan. The email subject and attachment file name contain the date (27032018) and "Purchase", "Order", "Purchase Order", or "PO".
While emails in this campaign indicate an "attached PDF", the attachments are .zip archives containing a .url file. The .url files point to a remote location hosting an obfuscated .wsf file, which in turn downloads the payload from several URLs.
The multi-component approach is meant to evade detection. But we block the emails, related malicious URLs, components, and payload. The payload (SHA-256: 674b84d4d2da5141870576dfe1e05463ad5e5c1a050d1e68fd92426084942052) is detected by #WindowsDefenderAV as Trojan:Win32/Pliskal.B.
The #spam campaign that delivers .url files in .zip archives is still very active. Today attackers are using “Voice Message” in subject & email body. Yesterday "discount", "sale", "coupon", "offer", "promo" were used. But it's the same campaign that leads to #Pliskal (#QuantLoader).
#Pliskal (aka #QuantLoader) is a known family of trojan downloaders. Our analysis of related domains shows that the malware can download a wide range of payloads, including #ransomware, #coinminer, #infostealers, and other threats.
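Mail-gateway triage for the lure pattern this thread describes (an 8-digit date plus a lure word in the subject or attachment name, a body that promises an "attached PDF", and a .zip whose members are .url files). This is an added example, not code from the thread's author; the `Email` record and the constructed sample message are assumptions for illustration.

```python
import io
import re
import zipfile
from dataclasses import dataclass

# Lure words quoted in the thread for both days of the campaign
LURE_RE = re.compile(
    r"\b(purchase order|purchase|order|po|voice message|discount|sale|coupon|offer|promo)\b",
    re.IGNORECASE,
)
DATE_RE = re.compile(r"\b\d{8}\b")  # ddmmyyyy as in "27032018"


@dataclass
class Email:
    subject: str
    body: str
    attachments: dict  # filename -> raw bytes (assumed shape of a parsed message)


def zip_members(data: bytes) -> list:
    """Return member names of a zip attachment, or [] if it is not a valid zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def flag_email(mail: Email) -> list:
    """Return the campaign indicators this email matches (empty list = clean)."""
    reasons = []
    names = " ".join(mail.attachments)
    text = f"{mail.subject} {names}"
    if DATE_RE.search(text) and LURE_RE.search(text):
        reasons.append("date+lure word in subject/attachment name")
    has_pdf = any(n.lower().endswith(".pdf") for n in mail.attachments)
    if "attached pdf" in mail.body.lower() and not has_pdf:
        reasons.append("body claims attached PDF but none attached")
    for name, data in mail.attachments.items():
        if name.lower().endswith(".zip"):
            urls = [m for m in zip_members(data) if m.lower().endswith(".url")]
            if urls:
                reasons.append(f"{name} contains .url member(s): {urls}")
    return reasons


def make_zip(members: dict) -> bytes:
    """Build an in-memory zip; used only to construct sample input here."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n, d in members.items():
            zf.writestr(n, d)
    return buf.getvalue()


# Constructed sample modelled on the thread's description (not a real capture)
SAMPLE = Email(
    subject="Purchase Order 27032018",
    body="Please see attached PDF for the order details.",
    attachments={"PO_27032018.zip": make_zip({"PO_27032018.url": b"placeholder"})},
)
```

`flag_email(SAMPLE)` returns all three indicators, while a message with a real PDF and no date/lure pattern returns an empty list.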