Microsoft Threat Intelligence Profile picture
Oct 1, 2018 3 tweets 2 min read Read on X
The first #Emotet spam run of the last quarter of 2018 adds malicious PDF files in the infection chain. PDF attachments have malicious link that downloads a doc with malicious macro. If allowed to run, the macro in the doc executes a PowerShell code that downloads the payload. ImageImageImageImage
Notably, some emails ditch the PDF and carry the malicious document itself (as per usual). No matter, antivirus capabilities in Windows Defender ATP block the malicious PDF and doc files in this campaign as Trojan:O97M/Sonbokli.A!cl. Office 365 ATP blocks the malicious emails.
The payload of this campaign is #Emotet (SHA-256: 86770d8bd51a10131e0b4b3b1bc3f49578d05b372d7f19ace910bb7abc5f70a8)

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Microsoft Threat Intelligence

Microsoft Threat Intelligence Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @MsftSecIntel

Oct 29
Microsoft Threat Intelligence has observed Russian threat actor Midnight Blizzard sending a series of highly targeted spear-phishing emails to individuals in government, academia, defense, non-governmental organizations, and other sectors. msft.it/6011W3CGX
Based on our investigation of previous Midnight Blizzard spear-phishing campaigns, we assess that the goal of this operation is likely intelligence collection.
The spear-phishing emails in this campaign were sent to thousands of targets in over 100 organizations and contained a signed Remote Desktop Protocol (RDP) configuration file that connected to an actor-controlled server.
Read 4 tweets
Sep 18
Microsoft observed the financially motivated threat actor tracked as Vanilla Tempest using INC ransomware for the first time to target the healthcare sector in the United States. Image with the Tempest icon for financially motivated threat actors, and the text Vanilla Tempest in white font on blue background
Vanilla Tempest receives hand-offs from Gootloader infections by the threat actor Storm-0494, before deploying tools like the Supper backdoor, the legitimate AnyDesk remote monitoring and management (RMM) tool, and the MEGA data synchronization tool.
The threat actor then performs lateral movement through Remote Desktop Protocol (RDP) and uses the Windows Management Instrumentation Provider Host to deploy the INC ransomware payload.
Read 5 tweets
Jul 15
In the second quarter of 2024, financially motivated threat actor Octo Tempest, our most closely tracked ransomware threat actor, added RansomHub and Qilin to its ransomware payloads in campaigns. Image with a blue background, white icon displaying a computer with a lock and warning sign, and the word "Ransomware" in white text.
Octo Tempest, known for its sophisticated social engineering techniques, identity compromise and persistence, focus on targeting VMWare ESXi servers, and deployment of BlackCat ransomware, accounts for a significant bulk of our investigations and incident response engagements.
RansomHub is a ransomware as a service (RaaS) payload used by more and more threat actors, including ones that have historically used other (sometimes defunct) ransomware payloads (like BlackCat), making it one of the most widespread ransomware families today.
Read 12 tweets
Dec 21, 2023
Microsoft has observed the Iranian nation-state actor Peach Sandstorm attempting to deliver a newly developed backdoor named FalseFont to individuals working for organizations in the Defense Industrial Base (DIB) sector.
FalseFont is a custom backdoor with a wide range of functionalities that allow operators to remotely access an infected system, launch additional files, and send information to its C2 servers. It was first observed being used against targets in early November 2023.
The development and use of FalseFont is consistent with Peach Sandstorm activity observed by Microsoft over the past year, suggesting that Peach Sandstorm is continuing to improve their tradecraft.
Read 6 tweets
Dec 16, 2023
Microsoft has identified new Qakbot phishing campaigns following the August 2023 law enforcement disruption operation. The campaign began on December 11, was low in volume, and targeted the hospitality industry. Targets received a PDF from a user masquerading as an IRS employee. Screenshot of email from a user masquerading as an IRS employee
The PDF contained a URL that downloads a digitally signed Windows Installer (.msi). Executing the MSI led to Qakbot being invoked using export “hvsi” execution of an embedded DLL. The MSI package was signed with the SignerSha1/Thumbprint 50e22aa4b3b145fe1193ebbabed0637fa381fac3.
Screenshot of PDF document used in Qakbot campaign
Screnshot of properties of the MSI used in Qakbot campaign
An embedded configuration EPOCH timestamp indicates the payload was generated on December 11. The campaign code was tchk06. Most notably, the delivered Qakbot payload was configured with the previously unseen version 0x500.
Observed Qakbot C2:
45[.]138.74.191
65[.]108.218.24
Read 4 tweets
Dec 13, 2023
Microsoft has taken steps to disrupt and mitigate a widespread campaign by the Russian nation-state threat actor Midnight Blizzard targeting TeamCity servers using the publicly available exploit for CVE-2023-42793.
Following exploitation, Midnight Blizzard uses scheduled tasks to keep a variant of VaporRage malware persistent. The VaporRage variant, which is similar to malware deployed by the threat actor in recent phishing campaigns, abuses Microsoft OneDrive and Dropbox for C2.
Post-compromise activity includes credential theft using Mimikatz, Active Directory enumeration using DSinternals, deployment of tunneling tool rsockstun, and turning off antivirus and EDR capabilities.
Read 7 tweets

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us!

:(