Today we’re tracking an active #spam campaign that employs multiple components to distribute #Pliskal (aka #QuantLoader), a known downloader trojan. The email subject and attachment file name contains the date (27032018) and "Purchase", "Order", "Purchase Order", or "PO".
While emails in this campaign indicate an "attached PDF", the attachments are .zip archives containing a .url file. The .url files point to a remote location hosting an obfuscated .wsf file, which in turn downloads the payload from several URLs.
The multi-component approach is meant to evade detection. But we block the emails, related malicious URLs, components, and payload. The payload (SHA-256: 674b84d4d2da5141870576dfe1e05463ad5e5c1a050d1e68fd92426084942052) is detected by #WindowsDefenderAV as Trojan:Win32/Pliskal.B.
The #spam campaign that delivers .url files in .zip archives is still very active. Today attackers are using “Voice Message” in subject & email body. Yesterday "discount","sale","coupon","offer","promo" were used. But it's the same campaign that leads to #Pliskal (#QuantLoader).
#Pliskal (aka #QuantLoader) is a known family of trojan downloaders. Our analysis of related domains shows that the malware can download a wide range of payloads, including #ransomware, #coinminer, #infostealers, and other threats.
• • •
Missing some Tweet in this thread? You can try to
force a refresh
Microsoft Threat Intelligence has observed Russian threat actor Midnight Blizzard sending a series of highly targeted spear-phishing emails to individuals in government, academia, defense, non-governmental organizations, and other sectors. msft.it/6011W3CGX
Based on our investigation of previous Midnight Blizzard spear-phishing campaigns, we assess that the goal of this operation is likely intelligence collection.
The spear-phishing emails in this campaign were sent to thousands of targets in over 100 organizations and contained a signed Remote Desktop Protocol (RDP) configuration file that connected to an actor-controlled server.
Microsoft observed the financially motivated threat actor tracked as Vanilla Tempest using INC ransomware for the first time to target the healthcare sector in the United States.
Vanilla Tempest receives hand-offs from Gootloader infections by the threat actor Storm-0494, before deploying tools like the Supper backdoor, the legitimate AnyDesk remote monitoring and management (RMM) tool, and the MEGA data synchronization tool.
The threat actor then performs lateral movement through Remote Desktop Protocol (RDP) and uses the Windows Management Instrumentation Provider Host to deploy the INC ransomware payload.
In the second quarter of 2024, financially motivated threat actor Octo Tempest, our most closely tracked ransomware threat actor, added RansomHub and Qilin to its ransomware payloads in campaigns.
Octo Tempest, known for its sophisticated social engineering techniques, identity compromise and persistence, focus on targeting VMWare ESXi servers, and deployment of BlackCat ransomware, accounts for a significant bulk of our investigations and incident response engagements.
RansomHub is a ransomware as a service (RaaS) payload used by more and more threat actors, including ones that have historically used other (sometimes defunct) ransomware payloads (like BlackCat), making it one of the most widespread ransomware families today.
Microsoft has observed the Iranian nation-state actor Peach Sandstorm attempting to deliver a newly developed backdoor named FalseFont to individuals working for organizations in the Defense Industrial Base (DIB) sector.
FalseFont is a custom backdoor with a wide range of functionalities that allow operators to remotely access an infected system, launch additional files, and send information to its C2 servers. It was first observed being used against targets in early November 2023.
The development and use of FalseFont is consistent with Peach Sandstorm activity observed by Microsoft over the past year, suggesting that Peach Sandstorm is continuing to improve their tradecraft.
Microsoft has identified new Qakbot phishing campaigns following the August 2023 law enforcement disruption operation. The campaign began on December 11, was low in volume, and targeted the hospitality industry. Targets received a PDF from a user masquerading as an IRS employee.
The PDF contained a URL that downloads a digitally signed Windows Installer (.msi). Executing the MSI led to Qakbot being invoked using export “hvsi” execution of an embedded DLL. The MSI package was signed with the SignerSha1/Thumbprint 50e22aa4b3b145fe1193ebbabed0637fa381fac3.
An embedded configuration EPOCH timestamp indicates the payload was generated on December 11. The campaign code was tchk06. Most notably, the delivered Qakbot payload was configured with the previously unseen version 0x500.
Observed Qakbot C2:
45[.]138.74.191
65[.]108.218.24
Microsoft has taken steps to disrupt and mitigate a widespread campaign by the Russian nation-state threat actor Midnight Blizzard targeting TeamCity servers using the publicly available exploit for CVE-2023-42793.
Following exploitation, Midnight Blizzard uses scheduled tasks to keep a variant of VaporRage malware persistent. The VaporRage variant, which is similar to malware deployed by the threat actor in recent phishing campaigns, abuses Microsoft OneDrive and Dropbox for C2.
Post-compromise activity includes credential theft using Mimikatz, Active Directory enumeration using DSinternals, deployment of tunneling tool rsockstun, and turning off antivirus and EDR capabilities.