Thursday, June 11, 2015

SouthNorth.Org in Montana or Russia?

Long story... stick with us.  :-)

The blended threat begins with malware delivered via an email attachment on Monday morning.  As is all too often the case, the AV vendors were asleep at the wheel (although 29 of 57 AV engines are detecting it at the time of this post):



Per this Websense File Sandbox Report, you'll see that the malware downloads an additional exe from lichtermmigration... which only 2 of 63 web security vendors were blocking:



Still with us?  Good... because the bouncing ball now takes us to a site in Russia.  Per the Websense File Sandbox report referenced above, the malware also phones home to an HTTPS site in Russia, 146.185.128.226.  An nmap scan shows something interesting: the service running on TCP port 8443 presents a certificate referencing southnorth.org in Montana:



Hmmm... I guess you really can't trust everything on the Internet.   :-)
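That certificate-to-host mismatch is exactly the kind of thing worth checking automatically when triaging a callback address. Below is an added example (not from the original post) that parses nmap's ssl-cert script output and flags a scan target whose served certificate names do not cover it; the nmap lines are constructed, and only the IP, port, Montana and southnorth.org come from the post.

```python
import ipaddress
import re

# Constructed nmap ssl-cert output for the callback host in the post.
# The validity dates and www. SAN are made up for the example.
SAMPLE_NMAP = """\
8443/tcp open  ssl/https-alt
| ssl-cert: Subject: commonName=southnorth.org/stateOrProvinceName=Montana/countryName=US
| Subject Alternative Name: DNS:southnorth.org, DNS:www.southnorth.org
| Not valid before: 2015-01-01T00:00:00
|_Not valid after:  2016-01-01T00:00:00
"""

def parse_ssl_cert(nmap_text):
    """Collect the names a certificate claims: subject CN plus DNS/IP SANs."""
    names = set()
    m = re.search(r"commonName=([^/\n]+)", nmap_text)
    if m:
        names.add(m.group(1).strip())
    m = re.search(r"Subject Alternative Name: (.+)", nmap_text)
    if m:
        for entry in m.group(1).split(","):
            entry = entry.strip()
            if entry.startswith(("DNS:", "IP Address:")):
                names.add(entry.split(":", 1)[1].strip())
    return names

def name_matches(pattern, host):
    """Exact match, or a single leftmost wildcard label (e.g. *.example.org)."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == host:
        return True
    if pattern.startswith("*.") and host.count(".") >= 2:
        return host.split(".", 1)[1] == pattern[2:]
    return False

def cert_matches_host(cert_names, host):
    """True if any certificate name covers the host we actually connected to."""
    try:
        ipaddress.ip_address(host)
        return host in cert_names  # an IP target needs a literal IP SAN
    except ValueError:
        return any(name_matches(n, host) for n in cert_names)

if __name__ == "__main__":
    names = parse_ssl_cert(SAMPLE_NMAP)
    target = "146.185.128.226"
    if not cert_matches_host(names, target):
        print(f"{target}:8443 serves a cert for {sorted(names)} - pivot on those names")
```

A mismatch like this one is not proof of anything on its own, but the names on the certificate are a useful pivot for further investigation.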
