Category: Phishing

Malspam Leads to Hancitor, Downloads pm.dll (Pony) and inst.exe (Vawtrak)

IOCs: 77.246.149.178 – ledintutat[.]com/ls5/gate.php – Hancitor C2 81.169.145.93 – e-kite[.]biz/wp-admin/includes/pm.dll – GET for Pony 77.246.149.178 – ledintutat[.]com/zapoy/gate.php – Pony C2 104.31.87.182 – geadent[.]ro/wp-admin/inst.exe – GET for Vawtrak 185.75.46.13 – SSL Blacklist Malicious SSL Certificate Detected (Vawtrak CnC) Traffic: IDS Events: Hashes: SHA256: d84b585409fb4f538cde666cefc7980ba3a927dc292dfb391bdcd8765d4ce0c8 File name: contract_54262.doc SHA256: 420b028db779bdee1355b568fd1757a579505df41a1f3f620954a34d2b49a926 File name: hancitor.dll SHA256: 903345e2ccc6c0045de61d40c4c85dad625274b0cc7a4fc4e0c3813811e44495 File name: ...

Phishing For Passwords via FormBuddy.com

Most InfoSec professionals have heard of “layer 8” as the unofficial layer of the OSI Model. For those of you that don’t know Layer 8 refers to people. Meaning, no matter how good your security posture there is always that very predictably unpredictable and unpatchable vulnerability known as the user. It is often easier to ...

Phishing Sites at Myjino.ru

Here is what I found in our customers traffic: myjino[.]ru/ mc.yandex[.]ru/ wildblue-net-upd.myjino[.]ru/35c6cfba69650ab1fc8ff49f3bcb4532/db.php login.wildblue[.]net/ http://www.jino[.]ru/ account.jino[.]ru/ mc.yandex[.]ru/ mc.yandex[.]ru/ jino[.]ru/help/ Staring at traffic in a SIEM for hours each day you get really good at identifying patterns of traffic that look suspicious. Obviously not ALL traffic to Russian domains is an IOC. However, when you see an ...