2018-01-22 - MORE RESUME MALSPAM PUSHING SMOKE LOADER AND OTHER MALWARE

ASSOCIATED FILES:

  • 2018-01-22-malspam-pushing-smoke-loader-and-other-malware.pcap   (6,040,488 bytes)
  • 2018-01-22-GlobeImposter-READ__ME.html   (2,808 bytes)
  • 2018-01-22-GlobeImposter-artifact-tmp3AFC.tmp.bat.txt   (448 bytes)
  • 2018-01-22-GlobeImposter-decryptor-style.css   (1,930 bytes)
  • 2018-01-22-GlobeImposter-decryptor.html   (9,180 bytes)
  • 2018-01-22-GlobeIposter-ransomware-sample.exe   (286,720 bytes)
  • 2018-01-22-Smoke-Loader-sample.exe   (286,720 bytes)
  • 2018-01-22-Zeus-Panda-Banker-sample.exe   (1,104,896 bytes)
  • 2018-01-22-another-executable-retrieved-from-the-pcap.exe   (568,832 bytes)

NOTES:

RECENT DOCUMENTATION:


Shown above:  The malicious Word document.

Shown above:  The messiness of an infected Windows host from that Word document.

 

WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following URL and domains:

 

TRAFFIC


Shown above:  Traffic caused by macro from the Word document.

 


Shown above:  Traffic from an infected Windows host filtered in Wireshark.

 

MALICIOUS TRAFFIC:

 

FILE HASHES

ORIGINAL DOCUMENT:

FOLLOW-UP MALWARE:

 

IMAGES


Shown above:  Alerts from Sguil in Security Onion using Suricata and the EmergingThreats Pro (ETPRO) ruleset.

 


Shown above:  Some alerts on the infection traffic from the Snort subscriber ruleset when reading the pcap with Snort 2.9.11.1

 


Shown above:  GlobeImposter ransomware now more VM aware, and it uses a ..docx file extension for encrypted files.

 


Shown above:  Had to open the decryption instructions in a Tor browser to get to the follow-up decryptor page.

 

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.