[SANS ISC] 0.0.0.0 in Emotet Spambot Traffic, (Wed, Jan 19th)

Introduction: Emotet often uses information from emails and address books stolen from infected Windows hosts. Malicious spam (malspam) from Emotet spoofs legitimate senders to trick potential victims into running malicious files. Additionally, Emotet uses IP address 0.0.0.0 in spambot traffic, possibly attempting to hide the actual IP address of an Emotet-infected host. This ISC diary […]


[SANS ISC] Phishing e-mail with…an advertisement?, (Tue, Jan 18th)

Authors of phishing and malspam messages like to use various techniques to make their creations appear as legitimate as possible in the eyes of the recipients. To this end, they often try to make their messages look like reports generated by security tools[1], responses to previous communication initiated by the recipient[2], or instructions from someone at […]


[SANS ISC] Log4Shell Attacks Getting “Smarter”, (Mon, Jan 17th)

Ever since news of the Log4Shell vulnerability broke, we saw a stream of attacks attempting to exploit this vulnerability in log4j (CVE-2021-44228). Initial attempts were rather “blunt”, and attempted to insert the JNDI exploit string into various fields without much concern for how and where the string may be logged. More recently, we did some however […]


[SANS ISC] Use of Alternate Data Streams in Research Scans for index.jsp., (Fri, Jan 14th)

Our network of web application honeypots delivered some odd new URLs in the last 24 hrs:

/index.jsp::$DATA
/jsp/index.jsp::$DATA
/cgi-bin/index.jsp::$DATA
/cgi-bin/jsp/index.jsp::$DATA
/demo/../index.jsp::$DATA
/demo/../jsp/index.jsp::$DATA
/scripts/index.jsp::$DATA
/scripts/jsp/index.jsp::$DATA

I am not 100% sure what these scans are after, but my best guess right now is that they are attempting to bypass filters using NTFS alternate data streams. The Windows […]
