TLP-GREEN
Threat actors are using HTML smuggling techniques in recent campaigns to deliver Qakbot, XWorm, Cobalt Strike and IcedID.
Initially, a spear-phishing email with an HTML attachment is sent to the target. Once opened, the HTML file may directly drop an archive containing a malicious LNK file onto the victim's machine, or it may present a file impersonating well-known vendors such as Adobe, Google or Dropbox.
The victim is then coerced into executing the archive, or into saving and executing a malicious file delivered as an .ISO, .IMG or .VHD image.
In either scenario the file contains an LNK file that executes commands to open a decoy file and uses the native binary rundll32 to load the malware payload.
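As an added example (not part of the Glesec alert), a small Python triage check for the HTML-smuggling pattern described above: it scores an HTML attachment on the browser-side decode-and-download indicators and on a large embedded base64 literal, and flags downloads named as archive or image containers. The sample attachment is constructed for the demonstration and is not a real sample.

```python
import re

# Indicators typical of HTML smuggling attachments: the payload is embedded as
# a base64 string, decoded in the browser with atob(), wrapped in a Blob and
# handed to the user via an anchor "download" attribute or msSaveOrOpenBlob.
# Each indicator carries a weight; weights are assumptions chosen for triage.
INDICATORS = {
    "atob(": 2,
    "new Blob(": 2,
    "URL.createObjectURL(": 2,
    "msSaveOrOpenBlob": 3,
    "download=": 1,
    ".click()": 1,
}
# A quoted base64 literal of 1 KB or more strongly suggests an embedded file.
B64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/]{1024,}={0,2})['\"]")
# Downloads named as archives or disk images (as in the alert) are extra suspicious.
SUSPICIOUS_EXT = re.compile(
    r"download\s*=\s*['\"][^'\"]+\.(zip|iso|img|vhd|lnk)['\"]", re.I
)


def scan_html(html: str) -> dict:
    """Return matched indicators, a total score and a verdict for one HTML body."""
    hits = {name: html.count(name) for name in INDICATORS if name in html}
    score = sum(INDICATORS[n] * c for n, c in hits.items())
    blobs = B64_LITERAL.findall(html)
    if blobs:
        hits["large_base64_literal"] = len(blobs)
        score += 3
    ext = SUSPICIOUS_EXT.search(html)
    if ext:
        hits["download_ext"] = ext.group(1).lower()
        score += 2
    # Threshold of 6 is an assumption: one decode step plus one delivery step.
    return {"hits": hits, "score": score, "suspicious": score >= 6}


# Constructed sample modelled on the technique in the alert: a base64 string
# (here just "ABC" repeated) decoded in the browser and offered as a .zip download.
SAMPLE_HTML = (
    "<html><body><script>"
    "var b='" + "QUJD" * 300 + "';"
    "var bin=atob(b);var arr=new Uint8Array(bin.length);"
    "for(var i=0;i<bin.length;i++){arr[i]=bin.charCodeAt(i);}"
    "var blob=new Blob([arr],{type:'application/octet-stream'});"
    "var a=document.createElement('a');a.href=URL.createObjectURL(blob);"
    "a.download='Invoice.zip';a.click();"
    "</script></body></html>"
)

if __name__ == "__main__":
    print(scan_html(SAMPLE_HTML))
```

Run over mail-gateway attachments, a positive verdict is a reason to detonate or quarantine the file, not proof of malice; the weights and threshold should be tuned against the organization's own benign HTML traffic.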
Glesec Information Sharing Protocol
GLESEC CYBER SECURITY INCIDENT REPORTS are in compliance with the U.S. Department of Homeland Security (DHS) Traffic-Light Protocol (TLP).
TLP-White
Disclosure is Not Limited.
TLP-Green
Limited Disclosure, Restricted Only to the Community.
TLP-Amber
Limited Disclosure, restricted to the Participant's Organization.
TLP-Red
Not for Disclosure, Restricted/ Classified - Only Shared with US DHS.