Date,Details,Email Payload Type,Users Targeted
10/1/2024,FACTURA N.º 240073; lzh -> xloader,Attachment,46
10/1/2024,Payment Advice ***** Advice Ref:[A20A9o6tNQd2] / ACH; rar -> xloader,Attachment,3
10/3/2024,SOA AUG 2024 - / CMA CGM; rar -> xloader,Attachment,4
10/3/2024,Payment Reference SOA Pending Balance Updated; rar -> xloader,Attachment,4
10/6/2024,Re: Ref: Payment Advice 081 // Customer Ref:23486903|NEW ORDER; rar -> xloader,Attachment,4
10/6/2024,SOA (Statement Of Account); rar -> xloader,Attachment,4
10/7/2024,Request for Quotation Plug Valve; z -> vipkeylogger,Attachment,4
10/7/2024,Quotation Accepted; lzh -> xloader,Attachment,3
10/9/2024,NEW PO; z -> xloader,Attachment,4

Date,Details,Email Payload Type,Users Targeted
9/2/2023,<email address> You have an incoming invoice; rar -> formbook,Attachment,3
9/2/2024,QUOTE - REQUIRED ITEMS_4001244; rar -> viplogger,Attachment,2
9/2/2024,Business /lease agreements.; 7z -> vbe -> snakekeylogger,Attachment,2
9/2/2024,JUSTIFICANTE -Carta de pago; rar -> viplogger,Attachment,3
9/2/2024,Quote #011698; lzh -> xloader,Attachment,3
9/3/2024,New Order PO#86637 03_09_2024; lzh -> xloader,Attachment,3
9/3/2024,Re: Urgent; 7z -> vbe -> snakekeylogger,Attachment,3
9/4/2024,New Shipment - Order 103; lzh -> xloader,Attachment,3
9/5/2024,New Order PO 011824; lzh -> xloader,Attachment,3

Date,Summary,Details,Email Payload Type,Users Targeted
8/1/2024,Malicious email campaign; morning,Purchase Order; rar ->,Attachment,3
8/1/2024,Malicious email campaign; evening,SIGNED ORDER CONFIRMATION FOR; zip -> xloader continued to 8/5,Attachment,4
8/1/2024,Malicious email campaign; evening,ARRIVAL NOTICE FOR YOUR; zip -> originlogger continued to 8/5,Attachment,9
8/2/2024,Malicious email campaign; evening,Purchase Order PO0001277 - N34 PAX SUITES SO0002124; z -> xloader,Attachment,5
8/3/2024,Malicious email campaign; evening,RE: UPDATED SOA FOLLOW UP PAYMENT; rar|zip -> originlogger,Attachment,3
8/3/2024,Malicious email campaign; evening,Fw: PAYMENT NOTIFICATION; zip -> snakekeylogger,Attachment,2
8/6/2024,Malicious email campaign; morning,DHL BILL OF LANDING SHIPPING INVOICE DOCUMENTS; lzh -> originlogger,Attachment,2
8/6/2024,Malicious email campaign; evening,Re: Payment for Proforma Invoice 0000000056789007689-pdf; zip -> purelogs,Attachment,3
8/7/2024,Malicious email campaign; morning, PI-J/005 : PF

Date,Summary,Details,Category,Sub Category,Email Payload Type,Users Targeted
7/1/2024,Malicious email campaign; morning,Top Urgent Order; 7z -> vbs -> guloader,Email,Malware,Attachment,4
7/1/2024,Malicious email campaign; morning,Re: Solicitação de Pagamento - Fatura Proforma 924318184; 7z -> formbook,Email,Malware,Attachment,2
7/1/2024,Malicious email campaign; evening,Urgent files; 7z -> vbs -> guloader continued to 7/2,Email,Malware,Attachment,3
7/2/2024,Malicious email campaign; morning,INQUIRY 2024-SP0006-B(01) INQ24-012207; rar -> xloader continued to 7/8,Email,Malware,Attachment,16
7/2/2024,Malicious email campaign; morning,Re: Revised Proforma; tar -> vbs -> guloader,Email,Malware,Attachment,3
7/4/2024,Malicious email campaign; morning,Attachment name is revised pi_2024.lzh; lzh -> originlogger continued to 7/12,Email,Malware,Attachment,8
7/8/2024,Malicious email campaign; evening,Re: Your Proforma Pending Payments; 7z -> vbs -> guloader,Email,Malware,Attachment,2
7/9/2024,Malicious email campaign; m

// Get ConfigStateUpdate and SensorHeartbeat events
#event_simpleName=/^(ConfigStateUpdate|SensorHeartbeat)$/ event_platform=Win
// Narrow search to Channel File 291 and extract version number; accept all SensorHeartbeat events within impact window
| case{
#event_simpleName=ConfigStateUpdate | regex("\|1,123,(?<CFVersion>.*?)\|", field=ConfigStateData, strict=false) | parseInt(CFVersion, radix=16);
#event_simpleName=SensorHeartbeat | rename([[@timestamp, LastSeen]]);
}
| case{

Date,Summary,Details,Email Payload Type,Users Targeted
6/2/2024,Malicious email campaign; morning,AW: RE: Payment; ace -> originlogger,Attachment,6
6/3/2024,Malicious email campaign; morning,Aw:Aw: Aw:New order - Revised Invoice/Advanced payment; doc -> remcos,Attachment,7
6/3/2024,Malicious email campaign; evening,Quotation Request - RFQ018232901983234; zip -> vbs -> formbook,Attachment,8
6/4/2024,Malicious email campaign; morning,"New PO for Project - 00775, 00875 & 02195; zip -> remcos",Attachment,7
6/4/2024,Malicious email campaign; evening,New order PO00211 - Delivery next month; xlam -> originlogger,Attachment,3
6/5/2024,Malicious email campaign; morning,RE: Request For Quote; z -> originlogger,Attachment,4
6/5/2024,Malicious email campaign; evening,Your Shipment Just Arrived -SGS; xlam:rar -> originlogger continued to 6/10,Attachment,4
6/6/2024,Malicious email campaign; evening,Advice from Standard Chartered Bank; xz -> originlogger,Attachment,2
6/7/2024,Malicious email campaign; evening,ROQ // NYMPH

Date,Summary,Details,Email Payload Type,Users Targeted
5/2/2024,Malicious email campaign; morning,RE:AW:AW:AW SHIPMENT ARRIVAL NOTICE AWB5889829680; zip -> formbook,Attachment,6
5/2/2024,Malicious email campaign; morning,Fw: MT103 Failed /Returned; zip -> formbook,Attachment,6
5/2/2024,Malicious email campaign; morning,Re: Telecon follow up / Purchase order; zip -> formbook,Attachment,6
5/2/2024,Malicious email campaign; afternoon,Aw: Proforma Invoice; rar -> originlogger,Attachment,4
5/3/2024,Malicious email campaign; morning,Request For Quotation; lzh -> vbs -> originlogger,Attachment,3
5/6/2024,Malicious email campaign; morning,PO 211436; zip -> originlogger,Attachment,4
5/8/2024,Malicious email campaign; morning,"Eurofins Tsing Hua Environment Testing Co., Ltd Purchase Order; lzh ->",Attachment,20
5/12/2024,Malicious email campaign; afternoon,Pre-production Samples; img -> originlogger,Attachment,5
5/12/2024,Malicious email campaign; afternoon,NEW PO DTL20-041 FOB Quote Best Prices; doc -> lokibot,Attach

Date,Details,Email Payload Type,Users Targeted
4/2/2024,Booking.com invoice 1467466252; pdf -> js -> originlogger,Attachment,3
4/2/2024,RE: New Urgent Order; zip -> originlogger,Attachment,3
4/4/2024,RES: RES : Request For Quotation; gz -> remcos,Attachment,4
4/7/2024,Quotation request _?FL202306200039?; z -> originlogger,Attachment,4
4/8/2024,Request for Quotation; xls -> remcos,Attachment,4
4/8/2024,Payment Advice - Advice Ref:[A22D4YdWsbE4] / Priority payment / Customer Ref; z -> originlogger,Attachment,4
4/8/2024,Attachment name is document.r15; -> originlogger,Attachment,3
4/15/2024,Top Order Inquiry; gz -> vbs -> guloader,Attachment,3
4/16/2024,Shipping Invoice & AWB; 7z -> vbs -> guloader,Attachment,2

Date,Summary,Details,Email Payload Type,Users Targeted
3/1/2024,Malicious email campaign; morning,Re: lnvoice copy.; zip -> img -> wsf -> xworm,Attachment,8
3/4/2024,Malicious email campaign; morning,RE: ADVANCE TT SLIP // FEB 2024 SOA PAYMENT; zip -> originlogger,Attachment,4
3/4/2024,Malicious email campaign; morning,DELIVERY RELEASE ORDER Ref-no: <<A3_DB2TH84T.CNT>>; zip -> originlogger continued to 3/19,Attachment,4
3/4/2024,Malicious email campaign; morning,New PO - PO#2024EH001; rar -> originlogger,Attachment,4
3/4/2024,Malicious email campaign; morning,Inquiry & Orders; rar -> formbook,Attachment,3
3/4/2024,Malicious email campaign; morning,Payment Advice - Advice; img -> originlogger,Attachment,3
3/4/2024,Malicious email campaign; morning,ARRIVAL NOTICE EVER BEADY 0732-081S Ref-no|RE: Release Payment; zip -> originlogger,Attachment,16
3/5/2024,Malicious email campaign; morning,Invoice copy.; zip -> img -> wsf|vbs -> xworm continued to 3/7,Attachment,14
3/5/2024,Malicious email campaign; evening,Şubat

Date,Details,Payload Type,Users Targeted
2/1/2024,SOA PAYMENT SETTLEMENT; r01 -> dbatloader -> remcos,Attachment,5
2/1/2024,Request for Quotation; z -> originlogger continued to 02/04,Attachment,8
2/4/2024,Re:New Order; 7z -> originlogger,Attachment,2
2/5/2024,Quote; z -> originlogger,Attachment,4
2/6/2024,AmBank Remittance Advice/SOA SETTLEMENT/BL-FEB-2024/APPROVED; tar -> modiloader -> remcos,Attachment,6
2/7/2024,Header from [email protected]|[email protected]; pdf -> wikiloader continued to 2/8,Attachment,162
2/8/2024,FW: Re: Quotation Request - Feb 2024 quotation.// New Supplier; lzh -> originlogger,Attachment,25
2/8/2024,RE: RFQ - 07.02.2024; xla -> doc -> vbs -> remcos,Attachment,3
2/12/2024,Payment remittance from Our Client/ Your Customer; 7z -> originlogger,Attachment,2