Ultimately the script would reach out to a set of different C2s, which would reply with a binary that was saved to the user’s Temp directory and executed.
It should be noted that Word documents were also being served by the first download site, which resulted in the same outcome. The executable was packed in several layers, each of which had to be unpacked.
The image below depicts how the JavaScript looked as it was downloaded from the malicious site.
The additional screenshots that are used in the section below have been altered and variables renamed for analysis.
Contained in the email is a PDF file that does not contain any malicious code or exploits.
The PDF purports to be a legitimate document, which requests that the user follow a hyperlink to a website presented as legitimate.
For specific information on Carbon Black product detections, please review the TAU-TIN writeup, which is listed on our User Exchange.
The image below is an example of a PDF document that was sent to targets as part of this campaign.
In this example the PDF purports to be from Citibank and attempts to provoke further action by informing the reader that their bank account has been suspended.
The hyperlink actually directs the user to a compromised site, which downloads different payloads depending on what is being served at the time of the request.
In the scenario that was investigated, a zip file was downloaded and extracted. The malicious dropper masquerades as a legitimate file.
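The chain described above (a script host contacts a C2, writes a binary into the user's Temp directory, and that binary is then launched) can be correlated from endpoint telemetry. The following is an added detection example, not code from the writeup or from Carbon Black; the event shape loosely mirrors Sysmon process-create, network-connect and file-create events, and the field names and sample events are constructed for this example.

```python
"""Correlate script-host activity into a dropper-chain alert (constructed events)."""
import re
from collections import defaultdict

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
TEMP_RE = re.compile(r"\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
EXE_SUFFIXES = (".exe", ".dll", ".scr")

# Constructed sample telemetry; "id" follows Sysmon numbering (1 process create,
# 3 network connect, 11 file create) but the field names are assumptions.
EVENTS = [
    {"id": 1, "pid": 410, "ppid": 300, "image": r"C:\Windows\System32\wscript.exe"},
    {"id": 3, "pid": 410, "dest": "203.0.113.10:443"},
    {"id": 11, "pid": 410, "target": r"C:\Users\bob\AppData\Local\Temp\update.exe"},
    {"id": 1, "pid": 511, "ppid": 410, "image": r"C:\Users\bob\AppData\Local\Temp\update.exe"},
    {"id": 1, "pid": 600, "ppid": 300, "image": r"C:\Program Files\App\app.exe"},
    {"id": 11, "pid": 600, "target": r"C:\Users\bob\AppData\Local\Temp\cache.tmp"},
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def find_dropper_chains(events):
    """Return (script_pid, dropped_path, child_pid, had_network) per completed chain."""
    hosts = set()                  # pids of script-host processes
    dropped = defaultdict(set)     # script pid -> executables it wrote into Temp
    netconn = set()                # script pids that made an outbound connection
    hits = []
    for ev in events:
        if ev["id"] == 1 and basename(ev["image"]) in SCRIPT_HOSTS:
            hosts.add(ev["pid"])
        elif ev["id"] == 3 and ev["pid"] in hosts:
            netconn.add(ev["pid"])
        elif ev["id"] == 11 and ev["pid"] in hosts:
            target = ev["target"]
            if TEMP_RE.search(target) and target.lower().endswith(EXE_SUFFIXES):
                dropped[ev["pid"]].add(target.lower())
        elif ev["id"] == 1 and ev["ppid"] in hosts:
            # Child launched by a script host from a file that host itself dropped.
            if ev["image"].lower() in dropped[ev["ppid"]]:
                hits.append((ev["ppid"], ev["image"], ev["pid"], ev["ppid"] in netconn))
    return hits


if __name__ == "__main__":
    for hit in find_dropper_chains(EVENTS):
        print("dropper chain:", hit)
```

Only the wscript.exe chain is reported; the benign process writing a .tmp file into Temp does not match because it is neither a script host nor an executable drop.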