
SANS Internet Storm Center, InfoCON: green

SANS Internet Storm Center - Cooperative Cyber Security Monitor

Published: Tue, 21 Nov 2017 03:37:03 GMT

Last Build Date: Tue, 21 Nov 2017 16:10:04 +0000

Copyright: (C) SANS Institute 2017

Resume-themed malspam pushing Smoke Loader, (Sun, Nov 19th)

Sun, 19 Nov 2017 22:40:22 GMT


BTC Pickpockets, (Sat, Nov 18th)

Sat, 18 Nov 2017 11:15:54 GMT

I observed requests to my webserver to retrieve Bitcoin wallet files:

Top-100 Malicious IP STIX Feed, (Fri, Nov 17th)

Fri, 17 Nov 2017 07:56:20 GMT

Yesterday, we were contacted by one of our readers who asked if we provide a STIX feed of our block list or top-100 suspicious IP addresses. STIX[1] stands for “Structured Threat Information eXpression” and enables organizations to share indicators of compromise (IOCs) with peers in a consistent and machine-readable manner.

Suspicious Domains Tracking Dashboard, (Thu, Nov 16th)

Thu, 16 Nov 2017 08:27:01 GMT

Domain names remain a gold mine for investigating security incidents or for preventing malicious activity from occurring on your network (for example, by using a DNS firewall). The ISC also has a page[1] dedicated to domain names. But how can we detect potentially malicious DNS activity if the domains are not (yet) present in a blacklist? The typical case is DGAs, or Domain Generation Algorithms[2], used by some malware families.

If you want something done right, do it yourself!, (Wed, Nov 15th)

Wed, 15 Nov 2017 07:16:17 GMT

Another day, another malicious document! I like to discover how creative the bad guys are at writing new pieces of malicious code. Yesterday, I found another interesting sample. It’s always the same story: a malicious document is delivered by email. The document was called 'Saudi Declare war Labenon.doc’ (interesting name, by the way!). According to VT, it is already flagged as malicious by many antivirus engines[1] (SHA256: 7f39affc9649606f57058b971c0c5a7612f7d85ef7ed54c95034cd2b9ae34602/detection). The document is a classic RTF file that triggers the well-known CVE-2017-0199. When started, it downloads the first file from: