Beware of Phishing Emails Disguised as Money Transfer Confirmations
ID: 59a0cc8d-b602-5167-b2ce-a7c0f97e3bf5
STIX ID: report--59a0cc8d-b602-5167-b2ce-a7c0f97e3bf5
Feed Name: ASEC
AhnLab ASEC identified a phishing campaign impersonating employees that delivers a malicious XLS exploiting CVE-2017-0199 (OLE2Link) to download an HTA which launches an obfuscated PowerShell script; the script fetches a steganographically embedded PNG containing a Base64 .NET loader that then downloads and executes the Remcos RAT. The report provides C2 URLs, multiple MD5 hashes, screenshots, and user guidance to verify senders, inspect links/attachments, and avoid entering credentials on suspicious pages.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
