Malspam activity was observed on February 13th delivering a variant of the ISR password stealer. ISR was reportedly used in spear phishing attacks against the food and machine industries. In this blog post we will discuss the network activity using RSA NetWitness Packets.
Opening the malicious document with an unpatched Microsoft Word application led to the following network activity:
Once 99v.exe executes on the victim machine, it starts to communicate with what looks to be a compromised WordPress website, transeagleperu[.]com:
Since the User-Agent string used in this session is common to ISR variants, the session was tagged with the value "known bad ua credentialleak" under the Indicators of Compromise meta key:
It is worth mentioning that the delivery domain menorasarainc[.]info has been active over the past week:
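To show how the two network indicators above (the compromised C2 host and the delivery domain, plus the ISR-style User-Agent) can be turned into the kind of meta tagging the post describes, here is an added example in Python. It is not RSA NetWitness code or the original post's; it uses the two domains named in the post, and because the post does not reproduce the actual ISR User-Agent string, the User-Agent pattern, the log format, the URI paths and the timestamps are constructed placeholders.

```python
"""
Added example (not RSA NetWitness's or the post's own code): tag session
records with IoC-style meta values, the way the post describes NetWitness
tagging a session under the Indicators of Compromise meta key.
"""
import re

# Domains taken from the post, kept in their defanged form; refang() turns
# them into hostnames that can be compared against log data.
BAD_DOMAINS = {
    "menorasarainc[.]info": "known bad domain malspam delivery",
    "transeagleperu[.]com": "known bad domain c2",
}

# The post does not reproduce the ISR User-Agent string, so this regex is a
# constructed placeholder (assumption), not the real indicator.
BAD_USER_AGENTS = [
    (re.compile(r"^PLACEHOLDER-ISR-UA/"), "known bad ua credentialleak"),
]


def refang(indicator: str) -> str:
    """Turn 'example[.]com' into 'example.com' for matching against logs."""
    return indicator.replace("[.]", ".")


def parse_line(line: str) -> dict:
    """Parse one constructed, tab-separated record: ts, src, host, uri, ua."""
    ts, src, host, uri, ua = line.rstrip("\n").split("\t", 4)
    return {"ts": ts, "src": src, "host": host.lower(), "uri": uri, "ua": ua}


def tag_session(rec: dict) -> list:
    """Return the IoC meta values that apply to a single session record."""
    tags = []
    host = rec["host"]
    for dom, tag in BAD_DOMAINS.items():
        clean = refang(dom)
        # Match the domain itself and any subdomain of it.
        if host == clean or host.endswith("." + clean):
            tags.append(tag)
    for pattern, tag in BAD_USER_AGENTS:
        if pattern.search(rec["ua"]):
            tags.append(tag)
    return tags


def tag_sessions(lines) -> list:
    """Parse and tag every non-empty record; tags land in the 'ioc' field."""
    out = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        rec["ioc"] = tag_session(rec)
        out.append(rec)
    return out


# Constructed sample records (timestamps, source IP, URIs and the benign
# User-Agent are made up). Record 1 is the payload download from the delivery
# domain, record 2 is the post-infection check-in to the compromised site,
# record 3 is unrelated traffic.
SAMPLE_LOG = [
    "\t".join(["2000-02-13T09:01:10Z", "10.0.0.5", "menorasarainc.info",
               "/99v.exe", "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1)"]),
    "\t".join(["2000-02-13T09:01:42Z", "10.0.0.5", "transeagleperu.com",
               "/wp-content/gate.php", "PLACEHOLDER-ISR-UA/1.0"]),
    "\t".join(["2000-02-13T09:02:05Z", "10.0.0.7", "example.org",
               "/index.html", "Mozilla/5.0 (Windows NT 10.0) Firefox/58.0"]),
]

if __name__ == "__main__":
    for rec in tag_sessions(SAMPLE_LOG):
        print(rec["ts"], rec["src"], rec["host"], rec["ioc"])
```

The sub-domain check in tag_session is deliberate: a compromised site used for C2 may answer on a host such as www.transeagleperu.com as well as the bare domain, so an exact-match rule alone would miss part of the traffic.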
Payment receipt.doc (SHA256):