Great #malware sample caught by @k3dg3 #threatintel

Exploits #ZippyReads (read only file for bypass of Mark-of-the-Web) and #DefenderExplode, a large file zero day in Microsoft Defender AV which breaks their telemetry and detection.

Targets Italy. Calls michaelpagerecruitment-ukoffers[.]com

https://www.virustotal.com/gui/file/13846a9778f224ae692edddcc90746d0e619f872733c2c880188c36797b2c4e7
@GossiTheDog @k3dg3

Are defender ASR rules an effective control for this?

@k3dg3 @GossiTheDog that recruiter name is the same one used in this itw 0day sample:

d599c99968765eddfed0f9c8a3e6d1f4531eb2bbaadfbab6d0cf3bdbad0c8b3c

Another domain in there too:

michael-page-uk-s04[.]com

@GossiTheDog @k3dg3 WHY.DOES.WINDOWS.ALLOW.SCRIPTS.IN.LNK.FILES!?!?!

People say LNK files are the Windows equivalent of Unix symbolic links. No - No they are not...