Like many security researchers, I not only run my own mail servers, but I generally do not have spam filtering on many of them so I can see the interesting attacks that come in. Then, dig into them as time allows. Yesterday, I got an interesting take on the ever-present invoice maldocs campaign, this time it was spoofing a DocuSign email suggesting I had an invoice to sign.

ThreatSTOP recently had the ASN 64484 Jupiter 25 (also known as DMZHOST) brought to our attention as the source of some DDoS attacks. This AS is a fascinating one that has a single upstream (Quasi Networks – a hosting provider formerly and notoriously known as Ecatel) and announces just a single /24.

The single /24 is not, of itself, an indicator of badness. (ThreatSTOP’s AS also announces a single /24) However, it does suggest that the AS is not a major hosting provider since only about 250 separate unNATed hosts can be run on that network.

Recently, fellow researcher Vitali Kremez took a look at some new binaries from the Gamaredon Group. This is a Russian state-sponsored group that has been active since about 2013. The malware specifically is the Pteranodon implant, which provides a variety of functions such as remote command execution, downloading and executing other files, and collecting system data. It was the subject of a recent CERT UA blog post here (note: this site is in Ukrainian).

Image via Technology Times

In recent weeks, reports have emerged that various government entities have been the target of DNS hijacking attacks. These attacks would redirect those attempting to interact with legitimate government sites and instead send them to malicious infrastructure who could engage in phishing attacks, email theft, or a wide variety of misconduct.