Severity
Medium
Analysis Summary
An email campaign distributing malspam. A potential victim receives an email with a subject of “Order Inquiry”. The sender was observed as “Sales hofbraurestaurant[@]windstream[.]net”. Within the body of the email, the adversary attempts to entice a user to open the attachment “Order1002 Quotation.zip” to review the order. The infection process begins once the .zip attachment is opened and the malicious content executed, ultimately leading to the Orion keylogger being installed on the victim’s system. It is important to note that it appears the email service for “windstream.net” has been compromised, allowing the threat actor to pass through authentication checks.
Indicators of Compromise
IP(s) / Hostname(s)
URLs
Filename
Order1002 Quotation.zip
Email Address
hofbraurestaurant[@]windstream[.]net
Email Subject
Order Inquiry
Malware Hash (MD5/SHA1/SH256)
Remediation