Lipshitz said:
I should clarify. I see some guys that spam en masse from compromised boxes by hijacking a pre-existing conversation.
Here is an article explaining more:
https://www.hornetsecurity.com/en/security-information/email-conversation-thread-hijacking/
I think they are using a script or maybe certain botnets have this option, but it's super cool and I want to learn.
From the article: "An email thread hijacking attack begins when a first victim is compromised. Next, their emails and often email login credentials are stolen. The attackers will then reply to the victim’s emails with their malicious messages."
Like Emotet (mostly in the past, with Office macros): you infect the first machine, deploy the main payload, etc., and search for the email list in Outlook, for example.
From there you reply to email threads in the victim's logged-in email with a default subject and the malicious Office attachment.
The same logic applies to any payload or phishing: first machine > search for future targets > hijacked threads (trusted sender, higher click rate) > send > repeat.
Edited: Basically everything I said was already in the article, which I now see:
"The module steals emails and login credentials from victims and sends them to Emotet’s C2 servers, which distribute them to the systems of other victims infected with Emotet’s spam module, where they are used in attacks against new victims."
The article you posted already has the answer.
Last edited: 01.04.2023
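The pattern discussed in this thread (a reply inside an existing conversation, sent under a trusted correspondent's address but from unrelated infrastructure, carrying a macro-enabled Office attachment) leaves a detectable trace on the receiving side. The following is an added example, not code from this thread or from the linked article: it builds a constructed three-message thread and flags the hijacked reply; all addresses, domains and the `build`/`analyze` names are assumptions.

```python
from email import message_from_string, policy
from email.message import EmailMessage
MACRO_TYPES = {"application/vnd.ms-word.document.macroenabled.12",  # macro-enabled Office lures
               "application/vnd.ms-excel.sheet.macroenabled.12"}

def build(env_from, hdr_from, to, msgid, subject, body, in_reply_to=None, attachment=None):
    m = EmailMessage()  # constructs one sample RFC 5322 message (test data, not captured traffic)
    for name, value in [("Return-Path", f"<{env_from}>"), ("From", hdr_from), ("To", to),
                        ("Message-ID", msgid), ("Subject", subject), ("In-Reply-To", in_reply_to)]:
        if value:
            m[name] = value
    m.set_content(body)
    if attachment:  # a few placeholder bytes stand in for the document
        m.add_attachment(b"PK\x03\x04", maintype="application",
                         subtype="vnd.ms-word.document.macroEnabled.12", filename=attachment)
    return m.as_string()

def analyze(raw_messages):
    """Scan messages in arrival order; return {message-id: [reasons]} for suspect replies."""
    seen_ids, env_by_sender, flagged = set(), {}, {}
    for raw in raw_messages:
        msg = message_from_string(raw, policy=policy.default)
        mid, reasons = str(msg["Message-ID"]).strip("<> "), []
        sender = msg["From"].addresses[0].addr_spec.lower() if msg["From"] else ""
        env_dom = str(msg.get("Return-Path", "")).strip("<> ").rpartition("@")[2].lower()
        in_thread = str(msg.get("In-Reply-To", "")).strip("<> ") in seen_ids
        # Known correspondent in a known thread, but from envelope infrastructure never seen for them.
        if in_thread and sender in env_by_sender and env_dom not in env_by_sender[sender]:
            reasons.append(f"{sender} replied via new envelope domain {env_dom}")
        macro_files = [p.get_filename() for p in msg.iter_attachments()
                       if p.get_content_type() in MACRO_TYPES]
        if in_thread and macro_files:
            reasons.append(f"macro-enabled attachment in thread reply: {macro_files}")
        if reasons:
            flagged[mid] = reasons
        else:  # learn sender infrastructure only from messages that passed
            env_by_sender.setdefault(sender, set()).add(env_dom)
        seen_ids.add(mid)
    return flagged
# Constructed thread: two legitimate messages, then a reply that keeps the victim's From: and
# In-Reply-To: but arrives from an unrelated relay domain carrying a .docm lure.
SAMPLE_THREAD = [
    build("alice@example.org", "Alice <alice@example.org>", "bob@example.net",
          "<1@example.org>", "Q2 budget figures", "Bob, the numbers are in the body."),
    build("bob@example.net", "Bob <bob@example.net>", "alice@example.org",
          "<2@example.net>", "Re: Q2 budget figures", "Thanks, looks good.", "<1@example.org>"),
    build("zz9@relay-example.test", "Alice <alice@example.org>", "bob@example.net",
          "<3@relay-example.test>", "Re: Q2 budget figures", "Please see attached.",
          "<2@example.net>", "Q2_figures.docm"),
]
```

A correspondent who legitimately moves to a new mail provider also trips the envelope-domain rule, so treat the output as a triage signal to combine with attachment sandboxing rather than as a block decision.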