Article Blog Image

Targeted phishing past defender

Network Monitoring

Incident with unknown and undetected malware

Responding to an alert at one of our customers we came across the following incident.

The customer was phished with a seemingly targetted phishing attack back in late April through the site diymania[.]eu (behind cloudflare) (URL: hxxp://diymania[.]eu/hvilke-fordele-er-der-ved-bredygtig-energi.html (dead now)). The original link was most probably delivered through a mail to the user (not recovered).

Article Blog Image

Only a single client machine was affected. The language of the page seems to have been Danish, so rather specific. The topic on the page was energy related. The client was a Win10 machine using Edge. It was fully updated and running Defender.

The site references /wp-content/qilil.js that does some random behavior obfuscation and then loads javascript from arendatdsinojosa[.]info.

Article Blog Image

Looking at the network traffic from the machine in the seconds after the initial access we can see access to both http and ssl sites. The QUIC connections seems unrelated.

Article Blog Image

These connections looked unusual. Some of them are flagged as DGA-domains in AlienVaults OTX. (ignore the interleaved microsoft domains)

Article Blog Image

The only domain known for malicious behavior seems to be rockstorageplace[.]com, but that only seems to be present in commercial CTI lists.


Signature based detections has shortcomings that matter in real scenarios. Depending only on prevention through an EDR like Defender is not enough in a modern attack scenario. Detection and response are needed to handle the incidents getting past the traditional preventive measures.


  • diymania\[.\]eu
  • arendatdsinojosa\[.\]info
  • ehsugtomol\[.\]cf
  • sdfswt.rightarrangemade\[.\]xyz
  • rockstorageplace\[.\]com

  • Author: Rasmus Have

    Co-founder and IT-security specialist at Derant Rasmus has 20+ years of experience doing operational blue- and red-team work in various organisations.