This blog will help keep you up to date with security warnings, phishing, currently spreading malware and email spoofs, Windows updates, and my general thoughts about the online world today: how to keep yourself safe online and not become a victim.
The majority of posts are about malware and phishing scams received via email. Most people don't really want to know what the malware attached to an email is; they just want to know whether it is good or bad. Everybody looks at an email quickly, so it can be very hard to decide whether it comes from a genuine sender or from a scumbag trying to scam you, steal your money or infect you.
All you want to know, quickly, is: is this email likely to be safe or dangerous?
We try to post as many examples of currently spreading emails as quickly as we can, to alert everybody to the latest fast-spreading methods of scamming or infecting you.
Are you frustrated with your computer? Does it refuse to work properly? Don't get all worked up, don't panic, don't get upset.
Do you have problems with malware, viruses or trojans? Is your computer plagued with pop-ups? Do you get diverted to the wrong sites when searching?
For help with these and any other malware-related or computer problems, visit the computer help and malware cleaning forum: Techguy.org
You usually get infected because your security settings are too low or because you blindly click Yes to everything. This article shows you how to protect yourself, keep yourself safe online and tighten security.
Do you cyber-blab? Are you a compulsive Tweeter or Facebooker? Think carefully about what you post. A simple post about your daily visit to the local coffee shop could be enough to tell a burglar when it is safe to rob your house. Remember: treat EVERYTHING you put on a social media site as public, whatever the privacy settings say.
You can submit suspicious files and web sites (URLs) for examination and for forwarding to antivirus companies, to other malware researchers I co-operate with, and to phishing block lists.
You can also upload copies of the emails you received, complete with their headers; that helps to track down and report the sending mail servers so they can be cleaned up.
One of the most popular methods of spreading malware and infecting you is email carrying malformed or infected Word documents and Excel spreadsheets that contain embedded malicious macros or embedded OLE objects. You only have to look through this blog to see hundreds of examples of emails with attachments using these malicious Office files.
I have seen some pretty lame malware campaigns over time, but this one must rank as one of the lamest. Whichever bad actor is sending these needs to step up his game. He is using CSV attachments that will open in Excel or any other spreadsheet program. He is trying to use the Excel DDE "feature" to download and run the NanoCore payload. This is one of the simplest and most basic files I have seen in a long time. It is all plain text and opens in Notepad, so you can read it. Using the DDE feature pops …
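Because a CSV is plain text, the DDE trick is easy to check for before the file ever reaches a spreadsheet. The following is an added example, not code from the blog or from the campaign it describes: it flags any cell that Excel would treat as a formula (a leading =, +, - or @) and separately any cell in the DDE link shape program|'topic'!item or the DDE()/DDEAUTO() function form, then shows the usual defang (a leading apostrophe so Excel stores the cell as text). The sample CSV is constructed for the demonstration; the DDE cell uses the well-known =cmd|'...'!A0 shape with a harmless command. Plain numbers such as -250.00 start with a formula leader but are skipped, which is the main false positive on real invoice data.

```python
"""Flag CSV cells that Excel would evaluate as formulas or DDE links (added example, not the blog's code)."""
import csv
import io
import re

# Excel treats a cell beginning with any of these as a formula, even in a plain-text CSV.
FORMULA_LEADERS = ("=", "+", "-", "@")

# DDE link shape: <leader><program>|'<topic>'!<item>, plus the DDE()/DDEAUTO() function forms.
DDE_RE = re.compile(r"(?i)^\s*[=+\-@]\s*\w+\s*\|.*!|\bDDE(?:AUTO)?\s*\(")


def cell_findings(value: str) -> list:
    """Return the indicators found in one cell (empty list when it looks benign)."""
    stripped = value.lstrip()
    try:
        float(stripped)  # plain numbers such as -250.00 start with a leader but are harmless
        return []
    except ValueError:
        pass
    findings = []
    if stripped[:1] in FORMULA_LEADERS:
        findings.append("formula-leader")
    if DDE_RE.search(value):
        findings.append("dde")
    return findings


def scan_csv(text: str) -> list:
    """Return (row, column, cell, findings) for every suspicious cell in the CSV text."""
    hits = []
    for row_no, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        for col_no, cell in enumerate(row, start=1):
            findings = cell_findings(cell)
            if findings:
                hits.append((row_no, col_no, cell, findings))
    return hits


def neutralise(value: str) -> str:
    """Defang a cell for safe import: a leading apostrophe makes Excel store it as text."""
    return "'" + value if cell_findings(value) else value


# Constructed sample: a fake "invoice" CSV with one DDE cell and one ordinary formula.
SAMPLE_CSV = (
    "Invoice,Amount,Note\n"
    "INV-1001,-250.00,paid\n"
    "INV-1002,1200.50,\"=cmd|'/c calc.exe'!A0\"\n"
    "INV-1003,30,=1+1\n"
)

if __name__ == "__main__":
    for row_no, col_no, cell, findings in scan_csv(SAMPLE_CSV):
        print(f"row {row_no} col {col_no}: {findings} -> {cell!r}")
```

Run it against a received attachment with scan_csv(open(path, encoding="utf-8", errors="replace").read()); anything reported as "dde" is worth submitting, anything reported only as "formula-leader" still deserves a look, since a CSV has no business carrying formulas at all.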
Following on from today's earlier Formbook campaign using exploits in RTF files, we are now seeing another campaign that appears to come from the same bad actors, using .exe files disguised as a .bat file inside a zip. The email pretends to be a Statement of Account with 2 outstanding invoices for hundreds of thousands of USD. They use email addresses and subjects that will shock, scare or entice a user into reading the email and opening the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better …
I can't remember previously seeing a malware delivery campaign using a malformed, malicious RTF file like this one. It definitely is using one of the multiple Equation Editor exploits. There is some dispute on VirusTotal whether it is CVE-2017-11882 or CVE-2018-0802, or even whether it is a new exploit. It definitely involves embedded OLE objects being extracted and dropped from the RTF file. The RTF header / control word is somewhat different from usual and starts with \rtfSP\ whereas we normally see \rtf\, \rtf0\ or \rtf1\ in the majority of malicious RTF files. I am not exactly sure what \rtfSP\ means …
I was sent these 2 emails via the malware submission system on this site: 2 different emails coming from different senders, imitating or spoofing different companies. Both have ISO attachments that extract to .exe files trying to pretend to be a PDF. These were sent to a German recipient. You can now submit suspicious sites, emails and files via our Submissions system. Neither of the alleged senders was hacked or had their email or other servers compromised. They are not sending the emails to you. They are just innocent victims, in exactly the same way as every recipient of these …
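Both of these campaigns, the .exe named as a .bat inside a zip and the .exe pretending to be a PDF inside an ISO, rely on the recipient trusting the file name rather than the file. The following added example (mine, not the blog's or any tool's code) makes the comparison explicit: it reads only the first bytes of each zip member, identifies the real type from its magic bytes, and reports a PE body under a non-PE extension, an executable extension, and a double extension such as .pdf.exe. The zip it inspects is constructed in memory for the demonstration. The same assess() check works on files extracted from a mounted ISO, which the standard library cannot open directly.

```python
"""Compare what a zip member claims to be (extension) with what it is (magic bytes). Added example."""
import io
import os
import zipfile

# Leading bytes of the file types these campaigns play with.
MAGIC = [
    (b"MZ", "pe"),
    (b"%PDF", "pdf"),
    (b"PK\x03\x04", "zip"),
    (b"{\\rtf", "rtf"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),
]
# Extensions Windows will execute or hand to a script host on double-click.
EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs", "vbe", "wsf", "hta", "ps1"}
# Extensions a PE body could legitimately carry.
PE_EXTS = {"exe", "dll", "scr", "sys", "com"}


def sniff(head: bytes) -> str:
    """Identify a file from its first bytes; 'unknown' when nothing matches."""
    for magic, kind in MAGIC:
        if head.startswith(magic):
            return kind
    return "unknown"


def assess(name: str, head: bytes) -> dict:
    """Return the sniffed type and the findings for one file name plus its first bytes."""
    base = os.path.basename(name.replace("\\", "/")).lower()
    exts = base.split(".")[1:]
    final = exts[-1] if exts else ""
    kind = sniff(head)
    findings = []
    if kind == "pe" and final not in PE_EXTS:
        findings.append(f"PE body with .{final or '(none)'} extension")
    if final in EXEC_EXTS:
        findings.append("executable extension")
    if len(exts) >= 2 and final in EXEC_EXTS:
        findings.append("double extension")
    return {"name": name, "kind": kind, "findings": findings}


def assess_zip(data: bytes) -> list:
    """Assess every member of a zip held in memory, reading only the first 16 bytes of each."""
    results = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(16)
            results.append(assess(info.filename, head))
    return results


def build_sample_zip() -> bytes:
    """Constructed sample: a PE stub named .bat, a PE stub named .pdf.exe and a harmless text file."""
    pe_stub = b"MZ" + b"\x90" * 62  # only the DOS magic matters for this check
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Statement of Account.bat", pe_stub)
        zf.writestr("Invoice_2019.pdf.exe", pe_stub)
        zf.writestr("readme.txt", b"Please find attached")
    return buf.getvalue()


if __name__ == "__main__":
    for result in assess_zip(build_sample_zip()):
        print(result)
```

Feed a real attachment in with assess_zip(open(path, "rb").read()). Reading only the first 16 bytes of each member keeps the check cheap even on large archives, and because nothing is extracted to disk the payload never gets a file name Windows could act on.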
Following on from this post from last week, we are seeing another campaign that looks like Hawkeye or Agent Tesla keylogger, using identical methods. All the same sites and hosting companies are involved, with the same possibility of the DNS on GoDaddy being compromised to allow this scummy domain to work. In exactly the same way as I saw last week, the email body content on the mail server is different from the body content in the email when it is delivered to the prospective victim. Once again the XLS file attachment uses CVE-2017-11882 to download the Hawkeye or Agent Tesla …
Following on from my slightly earlier post about Lokibot, this is yet another version, with 2 XLS spreadsheet attachments coming in a fake "Overdue Invoices November – December 2018" email. This version uses CVE-2017-11882, or is trying to, but only 1 of the attachments actually worked properly in Anyrun to download and deliver the payload. I don't know what is wrong with the other version; it looks just about identical, although it has a slightly different file size. Both copies display a multi-page spreadsheet pretending to be a shipping quotation / invoice from Maersk shipping lines. This one actually arrived earlier …
A slightly different Lokibot campaign this morning. The email is nothing special, with a typical subject of CONFIRM OVERDUE INVOICE, coming from various email addresses including what is likely to be either a compromised or fraudulently set up email account in Taiwan and a fake, spoofed Apple email address that was also likely used for a previous phishing scam. The body content spoofs a Thailand company, which might or might not exist, with an email address and web link to a different Philippines company. There are 2 different-sized attachments to the email; both are renamed RTF files containing multiple embedded …
We see lots of phishing attempts for banking credentials. This is a new entry to the lists. We normally see the traditional banks being used in this sort of phishing scam / identity theft in the UK on an almost hourly basis; I probably see 20 or 30 every day. However, lots of people are now starting to use the new fintech services, which are online only. There are hundreds of these new services and no one can keep up with them. Some of the names of these new services are completely weird and don't sound like a bank …
I am seeing a bit of a change today from the scumbags who are distributing the Hawkeye keylogger trojan. The email template is a typical fake Purchase Order with a malicious Word doc attachment. The Word doc is actually an RTF that uses the CVE-2017-11882 Equation Editor exploit. Where the change comes in is the obfuscation or encoding of the RTF file, which makes analysis slightly more complicated and is intended to bypass existing detections from antiviruses and network perimeter defences. This malicious RTF / Word doc has 87 pages of pure garbage displayed. The first page is blank, then dozens of …
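The two RTF observations above, the odd \rtfSP header and the obfuscated hex around the embedded objects, are both things a triage script can check in seconds. The following added example (mine, not the blog's code or any existing tool) reads the header control word and flags anything other than \rtf, \rtf0 or \rtf1; then walks every \objdata group keeping only the hex digits inside it, skipping control words such as a stray \par so their letters are not read as hex and ignoring nested groups, which is exactly the padding obfuscated samples add; and finally looks in each decoded object for the Equation Editor 3.0 class name "Equation.3" or its CLSID {0002CE02-0000-0000-C000-000000000046} in on-disk byte order. The sample RTF is constructed for the demonstration: an OLE1-style object header naming Equation.3, hex-encoded and then broken up with a newline, a \par and spaces. It does not reproduce any exploit; a real sample would carry the whole compound file after that header.

```python
"""RTF triage: header control word, \\objdata extraction, Equation Editor indicators. Added example."""
import binascii
import re

USUAL_HEADERS = {"rtf", "rtf0", "rtf1"}
HEADER_RE = re.compile(rb"^\{\\(rtf\w*)")
OBJDATA_RE = re.compile(rb"\\objdata\b")
HEX_DIGITS = b"0123456789abcdefABCDEF"

# Equation Editor 3.0 class name, and its CLSID {0002CE02-0000-0000-C000-000000000046} as stored on disk.
EQNEDT_INDICATORS = [b"Equation.3", bytes.fromhex("02ce020000000000c000000000000046")]


def header_word(data: bytes):
    """The control word that opens the file ('rtf1', 'rtfSP', ...), or None if it is not an RTF."""
    m = HEADER_RE.match(data)
    return m.group(1).decode("ascii", "replace") if m else None


def extract_objdata(data: bytes) -> list:
    """Decode every \\objdata hex group into bytes, tolerating whitespace, stray control words and nesting."""
    blobs = []
    for m in OBJDATA_RE.finditer(data):
        depth, i, hexchars = 1, m.end(), bytearray()
        while i < len(data) and depth > 0:
            c = data[i:i + 1]
            if c == b"\\":
                # skip a control word (\letters, optional -digits) so its letters are never read as hex
                j = i + 1
                while j < len(data) and data[j:j + 1].isalpha():
                    j += 1
                if j < len(data) and data[j:j + 1] == b"-":
                    j += 1
                while j < len(data) and data[j:j + 1].isdigit():
                    j += 1
                i = max(j, i + 2)  # control symbols such as \* or \' are two characters long
                continue
            if c == b"{":
                depth += 1
            elif c == b"}":
                depth -= 1
            elif depth == 1 and c in HEX_DIGITS:
                hexchars += c
            i += 1
        blobs.append(binascii.unhexlify(bytes(hexchars[: len(hexchars) // 2 * 2])))
    return blobs


def triage(data: bytes) -> dict:
    """Summarise one RTF: header, whether it is unusual, object count/sizes, Equation Editor present."""
    header = header_word(data)
    blobs = extract_objdata(data)
    return {
        "header": header,
        "unusual_header": header is not None and header not in USUAL_HEADERS,
        "objects": len(blobs),
        "object_sizes": [len(b) for b in blobs],
        "equation_editor": any(ind in blob for blob in blobs for ind in EQNEDT_INDICATORS),
    }


# Constructed sample object: OLE1-style header (version, format id, length-prefixed class name).
SAMPLE_OBJ = b"\x01\x05\x00\x00\x02\x00\x00\x00\x0b\x00\x00\x00Equation.3\x00"
SAMPLE_HEX = binascii.hexlify(SAMPLE_OBJ)
# Obfuscated the way the blog describes: the hex run is split by a newline, a stray \par and spaces.
SAMPLE_HEX_OBF = SAMPLE_HEX[:8] + b"\n\\par " + SAMPLE_HEX[8:20] + b"  " + SAMPLE_HEX[20:]
SAMPLE_RTF = (
    b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objclass Equation.3}{\\*\\objdata "
    + SAMPLE_HEX_OBF
    + b"}}\\par}"
)

if __name__ == "__main__":
    print(triage(SAMPLE_RTF))
    print(triage(b"{\\rtfSP\\ansi nothing embedded}"))
```

For a file from the wild use triage(open(path, "rb").read()) and write each blob returned by extract_objdata() out for further inspection; a large object that contains the Equation.3 name or CLSID is the thing to submit, whatever the 87 pages of garbage on screen say.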
A slightly different malware than usual to report on this morning. I haven't previously seen an out-and-out destructive malware like this sent in mass malspam for many years. It must be intended to act as some sort of ransomware, but there is no ransom note or instruction. It initially copies itself to C:\Users\admin\AppData\Roaming\Paint.exe and then sets a startup entry for that file. Then it searches for and finds any .exe files, initially in the Downloads folder or Desktop, renames them to voriginalfilename.exe and copies itself to the original filename, so that it runs when that file is opened by the victim. …
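The rename-and-replace behaviour described above leaves a distinctive pattern on disk: every replaced program sits beside a v-prefixed copy of the original, and every replaced <name>.exe is byte-for-byte the same file (the dropper). The following added example (mine, not the blog's code or a sample of the malware) hunts for that pattern on a directory tree, groups the suspect files by SHA-256 so that a hash shared across several pairs stands out, and produces a restore plan that moves each v<name>.exe back over its replaced twin once the dropper hash is confirmed. The file layout it runs against is constructed in a temporary directory for the demonstration, with tiny MZ stubs standing in for real executables; nothing is written to AppData or any startup location.

```python
"""Hunt for the <name>.exe / v<name>.exe swap pattern and group the swapped files by hash. Added example."""
import hashlib
import os
import tempfile


def sha256(path: str) -> str:
    """SHA-256 of a file, read in chunks so large executables do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_swapped_exes(root: str) -> dict:
    """Map sha256 -> [(suspect_exe, vcopy)] for every <name>.exe that has a v<name>.exe beside it.

    The dropper writes itself over each original and keeps the original as v<name>.exe,
    so every replaced <name>.exe carries the same hash: a group with several entries is
    the strong signal, and the v-prefixed file in each pair is the untouched original.
    """
    groups = {}
    for dirpath, _, files in os.walk(root):
        by_lower = {f.lower(): f for f in files}  # Windows names are case-insensitive
        for f in files:
            low = f.lower()
            vcopy = by_lower.get("v" + low)
            if low.endswith(".exe") and vcopy is not None:
                suspect = os.path.join(dirpath, f)
                groups.setdefault(sha256(suspect), []).append((suspect, os.path.join(dirpath, vcopy)))
    return groups


def summarise(groups: dict) -> dict:
    """sha256 -> sorted base names of the suspect files sharing that hash, for a quick report."""
    return {h: sorted(os.path.basename(s) for s, _ in pairs) for h, pairs in groups.items()}


def restore_plan(groups: dict, dropper_sha256: str) -> list:
    """(quarantine_this, original_copy, restore_to) for each pair whose suspect matches the dropper hash."""
    return [(suspect, vcopy, suspect) for suspect, vcopy in groups.get(dropper_sha256, [])]


def build_sample_tree() -> str:
    """Constructed sample: two swapped pairs, one untouched exe, and a v-named decoy with no twin."""
    root = tempfile.mkdtemp(prefix="swapdemo_")
    stub = b"MZ" + b"\x00" * 30
    layout = {
        "Downloads/setup.exe": stub + b"dropper",
        "Downloads/vsetup.exe": stub + b"real setup",
        "Desktop/game.exe": stub + b"dropper",
        "Desktop/vgame.exe": stub + b"real game",
        "Desktop/notes.exe": stub + b"lonely",
        "Desktop/vlc.exe": stub + b"vlc",  # starts with 'v' but there is no lc.exe beside it
    }
    for rel, content in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    groups = find_swapped_exes(build_sample_tree())
    for digest, names in summarise(groups).items():
        print(digest[:16], names)
```

Point find_swapped_exes() at the user profile on a machine you suspect; a single pair is weak evidence (a vendor can ship vfoo.exe next to foo.exe), but several pairs whose suspect files hash identically is the signature the post describes, and that shared hash is the one to compare against the Paint.exe copy in AppData before restoring anything.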