Share This with your friends and contacts. Help THEM to stay safe:
This blog will help keep you up to date with Security warnings, Phishing, Currently spreading Malware and Email spoofs, Windows updates and my general thoughts about the online world today and how to keep yourself safe online and not become a victim.
The majority of posts are about malware and phishing scams received via emails. Most people don't really want to know what the malware is that was attached to an email. They just want to know if it is good or bad. Everybody just looks at the email quickly, so it can be very hard to decide if it comes from a genuine sender or a scumbag trying to scam you, steal your money or infect you.
All you want to know quickly: Is the email likely to be safe or dangerous?
We try to post as many examples of currently spreading emails as quickly as we can to alert everybody to the latest fast spreading method of scamming or infecting you.
Are you frustrated with your computer?
Do you want to do this when the computer won't work properly?
Don't get all worked up, Don't panic, Don't get upset.
Do you have any problems with malware, viruses or trojans?
Is your computer plagued with pop ups?
Do you get diverted to wrong sites when searching?
For help with these and any malware related or other computer problems visit the computer help and malware cleaning forum: Techguy.org
You usually get infected because your security settings are too low or you blindly click yes to everything. This article will show you How to protect yourself, keep yourself safe online and tighten security.
Do you cyber-blab? Are you a compulsive Tweeter or Facebooker? Think carefully about what you post. A simple post about your daily visit to the local coffee shop could be enough to tell a burglar when it is safe to rob your house. Remember EVERYTHING on a Social Media site is public.
You can submit suspicious files and Web sites ( URLs) for examination and submission to Antivirus companies, Other Malware Researchers that I co-operate with and Phishing Block lists.
You can also upload copies of the email you received ( that helps to track down and report the sending email servers so they can be cleaned up )
One of the very popular methods of spreading malware and infecting you are emails with malformed or infected Word docs and Excel spreadsheets containing embedded malicious macros. Or Embedded OLE Objects. You only have to look through this blog to see hundreds of examples of emails with attachments using these malicious Office files
Share This with your friends and contacts. Help THEM to stay safe:
We see lots of phishing attempts for email credentials. This one is quite strange and weird, It pretends to be a message from Barclays Bank to update card details. I don’t know what is happening but several times I tried, I get redirected to the genuine Barclays Bank website. But from anyrun using MITM and sometimes from my home IP address in UK I can get sometimes get to the phishing site. https://barclays-form.icu/ This is a very complicated chain of events, I ran this through anyrun using several different settings and got different results many times. Anyrun reports:   …Continue reading →
It looks like we are seeing a few changes to the Remcos RAT install & persistence method. Over the last couple of weeks I have noticed a few tweaks to the persistence & auto start of several Remcos Rat versions. Today it has changed again to try to bypass protections. This all starts with the usual spam email, today’s ( or rather last night’s) was a fake invoice in a .iso / .img container. As you c an see from the virustotal reports .img containers are generally pretty poorly detected so are more likely to bypass perimeter defences. Once the …Continue reading →
We don’t see a lot of malware at weekends in UK, so it was a bit of a surprise to get a whole swathe on emails overnight pretending to be an invoice from indofuels. The keylogger and info / credential stealer the criminals are using this weekend is Keybase,. I personally haven’t seen keybase for a couple of years, although reports of sporadic campaigns & infected computers are seen occasionally with a slight resurgence over the last week or so. I thought keybase had effectively stopped being distributed or used a couple of years ago, when the original developer stopped …Continue reading →
It seems to be the week for harder to analyse & dodgy delivery systems that more carefully target specific countries / regions or even specific isps. Yesterday we saw a fake e-fax notification in German language that eventually led to a Buran ransomware. I couldn’t analyse that one properly or get the full payload, but with lots of help from many Twitter contacts, the ransomware payload was soon discovered, downloaded and submitted. Today I have received a fake TNT delivery / collection notice that has a link in the email body that downloads a zip file. Inside the zip is …Continue reading →
This is a strange & slightly more difficult than usual to analyse malware, mainly because the bad actor appears to have made a total mess of the distribution. I do not know if this will actually run on a proper computer, it obviously doesn’t like a sandbox / VM . The email was received with a .dat extension, which is what Outlook or the mail server often changes unknown extensions to. This dat file is actually a zip file. It does extract to a .pif and a jpg image file of an invoice. The pif is not a windows shortcut …Continue reading →
It looks like Friday the 13th is unlucky for this malware bad actor, trying to deliver yet another AgentTesla keylogger / info-stealer because as far as I can tell this malware chain is broken so the victim should not get the payload. WE still see loads of AgentTesla keylogger/ Info-stealer malware campaigns hitting the UK most days. Today is no exception with quite a few so far. I don’t always post them here, unless there is something slightly different or unusual about either the delivery method or the malware itself changes. I just submit to Antivirus companies & most times …Continue reading →
WE still see loads of AgentTesla keylogger/ Info-stealer malware campaigns hitting the UK most days. Today is no exception with quite a few so far. I don’t always post them here, unless there is something slightly different or unusual about either the delivery method or the malware itself changes. I just submit to Antivirus companies & most times tweet the details to other security researchers. Today’s other versions are tweeted Here & Here This version today is more noticeable and worth mentioning for several reasons. The alleged sender pricolcargo.com has appeared in the lists of spoofed companies for literally ages, …Continue reading →
WE still see loads of AgentTesla keylogger/ Info-stealer malware campaigns hitting the UK most days. I don’t often post them here, unless there is something slightly different or unusual about either the delivery method or the malware itself changes. I just submit to Antivirus companies & most times tweet the details to other security researchers. Today’s version is very slightly different and pretends to be a Bank Transfer Payment Notification allegedly coming from The Hongkong and Shanghai Banking Limited. The email is the usual junk email that should be blocked by most spam filters. The attachment is a .rar file …Continue reading →
I was extremely surprised to wake up this Sunday Morning to a whole slew of fake DHL delivery notice emails with a macro enabled word doc attachment that eventually downloads some sort of Keylogger. There is some dispute as to what the actual Keylogger is. Some AV on VirusTotal describe it as an AgentTesla generic, whereas Anyrun app calls it Sentinel. I don’t think either are 100% correct. DHL_FORM.doc Current Virus total detections: Anyrun | This malware doc downloads from https://heritagebank.ga/Quotation.exe ( Virustotal) which is behind cloudflare and also is a phishing site for the genuine heritage …Continue reading →
It has been very quiet with regards to malware in the UK for the last month or so. All I have been seeing has been the commodity malware like AgentTesla, Hawkeye & Lokibot that is frequently used by Skiddies and low grade bad actors who buy an off the shelf exploit kit and just fill in a few variables. These are so common that I haven’t bothered with them, except to submit any poorly detected samples to Antivirus companies. I have also been quite ill for the last month, so haven’t been able to do very much anyway, so the …Continue reading →