Category: macro virus | My Online Security

Lokibot via abusing the ngrok proxy service

Posted on 28 May 2019 5:55 am by Myonlinesecurity28 May 2019 5:55 am 1

It looks like one of the criminal gangs behind some of the Lokibot campaigns have found a way to serve their malware almost undetected or at least without any known host that can take down easily or be blocked. What they have done with this series of campaigns is abuse a new(ish) service NGROK which basically acts as a proxy, direct tunnel or VPN from the miscreant’s home computer or server that effectively puts the malware in the cloud & bypasses all firewalls etc. I can’t see anything in their TOS prohibiting malware, phishing, scams etc, just a general no … Continue reading →

Fake order delivering AveMaria stealer with difficult office doc.

Posted on 22 April 2019 1:59 pm by Myonlinesecurity23 April 2019 3:08 am 3

I had a bit of a problem trying to analyse this malware today. The word doc looks pretty average at first glance, but trying to run it in Anyrun on a W7 32 or 64 bit version of windows. gave me VBA errors. It also wouldn’t run on 64 bit versions of W8.1 or W10, giving the same VBA errors I then tried to upload to IRIS-H analysis where it crashed. It wouldn’t even upload to Hybrid analysis using either 32 bit W7 or 64 bit. I think Anyrun uses Office 2010 on W7 and Office 2013 on W8.1. I … Continue reading →

Trickbot via fake Efax message using Squiblydoo, Active X, macro and abusing pastebin

Posted on 20 March 2019 4:59 am by Myonlinesecurity20 March 2019 4:59 am

We are seeing massive changes with the Trickbot delivery campaign overnight. I have only seen 1 mention on Twitter about this campaign and 1 on a private malware research mailing list, so it can’t be affecting too many recipients. This example is today’s latest spoof or imitation of a well-known company, bank or public authority delivering Trickbot banking Trojan. The email with the subject of “You have a new eFax message! ” pretends to come from Efax but actually comes from “service@efax.delivery” which is a look-a-like, typo-squatted or other domain that can easily be misidentified, mistaken or confused with the … Continue reading →

Fake DHL Urgent Delivery notice delivers Gandcrab 5.2 ransomware

Posted on 15 March 2019 4:33 am by Myonlinesecurity15 March 2019 4:33 am 1

Yet another Gandcrab ransomware campaign. This time spoofing DHL Express with a fake delivery notification email. This delivers Gandcrab 5.2 ransomware that currently does not have free decryption available yet. This bad actor is getting a bit lazy and has reused the same word template that we saw earlier in the week with the CDC version to deliver the malware. All they have done is changed the file download url in the macro. It is highly likely that they are using an off the shelf exploit kit, rather than actually creating the docs themselves. However they are using different sending … Continue reading →

Fake CDC Flu Pandemic Warning delivers Gandcrab 5.2 ransomware

Posted on 13 March 2019 5:12 am by Myonlinesecurity13 March 2019 5:12 am 6

A somewhat interesting and slightly alarming malware campaign, spreading worldwide but supposed to be targeting the USA that pretends to be an urgent message from the CDC ( Centre for Disease Control ) warning about a flu outbreak. This delivers Gandcrab 5.2 ransomware that currently does not have free decryption available yet. They are using email addresses and subjects that will scare, shock, persuade or entice a recipient to read the email and open the attachment. Remember many email clients or webmail services, especially on a mobile phone or tablet, only show the Name in the From: and not the … Continue reading →

Fake Paychex Tax verification documents delivers Trickbot

Posted on 7 March 2019 8:25 pm by Myonlinesecurity7 March 2019 8:25 pm

There are still using this new version of the Trickbot delivery system where Bitsadmin is used to download the payload in small sections to a victims computer where it is all joined together to make 1 file. This example is today’s latest spoof or imitation of a well-known company, bank or public authority delivering Trickbot banking Trojan. The email with the subject of “RE: Tax verification documents ” pretends to come from Paychex but actually comes from “J.Clark@paychex.email” which is a look-a-like, typo-squatted or other domain that can easily be misidentified, mistaken or confused with the genuine site. These have … Continue reading →

Fake Dun & Bradstreet Company Complaint delivers Trickbot

Posted on 6 March 2019 6:56 pm by Myonlinesecurity6 March 2019 6:56 pm

Continuing with the recent changes to the Trickbot delivery system and possibly the payloads and configs today. This example is today’s latest spoof or imitation of a well-known company, bank or public authority delivering Trickbot banking Trojan. The email with the subject of ” FW: Company Complaint #DNBC920201TF” pretends to come from Dun & Bradstreet but actually comes from “service@dnbcomplaint.com” which is a look-a-like, typo-squatted or other domain that can easily be misidentified, mistaken or confused with the genuine site. These have a malicious office file attachment. Today they are using macro enabled word docs that fire off on both … Continue reading →

Fake ADP Tax Billing Records delivers Trickbot

Posted on 5 March 2019 4:10 am by Myonlinesecurity5 March 2019 4:10 am

There are lots of changes to the Trickbot delivery system and possibly the payloads and configs today. This example is today’s latest spoof or imitation of a well-known company, bank or public authority delivering Trickbot banking Trojan. The email with the subject of “FW: CASE #90ADP28TEFT – tax billing records” pretends to come from ADP but actually comes from “noreply@adpnote.com” which is a look-a-like, typo-squatted or other domain that can easily be misidentified, mistaken or confused with the genuine site. These have a malicious office file attachment. Today they are using macro enabled XLS Excel spreadsheet files. These are primarily … Continue reading →

Fake Royal Bank of Canada Payment Receipt Advise/Avis de Reception de paiement delivers Trickbot

Posted on 27 February 2019 6:17 pm by Myonlinesecurity27 February 2019 6:17 pm 2

This example is today’s latest spoof or imitation of a well-known company, bank or public authority delivering Trickbot banking Trojan. The email with the subject of “Payment Receipt Advise/Avis de Reception de paiement” pretends to come from RBC Royal Bank of Canada but actually comes from “noreply@achaft-rbc.com” which is a look-a-like, typo-squatted or other domain that can easily be misidentified, mistaken or confused with the genuine site. Today they are using XLSM Excel spreadsheet files. RBC Banque Royale, Banque Royale du Canada, Royal Bank of Canada has not been hacked or had their email or other servers compromised. They are not … Continue reading →

Fake TD Bank Secure Mail delivers Trickbot

Posted on 27 February 2019 5:38 am by Myonlinesecurity27 February 2019 5:38 am

This example is today’s latest spoof or imitation of a well-known company, bank or public authority delivering Trickbot banking Trojan. The email with the subject of “TD Bank Secure Mail ” pretends to come from TD Bank, but actually comes from “service@securemail-td.com” which is a look-a-like, typo-squatted or other domain that can easily be misidentified, mistaken or confused with the genuine site. These all have a link to download the malicious file from a remote website with another very similar domain name. This came in last night at about 6pm UTC but I wasn’t around to look at it. By … Continue reading →

My Online Security

Keep yourself safe online

Category Archives: macro virus