Category: macro virus | My Online Security

Fake DHL email delivers an unknown keylogger coupled with a phishing scam

Posted on 8 September 2019 10:33 am by Myonlinesecurity9 September 2019 7:15 am

I was extremely surprised to wake up this Sunday Morning to a whole slew of fake DHL delivery notice emails with a macro enabled word doc attachment that eventually downloads some sort of Keylogger. There is some dispute as to what the actual Keylogger is. Some AV on VirusTotal describe it as an AgentTesla generic, whereas Anyrun app calls it Sentinel. I don’t think either are 100% correct. DHL_FORM.doc Current Virus total detections: Anyrun | This malware doc downloads from https://heritagebank.ga/Quotation.exe ( Virustotal) which is behind cloudflare and also is a phishing site for the genuine heritage … Continue reading →

Fake order eventually drops Lokibot but something else happens

Posted on 10 July 2019 6:33 am by Myonlinesecurity10 July 2019 6:33 am

I am not entirely sure what the in initial binary download with this one is, but there are indications it might be Dark Comet RAT. What we do know is that it drops a Lokibot binary The word doc is actually a RTF file containing embedded ole objects. This appears to contain 5 identical ole objects that in turn drop an Excel macro enabled worksheet that when examined appears to be something to do with lottery numbers. I don’t know if this is some sort of red herring or someone in the masses of code ( which I have only … Continue reading →

More AgentTesla keylogger info-stealer campaigns hitting UK

Posted on 7 July 2019 6:54 am by Myonlinesecurity7 July 2019 6:54 am 1

We are still seeing continuous AgentTesla keylogger / Info-Stealer campaigns hitting the UK. We sill aren’t seeing a lot of other malware at the moment. I have received about 20 different versions over the last week that have all been nothing special, with no outstanding features worth mentioning, so I have just submitted to AV companies and tweeted details to other researchers. Today however we have received a slightly different email that is “interesting”. There appear to be some errors in the way the macros / embedded ole objects the bad actors have used to download / move or extract … Continue reading →

Lokibot via abusing the ngrok proxy service

Posted on 28 May 2019 5:55 am by Myonlinesecurity28 May 2019 5:55 am 1

It looks like one of the criminal gangs behind some of the Lokibot campaigns have found a way to serve their malware almost undetected or at least without any known host that can take down easily or be blocked. What they have done with this series of campaigns is abuse a new(ish) service NGROK which basically acts as a proxy, direct tunnel or VPN from the miscreant’s home computer or server that effectively puts the malware in the cloud & bypasses all firewalls etc. I can’t see anything in their TOS prohibiting malware, phishing, scams etc, just a general no … Continue reading →

Fake order delivering AveMaria stealer with difficult office doc.

Posted on 22 April 2019 1:59 pm by Myonlinesecurity23 April 2019 3:08 am 3

I had a bit of a problem trying to analyse this malware today. The word doc looks pretty average at first glance, but trying to run it in Anyrun on a W7 32 or 64 bit version of windows. gave me VBA errors. It also wouldn’t run on 64 bit versions of W8.1 or W10, giving the same VBA errors I then tried to upload to IRIS-H analysis where it crashed. It wouldn’t even upload to Hybrid analysis using either 32 bit W7 or 64 bit. I think Anyrun uses Office 2010 on W7 and Office 2013 on W8.1. I … Continue reading →

Trickbot via fake Efax message using Squiblydoo, Active X, macro and abusing pastebin

Posted on 20 March 2019 4:59 am by Myonlinesecurity20 March 2019 4:59 am

We are seeing massive changes with the Trickbot delivery campaign overnight. I have only seen 1 mention on Twitter about this campaign and 1 on a private malware research mailing list, so it can’t be affecting too many recipients. This example is today’s latest spoof or imitation of a well-known company, bank or public authority delivering Trickbot banking Trojan. The email with the subject of “You have a new eFax message! ” pretends to come from Efax but actually comes from “service@efax.delivery” which is a look-a-like, typo-squatted or other domain that can easily be misidentified, mistaken or confused with the … Continue reading →

Fake DHL Urgent Delivery notice delivers Gandcrab 5.2 ransomware

Posted on 15 March 2019 4:33 am by Myonlinesecurity15 March 2019 4:33 am 1

Yet another Gandcrab ransomware campaign. This time spoofing DHL Express with a fake delivery notification email. This delivers Gandcrab 5.2 ransomware that currently does not have free decryption available yet. This bad actor is getting a bit lazy and has reused the same word template that we saw earlier in the week with the CDC version to deliver the malware. All they have done is changed the file download url in the macro. It is highly likely that they are using an off the shelf exploit kit, rather than actually creating the docs themselves. However they are using different sending … Continue reading →

Fake CDC Flu Pandemic Warning delivers Gandcrab 5.2 ransomware

Posted on 13 March 2019 5:12 am by Myonlinesecurity13 March 2019 5:12 am 7

A somewhat interesting and slightly alarming malware campaign, spreading worldwide but supposed to be targeting the USA that pretends to be an urgent message from the CDC ( Centre for Disease Control ) warning about a flu outbreak. This delivers Gandcrab 5.2 ransomware that currently does not have free decryption available yet. They are using email addresses and subjects that will scare, shock, persuade or entice a recipient to read the email and open the attachment. Remember many email clients or webmail services, especially on a mobile phone or tablet, only show the Name in the From: and not the … Continue reading →

Fake Paychex Tax verification documents delivers Trickbot

Posted on 7 March 2019 8:25 pm by Myonlinesecurity7 March 2019 8:25 pm

There are still using this new version of the Trickbot delivery system where Bitsadmin is used to download the payload in small sections to a victims computer where it is all joined together to make 1 file. This example is today’s latest spoof or imitation of a well-known company, bank or public authority delivering Trickbot banking Trojan. The email with the subject of “RE: Tax verification documents ” pretends to come from Paychex but actually comes from “J.Clark@paychex.email” which is a look-a-like, typo-squatted or other domain that can easily be misidentified, mistaken or confused with the genuine site. These have … Continue reading →

Fake Dun & Bradstreet Company Complaint delivers Trickbot

Posted on 6 March 2019 6:56 pm by Myonlinesecurity6 March 2019 6:56 pm

Continuing with the recent changes to the Trickbot delivery system and possibly the payloads and configs today. This example is today’s latest spoof or imitation of a well-known company, bank or public authority delivering Trickbot banking Trojan. The email with the subject of ” FW: Company Complaint #DNBC920201TF” pretends to come from Dun & Bradstreet but actually comes from “service@dnbcomplaint.com” which is a look-a-like, typo-squatted or other domain that can easily be misidentified, mistaken or confused with the genuine site. These have a malicious office file attachment. Today they are using macro enabled word docs that fire off on both … Continue reading →

My Online Security

Keep yourself safe online

Category Archives: macro virus