Category: macro virus | My Online Security

Fake Royal Bank of Canada RE: Instructions de transfert delivers Trickbot

Posted on 11 February 2019 11:33 pm by Myonlinesecurity11 February 2019 11:33 pm

This example is today’s latest spoof or imitation of a well-known company, bank or public authority delivering Trickbot banking Trojan. The email with the subject of “RE: Instructions de transfert ” pretends to come from RBC Royal Bank of Canada but actually comes from “3SERVICEGROUPMTL3@R0YALBANK.COM” which is a look-a-like, typo-squatted or other domain that can easily be misidentified, mistaken or confused with the genuine site. You need to look very carefully to see the 0 (zero) in the fake domain name instead of the O. It is slightly clearer in lowercase, but still close enough to confuse many recipients (r0yalbank.com.). … Continue reading →

trickbot via Fake Deloitte Canada Tax Billing

Posted on 6 February 2019 6:08 pm by Myonlinesecurity7 February 2019 5:30 am

This example is today’s latest spoof or imitation of a well-known company, bank or public authority delivering Trickbot banking Trojan. The email with the subject of “RE: Tax billing ” pretends to come from Deloitte but actually comes from “Pierre.Laporte@deloitte-canada.com” which is a look-a-like, typo-squatted or other domain that can easily be misidentified, mistaken or confused with the genuine site. These have a malicious office file attachment. Today they are using XLS Excel spreadsheet files. Deloitte has not been hacked or had their email or other servers compromised. They are not sending the emails to you. They are just innocent … Continue reading →

trickbot via fake Scotia Bank Incoming Wire Name and Account Mismatch

Posted on 5 February 2019 9:33 pm by Myonlinesecurity5 February 2019 9:33 pm

This example is today’s latest spoof or imitation of a well-known company, bank or public authority delivering Trickbot banking Trojan. The email with the subject of “ALERT – BB Wire: Extra Due Diligence* RE: Incoming Wire Name and Account Mismatch ” pretends to come from Scotia Bank but actually comes from “penny.tam@scotiabanksec.com” or “penny.tam@scotiabank-ses.com” both of which are look-a-like, typo-squatted or other domains that can easily be misidentified, mistaken or confused with the genuine site. These have a malicious office file attachment. Today they are using XLSM Excel spreadsheet files. Again these are targeted at North American recipients, primarily Canadian. … Continue reading →

Making it Bleeding Obvious

Posted on 5 February 2019 8:46 am by Myonlinesecurity5 February 2019 8:46 am

Some days we have lots of problems trying to decide what malware is being delivered. Today is an exception. The bad actor has made it bleeding obvious by his use of the file names & url paths. I suppose this semi-clueless Skiddie has purchased an off the shelf exploit kit and either can’t read instructions or doesn’t care enough to change the file names & url paths. So we definitely have Pony and probably an Azorult control panel. They are using email addresses and subjects that will scare or entice a user to read the email and open the attachment. A … Continue reading →

Malspam emails overnight Monday 4 February to Tuesday 5 February 2019

Posted on 5 February 2019 6:33 am by Myonlinesecurity5 February 2019 6:33 am

Continuing with the masses of different malspam emails arriving overnight to start off this Tuesday Morning 5th February 2019 with its usual early start while I am eating breakfast. They are all typical subjects & email content and all deliver various well known malware, using a variety of compressed (zip) files, some of which don’t natively extract on windows without special tools ( or are broken & misconfigured). and various office docs using macros or exploits. [1] salesmanlmtd@gmail.com Confirm availability with a word doc attachment Delivering Lokibot [2]Terrence Wong <twong@chemo.my> EURO CHEMO-PHARMA SDN BHD-PURCHASE ORDER Delivering Pony / Fareit [3] John … Continue reading →

Godaddy DNS system still compromised to deliver yet another Gandgrab Ransomware campaign

Posted on 2 February 2019 8:28 am by Myonlinesecurity3 February 2019 5:20 am 8

Last week we reported on a fairly large scale Gandcrab ransomware campaign that was assisted in delivery via a security hole in Godaddy (and almost certainly other major DNS providers). Some of the major tech sites reported on the DNS compromise with a message that Godaddy was aware of it & was “fixing” the problem. Well 10 days later it still isn’t fixed and the criminals are continuing to use the “exploit”, Misconfiguration, or security hole in Godaddy DNS system. Update 3 February 2019: I have heard back from a member of Godaddy Security team, who assures me the misconfiguration … Continue reading →

Trickbot with multiple changes via fake Chase JP Morgan incoming confirmation

Posted on 31 January 2019 5:42 am by Myonlinesecurity31 January 2019 5:42 am 1

Trickbot is back with a vengeance. I have seen a couple of mentions on Twitter earlier this week but haven’t actually been able to find any copies myself. However that all changed last night with several emails to various email addresses on my server. These are targeted at the USA rather than the UK, but I expect the UK targeting to resume very soon. In previous campaigns, I did often see USA appear 1 or 2 days before any UK campaigns. There are also some changes to the delivery method and the Trickbot binary & configs, that I will document … Continue reading →

Gandcrab 5.1 via Uр to date emergenсy exit maр malspam from Rosie L. Ashton

Posted on 23 January 2019 5:03 am by Myonlinesecurity24 January 2019 6:11 am 8

Last night we received several emails to various email addresses on this server using a template we first saw back in Early December 2018. They are still using Rosie L. Ashton as the sender. Then it delivered Ursnif banking trojan. Today it is delivering Gandcrab 5.1 ransomware. This might be a new / updated version of Gandcrab because I haven’t seen this particular ransomware note before ( but I don’t follow Gandcrab closely) or the file extension for the encrypted files “.IOAHHZNEW ” which contains a key & PC data in encrypted format, although the Tor address is well known http://gandcrabmfe6mnef.onion/5124d7737cd9e0e6 … Continue reading →

new Ransomware possibly criakl version

Posted on 24 December 2018 3:33 am by Myonlinesecurity24 December 2018 3:33 am

It looks like we have a new Ransomware spreading as a nice Christmas Present. This is being identified as Criakl by Anyrun , but if it is criakl, then it is a new version . Criakl was around in 2014 and has been seen sporadically since then, but hasn’t been an extremely active or well spread ransomware previously, particularly in the UK. I received 2 different emails overnight containing this ransomware both very similar and written in bad English or machine translated from a foreign language. These emails all come from admin@floraman.ru and pass all authentication checks SPF & DKIM so … Continue reading →

Password Protected word docs malware campaigns continue

Posted on 17 December 2018 7:30 am by Myonlinesecurity18 December 2018 4:45 am 2

I am seeing changes to the password protected word docs campaign we have been seeing for ages. I am not sure what malware payload we are getting today. It looks different to all the usual previous ones. Last week they changed from Nymaim to IceD. They frequently use some sort of ransomware. But This looks different again today. I am pretty sure it is IceD ( BOKBot) from the naming convention of the C2 URL, using .PW domains. However this is not a well known url to AV companies Normally the subjects are either Invoices or resumes / Job applications. … Continue reading →

My Online Security

Keep yourself safe online

Category Archives: macro virus