Category: macro virus | My Online Security

False Invoice Due email with password protected attachment delivers malware

Posted on 17 August 2018 6:25 am by Myonlinesecurity17 August 2018 6:25 am

This generic email with the subject of “Invoice Due” coming from help@simplexhealthcare.info with a malicious password protected word doc attachment does eventually deliver some sort of malware. Recently password protected word docs have been delivering some sort of Ransomware frequently Hermes Ransomware via Azorult intermediate download. This is probably Azorult on the first stage, based on the file name azo.exe but I can’t see any encryption happening using the online sandboxes. It probably is Hermes ransomware based on the file names. These criminals don’t tend to be very original. The details in this campaign do match the details shown in this … Continue reading →

Fake HMRC “Submission 5DW8 F36N MG2A 9HJ not processed ” delivers trickbot

Posted on 15 August 2018 3:10 pm by Myonlinesecurity15 August 2018 3:10 pm

Today’s Trickbot campaign is a pretty lame example from this prolific malware gang. The email containing the subject of “Submission 5DW8 F36N MG2A 9HJ not processed ” pretending to come from noreply.taxreg@notifications.hmrc.gov.uk but actually coming from “noreply.taxreg@notification-hmrc-gov.uk” which is a look-a-like, typo-squatted or other domain that can easily be misidentified, mistaken or confused with the genuine site, containing a malicious word doc attachment is today’s latest spoof of a well-known company, bank or public authority delivering Trickbot banking Trojan. The email is very badly done and doesn’t look anything like a genuine HMRC email and definitely is not up to the … Continue reading →

Fake “You have received a Secure Doc message from Citi Secure Email Server” delivers Trickbot

Posted on 14 August 2018 7:48 pm by Myonlinesecurity14 August 2018 7:48 pm

This example is an email containing the subject of ” You have received a Secure Doc message from Citi Secure Email Server ” pretending to come from Citi Group but actually coming from “noreply@securemailcenter-citigroup.com” which is a look-a-like, typo-squatted or other domain that can easily be misidentified, mistaken or confused with the genuine site, with a malicious word doc attachment is today’s latest spoof of a well-known company, bank or public authority delivering Trickbot banking Trojan. As in today’s earlier example of Trickbot targeting the UK, this also copies the system default PowerShell files to the user temp folder and runs it from … Continue reading →

Fake “Scanned from a Xerox Multifunction Printer ” delivers Trickbot

Posted on 14 August 2018 12:18 pm by Myonlinesecurity14 August 2018 12:18 pm 2

Yet another change to the Trickbot Banking Trojan distribution system again today. Today the Trickbot gang are pretending that a scanner or multifunction device is emailing you a scanned document. We used to see this lure all the time from other malware distribution services, but they generally pretended that the email was coming from a device on your network, not a remote server like this example of Trickbot banking Trojan. This example is an email containing the subject of “Scanned from a Xerox Multifunction Printer ” pretending to come from Xerox Device but actually coming from “service@scandevice.uk” which is a look-a-like, typo-squatted or … Continue reading →

Fake HMRC “Critical Notice: Statement of Liabilities” delivers Trickbot

Posted on 13 August 2018 5:07 pm by Myonlinesecurity13 August 2018 5:07 pm 1

This example is an email containing the subject of “Critical Notice: Statement of Liabilities” pretending to come from HMRC but actually coming from “service@hmrcemail.co.uk” which is a look-a-like, typo-squatted or other domain that can easily be misidentified, mistaken or confused with the genuine site, with a malicious word doc attachment is today’s latest spoof of a well-known company, bank or public authority delivering Trickbot banking Trojan. The email is a typical spoofed HMRC email delivering Trickbot banking trojan, that we see very frequently, saying you owe large sums of money and see the details in the attached document. The delivery chain for the … Continue reading →

Fake Brightpay payslip notification attempts to deliver Trickbot

Posted on 8 August 2018 6:50 pm by Myonlinesecurity9 August 2018 5:34 am

A bit of a change to the Trickbot delivery system today, In fact quite a lot of changes. This example is an email containing the subject of “FW: Payslip ” pretending to come from Brightpay payroll services but actually coming from a look-a-like or typo-squatted domain “Debra.Mitchel@bright-pay.co.uk” with a malicious word doc attachment is today’s latest spoof of a well-known company, bank or public authority that attempts to deliver Trickbot banking Trojan. This particular version fails with errors in all online sandboxes. I don’t know if it will run on a real computer. The word doc with a complicated macro runs OK but … Continue reading →

Hancitor delivered via fake This is an electronic efax Notification

Posted on 7 August 2018 7:12 pm by Myonlinesecurity7 August 2018 7:12 pm

An email with the subject of “This is an electronic efax Notification” pretending to come from efax but coming from efax@ramatmed.com with a link to download a malicious word doc that delivers Hancitor They are using email addresses and subjects that will scare, persuade or entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers. Remember many email clients, especially on a mobile phone or tablet, only show the Name in the From: and not … Continue reading →

My Online Security

Keep yourself safe online

Category Archives: macro virus