Category: Malware | Page 3 | My Online Security

Trickbot with multiple changes via fake Chase JP Morgan incoming confirmation

Posted on 31 January 2019 5:42 am by Myonlinesecurity31 January 2019 5:42 am 1

Trickbot is back with a vengeance. I have seen a couple of mentions on Twitter earlier this week but haven’t actually been able to find any copies myself. However that all changed last night with several emails to various email addresses on my server. These are targeted at the USA rather than the UK, but I expect the UK targeting to resume very soon. In previous campaigns, I did often see USA appear 1 or 2 days before any UK campaigns. There are also some changes to the delivery method and the Trickbot binary & configs, that I will document … Continue reading →

Unknown malware via VBS & fake eml file

Posted on 30 January 2019 3:33 pm by Myonlinesecurity30 January 2019 3:33 pm

Got a very strange one that I can’t quite work out. I received a submission via our system with the message that he had quite few “phishing” type emails with all the same link, but couldn’t get anything. I tried the link from A UK BT dynamic IP address & got diverted to a payload. I then ran that payload through Anyrun which decoded the powershell script in the vbs file. Anyrun couldn’t get any payload from that. I could however manually. And that is where I am stuck. I have run the final payload through anyrun which shows various … Continue reading →

Fake Autec Power purchase Order delivers Nanocore RAT

Posted on 30 January 2019 8:33 am by Myonlinesecurity30 January 2019 8:33 am

This is a version of Nanocore RAT being delivered via a fake Purchase Order. The file has an invalid, Expired Digital Signature that says Google. It is reasonably well detected by Antiviruses although most of them are Generic / Heuristic detections. This attempts to connect to a dynamic DNS service youngboss84.ddns.net. It looks like the dynamic dns service that has shut it down because we are given a 0.0.0.0 IP address as a look up . They use email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted … Continue reading →

Azorult via fake inquiry email using Microsoft Office Equation Editor exploits

Posted on 30 January 2019 5:33 am by Myonlinesecurity30 January 2019 5:33 am

Another malware campaign using malformed RTF files involving Microsoft Office Equation Editor exploits to extract or drop a zip file from an embedded ole object containing the payload and an “innocent” lure doc to be displayed. Today it looks like CVE-2017-8570. The payload is Azorult. This is quite an involved, devious chain of delivery which after opening the word doc ( RTF) attachment to the email it very quickly partially opens & then immediately closes and extracts the contents of a zip containing a Fake Word doc & the malware payload. It then displays the fake word doc in place … Continue reading →

Formbook campaigns continue via malspam emails

Posted on 29 January 2019 6:51 am by Myonlinesecurity29 January 2019 6:51 am

A quick post detailing another Formbook campaign with what looks like a few changes.Recently the criminals distributing this malware have been using .exe files inside various forms of archive, including .iso, .ace, .rar. ,zip. Frequently they use various Microsoft Office Equation Editor exploits to contact a remote site & download the payload. Very occasionally I have seen Macros used. Today, they are still using CVE-2017-11882 Equation Editor Exploit in malformed RTF word docs to deliver the malware. But the method has slightly changed with a massive 2mb word doc that when opened only displays a couple of words and a … Continue reading →

Lokibot via fake Fedex customs clearance notice

Posted on 24 January 2019 5:03 am by Myonlinesecurity24 January 2019 5:03 am

Yet another Lokibot campaign via Malspam emails. In today’s Internet based world parcel delivery messages are so common. Most of us will receive at least 1 every week, if not several each day. Today the lure pretends to be a delivery notification from Fedex saying they need more details to clear customs. To try to help avoid spam filters ( unsuccessfully) all the email content is a single embedded image. ( We grabbed the text using an OCR software) Once again the criminals are using .ace attachments. Many common unzipping tools, including most versions of Winzip or windows inbuilt unzipping … Continue reading →

Gandcrab 5.1 via Uр to date emergenсy exit maр malspam from Rosie L. Ashton

Posted on 23 January 2019 5:03 am by Myonlinesecurity24 January 2019 6:11 am 8

Last night we received several emails to various email addresses on this server using a template we first saw back in Early December 2018. They are still using Rosie L. Ashton as the sender. Then it delivered Ursnif banking trojan. Today it is delivering Gandcrab 5.1 ransomware. This might be a new / updated version of Gandcrab because I haven’t seen this particular ransomware note before ( but I don’t follow Gandcrab closely) or the file extension for the encrypted files “.IOAHHZNEW ” which contains a key & PC data in encrypted format, although the Tor address is well known http://gandcrabmfe6mnef.onion/5124d7737cd9e0e6 … Continue reading →

Fake Quotation Request with malformed RTF file attachments delivering Lokibot

Posted on 22 January 2019 4:51 am by Myonlinesecurity22 January 2019 4:51 am

Another day and yet another malformed. malicious word doc attachment that is a renamed RTF file delivering Lokibot malware. These criminal gangs are really playing around with RTF files and constantly changing the header control word to try to bypass Anti-Virus & Next Gen protection. Today’s version is using a {\rtv0 header which isn’t of course any approved header, but Microsoft Office Word will open anything that starts with {\rt and just about ignores the rest of the control word. There is some dispute which Equation editor exploit is involved in this campaign. Anyrun says CVE-2017-11882, whereas various detections on … Continue reading →

More Formbook via fake order using broken .rar attachments

Posted on 21 January 2019 12:34 pm by Myonlinesecurity21 January 2019 12:34 pm

The next Formbook campaign today is a bit of a cock-up from the malware bad actors. The email invites you to quote for 720 of an unspecified object, the details being in the attached file. This is where they have made the mistake and made it less likely that anybody receiving the email will easily be infected. Firstly the attachment has a .ace suffix. .ace are a sort of zip that needs special software to extract them. Windows and many common unzipping utilities don’t natively deal with .ace files. But to add the icing to the cake, it is not … Continue reading →

Formbook from fake order via complicated chain using multiple equation editor exploits

Posted on 21 January 2019 6:52 am by Myonlinesecurity21 January 2019 6:52 am

Another Formbook campaign this morning using a somewhat complicated and devious chain to get on the victim’s computer. It all starts with a very basic & simple email that pretends to be an order but contains what appear to be a set of previous emails between the 2 parties, which is all fake. They are using email addresses and subjects that will scare or entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers. … Continue reading →

My Online Security

Keep yourself safe online

Category Archives: Malware