Category Archives: Malware

Fake HSBC “FW: Account Review” delivers Trickbot

My Online Security Posted on by  

We are back to a more complicated or involved Trickbot download campaign today with links in the email to download the XLS file instead of attachments. This malware campaign delivery method was first mentioned on 22 October 2018 when I missed the onslaught.   These do tend to have a much shorter “shelf life” or campaign duration than the more usual office file attachment version, sometimes only between a few minutes and 2 or 3 hours, but in that very short period of time hundreds if not thousands of victims can still be infected. This is because it is much easier Continue reading →

Fake HSBC “Are all above transactions recognisable to you” delivers malware

My Online Security Posted on by  

I haven’t seen Dridex banking trojan hitting the UK in absolutely ages. In fact I can’t remember when I last saw one. This is detected as Dridex by some VirusTotal detections but online sandbox analysis aren’t showing typical Dridex SSl connections, so I am not sure exactly what this is. Update: I am informed reliably that it is Gozi/ Ursnif Banking trojan An email with the subject of  “Are all above transactions recognisable to you”  pretending to come from   HSBC Protection Support but actually coming from mail@rockinghamdental.com  with a link in the email body going to https://rockinghamdental.com/main.php?YHKeGpEamn4XDDA45X%2FX58xslDwVkwOIlhvoXlCIsjs1oacGQ6f7%2Ffq5ljqjDQvnt45QJjDuum5wJUNrVDOXq5rfskJnM3a6ZYlmYvi8zZevaVtFLU8q5y5Mb%2FFv4XrwoosR0%2BY%2BzdzN6fdoJC6Mr9eo4lDT0NfeTQbMd5oNiC0Wjpvlcm2c5HNvNMOufQ7dPcFrZf8I%2FeC4Sz%2BXQpnHLOZquT4FT9FyLQas1%2BbjXo8%3D  where a file is downloaded. Transaction_Log.exe Continue reading →

Fake Pricewaterhouse Coopers LLP “Overdue Invoice” delivers Trickbot

My Online Security Posted on by 1

This example is today’s latest spoof or imitation of a well-known company, bank or public authority delivering Trickbot banking Trojan. The email with the subject of “Overdue Invoice ” pretends to come from Pricewaterhouse Coopers LLP but actually comes from “James.McMillan@pwcuk.co.uk” which is a look-a-like,  typo-squatted or other domain that can easily be misidentified, mistaken or confused with the genuine site. These all have either a malicious office file attachment or link to download the malicious office doc or XLS file from a remote website. Pricewaterhouse Coopers LLP / https://www.pwc.co.uk/  has not been hacked or had their email or other servers Continue reading →

Fake Companies House “Company report” delivers Trickbot

My Online Security Posted on by  

We are back to a slightly more complicated or involved Trickbot download campaign today with links in the email to download the XLS file instead of attachments. This malware campaign delivery method was first mentioned on 22 October 2018 when I missed the onslaught.   These do tend to have a much shorter “shelf life” or campaign duration than the more usual office file attachment version, sometimes only between a few minutes and 2 or 3 hours, but in that very short period of time hundreds if not thousands of victims can still be infected. This is because it is much Continue reading →

Fake Lloyds Bank “Case Number: 238963BACS” delivers Trickbot

My Online Security Posted on by  

After the last couple of weeks of the Trickbot gang playing around with weird & wonderful and slightly more complicated delivery methods, they have today reverted to the tried & trusted formats.  This example is today’s latest spoof or imitation of a well-known company, bank or public authority delivering Trickbot banking Trojan. The email with the subject of “Case Number: 238963BACS” pretends to come from Lloyds Bank but actually comes from “noreply@lloydsbank-bacs.com” which is a look-a-like,  typo-squatted or other domain that can easily be misidentified, mistaken or confused with the genuine site. These all have a malicious office file attachment. Continue reading →

Malware using Excel XLAM Excel Macro enabled addins to bypass protections

My Online Security Posted on by 1

We have been noticing a change in the malware delivery pattern with Lokibot ( and possibly other malware) over the last few days. Instead of using the more normal Excel file extensions like XLS or XLSX  they have started to use .XLAM extensions. According to Lifewire the XLAM extension is A file with the XLAM file extension is an Excel Macro-Enabled Add-In file that’s used to add new functions to Excel. Similar to other spreadsheet file formats, XLAM files contain cells that are divided into rows and columns that can contain text, formulas, charts, images and more. Now in theory this extension should not Continue reading →

Fake DHL READ : (DHL Express) -Delivery Address Confirmation delivers Remcos Rat

My Online Security Posted on by 3

Yet another fake or spoofed DHL delivery notification delivering what today turns out to be Remcos RAT . An email with the subject of “READ : (DHL Express) -Delivery Address Confirmation” Pretending to come  from dhlSender@dhl.com <noreply@dhI.com> with a link in the email to download a word doc that in turn will download & run Remcos Rat They use email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers. Continue reading →

Fake Facebook reported photo scam delivering malware

My Online Security Posted on by  

I have no idea at this time what malware is being delivered with this campaign. However it is abusing  Microsoft,  Google  and Amazon AWS services. When I first saw the email, I thought it was likely to be a phishing email, so was quite surprised when the link delivered a zip file. The email is all in Portuguese. It pretends to come from your own email address but is coming from www-data@zwzcvmz17pmr3k3.d2pou50uofcu5f3q45lfq2s31h.ex.internal.cloudapp.net   Email looks like Facebook Inc. Caro Usuário, Alguém denunciou uma foto em seu álbum do Facebook recentemente. Dados da imagem denunciada: IMG-20161224-WA0023.jpg – Data: 25/10/2018 ás 08:00 Uma imagem Continue reading →

Fake Resume campaign downloading Nymaim still hitting UK

My Online Security Posted on by  

Just a quick post. We are currently being slaughtered by fake resume job applications again today. Some of the emails come with a password protected word doc attachment. Some come with links to download the malicious password protected word doc.  They all come from random names at Random companies. Some email addresses will exist & some won’t. The password in all cases is 1234 So far the links I have found include: http://inmotionframework.com/sbnsirii http://inmotionframework.com/tikrbzkf http://activenavy.com/brftyfis http://gigazip.com/dhyakass http://crypto-db.com/zbyhadkf http://bluestarpaymentsolutions.com/izaatffb http://borderlands3.com/nifdfaed http://galtdentalcambridge.com/hnysrzbi http://galtdentalcambridge.com/tzyfzdfy http://cactopelli.com/ssdhyytd http://activenavy.com/hhkznkht http://ecigarettestudies.com/stseyfke http://ieltsonlinetest.com/abrihkez http://indicasativas.com/ttbrsstt http://cactopelli.com/aeffdsyi http://gigazip.com/nzisyfrf http://greatwp.com/zkbtsisr http://cclawsuit.com/fdhkzats http://antinomics.com/nfzayyth http://internationalboardingandpetservicesassociation.com/dfbahiia I am sure there will be hundreds if Continue reading →

trickbot via fake Ernst & Young overdue invoice

My Online Security Posted on by  

We are back to a more complicated or involved Trickbot download campaign today with links in the email to download the XLS file instead of attachments. This malware campaign delivery method was first mentioned on 22 October 2018 when I missed the onslaught.   These do tend to have a much shorter “shelf life” or campaign duration than the more usual office file attachment version, sometimes only between a few minutes and 2 or 3 hours, but in that very short period of time hundreds if not thousands of victims can still be infected. This is because it is much easier Continue reading →