Category: Malware | Page 3 | My Online Security

Hawkeye keylogger via fake Proforma Invoice that probably fails delivery

Posted on 1 March 2019 9:53 am by Myonlinesecurity1 March 2019 9:53 am

A marginally interesting malware campaign trying to deliver Hawkeye Keylogger/ Infostealer. The email is nothing special and is a typical fake invoice. Where the bad actor has gone wrong with this campaign is he or she attached a .exe to the email as well as a malformed XLS spreadsheet using one of the Microsoft Equation Editor Exploits ( probably CVE-2017-11882). I don’t know many email servers that generally accept .exe files in an email. My mailserver quarantined all these, so I had to release a copy to investigate. Further Outlook and almost all other modern email clients block access … Continue reading →

Fake PO Inquiry email delivers Agent Tesla Keylogger via rtf exploits

Posted on 28 February 2019 4:26 am by Myonlinesecurity28 February 2019 4:26 am

An email with the subject of POQEA inquiry for order pretending to come from Balwinder Singh <sanjayl.sherma@gmail.com> with a link to download a malicious word doc delivers Agent Tesla Keylogger / Remote Access Trojan. This campaign is using Malformed RTF files that use the Microsoft Equation Editor CVE-2017-11882 with embedded ole objects that call out to a remote URL to download the actual payload. All this is nothing new & we see this type of malware delivery method frequently. I really can’t understand why so many recipients do apparently still get infected by it. There have been numerous windows & … Continue reading →

Fake Royal Bank of Canada Payment Receipt Advise/Avis de Reception de paiement delivers Trickbot

Posted on 27 February 2019 6:17 pm by Myonlinesecurity27 February 2019 6:17 pm 2

This example is today’s latest spoof or imitation of a well-known company, bank or public authority delivering Trickbot banking Trojan. The email with the subject of “Payment Receipt Advise/Avis de Reception de paiement” pretends to come from RBC Royal Bank of Canada but actually comes from “noreply@achaft-rbc.com” which is a look-a-like, typo-squatted or other domain that can easily be misidentified, mistaken or confused with the genuine site. Today they are using XLSM Excel spreadsheet files. RBC Banque Royale, Banque Royale du Canada, Royal Bank of Canada has not been hacked or had their email or other servers compromised. They are not … Continue reading →

Fake Packing List and LPO delivers malware via onedrive

Posted on 27 February 2019 6:10 am by Myonlinesecurity27 February 2019 6:10 am

I am not completely sure what we have got here today. An email with the subject of Packing List and LPO coming from Jidapa Dongbang <jidapa.d@asrservice.co.th> with a link to download a rar file from a onedrive address I am being told it is possibly a new Netwire RAT, although existing yara detections are not firing off on it. There are some known Netwire strings in running memory. Update a revised Anyrun does confirm netwire. It looks like the C2 was down on the original run, but is live now. Probably we were too quick for them & they … Continue reading →

Fake TD Bank Secure Mail delivers Trickbot

Posted on 27 February 2019 5:38 am by Myonlinesecurity27 February 2019 5:38 am

This example is today’s latest spoof or imitation of a well-known company, bank or public authority delivering Trickbot banking Trojan. The email with the subject of “TD Bank Secure Mail ” pretends to come from TD Bank, but actually comes from “service@securemail-td.com” which is a look-a-like, typo-squatted or other domain that can easily be misidentified, mistaken or confused with the genuine site. These all have a link to download the malicious file from a remote website with another very similar domain name. This came in last night at about 6pm UTC but I wasn’t around to look at it. By … Continue reading →

Fake order with 2 lnk files delivers Formbook

Posted on 23 February 2019 5:00 am by Myonlinesecurity23 February 2019 5:00 am 1

A somewhat involved and slightly complicated and devious chain in this Formbook campaign. What is slightly concerning are some of the sites involved, especially the live download site http://globalbank.us/ which looks like it has been been purchased by criminals several months ago intending to be used in some sort of banking fraud. It was registered in June 2018 and is parked by the registrar & hosting company Namecheap. The registrant behind this domain name has registered at least 10 other obvious fraud domains that we can easily find https://domainbigdata.com/gmail.com/mj/MMWhkxyk-VrMXoRNQX7zDw I am sure that somebody who is a lot better than me … Continue reading →

Azorult via fake Chinese Government New Import Export Regulations

Posted on 22 February 2019 10:30 am by Myonlinesecurity25 February 2019 3:31 pm

I am quite impressed with the level of Social Engineering with this malware delivery Malspam campaign. With Brexit fast approaching and the likelihood of no deal between UK and Europe, many companies are increasingly trying to build a relationship with companies in China. This scam email pretending to be a Circular on New China Import/ Export Regulation Effective February 28th, 2019 spoofing noreply@customs.gov.cn with lots of detail in the email is likely to be a surprisingly effective avenue of infection in both small and larger Business. This malware word doc is actually a RTF file that contains 70 odd pages that are … Continue reading →

Fake Court summonses, Judgements, Subpoenas delivering malware

Posted on 20 February 2019 1:20 pm by Myonlinesecurity20 February 2019 1:20 pm

Starting Yesterday evening and continuing steadily all day so far today, we saw what was supposed to be a malspam campaign with a lure of court summonses. None of the links I followed actually delivered any malware but did instead lead to a zip file that contained the configuration details for the spamming and supposed malware campaign. So somewhere along the line, somebody messed up big time. I am not going to go into this particular one much more, except to say that researchers who are a lot better than me are looking at it & investigating further. We are … Continue reading →

Fake TD Bank Confirm account status delivers Trickbot

Posted on 19 February 2019 9:06 pm by Myonlinesecurity19 February 2019 9:06 pm

This example is today’s latest spoof or imitation of a well-known company, bank or public authority delivering Trickbot banking Trojan. The email with the subject of ” Confirm account status ” pretends to come from TD Bank but actually comes from “J.McMillan@tdbanksec.com” which is a look-a-like, typo-squatted or other domain that can easily be misidentified, mistaken or confused with the genuine site. These have a malicious office file attachment. Today they have returned to using word docs. Again this is targeted at North American recipients rather than UK ones. I was sent the email via our submissions system, but the … Continue reading →

Agent Tesla keylogger delivered inside a Power ISO .daa archive

Posted on 19 February 2019 7:11 am by Myonlinesecurity19 February 2019 7:11 am

We never fail to be astonished by the ingenuity and attempts from malware bad actors to get their malware delivered to their intended victims. However in many cases, like this one, their attempts spectacularly backfire where such a tiny, minuscule number of recipients will be able to open the malware attachment and stand a possibility of being infected. They have used a type of archive that is virtually unknown and none of the commonly used extraction tools will extract the content. They have used a .daa file which is a proprietary format created by and only used by Power ISO, … Continue reading →

My Online Security

Keep yourself safe online

Category Archives: Malware