Category: Malware | Page 3 | My Online Security

Fake Fedex Express Shipment For Pickup in iso delivers nanocore using Sendgrid

Posted on 8 May 2019 6:43 am by Myonlinesecurity8 May 2019 6:43 am

The next in the overnight malware campaigns is a fake Fedex Express email delivering Nanore RAT via an img ( Iso) file. They use email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers. You can now submit suspicious sites, emails and files via our Submissions system Fedex has not been hacked or had their email or other servers compromised. They are not sending the emails to you. … Continue reading →

Lokibot via fake purchase order but won’t run in W7 or W8.1

Posted on 8 May 2019 5:55 am by Myonlinesecurity8 May 2019 5:55 am

I have got a very unusual and somewhat difficult to analyse set of malware files here. I received 2 different versions of this email. The first with just an XLSX attachment, the second with both an XLSX and a .rar attachment. Running the xlsx file through Anyrun using W7 64 bit resulted in a system freeze where it took so much memory & created so many versions of itself. The same happened trying to run the .exe file through Anyrun on W7 as well. Windows 8.1 does run the XLSX file but freezes up with numerous running copies of the … Continue reading →

Hawkeye keylogger using fileless delivery system via Amazon AWS

Posted on 6 May 2019 5:52 am by Myonlinesecurity7 May 2019 6:23 am

We have been seeing a massive increase in Malspam emails delivering Hawkeye keylogger / infostealer trojan. The vast majority have either a zip file containing the trojan itself or a malformed word doc either containing macros or using one of the Microsoft Equation Editor Exploits like CVE-2017-0199, CV-2017-11882 or CVE 2017-8570 that download the Hawkeye keylogger from a remote site which is either a compromised site or a site set up to distribute malware. It was quite a change this morning to see a tiny zip file attachment with a shortcut file that is using the Amazon AWS cloud services … Continue reading →

Fake Payment receipt vbs drops njrat bladabindi downloads Agent Tesla via Sendspace.

Posted on 2 May 2019 4:45 am by Myonlinesecurity2 May 2019 4:45 am

A rather interesting malware campaign from overnight. It all starts with an email pretending to be a payment receipt that contains a .tar attachment which contains a vbs file. As per usual the email is just generic enough to entice a recipient to open it, read it & possibly extract & run the malware file. This is another one of the files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC / PDF / JPG or other common file instead of the .EXE / .JS/vbs file it really is, so making it … Continue reading →

Multiple Hawkeye malspam campaigns via GreenCloudVPS

Posted on 26 April 2019 12:41 pm by Myonlinesecurity26 April 2019 12:41 pm

Another Hawkeye keylogger campaign again today. We see these most days and the emails are always such a generic invoice, order or Request for quotation so I don’t bother to post all versions we receive. I normally just tweet to the other researchers and submit to antivirus companies. These are all using CVE-2017-11882 RTF Today we are seeing a much more aggressive campaign than usual with multiple senders and subjects. But all coming from the same IP number and server. None of the email addresses or companies mentioned in this campaign are sending the emails to you. Their details have … Continue reading →

Lokibot via fake order email. Massive document.xml.rels obscuring analysis

Posted on 24 April 2019 6:32 am by Myonlinesecurity24 April 2019 6:32 am

Earlier this morning I received a spam email, pretending to be a new order asking me to quote a price, with a word docx attachment. That is normal for me & many others to receive this sort of malware laden spam. The subjects are so generic, the alleged senders might be a company or type of company / business your small or medium size business will deal with. The attachment on this appears to be blank when opened. However this document is using an exploit that some Antiviruses describe as CVE-2017-0199. The malicious content is contained in the document.xml.rels which … Continue reading →

Fake order delivering AveMaria stealer with difficult office doc.

Posted on 22 April 2019 1:59 pm by Myonlinesecurity23 April 2019 3:08 am 3

I had a bit of a problem trying to analyse this malware today. The word doc looks pretty average at first glance, but trying to run it in Anyrun on a W7 32 or 64 bit version of windows. gave me VBA errors. It also wouldn’t run on 64 bit versions of W8.1 or W10, giving the same VBA errors I then tried to upload to IRIS-H analysis where it crashed. It wouldn’t even upload to Hybrid analysis using either 32 bit W7 or 64 bit. I think Anyrun uses Office 2010 on W7 and Office 2013 on W8.1. I … Continue reading →

Fake Hillconmining Incoming20414 email delivers Formbook

Posted on 16 April 2019 5:53 am by Myonlinesecurity16 April 2019 5:53 am

A very slightly strange and less usual malware campaign this morning that does eventually deliver Formbook. The email is nothing special, very terse & bland that just says ” Kindly find the attachment”. It has 2 Microsoft Word Doc attachments, both very small. the first is 4kb, the second 6kb. Both are actually malformed RTF files that contain CVE2017-11882 Microsoft Equation Editor exploits. These exploits have been fixed in all currently supported versions of Microsoft Office, so in theory, should not affect anybody. But we do see hundreds of victims from these exploits, where lax security patching or the use … Continue reading →

Fake DHL Shipment Notification delivers Netwire Trojan

Posted on 15 April 2019 5:40 am by Myonlinesecurity15 April 2019 5:40 am

We have been noticing a “new ” netwire Trojan recently being delivered by multiple different spam emails, abusing Microsoft OneDrive, either through compromised or fraudulently set up accounts. This particular version says that asecorp ( a Spanish management company) has sent you a delivery via DHL express. However the body suggests it comes from HSA Systems ApS ( a Scandanavian industrial printer supplier & manufacturer). They use email addresses and subjects that will entice a user to read the email and open the attachment or follow thew link in the email. Almost all are being targeted at small and medium … Continue reading →

Fake Bank Detail For Funds Transfer delivers info stealer malware

Posted on 9 April 2019 6:59 am by Myonlinesecurity9 April 2019 6:59 am

We have been in a bit of lull with a quiet couple of weeks on the malware front in the UK, but that seems to have come to an end overnight and early this morning. Most of the malware are very common, well known versions of Lokibot, Hawkeye and a marginally interesting phishing scam in Korean language . Then we had an Orcus RAT which we don’t see a great deal of in UK. Then we come to this one, an ISR stealer. They pop up from time to time, but I don’t see a fantastic amount of them. This … Continue reading →

My Online Security

Keep yourself safe online

Category Archives: Malware