Category: Malware | Page 3 | My Online Security

Remcos Rat via fake invoice using multiple delivery methods.

Posted on 19 June 2019 6:22 am by Myonlinesecurity19 June 2019 6:22 am

I have heard of the “Belt and Braces ” approach to delivering malware before, but this malware campaign delivering Remcos Rat is using the belt and 2 pairs of braces to try make sure the malware gets delivered. The email is a fairly typical Invoice Request that appears to a part of an ongoing conversation and contains 3 different attachments. A zip file that contains a Remcos binary An RTF file using CVE-2017-11882 to contact a remote site & download a different Remcos binary A Word doc that is a renamed RTF file using CVE-2017-11882 to contact the same remote … Continue reading →

AgentTesla Keylogger and Binary Options scam

Posted on 12 June 2019 12:31 pm by Myonlinesecurity12 June 2019 12:31 pm

We are still not seeing massive amounts of malware currently hitting the UK. We are still seeing the commodity malware like AgentTesla keylogger / info stealer, Nanocore RAT and Hawkeye Keylogger on a very regular basis. Today’s example of an AgentTesla campaign is somewhat more interesting than usual. The email is nothing special and pretends to be the typical fake invoice we frequently see as the lure with these campaigns. What is different today is firstly the email is actually coming from the sender it says it is and passes all authentication. ( see email headers below) The home page … Continue reading →

More compromised windstream email sending malspam with Orion keylogger

Posted on 10 June 2019 7:33 am by Myonlinesecurity10 June 2019 7:33 am

Following on from Last Friday, it is looking like Windstream, Zimbra & Synacor still have a problem with accounts being compromised and mass malspam being sent. Generally speaking the majority of ISPs are pretty good with blocking outgoing spam & malware emails. They generally restrict the numbers of emails sent per hour / day for each account and the limit is normally very low, in the 10’s or low 100’s, unless you have a business account where the sending limits are much higher. That is why we normally see the majority of malspam coming from fraudulently set up, or compromised … Continue reading →

compromised windstream email sending malspam

Posted on 7 June 2019 6:04 am by Myonlinesecurity7 June 2019 6:04 am

Got a bit of a dodgy one here today, where it looks like the email service for windstream.net has been compromised to allow a miscreant to send malicious emails that are passing all authentication. It is highly likely that it is an individual customer of Windstream that has been compromised, rather than the entire system, but the whole idea of a company outsourcing mailing services to a 3rd party like Zimbra / Synacor is their filtering systems that is supposed to detect & block malware, spam and other malicious content Windstream are a major US ISP / Telecoms company / … Continue reading →

Lokibot via abusing the ngrok proxy service

Posted on 28 May 2019 5:55 am by Myonlinesecurity28 May 2019 5:55 am 1

It looks like one of the criminal gangs behind some of the Lokibot campaigns have found a way to serve their malware almost undetected or at least without any known host that can take down easily or be blocked. What they have done with this series of campaigns is abuse a new(ish) service NGROK which basically acts as a proxy, direct tunnel or VPN from the miscreant’s home computer or server that effectively puts the malware in the cloud & bypasses all firewalls etc. I can’t see anything in their TOS prohibiting malware, phishing, scams etc, just a general no … Continue reading →

multiple malware delivered from compromised website run on a domestic BT IP address

Posted on 24 May 2019 6:55 am by Myonlinesecurity24 May 2019 6:55 am

As I mentioned earlier in the week, we aren’t seeing massive amounts of malware, especially in the UK at the moment BUT we do see a steady lowish volume stream of commodity malware. These are the standard easy to purchase and use malware tools like Nanocore, Hawkeye, Agent Tesla and other keyloggers or remote access trojans that are so easy to use that they get used by both Skiddies & the criminal malware gangs. Today’s first example is a Nanocore remote access Trojan that was delivered via a fake Swift Payment advice pretending to come from Citi Bank. So far … Continue reading →

nanocore RAT via fake order in password protected word doc with wrong password

Posted on 23 May 2019 4:24 am by Myonlinesecurity23 May 2019 4:24 am

I was sent a message via the submissions system last night with the email the victim received attached. At first glance it looked like the typical password protected word docs we see regularly pretending to be either an order, invoice or resume, that frequently drop or download some sort of ransomware. At first I could not open this word doc using the password in the email body “doc2019” after trying a few variations I found the correct password is “DOC2019”. Windows ( or at least Microsoft Office) does see the differences in upper & lower case on passwords. When I … Continue reading →

Hawkeye keylogger via fake receipt. Stolen data sent to another keylogger site.

Posted on 21 May 2019 7:15 am by Myonlinesecurity21 May 2019 7:15 am 2

Over the last month or 6 weeks we, along with many other researchers, have noticed quite a drop in Malspam, in fact in spam generally. Nobody quite knows why but generally this means one or other of the major spam sending botnets has been taken down or is retooling & getting ready for a new set of campaigns. One of the few constant malware versions we are all seeing on a steady, almost daily basis, but using lowish volumes to stay somewhat under the radar is Hawkeye Keylogger. These generally aren’t worth posting about. They tend to use such generic … Continue reading →

Gootkit banking Trojan via Fake UKPC parking penalty appeals

Posted on 16 May 2019 5:23 am by Myonlinesecurity16 May 2019 5:23 am 1

I am hearing about a return of the fake UKPC parking charge appeals scam which has been quiet for about 1 year. At this time I don’t have a copy of the email that was received by the victim, only the link that was in it. I assume the email will be very similar to the ones described in these 2 posts [1] [2]. UKPC are a nationwide company that controls parking on private property throughout many parts of the UK. They do not ( as far as I can tell) control on street parking on behalf of any Local … Continue reading →

ISRStealer via fake Prudential Assurance Company Purchase Order

Posted on 15 May 2019 10:50 am by Myonlinesecurity15 May 2019 10:50 am

Every now & again we see a resurgence of ISRStealer info-stealer / Keylogger Trojan Malware. This malware has been around since 2011 and gets intermittent distribution campaigns. You can now submit suspicious sites, emails and files via our Submissions system Prudential Assurance Company Singapore has not been hacked or had their email or other servers compromised. They are not sending the emails to you. They are just innocent victims in exactly the same way as every recipient of these emails Purchase order #693641_3451483.zip : Extracts to: Purchase order #693641_3451483.exe Current Virus total detections: Anyrun | The C2 & … Continue reading →

My Online Security

Keep yourself safe online

Category Archives: Malware