Category: Malware | Page 3 | My Online Security

Quick update to Emotet delivery campaign

Posted on 4 April 2019 5:42 am by Myonlinesecurity4 April 2019 5:42 am 1

Just a quick update to Emotet delivery campaigns that have plagued us for ages. I don’t normally post much about Emotet. There are lots of other researchers keeping an eye on it, who post regular updates via Twitter etc, Until recently Emotet was normally delivered via a malicious word doc attachment. Then about 10 days ago we noticed some versions using js attachments inside zip files. Yesterday evening we noticed yet another change. This time using js files inside password protected zips with a previously unknown password that might be different in each version received. Using password protected zip files … Continue reading →

Fake sentencing report delivers some sort of malware via a complicated chain.

Posted on 28 March 2019 10:15 am by Myonlinesecurity28 March 2019 10:15 am

I really don’t know what I have got here. I am totally and utterly confused by it. I don’t know if it even works or runs, or whether it just fails in anyrun or any other online sandbox, but will run on a “normal” computer. It all starts with an email pretending to come from a lawyer with loads of gobbledegook nonsense that just doesn’t sound or look in way correct. It just tries to confuse you with various legal sounding terminology. It has the subject of “Notification report sentence #3975252142 date 16.02.2019” which has an HTML attachment to it. … Continue reading →

Fake order confirmation for refurbished Samsung TV delivers Malware

Posted on 27 March 2019 5:02 am by Myonlinesecurity27 March 2019 5:02 am

I have a bit of a strange one here from yesterday evening. I received a couple of different copies of this email, both coming from the same server and IP number but with different alleged senders. I am not exactly sure what it is. although some detections on VirusTotal suggest TinyNuke Banking Trojan. Anyrun doesn’t show any strange connections or indications of anything when trying to contact a couple of different UK banking sites. Update confirmed as TinyNuke Banking Trojan which only appears to become active after rebooting the computer it is installed on. The C2 locations are m0pedx9.ru and … Continue reading →

Fake HMRC submission email delivers some sort of malware

Posted on 21 March 2019 5:02 am by Myonlinesecurity21 March 2019 5:02 am 1

I am having difficulty working out what is happening with this malware. The details about it were uploaded via our submissions system yesterday afternoon when I was out for a medical appointment. I don’t have a copy of the original email, only the body content which was pasted in to the message and the link it led to, with details of the alleged original sender. I think it is a banking trojan / Info-stealer UPDATE: Being told it is Ursnif / Gozi banking trojan that is heavily geo-ip restricted The email pretends to be from HMRC with a link in … Continue reading →

Trickbot via fake Efax message using Squiblydoo, Active X, macro and abusing pastebin

Posted on 20 March 2019 4:59 am by Myonlinesecurity20 March 2019 4:59 am

We are seeing massive changes with the Trickbot delivery campaign overnight. I have only seen 1 mention on Twitter about this campaign and 1 on a private malware research mailing list, so it can’t be affecting too many recipients. This example is today’s latest spoof or imitation of a well-known company, bank or public authority delivering Trickbot banking Trojan. The email with the subject of “You have a new eFax message! ” pretends to come from Efax but actually comes from “service@efax.delivery” which is a look-a-like, typo-squatted or other domain that can easily be misidentified, mistaken or confused with the … Continue reading →

Fake DHL Urgent Delivery notice delivers Gandcrab 5.2 ransomware

Posted on 15 March 2019 4:33 am by Myonlinesecurity15 March 2019 4:33 am 1

Yet another Gandcrab ransomware campaign. This time spoofing DHL Express with a fake delivery notification email. This delivers Gandcrab 5.2 ransomware that currently does not have free decryption available yet. This bad actor is getting a bit lazy and has reused the same word template that we saw earlier in the week with the CDC version to deliver the malware. All they have done is changed the file download url in the macro. It is highly likely that they are using an off the shelf exploit kit, rather than actually creating the docs themselves. However they are using different sending … Continue reading →

Fake CDC Flu Pandemic Warning delivers Gandcrab 5.2 ransomware

Posted on 13 March 2019 5:12 am by Myonlinesecurity13 March 2019 5:12 am 6

A somewhat interesting and slightly alarming malware campaign, spreading worldwide but supposed to be targeting the USA that pretends to be an urgent message from the CDC ( Centre for Disease Control ) warning about a flu outbreak. This delivers Gandcrab 5.2 ransomware that currently does not have free decryption available yet. They are using email addresses and subjects that will scare, shock, persuade or entice a recipient to read the email and open the attachment. Remember many email clients or webmail services, especially on a mobile phone or tablet, only show the Name in the From: and not the … Continue reading →

Fake Bitcoin investment scam delivers malware

Posted on 12 March 2019 6:06 am by Myonlinesecurity12 March 2019 6:06 am 16

This is a weird one and I can’t determine what the final payload does via running the files in an online sandbox. I really don’t know if the bad actor has messed up or whether it is an anti-vm or anti-sandbox protection on it. The .z attachment on the emails is not correct and the actual attachment is a .iso file that has been renamed or mistakenly given a .z extension. I received 2 different copies of this email with the same payload and email content but coming from different email addresses and domains both on the same server with … Continue reading →

Fake Paychex Tax verification documents delivers Trickbot

Posted on 7 March 2019 8:25 pm by Myonlinesecurity7 March 2019 8:25 pm

There are still using this new version of the Trickbot delivery system where Bitsadmin is used to download the payload in small sections to a victims computer where it is all joined together to make 1 file. This example is today’s latest spoof or imitation of a well-known company, bank or public authority delivering Trickbot banking Trojan. The email with the subject of “RE: Tax verification documents ” pretends to come from Paychex but actually comes from “J.Clark@paychex.email” which is a look-a-like, typo-squatted or other domain that can easily be misidentified, mistaken or confused with the genuine site. These have … Continue reading →

Fake Dun & Bradstreet Company Complaint delivers Trickbot

Posted on 6 March 2019 6:56 pm by Myonlinesecurity6 March 2019 6:56 pm

Continuing with the recent changes to the Trickbot delivery system and possibly the payloads and configs today. This example is today’s latest spoof or imitation of a well-known company, bank or public authority delivering Trickbot banking Trojan. The email with the subject of ” FW: Company Complaint #DNBC920201TF” pretends to come from Dun & Bradstreet but actually comes from “service@dnbcomplaint.com” which is a look-a-like, typo-squatted or other domain that can easily be misidentified, mistaken or confused with the genuine site. These have a malicious office file attachment. Today they are using macro enabled word docs that fire off on both … Continue reading →

My Online Security

Keep yourself safe online

Category Archives: Malware