My Online Security | Keep yourself safe online

trickbot via fake Ernst & Young overdue invoice

Posted on 24 October 2018 1:26 pm by Myonlinesecurity25 October 2018 7:03 am

We are back to a more complicated or involved Trickbot download campaign today with links in the email to download the XLS file instead of attachments. This malware campaign delivery method was first mentioned on 22 October 2018 when I missed the onslaught. These do tend to have a much shorter “shelf life” or campaign duration than the more usual office file attachment version, sometimes only between a few minutes and 2 or 3 hours, but in that very short period of time hundreds if not thousands of victims can still be infected. This is because it is much easier … Continue reading →

trickbot via Fake HMRC Business VAT Reclaim RE: Reference Number: 20515522

Posted on 23 October 2018 1:21 pm by Myonlinesecurity23 October 2018 1:21 pm

This example is today’s latest spoof or imitation of a well-known company, bank or public authority delivering Trickbot banking Trojan. The email with the subject of “RE: Reference Number: 20515522” pretends to come from HMRC Business VAT Reclaim but actually comes from “noreply@hmrc-vat.co.uk” which is a look-a-like, typo-squatted or other domain that can easily be misidentified, mistaken or confused with the genuine site. These all have a malicious office file attachment. HMRC has not been hacked or had their email or other servers compromised. They are not sending the emails to you. They are just innocent victims in exactly the … Continue reading →

Trickbot campaigns 22 October 2018 hitting UK and Canada

Posted on 23 October 2018 7:06 am by Myonlinesecurity23 October 2018 7:06 am 3

I am a bit late reporting on these Trickbot campaigns from yesterday 22 October 2018. I saw a tweet this morning saying about 2 campaigns yesterday. the first hitting UK Spoofing Microsoft Office and the second hitting USA / Canada Which spoofs BMO Bank of Montreal. After digging through my server quarantine I found 2 examples of the UK campaign, but of course, by now, all the sites are not responding so I can’t get anything. All I can do is link to the Malware Traffic post with details. I have added the email I received, but because the sites are … Continue reading →

Agent Tesla Keylogger via fake new Order using Equation Editor RTF exploit

Posted on 17 October 2018 11:07 am by Myonlinesecurity17 October 2018 11:07 am

Something slightly different to start with this morning. There is nothing special about the email lure, but the attached word doc seems to be a bit different to the ones we are used to seeing with equation editor exploits. I don’t know if this is a different or unknown exploit using Microsoft Equation editor or whether it has anti-sandbox / Anti-VM protections. It definitely behaved very differently to the usual behaviour in the online sandboxes. Neither Anyrun nor Hybrid analysis were initially actually able to retrieve any working malicious content, although they did both show the initial download link ( … Continue reading →

Lokibot via fake enquiry CVE-2017-8570 malware campaign error

Posted on 16 October 2018 7:08 am by Myonlinesecurity16 October 2018 7:08 am

decoy word doc displayed after running the malicious attachment

An email with the subject of “Re: Inquiry” pretending to come from AL SRAIYA HOLDING GROUP, a large consulting group in Qatar but actually coming from “purchase manager <jairus_miguel@bsdnetwork.com.br>” with a malicious word doc attachment delivers Lokibot This malware campaign is marginally more interesting for a malware researcher because of the way the malware bad actor has misconfigured the word docs and displays this message in English & Russian. Decoy document which is opened after successful hit. Документ для пользователя который открывается после успешного пробива. These criminal gangs normally display an innocent word doc with genuine data like a list of … Continue reading →

trickbot via Fake HMRC “Month End Report Sep 2018.xls ” email

Posted on 10 October 2018 11:22 am by Myonlinesecurity10 October 2018 11:22 am 3

This example is an email containing the subject of “Month End Report Sep 2018.xls ” pretending to come from HMRC but actually coming from “Brenda.Kimbell@hrmc-reports.co.uk” which is a look-a-like, typo-squatted or other domain that can easily be misidentified, mistaken or confused with the genuine site, with a malicious Excel Spreadsheet attachment is today’s latest spoof of a well-known company, bank or public authority delivering Trickbot banking Trojan You can now submit suspicious sites, emails and files via our Submissions system Email Details From: Brenda Kimbell <Brenda.Kimbell@hrmc-reports.co.uk> Date: Tue 24/07/2018 13:26 Subject: Month End Report Sep 2018.xls Attachment: Month End Report Sep 2018.xls Body … Continue reading →

trickbot via “New fax message” malspam

Posted on 5 October 2018 12:08 pm by Myonlinesecurity5 October 2018 12:08 pm 1

This example is an email containing the subject of “New fax message” coming from “noreply@confidentialfax.com ” . For a change the Trickbot criminals are not spoofing or typo-squatting any well known brand, company or Government department. Instead they are using a generic domain that looks realistic & believable. They have also added the recipients email address into the body of the email to make it look more personalised and possibly more likely to be opened & read. You can now submit suspicious sites, emails and files via our Submissions system Email Details From: Confidential Fax <noreply@confidentialfax.com> Date: Fri 05/10/2018 11:27 Subject: New fax … Continue reading →

Trickbot via Fake HSBC “Incoming high value CHAPS payments” emails

Posted on 4 October 2018 1:15 pm by Myonlinesecurity4 October 2018 1:15 pm 2

This example is an email containing the subject of “Incoming high value CHAPS payments” pretending to come from HSBC but actually coming from “Olivia.Brown@hsbcemail.net” which is a look-a-like, typo-squatted or other domain that can easily be misidentified, mistaken or confused with the genuine site, with a malicious word doc attachment is today’s latest spoof of a well-known company, bank or public authority delivering Trickbot banking Trojan There is something different about the network connections being shown in the Anyrun report today. It looks like Trickbot might have updated with new modules and injects. You can now submit suspicious sites, emails and files via … Continue reading →

trickbot via Fake Lloyds bank “Reference: BACS09280981 ” malspam emails

Posted on 3 October 2018 12:32 pm by Myonlinesecurity3 October 2018 12:32 pm

A nice simple, straightforward Trickbot campaign hitting UK this Morning. This example is an email containing the subject of “Reference: BACS09280981 ” pretending to come from Lloyds Bank but actually coming from “O.Wilson@lloydsbankcorp.co.uk” which is a look-a-like, typo-squatted or other domain that can easily be misidentified, mistaken or confused with the genuine site, with a malicious excel spreadsheet attachment is today’s latest spoof of a well-known company, bank or public authority delivering Trickbot banking Trojan. At least today they have made a bit of an effort & given us a spreadsheet that almost looks like it might contain information if you are unwise … Continue reading →

Trickbot via Fake Bank Of America Secure Message

Posted on 3 October 2018 5:39 am by Myonlinesecurity3 October 2018 5:39 am 5

A bit of a change with the Trickbot delivery system with this example. Instead of directly attaching a malicious macro enabled word doc or other Microsoft Office file to the email, it instead has a html attachment and a link in the email body that when opened shows a web page that looks like a secure message with another link to download the malicious word doc. By the time I received the email and investigated, the website was down & not responding. I did manage to find a copy that somebody else had uploaded to VirusTotal and Anyrun and went … Continue reading →