My Online Security | Keep yourself safe online

Formbook via fake statement of account

Posted on 16 January 2019 1:26 pm by Myonlinesecurity16 January 2019 1:26 pm

Following on from Today’s earlier Formbook campaign using exploits in RTF files we are now seeing another campaign that appears to be coming from the same bad actors using .exe files disguised as a bat file inside a zip. The email pretends to be a Statement of Account with 2 outstanding invoices for hundreds of thousands of USD$ They use email addresses and subjects that will shock, scare, entice or scare a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better … Continue reading →

Formbook via fake Unicredit Bank swift transfer using different malformed RTF files

Posted on 16 January 2019 5:14 am by Myonlinesecurity16 January 2019 5:14 am

I can’t remember previously seeing a malware delivery campaign using a malformed, malicious RTF file like this one. It definitely is using one of the multiple Equation Editor exploits.There is some dispute on VirusTotal whether it is CVE-2017-11882 or CVE-2018-0802 or even whether it is a new exploit. It definitely involved embedded OLE objects being extracted and dropped from the RTF file. The RTF header / Control word is somewhat different to usual and starts with \rtfSP\ whereas we normally see \rtf\ ,\rtf0\ or \rtf1\ in the majority of malicious RTF files. I am not exactly sure what \rtfSP\ means … Continue reading →

Nanocore RAT via fake order emails

Posted on 15 January 2019 4:32 am by Myonlinesecurity15 January 2019 4:32 am

I was sent these 2 emails via the malware submission system on this site. 2 different emails coming from different senders, imitating or spoofing different companies. Both have iso attachments that extract to .exe files that try to pretend to be a pdf. These were sent to a German Recipient. You can now submit suspicious sites, emails and files via our Submissions system Neither of the alleged senders hacked or had their email or other servers compromised. They are not sending the emails to you. They are just innocent victims in exactly the same way as every recipient of these … Continue reading →

Agent Tesla reborn via fake order

Posted on 14 January 2019 7:13 am by Myonlinesecurity16 January 2019 1:36 pm 2

Following on from this post from last week. We are seeing another what looks like Hawkeye or Agent Tesla keylogger campaign using identical methods. All the same sites and hosting companies are involved with the same possibility of the DNS on Godaddy being compromised to allow this scummy domain to work. In exactly the same way I saw last week, the email body content on the mail server is different to the body content in the email, when it is delivered to the prospective victim. Once again the XLS file attachment uses CVE-2017-11882 to download the Hawkeye or Agent Tesla … Continue reading →

More Lokibot via fake Maersk Quotation / Invoice

Posted on 14 January 2019 5:41 am by Myonlinesecurity14 January 2019 5:41 am

Following on from my slightly earlier post about Lokibot, this is yet another version with 2 XLS spreadsheet attachments coming in a fake Overdue Invoices November – December 2018 email. This version uses CVE-2017-11882 or is trying to, but only 1 of the attachments actually worked properly in Anyrun to download & deliver the payload. I don’t know what is wrong with the other version, it looks just about identical, although has a slightly different file size. Both copies display a multi page spreadsheet, pretending to be a shipping Quotation / invoice from Maesrk shipping lines. This one actually arrived earlier … Continue reading →

Lokibot via multiple embedded OLE objects in fake invoice rtf word docs

Posted on 14 January 2019 3:52 am by Myonlinesecurity14 January 2019 3:52 am

A slightly different Lokibot campaign this morning. The email is nothing special with a typical subject of CONFIRM OVERDUE INVOICE coming from various email addresses including what is likely to be either a compromised or fraudulently set up email account in Taiwan and a fake Apple spoofed email address that was also likely used for a previous phishing scam The body content spoofs a Thailand company, that might or might not exist, with an email address and weblink to a different Philippines company. There are 2 different sized attachments to the email, both are renamed RTF files containing multiple embedded … Continue reading →

Cashplus new Fintech service phishing scam

Posted on 11 January 2019 6:09 am by Myonlinesecurity11 January 2019 6:09 am

We see lots of phishing attempts for banking credentials. This is new entry to the lists. We normally see the traditional banks being used in this sort of phishing scam / identity theft in the UK on an almost hourly basis. I probably see 20 or 30 every day. However there are starting to be lots of people now using the new Fintech services, which are online only. There are hundreds of these new services and no one can keep up with them. Some of the names of these new services are completely weird and don’t sound like a bank … Continue reading →

Some changes to malicious RTF docs delivering Hawkeye

Posted on 11 January 2019 4:45 am by Myonlinesecurity11 January 2019 4:45 am

I am seeing a bit of changes today from the scumbags who are distributing the Hawkeye Keylogger Trojan. The email template is a typical fake Purchase Order with a malicious word doc attachment. The word doc is actually a RTF that uses the CVE-2017-11882 equation editor exploits. Where the changes come is the obfuscation or encoding of the rtf file that makes analysis slightly more complicated and is intended to bypass existing detections from antiviruses & network perimeter defences. This malicious RTF / Word doc has 87 pages of pure garbage displayed. The first page is blank, then dozens of … Continue reading →

renamer destructive malware via fake inquiry email

Posted on 10 January 2019 12:39 pm by Myonlinesecurity10 January 2019 12:39 pm

A slightly different malware than usual to report on this morning. I haven’t previously seen an out and out destructive malware like this sent in mass malspam for many years. It must be intended to act as some sort of ransomware but there is no ransom note or instruction. It initially copies itself to C:\Users\admin\AppData\Roaming\Paint.exe and then sets a startup for that file then it searches for & finds any .exe files, initially in downloads folder or desktop renames them to voriginalfilename.exe & copies itself to the original filename, so it runs when that file is opened by the victim. … Continue reading →

Lokibot via Fake DHL quotation using .ace attachments

Posted on 8 January 2019 11:54 am by Myonlinesecurity8 January 2019 11:54 am

With Christmas over we are starting to see an increase in malware campaigns. It is not up to the usual level yet because the Russian Gangs are still on their Xmas breaks, but the rest of the scumbags are trying to make up for it. Some like this one are a bit too obvious. I mean, why would DHL express send me an email asking me to quote for supplying products to a Taiwan company. I think the apprentice that the criminals have left in charge while they recover from an excess of good spirit has messed up various templates … Continue reading →