My Online Security | Page 4 | Keep yourself safe online

Fake Danske Bank FW: Recent BACs delivers Trickbot

Posted on 12 July 2018 1:08 pm by Myonlinesecurity16 July 2018 1:17 pm

This example is an email containing the subject of “FW: Recent BACs ” pretending to come from Danske Bank but actually coming from a look-a-like or typo-squatted domain “Jacob.Schiander@danskebankco.uk” with a malicious word doc attachment is today’s latest spoof of a well-known company, bank or public authority delivering Trickbot banking Trojan Note: one of the compromised delivery sites http://myparamountcare.com was also used in Yesterday’s trickbot campaign. This is not good for a health care company who don’t seem able to keep their website protected. The other download site today is what should be a lawyers office http://jbarbourlaw.com but it just has a holding page saying … Continue reading →

Trickbot campaign spoofing Chase Bank “Important account documents”

Posted on 11 July 2018 7:13 pm by Myonlinesecurity11 July 2018 7:13 pm

The second in today’s trickbot campaigns targets USA. I wonder if the hacked/ compromised healthcare company involved in the distribution has also lost or leaked any patient details. This example is an email containing the subject of “Important account documents” pretending to come from Chase Bank but actually coming from a look-a-like or typo-squatted domain “no-reply@chase-docs.com” with a malicious word doc attachment is today’s latest spoof of a well-known company, bank or public authority delivering Trickbot banking Trojan You can now submit suspicious sites, emails and files via our Submissions system Email Details From: Chase <no-reply@chase-docs.com> Date: Wed 11/07/2018 18:31 Subject: Important account … Continue reading →

Trickbot via Fake Companies House E-billing “June’s Invoices / Documents ” malspam

Posted on 11 July 2018 2:14 pm by Myonlinesecurity11 July 2018 2:14 pm

Trickbot is back targeting the UK again today after a short break. This example is an email containing the subject of “June’s Invoices / Documents ” pretending to come from Companies House eBilling but actually coming from a look-a-like or typo-squatted domain “no-reply@ebilling-companieshouse-gov.uk” with a malicious word doc attachment is today’s latest spoof of a well-known company, bank or public authority delivering Trickbot banking Trojan You can now submit suspicious sites, emails and files via our Submissions system Email Details From: Companies House eBilling <no-reply@ebilling-companieshouse-gov.uk> Date: Wed 11/07/2018 12:55 Subject: June’s Invoices / Documents Attachment: 489237490.doc Body content: Companies House eBilling This message … Continue reading →

Fake DHL “Alert! Shipment Notification” delivers Remcos RAT

Posted on 10 July 2018 6:57 am by Myonlinesecurity10 July 2018 6:57 am

A bit of a strange one to start off today. The word doc doesn’t want to run or run properly in most of the online sandboxes available to me. An email with the subject of “Alert! Shipment Notification” pretending to come from DHL but actually coming from DhlExpress <dhl@paperattention.com> with a malicious word doc delivering Remcos Rat. The macro is quite different to many previous ones that I have seen and very highly obfuscated and encoded, making it difficult to manually analyse. To make sure you get the malware, the email has a word attachment and a link to download … Continue reading →

Fake ” ENQUIRY NO-64743″ malspam using multiple exploits delivers malware.

Posted on 5 July 2018 6:35 am by Myonlinesecurity5 July 2018 6:35 am

An email with the subject of ” ENQUIRY NO-64743″ pretending to come from “isaac_w@highgatelimited.com” with a malicious word doc attachment eventually delivers some sort of malware that looks like a keylogger or password stealer using a complicated and devious delivery system. These are using a new (to me) French short url service that doesn’t appear to have any way of checking the link redirect location except by following the link. They are using email addresses and subjects that will scare or entice a user to read the email and open the attachment. A very high proportion are being targeted at small … Continue reading →

Fake delivery notification delivers some sort of keylogger, possibly Ramnit Banking Trojan

Posted on 30 June 2018 11:13 am by Myonlinesecurity30 June 2018 11:13 am

I have received something a bit weird and wonderful this Saturday morning. I can’t quite work out what malware it is supposed to deliver. I can’t get anything & Anyrun fails using a 32 bit VM. ( a subsequent run using a W10 64 VM and setting to MITM did give the complete chain, but I still don’t know what is actually is. It looks like some sort of keylogger. I saw a similar campaign spoofing well known delivery companies back in March 2018 where it was discovered that the delivery chain was being called ” Snatchloader” which was delivering … Continue reading →

Slight changes to Trickbot delivery system

Posted on 30 June 2018 7:40 am by Myonlinesecurity30 June 2018 7:40 am

Over the last week of so, there has been a bit of a change to the Trickbot delivery system. For quite a while they used the Microsoft Equation Editor Exploit CVE-2017-11882 in word docs to deliver the payload. Sometimes using 2 or 3 different exploits and badly documented features in word. Then in Early June 2018 they reverted to the more standard “auto-open” macro in word They started to experiment on Monday 25 June 2018 with using CVE-2018-8174 but because that is an Internet Explorer specific exploit, relying on that will drastically cut down the amount of available victims. After … Continue reading →