My Online Security | Keep yourself safe online

Lokibot via fake purchase order but won’t run in W7 or W8.1

Posted on 8 May 2019 5:55 am by Myonlinesecurity8 May 2019 5:55 am

I have got a very unusual and somewhat difficult to analyse set of malware files here. I received 2 different versions of this email. The first with just an XLSX attachment, the second with both an XLSX and a .rar attachment. Running the xlsx file through Anyrun using W7 64 bit resulted in a system freeze where it took so much memory & created so many versions of itself. The same happened trying to run the .exe file through Anyrun on W7 as well. Windows 8.1 does run the XLSX file but freezes up with numerous running copies of the … Continue reading →

Fake Council Tax refund phishing scam

Posted on 7 May 2019 2:23 pm by Myonlinesecurity7 May 2019 2:23 pm

fake Council Tax refund PDF attached to scam, phishing email

I was sent the details of a very interesting and extremely well done phishing scam, that pretends to be a Council Tax refund. The scammers have chosen an extremely good domain name to perform the scam & copied almost exactly the genuine Gov.uk site complete with all branding & Postcode lookup. I don’t have the original email, so I can’t get any sender’s details or what the email said. I do have an image of the PDF that was attached to the email. I am assuming it was pretending to come from HMRC in some way The scammer has gone … Continue reading →

Hawkeye keylogger using fileless delivery system via Amazon AWS

Posted on 6 May 2019 5:52 am by Myonlinesecurity7 May 2019 6:23 am

We have been seeing a massive increase in Malspam emails delivering Hawkeye keylogger / infostealer trojan. The vast majority have either a zip file containing the trojan itself or a malformed word doc either containing macros or using one of the Microsoft Equation Editor Exploits like CVE-2017-0199, CV-2017-11882 or CVE 2017-8570 that download the Hawkeye keylogger from a remote site which is either a compromised site or a site set up to distribute malware. It was quite a change this morning to see a tiny zip file attachment with a shortcut file that is using the Amazon AWS cloud services … Continue reading →

Fake Payment receipt vbs drops njrat bladabindi downloads Agent Tesla via Sendspace.

Posted on 2 May 2019 4:45 am by Myonlinesecurity2 May 2019 4:45 am

A rather interesting malware campaign from overnight. It all starts with an email pretending to be a payment receipt that contains a .tar attachment which contains a vbs file. As per usual the email is just generic enough to entice a recipient to open it, read it & possibly extract & run the malware file. This is another one of the files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC / PDF / JPG or other common file instead of the .EXE / .JS/vbs file it really is, so making it … Continue reading →

Multiple Hawkeye malspam campaigns via GreenCloudVPS

Posted on 26 April 2019 12:41 pm by Myonlinesecurity26 April 2019 12:41 pm

Another Hawkeye keylogger campaign again today. We see these most days and the emails are always such a generic invoice, order or Request for quotation so I don’t bother to post all versions we receive. I normally just tweet to the other researchers and submit to antivirus companies. These are all using CVE-2017-11882 RTF Today we are seeing a much more aggressive campaign than usual with multiple senders and subjects. But all coming from the same IP number and server. None of the email addresses or companies mentioned in this campaign are sending the emails to you. Their details have … Continue reading →

Lokibot via fake order email. Massive document.xml.rels obscuring analysis

Posted on 24 April 2019 6:32 am by Myonlinesecurity24 April 2019 6:32 am

Earlier this morning I received a spam email, pretending to be a new order asking me to quote a price, with a word docx attachment. That is normal for me & many others to receive this sort of malware laden spam. The subjects are so generic, the alleged senders might be a company or type of company / business your small or medium size business will deal with. The attachment on this appears to be blank when opened. However this document is using an exploit that some Antiviruses describe as CVE-2017-0199. The malicious content is contained in the document.xml.rels which … Continue reading →

Fake order delivering AveMaria stealer with difficult office doc.

Posted on 22 April 2019 1:59 pm by Myonlinesecurity23 April 2019 3:08 am 3

I had a bit of a problem trying to analyse this malware today. The word doc looks pretty average at first glance, but trying to run it in Anyrun on a W7 32 or 64 bit version of windows. gave me VBA errors. It also wouldn’t run on 64 bit versions of W8.1 or W10, giving the same VBA errors I then tried to upload to IRIS-H analysis where it crashed. It wouldn’t even upload to Hybrid analysis using either 32 bit W7 or 64 bit. I think Anyrun uses Office 2010 on W7 and Office 2013 on W8.1. I … Continue reading →

fake holly-wilson shipping notification – Phishing

Posted on 18 April 2019 11:46 am by Myonlinesecurity18 April 2019 11:46 am 3

A rather well done phishing scam dropped in my inbox this morning. The email comes from what is alleged to be an online e-commerce site, saying your order has been shipped, follow the link to view the order details. The domain sending these does exist and the sending service is listed as the correct MX & service for the domain, although DNS lookups do show a different set of IPs for the server. ( This isn’t unusual with Godaddy and many other large domain & webhosting providers hosted email services) This domain holly-wilson.com has been around for a while, so … Continue reading →

Fake Hillconmining Incoming20414 email delivers Formbook

Posted on 16 April 2019 5:53 am by Myonlinesecurity16 April 2019 5:53 am

A very slightly strange and less usual malware campaign this morning that does eventually deliver Formbook. The email is nothing special, very terse & bland that just says ” Kindly find the attachment”. It has 2 Microsoft Word Doc attachments, both very small. the first is 4kb, the second 6kb. Both are actually malformed RTF files that contain CVE2017-11882 Microsoft Equation Editor exploits. These exploits have been fixed in all currently supported versions of Microsoft Office, so in theory, should not affect anybody. But we do see hundreds of victims from these exploits, where lax security patching or the use … Continue reading →

Fake DHL Shipment Notification delivers Netwire Trojan

Posted on 15 April 2019 5:40 am by Myonlinesecurity15 April 2019 5:40 am

We have been noticing a “new ” netwire Trojan recently being delivered by multiple different spam emails, abusing Microsoft OneDrive, either through compromised or fraudulently set up accounts. This particular version says that asecorp ( a Spanish management company) has sent you a delivery via DHL express. However the body suggests it comes from HSA Systems ApS ( a Scandanavian industrial printer supplier & manufacturer). They use email addresses and subjects that will entice a user to read the email and open the attachment or follow thew link in the email. Almost all are being targeted at small and medium … Continue reading →