Tag Archives: Azorult

Azorult via fake Chinese Government New Import Export Regulations

My Online Security Posted on by  

I am quite impressed with the level of Social Engineering with this malware delivery Malspam campaign. With Brexit fast approaching and the likelihood of no deal between UK and Europe, many companies are increasingly  trying to build a relationship with companies in China. This scam email pretending to be a Circular on New China Import/ Export Regulation Effective February 28th, 2019 spoofing noreply@customs.gov.cn with lots of detail in the email is likely to be a surprisingly effective avenue of infection in both small and larger Business.  This malware word doc is actually a RTF file that contains 70 odd pages that are Continue reading →

Making it Bleeding Obvious

My Online Security Posted on by  

Some days we have lots of problems trying to decide what malware is being delivered. Today is an exception. The bad actor has made it bleeding obvious by his use of the file names & url paths. I suppose this semi-clueless Skiddie has purchased an off the shelf exploit kit and either can’t read instructions or doesn’t care enough to change the file names & url paths. So we definitely have Pony and probably an Azorult control panel. They are using email addresses and subjects that will scare or entice a user to read the email and open the attachment. A Continue reading →

Fake Fax message email delivers Azorult trojan

My Online Security Posted on by  

An email with the subject of Fax Message ID: 8118 896 972 coming from Hunt Sharon <kekhang@kekhang.hu>  with  a zip attachment containing 2 files arrived to an email address on my server yesterday. This malware attack is slightly unusual and I don’t think very effective. However it is very interesting. When you open the zip file, you see 2 files inside it: A word doc named Fax_ID_45436426.doc that appears to be password protected and a .js file called Password. Now when you have Windows set to its stupidly set, dumbded down, default state of do not show file extensions you see this on Continue reading →

False Invoice Due email with password protected attachment delivers malware

My Online Security Posted on by  

This generic email with the subject of “Invoice Due”  coming from  help@simplexhealthcare.info with a malicious password protected word doc attachment  does eventually deliver some sort of malware. Recently password protected word docs have been delivering some sort of Ransomware frequently Hermes Ransomware via Azorult intermediate download. This is probably Azorult on the first stage, based on the file name azo.exe but I can’t see any encryption happening using the online sandboxes. It probably is Hermes ransomware based on the file names. These criminals don’t tend to be very original. The details in this campaign do match the details shown in this Continue reading →