Tag Archives: Azorult

Making it Bleeding Obvious

My Online Security Posted on by  

Some days we have lots of problems trying to decide what malware is being delivered. Today is an exception. The bad actor has made it bleeding obvious by his use of the file names & url paths. I suppose this semi-clueless Skiddie has purchased an off the shelf exploit kit and either can’t read instructions or doesn’t care enough to change the file names & url paths. So we definitely have Pony and probably an Azorult control panel. They are using email addresses and subjects that will scare or entice a user to read the email and open the attachment. A Continue reading →

Fake Fax message email delivers Azorult trojan

My Online Security Posted on by  

An email with the subject of Fax Message ID: 8118 896 972 coming from Hunt Sharon <kekhang@kekhang.hu>  with  a zip attachment containing 2 files arrived to an email address on my server yesterday. This malware attack is slightly unusual and I don’t think very effective. However it is very interesting. When you open the zip file, you see 2 files inside it: A word doc named Fax_ID_45436426.doc that appears to be password protected and a .js file called Password. Now when you have Windows set to its stupidly set, dumbded down, default state of do not show file extensions you see this on Continue reading →

False Invoice Due email with password protected attachment delivers malware

My Online Security Posted on by  

This generic email with the subject of “Invoice Due”  coming from  help@simplexhealthcare.info with a malicious password protected word doc attachment  does eventually deliver some sort of malware. Recently password protected word docs have been delivering some sort of Ransomware frequently Hermes Ransomware via Azorult intermediate download. This is probably Azorult on the first stage, based on the file name azo.exe but I can’t see any encryption happening using the online sandboxes. It probably is Hermes ransomware based on the file names. These criminals don’t tend to be very original. The details in this campaign do match the details shown in this Continue reading →