A bit of a change with the Trickbot delivery system this morning in UK. They are using macro enabled XLS spreadsheet files instead of the usual word docs. This example is an email containing the subject of “September 2018 Payroll Timetable” pretending to come from PricewaterhouseCoopers LLP but actually coming from “Claire.Rhodes@pwc-payroll.co.uk” which is a look-a-like, typo-squatted or other domain that can easily be misidentified, mistaken or confused with the genuine site, with a malicious office attachment is today’s latest spoof of a well-known company, bank or public authority delivering Trickbot banking Trojan You can now submit suspicious sites, emails and files via … Continue reading →
We have got a new delivery method appearing this afternoon via what looks like the Necurs botnet, using iqy files which are Excel Web Query and Internet Inquiry files. Basically they are a simple text file with a url that when opened in Excel ( the default for iqy files) will download whatever is at the end of the chain. These blow past all antiviruses because they have no malicious content. I saw something mentioned about these type of files last week somewhere, but can’t find it now. ( Update: It was THIS post on Sans Diary mentioning SLK files which … Continue reading →
Back to Italian language malspam today with another fake invoice with an excel XLS attachment. Like most of these non English emails that I have recently received, there seems to be some degree of malformation and the body content comes as an html attachment rather than being displayed in the body as intended. This looks like it is probably downloading sagecrypt ransomware Update I am reliably informed that it is not sage or any other ransomware but Zeus Panda banking Trojan targeting Italian Banks. Once again I was mislead by the detections on VirusTotal by what are frequently reliable antivirus detections … Continue reading →
It looks like the Japanese malspams are still continuing to deliver Ursnif /Gozi / ISFB banking Trojans. This one is yet another fake invoice email with the subject of 請求書添付書類について (About invoice attachment documents) , pretending to come from random Japanese email addresses with a malicious Excel XLS attachment that contains macros They are using email addresses and subjects that will scare or entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers. As is … Continue reading →
An email with the subject of BILL pretending to come from Store-Nellimarla Jute Mills Co Ltd.
An email with the subject of XL Copy Invoice – 997063 pretending to come from Claire Runagall <ClaireR@xljoinery.co.uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking Trojans like Dridex or Dyreza and ransomware like Locky, cryptolocker or Teslacrypt. They are using email addresses and subjects that will scare or entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do … Continue reading →