Tag: spam | My Online Security

new AgentTesla Keylogger install method – Choice.exe

Posted on 27 July 2019 7:07 am by Myonlinesecurity27 July 2019 7:07 am

We continue to see AgentTesla keylogger / Infostealer on a daily basis. The UK generally has been fairly quiet for malware over the last few months ( since Easter 2019) and we are only seeing the “commodity” malware like AgentTesla, Hawkeye, Nanocore, Lokibot etc on a very frequent basis. Over the last week or 10 days we have noticed a slight change in the delivery / install method for AgentTesla. They are using choice.exe silently to install the malware. Choice.exe is a Microsoft default file in all current Microsoft OS versions that is supposed to be used with bat files … Continue reading →

Formbook back hitting UK in fake order emails

Posted on 26 July 2019 10:18 am by Myonlinesecurity26 July 2019 10:18 am

We haven’t seen any Formbook malware / Trojan / Info-Stealer hitting the UK for ages, so it was quite surprising to see this one arrive overnight. Unlike previous versions who generally used exploits or macros / embedded ole objects in Microsoft Office to deliver the payload, this is a simple .exe file inside a zip that pretends to be an Excel Spreadsheet if you don’t have “show known file types” enabled in windows, so making it more likely for an unsuspecting user to click on it & open & run the file. As usual for Formbook, as soon as the … Continue reading →

Fake PrivatBank email delivers AgentTesla and Phishing

Posted on 15 July 2019 12:23 pm by Myonlinesecurity15 July 2019 12:23 pm

I received a rather interesting email earlier today. It pretends to be an email from Privatbank.com and written mainly in Ukranian. There is not a known bank using PrivatBank.com anywhere I can find listed although a website for this domain was registered many years ago (2001). The closest legitimate bank that I can find is privatbank.ua which is a well known Ukranian Bank that just happens to use the same logo as this scam email. The attachment in the email contains an AgentTesla keylogger / Infostealer version. However that is not the end of this sorry saga. I like … Continue reading →

Fake order eventually drops Lokibot but something else happens

Posted on 10 July 2019 6:33 am by Myonlinesecurity10 July 2019 6:33 am

I am not entirely sure what the in initial binary download with this one is, but there are indications it might be Dark Comet RAT. What we do know is that it drops a Lokibot binary The word doc is actually a RTF file containing embedded ole objects. This appears to contain 5 identical ole objects that in turn drop an Excel macro enabled worksheet that when examined appears to be something to do with lottery numbers. I don’t know if this is some sort of red herring or someone in the masses of code ( which I have only … Continue reading →

banload and stealer

Posted on 27 June 2019 11:59 am by Myonlinesecurity27 June 2019 11:59 am

Some weird malware possibly banload and a stealer. Details were uploaded to our submissions system Starts with email link that downloads tax.zip from http://199.192.29.182/Folder/Downloader.php?1409 This zip contains genuine google updater & a bat file which downloads a powershell script from http://51.75.142.21/l2406/uk/kk/20938092830482 Then a zip from http://51.91.248.86/uk/M2406/kk/md.zip which contains genuine autoit files & a malicious file It then shuts down computer On reboot another powershell script is dropped that appears to be the stealer. Sends stolen data to https://salvavidasonline.club Main object- “tax_receipt.zip” sha256 967ebdb78f55bd6640e5e4dc94f640758764851f1429c017d586da93ed536bf2 sha1 3b47fde59daa506967a609ed8e434ef92a327c37 md5 2cb79ca3702b9e08e2012d511b7ee2e1 ssdeep_parts [object Object] Dropped executable file sha256 C:\Users\Public\Java_jkwbzg3_\exe.png 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d sha256 C:\Users\Public\Java_jkwbzg3_\libeay32.dll 963b313eb11d5ea78d9d5f4e03df9265e472db892a4b406ee73f0216fd4d6f38 sha256 … Continue reading →

Nanocore RAT via fake DHL failed delivery in Chinese

Posted on 19 June 2019 12:39 pm by Myonlinesecurity20 June 2019 5:44 am 1

A quick post about the latest in a long, long, long, very, very long line of fake DHL delivery failure emails delivering all sorts of malware. Today’s version is slightly different to the ones we frequently see in UK. Today it is delivering Nanocore RAT in a zip file attachment. Firstly it is written entirely in Chinese, so most recipients won’t be able to read it. It is also worth mentioning the email server /account this malware laden email came from. kate@xapps.link Remember many email clients, especially on a mobile phone or tablet, only show the Name in the From: and … Continue reading →

Remcos Rat via fake invoice using multiple delivery methods.

Posted on 19 June 2019 6:22 am by Myonlinesecurity19 June 2019 6:22 am

I have heard of the “Belt and Braces ” approach to delivering malware before, but this malware campaign delivering Remcos Rat is using the belt and 2 pairs of braces to try make sure the malware gets delivered. The email is a fairly typical Invoice Request that appears to a part of an ongoing conversation and contains 3 different attachments. A zip file that contains a Remcos binary An RTF file using CVE-2017-11882 to contact a remote site & download a different Remcos binary A Word doc that is a renamed RTF file using CVE-2017-11882 to contact the same remote … Continue reading →

AgentTesla Keylogger and Binary Options scam

Posted on 12 June 2019 12:31 pm by Myonlinesecurity12 June 2019 12:31 pm

We are still not seeing massive amounts of malware currently hitting the UK. We are still seeing the commodity malware like AgentTesla keylogger / info stealer, Nanocore RAT and Hawkeye Keylogger on a very regular basis. Today’s example of an AgentTesla campaign is somewhat more interesting than usual. The email is nothing special and pretends to be the typical fake invoice we frequently see as the lure with these campaigns. What is different today is firstly the email is actually coming from the sender it says it is and passes all authentication. ( see email headers below) The home page … Continue reading →

Bitcoin verify your Identity phishing scam hosted on Microsoft Azure hosting

Posted on 11 June 2019 5:07 am by Myonlinesecurity11 June 2019 5:07 am 1

I am seeing a bitcoin phishing scam campaign this morning hosted on Microsoft Azure/windows.net. The emails pretend to come from your own email address and are addressed to the same email address. All hosting companies get abused and used for malware, scams and phishing. Recently Microsoft Azure Hosting seems to be the flavour of the month. It is not helped by the fact that Microsoft make it overly complicated to report these scams, malware or phishing via the https://portal.msrc.microsoft.com/en-us/engage/cars where you have to give loads of details. Using the very simple report to Microsoft form on https://www.microsoft.com/en-us/wdsi/support/report-unsafe-site is just about … Continue reading →

It looks like another DNS compromise hack happening

Posted on 10 June 2019 11:30 am by Myonlinesecurity10 June 2019 11:30 am 8

I saw a fairly short-lived, reasonably low volume, malspam campaign earlier this morning that looks like it comes via Necurs Botnet and is somehow using a “new” compromise or security hole in the DNS system. These appear to be targeted at UK only and as far as I can tell ONLY a UK IP number will get a redirect to the scumware site. Other users don’t, at this time get anything. So far today the eventual target site has been https://appteslerapp.com/ which is pushing a very high risk stock trading scheme. Beware: the only people who get rich on these … Continue reading →

My Online Security

Keep yourself safe online

Tag Archives: spam