Tag: spam | My Online Security

Another Agenttesla campaign using a compromised Iraq Government site

Posted on 8 October 2019 7:14 am by Myonlinesecurity8 October 2019 7:14 am 3

WE still see loads of AgentTesla keylogger/ Info-stealer malware campaigns hitting the UK most days. Today is no exception with quite a few so far. I don’t always post them here, unless there is something slightly different or unusual about either the delivery method or the malware itself changes. I just submit to Antivirus companies & most times tweet the details to other security researchers. This version is noteworthy because the Exfil / C2 is an Iraq government site which “should” be 100% secure but obviously isn’t. The email is the usual junk email that should be blocked by most … Continue reading →

Very strange Barclays bank Phishing Scam

Posted on 23 September 2019 7:11 am by Myonlinesecurity23 September 2019 7:11 am

We see lots of phishing attempts for email credentials. This one is quite strange and weird, It pretends to be a message from Barclays Bank to update card details. I don’t know what is happening but several times I tried, I get redirected to the genuine Barclays Bank website. But from anyrun using MITM and sometimes from my home IP address in UK I can get sometimes get to the phishing site. https://barclays-form.icu/ This is a very complicated chain of events, I ran this through anyrun using several different settings and got different results many times. Anyrun reports: [1] [2] … Continue reading →

Some changes to Remcos Rat persistence method

Posted on 22 September 2019 6:55 am by Myonlinesecurity22 September 2019 6:55 am

It looks like we are seeing a few changes to the Remcos RAT install & persistence method. Over the last couple of weeks I have noticed a few tweaks to the persistence & auto start of several Remcos Rat versions. Today it has changed again to try to bypass protections. This all starts with the usual spam email, today’s ( or rather last night’s) was a fake invoice in a .iso / .img container. As you c an see from the virustotal reports .img containers are generally pretty poorly detected so are more likely to bypass perimeter defences. Once the … Continue reading →

Keybase keylogger via fake indofuels invoice

Posted on 21 September 2019 12:14 pm by Myonlinesecurity21 September 2019 12:14 pm 1

We don’t see a lot of malware at weekends in UK, so it was a bit of a surprise to get a whole swathe on emails overnight pretending to be an invoice from indofuels. The keylogger and info / credential stealer the criminals are using this weekend is Keybase,. I personally haven’t seen keybase for a couple of years, although reports of sporadic campaigns & infected computers are seen occasionally with a slight resurgence over the last week or so. I thought keybase had effectively stopped being distributed or used a couple of years ago, when the original developer stopped … Continue reading →

Fake TNT delivery drops WSHRAT via DiscordApp

Posted on 19 September 2019 6:52 am by Myonlinesecurity20 September 2019 6:06 am

It seems to be the week for harder to analyse & dodgy delivery systems that more carefully target specific countries / regions or even specific isps. Yesterday we saw a fake e-fax notification in German language that eventually led to a Buran ransomware. I couldn’t analyse that one properly or get the full payload, but with lots of help from many Twitter contacts, the ransomware payload was soon discovered, downloaded and submitted. Today I have received a fake TNT delivery / collection notice that has a link in the email body that downloads a zip file. Inside the zip is … Continue reading →

Fake invoice tries to deliver Remcos RAT

Posted on 18 September 2019 6:25 am by Myonlinesecurity18 September 2019 6:25 am

This is a strange & slightly more difficult than usual to analyse malware, mainly because the bad actor appears to have made a total mess of the distribution. I do not know if this will actually run on a proper computer, it obviously doesn’t like a sandbox / VM . The email was received with a .dat extension, which is what Outlook or the mail server often changes unknown extensions to. This dat file is actually a zip file. It does extract to a .pif and a jpg image file of an invoice. The pif is not a windows shortcut … Continue reading →

A Friday the 13th failure for Agenttesla campaign

Posted on 13 September 2019 7:57 am by Myonlinesecurity13 September 2019 7:57 am

It looks like Friday the 13th is unlucky for this malware bad actor, trying to deliver yet another AgentTesla keylogger / info-stealer because as far as I can tell this malware chain is broken so the victim should not get the payload. WE still see loads of AgentTesla keylogger/ Info-stealer malware campaigns hitting the UK most days. Today is no exception with quite a few so far. I don’t always post them here, unless there is something slightly different or unusual about either the delivery method or the malware itself changes. I just submit to Antivirus companies & most times … Continue reading →

More AgentTesla keylogger campaigns

Posted on 12 September 2019 9:12 am by Myonlinesecurity12 September 2019 9:12 am

WE still see loads of AgentTesla keylogger/ Info-stealer malware campaigns hitting the UK most days. Today is no exception with quite a few so far. I don’t always post them here, unless there is something slightly different or unusual about either the delivery method or the malware itself changes. I just submit to Antivirus companies & most times tweet the details to other security researchers. Today’s other versions are tweeted Here & Here This version today is more noticeable and worth mentioning for several reasons. The alleged sender pricolcargo.com has appeared in the lists of spoofed companies for literally ages, … Continue reading →

AgentTesla keylogger campaigns continue

Posted on 11 September 2019 7:52 am by Myonlinesecurity11 September 2019 7:52 am

WE still see loads of AgentTesla keylogger/ Info-stealer malware campaigns hitting the UK most days. I don’t often post them here, unless there is something slightly different or unusual about either the delivery method or the malware itself changes. I just submit to Antivirus companies & most times tweet the details to other security researchers. Today’s version is very slightly different and pretends to be a Bank Transfer Payment Notification allegedly coming from The Hongkong and Shanghai Banking Limited. The email is the usual junk email that should be blocked by most spam filters. The attachment is a .rar file … Continue reading →

Fake DHL email delivers an unknown keylogger coupled with a phishing scam

Posted on 8 September 2019 10:33 am by Myonlinesecurity9 September 2019 7:15 am

I was extremely surprised to wake up this Sunday Morning to a whole slew of fake DHL delivery notice emails with a macro enabled word doc attachment that eventually downloads some sort of Keylogger. There is some dispute as to what the actual Keylogger is. Some AV on VirusTotal describe it as an AgentTesla generic, whereas Anyrun app calls it Sentinel. I don’t think either are 100% correct. DHL_FORM.doc Current Virus total detections: Anyrun | This malware doc downloads from https://heritagebank.ga/Quotation.exe ( Virustotal) which is behind cloudflare and also is a phishing site for the genuine heritage … Continue reading →

My Online Security

Keep yourself safe online

Tag Archives: spam