Tag: spam | My Online Security

Agent Tesla Keylogger via fake new Order using Equation Editor RTF exploit

Posted on 17 October 2018 11:07 am by Myonlinesecurity17 October 2018 11:07 am

Something slightly different to start with this morning. There is nothing special about the email lure, but the attached word doc seems to be a bit different to the ones we are used to seeing with equation editor exploits. I don’t know if this is a different or unknown exploit using Microsoft Equation editor or whether it has anti-sandbox / Anti-VM protections. It definitely behaved very differently to the usual behaviour in the online sandboxes. Neither Anyrun nor Hybrid analysis were initially actually able to retrieve any working malicious content, although they did both show the initial download link ( … Continue reading →

trickbot via Fake HMRC “Month End Report Sep 2018.xls ” email

Posted on 10 October 2018 11:22 am by Myonlinesecurity10 October 2018 11:22 am 3

This example is an email containing the subject of “Month End Report Sep 2018.xls ” pretending to come from HMRC but actually coming from “Brenda.Kimbell@hrmc-reports.co.uk” which is a look-a-like, typo-squatted or other domain that can easily be misidentified, mistaken or confused with the genuine site, with a malicious Excel Spreadsheet attachment is today’s latest spoof of a well-known company, bank or public authority delivering Trickbot banking Trojan You can now submit suspicious sites, emails and files via our Submissions system Email Details From: Brenda Kimbell <Brenda.Kimbell@hrmc-reports.co.uk> Date: Tue 24/07/2018 13:26 Subject: Month End Report Sep 2018.xls Attachment: Month End Report Sep 2018.xls Body … Continue reading →

trickbot via “New fax message” malspam

Posted on 5 October 2018 12:08 pm by Myonlinesecurity5 October 2018 12:08 pm 1

This example is an email containing the subject of “New fax message” coming from “noreply@confidentialfax.com ” . For a change the Trickbot criminals are not spoofing or typo-squatting any well known brand, company or Government department. Instead they are using a generic domain that looks realistic & believable. They have also added the recipients email address into the body of the email to make it look more personalised and possibly more likely to be opened & read. You can now submit suspicious sites, emails and files via our Submissions system Email Details From: Confidential Fax <noreply@confidentialfax.com> Date: Fri 05/10/2018 11:27 Subject: New fax … Continue reading →

Trickbot via Fake HSBC “Incoming high value CHAPS payments” emails

Posted on 4 October 2018 1:15 pm by Myonlinesecurity4 October 2018 1:15 pm 2

This example is an email containing the subject of “Incoming high value CHAPS payments” pretending to come from HSBC but actually coming from “Olivia.Brown@hsbcemail.net” which is a look-a-like, typo-squatted or other domain that can easily be misidentified, mistaken or confused with the genuine site, with a malicious word doc attachment is today’s latest spoof of a well-known company, bank or public authority delivering Trickbot banking Trojan There is something different about the network connections being shown in the Anyrun report today. It looks like Trickbot might have updated with new modules and injects. You can now submit suspicious sites, emails and files via … Continue reading →

trickbot via Fake Lloyds bank “Reference: BACS09280981 ” malspam emails

Posted on 3 October 2018 12:32 pm by Myonlinesecurity3 October 2018 12:32 pm

A nice simple, straightforward Trickbot campaign hitting UK this Morning. This example is an email containing the subject of “Reference: BACS09280981 ” pretending to come from Lloyds Bank but actually coming from “O.Wilson@lloydsbankcorp.co.uk” which is a look-a-like, typo-squatted or other domain that can easily be misidentified, mistaken or confused with the genuine site, with a malicious excel spreadsheet attachment is today’s latest spoof of a well-known company, bank or public authority delivering Trickbot banking Trojan. At least today they have made a bit of an effort & given us a spreadsheet that almost looks like it might contain information if you are unwise … Continue reading →

Trickbot via Fake Bank Of America Secure Message

Posted on 3 October 2018 5:39 am by Myonlinesecurity3 October 2018 5:39 am 4

A bit of a change with the Trickbot delivery system with this example. Instead of directly attaching a malicious macro enabled word doc or other Microsoft Office file to the email, it instead has a html attachment and a link in the email body that when opened shows a web page that looks like a secure message with another link to download the malicious word doc. By the time I received the email and investigated, the website was down & not responding. I did manage to find a copy that somebody else had uploaded to VirusTotal and Anyrun and went … Continue reading →

trickbot still being delivered by fake payroll emails

Posted on 2 October 2018 2:22 pm by Myonlinesecurity2 October 2018 2:22 pm

We have had just over a one week break from Trickbot being distributed via Malspam and Spear phishing style emails. But it is a new month and the Trickbot gang have their quotas to meet, so they are back with their usual malspam campaigns. They continue to imitate well known companies dealing with Payrolls or other financial matters in the UK again today with this example. They are continuing to use Excel spreadsheet attachments instead of word docs again this week. They are trying to make the email slightly more believable by personalising the subject and adding the recipient’s email … Continue reading →

My Online Security

Keep yourself safe online

Tag Archives: spam