Tag Archives: Trickbot

malspam email GDS – New Fax Message delivers malware

My Online Security Posted on by  

An email with the subject of  GDS – New Fax Message pretending to come from GDS Fax <service@gov-fax.co.uk> with a malicious word doc containing macros which downloads what looks like Trickbot banking Trojan from the IP addresses it connects to, although VirusTotal are showing conflicting detections where a couple are detecting it as Cerber ransomware. I am not seeing the usual hundreds of connections that Cerber traditionally uses. They are using email addresses and subjects that will scare or entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium Continue reading →

malspam email Payment has been made delivers Trickbot banking Trojan

My Online Security Posted on by  

An email with the subject of Payment has been made -9999 ( random number)  pretending to come from  random names @ random companies with a malicious word doc attachment delivers Trickbot banking Trojan. Trickbot is the successor to Dyre / Dyreza banking Trojan They are using email addresses and subjects that will scare or entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers. None of the companies alleged to be the senders or mentioned in the Continue reading →

Important – New fax received malspam delivers Trickbot banking trojan

My Online Security Posted on by 2

A slightly unusual  email with the subject of  Important – New fax received pretending to come from Administrator <Administrator@internalfax.net> or  Administrator <Administrator@internalfax.com> with either a malicious word doc attachment  or a zip file containing a .js file which downloads Trickbot banking Trojan. It is very unusual to see the same banking Trojan, (although different versions )   being malspammed out concurrently, using the same email template but different file attachments and coming from 2 almost identical domains  a .net and a.com They are using email addresses and subjects that will scare or entice a user to read the email and open the attachment. Continue reading →

Document from random name at your own email domain malspam delivers trickbot banking Trojan

My Online Security Posted on by  

An email with the subject of Document from random name  pretending to come from  random name <random.name@victim domain.tld> with a malicious word doc attachment delivers a trickbot banking Trojan ( the successor to Dyre) . This uses a somewhat complicated method of delivery to try to bypass antivirus and content protection, but basically the macro inside the word doc creates a lnk file,  calls on powershell to run the lnk file which connects to the web server to download a file, which is in turn renamed, moved & autorun by the powershell instruction inside the macro. The alleged senders name matches the subject line, the name Continue reading →

ACH Payment Notification malspam delivers trickbot / dyre banking Trojan

My Online Security Posted on by 1

The next in the never ending series of malware downloaders is an email with the subject of  ACH Payment Notification pretending to come from ap_vendor_pay2@bankofamerica.com with a  with a random named / numbered  zip attachment  containing a .scr file. The icon on this SCR file looks like an adobe PDF icon. so any recipient that has windows set by default to NOT show file extensions will think this is a pdf  and unwittingly open it and get infected with this dangerous banking Trojan and have all their money stolen They use email addresses and subjects that will entice a user to read Continue reading →