Tag Archives: vbs

fake Google Drive shared documents notification

My Online Security Posted on by 3

Today’s first malspam example is an  email pretending to be a Google drive shared documents notification with the subject of  Documents  coming from UAE Exchange <res@fairviewres.co.uk>   with a link in the email body to download a zip which contains a very large encrypted / encoded/ obfuscated VBS file. I have absolutely no idea what this file does. None of the online sandboxes could tell me anything really useful. I have absolutely no idea how to decode / decrypt or de-obfuscate it. All I can find out is that it contacts shkis.publicvm.com on IP 141.255.155.6 but didn’t appear to respond for me or Continue reading →

Fake HMRC “Important : Outstanding Amount ” delivers Trickbot via CVE-2018-8174

My Online Security Posted on by 3

We have had a break from Trickbot hitting the UK in last week or so, that generally means that the criminals are experimenting with new delivery systems. The reappearance on Monday 25 June 2018 confirms this. I am not sure how successful this new system will be because it uses an exploit CVE-2018-8174 ( which only affected Internet Explorer) which was fixed in May 2018 windows updates, so I doubt there are enough vulnerable systems around that makes this worthwhile continuing with the campaign. Instead of the usual word docs with either macros, embedded ole objects or using the Microsoft Continue reading →

Fake Barclays Secured Message: New Message Received delivers Trickbot via CVE-2018-8174

My Online Security Posted on by  

We have had a break from Trickbot hitting the UK in last week or so, that generally means that the criminals are experimenting with new delivery systems.  The reappearance on Monday 25 June 2018  confirms this. I am not sure how successful this new system will be because it uses an exploit CVE-2018-8174 ( which only affected Internet Explorer) which was fixed in May 2018 windows updates, so I doubt there are enough vulnerable systems around that makes this worthwhile continuing with the campaign.  Instead of the usual word docs with either macros, embedded ole objects or using the Microsoft Continue reading →

Dridex delivered by fake scan pdf attachment via link hidden behind fake recaptcha

My Online Security Posted on by 3

The next in the never ending series of malware downloaders  is an email with the subject of  SCAN_0502_MUVJVDF ( random characters after the 0502)  pretending to come  from random names at sailslowdance.com eventually delivering Dridex banking trojan They use email addresses and subjects that will entice, persuade, scare or shock  a recipient to read the email and open the attachment. These emails have a genuine PDF attachment that when opened looks like this screenshot. The Google recaptcha is fake and is just an image that when clicked leads to a website where you download a 7z ( zip) file. In this example the site was http://witsemehat.net/info/SCAN_0502_5F27.7z You Continue reading →

Account Statement- pineislandweb.com malspam delivers Dridex banking trojan

My Online Security Posted on by  

The next in the never ending series of malware downloaders is an email with the subject of  Account Statement  coming from Morton  Lintern <Morton.2825@pineislandweb.com> delivers  Dridex banking trojan I am also seeing other similar subjects including: Outstanding Statement There will be numerous different versions of this malware coming from random names@pineislandweb.com and very probably a load of other newly created and registered domains sending this banking trojan. Update: we are also seeing different emails with the subject of Scanned image_272744 ( random numbers) coming from random names@teoshandspun.com  31.131.27.171 with links to various google drive urls to download a zip file containing a vbs Continue reading →

Necurs Botnet back after Christmas break. Still delivering Globeimposter ransomware via fake documents.

My Online Security Posted on by 2

After more than a 2 week break for the holidays, Necurs botnet has kicked back into gear tonight.The next in the never ending series of malware downloaders from the Necurs botnet is an email with the subject of  Document No 21941954 ( random numbers)   pretending to come from accounts at your own email address or company domain., delivering Globeimposter ransomware. They use email addresses and subjects that will entice, persuade, scare or shock  a recipient to read the email and open the attachment. tayloredgroup.co.uk has not been hacked or had their email or other servers compromised. They are not sending the emails to you. They are Continue reading →

Formbook trojan delivered by Fake Quotation embedded inside an extremely large VBS file

My Online Security Posted on by 1

Continuing with the never ending series of malware downloaders is an email with the subject of send quotation coming from  Elsayed Yusuf < walll@winsgates.xyz > ( It is highly likely that the Sender name will be different in other versions of this). This delivers Formbook Trojan The most interesting thing about this malware campaign is the VBS file inside the zip. This one is a massive 1.5 MB ( 1582247 bytes )  and contains the Formbook Trojan executable embedded inside it in a base64 format. ( Most mass spammed malware VBS files act as downloaders not droppers and tend to be very small in the Continue reading →

Another Necurs mistake tries to deliver globeimposter ransomware but fails

My Online Security Posted on by  

The Necurs botnet has messed up again today.  The next in the never ending series of malware downloaders is an email with the subject of  Scan pretending to come from random names and email addresses. However the apprentice dealing with the botnet while everybody else is taking part in Christmas parties has misconfigured the emails, so the attachment appears as a base64 text content in the email rather than as an attachment. It is trivially easy to decode the base64 section, create the 7z file & extract the vbs to get the Globeimposter ransomware they are attempting to deliver. Over the Continue reading →

Globeimposter ransomware continues to be delivered via Necurs botnet using fake scanner or printer messages

My Online Security Posted on by  

The next in the never ending series of malware  downloaders from the Necurs botnet  is an email with the subject of   Message from “G10PR0378651.victimsdomain.com”   pretending to come from random names at your own email address or company domain. They use email addresses and subjects that will entice, persuade, scare or shock  a recipient to read the email and open the attachment. Once again the criminal gang sending these have partially shot themselves in the foot, trying to be clever & bypassing filters. The attachment says it is a zip file but is actually a 7z file renamed to zip. This has the effect of many Continue reading →

Necurs trying to deliver Globeimposter ransomware via fake invoices with broken attachments

My Online Security Posted on by  

The next in the never ending series of downloaders coming from the Necurs botnet  is an email with the subject of  12_Invoice_6856 ( random numbers)  coming from random email addresses. They use email addresses and subjects that will entice, persuade, scare or shock  a recipient to read the email and open the attachment. As usual these criminals are trying to be too clever in avoiding detection and making a total mess up of the malware delivery. The bland email has what pretends to be a word doc attachment. It is NOT a word doc but a wrongly named .7z ( zip) file. If Continue reading →