Tag Archives: vbs

Gootkit banking Trojan via Fake UKPC parking penalty appeals

My Online Security Posted on by 1

I am hearing about a return of the fake UKPC parking charge appeals scam which has been quiet for about 1 year. At this time I don’t have a copy of the email that was received by the victim, only the link that was in it. I assume the email will be very similar to the ones described in these 2 posts  [1] [2]. UKPC are a nationwide company that controls parking on private property throughout many parts of the UK. They do not ( as far as I can tell) control on street parking on behalf of any Local Continue reading →

Fake Payment receipt vbs drops njrat bladabindi downloads Agent Tesla via Sendspace.

My Online Security Posted on by  

A rather interesting malware campaign from overnight. It all starts with an email pretending to be a payment receipt that contains a .tar attachment which contains a vbs file. As per usual the email is just generic enough to entice a recipient to open it, read it & possibly extract & run the malware file. This is another one of the  files that unless you have “show known file extensions enabled“, can easily be mistaken for  a genuine  DOC / PDF / JPG or other common file instead of the .EXE / .JS/vbs  file it really is, so making it Continue reading →

Fake Court summonses, Judgements, Subpoenas delivering malware

My Online Security Posted on by  

Starting Yesterday evening and continuing steadily all day so far today,  we saw what was supposed to be a malspam campaign with a lure of court summonses. None of the links I followed actually delivered any malware but did instead lead to a zip file that contained the configuration details for the spamming and supposed malware campaign. So somewhere along the line, somebody messed up big time. I am not going to go into this particular one much more, except to say that researchers who are a lot better than me are looking at it & investigating further. We are Continue reading →

fake Google Drive shared documents notification

My Online Security Posted on by 3

Today’s first malspam example is an  email pretending to be a Google drive shared documents notification with the subject of  Documents  coming from UAE Exchange <res@fairviewres.co.uk>   with a link in the email body to download a zip which contains a very large encrypted / encoded/ obfuscated VBS file. I have absolutely no idea what this file does. None of the online sandboxes could tell me anything really useful. I have absolutely no idea how to decode / decrypt or de-obfuscate it. All I can find out is that it contacts shkis.publicvm.com on IP 141.255.155.6 but didn’t appear to respond for me or Continue reading →

Fake HMRC “Important : Outstanding Amount ” delivers Trickbot via CVE-2018-8174

My Online Security Posted on by 3

We have had a break from Trickbot hitting the UK in last week or so, that generally means that the criminals are experimenting with new delivery systems. The reappearance on Monday 25 June 2018 confirms this. I am not sure how successful this new system will be because it uses an exploit CVE-2018-8174 ( which only affected Internet Explorer) which was fixed in May 2018 windows updates, so I doubt there are enough vulnerable systems around that makes this worthwhile continuing with the campaign. Instead of the usual word docs with either macros, embedded ole objects or using the Microsoft Continue reading →

Fake Barclays Secured Message: New Message Received delivers Trickbot via CVE-2018-8174

My Online Security Posted on by  

We have had a break from Trickbot hitting the UK in last week or so, that generally means that the criminals are experimenting with new delivery systems.  The reappearance on Monday 25 June 2018  confirms this. I am not sure how successful this new system will be because it uses an exploit CVE-2018-8174 ( which only affected Internet Explorer) which was fixed in May 2018 windows updates, so I doubt there are enough vulnerable systems around that makes this worthwhile continuing with the campaign.  Instead of the usual word docs with either macros, embedded ole objects or using the Microsoft Continue reading →

Dridex delivered by fake scan pdf attachment via link hidden behind fake recaptcha

My Online Security Posted on by 3

The next in the never ending series of malware downloaders  is an email with the subject of  SCAN_0502_MUVJVDF ( random characters after the 0502)  pretending to come  from random names at sailslowdance.com eventually delivering Dridex banking trojan They use email addresses and subjects that will entice, persuade, scare or shock  a recipient to read the email and open the attachment. These emails have a genuine PDF attachment that when opened looks like this screenshot. The Google recaptcha is fake and is just an image that when clicked leads to a website where you download a 7z ( zip) file. In this example the site was http://witsemehat.net/info/SCAN_0502_5F27.7z You Continue reading →

Account Statement- pineislandweb.com malspam delivers Dridex banking trojan

My Online Security Posted on by  

The next in the never ending series of malware downloaders is an email with the subject of  Account Statement  coming from Morton  Lintern <Morton.2825@pineislandweb.com> delivers  Dridex banking trojan I am also seeing other similar subjects including: Outstanding Statement There will be numerous different versions of this malware coming from random names@pineislandweb.com and very probably a load of other newly created and registered domains sending this banking trojan. Update: we are also seeing different emails with the subject of Scanned image_272744 ( random numbers) coming from random names@teoshandspun.com  31.131.27.171 with links to various google drive urls to download a zip file containing a vbs Continue reading →

Necurs Botnet back after Christmas break. Still delivering Globeimposter ransomware via fake documents.

My Online Security Posted on by 2

After more than a 2 week break for the holidays, Necurs botnet has kicked back into gear tonight.The next in the never ending series of malware downloaders from the Necurs botnet is an email with the subject of  Document No 21941954 ( random numbers)   pretending to come from accounts at your own email address or company domain., delivering Globeimposter ransomware. They use email addresses and subjects that will entice, persuade, scare or shock  a recipient to read the email and open the attachment. tayloredgroup.co.uk has not been hacked or had their email or other servers compromised. They are not sending the emails to you. They are Continue reading →

Formbook trojan delivered by Fake Quotation embedded inside an extremely large VBS file

My Online Security Posted on by 1

Continuing with the never ending series of malware downloaders is an email with the subject of send quotation coming from  Elsayed Yusuf < walll@winsgates.xyz > ( It is highly likely that the Sender name will be different in other versions of this). This delivers Formbook Trojan The most interesting thing about this malware campaign is the VBS file inside the zip. This one is a massive 1.5 MB ( 1582247 bytes )  and contains the Formbook Trojan executable embedded inside it in a base64 format. ( Most mass spammed malware VBS files act as downloaders not droppers and tend to be very small in the Continue reading →