{"id":16350,"date":"2022-07-04T15:18:31","date_gmt":"2022-07-04T15:18:31","guid":{"rendered":"https:\/\/myonlinesecurity.co.uk\/?page_id=16350"},"modified":"2022-07-04T15:18:31","modified_gmt":"2022-07-04T15:18:31","slug":"java-jacksbot-delivered-by-spoofed-western-union-malspam-final-warning-for-sending-limit-breach","status":"publish","type":"page","link":"https:\/\/myonlinesecurity.co.uk\/java-jacksbot-delivered-by-spoofed-western-union-malspam-final-warning-for-sending-limit-breach\/","title":{"rendered":"Java Jacksbot Delivered By Spoofed Western Union Malspam Final Warning For Sending Limit Breach"},"content":{"rendered":"
The next in the never-ending series of malware deliveries is an email with the subject FINAL WARNING FOR SENDING LIMIT BREACH, pretending to come from Western Union \u2013 Agent Support Team <emeagentsupports.westernunion@gmail.com>, which delivers Java Adwind \/ Java Jacksbot. They are using a totally different delivery method today: a download link buried in the email delivers an .exe file, which in turn is renamed to winlogin.exe (posing as a legitimate Windows process) and extracts an embedded java.jar file to run the Jacksbot Trojan.\n
We continue to be plagued daily by these fake financial-themed emails containing Java Adwind or Java Jacksbot attachments. I have previously mentioned many of these HERE. We have been seeing these sorts of emails almost every day. Today\u2019s has a different subject, email content and delivery method from previous ones. From what I can see, until recently many antivirus companies detected these as Java Adwind.\n\nNow they are calling them Java Jacksbot. From what I can see there is almost no difference between the functionality of the two, although Adwind tends to have a smaller file size. Many antivirus engines on VirusTotal detect these heuristically.\n\nMake Note: Java Adwind \/ Java Jacksbot are both very dangerous remote access backdoor Trojans that have cross-OS capabilities and can potentially run on and infect any computer or operating system, including Windows, Apple Mac, Android and Linux. They can, however, only be active or infect you if you have Sun \/ Oracle Java installed.\n\nAlong with most security professionals, I strongly urge you to uninstall Java and not use it unless you have a pressing need for it. The majority of domestic (home) users and small businesses have no need for Java on their computers. This Article from a couple of years ago explains why you should remove it. If you cannot remove it then it must be kept up to date, and you must be extremely careful with what you download or open.\n\nThey use email addresses and subjects that will entice a user to read the email and open the attachment.
A very high proportion are being targeted at small and medium-sized businesses, with the hope of getting a better response than they do from consumers.\n\n18 November 2016: Exceeded Limit Spreadsheet.exe. Current VirusTotal detections: Payload Security shows lots of files being dropped \/ extracted from this file, which renames itself to winlogin.exe and in turn drops a multitude of identical XML files and a java.jar file, which is Java Jacksbot (VirusTotal).\n\nOne of the emails looks like:\n\nFrom: Western Union \u2013 Agent Support Team <emeagentsupports.westernunion@gmail.com>\n\nDate: Fri 18\/11\/2016 07:17\n\nSubject: FINAL WARNING FOR SENDING LIMIT BREACH.\n\nAttachment: see links\n\nBody content:\n\n