Following on from my slightly earlier post about Lokibot, this is yet another version with 2 XLS spreadsheet attachments coming in a fake Overdue Invoices November – December 2018 email. This version uses CVE-2017-11882, or is trying to, but only 1 of the attachments actually worked properly in Anyrun to download & deliver the payload. I don’t know what is wrong with the other version; it looks just about identical, although it has a slightly different file size. Both copies display a multi-page spreadsheet, pretending to be a shipping quotation / invoice from Maersk shipping lines. This one actually arrived earlier …