Document1 pretending to come from your own email address – JS malware leads to Locky ransomware

Last revised or Updated on: 16th March, 2016, 12:21 PM

A blank/empty email with the subject of Document1, pretending to come from your own email address and sent to your own email address, with a zip attachment is another one from the current bot runs which downloads Locky ransomware. They use email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers.

The email looks like:
From: your own email address
Date: Wed 16/03/2016 11:58
Subject: Document1
Attachment: Document1.zip
Body content: totally blank
Screenshot: NONE

These malicious attachments normally have a password …

Unpaid Invoice – word doc macro malware

Last revised or Updated on: 16th March, 2016, 11:52 AM

An email with the subject of Unpaid Invoice pretending to come from Dave.Maule@tiscali.co.uk (probably random) with a malicious word doc attachment is another one from the current bot runs which try to download various Trojans and password stealers, especially banking Trojans like Dridex or Dyreza and ransomware like Locky, Cryptolocker or Teslacrypt. They are using email addresses and subjects that will scare or entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers.

The email looks like:
From: Dave.Maule@tiscali.co.uk
Date: Wed 16/03/2016 11:08
Subject: Unpaid Invoice
Attachment: …

Bestellung 69376 david.favella123@buhlergroup.com – JS malware leads to Dridex or locky

Last revised or Updated on: 16th March, 2016, 11:54 AM

An email written partly in English and partly in German, supposedly from Buhler group, with the subject of Bestellung 69376 [random numbered] pretending to come from david.favella654@buhlergroup.com (random numbers after david.favella) with a zip attachment is another one from the current bot runs which downloads either the Dridex banking Trojan or Locky ransomware. They use email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers.

Update: I am reliably informed this is Locky ransomware, not the Dridex banking Trojan.

The …

Your order summary from 365 Electrical Order number: 93602 – word doc macro malware – delivers Dridex

Last revised or Updated on: 16th March, 2016, 11:03 AM

An email saying Thank you for shopping with 365 Electrical, with the subject of Your order summary from 365 Electrical. Order number: 93602 (random numbers), coming from random names and email addresses with a malicious word doc attachment is another one from the current bot runs which try to download various Trojans and password stealers, especially banking Trojans like Dridex or Dyreza and ransomware like Locky, Cryptolocker or Teslacrypt. They are using email addresses and subjects that will scare or entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than …

Dropbox spreading malware via spoofed emails about orders – fake PDF malware

Last revised or Updated on: 15th March, 2016, 1:41 PM

Continuing on from these earlier malspam runs [1] [2], we now have a series of emails with the basic subject of orders, pretending to come from different companies, with a link to Dropbox to download a zip attachment. This is another one from the current bot runs which try to download various Trojans and password stealers, especially banking credential stealers, which may include Cridex, Dridex, Dyreza and various Zbots, Cryptolocker, ransomware and loads of other malware on your computer. They use email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than …

Itinerary #13B0B450E no-reply@clicktravel.com – JS malware leads to locky ransomware

Last revised or Updated on: 15th March, 2016, 12:09 PM

An email with the subject of Itinerary #13B0B450E [random numbered] pretending to come from no-reply@clicktravel.com with a zip attachment is another one from the current bot runs which downloads Locky ransomware. They use email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers. At least this one has almost believable content, and an attachment and sender that match. It looks like a new Dridex / Locky email creator has appeared on the scene.

The email looks like:
From: no-reply@clicktravel.com
Date: Tue 15/03/2016 10:44
Subject: …

Document Enclosed – fake PDF malware

Last revised or Updated on: 15th March, 2016, 11:56 AM

I haven’t seen a good old fashioned malware spreading email like this one in ages, and today we get what looks like the start of a return to the “good old days”, with full blown malware being malspammed out as an attachment rather than .JS files or Word docs being used to download malware from websites. It is a refreshing change to see the bad actors reverting to these old fashioned, simple social engineering tricks. An email with the subject of Document Enclosed pretending to come from Ka2521@hotmail.co.uk with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers, especially banking credential …

photo,my photo,image,pic Sent from my iPhone – fake jpg malware

Last revised or Updated on: 15th March, 2016, 11:30 AM

I haven’t seen a good old fashioned malware spreading email like this one in ages. It is a refreshing change to see the bad actors reverting to these old fashioned social engineering tricks, pretending to send a photo from their iPhone. An email with the subject of photo,my photo,image,pic pretending to come from lyle.house@hotmail.co.uk (probably random addresses) with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers, especially banking credential stealers, which may include Cridex, Dridex, Dyreza and various Zbots, Cryptolocker, ransomware and loads of other malware on your computer. They use email addresses and subjects that will entice a user to read the email …

Insufficient Funds Transaction ID:12719734 – JS malware leads to Teslacrypt

Last revised or Updated on: 15th March, 2016, 8:03 AM

The ransomware bots seem to have settled on a generic financial theme so far this week. The most recent one is an email with the subject of Insufficient Funds Transaction ID:12719734 [random numbered], coming from random names and email addresses with a zip attachment; it is another one from the current bot runs which downloads Teslacrypt. They use email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers. The attachments all have a 2 part naming convention. They start with a …

Incoming Transaction Declined ID: 21287178 – JS malware leads to teslacrypt

Last revised or Updated on: 14th March, 2016, 11:30 PM

An email with the subject of Incoming Transaction Declined ID: 21287178 [random numbered], coming from random names and email addresses with a zip attachment is another one from the current bot runs which downloads Teslacrypt. They use email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers.

The email looks like:
From: random names & email addresses
Date: Mon 14/03/2016 23:19
Subject: Incoming Transaction Declined ID: 21287178
Attachment: confirmation_30816188.zip
Body content:
Your Purchase
Sender’s Details: 21287178
Amount: USD123,75
ACH Routing / Transit Number: …