GreenLand Consulting Unpaid Issue No. 14599 – JS malware leads to teslacrypt

Last revised or Updated on: 10th March, 2016, 5:17 PM

An email with the subject of GreenLand Consulting Unpaid Issue No. 14599 [random numbered], pretending to come from random names and email addresses, with a zip attachment is another one from the current bot runs which downloads Teslacrypt. They use email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, in the hope of getting a better response than they do from consumers. Update: Hybrid Analysis screenshots show it as Locky ransomware, which is weird because the websites that are being used to download the ransomware and the file naming convention have …

Attached File / Doc / Document pretending to come from scanner /printer at your own domain – JS malware leads to Locky Ransomware

Last revised or Updated on: 10th March, 2016, 10:22 AM

An email with the subject of Attached File / Attached Doc / Attached Document, pretending to come from a scanner or printer at your own domain, with a zip attachment is another one from the current bot runs which downloads what looks like the Dridex banking Trojan. EDIT: it is Locky ransomware, not Dridex. They use email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, in the hope of getting a better response than they do from consumers. The attachment name is created from the recipient's email address and 2 sets of random numbers …

random invoice or bill – word doc macro leads to unknown malware

Last revised or Updated on: 10th March, 2016, 9:46 AM

An email with random invoice or bill subjects, coming from random names and email addresses, with a malicious Word doc attachment is another one from the current bot runs which try to download various Trojans and password stealers, especially banking Trojans like Dridex or Dyreza and ransomware like Locky, Cryptolocker or Teslacrypt. They are using email addresses and subjects that will scare or entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, in the hope of getting a better response than they do from consumers. A high proportion of these are not getting caught by the spam or content filters because they pass …

random named doc pretending to come from admin at your own domain – JS malware leads to ransomware

Last revised or Updated on: 9th March, 2016, 1:18 PM

An email with the subject of DOC-AA25400B [random numbered], pretending to come from admin <adm323@victim_domain.tld> (the numbers after adm are random; the domain is your own email domain), with a zip attachment is another one from the current bot runs which downloads Locky ransomware. They use email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, in the hope of getting a better response than they do from consumers.

The email looks like:

From: admin <adm323@victim_domain.tld>
Date: Wed 09/03/2016 12:05
Subject: DOC-AA25400B
Attachment: DOC-AA25400B.zip
Body content: Totally blank body content
Screenshot: NONE

These malicious attachments normally …

FW: Invoice 2016-M#184605 – JS malware leads to Locky Ransomware

Last revised or Updated on: 9th March, 2016, 11:51 AM

An email saying "Please find attached 2 invoices for processing" with the subject of FW: Invoice 2016-M#184605 [random numbered], coming from random names and email addresses, with a zip attachment is another one from the current bot runs which downloads Locky ransomware. They use email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, in the hope of getting a better response than they do from consumers. The name of the account manager matches the alleged sender. The invoice number matches the attachment number.

The email looks like:

From: Ann Guerrero <GuerreroAnn36420@ono.com>
Date: Wed 09/03/2016 10:38 …

Voice Message Attached from +44163311902 – name unavailable inclarity voicemail – JS malware leads to Dridex

Last revised or Updated on: 9th March, 2016, 10:33 AM

An email with the subject of Voice Message Attached from +44163311902 – name unavailable [random numbered], pretending to come from voicemail <voicemail@inclarity.net>, with a zip attachment is another one from the current bot runs which downloads Dridex banking malware. They use email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, in the hope of getting a better response than they do from consumers. The telephone number in the subject line changes with each email, but all start with +44163, and it matches the first part of the attachment name. The email looks …
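The three zip-attachment runs above (the scanner/printer lure from your own domain, the adm###@victim_domain.tld DOC-xxxxxxxx lure with an empty body, and the +44163 voicemail lure whose number leads the attachment name) share a handful of header-level tells that a mail gateway can check before the user ever sees the zip. The script below is an added example, not code from this blog, showing those checks run over a few constructed messages. Assumptions: the victim domain is example.com, the messages are inbound from outside the organisation (so a sender at your own domain is a spoof rather than internal mail), the scanner-lure attachment name starts with the recipient's mailbox name (the page only says it is built from the recipient address plus random numbers), the voicemail attachment may or may not carry the leading "+", and the list of script extensions to flag inside a zip is the author's own choice.

```python
"""Added example: flag header-level indicators of the zip/JS spam runs described above."""
import io
import re
import zipfile
from email.utils import parseaddr

# Assumed: script types worth flagging when found inside a zip attachment
SCRIPT_EXTS = (".js", ".jse", ".wsf", ".vbs")
OWN_DOMAIN = "example.com"  # assumed victim domain


def make_zip(members):
    """Build an in-memory zip (constructed sample data) from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def script_members(blob):
    """Names of script files inside a zip blob; [] if the blob is not a zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(SCRIPT_EXTS)]
    except zipfile.BadZipFile:
        return []


def indicators(msg, own_domain):
    """Return the list of indicator names that fire for one inbound message."""
    hits = []
    sender = parseaddr(msg["from"])[1].lower()
    local, _, domain = sender.rpartition("@")
    recipient_local = parseaddr(msg["to"])[1].lower().split("@")[0]
    subject = msg.get("subject", "")
    attach = msg.get("attachment_name", "")

    # Inbound mail whose sender claims the recipient's own domain (scanner/admin lures)
    if domain == own_domain.lower():
        hits.append("sender spoofs own domain")
        # Assumed naming: attachment built from the recipient's mailbox name
        if attach.lower().startswith(recipient_local):
            hits.append("attachment named after recipient")

    # adm### sender, DOC-XXXXXXXX subject reused as the attachment name, blank body
    if (re.fullmatch(r"adm\d+", local) and re.fullmatch(r"DOC-[A-Z0-9]{8}", subject)
            and attach == subject + ".zip" and not msg.get("body", "").strip()):
        hits.append("admin DOC-xxxxxxxx lure")

    # Voicemail lure: the +44163... number in the subject also leads the attachment name
    m = re.search(r"Voice Message Attached from (\+44163\d+)", subject)
    if m and attach.lstrip("+").startswith(m.group(1).lstrip("+")):
        hits.append("inclarity voicemail lure")

    # Any zip attachment that carries a script file
    scripts = script_members(msg.get("attachment_data", b""))
    if attach.lower().endswith(".zip") and scripts:
        hits.append("zip contains script: " + ",".join(scripts))
    return hits


# Constructed messages modelled on the runs described above (not real captures)
SAMPLES = [
    {"from": "scanner <scanner@example.com>", "to": "alice@example.com",
     "subject": "Attached Document", "attachment_name": "alice_4821_10932.zip",
     "attachment_data": make_zip({"alice_4821_10932.js": b"var x=1;"}),
     "body": "Please see attached."},
    {"from": "admin <adm323@example.com>", "to": "alice@example.com",
     "subject": "DOC-AA25400B", "attachment_name": "DOC-AA25400B.zip",
     "attachment_data": make_zip({"DOC-AA25400B.js": b"var y=2;"}), "body": ""},
    {"from": "voicemail <voicemail@inclarity.net>", "to": "alice@example.com",
     "subject": "Voice Message Attached from +44163311902 - name unavailable",
     "attachment_name": "+44163311902.zip",
     "attachment_data": make_zip({"44163311902.js": b"var z=3;"}), "body": "..."},
    {"from": "Bob <bob@partner.example>", "to": "alice@example.com",
     "subject": "Minutes", "attachment_name": "minutes.zip",
     "attachment_data": make_zip({"minutes.pdf": b"%PDF-1.4"}), "body": "Attached."},
]


def triage(samples=SAMPLES, own_domain=OWN_DOMAIN):
    """Run the indicator checks over every sample; one hit list per message."""
    return [indicators(m, own_domain) for m in samples]


if __name__ == "__main__":
    for m, hits in zip(SAMPLES, triage()):
        print(m["subject"], "->", hits or "clean")
```

The own-domain check only makes sense at the perimeter: apply it to mail that arrived from an external MTA (or that fails SPF/DKIM for your domain), otherwise every internal message will trip it. The zip inspection is the one check that does not depend on the lure wording, so it is the one most worth keeping once this particular run has moved on to new subjects.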

DOC-Z21193008 Idris Mohammed – word doc malware leads to Dridex

Last revised or Updated on: 9th March, 2016, 10:21 AM

An email with the subject of DOC-Z21193008, pretending to come from Idris Mohammed <idrismohammed29@gmail.com> (random numbers after idrismohammed), with a malicious Word doc attachment is another one from the current bot runs which try to download various Trojans and password stealers, especially banking Trojans like Dridex or Dyreza and ransomware like Locky, Cryptolocker or Teslacrypt. They are using email addresses and subjects that will scare or entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, in the hope of getting a better response than they do from consumers.

The email looks like:

From: Idris Mohammed <idrismohammed29@gmail.com>
Date: Wed …

Urgent Purchase Order Powershell exploit malware

Last revised or Updated on: 9th March, 2016, 10:12 AM

An email with the subject of Urgent Purchase Order, pretending to come from A. Mohammed <magani@vertexgroup-bd.com> (probably random email addresses), with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers, especially banking credential stealers, which may include Cridex, Dridex, Dyreza and various Zbots, Cryptolocker, ransomware and loads of other malware onto your computer. They use email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, in the hope of getting a better response than they do from consumers.

The email looks like:

From: A. Mohammed …

Invoice #96187656 for your Order – JS malware leads to Teslacrypt ransomware

Last revised or Updated on: 9th March, 2016, 7:49 AM

An email with the subject of Invoice #96187656 for your Order [random numbered], pretending to come from Finance Information (random email addresses), with a zip attachment is another one from the current bot runs which downloads Teslacrypt ransomware. They use email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, in the hope of getting a better response than they do from consumers. I have only seen 1 copy of this so far this morning, so I have no idea if wavenet group is being spoofed in all the emails using …

American Express Account Alert: Personal Safe Key (PSK) – Phishing

Last revised or Updated on: 9th March, 2016, 7:27 AM

We are seeing a mass run of phishing emails spoofing American Express saying "Please create your Personal Security Key". There are 3 sites so far discovered that attempt to perform this phishing attack:

http://americanexpressnew2016.com/login
http://americanexpressglobal.com/login
http://axpoglobalverify.com/login

Currently all 3 sites fail to resolve from a UK IP address. They were all registered yesterday, 8 March 2016, via Todaynic.com using Chinese details which I assume are false. The name servers associated with the domains are DNS1.NEWSITEDNS2.RU and DNS2.NEWSITEDNS2.RU. Edit: after a bit of digging around, it appears that NEWSITEDNS2.RU has previously been used for Amex and other bank phishing attacks. It is suggested that you block their IP numbers to prevent further and …