Collaborate Disseminate
I am seeing changes to the password protected word docs campaign we have been seeing for ages. I am not sure what malware payload we are getting today. It looks different to all the usual previous ones. Last week they changed from Nymaim to IceD. They … Continue reading Password Protected word docs malware campaigns continue
I am seeing a new malware campaign this morning hitting UK abusing google docs. So far I can’t get the final payload, so I don’t know what it is supposed to be. I have had intermittent luck with getting the vbs file inside a zip. Sometimes … Continue reading Fake Order data Malware campaign abusing Google docs
We see lots of phishing attempts . This one is much better done than the majority of others we see. This pretends to be an email from We Transfer which is a service used to send files to other users. Basically a file sharing service, where you upload … Continue reading Fake Someone sent you a file via WeTransfer- Phishing
This is slightly more difficult post than usual to write. We have been seeing large email based malware campaigns over the last few days. All the emails are coming from a handful of hosting companies/ servers either in Russia, Ukraine or India. So f… Continue reading Massive email based malware campaigns using possibly compromised Godaddy name servers
We are seeing a fairly large Ursnif /Gozi /ISFB campaign hitting the UK since Yesterday. Earlier we saw a Brexit theme and now we are seeing emergency exit notices. The subject this time is consistent in all versions “Urgent to all residents of … Continue reading Urgent to all residents of the building email delivers Ursnif
We are seeing a fairly large Ursnif /Gozi /ISFB campaign hitting the UK since Yesterday. The criminals are using the theme of Brexit which is very topical in UK ( and the rest of Europe) at the moment. There are numerous subjects all with Brexit somew… Continue reading Large Ursnif campaign hitting UK using Brexit as lure
We are still seeing a lot of Lokibot hitting the UK. We don’t bother to post about most of them, because the subjects & emails are so generic that there normally is nothing particularly identifiable about them. However overnight we received a… Continue reading Fake UNILEVER PURCHASE ORDER #091223 for acknowledgement delivers Lokibot
This example is today’s latest spoof or imitation of a well-known company, bank or public authority delivering Trickbot banking Trojan. The email with the subject of “Payment Advice Ref: 2 / Customer Ref: P” pretends to come from HSBC but a… Continue reading trickbot via fake HSBC Payment Advice
We are seeing an Ursnif /Gozi /ISFB campaign hitting the UK since yesterday. I was first alerted by this Twitter post. I started to investigate quickly last night and several much better researchers and analysts have taken over and found much more deta… Continue reading Ursnif campaign hitting UK imitating well known companies
Seeing some changes to Lokibot with this malware delivery campaign overnight. I don’t know if it is a complete change to the C2 url naming convention or whether it is only this particular actor using a different C2 url naming convention. Genera… Continue reading Lokibot campaigns continue with some changes to C2 urls