Some changes to malicious RTF docs delivering Hawkeye

I am seeing a few changes today from the scumbags who are distributing the Hawkeye Keylogger Trojan. The email template is a typical fake Purchase Order with a malicious Word doc attachment. The Word doc is actually an RTF that uses the CVE-2017-118…

megalodon delivered via fake purchase oder via compromised Godaddy DNS settings

A slightly interesting and unusual malware delivery to report first today. First we note the spelling mistake in the subject line “Purchase Oder”, then the body content when the email is delivered to the prospective victim. Please read the …

Fake Payment Receipt delivers Nanocore RAT malware

We frequently see this sort of generic malicious spam email with an Office file attachment that acts as a downloader for all sorts of malware. Today’s example is an email with the subject of [Your Email Address] RE:Payment Receipt for your refere…

Malware using Excel XLAM Excel Macro enabled addins to bypass protections

We have been noticing a change in the malware delivery pattern with Lokibot (and possibly other malware) over the last few days. Instead of using the more normal Excel file extensions like XLS or XLSX they have started to use .XLAM extensions. Accord…

Fake DHL READ : (DHL Express) -Delivery Address Confirmation delivers Remcos Rat

Yet another fake or spoofed DHL delivery notification, delivering what today turns out to be Remcos RAT. An email with the subject of “READ : (DHL Express) -Delivery Address Confirmation” pretending to come from dhlSender@dhl.com <nore…

Spyware Pushers Modify Equation Editor Exploit to Bypass AV Detection

In a case that shows you can teach an old exploit new tricks, a group of attackers who push information-stealing malware modified a well-known exploit in a way that bypasses detection by most antivirus programs. The incident was reported by researc…

Agent Tesla Keylogger via fake new Order using Equation Editor RTF exploit

Something slightly different to start with this morning. There is nothing special about the email lure, but the attached Word doc seems to be a bit different to the ones we are used to seeing with Equation Editor exploits. I don’t know if this …

Urgent Order for october Shipment needed delivers Pony / Fareit

Nothing exceptionally special about this malware campaign delivering the Pony / Fareit trojan. An email with the subject of “Urgent Order for october Shipment needed” pretending to come from AL-HASSANA TRADING LTD <info@al-hassana.com>…