FedEx Problems with item delivery, n.00196222 Shawn Maddox – JS malware leads to ransomware

Last revised or updated on: 18th March, 2016, 6:56 AM

An email with the subject of FedEx_00196222.zip, pretending to come from mogotoys@server.robo-apps.com on behalf of FedEx 2Day <shawn.maddox@mogotoys.com>, with a zip attachment is another one from the current bot runs which downloads ransomware. They use email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers.

The email looks like:

From: mogotoys@server.robo-apps.com; on behalf of; FedEx 2Day <shawn.maddox@mogotoys.com>
Date: Fri 18/03/2016 02:49
Subject: Problems with item delivery, n.00196222
Attachment: FedEx_00196222.zip

Body content:

Dear Customer,

Your parcel has arrived at March 15. Courier was …

PDFPart2.pdf Sent from my Samsung Galaxy Note 4 – powered by Three – JS malware leads to Locky ransomware

Last revised or updated on: 17th March, 2016, 1:36 PM

An email with the subject of PDFPart2.pdf, pretending to come from Administrator (admin@ your own email domain), with a zip attachment is another one from the current bot runs which downloads Locky ransomware. They use email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers.

Almost all of these are misconfigured and broken and look like this when received in an email client. Some email servers will fix the misconfiguration and deliver a working email. All the ones I have …

Document1 pretending to come from your own email address – JS malware leads to Locky ransomware

Last revised or updated on: 16th March, 2016, 12:21 PM

A blank/empty email with the subject of Document1, pretending to come from your own email address and sent to your own email address, with a zip attachment is another one from the current bot runs which downloads Locky ransomware. They use email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers.

The email looks like:

From: your own email address
Date: Wed 16/03/2016 11:58
Subject: Document1
Attachment: Document1.zip

Body content: totally blank

Screenshot: NONE

These malicious attachments normally have a password …

Bestellung 69376 david.favella123@buhlergroup.com – JS malware leads to Dridex or Locky

Last revised or updated on: 16th March, 2016, 11:54 AM

An email written partly in English and partly in German, supposedly from Buhler group, with the subject of Bestellung 69376 [random numbered], pretending to come from david.favella654@buhlergroup.com (random numbers after david.favella), with a zip attachment is another one from the current bot runs which downloads either the Dridex banking Trojan or Locky ransomware. They use email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers.

Update: I am reliably informed this is Locky ransomware, not the Dridex banking Trojan. The …

Dropbox spreading malware via spoofed emails about orders – fake PDF malware

Last revised or updated on: 15th March, 2016, 1:41 PM

Continuing on from these earlier malspam runs [1] [2], we now have a series of emails with the basic subject of orders, pretending to come from different companies, with a link to Dropbox to download a zip attachment. It is another one from the current bot runs which try to download various Trojans and password stealers, especially banking credential stealers, which may include Cridex, Dridex, Dyreza and various Zbots, Cryptolocker, ransomware and loads of other malware onto your computer. They use email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than …

Itinerary #13B0B450E no-reply@clicktravel.com – JS malware leads to Locky ransomware

Last revised or updated on: 15th March, 2016, 12:09 PM

An email with the subject of Itinerary #13B0B450E [random numbered], pretending to come from no-reply@clicktravel.com, with a zip attachment is another one from the current bot runs which downloads Locky ransomware. They use email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers.

At least this one has almost believable content, and an attachment and sender that match. It looks like a new Dridex / Locky email creator has appeared on the scene.

The email looks like:

From: no-reply@clicktravel.com
Date: Tue 15/03/2016 10:44
Subject: …

Document Enclosed – fake PDF malware

Last revised or updated on: 15th March, 2016, 11:56 AM

I haven’t seen a good old fashioned malware-spreading email like this one in ages, and today we get what looks like the start of a return to the “good old days”, with full blown malware being malspammed out as an attachment rather than .JS files or Word docs being used to download malware from websites. It is a refreshing change to see the bad actors reverting to these old fashioned, simple social engineering tricks.

An email with the subject of Document Enclosed, pretending to come from Ka2521@hotmail.co.uk, with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers, especially banking credential …

photo,my photo,image,pic Sent from my iPhone – fake jpg malware

Last revised or updated on: 15th March, 2016, 11:30 AM

I haven’t seen a good old fashioned malware-spreading email like this one in ages. It is a refreshing change to see the bad actors reverting to these old fashioned social engineering tricks, pretending to send a photo from their iPhone.

An email with the subject of photo,my photo,image,pic, pretending to come from lyle.house@hotmail.co.uk (probably random addresses), with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers, especially banking credential stealers, which may include Cridex, Dridex, Dyreza and various Zbots, Cryptolocker, ransomware and loads of other malware onto your computer. They use email addresses and subjects that will entice a user to read the email …

Insufficient Funds Transaction ID:12719734 – JS malware leads to TeslaCrypt

Last revised or updated on: 15th March, 2016, 8:03 AM

The ransomware bots seem to have settled on a generic financial theme so far this week. The most recent one is an email with the subject of Insufficient Funds Transaction ID:12719734 [random numbered], coming from random names and email addresses, with a zip attachment; it is another one from the current bot runs which downloads TeslaCrypt. They use email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers.

The attachments all have a 2 part naming convention. They start with a …

Incoming Transaction Declined ID: 21287178 – JS malware leads to TeslaCrypt

Last revised or updated on: 14th March, 2016, 11:30 PM

An email with the subject of Incoming Transaction Declined ID: 21287178 [random numbered], coming from random names and email addresses, with a zip attachment is another one from the current bot runs which downloads TeslaCrypt. They use email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers.

The email looks like:

From: random names & email addresses
Date: Mon 14/03/2016 23:19
Subject: Incoming Transaction Declined ID: 21287178
Attachment: confirmation_30816188.zip

Body content:

Your Purchase
Sender’s Details: 21287178
Amount: USD123,75
ACH Routing / Transit Number: …