Traffic report ID: 02271147 – JS malware leads to ransomware

Last revised or Updated on: 14th March, 2016, 5:52 PM

An email with the subject of "Traffic report ID: 02271147" [random numbered], pretending to come from random names and email addresses, with a zip attachment is another one from the current bot runs which downloads what looks like Teslacrypt ransomware. They use email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers.

The email looks like:
From: Leonor greene <greeneLeonor6857@lifesource-energysystems.com>
Date:
Subject: Traffic report ID: 02271147
Attachment: post_scan_02271147.zip
Body content: Dear Citizen, We are contacting you on behalf of a local …

Emailing: IMG_18977 pretending to come from admin at your own email domain – JS malware leads to locky or Dridex

Last revised or Updated on: 14th March, 2016, 2:04 PM

An email with the subject of "Emailing: IMG_18977" [random numbered], pretending to come from admin at your own email domain, with a zip attachment is another one from the current bot runs which downloads what looks like either Locky ransomware or the Dridex banking Trojan. They use email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers.

The email looks like:
From: admin admin@victim domain.tld
Date: Mon 14/03/2016 12:14
Subject: Emailing: IMG_18977
Attachment: IMG_18977.zip
Body content: Your message is ready to be sent …

blank email from support@hvp-online.com – JS malware downloads kovter boaxxe and ransomware

Last revised or Updated on: 14th March, 2016, 9:55 AM

An email addressed to abuse at your email domain, with no subject, coming from Support <support@hvp-online.com> with a zip attachment is another one from the current bot runs which downloads the malware named in the title (Kovter, Boaxxe and ransomware). They use email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers.

I have only seen 1 copy of this so far, but in previous weeks I often got 1 copy about 1-2 hours before the main influx. I do not know, based on this one email, if there will be …

Debt #80574 , Customer Case Nr.: 693 – JS malware leads to Teslacrypt

Last revised or Updated on: 13th March, 2016, 5:33 PM

An email with the subject of "Debt #80574 , Customer Case Nr.: 693" [random numbered], coming from random names and email addresses, with a zip attachment is another one from the current bot runs which downloads what looks like Teslacrypt. They use email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers.

I haven't seen a malspam run of this magnitude on a Sunday afternoon/evening in the UK for ages. They must be hoping to catch the Monday morning workers when …

Urgent Notice # 96954696 – JS malware leads to teslacrypt ransomware

Last revised or Updated on: 12th March, 2016, 3:57 PM

An email with the subject of "Urgent Notice # 96954696" [random numbered], coming from random names and email addresses, with a zip attachment is another one from the current bot runs which downloads Teslacrypt or Locky ransomware. They use email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers.

Update 12 March 2016: Unusual for a Saturday, so they are going after the domestic/consumer market instead of office/enterprise/companies. Another big malspam run of this email today with malicious …

FW: Payment 16-03-#280729 We have received this documents from your bank please review attached documents – JS malware leads to locky ransomware

Last revised or Updated on: 11th March, 2016, 11:12 AM

An email with the subject of "Pay for driving on toll road, invoice #00212297" [random numbered], coming from random names and email addresses, with a zip attachment is another one from the current bot runs which downloads Locky ransomware. They use email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers. The alleged sender's name matches the name of the account manager in the body of the email.

The email looks like:
From: Inez Harding <HardingInez04459@jazztel.es>
Date: Fri 11/03/2016 08:15
Subject: …

Your Amazon order #204-217966-773659 – JS malware leads to Locky Ransomware

Last revised or Updated on: 11th March, 2016, 10:50 AM

An email with the subject of "Your Amazon order #204-217966-773659" [random numbered], pretending to come from AMAZON.COM <no-reply@Amazon.com>, with a zip attachment is another one from the current bot runs which downloads Locky ransomware. They use email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers.

The email looks like:
From: AMAZON.COM <no-reply@Amazon.com>
Date: Fri 11/03/2016 09:09
Subject: Your Amazon order #204-217966-773659
Attachment: ORD204-217966-773659.zip
Body content: Hello, Thank you for your order. We'll let you know once your item(s) have …

GreenLand Consulting Unpaid Issue No. 14599 – JS malware leads to teslacrypt

Last revised or Updated on: 10th March, 2016, 5:17 PM

An email with the subject of "GreenLand Consulting Unpaid Issue No. 14599" [random numbered], pretending to come from random names and email addresses, with a zip attachment is another one from the current bot runs which downloads Teslacrypt. They use email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers.

Update: Hybrid Analysis screenshots show it as Locky ransomware, which is weird because the websites that are being used to download the ransomware and the file naming convention have …

Attached File / Doc / Document pretending to come from scanner /printer at your own domain – JS malware leads to Locky Ransomware

Last revised or Updated on: 10th March, 2016, 10:22 AM

An email with the subject of "Attached File" / "Attached Doc" / "Attached Document", pretending to come from a scanner or printer at your own domain, with a zip attachment is another one from the current bot runs which downloads what looks like the Dridex banking Trojan. EDIT: it is LOCKY ransomware, not Dridex. They use email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers.

The attachment name is created from the recipient's email address and 2 sets of random numbers …

random named doc pretending to come from admin at your own domain – JS malware leads to ransomware

Last revised or Updated on: 9th March, 2016, 1:18 PM

An email with the subject of "DOC-AA25400B" [random numbered], pretending to come from admin <adm323@victim_domain.tld> (the numbers after "adm" are random, and the domain is your own email domain), with a zip attachment is another one from the current bot runs which downloads Locky ransomware. They use email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers.

The email looks like:
From: admin <adm323@victim_domain.tld>
Date: Wed 09/03/2016 12:05
Subject: DOC-AA25400B
Attachment: DOC-AA25400B.zip
Body content: Totally blank body content
Screenshot: NONE

These malicious attachments normally …