FW: Invoice 2016-M#184605 – JS malware leads to Locky Ransomware

Last revised or Updated on: 9th March, 2016, 11:51 AM

An email saying "Please find attached 2 invoices for processing" with the subject of FW: Invoice 2016-M#184605 [random numbered], coming from random names and email addresses with a zip attachment, is another one from the current bot runs which downloads Locky Ransomware. They use email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers. The name of the account manager matches the alleged sender. The invoice number matches the attachment number. The email looks like:
From: Ann Guerrero <GuerreroAnn36420@ono.com>
Date: Wed 09/03/2016 10:38 …

Voice Message Attached from +44163311902 – name unavailable inclarity voicemail – JS malware leads to Dridex

Last revised or Updated on: 9th March, 2016, 10:33 AM

An email with the subject of Voice Message Attached from +44163311902 – name unavailable [random numbered], pretending to come from voicemail <voicemail@inclarity.net> with a zip attachment, is another one from the current bot runs which downloads Dridex banking malware. They use email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers. The telephone number in the subject line changes with each email, but all start with +44163 and match the first part of the attachment name. The email looks …

Urgent Purchase Order Powershell exploit malware

Last revised or Updated on: 9th March, 2016, 10:12 AM

An email with the subject of Urgent Purchase Order, pretending to come from A. Mohammed <magani@vertexgroup-bd.com> (probably random email addresses) with a zip attachment, is another one from the current bot runs which try to download various Trojans and password stealers, especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They use email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers. The email looks like:
From: A. Mohammed …

Invoice #96187656 for your Order – JS malware leads to Teslacrypt ransomware

Last revised or Updated on: 9th March, 2016, 7:49 AM

An email with the subject of Invoice #96187656 for your Order [random numbered], pretending to come from Finance Information (random email addresses) with a zip attachment, is another one from the current bot runs which downloads Teslacrypt ransomware. They use email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers. I have only seen 1 copy of this so far this morning, so I have no idea if wavenet group is being spoofed in all the emails using …

FW: Invoice #733745-2016-03 – JS malware leads to ransomware

Last revised or Updated on: 8th March, 2016, 3:32 PM

An email with the subject of FW: Invoice #733745-2016-03 [random numbered], pretending to come from random names and email addresses with a zip attachment, is another one from the current bot runs which downloads a Locky Ransomware version. They use email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers. The alleged sender matches the account manager in the body of the email. The first name of the recipient from the part before the @ in the recipient's email address …

Compensation – Reference Number #242852 – JS malware leads to Locky Ransomware

Last revised or Updated on: 8th March, 2016, 12:26 PM

An email with the subject of Compensation – Reference Number #242852 [random numbered], coming from random names and email addresses with a zip attachment, is another one from the current bot runs which downloads Locky Ransomware. They use email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers. The name of the alleged sender matches the name of the sales manager in the body of the email. The email looks like:
From: Lily Adams <AdamsLily33@haleandheartymovers.com>
Date: Tue 08/03/2016 12:00
Subject: Compensation …

Emailing: 20121005154449756 Gary Atkinson garrardwindows.co.uk – JS malware leads to Dridex

Last revised or Updated on: 8th March, 2016, 9:44 AM

An email with the subject of Emailing: 20121005154449756, pretending to come from Gary Atkinson <Gary@garrardwindows.co.uk> with a zip attachment, is another one from the current bot runs which downloads Dridex banking Trojan. They use email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers. The email looks like:
From: Gary Atkinson <Gary@garrardwindows.co.uk>
Date: Tue 08/03/2016 09:00
Subject: Emailing: 20121005154449756
Attachment:
Body content: Please find attached document as requested.
Screenshot: NONE

These malicious attachments normally have a password stealing component, with …

Pay_Advice_Vendor_0000300320_1000_for_03.03.2016 Yorkshire Water – JS malware leads to Dridex

Last revised or Updated on: 8th March, 2016, 9:45 AM

An email with the subject of Pay_Advice_Vendor_0000300320_1000_for_03.03.2016, pretending to come from Accounts Payable <vendoramendments@yorkshirewater.co.uk> with a zip attachment, is another one from the current bot runs which downloads Dridex banking Trojan. They use email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers. The email looks like:
From: Accounts Payable <vendoramendments@yorkshirewater.co.uk>
Date: Tue 08/03/2016 08:25
Subject: Pay_Advice_Vendor_0000300320_1000_for_03.03.2016
Attachment: Pay_Advice_Vendor_0000300320_1000_for_03.03.2016.PDF.ZIP
Body content:
—————————————–
Spotted a leak? If you spot a leak please report it immediately. Call us on 0800 57 3553 or go …

Emailing – IMG_0015.pdf Robert Symon jumboselfstorage.co.uk – JS malware leads to Locky Ransomware

Last revised or Updated on: 7th March, 2016, 5:24 PM

An email with the subject of Emailing – IMG_0015.pdf, pretending to come from Robert Symon <robert@jumboselfstorage.co.uk> with a zip attachment, is another one from the current bot runs which downloads Locky Ransomware. They use email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers. The email looks like:
From: Robert Symon <robert@jumboselfstorage.co.uk>
Date: Mon 07/03/2016 14:02
Subject: Emailing – IMG_0015.pdf
Attachment: IMG_0015.pdf.zip
Body content: Totally empty
Screenshot: None

These malicious attachments normally have a password stealing component, with the aim of …

E-Service (Europe) Ltd Invoice No: 10013405 – JS malware leads to Locky Ransomware

Last revised or Updated on: 7th March, 2016, 1:17 PM

An email with the subject of E-Service (Europe) Ltd Invoice No: 10013405 [random numbered], pretending to come from Andrew Williams <andrew.williams@eurocoin.co.uk> with a zip attachment, is another one from the current bot runs which downloads LOCKY RANSOMWARE. They use email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers. The email looks like:
From: Andrew Williams <andrew.williams@eurocoin.co.uk>
Date: Mon 07/03/2016 11:39
Subject: E-Service (Europe) Ltd Invoice No: 10013405 (random numbers)
Attachment: Invoice 10013405.zip
Body content: Dear Customer, Please find …