Fake order malspam email with uue attachment delivers malware

I seem to be getting all the weird and wonderful malware today, all using different or unusual delivery methods. This next example is about an order confirmation. The attachment is a .uue attachment. WinZip says it can open .UUE files but only extracted a garbled encrypted/encoded txt file. Universal extractor …

REVIEW QOUTATION malspam delivers some sort of malware

The next in the never-ending series of malware-laden emails is this one, where somebody cannot spell or type properly, with the subject of REVIEW QOUTATION pretending to come from aaron.coley@jonescompanies.com, although they did get the correct spelling in the email body. They use email addresses and subjects that will entice, persuade, scare or …

Fwd: Re: Invoice with an r24 extension delivers (or tries to deliver) malware

Following on from yesterday’s attempt with a .r24 attachment, the next in the never-ending series of malware downloaders is an email with the subject of FW:: Re: invoice pretending to come from Care@Jafra.co.id. The email content is identical to yesterday’s version. They use email addresses and subjects that will persuade, entice, shock or …

Re: Revised invoice malspam tries to deliver malware using an r24 extension

The next in the never-ending series of malware downloaders is an email with the subject of Re: Revised invoice pretending to come from Sales <Sales@machinery.com>. They use email addresses and subjects that will entice a user to read the email and open the attachment. machinery.com has not been hacked or had their …

Fake DHL GLOBAL FREIGHT CONSIGNMENT FORM malspam delivers malware

Continuing with the never-ending series of malware-laden emails is an email with the subject of DHL GLOBAL FREIGHT CONSIGNMENT FORM coming from DHL GLOBAL WORLD WIDE AGENT <deddi@karebet-group.com> with a .ace attachment, which delivers malware that looks like a pony dropper and/or fareit password stealer trojan. Update: returns are coming back from …

Locky delivered by fake BT bill

The next in the never-ending series of Locky downloaders is an email with the subject of New BT Bill pretending to come from BT Business <btbusiness@bttconnect.com> with a link in the body of the email to download a zip file. These are much more believable emails than the usual Locky malspam.

Fake purchase order delivering malware

Continuing with the never-ending series of malware-laden emails is an email with the subject of RFQ072017 coming from Stafford Shawn <staffordshawn1@yahoo.com> (possibly random senders) but definitely coming via Yahoo email network, with a zip attachment containing a file that pretends to be a pdf file but is a .exe file. I …

Angelika Rodriguez – zales@municipiodepaute.gob.ec – Purchase Order malspam delivers nanocore RAT

Continuing with the never-ending series of malware-laden emails is an email with the subject of Purchase Order coming from Angelika Rodriguez <zales@municipiodepaute.gob.ec>, which delivers what is probably a nanocore RAT (it matches yara sigs for that malware). What makes these slightly worse than any other infected or compromised sender is the sending …

eFax message from “8473365403” – 1 page(s), Caller-ID: 44-020-3136-4931 malspam delivers Trickbot banking Trojan

The 2nd in today’s Trickbot malspams is an email with the subject of eFax message from “8473365403” – 1 page(s), Caller-ID: 44-020-3136-4931 pretending to come from eFax but actually coming from a look-a-like domain <message@efax-download.com> with a malicious Word doc attachment; it is today’s latest spoof of a well-known company, bank …