Collaborate Disseminate
A quick post detailing another Formbook campaign with what looks like a few changes.Recently the criminals distributing this malware have been using .exe files inside various forms of archive, including .iso, .ace, .rar. ,zip. Frequently they use vario… Continue reading Formbook campaigns continue via malspam emails
Following on from my slightly earlier post about Lokibot, this is yet another version with 2 XLS spreadsheet attachments coming in a fake Overdue Invoices November – December 2018 email. This version uses CVE-2017-11882 or is trying to, but only… Continue reading More Lokibot via fake Maersk Quotation / Invoice
Java Adwind is a persistent malware that we see frequently. It tends to come in waves and we haven’t seen much hitting the UK in recent weeks. But the long Christmas break is still in effect in the UK. The malware bad actors know that the defence… Continue reading java adwind via fake outrigger corp invoice
Seeing some changes to Lokibot with this malware delivery campaign overnight. I don’t know if it is a complete change to the C2 url naming convention or whether it is only this particular actor using a different C2 url naming convention. Genera… Continue reading Lokibot campaigns continue with some changes to C2 urls
An old favourite lure with this email with the subject of “DHL Shipping of Original invoice B/L dated 26/10/2018” pretending to come from DHL EXPRESS – < noreply@dhl.com > with a malicious word doc attachment delivers Remcos… Continue reading More Fake DHL invoices delivering Remcos RAT via office XML files
This example is today’s latest spoof or imitation of a well-known company, bank or public authority delivering Trickbot banking Trojan. The email with the subject of “Overdue Invoice ” pretends to come from Pricewaterhouse Coopers LLP but a… Continue reading Fake Pricewaterhouse Coopers LLP “Overdue Invoice” delivers Trickbot
We are back to a slightly more complicated or involved Trickbot download campaign today with links in the email to download the XLS file instead of attachments. This malware campaign delivery method was first mentioned on 22 October 2018 when I missed … Continue reading Fake Companies House “Company report” delivers Trickbot
Trickbot are continuing with their malware spreading campaigns using Office Macros, particularly Excel spreadsheets with macros. Today’s example is an email pretending to be an invoice for nearly £35,000 containing the subject of “FW: Inv… Continue reading Trickbot delivered via fake Intuit “FW: Invoice #3989021 ” email
One of the things I’ve learned in twenty-nine years investigating malware is that MOST bad guys are lazy and cheap. One of the main ways that shows up is in the reuse of infrastructure. Or as one of my criminology friends says it “most crim… Continue reading Dangerous Invoices and Dangerous Infrastructure
The Necurs botnet has been observed pushing an unusual malware campaign that almost exclusively targets users and employees within the financial sector. Necurs is one of the largest and longest-lived botnet that’s still in operation today. Over t… Continue reading Necurs Botnet Launches Campaign Against Banks