nanocore RAT via fake order in password protected word doc with wrong password

I was sent a message via the submissions system last night with the email the victim received attached. At first glance it looked like the typical password protected word docs we see regularly pretending to be either an order, invoice or resume, that f…

Fake PO Inquiry email delivers Agent Tesla Keylogger via rtf exploits

An email with the subject of POQEA inquiry for order pretending to come from Balwinder Singh <sanjayl.sherma@gmail.com> with a link to download a malicious word doc delivers Agent Tesla Keylogger / Remote Access Trojan. This campaign is u…

Fake UNILEVER PURCHASE ORDER #091223 for acknowledgement delivers Lokibot

We are still seeing a lot of Lokibot hitting the UK. We don’t bother to post about most of them, because the subjects & emails are so generic that there normally is nothing particularly identifiable about them. However overnight we received a…

Fake Quote PO ACPM@REAGAN.COM delivers a keylogger

An email with the subject of coming from Purchase <ACPM@REAGAN.COM> with a link in the email body that uses a chain to eventually download what looks like some sort of keylogger. Update: I am assured this is Agent Tesla Keylogger. I always fin…

old office facilities malspam delivers Locky

The next in the never ending series of Locky downloaders is an email with the subject of old office facilities coming as usual from random companies, names and email addresses with a random named zip attachment containing 2 identical .JS …


Malware: “PO # 10 – B F” delivers Locky

An email with the subject of PO # 10 – B F pretending to come from Kalyani Purchase <purchase@kalyanimotors.com> with a zip attachment is another one from the current bot runs which downloads the same Locky ransomware version as described in …