Spam Campaign Leveraged RTF Documents to Spread Infostealers

A spam campaign leveraged malicious RTF documents to distribute notorious infostealers including Agent Tesla and Lokibot. While digging through a few other spam campaigns, Lastline observed unusual use of the C# compiler from the command line in some s…

Hawkeye keylogger via fake receipt. Stolen data sent to another keylogger site.

Over the last month or 6 weeks we, along with many other researchers, have noticed quite a drop in Malspam, in fact in spam generally. Nobody quite knows why but generally this means one or other of the major spam sending botnets has been taken down or…

Azorult via fake inquiry email using Microsoft Office Equation Editor exploits

Another malware campaign using malformed RTF files involving Microsoft Office Equation Editor exploits to extract or drop a zip file from an embedded OLE object containing the payload and an “innocent” lure doc to be displayed. Today it l…

Fake Quotation Request with malformed RTF file attachments delivering Lokibot

Another day and yet another malformed, malicious Word doc attachment that is a renamed RTF file delivering Lokibot malware. These criminal gangs are really playing around with RTF files and constantly changing the header control word to try to bypass A…

Formbook via fake Unicredit Bank swift transfer using different malformed RTF files

I can’t remember previously seeing a malware delivery campaign using a malformed, malicious RTF file like this one. It definitely is using one of the multiple Equation Editor exploits. There is some dispute on VirusTotal whether it is CVE-2017-11…

Formbook malware delivered via RTF exploit downloading MSI file

It looks like the summer holidays are over and the malware scumbags are trying out new and different delivery methods to catch us all unawares. This latest one is an email pretending to be a bank transfer notification with the subject of “Re: Pay…

Slightly different Lokibot delivery via embedded ole objects in rtf word doc

Today’s first example of malware received overnight is a slightly less usual delivery method for Lokibot. The email is a common lure pretending to be a quote / Inquiry request and is nothing special. The subject is “Re: Inquiry / Quotes&…

Zero-day flaw exploited in targeted attacks is fixed by Microsoft

This month’s Patch Tuesday bundle of updates from Microsoft included a fix for a critical vulnerability that has been actively exploited by at least one hacking gang in targeted attacks.
Read more in my article on the Tripwire State of Security blog.