Category: Malspam
Malspam Delivers Loki-Bot
Originally posted at malwarebreakdown.com Follow me on Twitter I received some malspam on 03/22/18 that contained two .doc file attachments. The subject of the email was “Order 2018-048 & 049, Please Confirm”. The attached exploit documents were named similarly to the subject of the email, “PO2018-048.doc” and “PO 2018-049.doc”. Below is an image of the email: ...
Malspam Delivers Pony and Loki-Bot
Originally posted at malwarebreakdown.com Follow me on Twitter Sender: user1@enteronly.com.tw Subject: RE: Payment IN-2716 – MPA-PI17045 – USD Attachment(s): Payment_001.doc and Payment_002.doc Both Payment_001.doc and Payment_002.doc are malicious RTF documents triggering detections for CVE-2017-11882. Payment_001.doc: Traffic: User-Agent: Windows Installer User Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98) Pony Panel: Image found at hxxp://paclficinsight[.]com/new1/pony/china.jpg IOCs Network: 94.102.1.194 – hxxps://agahguner.com GET /44.msi 94.102.60.3 ...
Malspam Contains Password Protected Document That Downloads Sigma Ransomware
Follow me on Twitter I received some malspam on 03/13/18 entitled “About a internship.” The email came with an attachment called “Janeen Resume.doc”: The email is pretending to come from somebody interested in a job opening and they have attached their “résumé.” In reality, this document is being used as a downloader for Sigma ransomware. ...
Malspam Entitled “Invoice attched for your reference” Delivers Agent Tesla Keylogger
I recently got my hands on some malspam entitled “Invoice attched for your reference.” Below is an image of the email: The image of a PDF document links to hxxp://dropcanvas.com/ozbak/1: Dropcanvas.com is a site used to transfer files between users. While not inherently malicious, file sharing sites are often abused in these types of social engineering ...
Malspam Distributing Ursnif (Gozi ISFB)
A user received malspam with a .doc attachment. Static analysis of the file showed it was a Microsoft Word 2007+ document with an embedded macro located in vbaProject.bin. The malware authors trick victims into enabling macros (Enable Content) and, to better evade sandboxes, use AutoClose to execute the macro after the file has been closed. ...
“Re: Details” Malspam Downloads CoreBot Banking Trojan
I got some malspam on 09/07/17 and decided to play around with it a bit. Below is an image of the email: The email is pretending to come from “Signa Air” and the subject is “Re: Details”. The text of the email is as follows: FYI, I sent this earlier with my regular email but ...
“IMG_” Malspam Delivers Locky Ransomware. Appending The “.Lukitus” Extension.
I received this malspam sample on Tuesday (8/29/17) from a friend, so it’s already a couple days old. The subject line of the email starts with “IMG_” and ends with four numbers. As you can see from the image below, it doesn’t contain anything in the body. This is very similar to other ransomware distribution campaigns ...
“IMG_” Malspam Delivers GlobeImposter Ransomware
I received this malspam sample on Saturday from a friend, so it’s already a couple days old. While this is ancient in malspam years I felt like writing up something since I haven’t done a malspam post in quite some time. The subject line of the malspam samples that I received all started with “IMG_” ...
Malspam Leads to Malicous Word Document Which Downloads Geodo/Emotet Banking Malware
Download location where I got the malicious Word document: 192.232.223.76 – kinonah.com – GET /Cust-4762868855/ – Compromised website hosting malicious Word document VirusTotal Report Hybrid-Analysis Report SHA256: d8cfe351daa5276a277664630f18fe1e61351cbf3b0a17b6a8ef725263c0cab4 Additional Word document download locations: 213.190.161.210 – avenueevents.co.uk/Cust-PBP-03-D683320/ 67.212.91.221 – kingstoncybermall.com/Cust-3647227423/ 5.10.105.46 – theuntoldsorrow.co.uk/ORDER.-XI-80-UY913942/ 173.236.177.156 – visuals.com/CUST.-VT-38-RH422386/ 192.254.251.86 – thenursesagent.com/ORDER.-9592209302/ 192.185.148.240 – tiger12.com/TGA-48-76252-doc-May-04-2017/ 192.185.216.220 – gabrielramos.com.br/lxu-3h-ip079-zgmg.doc/ 146.185.16.121 ...
Hacked Sites Redirecting Users to Various Malvertising Campaigns
I had somebody contact me via my Contact page saying that they found my post on the Seamless campaign leading to RIG exploit kit. They had told me that they had received an email with the following link multitaskcleaners[.]co[.]uk/giftwrap.php?1702. He went on to say that going directly to multitaskcleaners[.]co[.]uk redirected him to 194.58.42.227/flow339[.]php. 194.58.42.227 is the same gate from my ...
Malware breakdown 