Category: Malspam

Malspam Delivers Loki-Bot

Originally posted at malwarebreakdown.com. I received some malspam on 03/22/18 that contained two .doc file attachments. The subject of the email was “Order 2018-048 & 049, Please Confirm”. The attached exploit documents were named similarly to the subject of the email, “PO2018-048.doc” and “PO 2018-049.doc”. Below is an image of the email: ...

Malspam Delivers Pony and Loki-Bot

Originally posted at malwarebreakdown.com.

Sender: user1@enteronly.com.tw
Subject: RE: Payment IN-2716 – MPA-PI17045 – USD
Attachment(s): Payment_001.doc and Payment_002.doc

Both Payment_001.doc and Payment_002.doc are malicious RTF documents triggering detections for CVE-2017-11882.

Payment_001.doc:
Traffic:
User-Agent: Windows Installer
User Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
Pony Panel: Image found at hxxp://paclficinsight[.]com/new1/pony/china.jpg

IOCs
Network:
94.102.1.194 – hxxps://agahguner.com GET /44.msi
94.102.60.3 ...

Malspam Contains Password Protected Document That Downloads Sigma Ransomware

I received some malspam on 03/13/18 entitled “About a internship.” The email came with an attachment called “Janeen Resume.doc”: The email is pretending to come from somebody interested in a job opening and they have attached their “résumé.” In reality, this document is being used as a downloader for Sigma ransomware. ...

Malspam Entitled “Invoice attched for your reference” Delivers Agent Tesla Keylogger

I recently got my hands on some malspam entitled “Invoice attched for your reference.” Below is an image of the email: The image of a PDF document links to hxxp://dropcanvas.com/ozbak/1: Dropcanvas.com is a site used to transfer files between users. While not inherently malicious, file sharing sites are often abused in these types of social engineering ...

Malspam Distributing Ursnif (Gozi ISFB)

A user received malspam with a .doc attachment. Static analysis of the file showed it was a Microsoft Word 2007+ document with an embedded macro located in vbaProject.bin. The malware authors trick victims into enabling macros (Enable Content) and, to better evade sandboxes, use AutoClose to execute the macro after the file has been closed. ...

“Re: Details” Malspam Downloads CoreBot Banking Trojan

I got some malspam on 09/07/17 and decided to play around with it a bit. Below is an image of the email: The email is pretending to come from “Signa Air” and the subject is “Re: Details”. The text of the email is as follows: FYI, I sent this earlier with my regular email but ...

“IMG_” Malspam Delivers Locky Ransomware. Appending The “.Lukitus” Extension.

I received this malspam sample on Tuesday (8/29/17) from a friend, so it’s already a couple days old. The subject line of the email starts with “IMG_” and ends with four numbers. As you can see from the image below, it doesn’t contain anything in the body. This is very similar to other ransomware distribution campaigns ...