Looking through the email filters yesterday, I saw numerous emails from the sender “secure@hsbcdocuments.com” with the subject of “We need to confirm your details.” The email was a well laid out phish with a malicious Word document attached. This Word document led to a Trickbot banking malware infection via the…
A quick write-up on a generic infostealer that also uses a UAC bypass technique. I could not find much about this malware outside that it was a generic information stealing malware. For some interesting reading on how to bypass UAC within Windows, please see the following links: https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/ https://enigma0x3.net/2016/07/22/bypassing-uac-on-windows-10-using-disk-cleanup/ https://isc.sans.edu/forums/diary/Malicious+Office+files+using+fileless+UAC+bypass+to+drop+KEYBASE+malware/22011/…
Quick post for today. I have been seeing a lot of malspam with malicious Javascript attachments zipped inside a 7zip archive for the past couple of days. The emails themselves all seem to revolve around the theme of a receipt or invoice as seen below. From what I can tell,…
So continuing from my update yesterday (see 2017-08-30 Trickbot Maldoc – Part One), it looks as if sometime last night while working on the writeup, and perhaps again this morning, Trickbot got cheeky and updated itself. It looks as if the file “Atpsijj.exe” is a new file with a different…
For today’s post, I will be looking at a malicious Word document that we got spoofing NatWest which led to Trickbot malware being installed on the system. After I found this sample, I started to see posts on Tweeter from people like @dvk01uk and @VK_Intel posting about Trickbot. For this…
For today’s post, I am walking through an Emotet malspam that we received this past Friday that contained a simple link that lead to a macro enabled Word document. Googling around I see that @dvk01uk came across the same URLs 5 days ago. You can read that post here. Running…
Just a quick one for today. I saw Brad’s tweet about a sample of Blank Slate malspam and decided to see if I could find some today while at work. Thankfully the email filters did their job and all of them were blocked. Brad also blogged about this over on…
Today’s post is based on a malicious email that I saw in out email filters. The email (seen below) had a simple link in it that took the user to a site that automatically started a download of a malicious Word document. Odd thing is that when you visited the…
This write up stems from a user getting a malicious Word document via an email for an invoice. Running the PCAP file through Network Total, I saw that that this was tagged as Geodo/Emotet malware. Googling around for Emotet, I came across a Forcepoint article in which they did a…
Looking for some malspam yesterday and I came across something that looks like it was exploiting the CVE 2017-0199 vulnerability in MS Office RTF files. FireEye did a nice write-up of this which you can read here. Googling to see if anyone else had seen these domains before, I was…