Showing 129 results for: Malware ×

BrickerBot mod_plaintext Analysis

A week ago, the author of BrickerBot claimed that they retired and published their manifesto along with some source code of their bot. In the manifesto, they wrote: "Take a look at the number of payloads, 0-days and techniques and...

CHM Badness Delivers a Banking Trojan

Like good old Microsoft Office Macros, Compiled HTML (CHM) Help files have been utilized by malware authors for more than a decade to sneak malicious downloader code into files making them harder to detect. CHMs are a Microsoft proprietary online...

Sneaky *.BAT File Leads to Spoofed Banking Page

If you thought using BAT files was old hat, think again. While monitoring our Secure Email Gateway Cloud service, we came across several suspect spam emails targeting Brazilian users. The figure below shows email details to trick and entice users...

VAT Return with a Vengeance

Authors: Dr. Fahim Abbasi, Gerald Carsula and Rodel Mendrez Scam Overview Her Majesty's Revenue & Customs (HMRC) is the UK department responsible for collecting taxes and other tax related services like VAT returns. On 6th September, 2017, scammers launched a...

Locky Part 2: As the Seasons Change so is Locky

It's that time of year where the seasons are changing. The Northern Hemisphere moves into Autumn, and the Southern Hemisphere moves to Spring. So it is with Locky. As we discussed in our last post, spam campaigns were downloading Locky...

Emotet lives another day using Fake O2 invoice notifications

Authors: Dr. Fahim Abbasi and Nicholas Ramos We witnessed a widespread phishing campaign targeting O2 customers, that surfaced on 18th August, 2017 and continued intermittently until 21st August, 2017. Telefonica UK Limited, trading as O2, is a major telco provider...

Malware Xeroing in on Cloud Accounting Customers

Authors: Dr. Fahim Abbasi and Rodel Mendrez We witnessed a sophisticated phishing campaign on 16th August 2017, targeting victims by sending spoofed phishing email messages appearing to come from Xero. Xero is a New Zealand-based software company that develops cloud-based...

The Spam, JavaScript and Ransomware Triangle

Authors: Dr. Fahim Abbasi and Nicholas Ramos Introduction Our global spam honeypot sensors detected a pervasive email campaign that was leveraging a zipped attachment containing a malicious JavaScript. When opened, the JavaScript was used to infect victims with ransomware. This...

Necurs Unleashed "Locky diablo" from Hell

Over two days in early August (the 8th and 9th), amidst of the active distribution of Trickbot malware, a new Locky ransomware variant called "diablo" has emerged from hell. The Trustwave SpiderLabs Spam Research Database has picked up a large...

Tale of the Two Payloads – TrickBot and Nitol

A couple of weeks ago, we observed the Necurs botnet distributing a new malware spam campaign with a payload combo that includes Trickbot and Nitol. Trickbot is a banking trojan that first appeared late last year targeting banks in Europe,...

Petya From The Wire: Detection using IDPS

Most malware that traverses a network do so with specific indicators, some of which look like legitimate network traffic and others that are completely unique to the malware. A single IDPS signature can have high confidence of detecting an infection...

The Petya/NotPetya Ransomware Campaign

This is an ongoing, emerging story and may be updated after posting. There is a new wormlike ransomware campaign on the loose today and you wouldn't be mistaken if you're experiencing a little WannaCry deja vu. The campaign has been...