Multiple Hawkeye malspam campaigns via GreenCloudVPS

Another Hawkeye keylogger campaign again today. We see these most days, and the emails are always such a generic invoice, order or request for quotation that I don't bother to post every version we receive; I normally just tweet them to the other researchers and submit them to antivirus companies. All of them use RTF attachments exploiting CVE-2017-11882, the memory-corruption bug in the Microsoft Office Equation Editor (EQNEDT32.EXE).

Today we are seeing a much more aggressive campaign than usual, with multiple senders and subjects, but all coming from the same IP address and server. None of the email addresses or companies mentioned in this campaign are sending the emails to you; their details have simply been spoofed.

23.226.130.106 (reverse DNS: 23.226.130.106.static.greencloudvps.com), Secaucus, New Jersey, US, AS8100 QuadraNet Enterprises LLC

I have seen this IP address sending out this malspam since 22 April 2019 and am completely unable to find an abuse address to send complaints to.

Screenshots: 23.226.130.106 sending out malspam

So far today I have received 3 different versions (sender display name | subject | attachment; the spoofed sender addresses are not shown here):

  • "Jenny- (Ms) Ngân Ly" | RE:RFQ | Add-Order.doc
  • Grifo Pac Srl – Acquisti | SV: Request for Quote | RFQ-Add Order.doc
  • Jackie Lazzaro | RE: Request To Quote For Additional Order | RFQ-Add Order.doc

The malicious doc and the payload are exactly the same in each case.

Add-Order.doc: current VirusTotal detections | Anyrun analysis

This malicious doc downloads its payload from https://premchandracollege.in/ikenna.exe (VirusTotal: URL | file).

A quick search has also shown me an Agent Tesla keylogger/trojan served from another file on the same payload site, http://premchandracollege.in/wirelord.exe (VirusTotal).
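As an added triage example (my code, not part of the original post and not derived from the campaign's files): before detonating a "quotation" attachment, check whether the RTF embeds an Equation Editor OLE object at all, and whether it carries \objupdate so the object activates on open without a click. That combination is the CVE-2017-11882 lure pattern. The CLSID and the "Equation Native" stream name are Equation Editor's real identifiers; the sample RTF built at the bottom is constructed for the demo and contains no MTEF data or shellcode, so it is not an exploit.

```python
"""Triage an RTF attachment for the structure of a CVE-2017-11882 lure.

Indicators only: Equation Editor object present, and set to auto-load.
It does not parse MTEF, so a hit means 'open in a sandbox', not 'confirmed exploit'.
"""
from __future__ import annotations
import re

# Equation Editor 3.0 CLSID {0002CE02-0000-0000-C000-000000000046} in the
# little-endian byte order used inside the embedded OLE compound file.
EQNEDT_CLSID_LE = bytes.fromhex("02CE020000000000C000000000000046")
EQUATION_NATIVE_UTF16 = "Equation Native".encode("utf-16-le")  # stream the MTEF data lives in

_CONTROL_WORD = re.compile(rb"\\[A-Za-z]+-?\d*|\\'[0-9A-Fa-f]{2}|\\[^A-Za-z]")
_NON_HEX = re.compile(rb"[^0-9A-Fa-f]")


def _group_body(rtf: bytes, start: int) -> bytes:
    """Bytes from `start` up to the brace that closes the enclosing RTF group."""
    depth = 0
    for i in range(start, len(rtf)):
        if rtf[i] == 0x7B:          # {
            depth += 1
        elif rtf[i] == 0x7D:        # }
            if depth == 0:
                return rtf[start:i]
            depth -= 1
    return rtf[start:]


def extract_objdata(rtf: bytes) -> list[bytes]:
    """Decode every \\objdata hex payload.  Lures pad the hex with line breaks and
    junk control words to break naive parsers, so those are stripped first."""
    blobs = []
    for m in re.finditer(rb"\\objdata\b", rtf):
        body = _CONTROL_WORD.sub(b"", _group_body(rtf, m.end()))
        hexdata = _NON_HEX.sub(b"", body)
        if len(hexdata) % 2:
            hexdata = hexdata[:-1]
        if hexdata:
            blobs.append(bytes.fromhex(hexdata.decode("ascii")))
    return blobs


def triage_rtf(rtf: bytes) -> dict:
    """Return the individual indicators plus a verdict for one RTF file's bytes."""
    low = rtf.lower()
    flags = {
        "objupdate": b"\\objupdate" in low,   # object loads on open: no click needed
        "objclass_equation": bool(re.search(rb"\\objclass[^{}]*equation\.3", low)),
        "clsid_in_objdata": False,
        "equation_strings_in_objdata": False,
        "ole_object_count": 0,
    }
    for blob in extract_objdata(rtf):
        flags["ole_object_count"] += 1
        if EQNEDT_CLSID_LE in blob:
            flags["clsid_in_objdata"] = True
        if EQUATION_NATIVE_UTF16 in blob or b"Equation.3" in blob:
            flags["equation_strings_in_objdata"] = True
    eqn = (flags["objclass_equation"] or flags["clsid_in_objdata"]
           or flags["equation_strings_in_objdata"])
    if eqn and flags["objupdate"]:
        verdict = "high"      # auto-activating Equation Editor object: the CVE-2017-11882 pattern
    elif eqn:
        verdict = "medium"    # genuine documents embed equations too; inspect the MTEF data
    elif flags["ole_object_count"]:
        verdict = "low"
    else:
        verdict = "clean"
    flags["verdict"] = verdict
    return flags


def constructed_sample() -> bytes:
    """Synthetic RTF with a lure's structure (OLE1 wrapper, Equation.3 class name,
    compound-file signature, CLSID).  Constructed for this demo; no exploit data."""
    ole = (b"\x01\x05\x00\x00\x02\x00\x00\x00"        # OLE1 version + embedded-object format id
           + b"\x0b\x00\x00\x00Equation.3\x00"         # class-name length + "Equation.3\0"
           + b"\x00" * 8                               # empty topic/item names
           + b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"       # OLE compound file signature
           + EQNEDT_CLSID_LE + EQUATION_NATIVE_UTF16)
    hexdata = ole.hex().encode("ascii")
    hexdata = hexdata[:24] + b"\r\n\\junk " + hexdata[24:]   # noise of the kind real samples add
    return (b"{\\rtf1\\ansi{\\object\\objemb\\objupdate{\\*\\objclass Equation.3}"
            b"{\\*\\objdata " + hexdata + b"}}\\par Enable editing to view the order.}")


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else constructed_sample()
    print(triage_rtf(data))
```

Run it with the attachment path as the only argument; with no argument it triages the constructed sample. A "medium" on a document that genuinely contains formulas is expected, which is why the verdict is split on \objupdate rather than on the presence of Equation Editor alone.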

They are using sender names and subjects that will scare, persuade or entice a user into reading the email and opening the attachment. A very high proportion are targeted at small and medium-sized businesses, in the hope of getting a better response than they get from consumers.

Remember that many email clients, especially on a mobile phone or tablet, only show the display name in the From: field and not the actual address in <domain.com>. That is why these scams and phishes work so well.
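An added example of checking the parts of a message the phone client hides (my code, not from the original post). It pulls the display name and real address out of From:, compares the envelope sender and Reply-To with the From domain, reads the Authentication-Results our own MX stamped, and takes the client IP only from the Received: line our MX wrote, since every hop below that was written by the sender. The relay IP 23.226.130.106 is the one this post names; every domain, address and the message itself are constructed for the demo, and the .doc-but-RTF check reflects the Add-Order.doc attachment described above.

```python
"""Header triage for a suspected malspam message, using only the standard library."""
from __future__ import annotations
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

KNOWN_BAD_RELAYS = {"23.226.130.106"}          # the relay named in the post
_BRACKET_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def display_name_carries_other_address(from_header: str) -> bool:
    """'From: "boss@realco.example" <x@attacker.example>': phones show only the quoted part."""
    name, addr = parseaddr(from_header)
    return any(_domain(a) != _domain(addr) for a in re.findall(r"[\w.+-]+@[\w.-]+", name))


def boundary_hop_ip(msg, our_mx_suffix: str) -> str | None:
    """Client IP from the Received: line written by *our* MX (matched on the 'by' host).
    Received lines below it were written by the sender's machine and can say anything."""
    for rcvd in msg.get_all("Received", []):
        flat = " ".join(str(rcvd).split())
        by = re.search(r"\bby\s+([\w.-]+)", flat)
        if by and by.group(1).lower().endswith(our_mx_suffix):
            hit = _BRACKET_IP.search(flat.split(" by ", 1)[0])
            if hit:
                return hit.group(1)
    return None


def triage_message(raw: bytes, our_mx_suffix: str = "victim.example") -> dict:
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    from_hdr = str(msg.get("From", ""))
    name, addr = parseaddr(from_hdr)
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    _, return_path = parseaddr(str(msg.get("Return-Path", "")))
    findings = []
    if display_name_carries_other_address(from_hdr):
        findings.append("display name shows an address from another domain")
    if return_path and _domain(return_path) != _domain(addr):
        findings.append(f"envelope sender {_domain(return_path)} != From domain {_domain(addr)}")
    if reply_to and _domain(reply_to) != _domain(addr):
        findings.append(f"Reply-To {_domain(reply_to)} != From domain {_domain(addr)}")
    auth = " ".join(str(h) for h in msg.get_all("Authentication-Results", [])).lower()
    for mech, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth):
        if result != "pass":
            findings.append(f"{mech}={result}")
    ip = boundary_hop_ip(msg, our_mx_suffix)
    if ip in KNOWN_BAD_RELAYS:
        findings.append(f"delivered by known malspam relay {ip}")
    attachments = []
    for part in msg.iter_attachments():
        fname = part.get_filename() or "(unnamed)"
        data = part.get_content()
        body = data if isinstance(data, bytes) else str(data).encode()
        # This campaign's Add-Order.doc is really RTF: a .doc name over an RTF body is a tell.
        if fname.lower().endswith(".doc") and body.lstrip().startswith(b"{\\rtf"):
            findings.append(f"{fname}: .doc name but RTF content")
        attachments.append(fname)
    return {"display_name": name, "from": addr, "sending_ip": ip,
            "attachments": attachments, "findings": findings}


def constructed_sample() -> bytes:
    """Hand-built message shaped like the campaign.  All names/domains are fictitious."""
    from email.message import EmailMessage
    m = EmailMessage(policy=policy.SMTP)
    m["Return-Path"] = "<bounce@vps-customer.example>"
    m["Received"] = ("from mail.vps-customer.example (unknown [23.226.130.106]) "
                     "by mx.victim.example with ESMTP id 4aB9; Tue, 11 Jun 2019 08:02:11 +0000")
    m["Authentication-Results"] = ("mx.victim.example; spf=fail smtp.mailfrom=vps-customer.example; "
                                   "dkim=none; dmarc=fail header.from=northwind.example")
    m["From"] = '"Northwind Traders Ltd - Purchasing" <purchasing@northwind.example>'
    m["Reply-To"] = "northwind.purchasing@webmail.example"
    m["To"] = "sales@victim.example"
    m["Subject"] = "RE: Request To Quote For Additional Order"
    m.set_content("Please see the attached additional order and confirm lead time.")
    m.add_attachment(b"{\\rtf1\\ansi{\\object\\objemb\\objupdate}}",
                     maintype="application", subtype="msword", filename="RFQ-Add Order.doc")
    return m.as_bytes()


if __name__ == "__main__":
    import sys
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else constructed_sample()
    for k, v in triage_message(raw).items():
        print(f"{k}: {v}")
```

Pass a saved .eml as the argument, and change `our_mx_suffix` to the host name your own mail server writes into Received: lines; with no argument it runs on the constructed sample.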

You can now submit suspicious sites, emails and files via our Submissions system

Screenshots: fake order/quote emails (one per sender and subject variant)

All the alleged senders, companies, names of employees, phone numbers, amounts, reference numbers etc. mentioned in the emails are innocent and have just been picked at random. Some of these companies will exist and some won't. Don't try to respond by phone or email; all you will do is end up with an innocent person or company whose details have been spoofed, picked at random from a long list the bad guys found earlier. The bad guys choose companies, government departments and other organisations, with subjects designed to entice or alarm you into blindly opening the attachment or clicking the link in the email to see what is happening.

This email attachment contains what appears to be a genuine Word doc or Excel XLS spreadsheet, with either a macro script or an embedded OLE object that, when run, will infect you.

Modern versions of Microsoft Office (2010, 2013, 2016 and Office 365) should automatically be set to a higher security level to protect you.

By default, Protected View is enabled and macros are disabled, UNLESS you or your company have changed those settings. If Protected View is turned off and macros are enabled, opening this malicious Word document will infect you, and simply previewing it in Windows Explorer or your email client might well be enough to infect you. Definitely DO NOT follow the document's advice to enable macros or enable editing to see the content.

Most of these malicious Word documents either appear totally blank or look something like the screenshots below when opened in Protected View, which should be the default in Office 2010, 2013, 2016 and 365. Some versions pretend to have a digital RSA key and say you need to enable editing and macros to see the content. Do NOT enable macros or editing under any circumstances.

Screenshots: Office macro lure documents as they appear in Protected View

What can be infected by this

At this time, these malicious macros only infect Windows computers. They do not affect a Mac, iPhone, iPad, BlackBerry, Windows Phone or Android phone. The malicious Word or Excel file can open on any device with an office program installed, and potentially the macro will run on Windows, Mac or any other device with Microsoft Office installed, BUT the malware the macro tries to download is Windows-specific, so it will not harm, install on or infect anything other than a Windows computer. You will not be infected if you do not have macros enabled in Excel or Word. These macros do not run in Office Online, OpenOffice, LibreOffice, WordPerfect or any other office program that can read Word or Excel files. Note that today's campaign relies on the Equation Editor exploit (CVE-2017-11882) rather than a macro, but the payload it fetches (ikenna.exe) is still a Windows executable, so the same limits apply.

Please read our How to protect yourselves page for simple, sensible advice on how to avoid being infected by this sort of socially engineered malware. Also please read our post about Word macro malware and how to avoid being infected by it.

Be very careful with email attachments. All of these emails use social engineering tricks to persuade you to open the attachments that come with the email. It might be a simple message saying "look at this picture of me I took last night" that appears to come from a friend. It might be a scareware message that makes you open the attachment to see what you are accused of doing. Frequently it is more targeted at somebody (small companies etc.) who regularly receives PDF attachments, Word .doc attachments or any other common file type used every day, for example an invoice.

The basic rule is NEVER open any attachment to an email unless you are expecting it. That is very easy to say but quite hard to put into practice, because we all get emails with files attached to them. Our friends and family love to send us pictures of them doing silly things, or cute pictures of the children or pets. Many of us routinely get Word, Excel or PowerPoint attachments in the course of work or from companies we already have a relationship with.

Never just blindly click on the file in your email program. Always save the file to your Downloads folder so you can check it first. A lot of malicious files attached to emails have a faked extension, that is, the few letters after the last dot in the file name. Unfortunately Windows hides file extensions by default, so you need to untick "Hide extensions for known file types" in Folder Options. Then, when you unzip the zip file that is supposed to contain the pictures of "Sally's dog catching a ball", an invoice or receipt from some company for a product or service, or a Word doc or Excel report that work has supposedly sent you to finish at the weekend, you can easily see whether it is a picture or document and not a malicious program. If you see .JS, .EXE, .COM, .PIF, .SCR, .HTA, .VBS, .WSF, .JSE or .JAR at the end of the file name, DO NOT click on it or try to open it; it will infect you.
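An added example (my code, not from the original post) of judging an attachment by its real name rather than the name Explorer shows. It applies the rules that matter here: Windows ignores trailing spaces and dots, hides the final registered extension when "Hide extensions for known file types" is on, and a Right-to-Left Override character can make the visible name read backwards. The extension lists extend the post's with other types Windows runs on double-click; the file names in the test are constructed.

```python
"""What an attachment's name really says, versus what a Windows user sees."""
from __future__ import annotations

# Extensions the post lists, plus other types Windows executes on double-click.
EXECUTABLE = {"exe", "com", "pif", "scr", "hta", "vbs", "vbe", "js", "jse",
              "wsf", "wsh", "jar", "bat", "cmd", "ps1", "msi", "lnk"}
# Types that look like harmless documents or pictures: still save, show the real
# extension and scan before opening.  Includes containers often used to wrap malware.
DOCUMENT = {"pdf", "doc", "docx", "docm", "xls", "xlsx", "xlsm", "rtf", "ppt", "pptx",
            "jpg", "jpeg", "png", "gif", "txt", "zip", "rar", "7z", "iso", "img"}
RLO = "\u202e"   # Unicode Right-to-Left Override: 'order_fdp.exe' renders as 'order_exe.pdf'


def canonical_name(name: str) -> str:
    """Windows strips trailing spaces and dots, so 'invoice.exe   ' is still invoice.exe."""
    return name.rstrip(" .")


def real_extension(name: str) -> str:
    """The extension Windows actually dispatches on (lower-case, RLO removed)."""
    base = canonical_name(name).replace(RLO, "")
    return base.rsplit(".", 1)[1].lower() if "." in base else ""


def displayed_name(name: str) -> str:
    """Approximate Explorer with known extensions hidden: the final registered extension
    disappears, so 'dog.jpg.exe' shows as 'dog.jpg'.  Bidi rendering is not simulated;
    the RLO character is simply dropped (it is invisible) and reported separately."""
    base = canonical_name(name)
    ext = real_extension(base)
    if ext in EXECUTABLE or ext in DOCUMENT:
        base = base[: -(len(ext) + 1)]
    return base.replace(RLO, "")


def assess_attachment(name: str) -> dict:
    """Classify one attachment name: block, inspect (save + scan first), or review."""
    ext = real_extension(name)
    parts = canonical_name(name).replace(RLO, "").lower().split(".")
    double = len(parts) > 2 and parts[-2] in (EXECUTABLE | DOCUMENT)
    has_rlo = RLO in name
    if ext in EXECUTABLE or has_rlo:
        risk = "block"      # runs code on double-click, or is actively disguising its type
    elif ext in DOCUMENT or double:
        risk = "inspect"    # the campaign's .doc falls here: open only saved and scanned
    else:
        risk = "review"
    return {"name": name, "displayed_as": displayed_name(name), "real_extension": ext,
            "double_extension": double, "rlo": has_rlo, "risk": risk}


if __name__ == "__main__":
    for n in ("RFQ-Add Order.doc", "Sallys dog catching a ball.jpg.exe",
              "Invoice_2019" + RLO + "fdp.exe", "receipt.PDF   "):
        print(assess_attachment(n))
```

The `displayed_as` field is the point: with extensions hidden, the second constructed name is shown as a picture, and only the real extension tells you it is a program.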

With these malformed, infected Word, Excel and other Office documents, which normally contain a VBA macro virus, the vital thing is not to open any Office document directly from your email client or the web. Always save the document to a safe location on your computer, normally your Downloads or Documents folder, and scan it with your antivirus. Many antivirus products do not natively detect VBA macro viruses in real-time protection, and you need to enable document or Office protection in the settings. Do not rely on your antivirus to immediately detect the malware or malicious content. DO NOT enable editing mode or enable macros.

All modern versions of Word and other Office programs (2010, 2013, 2016 and 365) should automatically open Microsoft Office documents (Word docs, Excel files, PowerPoint etc.) that are downloaded from the web or received in an email in "Protected View", which stops any embedded malware or macros from being displayed and running. Make sure Protected View is enabled in all Office programs to protect you and your company from these sorts of attacks, and do not override it to edit the document until you are 100% sure it is safe. If the Protected View bar appears when opening the document, DO NOT enable editing mode or enable macros; the document will look blank or show a warning message, but it will be safe.
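An added audit example (my code, not from the original post) for the settings the two paragraphs above depend on: the Word macro-warning level, the three per-source Protected View switches, and the Equation Editor COM kill-bit that removes the CVE-2017-11882 target on machines that have not received the January 2018 Office update that deleted EQNEDT32.EXE. The registry paths and value meanings are Microsoft's documented Office trust-center and COM-compatibility locations; the severity thresholds in `evaluate()` are my recommendation, not the post's. `evaluate()` is pure and runs anywhere on a dictionary of values; `read_word_settings()` needs Windows and reads the live registry, with the policy hive taking precedence over the user hive.

```python
"""Audit Word's Protected View / macro settings and the Equation Editor kill-bit."""
from __future__ import annotations

# Office 2016/365 = 16.0, 2013 = 15.0, 2010 = 14.0.  Group Policy writes the same value
# names under Software\Policies\..., which Office honours ahead of the user hive.
USER_SECURITY = r"Software\Microsoft\Office\{ver}\Word\Security"
POLICY_SECURITY = r"Software\Policies\Microsoft\Office\{ver}\Word\Security"
PV_VALUES = ("DisableAttachmentsInPV", "DisableInternetFilesInPV", "DisableUnsafeLocationsInPV")
EQNEDT_COMPAT = (r"SOFTWARE\Microsoft\Office\Common\COM Compatibility"
                 r"\{0002CE02-0000-0000-C000-000000000046}")
EQNEDT_COMPAT_WOW = r"SOFTWARE\Wow6432Node" + EQNEDT_COMPAT[len("SOFTWARE"):]
COM_KILLBIT = 0x400   # "Compatibility Flags" bit that stops Office instantiating the object

VBA_WARNINGS = {1: "enable all macros", 2: "disable with notification (Office default)",
                3: "disable all except digitally signed", 4: "disable all, no notification"}


def evaluate(settings: dict) -> list[tuple[str, str]]:
    """settings: value name -> DWORD, or None when the value is absent.
    Returns (severity, finding) pairs; an empty list is the hardened state."""
    findings = []
    vba = settings.get("VBAWarnings")
    if vba == 1:
        findings.append(("high", "VBAWarnings=1: all macros run silently; set 4 (or 3 for signed only)"))
    elif vba in (None, 2):
        findings.append(("medium", f"VBAWarnings={vba or 2}: {VBA_WARNINGS[2]}; one click on "
                                   "'Enable Content' runs the macro. Prefer 4 (or 3)."))
    for name in PV_VALUES:
        if settings.get(name) == 1:
            findings.append(("high", f"{name}=1: Protected View is off for this source; set 0 or delete"))
    flags = settings.get("EquationEditorCompatFlags")
    if flags is None or not flags & COM_KILLBIT:
        findings.append(("high", "Equation Editor CLSID has no COM kill-bit (Compatibility Flags 0x400): "
                                 "the CVE-2017-11882 target is loadable unless the Jan 2018 Office update "
                                 "already removed EQNEDT32.EXE"))
    return findings


def read_word_settings(ver: str = "16.0") -> dict:
    """Read the live values on Windows.  Not used by evaluate(), so the logic above
    can be exercised on any platform with a hand-built dictionary."""
    import winreg  # Windows only

    def dword(root, path, name):
        try:
            with winreg.OpenKey(root, path) as key:
                value, kind = winreg.QueryValueEx(key, name)
                return value if kind == winreg.REG_DWORD else None
        except OSError:
            return None

    out = {}
    for name, sub in [("VBAWarnings", "")] + [(n, r"\ProtectedView") for n in PV_VALUES]:
        out[name] = None
        for base in (POLICY_SECURITY, USER_SECURITY):      # policy hive wins
            v = dword(winreg.HKEY_CURRENT_USER, base.format(ver=ver) + sub, name)
            if v is not None:
                out[name] = v
                break
    out["EquationEditorCompatFlags"] = None
    for path in (EQNEDT_COMPAT, EQNEDT_COMPAT_WOW):      # 64-bit and 32-bit Office
        v = dword(winreg.HKEY_LOCAL_MACHINE, path, "Compatibility Flags")
        if v is not None:
            out["EquationEditorCompatFlags"] = v
            break
    return out


if __name__ == "__main__":
    try:
        settings = read_word_settings()
    except ImportError:
        # Constructed example of a weakened box, for running the audit logic off-Windows.
        settings = {"VBAWarnings": 1, "DisableAttachmentsInPV": 1, "DisableInternetFilesInPV": 0,
                    "DisableUnsafeLocationsInPV": None, "EquationEditorCompatFlags": None}
    for severity, text in evaluate(settings) or [("ok", "no findings")]:
        print(f"[{severity}] {text}")
```

Setting VBAWarnings to 4 is the configuration that makes "do NOT enable macros" something the user cannot get wrong; 3 is the workable compromise where signed internal macros are needed.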

Be aware that there are a lot of dodgy Word docs spreading that WILL infect you with no action from you if you are still using an outdated or vulnerable version of Word. This is a good reason to update your Office programs to a recent version and stop using Office 2003 and 2007. The Equation Editor flaw used in this campaign, CVE-2017-11882, was patched by Microsoft in November 2017, so an Office installation that is up to date is not vulnerable to it. Many of us have continued to use older versions of Word and other Office programs because they are convenient, have the functions and settings we are used to, and we have never seen a need to update to the latest super-duper version. The risks of using an older version now seriously outweigh the convenience, benefits and cost of keeping it going.

I strongly urge you to update your Office software to the latest version and stop putting yourself at risk using old, out-of-date software.

IOC:

Note: the file name, hashes and download URLs in this block do not match the Add-Order.doc / ikenna.exe sample analysed above, so check them against the VirusTotal links before adding them to a blocklist.

Secure.doc
MD5: b2e0d468b82b1de92829817b1292907e
SHA-1: 2364a75570bab29a5ef1e780bae03f0ff6935f57

Download URLs:
http://ballparkjerseys.com/bo.bin (212.53.86.192)
http://asifapparels.com/bo.bin (173.249.54.230)
MD5: 11458b0259a54c0a8146e7c16d1595e4
SHA-1: 1ce8d815703dc9bfce0053d3b1c27f2d9bcdff39


Read more https://myonlinesecurity.co.uk/multiple-hawkeye-malspam-campaigns-via-greencloudvps/

  • Carer Innovations Fund

    The Carer Innovations Fund aims to support accessible, carer-friendly communities and public services and also seeks to provide evidence on effective interventions to support carers.  The fund seeks to identify and promote creative and innovative models that look beyond statutory services to ensure that carers are: Read More
  • various phishing scams via compromised Mexican Gov email address

    This set of phishing scams is noteworthy because the emails all originate from a compromised email account belonging to the Mexican Government or at least using the Mexico Gov domain. It seems to track back to the Ministry of Justice of Guanajuato state. They all pass authentication checks so are more likely to be delivered to prospective victims.... Read More
  • curry pcworld data loss 2018

    curry pcworld data loss 2018

    On June 13, we began to contact a number of our customers as a precaution after we found that some of our security systems had been accessed in the past using sophisticated malware. We promptly launched an investigation. Since then we have been putting further security measures in place to safeguard customer information, increased our investment in cyber security and added additional controls. In all of this we have been working intensively with leading cyber security experts. Our investigation, which is now nearing completion, has identified that approximately 10 million records containing personal data may have been accessed in 2017. This unauthorised access to data may include personal information such as name, address, phone number, date of birth and email address. While there is now evidence that some of this data may have left our systems, these records do not contain payment card or bank account details and we have no confirmed instances of customers falling victim to fraud as a result. We are continuing to keep the relevant authorities updated. Read More
  • Remcos Rat via fake invoice using multiple delivery methods.

    I have heard of the “Belt and Braces ” approach to delivering malware before, but this malware campaign delivering Remcos Rat is using  the belt and 2 pairs of braces to try make sure the malware gets delivered. The email is a fairly typical Invoice Request that appears to a part of an ongoing conversation and contains 3 different... Read More
  • Lokibot via abusing the ngrok proxy service

    It looks like one of the criminal gangs behind some of the Lokibot campaigns have found a way to serve their malware almost undetected or at least without any known host that can take down easily or be blocked. What they have done with this series of campaigns is abuse a new(ish) service NGROK which basically acts as a proxy, direct tunnel or VPN... Read More
  • The Adur and Worthing Poverty Truth Commission

    Briefing meetings October 3rd 2018: Open to all. The Adur and Worthing Poverty Truth Commission (AWPTC) are pleased to announce that we will be holding two open briefing meetings for the community of Adur & Worthing to meet with us and our national Coordinator Andrew Grinnell from Leeds. The Adur and Worthing Poverty Truth Commission aims to generate solutions for the local area by bringing together decision makers with those with first-hand experience of poverty. Read More
  • claiming to offer a home insulation scheme which is supported by East Sussex County Council.

      East Sussex Trading Standards are warning residents to be vigilant about companies who are cold calling and claiming to offer a home insulation scheme which is supported by East Sussex County Council. However, it is possible that similar improper approaches may be made anywhere across the county. It is not in the remit for East Sussex County Council to support schemes that involve cold calling, and companies claiming that they do are misleading residents and may be breaking the law. This warning follows a spate of recent complaints from residents in Hastings about cold callers falsely offering an ESCC supported insulation scheme, but incidents may also be occurring elsewhere. Read More
  • eBook, "When I was young". guide to a summer outdoors,

    We're excited to announce the launch of our brand new eBook, "When I was young". A fantastic new guide to a summer outdoors, perfect for all the family. Think back to when you were young, do you ever remember being glued to a TV screen, games console or phone? No, neither do we, so let's show the next generation the excitement that can be had from the doorstep.    We want your children to enjoy being in the outdoors, just as you did when you were little. So we've created this brand new downloadable guide packed with fun activities, games and ideas to keep your family busy all summer long.   Get the kids to re-connect with the outdoors this summer and  re-create your childhood memories! Read More
  • Phishing emails pretending to be sent from myonlinesecurity.co.uk

    First of all I want to apologise to anybody who received a scam phishing email that pretended or appeared to come from our email address This email address is being protected from spambots. You need JavaScript enabled to view it..  These emails were not sent from this server but from a scummy server controlled by a hosting company  in Iceland who are used frequently by criminals for malware,... Read More
  • Hawkeye keylogger using fileless delivery system via Amazon AWS

    We have been seeing a massive increase in Malspam emails delivering Hawkeye keylogger / infostealer trojan. The vast majority have either a zip file containing the trojan itself or a malformed word doc either containing macros or using one of the Microsoft Equation Editor Exploits like CVE-2017-0199, CV-2017-11882 or CVE 2017-8570 that download... Read More
  • West Durrington Community Facilities - opportunity for an organisation

    "Adur & Worthing Councils own a number of community buildings and lease these to strong, community-focused groups and organisations to manage. The buildings are valuable assets for our local residents and the wider community - and meeting their needs, wants and expectations are essential. The Councils need organisations with sound experience, leadership and passion to take on a new lease and be the driver of good things in, and with, the local communities." Read More
  • Launch of Worthing Refill

    Refill Worthing launch - 15th August, 5:30-8pm @ St. Paul's cafe, chapel Road, Worthing BN11 1EE   A scheme to break our plastic habit, which started in Bristol and has taken off nationally, is launching in Worthing. The Refill scheme signs up local businesses, cafes and venues to become Refill stations, where members of the public can refill their own water bottles for free. The nifty little Refill app, available at the normal places, shows people their nearest stations on a map. Folks can also upload their own favourite cafes if they too want to become Refill stations.  Read More
  • Fake Bose site selling goods at stupid prices.

    I have got a slightly unusual potential scam / phishing / ID and money theft or fake goods scam to report on today. Yesterday I received a message via our submission form about a look-a-like site selling Bose products. The reporter was a bit concerned, saying “This site looks impressive but the price reductions are massive. Not at all what... Read More
  • AgentTesla Keylogger and Binary Options scam

    We are still not seeing massive amounts of malware currently hitting the UK. We are still seeing the commodity malware like AgentTesla keylogger / info stealer, Nanocore RAT and Hawkeye Keylogger on a very regular basis. Today’s example of an AgentTesla campaign is somewhat more interesting than usual. The email is nothing special and... Read More