Fake Visa notification with password-protected Word doc delivers malware

Haythem Elmir

An email with the subject of "Fwd: derek" (the recipient's name), pretending to come from Pamela <logo@mensperl.edu> (probably random senders), with a malicious Word doc attachment delivers some sort of malware, but I don't know what.

The Word doc is password-protected and you need to use the password from the email body to open it. Once you use the password and enable content, a macro runs that downloads a .jpg file, which is actually a renamed .exe file. I can't get the .exe to do much on any of the sandboxes I tried. It seems to drop a version of the Tor browser but doesn't seem to do much else. I did get a couple of NSIS installer warnings. I don't know if that is due to it trying to run in a sandbox or VM and having anti-analysis protection, or whether it is genuinely a buggy/broken installer.

Update: I am reliably informed that it is Sigma ransomware, which appears to only run on a real computer, not a VM or sandbox.
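The "jpg that is really a renamed .exe" step above is the part a mail gateway or download scanner can catch cheaply: a Windows executable starts with a DOS "MZ" stub whose e_lfanew field at offset 0x3C points at a "PE\0\0" signature, whatever the file is called. The following is an added example, not code from the original article; the sample bytes are constructed stand-ins (a minimal MZ/PE header and a JFIF header), not the real payload, and the image magic table is a small hand-written list.

```python
import struct
from typing import Optional

# Magic bytes for the image formats a dropper is likely to masquerade as.
# Constructed table for this example, not from the article.
IMAGE_MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}


def is_pe(data: bytes) -> bool:
    """True if data starts with a DOS 'MZ' stub whose e_lfanew field
    (offset 0x3C) points at a PE signature, i.e. a Windows executable."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def sniff_type(data: bytes) -> Optional[str]:
    """Return the real type judged by content: 'exe', an image extension, or None."""
    if is_pe(data):
        return "exe"
    for ext, magics in IMAGE_MAGIC.items():
        if any(data.startswith(m) for m in magics):
            return ext
    return None


def classify_download(filename: str, data: bytes) -> str:
    """Compare the extension the file claims with what its bytes say it is."""
    claimed = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if claimed == "jpeg":
        claimed = "jpg"
    actual = sniff_type(data)
    if actual == "exe" and claimed != "exe":
        return "disguised executable"
    if actual is None:
        return "unknown content"
    if actual != claimed:
        return "extension mismatch"
    return "ok"


def _fake_pe() -> bytes:
    """Constructed stand-in for the renamed .exe: an MZ stub with e_lfanew = 0x40
    and a PE signature at that offset. Not the real sample."""
    blob = bytearray(0x44)
    blob[0:2] = b"MZ"
    struct.pack_into("<I", blob, 0x3C, 0x40)
    blob[0x40:0x44] = b"PE\0\0"
    return bytes(blob)


# Constructed inputs: the "image" the macro fetched, and a genuine JPEG header.
SAMPLE_FAKE_EXE = _fake_pe()
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"

if __name__ == "__main__":
    for name, blob in [("photo.jpg", SAMPLE_FAKE_EXE), ("photo.jpg", SAMPLE_JPEG)]:
        print(name, "->", classify_download(name, blob))
```

The check is deliberately content-first: it reports "disguised executable" whenever the bytes are a PE, regardless of extension, and only then compares image magic against the claimed extension. Run it over a download directory or a proxy's saved objects rather than trusting the URL's file name.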

They are using email addresses and subjects that will scare or entice a user to read the email and open the attachment.

Remember that many email clients, especially on a mobile phone or tablet, only show the display name in the From: field and not the actual address in <domain.com>. That is why these scams and phishes work so well.
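Because the display name is all a phone client shows, the useful check is to split the From: header into name, address and domain and flag the cases that abuse that gap: a display name that looks like an address itself, or one that names a brand the sending domain has nothing to do with. The following is an added example, not code from the original article; the first sample header is the sender quoted above, the other two are constructed variants, and the brand keyword list is a one-entry placeholder to be extended for your own environment.

```python
from email.utils import parseaddr
from typing import List, Tuple

# Brand words a phisher puts in the display name. Constructed list for this
# example; extend it with the brands your users expect mail from.
BRAND_KEYWORDS = ("visa",)


def split_from(header: str) -> Tuple[str, str, str]:
    """Return (display name, address, domain) from a From: header value."""
    name, addr = parseaddr(header)
    domain = addr.rpartition("@")[2].lower()
    return name, addr, domain


def mobile_view(header: str) -> str:
    """What a phone or tablet client typically shows: the display name alone,
    falling back to the bare address when there is no name."""
    name, addr, _ = split_from(header)
    return name or addr


def from_header_findings(header: str, brand_keywords=BRAND_KEYWORDS) -> List[str]:
    """Flag the tricks that rely on name-only display."""
    name, addr, domain = split_from(header)
    if not addr:
        return ["unparseable From header"]
    findings: List[str] = []
    if "@" in name:
        # The name itself is shaped like an address, so a phone shows a
        # plausible "sender" that has nothing to do with the real one.
        findings.append("display name contains an address")
    lowered = name.lower()
    for kw in brand_keywords:
        if kw in lowered and kw not in domain:
            findings.append(f"display name mentions {kw} but domain is {domain}")
    return findings


# Constructed headers: the first is the sender quoted in the article, the
# other two are typical variants of the same trick.
SAMPLE_HEADERS = [
    "Pamela <logo@mensperl.edu>",
    '"Visa Notification" <logo@mensperl.edu>',
    '"alerts@visa.example" <logo@mensperl.edu>',
]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        _, addr, _ = split_from(h)
        print(f"{mobile_view(h)!r:30} {addr:25} {from_header_findings(h)}")
```

Note that the article's own sender ("Pamela", no brand in the name) produces no finding; the heuristic does not replace SPF/DKIM/DMARC checks on the domain, it only surfaces the display-name tricks those checks do not see.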

To read the original article:

https://myonlinesecurity.co.uk/fake-visa-notification-with-password-protected-word-doc-delivers-malware/
