spam


Recently, FortiGuard Labs found a phishing campaign targeting French nationals. In this campaign, a PDF file with embedded JavaScript is used to download the payload from a Google Drive shared link. As it turns out, the downloaded file is an HTA (HTML Application) file, a format that is becoming more and more common as a malware launch point. It is usually used as a downloader for the actual binary payload. However, in this campaign,...
by Joie Salvio and Rommel Joven  |  Oct 12, 2017  |  Filed in: Security Research
It has just been a week since the Locky variant named Diablo6 appeared. Now it has launched another campaign, more massive than the previous one. This time, it uses “.lukitus”, which means “locking” in Finnish, as the extension for the encrypted files. The FortiGuard Lion Team was the first to discover this variant with the help of Fortinet’s advanced Kadena Threat Intelligence System (KTIS) [1]. (Fig. 1: Encrypted files with .lukitus extension. Fig. 2: Familiar Locky ransom note.) Same Locky, More Spam: This...
by Joie Salvio, Rommel Joven and Floser Bacurio  |  Aug 17, 2017  |  Filed in: Security Research
Hancitor is one of the better-known malware downloaders due to its numerous spam runs and evolving delivery techniques. It reminds us of Upatre, which gained notoriety over the past two years but has now died down, possibly due to the takedowns of its major payloads. In the case of Hancitor, it is still seen as a favourite carrier of very active malware families such as Pony and Vawtrak. Just recently, we found a new Hancitor spam campaign with some notable developments that may have been present in previous variants but were not discussed...
by Joie Salvio and Rommel Joven  |  Nov 02, 2016  |  Filed in: Security Research
Recently we received a spam email with an attachment, a password-protected Word document. Its MD5 is 6619356e9e0c9d2445bf777a8bea5d6a, and it is detected as “WM/Agent.60F9!tr” by the Fortinet AntiVirus service. When the document is opened, the embedded malicious VB script code is executed, and additional malware is created and executed. Based on our analysis, this is information-stealing malware. In this blog, we’ll show you how the malware works, what information is stolen from a victim’s system, and how the stolen data...
by Xiaopeng Zhang  |  Oct 24, 2016  |  Filed in: Security Research
Spam has been a constant and chronic problem since the early days of the internet. The first unsolicited mass e-mailing (later termed SPAM) was sent on May 1, 1978 by Gary Thuerk of Digital Equipment Corp (DEC), advertising the VAX T-series to 400 of the then 2600 ARPAnet users. The SMTP protocol we still use today for email grew out of the early mail protocols used in ARPANET (Postel, RFC 788 and RFC 821) in the early 1980s and has changed relatively little since. From its inception, the SMTP protocol had little (no)...
by Carl Windsor  |  Sep 09, 2016  |  Filed in: Security Research
Malware-as-a-Service (MaaS) business models continue to thrive in the cyber underground. They allow cyber crooks to generate recurring income by renting out malware rather than selling their tools for a one-time payment. As a result, the business model has been adopted for various underground commodities such as exploit kits and remote access trojans. Recently, we saw the emergence of Ransomware-as-a-Service (RaaS) platforms. During our monitoring, we discovered that this same business model is also being used in phishing schemes in the form...
by Roland Dela Paz and Rommel Joven  |  Aug 31, 2016  |  Filed in: Security Research
Remote Administration Tools (RATs) have been around for a long time. They provide users and administrators with the convenience of being able to take full control of their systems without needing to be physically in front of a device. In this age of global operations, that’s a huge deal. From troubleshooting machines across countries to observing employees across rooms, RAT solutions have become widely used tools for remote maintenance and monitoring. Unfortunately, malware authors often utilize these same capabilities to compromise systems....
by Floser Bacurio Jr. and Joie Salvio  |  Aug 29, 2016  |  Filed in: Security Research
As if using the Internet -- the Web in particular -- weren't already fraught with cyber-perils, users -- in offices on company LANs, as well as home-based and mobile individual users -- have to add "malvertising" to the list of things from which they need to protect themselves. "Malvertising," like the name suggests, means "ads that contain malware." Like other malware infection vectors, some mal-ads aren't dangerous unless you click on them -- but others can do "drive-by downloads," sneaking their...
by Daniel Dern  |  Jun 02, 2015  |  Filed in: Industry Trends
I’ve spent a lot of time over my career talking about education. K12, higher ed, virtual and blended learning, educational technology, you name it. I’ve even looked extensively at continuing education and professional development. As my focus has turned more to enterprise technologies and security over the last several years, I still couldn’t help but see many of the challenges we face in IT through an educational lens. After all, security pros and hackers aren’t born with deep security and networking expertise - why should...
by Chris Dawson  |  May 04, 2015  |  Filed in: Industry Trends
Lethic is a proxy bot with an extremely long history, dating back to January 2010. It is best known for sending spam emails to earn as much money from the underground market as possible. In March 2014, our botnet monitoring system found that Lethic has now transformed into a clicker bot. Lethic's Spamming Method: As a proxy bot, Lethic only transfers data between its command-and-control (C&C) server and its target. When spreading spam emails, the bot receives the business SMTP email server's IP address and port from the C&C server (see...
by He Xu  |  May 06, 2014  |  Filed in: Security Research