Spam Bot.exe !!HOT!!
Although trojans typically target individuals to steal bank account credentials, the TrickBot trojan was being used to deliver secondary malware in a similar way to what is detailed in this research. The difference from the campaign described in this research is that, in addition to using TrickBot to steal sensitive information, this campaign also deploys Ryuk to hold victims' data to ransom. Criminals targeting large enterprises used spam emails to deliver the Emotet trojan in order to distribute the TrickBot malware. Once a machine is infected with TrickBot, it begins to steal sensitive information and the criminal group tries to determine whether the company is a worthwhile target. If so, they deliver the Ryuk ransomware.
Recently, several malware families have been spotted using OneNote attachments in their spam campaigns. OneNote is a powerful digital notebook tool offered by Microsoft. It provides users with a centralized location to store their thoughts, ideas, and notes in an organized manner.
In December, Trustwave discovered that Formbook malware was being delivered through spam emails containing OneNote attachments. Since then, various malware families, including Redline Stealer and AsyncRAT, have started incorporating OneNote attachments in their spam campaigns. Cyble Research Intelligence Labs (CRIL) has also noticed that the Qakbot malware uses OneNote attachments in its campaigns.
The initial infection starts with a spam email containing a OneNote attachment. When the user opens the attachment, it drops an embedded .hta file, which is executed by mshta.exe. This results in downloading a Qakbot DLL file, which is then executed by rundll32.exe. The below figure shows the Qakbot delivery mechanism.
Qakbot is a prevalent and constantly evolving malware that can have serious consequences for its victims, such as financial fraud, identity theft, etc. In this case, the Qakbot malware spreads via spam emails containing OneNote attachments. Cyble Research Labs is monitoring the activity of Qakbot and will continue to inform our readers about any updates promptly.
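The delivery chain described above (OneNote attachment, embedded .hta run by mshta.exe, DLL run by rundll32.exe) leaves a recognisable parent/child process lineage on the endpoint. The following is an added example, not code from the page or from Cyble, of a detection pass over process-creation events. The event fields (pid, ppid, image path, command line) are assumed to come from Sysmon-style process-creation telemetry, and the sample events are constructed here rather than captured from a real infection.

```python
import os
from dataclasses import dataclass
from typing import Dict, List

# Assumed event shape: one record per process creation (e.g. Sysmon Event ID 1),
# carrying the process id, parent process id, image path and command line.
@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str

# Constructed sample telemetry (not real data). Paths and the DLL name are placeholders.
SAMPLE_EVENTS: List[ProcEvent] = [
    ProcEvent(4000, 800, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(4100, 4000, r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE",
              r'ONENOTE.EXE "C:\Users\user\Downloads\attachment.one"'),
    ProcEvent(4200, 4100, r"C:\Windows\System32\mshta.exe",
              r"mshta.exe C:\Users\user\AppData\Local\Temp\OneNote\16.0\Exported\open.hta"),
    ProcEvent(4300, 4200, r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\ProgramData\PLACEHOLDER.dll,Entry"),
    # Benign: rundll32 started directly by the shell, no OneNote ancestor.
    ProcEvent(6000, 4000, r"C:\Windows\System32\rundll32.exe", "rundll32.exe shell32.dll,Control_RunDLL"),
]

SUSPICIOUS_CHILDREN = {"mshta.exe", "rundll32.exe"}


def _base(image: str) -> str:
    # Windows paths may be analysed on a non-Windows host, so normalise separators first.
    return os.path.basename(image.replace("\\", "/")).lower()


def ancestors(by_pid: Dict[int, ProcEvent], pid: int, max_depth: int = 6) -> List[ProcEvent]:
    """Return the process and its ancestors, child first, with a depth and loop guard."""
    chain: List[ProcEvent] = []
    seen = set()
    cur = by_pid.get(pid)
    while cur is not None and len(chain) < max_depth and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(cur)
        cur = by_pid.get(cur.ppid)
    return chain


def find_onenote_chains(events: List[ProcEvent]) -> List[dict]:
    """Flag mshta.exe / rundll32.exe processes that descend from ONENOTE.EXE.

    A full onenote -> mshta -> rundll32 lineage is rated high; a partial
    onenote -> mshta lineage is rated medium so the first stage is still surfaced.
    """
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        if _base(e.image) not in SUSPICIOUS_CHILDREN:
            continue
        lineage = [_base(a.image) for a in ancestors(by_pid, e.pid)]
        if "onenote.exe" not in lineage:
            continue
        # Trim the lineage at the OneNote ancestor and present it root first.
        path = list(reversed(lineage[: lineage.index("onenote.exe") + 1]))
        severity = "high" if path[-1] == "rundll32.exe" and "mshta.exe" in path else "medium"
        findings.append({"pid": e.pid, "chain": path, "severity": severity, "cmdline": e.cmdline})
    return findings


if __name__ == "__main__":
    for f in find_onenote_chains(SAMPLE_EVENTS):
        print(f["severity"], f["pid"], " -> ".join(f["chain"]), "|", f["cmdline"])
```

Walking ancestors rather than only checking the immediate parent keeps the rule working when an intermediate process (a cmd.exe or conhost.exe, for instance) sits between the stages; the depth cap and seen-set stop the walk if telemetry contains recycled or cyclic pids.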
In May 2019, ESET researchers observed a spike in ESET telemetry data regarding malware targeting France. After further investigations, we identified malware that distributes various types of spam. One of them is leading to a survey that redirects to a dodgy smartphone promotion while the other is a sextortion campaign. The spam targets the users of Orange S.A., a French ISP. We notified them before the release of this publication.
We believe the spambot is under heavy development and it has changed a lot since the first time we saw it. A mention of this threat was posted on Twitter by AnyRun; however, to the best of our knowledge no one has published a detailed analysis of it. We named this new malware Varenyky, and on July 22nd, ESET researchers saw it launch its first sextortion scam campaign.
The operators of a Trickbot spam campaign have found a new way to spread their digital infection: by using fears of a biological one. Spam targeting Italian e-mail addresses is playing on fears over the Coronavirus outbreak in that country.
Note that the message "Access Denied\r\nSorry, your IP has been identified as belonging to a spam bot or another annoying crawler" is a reply from your webserver when the Let's Encrypt validation server requested the token.
Recently, a new threat, referred to as "SQUIRRELWAFFLE" is being spread more widely via spam campaigns, infecting systems with a new malware loader. This is a malware family that's been spread with increasing regularity and could become the next big player in the spam space.
The email threat landscape is constantly changing as new threats emerge or existing threats evolve over time. Over the past few years, Emotet has been one of the primary threats being delivered via malicious spam campaigns as we have previously described in detail several times. Following law enforcement disruption of the Emotet botnets, we've been waiting for another threat to fill the void left by Emotet's exit.
Beginning in mid-September 2021, we observed malspam campaigns being used to deliver malicious Microsoft Office documents that function as the initial stage of the infection process and are used to infect systems with SQUIRRELWAFFLE. Similar to what has been observed in previous threats like Emotet, these campaigns appear to be leveraging stolen email threads, as the emails themselves appear to be replies to existing email threads. As shown below, these emails typically contain hyperlinks to malicious ZIP archives being hosted on attacker-controlled web servers.
When the victim accesses the hyperlink contained in the initial malicious spam message, they are sent a ZIP archive containing a malicious Office document. While these documents have varied across campaigns, in all cases, they are either Microsoft Word documents or Microsoft Excel spreadsheets. These documents contain the malicious code responsible for retrieving and executing the next stage component, in this case, the SQUIRRELWAFFLE payload.
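Because the lure in these campaigns is a ZIP archive wrapping a macro-bearing Word or Excel document, a mail gateway can triage the archive before the user ever opens it. The following is an added example, not code from the page or from Talos, that unpacks a ZIP in memory and reports whether each Office member carries VBA: modern OOXML files are themselves ZIPs, so the presence of a vbaProject.bin entry is checked directly; legacy binary (OLE) files are only labelled as needing a dedicated OLE parser. The sample archive is constructed inline and is not a real campaign file.

```python
import io
import zipfile
from typing import List, Tuple

OOXML_EXT = {".docx", ".docm", ".dotm", ".xlsx", ".xlsm", ".xltm", ".pptx", ".pptm"}
LEGACY_EXT = {".doc", ".xls", ".ppt"}
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # compound file header
MAX_MEMBER = 50 * 1024 * 1024                     # skip oversized members (decompression bomb guard)


def _ext(name: str) -> str:
    return "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""


def classify_office_blob(name: str, data: bytes) -> str:
    """Return 'macro', 'no-macro', 'legacy-ole', 'malformed' or 'not-office' for one file."""
    ext = _ext(name)
    if ext in OOXML_EXT or data[:2] == b"PK":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as inner:
                members = {m.lower() for m in inner.namelist()}
        except zipfile.BadZipFile:
            return "malformed"
        # The VBA project lives at word/vbaProject.bin, xl/vbaProject.bin or ppt/vbaProject.bin,
        # regardless of what extension the attachment was given.
        if any(m.endswith("vbaproject.bin") for m in members):
            return "macro"
        return "no-macro" if ext in OOXML_EXT else "not-office"
    if ext in LEGACY_EXT or data.startswith(OLE_MAGIC):
        return "legacy-ole"   # binary format: hand off to an OLE/VBA stream parser
    return "not-office"


def scan_zip(zip_bytes: bytes) -> List[Tuple[str, str]]:
    """Classify every regular member of a ZIP archive held in memory."""
    results = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as outer:
        for info in outer.infolist():
            if info.is_dir():
                continue
            if info.file_size > MAX_MEMBER:
                results.append((info.filename, "too-large"))
                continue
            results.append((info.filename, classify_office_blob(info.filename, outer.read(info))))
    return results


def build_sample_archive() -> bytes:
    """Constructed test input: a ZIP holding one macro document, one plain document, one text file."""
    def ooxml(with_vba: bool) -> bytes:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as z:
            z.writestr("[Content_Types].xml", "<Types/>")
            z.writestr("word/document.xml", "<w:document/>")
            if with_vba:
                z.writestr("word/vbaProject.bin", OLE_MAGIC + b"placeholder-vba-stream")
        return buf.getvalue()

    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("invoice.docm", ooxml(True))
        z.writestr("notes.docx", ooxml(False))
        z.writestr("readme.txt", "plain text, nothing to see")
    return outer.getvalue()


if __name__ == "__main__":
    for name, verdict in scan_zip(build_sample_archive()):
        print(f"{name}: {verdict}")
```

Checking for the vbaProject.bin part rather than trusting the extension matters because a macro-enabled file renamed to .docx is still opened by Office as what it really is; the verdict here is a triage signal for quarantine or sandboxing, not a substitute for a full macro analysis.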
We believe the earliest files used in these campaigns were submitted to public malware repositories on Sept. 10, 2021. The campaign volume began to ramp up on Sept. 13, 2021 and has been characterized by daily spam runs observed since then.
This rotation is also reflected in the maldoc macros themselves, with the macro function names and hashes rotating at the same time. The table below shows some of the macro function names, hashes and the corresponding campaign landing pages used by the macros to retrieve the SQUIRRELWAFFLE DLL files observed across some of the initial malspam campaigns.
A new malware loader named "SQUIRRELWAFFLE" has recently emerged in the threat landscape. This threat is primarily delivered via malicious spam email campaigns and features several interesting characteristics that organizations should be aware of. These infections are also used to facilitate the delivery of additional malware such as Qakbot and Cobalt Strike, two of the most common threats regularly observed targeting organizations around the world. While this threat is relatively new, the distribution campaigns, infrastructure, and C2 implementations feature several interesting techniques that are similar to those seen from other more established threats. Organizations should continue to employ comprehensive defense-in-depth security controls to ensure that they can prevent, detect, or respond to SQUIRRELWAFFLE campaigns that may be encountered in their environments.
LokiBot stealer is distributed mostly via mail-spam campaigns, prompting the user to download a malicious file that is attached. The three most commonly used attachment types are Microsoft Office documents configured to begin the download and installation of the malware, archive or ISO files containing a LokiBot executable, and a bare LokiBot executable.
Lastly, since the first version of the malware was leaked and cloned, eventually becoming available for a significantly lower price than the original, LokiBot spyware has become widely spread malware that continues to appear in several mail-spam campaigns. In fact, the malware has become so popular that set-up videos explaining how it steals credentials are publicly available on YouTube.