Results for spam

Threat Research

New Spam Attack Targets Romanian Corporation

The FortiGuard SE team has discovered an ongoing malicious spam campaign over the past few weeks. It uses a combination of a variant of the Fareit/Pony downloader together with the Formbook infostealer malware. Read this analysis report of the spam campaign.

By FortiGuard SE Team, May 08, 2019

Threat Research

VenusLocker Delivering Rotten Easter Eggs in South Korea

Over this past Easter weekend, FortiGuard Labs came across a new malicious spam campaign specifically targeting South Korea. What made this campaign unique from others is that it is the first GandCrab 2.0 malspam ransomware campaign that we’ve seen in South Korea targeting organizations in the financial sector. It appears to be originating from the VenusLocker group, which we highlighted in December of last year when we documented that they had switched their game plan from ransomware to cryptocurrency mining. Well, it appears that the VenusLocker group is back in the ransomware game, this time with GandCrab.

By Val Saengphaibul, April 04, 2018

Threat Research

Tax Refund Phishing In Malaysia – How They Bypass The Two Factor Authentication Security System

FortiGuard Labs has been tracking a tax refund phishing scam in Malaysia. Let’s get into the details of how this works.

By Nelson Ngu, November 12, 2017

Threat Research

PDF Phishing Leads to Nanocore RAT, Targets French Nationals

Recently, FortiGuard Labs found a phishing campaign targeting French nationals. In this campaign, a PDF file with embedded JavaScript is used to download the payload from a Google Drive shared link. As it turns out, the downloaded file is an HTA (HTML Application) file, a format that is becoming more and more common as a malware launch point. It is usually used as a downloader for the actual binary payload. However, in this campaign,...

By Joie Salvio and Rommel Joven, October 12, 2017

Threat Research

Locky Launches a More Massive Spam Campaign with New “Lukitus” Variant

It has just been a week since the variation of Locky named Diablo6 appeared. Now it has launched another campaign more massive than the previous. This time, it uses “.lukitus”, which means “locking” in Finnish, as the extension for the encrypted files. The FortiGuard Lion Team was the first to discover this variant with the help of Fortinet’s advanced Kadena Threat Intelligence System (KTIS) [1]. (Fig. 1: Encrypted files with .lukitus extension. Fig. 2: Familiar Locky ransom note.) Same Locky, More Spam. This...

Threat Research

The Angry Spam and The Tricky Macro Delivers Updated Hancitor

Hancitor is one of the better-known malware downloaders due to its numerous SPAM runs and evolving delivery technique. It reminds us of Upatre, which gained notoriety over the past two years but has now died down, possibly due to the takedowns of its major payloads. In the case of Hancitor, it is still seen as a favourite carrier of very much active malware families such as Pony and Vawtrak. Just recently, we found a new spam campaign of Hancitor with some notable developments that may have been in the previous variants, but were not discussed...

By Joie Salvio and Rommel Joven, November 02, 2016

Threat Research

Information-stealing Malware Is Spread Via Word Document

Recently we received a SPAM with an attachment, which is a password-protected Word document. Its MD5 is 6619356e9e0c9d2445bf777a8bea5d6a, which is detected as “WM/Agent.60F9!tr” by the Fortinet AntiVirus service. When the document is opened, the attached malicious VB script code is executed and additional malware is created and executed. Based on our analysis, this is information-stealing malware. In this blog, we’ll show you how the malware works, what information is stolen from a victim’s system, and how the stolen data...

By Xiaopeng Zhang, October 24, 2016

Threat Research

SPF, DKIM, and DMARC: Acronym Soup or Useful Email Security?

Spam has been a constant and chronic problem since the early days of the internet. The first unsolicited mass e-mailing (later termed SPAM) was sent on May 1, 1978 by Gary Thuerk of Digital Equipment Corp (DEC) advertising the VAX T-series to 400 of the then 2600 ARPAnet users. The SMTP protocol we still use today for email grew out of the early mail protocols used in ARPANET (Postel RFC788 and RFC821) in the early 1980s, and has changed relatively little since. From its inception, the SMTP protocol had little (no)...

By Carl Windsor, September 09, 2016

Threat Research

Fake-Game: The Emergence of a Phishing-as-a-Service Platform

Malware-as-a-Service (MaaS) business models continue to thrive in the cyber underground. They have allowed cyber crooks to generate renewable income by renting out malware rather than selling their tools for a one-time payment. As a result, the business model has been adopted for various underground commodities such as exploit kits and remote access trojans. Recently, we saw the emergence of Ransomware-as-a-Service (RaaS) platforms. During our monitoring, we discovered that this same business model is also being used in phishing schemes in the form...

Threat Research

German Speakers Targeted by SPAM Leading to Ozone RAT

Remote Administration Tools (RATs) have been around for a long time. They provide users and administrators with the convenience of being able to take full control of their systems without needing to be physically in front of a device. In this age of global operations, that’s a huge deal. From troubleshooting machines across countries to observing employees across rooms, RAT solutions have become widely used tools for remote maintenance and monitoring. Unfortunately, malware authors often utilize these same capabilities to compromise systems....