Cyber999 Advisories

18 October 2025 - Alert

MA-1400.102025: MyCERT Alert - Email with Malicious Attachment Targeting Internet Banking Users


1.0 Introduction
CyberSecurity Malaysia has recently observed a spoofed email with a suspicious PDF file attached, purportedly sent by a well-known Malaysian bank. The email is crafted to appear legitimate in order to lure recipients into opening the attachment.

Once executed, the malicious file may install a keylogger and an infostealer onto the victim’s device. This infostealer can harvest online banking credentials, monitor user activity, and enable attackers to gain unauthorised access to Internet banking accounts.

Such campaigns are part of ongoing cyber threats targeting online banking users in Malaysia, aimed at committing fraud and financial theft.

2.0 Impact

  • Credential theft - Customers' online banking login IDs and one-time passwords (OTPs) may be stolen.
  • Unauthorised transactions - Attackers may conduct fraudulent transfers from compromised accounts using the stolen IDs and OTPs.
  • System compromise - Infected devices may be controlled remotely for further malicious activities.
  • Privacy breach - Customers' personal and sensitive data may be exfiltrated, leading to identity theft.
  • Financial loss - Customers risk losing money from their accounts.


3.0 Technical Details
Below is a screenshot of the spoofed email, which is crafted to look like a legitimate message from a well-known bank:

Screenshot 1: Spoofed email sent pretending to be from the well-known bank

Analysis Summary

The payload is a keylogger and infostealer that employs specific techniques to load additional code and prepare for exfiltrating sensitive data. It was delivered via a spoofed email from AdvicesMY@sc.com, tricking the user into executing the attachment. After initial execution, the malware remains undetected, allowing it to perform its malicious tasks.


Execution Chain

Static Analysis Stage 1 - Initially delivered file: MY00485Q3245639MYKUL.exe

4.0 Indicators of Compromise (IOCs)
File-Based IOCs:


Network-Based IOCs:

  • hxxps://api[.]telegram[.]org/bot/sendMessage?chat_id=&text=<HOST INFO>
  • hxxp://51[.]38[.]247[.]67:8081/_send_[.]php?L
  • hxxps://reallyfreegeoip[.]org/xml/
  • hxxp://checkup[.]dyndns[.]org/

SMTP Setup:

  • Host: mail[.]derelimatbaa[.]com
  • Port: 587
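As an added illustration (not part of the advisory or MyCERT's own tooling), the following Python refangs the network indicators listed above and scans a few constructed proxy/mail log lines for connections to those hosts. The log format and the helper names are assumptions.

```python
import re
from typing import Dict, Iterable, List

# Network indicators as published in the advisory, kept in defanged form.
DEFANGED_IOCS = [
    "hxxps://api[.]telegram[.]org/bot/sendMessage?chat_id=&text=<HOST INFO>",
    "hxxp://51[.]38[.]247[.]67:8081/_send_[.]php?L",
    "hxxps://reallyfreegeoip[.]org/xml/",
    "hxxp://checkup[.]dyndns[.]org/",
    "mail[.]derelimatbaa[.]com",  # SMTP exfiltration host, port 587
]

def refang(ioc: str) -> str:
    """Turn a defanged indicator back into its matchable form."""
    ioc = re.sub(r"^hxxp", "http", ioc.strip(), flags=re.IGNORECASE)
    return ioc.replace("[.]", ".").replace("[:]", ":")

def ioc_host(value: str) -> str:
    """Extract the bare host (no scheme, port, path or query) from a URL or host:port."""
    no_scheme = re.sub(r"^https?://", "", value)
    return no_scheme.split("/")[0].split("?")[0].split(":")[0].lower()

def watch_hosts(defanged: Iterable[str]) -> List[str]:
    """Sorted, de-duplicated list of hosts to match against log destinations."""
    return sorted({ioc_host(refang(i)) for i in defanged})

# Constructed sample log lines (assumed format: ts src method destination status).
SAMPLE_LOG = """\
2025-10-18T09:12:01Z ws-042 CONNECT api.telegram.org:443 status=200
2025-10-18T09:12:03Z ws-042 GET http://51.38.247.67:8081/_send_.php?L status=200
2025-10-18T09:13:10Z ws-017 GET https://www.cybersecurity.my/ status=200
2025-10-18T09:14:55Z ws-042 GET https://reallyfreegeoip.org/xml/ status=200
2025-10-18T09:15:20Z ws-101 SMTP mail.derelimatbaa.com:587 status=open
"""

def scan_log(lines: Iterable[str], hosts: Iterable[str]) -> List[Dict[str, str]]:
    """Return one hit record per log line whose destination host is an IOC host.

    api.telegram.org and the geoip/dyndns services also see legitimate traffic, so
    treat those hits as leads to triage against the source host, not as proof alone."""
    hostset = set(hosts)
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # skip blank or malformed lines
        dest = ioc_host(parts[3])
        if dest in hostset:
            hits.append({"ts": parts[0], "src": parts[1], "host": dest})
    return hits
```

The same hosts can be fed to DNS or firewall log searches; the repeated hits from one source (ws-042 above) are what an analyst would pivot on.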

Data Sent From:


5.0 Recommendations
CyberSecurity Malaysia encourages users and administrators to review the cyber security best practices and apply the necessary updates.

  • Email Safety
    • Do not open, download, or execute attachments from unknown or unsolicited emails or messages.
    • Verify the authenticity of any banking-related communication by contacting the bank directly through the bank’s official channels (telephone, website, mobile app).
    • Be cautious of emails urging immediate action (e.g., "urgent verification required").
  • System & Device Security
    • Ensure operating systems, browsers, and all applications are updated with the latest patches.
    • Install reputable antivirus/anti-malware software and keep signatures updated.
    • Enable firewalls to block unauthorised inbound/outbound connections.
  • Banking Security Practices
    • Enable multi-factor authentication (MFA) for all Internet banking accounts where available.
    • Avoid accessing banking services through public or unsecured Wi-Fi networks.
    • Monitor bank statements and account activities regularly for suspicious transactions.
  • Incident Response
    • If you suspect your device is infected, disconnect from the Internet immediately and run a full antivirus scan.
    • Report suspicious emails to your bank and Cyber999 (cyber999@cybersecurity.my).
    • Change banking and email passwords immediately if compromise is suspected.

Generally, CyberSecurity Malaysia advises users to stay updated with the latest security announcements from the vendor and follow best practice security policies to determine which updates should be applied.

For further enquiries, please get in touch with us through the following channels:

E-mail: cyber999[at]cybersecurity.my
Phone: 1-300-88-2999 (monitored during business hours)
Mobile: +60 19 2665850 (24x7 call incident reporting)
Business Hours: Mon - Fri 08:30-17:30 MYT
Web: https://www.cybersecurity.my

6.0 References
