Thread: SPAM frauds, fakes, and other MALWARE deliveries...

Post #11 by AplusWebMaster (Adviser Team)

    Fake 'pdf attachment', 'DHL Statements', 'nm.pdf', DHL, 'invoice' SPAM

    FYI...

    Fake 'pdf attachment' SPAM - delivers Locky/Dridex
    - https://myonlinesecurity.co.uk/more-...f-attachments/
    11 May 2017 - "... well-used email template with literally hundreds if not thousands of subjects. These generally deliver either Locky ransomware or the Dridex banking Trojan.
    File_69348406
    PDF_9859
    Scan_2441975
    Document_11048
    Copy_9762
    They -all- have a pdf attachment that drops a Word doc with macros... all download from these locations, which deliver an encrypted txt file that should be converted by the macro to a working .exe file, but Payload Security... doesn't seem able to convert it...
    wipersdirect .com/f87346b
    tending .info/f87346b
    julian-g .ro/f87346b

    I am being told this is a -new- ransomware called jaff ransomware*...
    * https://twitter.com/siri_urz/status/862586080507424769
    ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."

    wipersdirect .com: 108.165.22.125: https://www.virustotal.com/en/ip-add...5/information/
    > https://www.virustotal.com/en/url/4a...9ec3/analysis/

    tending .info: 80.75.98.151: https://www.virustotal.com/en/ip-add...1/information/

    julian-g .ro: 86.35.15.215: https://www.virustotal.com/en/ip-add...5/information/
    > https://www.virustotal.com/en/url/46...2654/analysis/
    ___

    Fake 'DHL Statements' SPAM - delivers js malware
    - https://myonlinesecurity.co.uk/fake-...ivers-malware/
    11 May 2017 - "... an email with the subject of '6109175302 Statements x Requests Required' (random numbers) pretending to come from bgyhub@ dhl .com with a zip attachment containing -2- differently named .js files which delivers some sort of malware...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...s-Required.png

    TYPE OF GOODS_DECLARATION.zip: Extracts to: DECLARATION (FORM).PDF.js -and- TYPE OF GOODS DOC.pdf.js
    Current VirusTotal detections [1] [2]: Payload Security [3] [4] shows a download from one or both of these locations:
    http ://schuetzen-neusalz .de/images/banners/gbfont.se -or- http ://wersy .net/cuts.vs which is renamed and autorun by the script (VirusTotal [5]) (Payload Security[6])... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    1] https://www.virustotal.com/en/file/3...is/1494487534/

    2] https://www.virustotal.com/en/file/a...is/1494487531/

    3] https://www.hybrid-analysis.com/samp...ironmentId=100

    4] https://www.hybrid-analysis.com/samp...ironmentId=100

    5] https://www.virustotal.com/en/file/2...is/1494488118/

    6] https://www.hybrid-analysis.com/samp...ironmentId=100

    schuetzen-neusalz .de: 85.13.146.159: https://www.virustotal.com/en/ip-add...9/information/
    > https://www.virustotal.com/en/url/45...c5ce/analysis/

    wersy .net: 217.29.53.99: https://www.virustotal.com/en/ip-add...9/information/
    > https://www.virustotal.com/en/url/5d...680e/analysis/
    ___

    Malware spam with 'nm.pdf' attachment
    - http://blog.dynamoo.com/2017/05/malw...ttachment.html
    11 May 2017 - "Currently underway is a malicious spam run with various subjects, for example:
    Scan_5902
    Document_10354
    File_43359
    Senders are random, and there is -no- body text. In -all- cases there is a PDF attached named nm.pdf with an MD5 of D4690177C76B5E86FBD9D6B8E8EE23ED -or- 6B305C5B59C235122FD8049B1C4C794D (and possibly more). Detection rates at VirusTotal are moderate [1] [2].
    The PDF file contains an embedded Word .docm macro document. Hybrid Analysis [3] [4] is partly successful: it shows a run-time error for the malicious code, but it does demonstrate that a malicious .docm file is dropped, with a detection rate of 15/58 [5].
    Putting the .docm file back into Hybrid Analysis and Malwr [6] [7] shows the same sort of results, namely a download from:
    easysupport .us/f87346b ...
    UPDATE: A contact pointed out this Hybrid Analysis[X] which looks like basically the same thing, only in this sample the download seems to work. Note the references to "jaff" in the report, which -matches- this Tweet[8] about something called "Jaff ransomware".
    That report also gives two other locations to look out for:
    trialinsider .com/f87346b
    fkksjobnn43 .org/a5/

    This currently gives a recommended blocklist of:
    47.91.107.213
    trialinsider .com
    easysupport .us
    "
    1] https://virustotal.com/en/file/e148f...is/1494492097/

    2] https://virustotal.com/en/file/0ee0b...is/1494492251/

    3] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    198.58.93.28 - easysupport .us
    - https://www.virustotal.com/en/ip-add...8/information/
    > https://www.virustotal.com/en/url/23...e188/analysis/

    4] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    198.58.93.28 - easysupport .us

    5] https://virustotal.com/en/file/60446...is/1494492613/

    6] https://www.hybrid-analysis.com/samp...ironmentId=100
    198.58.93.28 - easysupport .us

    > https://www.virustotal.com/en/url/23...e188/analysis/

    7] https://malwr.com/analysis/NjE5YjEyN...Y1NjU5ZDViNzk/

    8] https://twitter.com/malwrhunterteam/...97006363152385

    X] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    107.154.168.227 - trialinsider .com
    47.91.107.213 - fkksjobnn43 .org

    trialinsider .com: 107.154.161.227: https://www.virustotal.com/en/ip-add...7/information/
    > https://www.virustotal.com/en/url/5c...291a/analysis/
    107.154.168.227: https://www.virustotal.com/en/ip-add...7/information/
    > https://www.virustotal.com/en/url/5c...291a/analysis/

    fkksjobnn43 .org: 47.91.107.213: https://www.virustotal.com/en/ip-add...3/information/
    > https://www.virustotal.com/en/url/71...e012/analysis/
    ___

    Fake 'DHL' SPAM - delivers Trojan
    - https://myonlinesecurity.co.uk/more-...anking-trojan/
    11 May 2017 - "... an email with the subject of 'Fwd: DHL Redelivery Confirmation #574068024996' (random numbers) pretending to come from random companies, names and email addresses with a semi-random named zip attachment which delivers Ursnif banking Trojan...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...redelivery.png

    request-redelivery-2017053299810.pdf.js - Current VirusTotal detections 1/57*. Payload Security** shows a download from one or both of these locations
    http ://schuetzen-neusalz .de/images/banners/gbfont.se -or- http ://wersy .net/cuts.vs
    which is -renamed- and autorun by the script (VirusTotal 9/62***) (Payload Security[4])... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/2...is/1494500118/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100

    *** https://www.virustotal.com/en/file/2...is/1494488118/

    4] https://www.hybrid-analysis.com/samp...ironmentId=100

    schuetzen-neusalz .de: 85.13.146.159: https://www.virustotal.com/en/ip-add...9/information/
    > https://www.virustotal.com/en/url/45...c5ce/analysis/

    wersy .net: 217.29.53.99: https://www.virustotal.com/en/ip-add...9/information/
    > https://www.virustotal.com/en/url/5d...680e/analysis/
    ___

    Fake 'invoice' SPAM - using docs with embedded ole objects
    - https://myonlinesecurity.co.uk/ursni...d-ole-objects/
    11 May 2017 - "... banking Trojans. This one is using a different delivery method to try to throw us off track... this has a Word docx attachment that contains an embedded OLE object; when you click on the blurry image in the Word doc, thinking you are opening an invoice, you actually open & run the embedded hidden .js file. This pretends to be an invoice coming from random senders:
    > https://myonlinesecurity.co.uk/wp-co...ole-object.png

    Screenshot: https://myonlinesecurity.co.uk/wp-co...zi-invoice.png

    7398219046.docx - Current VirusTotal detections 2/58*. Payload Security** shows the dropped .js file but doesn't make it available for download. I had to get that manually (VirusTotal 1/55***) (Payload Security[4]) which shows
    the same connections and download from one or both of these locations
    http ://schuetzen-neusalz .de/images/banners/gbfont.se -or- http ://wersy .net/cuts.vs
    which is renamed and autorun by the script (VirusTotal 9/62[5]) (Payload Security[6])... This email attachment contains what appears to be a genuine word doc or Excel XLS spreadsheet with either a macro script or an embedded OLE object that when run will infect you... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/7...is/1494509580/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100

    *** https://www.virustotal.com/en/file/6...is/1494508789/

    4] https://www.hybrid-analysis.com/samp...ironmentId=100

    5] https://www.virustotal.com/en/file/2...is/1494488118/

    6] https://www.hybrid-analysis.com/samp...ironmentId=100

    schuetzen-neusalz .de: 85.13.146.159: https://www.virustotal.com/en/ip-add...9/information/
    > https://www.virustotal.com/en/url/45...c5ce/analysis/

    wersy .net: 217.29.53.99: https://www.virustotal.com/en/ip-add...9/information/
    > https://www.virustotal.com/en/url/5d...680e/analysis/
    ___

    New ‘Jaff’ ransomware via Necurs ...
    - https://blog.malwarebytes.com/cyberc...sks-for-2-btc/
    May 11, 2017 - "... yet another ransomware on the block, but contrary to the many copycats out there this one appears to be more serious and widespread since it is part of the Necurs spam campaigns... Jaff ransomware looks identical to Locky in many ways: same distribution via the Necurs botnet, same PDF that opens up a Word document with a macro, and also a similar payment page:
    > https://blog.malwarebytes.com/wp-con...7/05/email.png
    ...
    > https://blog.malwarebytes.com/wp-con...Jaff_decoy.png
    ... this is where the comparison ends, since the code base is different as well as the ransom itself. Jaff asks for an astounding 2 BTC, which is about $3,700 at the time of writing:
    > https://blog.malwarebytes.com/wp-con.../encrypted.png
    ... the return of Locky after a short hiatus has not been as big as anticipated. The appearance of the Jaff ransomware may also take away some market shares from it."

    Last edited by AplusWebMaster; 2017-05-12 at 13:29.
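The post above describes three attachment chains (a PDF carrying an embedded .docm, a zip of double-extension `.pdf.js` scripts, and a .docx whose OLE object hides a .js) plus a blocklist of download hosts. The script below is an added triage example, my own code rather than anything from the post or the blogs it quotes. It builds constructed stand-in attachments in memory (none are real malware), flags each of those patterns, and matches any plaintext URL in the bytes against the hosts and IPs collected in the post. The script extensions it flags and the PDF check, which only sees names and zip directories that are not inside a compressed stream, are my assumptions.

```python
"""Triage the attachment patterns from the post: PDF->docm, x.pdf.js in a zip,
OLE-embedded script in a .docx, and URLs pointing at the post's blocklist."""
import io
import re
import zipfile

# Indicators copied from the post (defanged there with a space before the TLD).
BLOCKLIST_HOSTS = {
    "wipersdirect.com", "tending.info", "julian-g.ro", "easysupport.us",
    "trialinsider.com", "fkksjobnn43.org", "schuetzen-neusalz.de", "wersy.net",
}
BLOCKLIST_IPS = {
    "108.165.22.125", "80.75.98.151", "86.35.15.215", "198.58.93.28",
    "107.154.168.227", "47.91.107.213", "85.13.146.159", "217.29.53.99",
}
# Assumption: Windows Script Host / HTA types are the script extensions worth flagging.
SCRIPT_EXTS = ("js", "jse", "vbs", "wsf", "hta")
_ALT = "|".join(SCRIPT_EXTS)
DOUBLE_EXT = re.compile(r"\.(pdf|doc|docx|xls|xlsx|txt)\.(%s)$" % _ALT, re.I)
SCRIPT_NAME = re.compile(rb"\.(%s)\b" % _ALT.encode(), re.I)
HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")


def findings_for_pdf(data: bytes) -> list:
    """Plaintext heuristic: embedded file / JavaScript action, and a .docm name or VBA zip entry."""
    found = []
    if b"/EmbeddedFile" in data or b"/JavaScript" in data:
        found.append("pdf: embedded file or JavaScript action")
        if b".docm" in data or b"word/vbaProject.bin" in data:
            found.append("pdf: embedded Word macro document (.docm)")
    return found


def findings_for_zip(data: bytes) -> list:
    """Script members, with double extensions (x.pdf.js) called out separately."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = z.namelist()
    except zipfile.BadZipFile:
        return ["zip: not a readable archive"]
    found = []
    for name in names:
        if DOUBLE_EXT.search(name):
            found.append("zip: double-extension script member %s" % name)
        elif name.lower().endswith(tuple("." + e for e in SCRIPT_EXTS)):
            found.append("zip: script member %s" % name)
    return found


def findings_for_docx(data: bytes) -> list:
    """VBA project and word/embeddings/ OLE objects; an OLE Package keeps the original filename."""
    found = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = z.namelist()
            if "word/vbaProject.bin" in names:
                found.append("docx: contains a VBA project (macros)")
            for name in names:
                if name.startswith("word/embeddings/"):
                    blob = z.read(name)
                    if SCRIPT_NAME.search(blob) or b"ActiveXObject" in blob or b"WScript" in blob:
                        found.append("docx: embedded OLE object %s carries a script" % name)
                    else:
                        found.append("docx: embedded OLE object %s (inspect manually)" % name)
    except zipfile.BadZipFile:
        return ["docx: not a readable OOXML package"]
    return found


def blocklisted_hosts(data: bytes) -> set:
    """Hosts/IPs in any plaintext URL that match the post's indicator list."""
    hits = set()
    for host in HOST_RE.findall(data.decode("latin-1")):
        if host.lower() in BLOCKLIST_HOSTS or host in BLOCKLIST_IPS:
            hits.add(host.lower())
    return hits


def triage(filename: str, data: bytes) -> list:
    """Run every applicable check on one attachment and return the findings."""
    found = []
    if DOUBLE_EXT.search(filename):
        found.append("attachment: double-extension script name %s" % filename)
    if data.startswith(b"%PDF"):
        found += findings_for_pdf(data)
    elif data.startswith(b"PK"):
        is_ooxml = filename.lower().endswith((".docx", ".docm", ".xlsx", ".xlsm"))
        found += findings_for_docx(data) if is_ooxml else findings_for_zip(data)
    hits = blocklisted_hosts(data)
    if hits:
        found.append("network: blocklisted host(s) " + ", ".join(sorted(hits)))
    return found


def _zip_bytes(members: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:  # ZIP_STORED by default, so member bytes stay plaintext
        for name, blob in members.items():
            z.writestr(name, blob)
    return buf.getvalue()


def build_samples() -> dict:
    """Constructed stand-ins for the attachments the post describes (not real malware)."""
    js = b"var u = 'http://wersy.net/cuts.vs'; var o = new ActiveXObject('WScript.Shell');\n"
    fake_docm = _zip_bytes({"word/document.xml": b"<w:document/>", "word/vbaProject.bin": b"stub"})
    pdf = (b"%PDF-1.7\n1 0 obj << /Type /Filespec /F (nm.docm) /EF << /F 2 0 R >> >> endobj\n"
           b"2 0 obj << /Type /EmbeddedFile /Length " + str(len(fake_docm)).encode()
           + b" >> stream\n" + fake_docm + b"\nendstream endobj\n%%EOF\n")
    ole = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"invoice.js\x00" + js  # OLE header + Package name + script
    return {
        "nm.pdf": pdf,
        "TYPE OF GOODS_DECLARATION.zip": _zip_bytes({"DECLARATION (FORM).PDF.js": js, "TYPE OF GOODS DOC.pdf.js": js}),
        "7398219046.docx": _zip_bytes({"word/document.xml": b"<w:document/>", "word/embeddings/oleObject1.bin": ole}),
        "notes.txt": b"Meeting notes, nothing to see here.",
    }


def run_triage() -> dict:
    return {name: triage(name, data) for name, data in build_samples().items()}


if __name__ == "__main__":
    for name, found in run_triage().items():
        print(name, "->", found or ["clean"])
```

Run it as a script to see one line of findings per sample; on real mail, feed `triage()` each decoded attachment. Everything here is a static heuristic, so a compressed PDF stream or an obfuscated URL will slip past it, which is why the quoted posts still lean on sandbox runs for the download stage.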
