Thread: SPAM frauds, fakes, and other MALWARE deliveries...

  #11 AplusWebMaster (Adviser Team)
    Fake blank/empty SPAM, WordPress Brute Force Attacks

    FYI...

    Fake blank/empty SPAM - delivers globeimposter ransomware
    - https://myonlinesecurity.co.uk/more-...er-ransomware/
    26 Dec 2017 - "... malware downloaders from the Necurs botnet... a blank/empty email with the subject of 'CCE26122017_004385' (random numbers after the date) pretending to come from random names and random email addresses that just has a 7z attachment containing a .js file... One of the emails looks like:
    From: Emmitt <Emmitt@ kendrixcorp .com>
    Date: Tue 26/12/2017 15:04
    Subject: CCE26122017_004385
    Attachment: CCE26122017_004385.7z

    Body content: completely blank/empty

    Screenshot: https://myonlinesecurity.co.uk/wp-co...6_15-28-28.png

    CCE26122017_004385.7z: Extracts to: CCE26122017_48779.js - Current Virus total detections 11/58*. Hybrid Analysis**...
    This particular version downloads from
    http ://www.thedournalist .com/mnbTREkfDS??jYAbcsB=jYAbcsB (there will normally be 6-8 other download locations)
    (VirusTotal 7/68[3])...
    The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/1...is/1514301126/
    CCE26122017_48779.js

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    DNS Requests
    86.106.30.37
    Contacted Hosts
    86.106.30.37

    3] https://www.virustotal.com/en/file/3...is/1514301538/
    mnbTREkfDS.exe

    thedournalist .com: 86.106.30.37: https://www.virustotal.com/en/ip-add...7/information/
    ___

    Massive Brute-Force Attack Infects WordPress Sites with Monero Miners
    - https://www.bleepingcomputer.com/new...monero-miners/
    Dec 20, 2017 - "... WordPress sites around the globe have been the targets of a massive brute-force campaign during which hackers attempted to guess admin account logins in order to install a Monero miner on compromised sites...
    Once attackers get in, they install a Monero miner, and they also use the infected site to carry out further brute-force attacks. These two operations don't happen at the same time, and each site is either brute-forcing other WordPress sites or mining Monero..."

    WordPress Brute Force Attack Campaign
    - https://www.wordfence.com/blog/2017/...rdpress-attack
    Dec 18, 2017 - "A massive distributed brute force attack campaign targeting WordPress sites started this morning at 3am Universal Time, 7pm Pacific Time. The attack is broad in that it uses a large number of attacking IPs, and is also deep in that each IP is generating a huge number of attacks. This is the most aggressive campaign we have seen to date, peaking at over 14 million attacks per hour. The attack campaign was so severe that we had to scale up our logging infrastructure to cope with the volume when it kicked off, which makes it clear that this is the highest volume attack that we have seen in Wordfence history, since 2012..."
    ___

    Remove the Slmgr32.exe Monero CPU Miner
    - https://www.bleepingcomputer.com/vir...nero-cpu-miner
    Nov 3, 2017

    Last edited by AplusWebMaster; 2017-12-26 at 21:16.
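A defender-side triage check for the lure described in the quoted myonlinesecurity write-up, added here as an example and not code from the post or from the cited site. It parses a constructed message (sender domain and payload bytes are placeholders, not a real capture) and flags the three traits the write-up names: a subject of the form CCE<date>_<digits>, an empty body, and a lone .7z attachment. The .js inside the archive is not inspected; that needs an archive library and is left out.

```python
import base64
import email
import re
from email import policy

# Heuristics taken from the campaign description quoted above:
# subject "CCE<ddmmyyyy>_<digits>", empty body, a single .7z attachment.
SUBJECT_RE = re.compile(r"^CCE\d{8}_\d+$")
SEVEN_ZIP_MAGIC = b"7z\xbc\xaf\x27\x1c"  # first 6 bytes of any 7z archive

# Constructed sample resembling the described lure. The sender domain is a
# placeholder and the attachment body is only the 7z magic, not real malware.
SAMPLE_EML = """\
From: Emmitt <Emmitt@example.invalid>
To: victim@example.invalid
Date: Tue, 26 Dec 2017 15:04:00 +0000
Subject: CCE26122017_004385
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"


--b1
Content-Type: application/x-7z-compressed; name="CCE26122017_004385.7z"
Content-Disposition: attachment; filename="CCE26122017_004385.7z"
Content-Transfer-Encoding: base64

N3q8ryccAAQ=
--b1--
"""


def body_is_empty(msg):
    """True when the message has no text/html body or it is whitespace only."""
    body = msg.get_body(preferencelist=("plain", "html"))
    return body is None or not body.get_content().strip()


def seven_zip_attachments(msg):
    """Names of attachments that both end in .7z and start with the 7z magic."""
    names = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        if name.lower().endswith(".7z") and data.startswith(SEVEN_ZIP_MAGIC):
            names.append(name)
    return names


def score_message(raw):
    """Return (matches_all_traits, reasons) for a raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []
    if SUBJECT_RE.match((msg["Subject"] or "").strip()):
        reasons.append("subject matches CCE<date>_<digits> pattern")
    if body_is_empty(msg):
        reasons.append("empty body")
    names = seven_zip_attachments(msg)
    if len(names) == 1:
        reasons.append("single .7z attachment: " + names[0])
    return len(reasons) == 3, reasons
```

Only the combination of all three traits is treated as a hit, so an ordinary empty-bodied mail or a lone 7z archive on its own is not flagged.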
