
Thread: SPAM frauds, fakes, and other MALWARE deliveries...

    #11 AplusWebMaster (Adviser Team)
    Join Date: Oct 2005
    Location: USA
    Posts: 6,881

    Fake 'Rechnung', 'Scanned image' SPAM, Fake 'Quick cash' fraud SCAM/PHISH

    FYI...

    Fake 'Rechnung' SPAM - downloads Locky
    - https://myonlinesecurity.co.uk/rechn...ky-ransomware/
    5 July 2016 - "An email partly in German and partly in English pretending to be a-mobile-phone-bill with the subject of 'Rechnung 2016-93910' [random numbered] pretending to come from mpsmobile GmbH <info@ mpsmobile .de> with a zip attachment which downloads Locky ransomware... One of the emails looks like:
    From: mpsmobile GmbH <info@mpsmobile .de>
    Date: Tue 05/07/2016 10:45
    Subject: Rechnung 2016-93910
    Attachment: 52751_Rechnung_2016-93910_20160705.zip
    Sehr geehrte Damen und Herren, anbei erhalten Sie das Dokument ‘Rechnung 2016-93910′ im PDF-Format. Um es betrachten und ausdrucken zu können, ist der PDF Reader erforderlich. Diesen können Sie sich kostenlos in der aktuellen Version aus dem Internet installieren. Mit freundlichen Grüssen mpsmobile Team ...
    Dear Ladies and Gentlemen, please find attached document ”Rechnung 2016-93910’ im PDF-Format. To view and print these forms, you need the PDF Reader, which can be downloaded on the Internet free of charge. Best regards mpsmobile GmbH ...


    5 July 2016: 52751_Rechnung_2016-93910_20160705.zip: Extracts to: 63227_2016-53001_20160705.js
    Current Virus total detections 23/56*. Payload Security** | MALWR*** was unable to find anything but manual analysis shows a download from http ://brewinbooks .com/98uhnvcx4x (VirusTotal 3/53[4]) which looks like Locky Ransomware but MALWR[5] doesn’t show any activity which is probably due to anti-sandbox protection in the file. Other download locations so far found include:
    http ://brazilmart .com/98uhnvcx4x
    http ://brewinbooks .com/98uhnvcx4x
    http ://thecorporate .gift/98uhnvcx4x
    http ://lojaeberlin .com/98uhnvcx4x
    http ://topbag .com.au/98uhnvcx4x
    http ://hangusaxachtay .com/98uhnvcx4x
    http ://flyingcarts .com/98uhnvcx4x
    http ://imbagscanta .com/98uhnvcx4x
    http ://foxprint .ro/98uhnvcx4x
    This is another one of the files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/1...is/1441173827/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    79.170.44.88
    185.106.122.46
    185.106.122.38
    192.42.116.41
    5.196.70.240


    *** https://malwr.com/analysis/MTViYTEyZ...E3N2I4MTczNjQ/

    4] https://www.virustotal.com/en/file/f...is/1467711259/

    5] https://malwr.com/analysis/MTczYmY2M...MyZGZkNjkyYmI/
    ___

    Fake 'Scanned image' SPAM - leads to Locky
    - http://blog.dynamoo.com/2016/07/malw...-leads-to.html
    5 July 2016 - "This -fake- document scan appears to come from within the victim's own domain but has a malicious attachment.
    From: administrator8991@ victimdomain .com
    Date: 5 July 2016 at 12:47
    Subject: Scanned image
    Image data has been attached to this email.


    Possibly due to an error in setting up the spam run, there is an attachment named 05-07-2016_rndnum(4,9)}}.docm which contains a malicious macro. We haven't seen much in the way of Word-based malware recently. The two samples I received have VirusTotal detection rates of 5/52* and 6/52**. The Malwr analysis for those samples [1] [2] shows the macro downloading a binary from:
    leafyrushy .com/98uhnvcx4x
    sgi-shipping .com/98uhnvcx4x
    There will be a lot more locations too. This drops a binary with a detection rate of 5/55[3] which appears to be Locky ransomware. Hybrid Analysis[4] shows it phoning home to:
    185.106.122.38 (Host Sailor, Romania / UAE)
    185.106.122.46 (Host Sailor, Romania / UAE)
    185.129.148.6 (MWTV, Latvia)
    Host Sailor is a notoriously Black Hat web host, MWTV has its problems too. The payload appears to be Locky ransomware.
    Recommended blocklist:
    185.106.122.0/24
    185.129.148.0/24
    "
    * https://virustotal.com/en/file/26202...is/1467721871/

    ** https://virustotal.com/en/file/34c92...is/1467721877/

    1] https://malwr.com/analysis/ZTNkYzVmM...NkZWYzZDliYTM/
    Hosts
    209.222.76.2

    2] https://malwr.com/analysis/Y2RlMTJlY...lmMWMwZGJjYjk/
    Hosts
    160.153.74.199

    3] https://virustotal.com/en/file/2a92e...34f0/analysis/

    4] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    185.106.122.38
    185.106.122.46
    185.129.148.6

    ___

    Fake 'Quick cash' fraud SCAM/PHISH
    - https://myonlinesecurity.co.uk/fake-...s-fraud-scams/
    5 July 2016 - "... Instead of the usual spam emails, we are seeing loads of -fake- invoices, all with links to various companies that pass through or redirect the user to
    http ://www.quickcashsystem .biz/?offerID=1062&p=10274a38b6a0b47645075132d8d48c (They are probably affiliate references so the scummy scammers can pay the evil fraudsters who send victims to them). The reference number is different, depending on the “victim’s IP number”. I visited via different proxies and got a different reference number each visit... This all starts off with an email like one of these:
    This first one pretends to be an Account Balance Warning from an unnamed bank. All the links go to
    http ://beckham7 .com/lists/link.php?M=28914&N=33&L=18&F=H where you are -redirected- (eventually) to
    http ://www.quickcashsystem .biz/?offerID=1062&p=102798821e1ff5eaafa8251b9ba26e where a video immediately starts playing offering you, showing you a big mansion, expensive cars and the chance to make $$$$$.

    Screenshot: https://myonlinesecurity.co.uk/wp-co...7-1024x733.png

    This one pretends to be an electronics invoice and at a first quick glance, you could quite easily mistake it for an Ebay invoice and follow the links to see what on earth has happened, because you don’t remember ordering anything. This one leads to http ://a2cd .com/lists/link.php?M=29114&N=33&L=18&F=H which -redirects- to
    http ://www.quickcashsystem .biz/?offerID=1062&p=102798821e1ff5eaafa8251b9ba26e :
    > https://myonlinesecurity.co.uk/wp-co...1-1024x608.png
    This 3rd example is so generic that almost anyone receiving it would click through to see what or how this mistake could have been made. This goes to
    http ://steps123 .com/lists/link.php?M=29215&N=41&L=20&F=H and -redirects- to
    http ://www.quickcashsystem .biz/?offerID=1062&p=102798821e1ff5eaafa8251b9ba26e :
    > https://myonlinesecurity.co.uk/wp-co...3-1024x580.png
    You eventually end up on this page, whichever link you follow to start with:
    > https://myonlinesecurity.co.uk/wp-co...h-1024x644.png
    If you look at the small print at the very bottom of the page, you just see in very light type a link to disclaimer and privacy:
    > https://myonlinesecurity.co.uk/wp-co...aimer_link.png
    Following the disclaimer link, you get a page that does warn you “The www .quickcashsystem .biz sales video is fictitious and was produced to portray the potential of the www .quickcashsystem .biz 3rd party signals software. Actors have been used to present this opportunity and it should be viewed for entertainment purposes. We do not guarantee income or success, and example results in the video and anywhere else on this website do not represent an indication of future success or earnings.”

    quickcashsystem .biz: 5.189.129.65: https://www.virustotal.com/en/ip-add...5/information/
    >> https://www.virustotal.com/en/url/67...0189/analysis/

    Last edited by AplusWebMaster; 2016-07-05 at 16:01.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .
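The write-ups quoted above publish their indicators in a defanged form (a space before "://" and before the domain's final dot) and end with a recommended CIDR blocklist. The following is an added example, not code from the forum post or from the quoted blogs: it re-fangs the URLs and domains, pulls out the IPv4 addresses, checks which of them the recommended 185.106.122.0/24 and 185.129.148.0/24 ranges would actually cover, and flags attachment names whose real extension is a script or macro-enabled type, the "show known file extensions" point the post makes. The sample text is a constructed excerpt of lines copied from the post; the regexes and the list of risky extensions are this example's own assumptions.

```python
import ipaddress
import re

# Constructed sample: a handful of lines copied from the forum post above,
# kept in the post's "defanged" form (a space before "://" and before the
# domain's last dot so the links are not clickable).
SAMPLE_TEXT = """
http ://brewinbooks .com/98uhnvcx4x
http ://thecorporate .gift/98uhnvcx4x
leafyrushy .com/98uhnvcx4x
http ://www.quickcashsystem .biz/?offerID=1062&p=10274a38b6a0b47645075132d8d48c
185.106.122.38 (Host Sailor, Romania / UAE)
185.129.148.6 (MWTV, Latvia)
209.222.76.2
Attachment: 52751_Rechnung_2016-93910_20160705.zip
Extracts to: 63227_2016-53001_20160705.js
05-07-2016_rndnum(4,9)}}.docm
"""

# The blocklist recommended in the Dynamoo write-up quoted in the post.
RECOMMENDED_BLOCKLIST = ["185.106.122.0/24", "185.129.148.0/24"]

# Defanged URL or bare domain: optional "http ://" prefix, labels that may be
# separated from their dot by a space, an alphabetic TLD, optional path.
# The lookbehind stops filename fragments such as "_20160705.zip" matching.
DEFANGED_URL_RE = re.compile(
    r"(?<![\w.])(?:https?\s*:\s*//\s*)?(?:[a-z0-9-]+\s?\.\s?)+[a-z]{2,}(?:/\S*)?",
    re.IGNORECASE,
)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Attachment names whose real extension executes when opened; Windows hides
# these extensions by default, which is the point the post makes.
# The extension list is an assumption of this example, not from the post.
RISKY_ATTACHMENT_RE = re.compile(
    r"\S+\.(?:js|jse|vbs|wsf|exe|scr|docm|xlsm)\b", re.IGNORECASE
)


def refang(token: str) -> str:
    """Remove the spacing inserted to defang a URL or domain."""
    return re.sub(r"\s+", "", token)


def extract_iocs(text: str) -> dict:
    """Pull URLs/domains, IPv4 addresses and risky attachment names out of a
    defanged write-up, de-duplicated in order of first appearance."""
    urls = [refang(m.group(0)) for m in DEFANGED_URL_RE.finditer(text)]
    ips = IPV4_RE.findall(text)
    attachments = [m.group(0) for m in RISKY_ATTACHMENT_RE.finditer(text)]
    return {
        "urls": list(dict.fromkeys(urls)),
        "ips": list(dict.fromkeys(ips)),
        "risky_attachments": list(dict.fromkeys(attachments)),
    }


def ips_covered_by_blocklist(ips, cidrs=RECOMMENDED_BLOCKLIST) -> dict:
    """Map each IP to True if one of the blocklist CIDRs contains it."""
    networks = [ipaddress.ip_network(c) for c in cidrs]
    return {ip: any(ipaddress.ip_address(ip) in net for net in networks) for ip in ips}


if __name__ == "__main__":
    iocs = extract_iocs(SAMPLE_TEXT)
    for kind, values in iocs.items():
        print(kind)
        for value in values:
            print("  ", value)
    print("blocklist coverage")
    for ip, covered in ips_covered_by_blocklist(iocs["ips"]).items():
        print("  ", ip, "blocked" if covered else "NOT in recommended blocklist")
```

Run as-is it reports that the two Host Sailor addresses fall inside the recommended ranges while the 209.222.76.2 host seen in the Malwr report does not, which is the kind of gap to check before treating a published blocklist as complete.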
