Thread: SPAM frauds, fakes, and other MALWARE deliveries...

  1. #1
    AplusWebMaster (Adviser Team) - Join Date: Oct 2005 - Location: USA - Posts: 6,881

    Whatsapp leads to Fake Flash update, Fake 'invoice' SPAM - malware

    FYI...

    Whatsapp leads to Fake Flash update – malware
    - http://myonlinesecurity.co.uk/whatsa...pdate-malware/
    27 Jan 2015 - "An email pretending to come from somebody you know that appears to be a Whatsapp notification is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...e1-262x300.png

    When you press the play button in the email, you get sent to a page looking like:
    > http://myonlinesecurity.co.uk/wp-con...2-1024x739.png
    ... if you select the 'upgrade now' button you end up with a fake flash player update and a badly infected computer...
    27 January 2015: adobe_flash_player_update.exe . Current Virus total detections: 2/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/7...is/1422376705/
    ___

    Fake 'invoice' SPAM - malware
    - http://blog.dynamoo.com/2015/01/malw...de-r-kern.html
    27 Jan 2015 - "Kern Engineering & Mfg Corp. is a wholly legitimate firm, they are not sending out this spam nor have their systems been compromised in any way. Instead, this is a -forgery- which has a malicious Word document attached.
    From: Eileen Meade [eileenmeade@ kerneng .com]
    date: 27 January 2015 at 08:25
    subject: inv.# 35261
    Here is your invoice & Credit Card Receipt.
    Eileen Meade
    R. Kern Engineering & Mfg Corp.
    Accounting
    909) 664-2442
    Fax 909) 664-2116


    So far, I have seen two different versions of the Word document, both poorly detected [1] [2] containing two different macros... These attempt to download a binary from one of the following locations:
    http ://UKR-TECHTRAININGDOMAIN .COM/js/bin.exe
    http ://schreinerei-ismer.homepage.t-online .de/js/bin.exe
    This is saved as %TEMP%\sdfsdferfwe.exe. It has a VirusTotal detection rate of 3/57*..."
    1] https://www.virustotal.com/en/file/7...is/1422351101/

    2] https://www.virustotal.com/en/file/2...is/1422351116/

    * https://www.virustotal.com/en/file/2...is/1422351532/


    - http://myonlinesecurity.co.uk/eileen...d-doc-malware/
    27 Jan 2015
    > https://www.virustotal.com/en/file/7...is/1422350612/

    > https://www.virustotal.com/en/file/2...is/1422350713/

    - http://blog.mxlab.eu/2015/01/27/fake...word-document/
    Jan 27, 2015
    > https://www.virustotal.com/en/file/2...is/1422351532/

    216.251.43.17: https://www.virustotal.com/en/ip-add...7/information/

    80.150.6.138: https://www.virustotal.com/en/ip-add...8/information/

    Last edited by AplusWebMaster; 2015-01-27 at 22:46.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #2
    AplusWebMaster (Adviser Team)

    Fake 'Lloyds new message', 'Lloyds new debit' SPAM – malware

    FYI...

    Fake 'Lloyds new message' SPAM – PDF malware
    - http://myonlinesecurity.co.uk/lloyds...e-pdf-malware/
    9 Feb 2015 - "'You have a new message' pretending to come from Lloyds Commercial Banking <GrpLloydslinkHelpdesk@ lloydsbanking .com> with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    Lloyds Commercial Logo
    We want you to recognise a fraudulent email if you receive one. Lloyds Bank will always greet you personally using your title and surname and, where you hold an existing account with us, the last four digits of your account number: XXXX1328.
    Dear Lloyds Link Customer,
    You have a new message
    There’s a new message for you, messages contain information about your account, so it’s important to view them.
    If you’ve chosen to use a shared email address, please note that anyone who has access to your email account will be able to view your messages.
    Please check attached message for more details.
    Subject
    Date
    Account details
    Account number
    Important information about your account
    09 Feb 2015
    Lloyds Commercial
    XXXX1328
    Please note: this message is important and needs your immediate attention. Please check attached file straightaway to view it.
    Yours sincerely
    Signature image of Nicholas Williams - Consumer Digital Director
    Nicholas Williams,
    Consumer Digital Director
    Please do not reply to this email as this address is not manned and cannot receive any replies.
    Lloyds Bank plc. Registered Office: 25 Gresham Street, London EC2V 7HN. Registered in England and Wales, number 2065. Telephone: 020 7626 1500.
    Lloyds Bank plc is authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority under registration number 119278.


    9 February 2015: ImportantMessage.zip: Extracts to: ImportantMessage.scr
    Current Virus total detections: 6/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/a...is/1423485253/
    ... Behavioural information
    ___

    Fake 'Lloyds new debit' SPAM - PDF malware
    - http://myonlinesecurity.co.uk/lloyds...e-pdf-malware/
    9 Feb 2014 - "'You have received a new debit' pretending to come from Payments Admin <paymentsadmin@ lloydstsb .co .uk> with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    Monday 09 February 2014
    This is an automatically generated email by the Lloyds TSB PLC
    LloydsLink online payments Service to inform you that you have receive a
    NEW Payment.
    The details of the payment are attached.
    This e-mail (including any attachments) is private and confidential and
    may contain privileged material. If you have received this e-mail in
    error, please notify the sender and delete it (including any
    attachments) immediately. You must not copy, distribute, disclose or use
    any of the information in it or any attachments.


    9 February 2015 : details#00390702.zip: Extracts to: details.exe
    Current Virus total detections: 6/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/f...is/1423485121/
    ... Behavioural information

    Last edited by AplusWebMaster; 2015-02-09 at 17:13.
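The "spoofed icon" trick the posts above keep describing (an .exe or .scr that Explorer shows as a PDF once known extensions are hidden) can be caught at the mail gateway by checking the member name and the file header rather than the icon. The following is an added example, not code from the thread or the quoted blogs; the ZIP it builds is constructed sample data, and the extension list is an assumption.

```python
import io
import zipfile
from typing import List, Tuple

# Extensions Windows executes on double-click (assumed list; the runs in the
# thread used .exe and .scr).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}

# Leading bytes that identify the real file type regardless of its name.
MAGIC = [
    (b"MZ", "pe-executable"),
    (b"%PDF", "pdf"),
    (b"\xd0\xcf\x11\xe0", "ole2-office"),
    (b"PK\x03\x04", "zip-or-ooxml"),
]


def sniff(head: bytes) -> str:
    """Classify a file by its first bytes; 'unknown' if no signature matches."""
    for magic, kind in MAGIC:
        if head.startswith(magic):
            return kind
    return "unknown"


def final_ext(name: str) -> str:
    """Last extension of a ZIP member, lower-cased ('.exe' for 'invoice_pdf.exe')."""
    base = name.rsplit("/", 1)[-1]
    dot = base.rfind(".")
    return base[dot:].lower() if dot > 0 else ""


def explorer_display_name(name: str) -> str:
    """What Explorer shows with 'hide extensions for known file types' on:
    the last extension is dropped, so 'invoice.pdf.exe' reads as 'invoice.pdf'."""
    base = name.rsplit("/", 1)[-1]
    ext = final_ext(base)
    return base[: -len(ext)] if ext else base


def triage_zip(blob: bytes) -> List[Tuple[str, str]]:
    """Return (member name, reason) pairs for members a gateway should hold."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(8)
            ext = final_ext(info.filename)
            kind = sniff(head)
            if ext in EXECUTABLE_EXTS:
                shown = explorer_display_name(info.filename)
                findings.append((info.filename,
                                 f"executable extension {ext}; shown to the user as '{shown}'"))
            elif kind == "pe-executable":
                # PE payload hiding behind a document extension (or no extension).
                findings.append((info.filename,
                                 f"PE header but extension {ext or '(none)'}"))
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample mirroring the runs above: a .scr with a PE header,
    a file named .pdf that is really a PE, and a genuine PDF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("ImportantMessage.scr", b"MZ\x90\x00" + b"\x00" * 60)
        zf.writestr("statement.pdf", b"MZ\x90\x00" + b"\x00" * 60)
        zf.writestr("invoice.pdf", b"%PDF-1.4\n%constructed sample\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in triage_zip(build_sample_zip()):
        print(f"HOLD {name}: {reason}")
```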

  3. #3
    AplusWebMaster (Adviser Team)

    Fake Invoice SPAM, A Week in Security...

    FYI...

    Fake Magazine Invoice SPAM - PDF malware
    - http://myonlinesecurity.co.uk/essex-...e-pdf-malware/
    23 Feb 2015 - "'Essex Central Magazine Invoice' pretending to come from Essex Central Magazine <darren@ notifications .kashflow .com> with a zip attachment is another one from the current bot runs... The email looks like:
    Please see attached invoice for the upcoming issue of Essex Central
    Magazine.
    Regards,
    Accounts Dept.


    23 February 2015: invoice.zip: Extracts to: invoice_pdf.exe
    Current Virus total detections: 4/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/8...is/1424701064/

    - http://blog.mxlab.eu/2015/02/23/fake...upatre-trojan/
    Feb 23, 2014
    > https://www.virustotal.com/en/file/8...2b79/analysis/
    ___

    A Week in Security...
    - https://blog.malwarebytes.org/online...ity-feb-15-21/
    Feb 23, 2013 - "... fakeouts festooned all over YouTube, claiming to activate Windows 10:
    > https://blog.malwarebytes.org/online...s-and-surveys/
    ... rogue tweets on Twitter baiting whoever is interested in Evolve:
    > https://blog.malwarebytes.org/fraud-...ed-by-malware/
    ... a quite rare phishing campaign that targets accounts of Japanese gamers who have profiles under Square Enix:
    > https://blog.malwarebytes.org/fraud-...-video-gamers/
    ... an infection via malicious code injection on the official website of renowned British celebrity chef... the site launches exploits targeting vulnerabilities on Adobe Flash, Silverlight, and Java:
    > https://blog.malwarebytes.org/exploi...o-exploit-kit/
    ... a compromise on RedTube, a top adult entertainment site. It was injected with a rogue iframe that directs visitors to the download and execution of an Angler exploit kit variant. The said EK targets Flash and Silverlight vulnerabilities:
    > https://blog.malwarebytes.org/exploi...ts-to-malware/
    ... Malwarebytes Labs Team."

    Last edited by AplusWebMaster; 2015-02-24 at 21:43.

  4. #4
    AplusWebMaster (Adviser Team)

    Fake IRS SPAM - doc/xls malware

    FYI...

    Fake IRS SPAM - doc malware
    - http://blog.dynamoo.com/2015/03/malw...tronic-ip.html
    6 Mar 2015 - "This -fake- IRS email comes with a malicious attachment.
    From: Internal Revenue Service [refund.noreply@ irs .gov]
    Date: 6 March 2015 at 08:48
    Subject: Your 2015 Electronic IP Pin!
    Dear Member
    This is to inform you that our system has generated your new secured Electronic PIN to e-file your 2014 tax return.
    Please kindly download the microsoft file to securely review it.
    Thanks
    Internal Revenue Service ...


    ... attachment TaxReport(IP_PIN).doc ... there are usually several different versions[1]. Currently this is -undetected- by AV vendors*. This contains a malicious macro... which downloads a component from the following location:
    http ://chihoiphunumos .ru/js/bin.exe
    There are probably other download locations, but the payload will be the same. This is saved as %TEMP%\324235235.exe and has a detection rate of 1/55**. Automated analysis tools... show attempted connections to:
    92.63.87.13 (MWTV, Latvia)
    95.163.121.200 (Digital Networks CJSC aka DINETHOSTING, Russia)
    104.232.32.119 (Net3, US)
    87.236.215.103 (OneGbits, Lithuania)
    According to the Malwr report this executable drops another version of itself [VT 1/56***] and a malicious DLL [VT 2/56****].
    Recommended blocklist:
    92.63.82.0/23
    92.63.84.0/22
    92.63.88.0/24
    95.163.121.0/24
    104.232.32.119
    87.236.215.103
    "
    * https://www.virustotal.com/en/file/d...is/1425632162/

    ** https://www.virustotal.com/en/file/8...is/1425632174/

    *** https://www.virustotal.com/en/file/a...is/1425632946/

    **** https://www.virustotal.com/en/file/8...is/1425632950/

    1] http://myonlinesecurity.co.uk/intern...sheet-malware/
    6 Mar 2015
    Screenshot: http://myonlinesecurity.co.uk/wp-con...nic-IP-Pin.png
    ___

    Fake 'Invoice' SPAM – doc/xls malware
    - http://myonlinesecurity.co.uk/mick-g...sheet-malware/
    6 Mar 2015 - "'Mick George Invoice 395687 for Dudley Construction Ltd' pretending to come from Mick George Invoicing <mginv@ mickgeorge .co.uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... These emails today, so far, are all malformed and broken. Every copy that I have received appears garbled and doesn’t actually have an attachment. Some mail servers will be configured to repair the damage and deliver the email in its full glory, where it will potentially infect you. This email has what appears to be a genuine word doc or Excel XLS spreadsheet attached which is malformed and contains a macro script virus...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...ge-invoice.png

    ... the malware payload will be identical to today’s other malicious office document run Internal Revenue Service Your 2015 Electronic IP Pin! – word doc or excel xls spreadsheet malware*. We do notice that the bad guys are using 2 or 3 subjects and email templates but using the same malware that has been -renamed- ...
    Edit: I have managed to extract the malware payload from a quarantined copy on the server and can confirm that it is the -same- malware payload as today’s other run although renamed as Invoice395687.DOC . So far I am only seeing 1 version of this malware, but previous campaigns over the last few weeks have delivered 2 or 3 different versions, some with word doc attachments and some with Excel xls attachments..."
    * http://myonlinesecurity.co.uk/intern...sheet-malware/

    - http://blog.dynamoo.com/2015/03/malw...ce-395687.html
    6 Mar 2015 - "This -malformed- spam is meant to have a malicious attachment... This malware and the payload it drops is identical to the one found in this -fake- IRS spam run* earlier today..."
    * http://blog.dynamoo.com/2015/03/malw...tronic-ip.html
    ___

    Fake Bankline SPAM - malware
    - http://blog.dynamoo.com/2015/03/malw...eived-new.html
    6 Mar 2015 - "This fake banking spam leads to malware.
    From: Bankline [secure.message@ business .natwest .com]
    Date: 6 March 2015 at 10:36
    Subject: You have received a new secure message from BankLine
    You have received a secure message.
    Your Documents have been uploaded to Cubby cloud storage.
    Cubby cloud storage is a cloud data service powered by LogMeIn, Inc.
    Read your secure message by following the link bellow: ...
    <redacted> ...
    You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it.
    If you have concerns about the validity of this message, please contact the sender directly. For questions please contact the Bankline Bank Secure Email Help Desk at 0131 556 8719.
    First time users - will need to register after opening the attachment...


    This downloads a ZIP file from cubbyusercontent .com which contains a malicious executable Business Secure Message.exe which has a VirusTotal detection rate of just 1/57*. Automated analysis tools... show attempted connections to the following URLs:
    http ://all-about-weightloss .org/wp-includes/images/vikun.png
    http ://bestcoveragefoundation .com/wp-includes/images/vikun.png
    http ://190.111.9.129 :14248/0603no11/HOME/0/51-SP3/0/ELHBEDIBEHGBEHK
    http ://190.111.9.129 :14249/0603no11/HOME/41/7/4/
    It also appears that there is an attempted connection to 212.56.214.203.
    Of all of these IPs, 190.111.9.129 (Navega.com, Guatemala) is the most critical to -block-.
    It is also a characteristic of this malware (Upatre/Dyre) that it connects to checkip.dyndns .org to work out the IP address of the infected machine, it is worth checking for traffic to this domain. The Malwr report shows several dropped files, including fyuTTs27.exe which has a VirusTotal detection rate of 4/57**."
    * https://www.virustotal.com/en/file/d...is/1425640773/
    ... Behavioural information

    ** https://www.virustotal.com/en/file/8...is/1425641282/
    ... Behavioural information
    UDP communications
    217.10.68.152: https://www.virustotal.com/en/ip-add...2/information/
    217.116.122.136: https://www.virustotal.com/en/ip-add...6/information/
    ___

    Fake HSBC SPAM – PDF malware
    - http://myonlinesecurity.co.uk/hsbc-p...e-pdf-malware/
    6 Mar 2015 - "'HSBC Payment' pretending to come from HSBC <no-replay@ hsbc .co.uk> with a zip attachment is another one from the current bot runs...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...BC-Payment.png

    6 March 2015: HSBC-2739.zip: Extracts to: HSBC-2739.exe
    Current Virus total detections: 0/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/4...is/1425636158/
    ... Behavioural information
    ___

    Fake Gateway SPAM - PDF malware
    - http://myonlinesecurity.co.uk/your-o...e-pdf-malware/
    6 Mar 2015 - "'Your online Gateway .gov .uk Submission' pretending to come from Gateway .gov.uk <ruyp@ bmtrgroup .com> with a link to download a zip attachment is another one from the current bot runs... The email looks like:
    Your online Gateway .gov.uk Submission
    Government Gateway logo
    Electronic Submission Gateway
    Thank you for your submission for the Government Gateway.
    The Government Gateway is the UK’s centralized registration service for e-Government services.
    To view/download your form to the Government Gateway please visit http ://www.gateway .gov.uk/
    This is an automatically generated email. Please do not reply as the email address is not
    monitored for received mail.
    gov .uk - the best place to find government services and information - Opens in new window
    The best place to find government services and information


    The link in the email leads to... the same malware as today’s run of 'You have received a new secure message from BankLine' -fake- PDF malware*.
    * http://myonlinesecurity.co.uk/receiv...e-pdf-malware/
    This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    ___

    Cryptowall, again!
    - https://isc.sans.edu/diary.html?storyid=19427
    Last Updated: 2015-03-06 - "A new variant of Cryptowall (An advanced version of cryptolocker) is now using a malicious .chm file attachment to infect systems. According to net-security.org*, Bitdefender labs has found a -spam- wave that spread a malicious .chm attachments. CHM is the compiled version of html that support technologies such as JavaScript which can -redirect- a user to an external link. “Once the content of the .chm archive is accessed, the malicious code downloads from this location http :// *********/putty.exe, saves itself as %temp%\natmasla2.exe and executes the malware. A command prompt window opens during the process”..."
    * http://net-security.org/malware_news.php?id=2981
    Mar 5, 2015
    > http://www.net-security.org/images/a...owall-calc.jpg

    Last edited by AplusWebMaster; 2015-03-06 at 23:56.
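The Bankline post above lists the checkip.dyndns.org lookup and a handful of addresses worth blocking; the following added example (not code from the thread or the quoted blogs) runs those indicators over constructed proxy-log lines. The log format, the client addresses and 92.63.85.4 are assumptions; the blocklist entries and the other destinations are the ones quoted in the thread.

```python
import ipaddress
import re
from typing import List, Tuple

# Blocklist entries quoted from the dynamoo posts above (6 Mar 2015), plus the
# Upatre callback address from the Bankline run.
RECOMMENDED_BLOCKLIST = [
    "92.63.82.0/23", "92.63.84.0/22", "92.63.88.0/24", "95.163.121.0/24",
    "104.232.32.119", "87.236.215.103", "190.111.9.129",
]

# Benign service the Upatre/Dyre sample queries to learn its public IP;
# the post suggests watching for it as an infection indicator.
IP_CHECK_DOMAINS = {"checkip.dyndns.org"}

# Callback shape of the two URLs quoted in the thread: high port, "/HOME/" in
# the path. Heuristic only, assumed from those two samples.
UPATRE_PATH = re.compile(r"/HOME/")

# Assumed proxy-log layout: timestamp client host dest_ip:port path
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<host>\S+) "
    r"(?P<ip>\d+\.\d+\.\d+\.\d+):(?P<port>\d+) (?P<path>\S+)$"
)


def compile_blocklist(entries: List[str]) -> List[ipaddress.IPv4Network]:
    """Turn CIDRs and bare addresses into networks (bare addresses become /32)."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def scan_proxy_log(lines: List[str],
                   networks: List[ipaddress.IPv4Network]) -> List[Tuple[str, str, str]]:
    """Return (client, destination ip, reasons) for every line matching an indicator."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed or blank line
        ip = ipaddress.ip_address(m["ip"])
        port = int(m["port"])
        reasons = []
        if m["host"].lower() in IP_CHECK_DOMAINS:
            reasons.append("external IP lookup (checkip.dyndns.org)")
        if any(ip in net for net in networks):
            reasons.append(f"destination {ip} in recommended blocklist")
        if port not in (80, 443) and UPATRE_PATH.search(m["path"]):
            reasons.append(f"Upatre-style callback on port {port}")
        if reasons:
            alerts.append((m["client"], str(ip), "; ".join(reasons)))
    return alerts


# Constructed log lines. Destinations 216.146.43.70 and 190.111.9.129 are from
# the thread; 92.63.85.4 is an assumed address inside 92.63.84.0/22; the rest
# are documentation ranges.
SAMPLE_LOG = """\
2015-03-06T10:41:02Z 10.0.0.12 www.example.com 198.51.100.7:443 /
2015-03-06T10:41:09Z 10.0.0.12 checkip.dyndns.org 216.146.43.70:80 /
2015-03-06T10:41:11Z 10.0.0.12 190.111.9.129 190.111.9.129:14248 /0603no11/HOME/0/51-SP3/0/ELHBEDIBEHGBEHK
2015-03-06T10:42:30Z 10.0.0.19 updates.example.net 92.63.85.4:80 /
2015-03-06T10:43:00Z 10.0.0.19 www.example.org 203.0.113.9:80 /HOME/index
""".splitlines()


if __name__ == "__main__":
    for client, dest, why in scan_proxy_log(SAMPLE_LOG, compile_blocklist(RECOMMENDED_BLOCKLIST)):
        print(f"{client} -> {dest}: {why}")
```

The last sample line has "/HOME/" in the path but goes to port 80 and is not alerted, which is the port condition doing its job.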

  5. #5
    AplusWebMaster (Adviser Team)

    Fake Fax, 'Order' SPAM – doc/xls malware

    FYI...

    Fake Fax SPAM – doc/xls malware
    - http://myonlinesecurity.co.uk/fax-fr...sheet-malware/
    19 Mar 2015 - "'Fax from +4921154767199 Pages: 1' pretending to come from faxtastic! <fax@ faxtastic .co.uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
    You have received a new fax. To view it, please open the attachment.
    Did you know we now send? Visit www .faxtastic .co.uk for more details.
    Regards,
    faxtastic Support Team


    19 March 2015 : 2015031714240625332.xls - Current Virus total detections: 2/57* | 2/57** at least one of these malicious macros is contacting meostore .net/js/bin.exe to download the dridex banking Trojan. (VirusTotal***). There will be other download locations... So far I am only seeing 2 versions of this malware... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/c...is/1426754021/

    ** https://www.virustotal.com/en/file/9...is/1426753958/

    *** https://www.virustotal.com/en/file/0...is/1426753820/
    ... Behavioural information
    TCP connections
    95.163.121.200: https://www.virustotal.com/en/ip-add...0/information/
    ___

    Fake 'Order' SPAM – doc/xls malware
    - http://myonlinesecurity.co.uk/marflo...sheet-malware/
    19 Mar 2015 - "'Marflow Your Sales Order' pretending to come from sales@ marflow .co.uk with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
    Your order acknowledgment is attached.
    Please check carefully and advise us of any issues.
    Best regards
    Marflow


    19 March 2015 : 611866.xls - Current Virus total detections: 2/57* | 2/57**
    Although these are -different- macros to the earlier XLS spam macro run today, they appear to be contacting the -same- sites and downloading the same dridex malware Fax from +4921154767199 Pages: 1 – word doc or excel xls spreadsheet malware:
    > http://myonlinesecurity.co.uk/fax-fr...sheet-malware/
    The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/a...is/1426760344/

    ** https://www.virustotal.com/en/file/8...is/1426760388/

    - http://blog.dynamoo.com/2015/03/malw...couk-your.html
    19 March 2015
    "... Recommended blocklist:
    37.139.47.0/24
    5.100.249.215
    195.162.107.7
    131.111.37.221
    198.245.70.182
    210.205.74.43
    46.228.193.201
    "
    ___

    Fake Solicitors Debt SPAM - malicious attachment
    - http://blog.dynamoo.com/2015/03/malw...tors-debt.html
    19 Mar 2015 - "This spam has a malicious attachment.
    Date: 19 March 2015 at 12:52
    Subject: Aspiring Solicitors Debt Collection
    Aspiring Solicitors
    Ref : 195404544
    Date : 02.10.2014
    Dear Sir, Madam
    Re: Our Client Bank of Scotland PLC
    Account Number:77666612
    Balance: 2,345.00
    We are instructed by Bank of Scotland PLC in relation to the above matter.
    You are required to pay the balance of GBP 2,345.00 in full within 7(seven) days from the date of this email to avoid Country Court proceedings being issued against you. Once proceedings have been issued, you will be liable for court fees and solicitors costs detailed below.
    Court Fees GBP 245.00
    Solicitors Costs GBP 750.00
    Cheques or Postal Orders should be made payable to Bank of Scotland PLC and sent to the address in attachment below quoting the above account number.
    We are instructed by our Client that they can accept payment by either Debit or Credit Card.If you wish to make a payment in this wa, then please contact us with your Card details. We will then pass these details on to our Client in order that they may process your agreed payment. Kindly note that any payment made will be shown on your Bank and/or Credit Card Statement as being made to Bank of Scotland PLC
    If you have any queries regarding this matter or have a genuine reason for non payment, you should contact us within 7 days from the date of this email to avoid legal proceedings...


    Attached is a file with a random numerical name (e.g. 802186031.doc) which is in fact a malicious XML file that appears to drop the Dridex banking trojan. Indications are that this can run even with macros disabled. Each attachment has a unique MD5..."

    - http://myonlinesecurity.co.uk/aspiri...sheet-malware/
    19 Mar 2015
    Screenshot: http://myonlinesecurity.co.uk/wp-con...Collection.png
    > https://www.virustotal.com/en/file/0...is/1426773553/
    0 / 57
    ___

    More Fake Invoice SPAM – doc/xls malware
    - http://myonlinesecurity.co.uk/invoic...sheet-malware/
    19 Mar 2015 - "A whole series of emails with multiple subjects all having random numbers including:
    Invoice ID:77f5451 in attachment
    Your February Invoice ID:58a0834
    These all come from multiple random addresses with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The emails all have a completely-empty body.

    19 March 2015 : 58a0834.doc - Current Virus total detections: 0/57*
    These look very similar to Aspiring Solicitors Debt Collection – word doc or excel xls spreadsheet malware:
    > http://myonlinesecurity.co.uk/aspiri...sheet-malware/
    The same warning must apply and opening the malicious doc will infect you, even with macros disabled... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/0...is/1426778947/
    0 / 57

    - http://blog.dynamoo.com/2015/03/malw...654321-in.html
    19 Mar 2015 - "... contains an embedded OLE object that leads to a malicious VBA macro. The payload is exactly the -same- as the one used in this attack*..."
    * http://blog.dynamoo.com/2015/03/malw...tors-debt.html
    ___

    BoA Phish seeks personal data ...
    - https://blog.malwarebytes.org/fraud-...-data-bonanza/
    Mar 19, 2015 - "If you’re a Bank of America customer you’ll want to avoid this phishing URL, located at 74.208.43.206 /html/E-Alert(Dot)html:
    > https://blog.malwarebytes.org/wp-con.../03/boaph1.jpg
    The site says:
    "We need you to verify your account information for your online banking to be re-activated"
    ...and asks visitors to “click-the-download-button to receive your verification file”, then open it in their browser. As it turns out, “downloading the file” means “visit another webpage”:
    Alertfb .pw /site/IrregularActivityFile(dot)html
    The above site takes those eager to hand over personal information to the cleaners – there’s a wide variety of data harvested including Online ID and passcode, name, DOB, social security number, drivers license number, email address and password. That’s not all – there’s also 3 security questions and payment information / address to complete the carefully laid out steps... That’s a lot of info to hand over to scammers, and anybody who thinks they may have been caught by something similar to the above should contact their bank immediately. Some of the images on the website are apparently broken and none of the URLs look remotely like legitimate BoA URLs so that will hopefully deter a few would be banking disasters. While in the process of drafting this blog we’ve noticed the second site which asks for the bulk of the banking customer information is being -flagged- by Chrome for phishing, so hopefully that will help to reduce the potential victim pool still further. We’ll update the post as we test with different browsers, but for now watch what you click and be very cautious should you see either of the two URLs pop up in an unsolicited email…"
    74.208.43.206: https://www.virustotal.com/en/ip-add...6/information/

    104.219.184.113: https://www.virustotal.com/en/ip-add...3/information/

    Last edited by AplusWebMaster; 2015-03-20 at 01:36.

  6. #6
    AplusWebMaster (Adviser Team)

    Fake 'Tax Refund', 'Delivery Note' SPAM, VBS script attachments, More crypto-ransom

    FYI...

    Fake 'Tax Refund' SPAM - malware
    - http://blog.dynamoo.com/2015/04/malw...on-office.html
    1 Apr 2015 - "This fake tax notification spam leads to malware hosted on Cubby.
    From: Australian Taxation Office [noreply@ ato .gov .au]
    Date: 1 April 2015 at 00:51
    Subject: Australian Taxation Office - Refund Notification
    IMPORTANT NOTIFICATION
    Australian Taxation Office - 31/03/2015
    After the last calculation of your fiscal activity we have determined that you are eligible to receive a refund of 2307.15 AUD.
    To view/download your tax notification please click here or follow the link below :
    https ://www .ato .gov .au/AZItems.aspx?id=3673&category=Tax+legislation+and+regulations&sorttype=azindexdisplay&Disp=True?NotificationCode=notification_0354003
    Laurence Thayer, Tax Refund Department Australian Taxation Office


    The names and the numbers -change- from email to email. Despite the displayed URL in the message, the link actually goes to cubbyusercontent .com (e.g. https ://www.cubbyusercontent .com/pl/RYR5601763.zip/_33cdead4ebfe45179a32ee175b49c399) but these download locations don't last very long as there is a quota on each download. In this case, the downloaded file is RYR5601763.zip which contains a malicious executable RYR5601763.scr which has a VirusTotal detection rate of 20/57*. Automated analysis tools... show that it downloads components from:
    ebuyswap .co.uk/mandoc/muz3.rtf
    eastmountinc .com/mandoc/muz3.rtf
    It then attempts to phone home to:
    141.105.141.87:13819/3103us13/HOME/41/7/4/
    That IP is allocated to Makiyivka Online Technologies Ltd in Ukraine. In addition, it looks up the IP address of the computer at checkip .dyndns .org. Although this is benign, monitoring for it can be a good indicator of infection. These URL requests are typical of the Upatre downloader. According to the Malwr report it drops another binary jydemnr66.exe with a detection rate of 11/55** plus a benign PDF file entitled "War by remote control" which acts as some sort of cover for the infection process.
    Recommended blocklist:
    141.105.140.0/22
    ebuyswap .co.uk
    eastmountinc .com
    "
    * https://www.virustotal.com/en/file/7...is/1427874847/

    ** https://www.virustotal.com/en/file/0...is/1427876163/
    ___

    Fake 'Delivery Note' SPAM - doc/xls malware
    - http://myonlinesecurity.co.uk/cih-de...sheet-malware/
    1 Apr 2015 - "'CIH Delivery Note 0051037484' pretending to come from Batchuser BATCHUSER <ecommsupport@ cihgroup .com> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:

    This email and the information it contains are private, may be confidential and are for the intended recipient only. If you received this email in error please notify the sender immediately, confirm that it has been deleted from your system and that all copies have been destroyed. You should not copy it for any purpose or disclose its contents to any other person.
    Internet communications are not secure and therefore CIH does not accept legal responsibility for the contents of this message.
    We use reasonable endeavours to virus scan all outgoing emails but no warranty is given that this email and any attachments are virus free. You should undertake your own virus checking. We reserve the right to monitor email communications through our networks.
    Combined Independents (Holdings) Ltd is registered in England No 767658 and has its registered offices at
    Euro House, Joule Road, Andover, SP10 3GD


    1 April 2015 :CIH Delivery Note 0051037484.doc
    Current Virus total detections: 0/56* | 0/56** | 0/56*** | 0/56****
    So far I have seen 4 versions of this malware... some with word doc attachments and some with Excel xls attachments... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/8...is/1427875359/

    ** https://www.virustotal.com/en/file/8...is/1427875359/

    *** https://www.virustotal.com/en/file/1...is/1427875320/

    **** https://www.virustotal.com/en/file/6...is/1427875511/

    - http://blog.dynamoo.com/2015/04/malw...batchuser.html
    1 Apr 2015 - "The CIH Group is the name behind the Euronics brand. They are not sending out this spam, instead it is a simple forgery with a malicious attachment...
    Recommended blocklist:
    91.242.163.70
    37.139.47.81
    72.167.62.27
    212.227.89.182
    46.228.193.201
    46.101.49.125
    198.245.70.182
    95.211.184.249
    "
    ___

    Fake 'Sales_Order' SPAM - doc/xls malware
    - http://myonlinesecurity.co.uk/sales_...sheet-malware/
    1 Apr 2015 - "'Sales_Order_6100152' pretending to come from Hazel Gough <hazel.gough@ kosnic .com> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...er_6100152.png

    1 April 2015 : Sales_Order_6100152.doc ... same malware although renamed as today’s CIH Delivery Note 0051037484 – word doc or excel xls spreadsheet malware*... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * http://myonlinesecurity.co.uk/cih-de...sheet-malware/
    ___

    Fake 'Unpaid Invoice' SPAM - vbs malware
    - http://myonlinesecurity.co.uk/unpaid...s-vbs-malware/
    1 Apr 2015 - "'Unpaid Invoice [ID:99846] or This is your Remittance Advice [ID:98943]' (all random ID numbers) coming from -random- email addresses, persons and companies with a zip attachment is another one from the current bot runs... The attachments on these are so tiny at less than 1kb in size, that users will be easily fooled into thinking that they are harmless. The zips contain an encoded vbs script... The email body is totally -blank- ...

    1 April 2015: Random Attachment zip name: Extracts to: 83JHE76328475243920_1a.doc.vbs
    Current Virus total detections: 0/58* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/9...is/1427886418/

    - http://blog.dynamoo.com/2015/04/malw...ice-09876.html
    1 Apr 2015 - "... has -no- body text and comes from random senders... It has a ZIP attachment which contains... a malicious VBS script... very similar to the VBA macro used in this spam run yesterday:
    > http://blog.dynamoo.com/2015/03/malw...ur-latest.html
    This binary has a detection rate of 4/55*..."
    * https://www.virustotal.com/en/file/c...is/1427886150/
    ... Behavioural information
    TCP connections
    188.120.225.17: https://www.virustotal.com/en/ip-add...7/information/
    UDP communications
    191.233.81.105: https://www.virustotal.com/en/ip-add...5/information/
    ___

    Fake 'Remittance' SPAM – doc/xls malware
    - http://myonlinesecurity.co.uk/your-r...sheet-malware/
    1 Apr 2015 - "'Your Remittance Advice NB PRIVATE EQUITY PARTNERS LTD' (the company name is totally random but matches the name in the body) coming from random email addresses with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The attachment name matches the advice in the body and looks like:

    Dear sir or Madam,
    Please find attached a remittance advice (ZL147QNXM.doc) for your information.
    Should you need any further information, please do not hesitate to contact us.
    Best regards
    NB PRIVATE EQUITY PARTNERS LTD


    1 April 2015 : ZL147QNXM.doc - Current Virus total detections: 1/57*
    The basic rule is NEVER open any attachment to an email, unless you are expecting it... Never just blindly click on the file in your email..."
    * https://www.virustotal.com/en/file/5...is/1427895461/

    - http://blog.dynamoo.com/2015/04/malw...ce-advice.html
    1 Apr 2015 - "... Recommended blocklist:
    188.120.225.17
    45.55.154.235
    188.126.72.179
    1.164.114.195
    46.19.143.151
    79.149.162.117
    5.135.28.104/29
    31.41.45.175
    91.242.163.78
    "
    ___

    Fake 'o/s invoices' SPAM – PDF malware
    - http://myonlinesecurity.co.uk/van-sw...e-pdf-malware/
    1 Apr 2015 - "'Van Sweringen o/s invoices' pretending to come from Lisa Anderson <landerson@ homewatchcaregivers .com> with a zip attachment is another one from the current bot runs... The email looks like:
    Outstanding invoices attached!
    Thank you!
    Lisa
    Lisa J. Anderson/Office Manager
    Homewatch CareGivers of
    23811 Chagrin Blvd. Suite 114
    Beachwood, OH 44122 ...


    1 April 2015: 6100_NULGE.zip : Extracts to: en_en.exe
    Current Virus total detections: 9/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/0...is/1427902354/
    ... Behavioural information
    TCP connections
    216.146.38.70: https://www.virustotal.com/en/ip-add...0/information/
    141.105.141.87: https://www.virustotal.com/en/ip-add...7/information/ <<<
    94.23.6.64: https://www.virustotal.com/en/ip-add...4/information/
    UDP communications
    191.233.81.105: https://www.virustotal.com/en/ip-add...5/information/ <<<
    ___

    Xtube Exploit leads to Cryptowall Malware
    - https://blog.malwarebytes.org/intell...owall-malware/
    31 Mar 2015 - "We wrote about the adult site xtube .com being compromised -redirecting- visitors to a landing page for the Neutrino Exploit kit last week*... The malware that dropped from the exploit was found here** and was called xtube.exe... All user files are encrypted using “RSA-2048″ encryption. In order to pay the -ransom- victims are instructed to visit paytoc4gtpn5cz12.torconnectpay .com. A separate address is also provided over the tor network:
    > https://blog.malwarebytes.org/wp-con...LP_DECRYPT.png
    ... 'always good to remember that highly ranked websites (including adult content) are a prime target for hackers due to the traffic they get..."
    * https://blog.malwarebytes.org/exploi...a-neutrino-ek/

    ** https://www.virustotal.com/en/file/c...1357/analysis/
    ... Behavioural information
    TCP connections
    188.165.164.184: https://www.virustotal.com/en/ip-add...4/information/
    93.185.106.78: https://www.virustotal.com/en/ip-add...8/information/

    - http://blog.trendmicro.com/trendlabs...s-for-1q-2015/
    April 1, 2015 - "Since the start of 2015, we have spotted several variants of crypto-ransomware plague the threat landscape. In January, the Australia-New Zealand region was beset by variants of TorrentLocker. But we soon discovered that TorrentLocker infections were -not- limited to that region; Turkey, Italy, and France were also affected by this malware. We soon came across an “improved” version of CTB-Locker Ransomware, which now offered a “free decryption” service, an extended deadline to decrypt the files, and an option to change the language of the ransom message. We also saw attacks that combined crypto-ransomware with information-stealing malware. These latest crypto-ransomware variants bring their own tactic to ensure their victims pay the price..."
    (More detail at the trendmicro URL above.)

    Last edited by AplusWebMaster; 2015-04-01 at 20:52.
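The quoted Dynamoo write-up above gives a CIDR blocklist, two download domains and a note that the benign checkip.dyndns.org lookup is a good infection indicator. The following is an added example (not code from the forum post or from the blogs it quotes) showing how a defender would turn those indicators, kept in the author's space-defanged form, into a check over proxy logs. The log format and the sample log lines are constructed for illustration and are not from the page.

```python
"""Indicator matching for the Upatre spam run quoted in post #6.

This is an added example, not code from the forum post or from the blogs it
quotes. The indicators are the ones the post lists (kept in the author's
space-defanged form); the log lines and the log format are constructed here
for illustration and are not from the page.
"""
import ipaddress
import re

# Blocklist as printed in the post ("Recommended blocklist"), still defanged.
BLOCKLIST_RAW = ["141.105.140.0/22", "ebuyswap .co.uk", "eastmountinc .com"]

# Benign lookup that the post flags as a useful infection indicator when seen
# alongside the other traffic; reported separately so it never causes a block.
WEAK_INDICATORS = {"checkip.dyndns.org"}

# Constructed proxy-log shape: "<timestamp> <client> -> <dest>[:<port>] <request>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+->\s+(?P<dest>[^:\s]+)(?::(?P<port>\d+))?\s+(?P<req>.*)$"
)


def refang(indicator: str) -> str:
    """Undo the 'example .com' / 'example[.]com' defanging used in the post."""
    return indicator.replace(" .", ".").replace("[.]", ".").strip()


def build_blocklist(raw):
    """Split indicators into IP networks (single IPs become /32) and domains."""
    nets, domains = [], set()
    for item in raw:
        item = refang(item)
        try:
            nets.append(ipaddress.ip_network(item, strict=False))
        except ValueError:
            domains.add(item.lower())
    return nets, domains


def classify(dest, nets, domains):
    """Return a verdict for one destination, or None if it matches nothing."""
    dest = dest.lower()
    try:
        addr = ipaddress.ip_address(dest)
    except ValueError:
        # Hostname: exact match or a subdomain of a listed domain.
        if dest in domains or any(dest.endswith("." + d) for d in domains):
            return "blocklist-domain"
        if dest in WEAK_INDICATORS:
            return "weak-indicator"
        return None
    if any(addr in net for net in nets):
        return "blocklist-ip"
    return None


def scan(lines, raw=BLOCKLIST_RAW):
    """Run every log line through the blocklist; return (client, dest, verdict) hits."""
    nets, domains = build_blocklist(raw)
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if m is None:
            continue  # malformed line; a real pipeline would count these
        verdict = classify(m["dest"], nets, domains)
        if verdict:
            hits.append((m["client"], m["dest"], verdict))
    return hits


# Constructed sample log (not from the page); the paths mirror those the post quotes.
SAMPLE_LOG = [
    "2015-04-01T10:02:01 10.0.0.12 -> ebuyswap.co.uk:80 GET /mandoc/muz3.rtf",
    "2015-04-01T10:02:05 10.0.0.12 -> checkip.dyndns.org:80 GET /",
    "2015-04-01T10:02:13 10.0.0.12 -> 141.105.141.87:13819 GET /3103us13/HOME/41/7/4/",
    "2015-04-01T10:03:40 10.0.0.33 -> www.example.com:443 CONNECT",
    "2015-04-01T10:04:02 10.0.0.33 -> 141.105.143.9:80 GET /",
]

if __name__ == "__main__":
    for client, dest, verdict in scan(SAMPLE_LOG):
        print(f"{client:<12} {dest:<22} {verdict}")
```

Two design points: the blocklist is matched as networks rather than strings, so the /22 the post recommends catches the phone-home address 141.105.141.87 and any neighbour in that range, while the checkip.dyndns.org lookup is surfaced as a weak indicator for correlation rather than blocked, exactly as the quoted text suggests.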

  7. #7 AplusWebMaster (Adviser Team) | Join Date: Oct 2005 | Location: USA | Posts: 6,881

    Fake 'Invoice', 'Account reconcilation' SPAM, CoinVault de-cryption

    FYI...

    Fake 'Invoice' SPAM - malicious attachment
    - http://blog.dynamoo.com/2015/04/malw...en-varker.html
    15 Apr 2015 - "This fake invoice has a malicious attachment:

    From: Kairen Varker [mailto:kvarker@ notifications .kashflow .com] On Behalf Of Kairen Varker
    Sent: Tuesday, April 14, 2015 9:26 AM
    Subject: Invoice from
    I have made the changes need and the site is now mobile ready . Invoice is attached


    In this case the attachment is called Invoice-83230.xls which is currently undetected* by AV vendors. It contains this malicious macro... which downloads a component from the following location (although there are probably more than this):
    http ://925balibeads .com/94/053.exe
    This is saved as %TEMP%\stepk1.5a.exe and has a VirusTotal detection rate of 3/57**. Automated analysis tools... show the malware phoning home to:
    78.24.218.186 (TheFirst-RU, Russia)
    176.67.160.187 (UK2, UK)
    87.236.215.151 (OneGbits, Lithuania)
    154.69.104.137 (Sandton Telkom, South Africa)
    107.191.46.222 (Vultr Holdings / Choopa LLC, Canada)
    94.23.171.198 (OVH, Czech Republic)
    74.119.194.18 (RuWeb Corp, US)
    37.140.199.100 (Reg.Ru Hosting, Russia)
    89.28.83.228 (StarNet SRL, Moldova)
    The Malwr report shows that among other files it drops a malicious Dridex DLL with a detection rate of 2/57***.
    Recommended blocklist:
    78.24.218.186
    184.25.56.188
    176.67.160.187
    87.236.215.151
    154.69.104.137
    107.191.46.222
    94.23.171.198
    74.119.194.18
    37.140.199.100
    89.28.83.228

    MD5s:
    e46dcc4a49547b547f357a948337b929
    1748fc9c5c0587373bf15a6bda380543
    1e010195d2e5f6096095078482624995 "
    * https://www.virustotal.com/en/file/a...is/1428998998/

    ** https://www.virustotal.com/en/file/6...is/1428998395/

    *** https://www.virustotal.com/en/file/8...is/1428999812/

    - http://myonlinesecurity.co.uk/invoic...sheet-malware/
    14 Apr 2015
    > https://www.virustotal.com/en/file/b...is/1428997086/
    ___

    Fake 'Account reconcilation' SPAM - doc/xls malware
    - http://myonlinesecurity.co.uk/accoun...sheet-malware/
    14 Apr 2015 - "'Account reconcilation statement' from [random company] [random characters] – coming from random names and email addresses with a zip file attachment that extracts to a malicious word doc and an image of a sales chart is another one from the current bot runs...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...m_version1.png

    ... Where you can see the name of the alleged sender matches the name in the body of the email and the random characters in the subject match the attachment zip name. Once you extract the content of the zip you get a folder on the computer that is simply named as a number 2 or 8 or 9 etc. Opening the folder gives you a malicious word doc and an image of a sales chart like one of these, that are intended to help convince you of the genuine nature of the word doc and entice you to open it and get infected:
    > http://myonlinesecurity.co.uk/wp-con...ion-images.jpg
    ...
    > http://myonlinesecurity.co.uk/wp-con...sual-graph.jpg
    ...
    > http://myonlinesecurity.co.uk/wp-con.../sales-cmp.jpg
    ... 4 April 2015 : documentation.doc / vs74_stats.doc / cmp static.doc
    Current Virus total detections: 0/56* | 0/56** | 0/56*** . So far I have examined 3 different versions of this malware... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/9...is/1429005163/

    ** https://www.virustotal.com/en/file/d...is/1429005436/

    *** https://www.virustotal.com/en/file/d...is/1429005436/
    ___

    Fake 'HM Revenue' SPAM - doc/xls malware
    - http://myonlinesecurity.co.uk/cis-on...e-pdf-malware/
    14 Apr 2015 - "'CIS Online submission received by HM Revenue and Customs' pretending to come from helpdesk@ ir-efile .gov .uk with a zip attachment is another one from the current bot runs...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...nd-Customs.png

    14 April 2015: Returns_Report.zip: Extracts to: Returns_Report.exe
    Current Virus total detections: 5/57* . This 'CIS Online submission received by HM Revenue and Customs' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected...."
    * https://www.virustotal.com/en/file/8...is/1429017381/
    ___

    Fake 'Credit Release' SPAM - PDF malware
    - http://myonlinesecurity.co.uk/re-cre...e-pdf-malware/
    14 Apr 2015 - "'RE: Credit Release Request' pretending to come from Bank <tim.redmon@ hsbc .com> ( random names @ hsbc .com) with a zip attachment is another one from the current bot runs...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...se-Request.png

    14 April 2015: banP_.zip: Extracts to: banк.exe
    Current Virus total detections: 6/57* . This RE: Credit Release Request is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/1...is/1429017978/
    ... Behavioural information
    TCP connections
    83.219.139.124: https://www.virustotal.com/en/ip-add...4/information/
    90.84.60.97: https://www.virustotal.com/en/ip-add...7/information/
    5.141.22.43: https://www.virustotal.com/en/ip-add...3/information/
    ___

    Fake 'Auto Invoice' SPAM - doc/xls malware
    - http://myonlinesecurity.co.uk/invoic...sheet-malware/
    14 Apr 2015 - "'INVOICE BI653133' pretending to come from websales(random number)@autonetplus .co .uk with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:

    Account: 1164
    From: DORSET AUTO SPARES BLANDFORD
    The following are attached to this email:
    IBI653133.XLS


    14 April 2015 : IBI653133.XLS
    Current Virus total detections: 0/56* ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/e...is/1429017301/
    ___

    CoinVault ransomware: Retrieve data without paying the criminals
    - http://net-security.org/malware_news.php?id=3017
    14.04.2015 - "Victims of the CoinVault ransomware have a chance to retrieve their data -without- having to pay the criminals, thanks to a repository of decryption keys and a -decryption- application made available online by Kaspersky Lab and the National High Tech Crime Unit (NHTCU) of the Netherlands’ police:
    > https://noransom.kaspersky.com/
    CoinVault ransomware has been around for a while, encrypting victims’ files and demanding Bitcoins to unlock them. In order to help victims recover from an attack, the NHTCU and the Netherlands’ National Prosecutors Office obtained a database from a CoinVault command & control server. This server contained Initialization Vectors (IVs), Keys and private Bitcoin wallets and helped to create the special repository of decryption keys. As the investigation is ongoing, new keys will be added when available. “We have uploaded a huge number of keys onto the site. If we do not currently have records for a particular Bitcoin wallet, you can check again in the near future, because together with the National High Tech Crime Unit of the Netherlands’ police we are continuously updating the information,” - says Jornt van der Wiel, Security Researcher at Kaspersky Lab. CoinVault has infected more than 1,000 Windows-based machines in over 20 countries, with the majority of victims in the Netherlands, Germany, the USA, France and the UK. Victims have also been registered in Belgium, Austria, Switzerland, Norway, Sweden, Luxemburg, Denmark, Slovakia, Slovenia, Spain, Italy, Hungary, Ireland, Croatia, Russia, Canada, Israel, the United Arab Emirates, China, Indonesia, Thailand, South Africa, Australia, New Zealand, Panama, the Dominican Republic, and Mexico."
    ___

    Fake 'USPS' SPAM - PDF malware
    - http://myonlinesecurity.co.uk/usps-f...e-pdf-malware/
    14 Apr 2015 - "'USPS – Fail to deliver your package' pretending to come from USPS <no-reply@ usps .gov> with a zip attachment is another one from the current bot runs...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...ur-package.png

    14 April 2015: USPS2335999.zip: Extracts to: USPS04142015.scr
    Current Virus total detections: 7/55* . This 'USPS – Fail to deliver your package' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/8...is/1429034017/
    ... Behavioural information
    TCP connections
    83.219.139.124: https://www.virustotal.com/en/ip-add...4/information/
    90.84.60.64: https://www.virustotal.com/en/ip-add...4/information/
    UDP communications
    104.41.150.68: https://www.virustotal.com/en/ip-add...8/information/

    Last edited by AplusWebMaster; 2015-04-14 at 21:37.
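Several of the write-ups quoted in the two posts above describe the same attachment trick: an executable (.scr, .exe, .vbs) whose name or icon is made to look like a document, with the myonlinesecurity author pointing at the "show known file extensions" setting as the defence, and one sample (banк.exe) using a Cyrillic letter in its name. The following is an added example (not code from the forum post or from the blogs it quotes) of a mail-gateway style name triage that flags exactly those patterns. The attachment names are the ones quoted in the posts; the benign name and the verdict labels are constructed for illustration.

```python
"""Attachment-name triage for the spoofed-icon attachments described in
posts #6 and #7 (double extensions such as .doc.vbs, screensaver .scr
droppers, and the Cyrillic letter in 'banк.exe').

This is an added example, not code from the forum post or from the blogs it
quotes. The attachment names are the ones quoted in the posts; the benign
name and the verdict labels are constructed here for illustration.
"""
import unicodedata
from pathlib import PurePosixPath

# Extensions Windows runs when double-clicked (partial list, an assumption of
# this example rather than something the posts enumerate).
EXECUTABLE_EXTS = {".exe", ".scr", ".vbs", ".js", ".jse", ".wsf", ".com", ".pif", ".bat", ".cmd"}
# Extensions a user expects to open in a viewer rather than run.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf", ".txt", ".jpg", ".png"}


def triage(name: str) -> list:
    """List the name-level reasons an attachment deserves suspicion."""
    reasons = []
    suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
    final = suffixes[-1] if suffixes else ""
    if final in EXECUTABLE_EXTS:
        reasons.append(f"executable extension {final}")
    # 'report.doc.vbs' displays as 'report.doc' when known extensions are hidden.
    if len(suffixes) >= 2 and suffixes[-2] in DOCUMENT_EXTS and final in EXECUTABLE_EXTS:
        reasons.append(f"document extension {suffixes[-2]} hides {final}")
    # A single non-ASCII letter in an otherwise Latin name is how 'banк.exe'
    # slips past a filename rule that looks for the ASCII string 'bank'.
    for ch in name:
        if ord(ch) > 127:
            reasons.append(f"non-ASCII character U+{ord(ch):04X} ({unicodedata.name(ch, '?')})")
            break
    return reasons


def verdict(name: str):
    """Map the reasons to an action: quarantine executables, review oddities."""
    reasons = triage(name)
    if any(r.startswith("executable extension") for r in reasons):
        return "quarantine", reasons
    if reasons:
        return "review", reasons
    # A plain .doc/.xls carrying a malicious macro (the other campaign type in
    # these posts) passes name triage; that needs content inspection instead.
    return "allow", reasons


# Names quoted in the posts, plus one constructed benign name.
SAMPLE_NAMES = [
    "83JHE76328475243920_1a.doc.vbs",
    "RYR5601763.scr",
    "ban\u043a.exe",            # 'banк.exe' with CYRILLIC SMALL LETTER KA
    "USPS04142015.scr",
    "CIH Delivery Note 0051037484.doc",
    "quarterly-report.pdf",     # constructed benign name
]

if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        action, why = verdict(n)
        print(f"{action:<10} {n!r:<40} {'; '.join(why)}")
```

Name triage only sees what the filename says; the spoofed PDF icon the quoted posts describe lives inside the executable's resources, so the icon itself has to be caught by the executable-extension rule rather than by inspecting the name. Macro-laden .doc and .xls attachments, the other delivery method in these posts, come through this check as "allow" and need a separate content-level check.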
