FYI...
Whatsapp leads to Fake Flash update – malware
- http://myonlinesecurity.co.uk/whatsa...pdate-malware/
27 Jan 2015 - "An email pretending to come from somebody you know that appears to be a Whatsapp notification is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...
Screenshot: http://myonlinesecurity.co.uk/wp-con...e1-262x300.png
When you press the play button in the email, you get sent to a page looking like:
> http://myonlinesecurity.co.uk/wp-con...2-1024x739.png
... if you select the 'upgrade now' button you end up with a fake flash player update and a badly infected computer...
27 January 2015: adobe_flash_player_update.exe . Current VirusTotal detections: 2/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/7...is/1422376705/
___
Fake 'invoice' SPAM - malware
- http://blog.dynamoo.com/2015/01/malw...de-r-kern.html
27 Jan 2015 - "Kern Engineering & Mfg Corp. is a wholly legitimate firm, they are not sending out this spam nor have their systems been compromised in any way. Instead, this is a -forgery- which has a malicious Word document attached.
From: Eileen Meade [eileenmeade@ kerneng .com]
date: 27 January 2015 at 08:25
subject: inv.# 35261
Here is your invoice & Credit Card Receipt.
Eileen Meade
R. Kern Engineering & Mfg Corp.
Accounting
909) 664-2442
Fax 909) 664-2116
So far, I have seen two different versions of the Word document, both poorly detected [1] [2] containing two different macros... These attempt to download a binary from one of the following locations:
http ://UKR-TECHTRAININGDOMAIN .COM/js/bin.exe
http ://schreinerei-ismer.homepage.t-online .de/js/bin.exe
This is saved as %TEMP%\sdfsdferfwe.exe. It has a VirusTotal detection rate of 3/57*..."
[1] https://www.virustotal.com/en/file/7...is/1422351101/
[2] https://www.virustotal.com/en/file/2...is/1422351116/
* https://www.virustotal.com/en/file/2...is/1422351532/
- http://myonlinesecurity.co.uk/eileen...d-doc-malware/
27 Jan 2015
> https://www.virustotal.com/en/file/7...is/1422350612/
> https://www.virustotal.com/en/file/2...is/1422350713/
- http://blog.mxlab.eu/2015/01/27/fake...word-document/
Jan 27, 2015
> https://www.virustotal.com/en/file/2...is/1422351532/
216.251.43.17: https://www.virustotal.com/en/ip-add...7/information/
80.150.6.138: https://www.virustotal.com/en/ip-add...8/information/
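The spoofed-icon trick quoted in the WhatsApp item above works because Windows hides known extensions, so a file like "invoice.pdf.exe" is displayed as "invoice.pdf". The following is an added example (not code from either blog) that checks an attachment's name and leading bytes for that disguise; the filenames and header bytes it feeds in are constructed samples, not the real attachments.

```python
"""Flag mail attachments that pose as documents but are really executables."""
import os

# Extensions Windows runs as programs vs. ones users expect to be harmless.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}


def explorer_display_name(filename: str) -> str:
    """Mimic Explorer with 'hide extensions for known file types' on:
    only the last extension is hidden, so 'invoice.pdf.exe' shows as 'invoice.pdf'."""
    stem, ext = os.path.splitext(filename)
    return stem if ext else filename


def assess_attachment(filename: str, head: bytes) -> dict:
    """Return a verdict for one attachment given its name and first bytes."""
    name = filename.lower()
    stem, real_ext = os.path.splitext(name)
    _, inner_ext = os.path.splitext(stem)      # e.g. '.pdf' in 'invoice.pdf.exe'
    is_pe = head[:2] == b"MZ"                   # DOS/PE header of a Windows executable
    reasons = []
    if real_ext in EXECUTABLE_EXTS and inner_ext in DOCUMENT_EXTS:
        reasons.append("double extension, displayed as '%s' with extensions hidden"
                       % explorer_display_name(filename))
    if is_pe and real_ext not in EXECUTABLE_EXTS:
        reasons.append("PE header but non-executable extension '%s'" % real_ext)
    if is_pe and real_ext in EXECUTABLE_EXTS and not reasons:
        reasons.append("executable attachment")
    return {"display_name": explorer_display_name(filename),
            "suspicious": bool(reasons), "reasons": reasons}


# Constructed samples: names modelled on the campaigns above, bytes invented here.
SAMPLES = [
    ("adobe_flash_player_update.exe", b"MZ\x90\x00"),
    ("Invoice.PDF.EXE", b"MZ\x90\x00"),
    ("report.pdf", b"%PDF-1.4"),
    ("photo.jpg", b"MZ\x90\x00"),               # renamed executable
]


def scan(samples=SAMPLES) -> list:
    """Return display names of the samples judged suspicious."""
    return [assess_attachment(n, h)["display_name"] for n, h in samples
            if assess_attachment(n, h)["suspicious"]]


if __name__ == "__main__":
    for n, h in SAMPLES:
        print(n, "->", assess_attachment(n, h))
```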