Thread: SPAM frauds, fakes, and other MALWARE deliveries...

  1. #1 AplusWebMaster (Adviser Team, joined Oct 2005, USA, 6,881 posts)

    Fake 'chat history', 'Invoice/credit note', 'Lloyds Bank', 'overdue balance' SPAM

    FYI...

    Malvertising found on Dating Site Match[dot]com
    - https://blog.malwarebytes.org/malver...e-matchdotcom/
    Sep 3, 2015 - "In an attack similar to the one that happened last month on PlentyOfFish, the UK version of online dating site Match .com was caught serving malvertising. Both companies are actually related since the Match Group bought out POF.com last summer. This latest malvertising incident is the work of the same gang using Google shortened URLs leading to the Angler exploit kit.
    Infection flow:
    Initial URL: uk.match .com/search/advanced_search.php
    Malvertising: tags.mathtag .com/notify/js?exch={redacted}&price=0.361
    Malvertising: newimageschool .com/adframe/banners/serv.php?uid=215&bid=14&t=image&w=728&h=90
    Malicious Redirector: goo .gl/QU2x0w
    Exploit Kit (Angler): med.chiro582help .com/carry.shtm?{redacted}
    > https://blog.malwarebytes.org/wp-con...15/09/math.png
    The malvertising goes through a Goo.gl shortened URL (already blacklisted) that loads the Angler exploit kit:
    > https://blog.malwarebytes.org/wp-con.../09/google.png
    Angler EK is known to serve the Bedep ad fraud Trojan as well as CryptoWall ransomware. The cost per thousand impressions (CPM) for the booby trapped ad was only 36 cents, which is nothing compared to how much infected computers can bring in terms of revenues. For instance, CryptoWall demands $500 per victim. We alerted Match .com and the related advertisers but the malvertising campaign is still ongoing via other routes."

    chiro582help .com: 74.207.227.69: https://www.virustotal.com/en/ip-add...9/information/
    ___

    Fake 'chat history' SPAM – PDF malware
    - http://myonlinesecurity.co.uk/you-ne...e-pdf-malware/
    3 Sep 2015 - "An email with the subject of 'You need to read this chat history' coming from random senders and email addresses from with a zip attachment is another one from the current bot runs... The content of the email says :
    Good day!
    You should know this. View the chat history that I’ve attached. Remember
    it’s strongly confidential, so please don’t show it to anyone.
    Mrs. Edmund Schultz | (859) 913-2400
    Toys | Hackett-Kiehn


    And hundreds of other random names, email addresses, phone numbers and companies. Other subjects in this series include:
    You should view this correspondence
    Please view this correspondence
    You need to view it
    Please see it
    You need to review this information
    You need to review this chat history
    Please see this messages
    You need to read this chat history
    You should read this messages
    You should view this correspondence
    And hundreds of other similar variations on the theme of messages and chat history...
    3 September 2015: history Ward LockUG.zip: Extracts to: history Chelsea VillagePY.exe
    Current Virus total detections 2/57*. This is another one of the spoofed icon files that unless you have "show known file extensions enabled", will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/2...is/1441271691/
    ___

    Fake 'Invoice / credit note' SPAM - PDF malware
    - http://myonlinesecurity.co.uk/invoic...e-pdf-malware/
    3 Sep 2015 - "The latest set of -Upatre- downloader emails are 'Invoice' or 'credit note' from random companies. An email with the subject of 'Invoice INV-91659 from [random company]' for [Your web domain] (random numbers) or 'Credit Note CN-85402 from [random company]' for [Your web domain] (random numbers) pretending to come from Accounts with a zip attachment is another one from the current bot runs...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...4-1024x493.png

    3 September 2015: Invoice INV-91659.zip: Extracts to: Invoice.scr
    Current Virus total detections 1/56. This is another one of the spoofed icon files that unless you have "show known file extensions enabled", will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/c...is/1441279729/
    ___

    Fake 'Lloyds Bank' SPAM – PDF malware
    - http://myonlinesecurity.co.uk/custom...e-pdf-malware/
    3 Sep 2015 - "An email with the subject of 'Customer Account Correspondence' pretending to come from Lloyds Bank Commercial Finance <customermail@ lloydsbankcommercialfinance .co.uk> with a zip attachment is another one from the current bot runs...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...e-1024x490.png

    3 September 2015: Lloyds-Commercial_Documents.zip: Extracts to: Lloyds-Commercial_Documents.scr
    Current Virus total detections 3/56. This is another one of the spoofed icon files that unless you have "show known file extensions enabled", will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/c...is/1441281692/
    ___

    Fake 'overdue balance' SPAM – PDF malware
    - http://myonlinesecurity.co.uk/overdu...e-pdf-malware/
    3 Sep 2015 - "Following on from the earlier -Upatre- downloaders, the latest set of emails are about an overdue balance from random companies. An email with the subject of 'Urgent' e-mail letter of 'overdue balance' or 'Important reminder notice about outstanding balance' or very similar wording with a zip attachment is another one from the current bot runs...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...s-1024x314.png

    Some of the subjects so far seen include:
    Important reminder letter about outstanding remittances
    Urgent e-mail letter of overdue balance
    Important reminder letter about outstanding remittances
    Urgent letter of past due balance
    Urgent reminder about your delinquent balance
    Important reminder notice of delinquent remittances
    Urgent reminder about outstanding balance ...
    3 September 2015: documents Heidenreich MillsDE.zip: Extracts to: documents Stark LodgeFR.exe
    Current Virus total detections 2/55*. This is another one of the spoofed icon files that unless you have "show known file extensions enabled", will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/6...is/1441291670/
    ___

    Fake 'Canadian Bank' SPAM - PDF malware
    - http://myonlinesecurity.co.uk/you-ha...e-pdf-malware/
    3 Sep 2015 - "An email with the subject of 'You have received a secure e-mail / Vous avez reçu un courriel protégé' pretending to come from Canadian Imperial Bank of Commerce <noreply@ cibc .com> with a zip attachment is another one from the current bot runs...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...l-1024x580.png

    3 September 2015: SecureMail.zip: Extracts to: SecureMail.scr
    Current Virus total detections 6/57*. This is another one of the spoofed icon files that unless you have "show known file extensions enabled", will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/5...is/1441298777/
    ___

    Skype Spam...
    - https://blog.malwarebytes.org/fraud-...is-skype-spam/
    Sep 3, 2015 - "Over the last few weeks, there’s been a spam campaign taking place on Skype which involves the following steps:
    > Scammers use an automated technique to break old/weak Skype passwords (this has been contested by Skype users in that forum thread*).
    * http://community.skype.com/t5/Securi...4038620#M47813
    > They then use these accounts to send spam messages to contacts.
    > The spam frequently hides the “real” destination by providing (say) a Baidu search engine link instead – along with the Skype Username of the person who clicked the link in the URL.
    > The websites the “masked” URLs lead to tend to use redirects – it’s possible they’ve been compromised – before dumping the end-user on a diet spam page.
    Here’s an example of the spam currently going around:
    >> https://blog.malwarebytes.org/wp-con...skypespam0.jpg
    “Hi [username] | baidu(dot)com/[URL string] advise”
    Below you can see the initial landing page, the final destination and a screenshot of a Fiddler log:
    > https://blog.malwarebytes.org/wp-con...skypespam3.jpg
    ...
    > https://blog.malwarebytes.org/wp-con...pam2.jpg?w=564
    If your Skype password is in need of a spring clean... feel free to check out the list of hints and tips on the Skype Security page**."
    ** https://www.skype.com/en/security/

    Last edited by AplusWebMaster; 2015-09-03 at 19:47.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #2 AplusWebMaster

    Fake 'Payment Summary', 'Unsettled invoice' SPAM, WhatsApp scam

    FYI...

    Fake 'Payment Summary' SPAM – PDF malware
    - http://myonlinesecurity.co.uk/paymen...e-pdf-malware/
    15 Sep 2015 - "2 sets of emails pretending to come from payslip@ hss.health.nsw. gov.au with the subject of 'Payment Summary (Group Certificate) for 2014/15 financial year' or 'Payslip for the period 31 Aug 2015 to 14 sep 2015' with a zip attachment is another one from the current bot runs...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...e-1024x506.png

    15 September 2015: PAYG-EoY-2014-15-11577085-181466719.zip: Extracts to: PAYG-EoY-2014-15-04831806-000718002.scr
    Current Virus total detections 11/56*
    15 September 2015: Payslip13526234054137704-78242.zip: Extracts to: Payslip00477196470196471-00038.scr
    Current Virus total detections 6/57**
    ... Techhelplist.com have done a breakdown of these Upatre downloaders from yesterday’s versions of these emails with similar attachments... HERE[3] and Here[4].
    This is another one of the spoofed icon files that unless you have "show known file extensions enabled", will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/1...is/1442293989/

    ** https://www.virustotal.com/en/file/c...is/1442282228/

    3] https://techhelplist.com/spam-list/9...l-year-malware

    4] https://techhelplist.com/spam-list/9...o-date-malware
    ___

    Fake 'Unsettled invoice' SPAM – PDF malware
    - http://myonlinesecurity.co.uk/unsett...e-pdf-malware/
    15 Sep 2015 - "The latest -Upatre- style downloaders are attached to series of emails with the subject of 'Unsettled invoice e-mail notice' pretending to come from random addresses with a zip attachment is another one from the current bot runs... The content of the email says:
    Hello dear customer,
    I urgently ask you to settle an invoice from Tue, 15 Sep 2015 11:39:13 +0100


    Other subjects in this malspam run include:
    Unsettled invoice e-mail reminder
    Important invoice e-mail notice
    Overdue invoice e-mail reminder
    Unsettled invoice notification
    Outstanding invoice e-mail notice
    Important invoice final reminder

    The times are all random, but the dates all say Tue, 15 Sep 2015..
    15 September 2015: Voluptas soluta laborum illum aperiam praesentium molestiae sequi..zip:
    Extracts to: Consequatur sint consectetur qui esse..exe
    Current Virus total detections 1/57*
    This doesn’t actually appear to be Upatre and we haven’t managed to get any other downloads from it via automatic analysis so far... This is another one of the spoofed icon files that unless you have "show known file extensions enabled", will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/e...is/1442313814/
    ___

    WhatsApp scam/SPAM ...
    - https://blog.malwarebytes.org/fraud-...sapp-stickers/
    Sep 15, 2015 - "We’ve spotted a WhatsApp scam using the same general template as the previously covered WhatsApp Elegant Gold*, located at:
    stickers-whatsapp(dot)com
    ... which asks for your WhatsApp Number in return for some “stickers”. You typically have to pay for stickers via a number of Apps, so potential freebies are always going to pull in some eyeballs.
    > https://blog.malwarebytes.org/wp-con...tstickers1.jpg
    It follows the familiar pattern of “Spam a bunch of people and we’ll give you what you want”, complete with inevitable Shyamalan-style plot twist at the end (no, your phone wasn’t a ghost the whole time). Here’s the spam request:
    > https://blog.malwarebytes.org/wp-con...tstickers2.jpg
    ... As with other sites of a similar nature**, we advise you to not bother and stick to legit apps on your mobile store of choice if you really want to plaster your texts with images. All you’ll get for your time and trouble with these websites are adverts, PUPs and surveys (also, your phone was totally a ghost the whole time)."
    * https://blog.malwarebytes.org/fraud-...gital-catwalk/

    ** https://blog.malwarebytes.org/fraud-...p-voice-users/

    stickers-whatsapp(dot)com: 54.254.185.159: https://www.virustotal.com/en/ip-add...9/information/
    ___

    Cisco router break-ins bypass cyber defenses
    - http://www.reuters.com/article/2015/...0RF0N420150915
    Sep 15, 2015 - "... researchers* say they have uncovered clandestine attacks across three continents on the routers that direct traffic around the Internet, potentially allowing suspected cyberspies to harvest vast amounts of data while going undetected. In the attacks, a highly sophisticated form of malicious software, dubbed 'SYNful Knock'*, has been implanted in routers made by Cisco..."
    * https://www.fireeye.com/blog/threat-...ck_-_acis.html
    Sep 15, 2015 - "... recent vendor advisories indicate that these have been seen in the wild. Mandiant can confirm the existence of at least -14- such router implants spread across four different countries: Ukraine, Philippines, Mexico, and India... Conclusion: ... It should be evident now that this attack vector is very much a reality and will most likely grow in popularity and prevalence..."
    1] http://www.cisco.com/web/about/secur...assurance.html

    Last edited by AplusWebMaster; 2015-09-15 at 21:46.

  3. #3 AplusWebMaster

    Fake 'toll road payment', 'latest proposal' SPAM, Malvertising

    FYI...

    Fake 'toll road payment' SPAM – PDF malware
    - http://myonlinesecurity.co.uk/unsett...e-pdf-malware/
    28 Sep 2015 - "Another load of emails from the Upatre downloaders with the subject of 'Unsettled toll road payment reminder' pretending to come from random companies and email addresses with a zip attachment is another one from the current bot runs... The content of the email says:
    Good day!
    Your toll road ticket #2515380112 is still unsettled. Please make a remittance to avoid additional fees within 12 days.
    The copy of ticket is attached to this e-mail.


    Other subjects in today’s malspam run include:
    Turnpike road invoice reminder
    Outstanding turnpike invoice message
    Outstanding turnpike payment email reminder
    Oustanding toll road ticket notification
    Oustanding toll road payment notification
    Unsettled toll road bill notice
    Turnpike road bill reminder
    Toll road bill notice
    Toll road payment message
    Turnpike road ticket notification


    28 September 2015: Doc_9911815_Unsettled toll road payment reminder .pdf.zip:
    Extracts to: copious strumpet kernel mode.exe
    Current Virus total detections 3/57*. This is another one of the spoofed icon files that unless you have "show known file extensions enabled", will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/1...is/1443433322/

    Similar: https://isc.sans.edu/diary.html?storyid=20191
    2015-09-28
    Screenshot: https://isc.sans.edu/diaryimages/ima...25_33%20AM.png
    [1] https://www.virustotal.com/en/file/8...is/1443436044/
    4/55
    ___

    Fake 'latest proposal' SPAM – PDF malware
    - http://myonlinesecurity.co.uk/the-la...e-pdf-malware/
    28 Sep 2015 - "Another set of emails with Upatre downloaders involve the subject of 'The latest proposal' pretending to come from random email addresses and companies with a zip attachment is another one from the current bot runs... The content of the email says :
    Good day,
    I’ve attached a new project and business proposal to this e-mail. I suppose it will interest you.
    ... This message and any attachments are confidential and intended for the named
    addressee(s) only.If you have received this message in error, please notify
    immediately the sender, then delete the message. Any unauthorized modification,
    edition, use or dissemination is prohibited. The sender does not be liable for
    this message if it has been modified, altered, falsified, infected by a virus
    or even edited or disseminated without authorization...


    Other subjects in this Malspam run include:
    My commercial proposal
    Please read my new commercial proposal
    Please read my new business project
    Please view my new project
    New business proposal
    The latest proposal of common business
    ...
    28 September 2015: Doc_21123802_My commercial proposal .pdf.zip:
    Extracts to: attendee parent bank manage to.exe
    Current Virus total detections 2/57*. This is another one of the spoofed icon files that unless you have "show known file extensions enabled", will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/1...is/1443448919/
    ___

    Pornhub, YouPorn - Malvertising ...
    - https://blog.malwarebytes.org/malver...sing-campaign/
    Sep 28, 2015 - "The xHamster malvertising campaign we wrote about last week[1] was part of several attacks against many top adult sites. It is unclear whether this was a planned effort from threat actors but the timing is certainly strange. Over the week-end we detected -another- incident affecting Pornhub and YouPorn, some of the biggest adult websites with a combined 800 million monthly visits... Overview:
    Publishers: Pornhub .com/YouPorn .com
    Ad network: syndication.exoclick .com/{redacted}
    Malicious code: trackitsup .com/cookiecheck.js?{redacted}
    Redirection to exploit-kit: beatiful.sextubehard .pw/{redacted}
    Angler Exploit Kit: knutterigemukaantulolleen.colleenmhammond .org
    Rogue advertisers abused the ExoClick ad network by inserting a seemingly legitimate piece of code as an ad banner. The first documented instance of the ‘cookiecheck.js‘ campaign appears to have taken place on Sept. 19th according to this tweet from malware hunter Malekal:
    > https://twitter.com/malekal_morte/st...48983959113728
    #Browlock #Ransomware at @Exoclick network...
    'The ‘cookiecheck’ malvertising campaign. Rotating domain names all use the same JavaScript snippet.'
    Fortunately, the malvertising on Pornhub and YouPorn did not last as long, thanks to an immediate action from both the publisher and ad network... During the past several months, high profile malvertising attacks against top adult sites have been sparse. This makes what we have seen during the past couple of weeks very unusual but also impactful given the sheer volume of traffic these sites receive. What’s more, the attack against top adult ad network TrafficHaus we documented last week[1] may have been the result of a security breach, according to a comment left on security blogger Graham Cluley’s site**. Users should make sure that their computers are fully patched and protected with several layers of security (the 3 A’s is a very effective line of defense: Anti-exploit, Antivirus, Anti-malware) in order to defeat malvertising and drive-by download attacks."
    1] https://blog.malwarebytes.org/malver...p-adult-sites/
    Sep 24, 2015
    * https://grahamcluley.com/2015/09/xhamster-malware/
    Sep 25, 2015
    ** https://grahamcluley.com/2015/09/xha...#comment-49405
    Sep 27, 2015 - "... 89.187.142.208..."
    > https://www.virustotal.com/en/ip-add...8/information/

    Pornhub .com: 31.192.117.132: https://www.virustotal.com/en/ip-add...2/information/

    exoclick .com: 178.33.165.129: https://www.virustotal.com/en/ip-add...9/information/

    trackitsup .com: 80.86.89.178: https://www.virustotal.com/en/ip-add...8/information/

    sextubehard .pw: "A temporary error occurred during the lookup..."

    colleenmhammond .org: 184.168.221.56: https://www.virustotal.com/en/ip-add...6/information/

    Last edited by AplusWebMaster; 2015-09-28 at 22:19.
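The three posts above keep pointing at the same trick: a zip attachment whose member is an .exe or .scr carrying a PDF icon, or whose name buries ".pdf" in front of the real extension ("...reminder .pdf.zip"). The following is an added example (not from the forum post or the blogs it quotes) of a defender-side screen for that trick: it checks archive and member names for the deceptive patterns and checks member bytes for the PE magic regardless of name. The archive names are modelled on those quoted above; the archive contents are constructed in memory.

```python
"""Screen e-mail zip attachments for the 'spoofed icon' trick described above.

Added example (not from the forum post or the blogs it quotes). Two checks:
1. naming: an executable extension, a document extension buried before the
   real one ("reminder .pdf.zip"), or a space padded in before the extension;
2. content: a member whose bytes start with the PE magic "MZ" although its
   name does not end in an executable extension.
Sample archives are built in memory, so this runs offline.
"""
import io
import re
import zipfile

# Extensions Windows runs on double-click; ".scr" (screensaver) is the one
# these Upatre runs used most often.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Extensions the spoofed icon is meant to suggest.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}


def split_name(name: str):
    """Return (lower-cased basename, final extension, set of inner extensions)."""
    base = name.rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    inner = {"." + p for p in parts[1:-1]}
    return base, ext, inner


def name_findings(name: str) -> list:
    """Reasons a file name (archive or member) looks deceptive; [] if none."""
    base, ext, inner = split_name(name)
    findings = []
    if ext in EXECUTABLE_EXTS:
        findings.append("executable extension " + ext)
    if inner & DOCUMENT_EXTS:
        findings.append("document extension buried before " + ext)
    if re.search(r"\s\.", base):
        findings.append("space padded in before the extension")
    return findings


def member_findings(name: str, head: bytes) -> list:
    """Name checks plus the content check on the first bytes of a member."""
    findings = name_findings(name)
    _, ext, _ = split_name(name)
    # A PE file starts with "MZ"; if the name claims a document, the icon lies
    if head[:2] == b"MZ" and ext not in EXECUTABLE_EXTS:
        findings.append("PE header (MZ) behind a non-executable name")
    return findings


def scan_attachment(archive_name: str, data: bytes) -> dict:
    """Findings for the archive's own name and for every member it contains."""
    report = {archive_name: name_findings(archive_name)}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(2)  # only the magic is needed
            report[info.filename] = member_findings(info.filename, head)
    return report


def is_suspicious(archive_name: str, data: bytes) -> bool:
    """True when any name or member in the attachment produced a finding."""
    return any(scan_attachment(archive_name, data).values())


def build_sample(member: str, payload: bytes) -> bytes:
    """Construct a one-member zip in memory (sample input, not a real attachment)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, payload)
    return buf.getvalue()


# Constructed samples: names modelled on those quoted in the posts above, the
# "MZ" prefix standing in for a real PE header, the rest filler bytes.
FAKE_PE = b"MZ" + b"\x00" * 62
SAMPLES = [
    ("Doc_9911815_Unsettled toll road payment reminder .pdf.zip",
     build_sample("copious strumpet kernel mode.exe", FAKE_PE)),
    ("Lloyds-Commercial_Documents.zip",
     build_sample("Lloyds-Commercial_Documents.scr", FAKE_PE)),
    ("statement.zip", build_sample("statement.pdf", FAKE_PE)),  # renamed PE
    ("invoice.zip", build_sample("invoice.pdf", b"%PDF-1.4\n% constructed\n")),
]


def suspicious_samples() -> list:
    """Archive names from SAMPLES that trip at least one check."""
    return [name for name, data in SAMPLES if is_suspicious(name, data)]


if __name__ == "__main__":
    for archive, data in SAMPLES:
        for entry, reasons in scan_attachment(archive, data).items():
            print(f"{archive} -> {entry}: {'; '.join(reasons) or 'ok'}")
```

The content check is what catches the case "show known file extensions" cannot: a PE renamed to .pdf still starts with MZ.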

  4. #4 AplusWebMaster

    Fake 'contract' SPAM, Fake game sites

    FYI...

    Fake 'contract' SPAM – doc/xls malware
    - http://myonlinesecurity.co.uk/contra...sheet-malware/
    8 Oct 2015 - "An email with the subject of 'contract' pretending to come from random companies and email addresses with a zip file containing a malicious word doc attachment is another one from the current bot runs... The email looks like:
    Dear customer,
    I’m sending you a new contract of the project (Double ordinary certificate)

    -Or-
    Dear customer,
    I’m sending you a new contract of the project (Information about updated summary)


    The name in brackets in the body of the email matches the name of the zip attachment that contains the word doc which also has random names... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents appear to be blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
    > http://myonlinesecurity.co.uk/wp-con...-macros_21.png
    ...
    > http://myonlinesecurity.co.uk/wp-con...ected-mode.png

    8 October 2015: Double ordinary certificate.zip - Extracts to: Collect corporate business inventories.doc
    Current Virus total detections 3/56* ... which doesn’t connect to a webserver but has the Upatre binary embedded inside the word doc inside a rtf file that gets extracted and run from %temp%\w13.exe (VirusTotal 3/57**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/a...is/1444322597/

    ** https://www.virustotal.com/en/file/a...is/1444323758/
    ___

    Fake 'GTA V for Mobile' sites lead to 'Surveys'
    - https://blog.malwarebytes.org/online...ad-to-surveys/
    Oct 8, 2015 - "... GTA V used as -bait- in many cases... here's one which focuses on the allure of portability to reel in unsuspecting fans of the title. A number of sites are claiming to offer up mobile versions of the game, despite it requiring an Xbox 360 / Xbox One / PS3 / PS4 / decent gaming PC to run – not to mention the disk space taken up, which is a fair amount to say the least (you aren’t going to find many phones with -50GB- available just to be able to install a game). The sites in question are:
    gta5forpsp(dot)com
    androidgta5(dot)com
    iosgta5(dot)com
    Despite this, mobile gamers are being told they can run it on Android, iOS and PSP. The three sites we looked at all share similar designs, displaying what they claim to be GTA V running on the aforementioned devices and a download link:
    > https://blog.malwarebytes.org/wp-con...handheld11.jpg
    ... they also use the well worn technique of saying “As seen on…” and listing numerous well known online publications (none of which appear to mention their mysterious version of GTA V)... the creators of the Grand Theft Auto titles, Rockstar Games, don’t mention a handheld version of GTA V anywhere either. It’s almost like it doesn’t exist. This is probably a good time to make a callback to that -50GB- game size, and then see how big one of the mobile downloads is:
    > https://blog.malwarebytes.org/wp-con...ahandheld4.jpg
    ... If in doubt, check the official website of a game developer and discover straight from the source which platform your desired evening’s entertainment runs on. In the above case, there is -no- official version of GTA V for handhelds whatsoever..."

    gta5forpsp(dot)com: 91.121.223.39: https://www.virustotal.com/en/ip-add...9/information/
    androidgta5(dot)com: https://www.virustotal.com/en/url/02...53e1/analysis/
    iosgta5(dot)com: https://www.virustotal.com/en/url/08...3744/analysis/

    Last edited by AplusWebMaster; 2015-10-09 at 11:25.

  5. #5 AplusWebMaster

    Fake 'Invoice Summary.doc' SPAM, Fake Java, Email account PHISH, Apple Invoice PHISH

    FYI...

    Fake 'Invoice Summary.doc' SPAM - malicious attachment
    - http://blog.dynamoo.com/2015/10/malw...nvoice_22.html
    22 Oct 2015 - "This -fake- invoice does not come from United Utilities Scotland, but is instead a simple forgery with a malicious attachment...
    From "UUSCOTLAND" [UUSCOTLAND@ uuplc. co.uk]
    Date Thu, 22 Oct 2015 19:30:13 +0700
    Subject Water Services Invoice
    Good Morning,
    I hope you are well.
    Please find attached the water services invoice summary for the billing period of
    22 September 2015 to 22 October 2015.
    If you would like any more help, or information, please contact me on 0345 0726077.
    Our office is open between 9.00am and 5.00pm Monday to Friday. I will be happy to
    help you. Alternatively you can email me at uuscotland@uuplc.co.uk.
    Kind regards
    Melissa
    Melissa Lears
    Billing Specialist
    Business Retail
    United Utilities Scotland ...


    So far I have seen -three different- versions of the attachment, all named 22 October 2015 Invoice Summary.doc with detection rates of between 4/55 and 7/55 at VirusTotal [1] [2] [3] containing... malicious macros... Analysis of the documents is pending, but one key indicator is that the file appears to be saved as %TEMP%\bluezone3.exe. Check back later for updates."
    1] https://www.virustotal.com/en/file/f...is/1445520172/

    2] https://www.virustotal.com/en/file/a...is/1445520186/

    3] https://www.virustotal.com/en/file/3...is/1445520199/

    UPDATE 1: This VirusTotal report* also identifies the following download locations:
    beauty.maplewindows .co.uk/t67t868/nibrd65.exe
    dtmscomputers .co.uk/t67t868/nibrd65.exe
    namastetravel .co.uk/t67t868/nibrd65.exe
    This file has a VirusTotal detection rate of 2/54** and that report indicates network traffic to: 198.74.58.153 (Linode, US)
    Further analysis is pending, in the meantime I suggest that you -block- traffic to the above IP."
    * https://www.virustotal.com/en/file/a...is/1445520186/

    ** https://www.virustotal.com/en/file/5...is/1445521267/

    198.74.58.153: https://www.virustotal.com/en/ip-add...3/information/
    ___

    Fake Java "pop-ups for Download"
    - https://blog.malwarebytes.org/online...ava-i-ordered/
    Oct 22, 2015 - "... The downloaded file is called setup.exe and is recognized by a few scanners* that detect this file as potentially unwanted adware. (PUP.Optional.Media)... It installs a program called Media Downloader version 1.5:
    > https://blog.malwarebytes.org/wp-con.../warning4w.png
    The other one I want to show you is not actually a pop-up, but a background image that was made to look like one:
    > https://blog.malwarebytes.org/wp-con.../10/site1w.png
    Clicking this “Install” button downloads and prompts you to install a bundler that does install Java version 1.8.25 but not until they have offered the other components of the bundle. In this case I had to “Decline” Norton360, Weatherbug, PC Mechanic and Stormfall Age of War. Note that the latest version for my system is Version 8 Update 65. Version 8u25 is over a year old. Paying attention to the UAC prompt could have saved us some work here. Super IS (Fried Cookie Ltd.) somehow doesn’t have that official ring to it to convince me that this is the Java installer I was promised:
    > https://blog.malwarebytes.org/wp-con...UACpromptw.png
    Probably triggered by the critical patch update that was released by Oracle there are some sites that use this opportunity to lure users into using Java prompt -lookalikes- or bundled installers (for outdated versions). As always, get your software from trusted sources..."
    * https://www.virustotal.com/nl/file/5...02a9/analysis/
    ___

    Email account credentials - PHISH
    - http://myonlinesecurity.co.uk/email-...ials-phishing/
    22 Oct 2015 - "I came across this slightly different email -phishing- attempt this morning... The original email is quite bland, but just enticing enough to persuade a user to click and fill in the forms...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...l-1024x338.png

    If you did follow the link, you would see a webpage looking like this:
    > http://myonlinesecurity.co.uk/wp-con...e-1024x565.png
    This site is hosted on a free hosting company weebly .com. Unfortunately these free hosts have minimal checks and it is easy to put up almost anything that can infect a user or act as a phishing site. Weebly does eventually respond to abuse reports but in my experience they are quite slow and take a long time to think about whether the site contravenes their T&Cs. Do -not- fill in the forms otherwise your email account will be compromised. You -never- need to give your email account password to anybody."
    ___

    Apple Invoice - Phish
    - https://blog.malwarebytes.org/fraud-...invoice-phish/
    Oct 22, 2015 - "... a blatant attempt to swipe your payment information. Couched in the well-worn guise of a supposed Apple Store refund, the mail wants potential victims to hand over their Apple ID / password and then a chunk of personal / payment details:
    > https://blog.malwarebytes.org/wp-con...pplephis01.jpg
    ... Of course, you probably did not authorise any sort of purchase for a “CoPilot Premium HD” which is exactly the “Oh no my money, I must retrieve it” reaction they’re banking on (unless you actually did buy one of these, in which case things might get a little confusing). Nothing will have people rushing to click buttons and hand over information faster than the possibility of someone making unauthorised payments – clicking the refund links will take them to a -fake- login, via a -redirect- on a potentially compromised t-shirt website. The phish pages themselves are located at
    aut0carhire(dot)com/index/user12-appleid/index(dot)html
    > https://blog.malwarebytes.org/wp-con...pplephish1.jpg
    After handing over Apple ID credentials, the victim is taken to the next step which involves them giving name, address, DOB and full payment information:
    > https://blog.malwarebytes.org/wp-con...pplephish2.jpg
    ... Unfortunately, hitting the “Cancel Transaction” button here would be pretty much the exact opposite of cancelling a transaction and victims could expect to see many more actual payments suddenly leaving their bank account. If you have this sitting in your mailbox, delete it. If you’ve already sent the scammers your details, notify your bank and cancel the card – while keeping an eye out for any dubious payments. Apple themed phish scams are a popular choice for criminals, and whether faced with iTunes logins, “Find my phone” fakeouts, iCloud shenanigans or payment receipts such as the one above, recipients should be wary and – if in doubt – head to -official- Apple pages* to find out if a payment really is being processed."
    * http://www.apple.com/shop/account/home

    aut0carhire(dot)com: 97.74.181.128: https://www.virustotal.com/nl/ip-add...8/information/
    >> https://www.virustotal.com/nl/url/6a...f05e/analysis/

    Last edited by AplusWebMaster; 2015-10-22 at 22:48.

  6. #6 AplusWebMaster (Adviser Team)

    Fake 'Document from AL-KO', 'Billing', 'subpoena', 'PayPal' SPAM, Adware, Phish...

    FYI...

    Fake 'Document from AL-KO' SPAM - doc malware
    - http://myonlinesecurity.co.uk/docume...d-doc-malware/
    5 Nov 2015 - "An email with the subject of 'Document from AL-KO' pretending to come from info@ alko .co.uk with a malicious word doc attachment is another one from the current bot runs... The email looks like:
    This document is DOC created by Osiris OSFAX(R) V3.5.
    It can be viewed and printed with Microsoft Word(R)


    5 November 2015: Document from AL-KO.doc - Current Virus total detections 0/54*.
    ... Downloads Dridex banking malware from:
    www .mazzoni-hardware .de/f75f9juu/009u98j9.exe
    deklompjes .nl/~maurice/f75f9juu/009u98j9.exe
    members.dodo .com.au/~mfranklin17/f75f9juu/009u98j9.exe
    www .www .www.enhancedpixel .com/f75f9juu/009u98j9.exe (VirusTotal 3/54**)
    ... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents appear to be blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
    > http://myonlinesecurity.co.uk/wp-con...1-1024x412.png
    ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/1...is/1446722835/

    ** https://www.virustotal.com/en/file/1...is/1446723789/
    ... Behavioural information
    TCP connections
    75.99.13.123: https://www.virustotal.com/en/ip-add...3/information/
    23.62.99.160: https://www.virustotal.com/en/ip-add...0/information/

    - http://blog.dynamoo.com/2015/11/malw...rom-al-ko.html
    5 Nov 2015 - "... detection rate of 4/54*... Other automated analyses [5] [6] show network traffic to:
    128.199.122.196 (Digital Ocean, Singapore)
    75.99.13.123 (Cablevision, US)
    The payload appears to be the Dridex banking trojan.
    Recommended blocklist:
    128.199.122.196
    75.99.13.123"
    * https://www.virustotal.com/en/file/1...is/1446729564/

    5] https://www.hybrid-analysis.com/samp...nvironmentId=2

    6] https://malwr.com/analysis/MTNjODQ1M...FiYzg0MzY2ZWE/

    128.199.122.196: https://www.virustotal.com/en/ip-add...6/information/
    ___

    Fake 'Billing' SPAM – PDF malware
    - http://myonlinesecurity.co.uk/monthl...e-pdf-malware/
    5 Nov 2015 - "An email with the subject of 'Monthly Billing 920493380924127516 – e-Online Data – amerikicks' coming from random companies, email addresses and names with a zip attachment is another one from the current bot runs... The content of the email says:
    Amerikick Studios
    Invoice #: 920493380924127516
    Please use the HelpDesk for all problems/questions/suggestions. It is located at the bottom of the admin pages.
    A full report in the attachment.
    Billing for Nov 2015
    This is your Payment Gateway monthly invoice...


    5 November 2015: Final overdue bill order document.zip: Extracts to: 745348208.exe
    Current Virus total detections 1/55*. This is another one of the spoofed icon files that, unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/2...is/1446738837/
    ___

    Fake 'subpoena' attachment SPAM - doc malware
    - http://myonlinesecurity.co.uk/i-got-...d-doc-malware/
    5 Nov 2015 - "An email saying 'I got this subpoena in my mail box today' with the subject of 'sued used' pretending to come from dlittle@ cardataconsultants .com with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... Nobody is being sued. Nobody is actually sending a subpoena to you by email. The email looks like:
    I got this subpoena in my mail box today, saying that I have been sued by you.
    I am sorry but I don’t even know what this is.
    I am attaching a scanned copy , please let me know what this is about
    Doug Little
    Special Services Co-ordinator
    CarDATA Consultants
    Phone 289-981-2733 ...


    5 November 2015: subpoena.doc - Current Virus total detections 2/54*
    This malicious word doc has -2- copies of a RTF file embedded inside it (MALWR**) that when extracted deliver an embedded fareit password stealing malware pm3.exe (VirusTotal 2/55***) that posts information to http ://littonredse .ru/gate.php
    These malicious word docs normally also drop an Upatre downloader that in turn downloads a Dyreza banking malware... the macro inside the word doc seems to indicate that it should...
    Update: somewhere along the line it also downloads:
    - http ://s.teamzerostudio .com/x1.exe (VirusTotal[4])...
    ... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents appear to be blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
    > http://myonlinesecurity.co.uk/wp-con...1-1024x412.png
    ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/1...fff6/analysis/

    ** https://malwr.com/analysis/NTY3ZjEwM...E5ODhmMTliYTI/

    *** https://www.virustotal.com/en/file/6...is/1446742200/
    ... Behavioural information
    TCP connections
    80.78.251.32: https://www.virustotal.com/en/ip-add...2/information/
    119.81.144.82: https://www.virustotal.com/en/ip-add...2/information/

    4] https://www.virustotal.com/en/file/e...is/1446746740/
    ___

    PayPal Spam
    - http://threattrack.tumblr.com/post/1...98/paypal-spam
    Nov 5, 2015 - "Subjects Seen:
    Your PayPal Invoice is Ready
    Typical e-mail details:
    Dear PayPal Customer,
    Please open the attached file to view invoice.
    Your monthly account statement is available anytime; just log in to your account. To correct any errors, please contact us through our Help Centre.


    Malicious File Name and MD5:
    paypal_955154675414192_110515.exe (2364e385b3fe22c9381e20a72ce520e5)


    Screenshot: https://40.media.tumblr.com/d36cf5a5...r6pupn_500.png

    Tagged: PayPal, Upatre
    ___

    Trojanized adware; 20K popular apps caught in the crossfire
    - https://blog.lookout.com/blog/2015/1...anized-adware/
    Nov 4, 2015 - "Auto-rooting adware is a worrying development in the Android ecosystem in which malware roots the device automatically after the user installs it, embeds itself as a system application, and becomes nearly impossible to remove. Adware, which has traditionally been used to aggressively push ads, is now becoming trojanized and sophisticated. This is a new trend for adware... detected over 20,000 samples of this type of trojanized adware masquerading as legitimate top applications, including Candy Crush, Facebook, GoogleNow, NYTimes, Okta, Snapchat, Twitter, WhatsApp, and many others..."
    - http://net-security.org/malware_news.php?id=3144
    05.11.2015

    - http://arstechnica.com/security/2015...ble-to-remove/
    Nov 4, 2015
    ___

    Instagram 'free $50 Xbox cards' - Phish ...
    - https://blog.malwarebytes.org/online...ode-generator/
    Nov 5, 2015
    > https://blog.malwarebytes.org/wp-con...a1-300x261.jpg
    "... This tiled effect is achieved by uploading pieces of the larger image one by one, and could well help to attract attention from anybody interested in free $50 Xbox cards... it’s certainly a lot better looking than most similar promo splashes we see elsewhere... It claims to be a code generator, and wants visitors to enter an email-address-to-proceed after having selected their chosen reward. After hitting the 'Generate Code' button, the would-be recipient of free Xbox goodness sees one of those “We’re doing hacking stuff, honest” boxes pop up in the middle of the screen complete with regulation standard green text on black background:
    > https://blog.malwarebytes.org/wp-con...xboxinsta3.jpg
    ... convincing people to fill in surveys has been around for many years, yet they continue to bring in those hopeful of a little free console cash. I’ve seen pretty much every variation of the above there is, and have yet to see a single supposed code generator which actually did just that. All you’ll get for your time and trouble is handing over personal information to marketers and / or potentially unwanted downloads. And after you’ve done all of that, there’s still no guarantee you’ll get anything at the end of it. Our advice is -not- to bother with offers such as these – no matter how nice their Instagram page looks."

    Last edited by AplusWebMaster; 2015-11-08 at 14:23.
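    The spoofed-icon trick in the 'Billing' item above (an .exe inside a zip, dressed up to look like a PDF) is exactly what a mail gateway can catch by trusting the file's leading bytes instead of its name or icon. The Python below is an added example, not code from the forum post or from the quoted blogs; the zip archive and the PE header stub it inspects are constructed stand-ins, and the verdict wording and the extension lists are this example's own choices.

```python
"""Flag e-mail attachments whose content contradicts their name.

Added example, not from the forum post or the blogs it quotes. The
'Billing' spam above ships a zip extracting to '745348208.exe' shown with
a PDF icon; icons and hidden extensions are cosmetic, the first bytes are
not, so this check trusts magic bytes over names. Sample data is constructed.
"""
from __future__ import annotations
import io
import zipfile
from dataclasses import dataclass

MAGIC = {  # what the spam pretends to be vs. what it really is
    b"MZ": "pe-executable",
    b"%PDF": "pdf",
    b"\xd0\xcf\x11\xe0": "ole-office",  # legacy .doc/.xls, the macro carriers
    b"PK\x03\x04": "zip",                # also .docx/.xlsx containers
}
DOC_EXTS = {"pdf", "doc", "xls", "docx", "xlsx", "txt", "jpg", "png"}
EXEC_EXTS = {"exe", "scr", "com", "pif", "js", "vbs", "bat", "cmd"}

@dataclass
class Finding:
    name: str
    claimed: str   # extension the recipient sees
    actual: str    # type derived from magic bytes
    verdict: str

def sniff(data: bytes) -> str:
    """Identify a file by its leading bytes; 'unknown' if none match."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"

def check_file(name: str, data: bytes) -> Finding:
    parts = name.lower().rsplit(".", 2)
    ext = parts[-1] if len(parts) > 1 else ""
    # 'report.pdf.exe' displays as 'report.pdf' when known extensions are hidden
    double = len(parts) == 3 and parts[-2] in DOC_EXTS and ext in EXEC_EXTS
    actual = sniff(data)
    if actual == "pe-executable" or ext in EXEC_EXTS:
        verdict = "block: executable content" + (" (double extension)" if double else "")
    elif actual == "ole-office":
        verdict = "hold: legacy Office file, macros possible"
    elif ext == "pdf" and actual != "pdf":
        verdict = "hold: content does not match .pdf extension"
    else:
        verdict = "allow"
    return Finding(name, ext, actual, verdict)

def scan_attachment(name: str, data: bytes) -> list[Finding]:
    """Check an attachment; for a zip, check each member (one level only)."""
    if sniff(data) != "zip":
        return [check_file(name, data)]
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [check_file(i.filename, zf.read(i)) for i in zf.infolist() if not i.is_dir()]

def build_sample_zip() -> bytes:
    """Constructed stand-in for 'Final overdue bill order document.zip':
    a header-only PE stub, not a runnable program."""
    pe_stub = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("745348208.exe", pe_stub)
    return buf.getvalue()

if __name__ == "__main__":
    for f in scan_attachment("Final overdue bill order document.zip", build_sample_zip()):
        print(f"{f.name}: claims .{f.claimed}, is {f.actual} -> {f.verdict}")
```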

  7. #7 AplusWebMaster (Adviser Team)

    Fake 'Shipping notification', 'Google invoice', 'VAT Receipt' SPAM, EK's tactics

    FYI...

    Fake 'Shipping notification' SPAM - malicious attachment
    - http://blog.dynamoo.com/2015/11/malw...ification.html
    19 Nov 2015 - "This rather terse spam does -not- come from Ceva Logistics but is instead a simple -forgery- with a malicious attachment.
    From: noreply@ cevalogistics .com
    Date: 19 November 2015 at 10:27
    Subject: [Shipping notification] N3043597 (PB UK)


    There is -no- body text and the "N" number is randomly generated. All samples I have seen contain a file called shipping-notification.xls which is the same in all cases, containing this malicious macro... it has a VirusTotal detection rate of 2/54*. The comments on that VirusTotal report plus this Hybrid Analysis report** indicate a malicious binary is downloaded from:
    iwcleaner .co.uk/8i65h4g53/o97i76u54.exe
    This has an MD5 of e0d24cac5fb16c737f5f016e54292388 and a detection rate of 2/54*** and this Hybrid Analysis report[4] shows malicious traffic to the following IP (which I recommend you block):
    182.93.220.146 (Ministry of Education, Thailand)
    The payload is almost definitely the Dridex banking trojan."
    * https://www.virustotal.com/en/file/f...is/1447929870/

    ** https://www.hybrid-analysis.com/samp...nvironmentId=1

    *** https://www.virustotal.com/en/file/4...is/1447930055/
    TCP connections
    182.93.220.146: https://www.virustotal.com/en/ip-add...6/information/
    191.234.4.50: https://www.virustotal.com/en/ip-add...0/information/

    4] https://www.hybrid-analysis.com/samp...nvironmentId=2
    ___

    Fake 'Google invoice' SPAM - malicious attachment
    - http://blog.dynamoo.com/2015/11/malw...nvoice-is.html
    19 Nov 2015 - "This -fake- invoice does not come from Google, but is instead a simple -forgery- with a malicious attachment:
    From: billing-noreply@ google .com
    Date: 19 November 2015 at 12:40
    Subject: Your Google invoice is ready
    Attached to this email, please find the following invoice:
    Invoice number: 1630884720
    Due date: 19-Nov-2015
    Billing ID: 34979743806
    Please follow instructions on the invoice for remitting payment. If you have questions, please contact collections-uk@ google .com.
    Yours Sincerely,
    The Google Billing Team
    Billing ID: 0349-7974-3806


    The attachment is named 1630884720.doc which comes in at least two versions (VirusTotal analysis [1] [2]) and which contains a malicious macro... Analysis of the documents is still pending (please check back), although the payload is almost definitely the Dridex banking trojan."
    1] https://www.virustotal.com/en/file/b...is/1447936837/

    2] https://www.virustotal.com/en/file/0...is/1447937222/

    - http://myonlinesecurity.co.uk/your-g...d-doc-malware/
    19 Nov 2015
    "19 November 2015: 1630884720.doc - Current Virus total detections 3/54*
    ... Downloads Dridex banking malware from bhoomiconsultants .com/8i65h4g53/o97i76u54.exe (VirusTotal 1/54**)..."
    * https://www.virustotal.com/en/file/b...is/1447942173/

    ** https://www.virustotal.com/en/file/5...is/1447944295/
    TCP connections
    182.93.220.146: https://www.virustotal.com/en/ip-add...6/information/
    8.254.218.142: https://www.virustotal.com/en/ip-add...2/information/
    ___

    Fake 'Invoice and VAT Receipt' SPAM - xls malware
    - http://myonlinesecurity.co.uk/invoic...sheet-malware/
    19 Nov 2015 - "An email with the subject of 'Invoice and VAT Receipt EDMUN11118_181859 [Account:EDMUN11118]' pretending to come from support@ postcodeanywhere .com with a malicious Excel XLS spreadsheet attachment is another one from the current bot runs...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...8-1024x559.png

    19 November 2015: EDMUN11118_181859.xls - Current Virus total detections 5/54*
    ... tries to download Dridex banking malware from http ://lapelsbadges .com/8i65h4g53/o97i76u54.exe which at the present time is not resolving for me. Usually there are several download locations all delivering the same dridex malware... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents appear to be blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
    > http://myonlinesecurity.co.uk/wp-con...1-1024x412.png
    ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/3...is/1447943292/

    - http://blog.dynamoo.com/2015/11/malw...t-receipt.html
    19 Nov 2015 - "... The attachment is EDMUN11118_181859.xls... download(s) a file... has a VirusTotal detection rate of 1/54* and that VirusTotal report indicates it phoning home to:
    182.93.220.146 (Ministry Of Education, Thailand)
    I strongly recommend that you -block- that IP address. The payload is the Dridex banking trojan..."
    * https://www.virustotal.com/en/file/5...is/1447949778/
    TCP connections
    182.93.220.146: https://www.virustotal.com/en/ip-add...6/information/
    8.254.218.142: https://www.virustotal.com/en/ip-add...2/information/
    ___

    Exploit kits... change tactics
    - https://isc.sans.edu/diary.html?storyid=20391
    Last Updated: 2015-11-19 - "... computers directed to an EK? It often happens through compromised websites. Threat actors compromise legitimate websites, and pages from these compromised servers have injected script that connects the user's computer to an EK server. This happens behind the scenes, and the user is unaware... Threat actors often use another server as a gate between the compromised website and the EK server. I often call it a "redirect" because it redirects traffic from a compromised website to the EK... The gate is most often another compromised website. Less often, the gate is a dedicated server established by the threat actor. At times, threat actors have used Pastebin or a URL shortener like goo.gl as the gate. In some cases, you might find a second or -third- gate before you get to the EK... All of this is transparent to the unsuspecting user. Fortunately, many security professionals study EK traffic. Specific trends are quickly identified, security professionals share the data, and automated detection is usually available within a day or two. Threat actors know this. Criminals occasionally change tactics in how they direct traffic from compromised websites to their EK servers. For example, earlier this week I noticed a change by an actor using Rig EK. On Monday 2015-11-16, this threat actor was using a distinct gate path. By Wednesday 2015-11-18, the gate patterns had distinctly changed... On Monday 2015-11-16, this actor was using two gates between the compromised website and Rig EK...
    > https://isc.sans.edu/diaryimages/ima...y-image-01.jpg
    On Wednesday 2015-11-18, the same actor had switched to a single gate. These single gates appeared to be hosted on -other- compromised websites...
    > https://isc.sans.edu/diaryimages/ima...y-image-02.jpg
    ... The first group of Rig EK intercept came from Monday 2015-11-16. The second group came from Wednesday 2015-11-18. Although I could not identify this actor, the traffic represents the -same- criminal group. I'm basing my assessment on the malware payload. Each payload exhibited the -same- behavior on both occasions... I saw Rig EK and the same post-infection traffic after viewing -more- compromised websites on Wednesday 2015-11-18. You'll find the compromised legitimate website, followed by a single gate. Rig EK was on 46.40.46.146 using the domains ftg .askgreatquestions .com, ghf .askmoregetmore .com -or- erf .closelikeapro .com. Post-infection traffic was seen on 62.76.42.21 using the domain alohajotracks .com, just like we saw before on Monday... I've seen a wide variety of paths from compromised websites to an EK server, so this isn't a comprehensive review on the topic. This is just one example. Don't get me started on -malvertizing- which is a much more complicated chain of events..."
    (More detail at the isc URL at the top.)

    46.40.46.146: https://www.virustotal.com/en/ip-add...6/information/

    62.76.42.21: https://www.virustotal.com/en/ip-add...1/information/

    Last edited by AplusWebMaster; 2015-11-19 at 18:24.
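    The three 19 Nov items above fetch one and the same path from rotating compromised hosts, and the dynamoo and ISC write-ups name the IPs worth blocking. The Python below is an added example, not code from the forum post or from the quoted blogs: it runs those indicators over constructed proxy log lines. The log layout, the 10.0.0.x clients and the 203.0.113.x destination addresses are this example's assumptions, and the rotating-path regex generalises from the two paths quoted in the posts.

```python
"""Hunt proxy logs for the Dridex delivery chain described above.

Added example, not from the forum post or the blogs it quotes. On 19 Nov
2015 three separate spam runs fetched the same path
'/8i65h4g53/o97i76u54.exe' from different compromised hosts, and the
payload called back to 182.93.220.146; the ISC diary's Rig EK and
callback IPs are added to the blocklist. Log lines and their layout
(time client method url dst_ip status) are constructed for this example.
"""
from __future__ import annotations
import re
from collections import defaultdict
from urllib.parse import urlsplit

CAMPAIGN_PATH = "/8i65h4g53/o97i76u54.exe"          # hosts rotate, path stays
BLOCKLIST_IPS = {"182.93.220.146", "46.40.46.146", "62.76.42.21"}
# Generalisation of the two paths seen in the posts (/f75f9juu/009u98j9.exe and
# the one above): a short random directory holding a short random .exe name.
ROTATING_PATH_RE = re.compile(r"^/[a-z0-9]{6,12}/[a-z0-9]{6,12}\.exe$")

SAMPLE_LOG = """\
2015-11-19T10:31:02 10.0.0.7 GET http://iwcleaner.co.uk/8i65h4g53/o97i76u54.exe 203.0.113.10 200
2015-11-19T10:31:09 10.0.0.7 POST http://182.93.220.146/ 182.93.220.146 200
2015-11-19T10:40:00 10.0.0.8 GET http://example.org/index.html 203.0.113.20 200
2015-11-19T11:02:41 10.0.0.9 GET http://compromised.test/q8k3j7h2w/zz91k2p0.exe 203.0.113.30 404
"""  # constructed lines; 203.0.113.x are documentation addresses, not real hosts

def parse_line(line: str) -> dict:
    ts, client, method, url, dst_ip, status = line.split()
    u = urlsplit(url)
    return {"ts": ts, "client": client, "method": method, "host": u.hostname,
            "path": u.path, "dst_ip": dst_ip, "status": int(status)}

def tag_event(ev: dict) -> list[str]:
    """Indicator matches for a single request."""
    tags = []
    if ev["path"] == CAMPAIGN_PATH:
        tags.append("known-campaign-path")
    elif ROTATING_PATH_RE.match(ev["path"]):
        tags.append("rotating-path-pattern")
    if ev["dst_ip"] in BLOCKLIST_IPS or ev["host"] in BLOCKLIST_IPS:
        tags.append("blocklisted-ip")
    return tags

def hunt(log_text: str) -> dict[str, list[str]]:
    """Tags per client. A completed (HTTP 200) fetch of a flagged .exe followed
    by traffic to a blocklisted IP from the same client is the doc-macro ->
    downloader -> callback sequence, so it is escalated to 'likely-infected'."""
    per_client: dict[str, list[str]] = defaultdict(list)
    fetched_exe = set()
    for line in log_text.strip().splitlines():
        ev = parse_line(line)
        tags = tag_event(ev)
        if tags and ev["path"].endswith(".exe") and ev["status"] == 200:
            fetched_exe.add(ev["client"])
        if "blocklisted-ip" in tags and ev["client"] in fetched_exe:
            tags.append("likely-infected")
        per_client[ev["client"]].extend(tags)
    return dict(per_client)

if __name__ == "__main__":
    for client, tags in hunt(SAMPLE_LOG).items():
        print(client, tags or ["clean"])
```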
