FYI...

Fake 'suspicious account activity' SPAM – doc malware
- http://myonlinesecurity.co.uk/important-notice-detecting-suspicious-account-activity-word-doc-malware/
28 July 2015 - "'Important Notice: Detecting suspicious account activity' pretending to come from 'Service Center' with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
Subject: Important Notice: Detecting suspicious account activity
Date: Mon, 27 Jul 2015 22:51:16 +0000 (GMT)
From: Service Center <redacted >
Detecting suspicious account activity
<https ://dl.dropboxusercontent .com/s/dr20sz06iuluwtv/Email%20activity.doc?dl=0>
The attachment contain steps to secured your account. If you are viewing
this email on a mobile phone or tablets, please save the document first
and then open it on your PC.
Click Here to download attachment.
<https ://dl.dropboxusercontent .com/s/dr20sz06iuluwtv/Email%20activity.doc?dl=0>
Thanks,
Account Service

If you are unwise enough to follow the links then you will end up with a word doc looking like:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/07/Detecting-suspicious-account-activity_doc.png
DO -NOT- follow their advice/instructions or suggestions to enable content, that will activate the malicious macro inside the document and download and automatically run a file named Account Details.exe which has an icon of an Excel spreadsheet to fool you into thinking it is innocent and infect you.
28 July 2015 : Email activity.doc Current Virus total detections: 21/55*
... Downloads https ://onedrive.live .com/download?resid=9AC15691E4E70C4D!123&authkey=!AL1jJDlqNUg-vAM&ithint=file%2cexe (VirusTotal**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/a5246537429fe24bc1632abb48268543096ae5f8ff0ad451f17cc9199da69161/analysis/1438037595/

** https://www.virustotal.com/en/file/f0a4022497008ac11211a527b6b08eb5712cfe482157d44ba7ac74d505fc5c1c/analysis/1438062482/
___

Fake 'Please Find Attached' SPAM – doc malware
- http://myonlinesecurity.co.uk/please-find-attached-report-form-london-heart-centre-word-doc-malware/
28 July 2015 - "'Please Find Attached – Report form London Heart Centre' pretending to come from lhc.reception@ heart. org.uk with a malicious word doc attachment is another one from the current bot runs...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/07/Please-Find-Attached-Report-form-London-Heart-Centre.png

28 July 2015: calaidzis, hermione.docm - Current Virus total detections: 9/55*
... Downloads what looks like Dridex banking malware from http ://chloedesign .fr/345/wrw.exe (VirusTotal**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/1d0131590382a18819c4f3b06017696707298275a4a725beaea8b7a25afbef56/analysis/1438067899/

** https://www.virustotal.com/en/file/99dbad3d1d100e36424f87d19837a83c3df2444810ccf53a7e7b44e2861b83c9/analysis/1438068193/
... Behavioural information
TCP connections
93.171.132.5: https://www.virustotal.com/en/ip-address/93.171.132.5/information/
2.18.213.25: https://www.virustotal.com/en/ip-address/2.18.213.25/information/

chloedesign .fr: 85.236.156.24: https://www.virustotal.com/en/ip-address/85.236.156.24/information/
___

Fake 'Air France' SPAM – doc/xls malware
- http://myonlinesecurity.co.uk/your-air-france-boarding-documents-on-10jul-word-doc-or-excel-xls-spreadsheet-malware/
28 June 2015 - "'Your Air France boarding documents on 10Jul pretending to come from Air France <cartedembarquement@ airfrance .fr> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/07/Your-Air-France-boarding-documents-on-10Jul.png

28 July 2015: Boarding-documents.docm - Current Virus total detections: 9/55*
... which downloads Dridex banking malware from http ://laperleblanche .fr/345/wrw.exe which is the -same- malware as in today’s earlier malspam run using malicious word docs with macros**... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/b87c9d1ec244c28fa410ae3c64ab6ca7f191b8a7546ad7ec8e460e857153f167/analysis/1438071620/

** http://myonlinesecurity.co.uk/please-find-attached-report-form-london-heart-centre-word-doc-malware/

laperleblanche .fr: 94.23.1.145: https://www.virustotal.com/en/ip-address/94.23.1.145/information/

- http://blog.dynamoo.com/2015/07/malware-spam-your-air-france-boarding.html
28 June 2015 - "... -same- exact payload as this earlier attack* today..."
* http://blog.dynamoo.com/2015/07/malware-spam-please-find-attached.html
"... phones home to:
93.171.132.5 (PE Kartashev Anton Evgen'evich, Ukraine)
I recommend that you -block- that IP. The malware is the Dridex banking trojan..."
___

Fake 'Invoice notice' SPAM - doc malware
- http://myonlinesecurity.co.uk/invoice-delivery-invoice-notice-receipt-alert-dhl-notice-ups-notification-invoice-information-word-doc-malware/
28 July 2015 - "A series of emails with subjects of: 'Invoice delivery / Invoice notice / Receipt alert / DHL notice / UPS notification / Invoice information' and numerous -other- similar subjects with a malicious word doc attachment is another one from the current bot runs... The email looks like:
You had got the bill !
Delivered at: Tue, 28 Jul 2015 16:15:36 +0500.
Number of sheets: 0.
Mailer ID: 3.
Delivery number: 843.
Kindly be advised that attached is photo-copy of the 1st page alone.
We are going to mail the originals to You at the address indicated already.
-Or-
You have received the bill !
Received at: Tue, 28 Jul 2015 11:43:15 +0000.
Amount of sheets: 9.
Addresser ID: 79187913.
Delivery order: 6199843296.
Kindly be advised that attached is scan-copy of the 1st page alone.
We are going to dispatch the originals to You at the location mentioned earlier.

And multiple similar content. If you are unwise enough to open the attachment then you will end up with a word doc looking like this:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/07/Invoice_number_6199843296.png
DO -NOT- follow their advice/instructions or suggestions to enable content, that will activate the malicious macro inside the document and download and automatically run a file named word.exe which has an icon designed to fool you into thinking it is innocent and infect you. These emails have attachments with names like Invoice_number_6199843296.doc / Order_No._843.doc / Bill_No._95.doc and -multiple- variations of the names and numbers.
28 July 2015 : Invoice_number_6199843296.doc - Current Virus total detections:7/56*
... goes through a convoluted download procedure giving you http ://bvautumncolorrun .com/wp-content/themes/minamaze/lib/extentions/prettyPhoto/images/78672738612836.txt which is a base 64 encoded file that transforms into a password stealer. It also goes to http ://iberianfurniturerental .com/wp-content/plugins/nextgen-gallery/admin/js/Jcrop/css/fafa.txt which automatically downloads http ://umontreal-ca .com/word/word.exe (VirusTotal**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/66fef93c2746a3c9ec84cdb76175ef555cfa6495b2c14037f7b18f36e6497575/analysis/1438080189/

** https://www.virustotal.com/en/file/419af0d5a4136749b2be17933355c17ffd568fb07f30a9d19e07144a91b57cea/analysis/1438081346/

bvautumncolorrun .com: 184.168.166.1: https://www.virustotal.com/en/ip-address/184.168.166.1/information/

iberianfurniturerental .com: 173.201.169.1: https://www.virustotal.com/en/ip-address/173.201.169.1/information/

umontreal-ca .com: 89.144.10.200: https://www.virustotal.com/en/ip-address/89.144.10.200/information/
___

Fake 'Voice Message' SPAM – wav malware
- http://myonlinesecurity.co.uk/voice-message-attached-from-08439801260-fake-wav-malware/
28 July 2015 - "'Voice Message Attached from 08439801260' pretending to come from voicemessage@ yourvm .co.uk with a wav (sound file) attachment is another one from the current bot runs... The email looks like:

Time: Jul 28, 2015 3:08:34 PM
Click attachment to listen to Voice Message

28 July 2015: 08439801260_20150725_150834.wav - Current Virus total detections: 2/55*
... Which downloads Dridex banking malware from laurance-primeurs .fr/345/wrw.exe
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/57eea82456dc75a5fc5528d18e235fd3d652703a2bf96585560b025f584bad9b/analysis/1438082138/

laurance-primeurs .fr: 94.23.1.145: https://www.virustotal.com/en/ip-address/94.23.1.145/information/
___

Fake 'Incoming Fax' SPAM - malware
- http://blog.dynamoo.com/2015/07/malware-spam-incoming-fax-internal-only.html
28 July 2015 - "This -fake- fax message leads to malware:
From: Incoming Fax [Incoming.Fax@ victimdomain]
Date: 18 September 2014 at 08:39
Subject: Internal ONLY
**********Important - Internal ONLY**********
File Validity: 28/07/2015
Company : http ://victimdomain
File Format: Microsoft word
Legal Copyright: Microsoft
Original Filename: (#2023171)Renewal Invite Letter sp.doc
********** Confidentiality Notice ********** ...
(#2023171)Renewal Invite Letter sp.exe

Attached is a Word document with a malicious macro. The Hybrid Analysis report shows it downloading components from several locations, but doesn't quite catch the malicious binary being downloaded from:
http ://umontreal-ca .com/word/word.exe ... This has a VirusTotal detection rate of 2/55*.
umontreal-ca .com (89.144.10.200 / ISP4P, Germany) is a -known- bad domain. Other analysis is pending, however the payload is likely to be the Dyre banking trojan.
UPDATE: This Hybrid Analysis report shows traffic to the following IPs:
67.222.202.183 (Huntel.net, US)
195.154.163.4 (Online SAS, France)
192.99.35.126 (OVH, Canada)
95.211.189.208 (Leaseweb, Netherlands)
Recommended blocklist:
89.144.10.200
67.222.202.183
195.154.163.4
192.99.35.126
95.211.189.208 "
* https://www.virustotal.com/en/file/419af0d5a4136749b2be17933355c17ffd568fb07f30a9d19e07144a91b57cea/analysis/1438087963/
___

Fake 'cash prizes for shopping' SPAM – PDF malware
- http://myonlinesecurity.co.uk/get-cash-prizes-for-shopping-fake-pdf-malware/
28 July 2015 - "Another set of emails with subjects including 'Get cash prizes for shopping' and 'Get cash payments for purchasing' with a zip attachment is another one from the current bot runs... The email looks like:
Love purchasing? We have something special for you!
Do you want to get cash compensations on buys you make in your favorite stores? Just get our debit card to make your purchases, and then you will commence enhancing the rewards. Bear in mind only one rule – the more you use it – the more you receive. So kindly check out the applied info to learn how this offer proceeds and how to open your bank account.
It was never so pure, fast and so close to your dreams. Don’t lose your time. Join us, keep to us and shopping will give!
-Or-
Being fond of shopping? We propose something special for you!
Do you want to get cash rewards on purchases you make in your favorite shops? Just use our debit card to make your purchases, and then you will start increasing the remunerations. Bear in mind one rule – the more you use it – the more you get. So please read the enclosed documentations to see how it operates and how to open your account.
It was never so elementary, fast and so close to your dreams. Don’t lose your chance. Join us, stick to us and shopping will pay!

And numerous other similar computer generated text...
28 July 2015: bank_offering_and_card_information.zip: Extracts to: special_offering_and_card_details.scr
Current Virus total detections: 2/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/813aa75ac878b2da882944be368341acdc144bcb365f8820803d1fd9fbdc11dc/analysis/1438090452/
... Behavioural information
TCP connections
216.146.43.70: https://www.virustotal.com/en/ip-address/216.146.43.70/information/
93.185.4.90: https://www.virustotal.com/en/ip-address/93.185.4.90/information/
24.33.131.116: https://www.virustotal.com/en/ip-address/24.33.131.116/information/
95.100.255.176: https://www.virustotal.com/en/ip-address/95.100.255.176/information/
___

Russian Underground - Revamped
- http://blog.trendmicro.com/trendlabs-security-intelligence/the-russian-underground-revamped/
July 28, 2015 - "When big breaches happen and hundreds of millions of credit card numbers and SSNs get stolen, they resurface in other places. The underground now offers a vast landscape of shops, where criminals can buy credit cards and other things at irresistible prices. News and media coverage on significant breaches are increasingly shaping up to becoming an everyday occurrence. 2014 became the “year of the POS breach” for the retailers like Neiman Marcus, Staples, Kmart, and Home Depot. The first part of 2015 has also seen some major breaches within the consumer industry (Chick-fil-A, RyanAir) but also with health insurers (Anthem, Premera). A simple shopping trip to the grocery store (Albertsons or Supervalu) or to Home Depot can prove fatal—paying with debit/credit card has its inherent risks. But what happens with the compromised data and personal information?... right after a significant data breach, the underground experiences an influx of new cards. These stolen credentials surface in places, where they get categorized within databases and sold in a very orderly fashion in underground “marketplaces.” Marketplaces in many ways are what forums used to be: a place of trade, but marketplaces now allow for standardized sales of products and services at a set price that can be bought with a few easy clicks similar to online-shopping. These places often have a professional-looking, user-friendly graphical interface, where the buyer can easily filter the available cards by very specific criteria such as ZIPcode, city, address of the card owner, type of card, etc... several credit cards that can be linked to big, well-known corporations by looking at the (valid) information offered about the card owner, his (corporate) address, zip code, and card number and validity date. What this tells us is that the clever cybercriminal, wanting to operate in a time-efficient manner and maximize his earnings, will make the best use of these new search/filter options offered by marketplaces. He will narrow his search to the big corporations, keep a database with addresses and locations and regularly filter the best marketplaces for the most recent outpour of -fresh- credit card leaks... Many corporations allow their employees to use credit cards for business travels but in the event of a card being stolen, the corporation is affected directly. The benefit these cards render for criminal purposes is obvious: if a corporate card has a transaction limit of, say, US$ 2,000, it can be a gold mine for cybercriminals. Due to hundreds of transactions that are processed, it’s difficult for the corporate card owner to detect and trace back any suspicious movement..."
> https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/russian-underground-automized-infrastructure-services-sophisticated-tools
July 28, 2015

:fear::fear: :mad:

FYI...

Fake 'New mobile banking app' SPAM – PDF malware
- http://myonlinesecurity.co.uk/new-mobile-banking-application-fake-pdf-malware/
29 July 2015 - "Today’s set of Upatre downloaders come with an email subject of 'New mobile banking application / The latest mobile banking application / Renewed mobile banking app' with a zip attachment is another one from the current bot runs... The email looks like:
Dear patron!
We would like to introduce you new mobile banking app for our bank patrons. Our mobile banking options help you to enter your bank account safely anywhere you want. A quick and easy registration is all you need to start using mobile banking options. With mobile banking, you can realize most of all financial operations. Our application is simple to use and highly safe.
To learn more about application features and work, please view the enclosed info. Download link is also included.
-Or-
Dear client!
We would like to introduce you new mobile banking app for our bank customers. Our mobile banking services help you to access your bank account securely anywhere you want. A quick and easy registration is all you need to start using mobile banking options. With mobile banking, you can realize most of all financial procedures. Our application is toiless to use and extremely safe.
To know more about application details and work, please see the attached information. Download link is also inside.
-Or-
Dear patron!
We are glad to present you new mobile banking app for our bank patrons. Our mobile banking accommodations help you to enter your bank account safely any place you want. A quick and simple registration is all you need to begin using mobile banking options. With mobile banking, you can realize most of all bank operations. Our app is toiless to use and very safe.
To know more about application details and functioning, kindly view the affixed document. Download link is also inside.

And numerous very similar computer generated versions of the above.
29 July 2015: id697062389app_features.doc.zip: Extracts to: app_brochure.exe
Current Virus total detections: 0/55*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/ea3beef62c94916aef84962ddca1ef01c12783869875cec0498ef4cc27744baa/analysis/1438168067/
... Behavioural information
TCP connections
216.146.38.70: https://www.virustotal.com/en/ip-address/216.146.38.70/information/
93.185.4.90: https://www.virustotal.com/en/ip-address/93.185.4.90/information/
176.36.251.208: https://www.virustotal.com/en/ip-address/176.36.251.208/information/
95.101.72.123: https://www.virustotal.com/en/ip-address/95.101.72.123/information/
___

Fake 'Get our deposit card' SPAM – PDF malware
- http://myonlinesecurity.co.uk/get-our-deposit-card-and-receive-067-fake-pdf-malware/
29 July 2015 - "The latest upatre downloader to hit the presses is an email with a subject of 'Get our deposit card and receive 067' (varying amounts) pretending to come from jesse_rice with a zip attachment is another one from the current bot runs... The email looks like:
Deposit card containing many profitable features is new extraordinary proposal of ours.
One of the great items that will actually intrigue you is the 98 money back pize. When you outlay 300 USD or more within 3,2,5,4,6 months buying by this card, you will earn a 23 award. There is also 5% cash back award function that give you opportunity to take 5% cash back on up to 1500 USD during each three month quarter. It’s not a disposable prize. You will turn on your feature every 3 month quarter without any extra fees! There are a lot of other bonuses that you will have. You can browse them in the applied to learn more about it and find all details. Feel free to to ask if you have any questions.
We sincerely look forward to your response

29 July 2015: 220317964deposit_card_features_details.zip: Extracts to: card_features_details.exe
Current Virus total detections: 0/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/1d362c19a4be98d26405f785d86e196b73d474134fd9f3237f18ae2f48d0ad8e/analysis/1438176115/
... Behavioural information
TCP connections
104.238.141.75: https://www.virustotal.com/en/ip-address/104.238.141.75/information/
93.185.4.90: https://www.virustotal.com/en/ip-address/93.185.4.90/information/
69.144.171.44: https://www.virustotal.com/en/ip-address/69.144.171.44/information/
2.20.143.37: https://www.virustotal.com/en/ip-address/2.20.143.37/information/
___

USA TODAY Fantasy Sports... serves Malware
- https://blog.malwarebytes.org/exploits-2/2015/07/usa-today-fantasy-sports-discussion-forum-serves-malware/
July 28, 2015 - "... We routinely detect infections coming from forums during our daily crawl of potentially malicious URLs. One of the reasons for this comes from the underlying infrastructure that powers those sites. Indeed, server side pieces of software such as Apache or vBulletin are often abused by cyber criminals who can easily exploit security holes especially if these applications are not kept up to date. Case in point, the Fantasy Sports discussion forum part of USA TODAY Sports Digital Properties was recently redirecting members towards scam sites and even an exploit kit that served malware. The forum statistics show a total of 117,470 threads, 3,348,218 posts and 18,447 members.
> https://blog.malwarebytes.org/wp-content/uploads/2015/07/graph.png
... domain is involved in multiple nefarious activities via -malvertising- such as -fake- Flash Player applications, tech support scams or exploit kits. In some cases, all of the above combined...
> https://blog.malwarebytes.org/wp-content/uploads/2015/07/scampage.png
Nuclear exploit kit: Probably the worst case scenario is to be -redirected- to an exploit kit page and have your computer infected.
> https://blog.malwarebytes.org/wp-content/uploads/2015/07/Fiddler21.png
In this particular instance, we were served the Nuclear EK, although given the URL pattern it would have been very easy to call this one Angler EK. This change was noted by security researcher @kafeine* about a week ago...
* https://twitter.com/kafeine/status/623564043345858562
Had the exploit been successful, a piece of malware known as Glupteba (VT link**) would have been dropped and executed. Compromised machines are enrolled into a large botnet that can perform many different malicious tasks... We have notified USA Today about this security incident..."
** https://www.virustotal.com/en/file/7b9f9656e3b43e3d49e67c0a6b6685fe488398bc12d2332f6bc39dcd8c1f89d2/analysis/1437954473/
... Behavioural information
TCP connections
195.22.103.43: https://www.virustotal.com/en/ip-address/195.22.103.43/information/

:fear::fear: :mad:

FYI...

Fake 'settlement failure' SPAM – PDF malware
- http://myonlinesecurity.co.uk/calculated-response-settlement-failure-fake-pdf-malware/
30 July 2015 - "Today’s first set of Upatre downloaders come with email subjects that include 'Calculated response settlement failure / Estimated response settlement failure / Estimated response payment default / Calculated invoice payment default' with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/07/Calculated-response-settlement-failure.png

30 July 2015: official_document_copies_id942603754.pdf.zip: Extracts to: public_order_copies.exe
Current Virus total detections: 0/56*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/94616a968c2f3fb4317f6c711823e55d72b2adb863c8378a3742eac96a48e9ad/analysis/1438249041/
___

Fake 'ADP Payroll' SPAM – PDF malware
- http://myonlinesecurity.co.uk/invoice-random-numbers-adp-payroll-services-fake-pdf-malware/
30 July 2015 - "'Invoice #[random numbers]' pretending to come from ADP – Payroll Services <payroll.invoices@ adp .com> with a zip attachment is another one from the current bot runs... The email looks like:
Attached are the latest statements received from your bank.
Please print this label and fill in the requested information. Once you have filled out
all the information on the form please send it to payroll.invoices@adp.com.
For more details please see the attached file.
Please do not reply to this e-mail, it is an unmonitored mailbox!
Thank you ,
Automatic Data Processing, Inc.
1 ADP Boulevard
Roseland
NJ 07068
© Automatic Data Processing, Inc. (ADP®) . All rights reserved...

30 July 2015: ADP_Invoice _0700613.zip : Extracts to: ADP_Invoice.scr
Current Virus total detections: 2/56*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/e11575f7d8abee81f345f6a754d0d42b2bf42f6b05b3a9c64b531830b4268d24/analysis/1438267744/
... Behavioural information
TCP connections
104.238.136.31: https://www.virustotal.com/en/ip-address/104.238.136.31/information/
93.185.4.90: https://www.virustotal.com/en/ip-address/93.185.4.90/information/
178.222.250.35: https://www.virustotal.com/en/ip-address/178.222.250.35/information/
2.18.213.56: https://www.virustotal.com/en/ip-address/2.18.213.56/information/
___

Fake 'check returned' SPAM – PDF malware
- http://myonlinesecurity.co.uk/your-cheque-has-been-returned-jobs-asia-fake-pdf-malware/
30 July 2015 - "'Your cheque has been returned' pretending to come from jobs-asia with a zip attachment is another one from the current bot runs... The email looks like:
I enclose a check that has been returned unpaid for occasions shown there.
We have written off you with the sum.
If you have any questions, kindly write to us. We’ll endeavor to help you.
Faithfully,
Lloyd Bailey
Service department

30 July 2015: cheque_and_description_i4Aev0CF.zip: Extracts to: cheque_and_explanation.exe
Current Virus total detections: 0/56*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/c6f3221a7ff2c76991f3df67530dd2bbf30599df5dfa6e7ef6565658d3d5562c/analysis/1438267061/
... Behavioural information
TCP connections
104.238.141.75: https://www.virustotal.com/en/ip-address/104.238.141.75/information/
93.185.4.90: https://www.virustotal.com/en/ip-address/93.185.4.90/information/
67.221.195.6: https://www.virustotal.com/en/ip-address/67.221.195.6/information/
2.18.213.24: https://www.virustotal.com/en/ip-address/2.18.213.24/information/
___

Fake 'Income tax settlement failure' SPAM – PDF malware
- http://myonlinesecurity.co.uk/income-tax-settlement-failure-sent-id-fake-pdf-malware/
29 July 2015 - "'Income tax settlement failure sent id: [number]' with a zip attachment is another one from the current bot runs... The email looks like:
In accordance with taxing authority information You have defaulted a term to settle the estimated tax sums.
Kindly see attached the official order from the revenue service.
Furthermore please be noted of the fact that additory penalties would be applied unless the debt amounts are not remitted within four working days.
Regard this reminder as highly important.
Rebecca Crouch Tax Department

29 July 2015: public_order_scan713432229.zip: Extracts to: official_order_copies.exe
Current Virus total detections: 3/56*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/5ef779a0b20504629fd9f62f931ee2c526258cfb16a814b7e80c708546a62360/analysis/1438208026/
... Behavioural information
TCP connections
104.238.136.31: https://www.virustotal.com/en/ip-address/104.238.136.31/information/
93.185.4.90: https://www.virustotal.com/en/ip-address/93.185.4.90/information/
87.249.142.189: https://www.virustotal.com/en/ip-address/87.249.142.189/information/
88.221.14.145: https://www.virustotal.com/en/ip-address/88.221.14.145/information/

:fear::fear: :mad:

FYI..

Fake 'Chess Bill' SPAM – doc malware
- http://myonlinesecurity.co.uk/your-latest-chess-bill-is-ready-word-doc-malware/
31 July 2015 - "'Your latest Chess Bill Is Ready' pretending to come from CustomerServices@ chesstelecom .com with a malicious word doc attachment is another one from the current bot runs... The email looks like:
Your bill summary
Account number: 24583
Invoice Number: 2398485
Bill date: July 2015
Amount: £17.50
How can I view my bills?
Your Chess bill is ready and waiting for you online. To check out your detailed bill, previous bills and any charges you’ve incurred since your last bill, just sign into My Account www .chesstelecom .com/myaccount ...

31 July 2015 : 2015-07-Bill.docm - Current Virus total detections: 5/56*
Downloads Dridex banking malware from:
http ://laboaudio .com/4tf33w/w4t453.exe
http ://chateau-des-iles .com/4tf33w/w4t453.exe
http ://immobilier-ctoovu .com/4tf33w/w4t453.exe
http ://delthom .eu.com/4tf33w/w4t453.exe
http ://ctoovu .com/4tf33w/w4t453.exe
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/b5ee8925742637a8484f6e1cb08a1c989cb4a8f9e66a8179c929dd789c07c06d/analysis/1438334839/

laboaudio .com: 94.23.55.169: https://www.virustotal.com/en/ip-address/94.23.55.169/information/
chateau-des-iles .com: 94.23.1.145: https://www.virustotal.com/en/ip-address/94.23.1.145/information/
immobilier-ctoovu .com: 94.23.55.169
delthom .eu.com: 94.23.1.145
ctoovu .com: 94.23.55.169
___

Apple Care – phish
- http://myonlinesecurity.co.uk/apple-care-phishing/
31 July 2015 - "'Apple Care' pretending to come from Apple <secure@ appletechnicalteam .com> is one of the latest phish attempts to steal your Apple Account and your Bank, credit card and personal details...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/07/Apple-Care.png

... The actual site this sends you to is http ://applesurveillance .com/account/?email=a@a.a which can very easily be mistaken for a genuine Apple site. To make it even worse, the phishers have gone to the effort of setting up the domain properly and are using an email address to send from “Apple <secure@ appletechnicalteam .com> ” which has the correct domainkeys and SPF records so it doesn’t look like spam and will be allowed past most spam filters. They have also set up the applesurveillance .com site so that it appears to a security researcher or investigator that the account has been suspended by the hosting provider, when it actually is -live- when you put any email address into the url:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/01/verify_apple_ID.png
When you fill in your user name and password you get a page looking very similar to this one ( split into sections), where the phishers try to validate your details to make sure that you are entering “genuine ” information. They make sure that the bank account numbers have the correct number of digits and that the credit card numbers have the correct number of digits and format:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/01/verify_apple_ID_2.png
...
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/01/verify_apple_ID_3.png
All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email..."

:fear::fear: :mad:

FYI...

Countrywide Money Ltd SPAM
- http://blog.dynamoo.com/2015/08/spam-countrywide-money-ltd.html
1 Aug 2015 - "You know things must be desperate when a business turns to spam. Here's a dubious-looking spam that seems to be presenting itself in a way that looks like a get-rich-quick scheme:
From: Countrywide Money [info@ countrywidemoney .co.uk]
Reply-To: Info@ countrywidemoney .co.uk
Date: 1 August 2015 at 05:11
Subject: Extra Income FOR YOU!...
... to Unsubscribe Click Here!
Screenshot: https://1.bp.blogspot.com/-kPwPMrWfdWY/VbyME_KHarI/AAAAAAAAG1s/vylJGTUiyQk/s1600/countrywide.jpg

... the Unsubscibe link doesn't work. Tsk tsk. Now, I'm sure this is a legitimate business offer and not some sort of scam. But all those banknotes and the general pitch seems to suit an operation in Lagos rather than one in the UK... A non-trading individual? Let's look at that web site for a moment:
> https://1.bp.blogspot.com/-nlwptGhT5Bc/VbyOIG-tggI/AAAAAAAAG14/OBaj-o-Sk3w/s1600/countrywide2.jpg

Well, it doesn't look like a personal homepage to me... It turns out that the sole director is one "Tony Edwards"... A little bit more digging at DueDil* shows some equally disappointing looking financials... I'm not sure why this person feels that promoting their business through -spam- is appropriate. I certainly won't be signing up to this scheme."
* https://www.duedil.com/company/08095603/countrywide-money-limited
___

Your Files Are Encrypted with a 'Windows 10 Upgrade'
- http://blogs.cisco.com/security/talos/ctb-locker-win10
July 31, 2015 - 'Update 8/1: To see a video of this -threat- in action click here:
> http://cs.co/ctb-locker-video
Adversaries are always trying to take advantage of current events to lure users into executing their malicious payload. These campaigns are usually focussed around social events and are seen on a constant basis. Today, Talos discovered a -spam- campaign that was taking advantage of a different type of current event. Microsoft released Windows 10 earlier this week (July 29) and it will be available as a free upgrade to users who are currently using Windows 7 or Windows 8. This threat actor is impersonating Microsoft in an attempt to exploit their user base for monetary gain. The fact that users have to virtually wait in line to receive this update, makes them even more likely to fall victim to this campaign:
> https://blogs.cisco.com/wp-content/uploads/win10_blacked_out.png
Email Message: The email message above is a sample of the type of messages that users are being presented with. There are a couple of key indicators in the message worth calling out.
First, the from address, the adversaries are spoofing the email to look like it is coming directly from Microsoft (update<at>microsoft.com). This is a simple step that tries to get users to read further:
> https://blogs.cisco.com/wp-content/uploads/win10_header.png
However, a quick look at the email header reveals that the message actually originated from IP address space allocated to Thailand. Second, the attackers are using a similar color scheme to the one used by Microsoft. Third, there are a couple of red flags associated with the text of the email. As you can see below, there are several characters that don’t parse properly. This could be due to the targeted audience, a demographic using a non-standard character set, or the character set the adversaries were using to craft the email:
> https://blogs.cisco.com/wp-content/uploads/Character_errors.png
... Payload: Once a user moves past the email, downloads the zip file, extracts it, and runs the executable, they are greeted with a message similar to the following:
>> https://blogs.cisco.com/wp-content/uploads/CTB-Locker.png
The payload is CTB-Locker, a ransomware variant. Currently, Talos is detecting the ransomware being delivered to users at a high rate. Whether it is via spam messages or exploit kits, adversaries are dropping a huge amount of different variants of ransomware. The functionality is standard however, using asymmetric encryption that allows the adversaries to encrypt the user’s files without having the decryption key reside on the infected system. Also, by utilizing Tor and Bitcoin they are able to remain anonymous and quickly profit from their malware campaigns with minimal risk...
Conclusion: The threat of ransomware will continue to grow until adversaries find a more effective method of monetizing the machines they compromise. As a defense, users are encouraged to backup their data in accordance with best practices. These backups should be stored offline to prevent them from being targeted by attackers. Adversaries are always looking to leverage current events to get users to install their malicious payloads. This is another example, which highlights the fact that technology upgrades can also be used for malicious purposes..."

:fear::fear: :mad:

FYI...

Bogus Win10 'activators'
- http://net-security.org/malware_news.php?id=3082
03.08.2015 - "... bogus Windows 10 "activators".
* http://www.net-security.org/secworld.php?id=17960

> https://blog.malwarebytes.org/online-security/2015/02/windows-10-activation-programs-pups-and-surveys/
___

Fake 'E-bill' SPAM – doc malware
- http://myonlinesecurity.co.uk/e-bill-6200228913-31-07-2015-0018-word-doc-malware/
3 Aug 2015 - "'E-bill : 6200228913 – 31.07.2015 – 0018' pretending to come from noreply.UK.ebiller@ lyrecobusinessmail .com with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
Dear customer,
Please find enclosed your new Lyreco invoicing document nA^ 6200228913 for a total amount of 43.20 GBP, and due on 31.08.2015
We would like to remind you that all of your invoices are archived electronically free of charge and can be reviewed by you at any time.
For any questions or queries regarding your invoices, please contact Customer Service on Tel : 0845 7676999*.
Your Lyreco Customer Service
*** Please do not reply to the sender of this email...

3 August 2015: 0018_6200228913.docm - Current Virus total detections: 5/55*
Downloads Dridex banking malware from http ://immobilier-roissyenbrie .com/w45r3/8l6mk.exe or http ://scootpassion .com/w45r3/8l6mk.exe (VirusTotal**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/a9f6427bda1f519341d52b3e02372c2bc2d5d1487fd01b7d831306888bdf98c5/analysis/1438596426/

** https://www.virustotal.com/en/file/b3d9e8cd0f2cebf4920a84156104f6c61748ae897d2fc138a971f25733a75ca6/analysis/1438596617/

immobilier-roissyenbrie .com: 94.23.55.169: https://www.virustotal.com/en/ip-address/94.23.55.169/information/

scootpassion .com: 37.0.72.24: https://www.virustotal.com/en/ip-address/37.0.72.24/information/

- http://blog.dynamoo.com/2015/08/malware-spam-e-bill-6200228913-31072015.html
3 Aug 2015
"... Recommended blocklist:
46.36.219.141
94.23.55.169 "
___

DHL DELIVERY - phish ...
- http://myonlinesecurity.co.uk/dhl-delivery-details-_-phishing/
3 Aug 2015 - "'DHL DELIVERY DETAILS' pretending to come from noreply@ dhl .com is one of the latest attempts to steal your email account details...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/DHL_phish_email.png

... click-the-link (DON'T) in the email you will be sent to http ://cherysweete1843 .org/DHL%20_%20Tracking/DHL%20_%20Tracking.htm (or whichever other site the phishers have set up to steal your information). The site looks like:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/dhl_phish.png
... entering an email address and password, just gives you a download of the image that was originally in the email. It just looks like the phishers are trying to get email account details and hoping that an unwary user will be unwise enough to give them the password for their email account so it can be used for sending more spam. Of course there will be a few users who genuinely have DHL accounts and the log in details might be enough to compromise the account and use the account to send stolen or illegal items through the DHL network with minimum risk to the criminals. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email..."

cherysweete1843 .org: 178.217.186.27: https://www.virustotal.com/en/ip-address/178.217.186.27/information/
___

First Firmware Worm That Attacks Macs
- http://www.wired.com/2015/08/researchers-create-first-firmware-worm-attacks-macs/
8.03.15 - "... when it comes to firmware, people have assumed that Apple systems are locked down in ways that PCs aren’t. It turns out this isn’t true. Two researchers have found that several known vulnerabilities affecting the firmware of all the top PC makers can also hit the firmware of MACs. What’s more, the researchers have designed a proof-of-concept worm for the first time that would allow a firmware attack to spread automatically from MacBook to MacBook, without the need for them to be networked... The only way to eliminate malware embedded in a computer’s main firmware would be to re-flash the chip that contains the firmware... findings on August 6 at the Black Hat security conference in Las Vegas. A computer’s core firmware — also referred to at times as the BIOS, UEFI or EFI—is the software that boots a computer and launches its operating system. It can be infected with malware because most hardware makers don’t cryptographically sign the firmware embedded in their systems, or their firmware updates, and don’t include any authentication functions that would prevent any but legitimate signed firmware from being installed... it operates at a level below the level where antivirus and other security products operate and therefore does not generally get scanned by these products, leaving malware that infects the firmware unmolested. There’s also no easy way for users to manually examine the firmware themselves to determine if it’s been altered... malware infecting the firmware can maintain a persistent hold on a system throughout attempts to disinfect the computer. If a victim, thinking his or her computer is infected, wipes the computer’s operating system and reinstalls it to eliminate malicious code, the malicious firmware code will remain intact..."
___

Fake Android Virus Alert(s)...
- https://blog.malwarebytes.org/online-security/2015/08/fake-android-virus-alert-blames-chinese-hackers/
Aug 3, 2015 - "... messages of impending doom on a mobile device are always more worrying than on a desktop, because many device owners may not be locking down their phones the way they do their PCs. It’s even worse if on a mobile data package, because nobody wants to end up on premium rate services or websites and contend with spurious charges. Once the popups and redirects take hold, it’s sometimes hard to keep your composure and get a handle on multiple tiny screens doing weird things. In the above case, there’s no infection to worry about so no need to panic. Advert redirects to unwanted locations are always a pain – especially if younger members of your family happen to be on the phone at the time the -redirects- happen – but you’ve generally got to work at it to infect a mobile device with something bad. Keeping the “Allow installs from unknown sources” checkbox -unticked- and the “Very Apps” checkbox -ticked- won’t make your phone bulletproof, but it will go a long way towards keeping you secure."
___

Fake 'pictures' SPAM - JS malware
- http://myonlinesecurity.co.uk/my-relaxation-js-malware/
2 Aug 2015 - "'my relaxation' pretending to come from Facebook <update+pw_k1-d2r1@ facebookmail .com> with a zip attachment is another one from the current bot runs... The email looks like:

Here are some pictures!!
See you later! I love you.

2 August 2015: File_7866.zip: Extracts to: File_7866.js - Current Virus total detections: 10/56*
Downloads Adobe_update-86R8IJHUY0CCI.exe from http ://kheybarco .com and also downloads a genuine PDF file which is a German language hotel invoice from HRS group (this is an updated version of this Malspam run** from last week)...
** http://myonlinesecurity.co.uk/document-hrs-group-js-malware/
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/5343e207eaac0600fbfe490b9edd252e6a33b37e5387079b66d71297a5a04de1/analysis/1438493868/

kheybarco .com: 176.9.8.205: https://www.virustotal.com/en/ip-address/176.9.8.205/information/

:fear::fear: :mad:

FYI...

Fake 'Invoice' SPAM - doc malware
- http://myonlinesecurity.co.uk/invoice-hh-114954-hps-plumbing-word-doc-malware/
4 Aug 2015 - "'INVOICE HH / 114954' pretending to come from haywardsheath@ hpsmerchant .co.uk with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
Please find attached INVOICE HH / 114954
Automated mail message produced by DbMail.
Registered to Heating & Plumbing Supplies, License MBS2009358.

4 August 2015: R-20787.doc - Current Virus total detections: 5/56*
... downloads Dridex banking malware from http ://ilcasalepica .it/45g33/34t2d3.exe (VirusTotal**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/1a074f920de27b663980a79a245f3379a96262d4f4bfc91e58844fa72565ed29/analysis/1438684390/

** https://www.virustotal.com/en/file/14e9840bdf98de7b9ad8aa0e9fc395ed7aefd31d75e92f7b5ab34a1d195a1328/analysis/1438684442/
... Behavioural information
TCP connections
194.58.111.157: https://www.virustotal.com/en/ip-address/194.58.111.157/information/
8.254.218.142: https://www.virustotal.com/en/ip-address/8.254.218.142/information/

ilcasalepica .it: 195.234.171.179: https://www.virustotal.com/en/ip-address/195.234.171.179/information/

- http://blog.dynamoo.com/2015/08/malware-spam-invoice-hh-114954.html
4 Aug 2015 - "... The payload is the Dridex banking trojan.
Recommended blocklist:
194.58.111.157
62.210.214.106
31.131.251.33 "
___

Malware spam: "Need your attention"
- http://blog.dynamoo.com/2015/08/malware-spam-need-your-attention.html
4 Aug 2015 - "A variety of malicious spam messages are in circulation, each with "Need your attention" in the subject. Each message has a different sender, attachment name and reference number in the subject along with some other variations. Here is an example:
From: Hilda Buckner
Date: 4 August 2015 at 13:29
Subject: Need your attention: OO-6212/863282
Greetings
Hope you are well
Please find attached the statement that matches back to your invoices.
Can you please sign and return.

In that case, the attachment is victimname_JM_1646.doc (other messages have differently-named attachments, but all with the victim's name in them) which in this case contains this malicious macro... What that macro does (other ones may be slightly different) is download a VBS script from pastebin .com/download.php?i=0rYd5TK3... which is then saved as %TEMP%\nnjBHccs.vbs. That VBS then downloads a file from 5.196.241.204 /bt/bt/ched.php which is then saved as %TEMP%\JHVHsd.exe which currently has a detection rate of zero* (MD5 = 00dca835bb93708797a053a3b540db16). The Malwr report indicates that this phones home to 80.247.233.18 (NFrance Conseil, France). The payload is probably the Dridex banking trojan. Note that the malware also sends apparantly non-malicious traffic to itmages .ru , for example:
itmages .ru/image/view/2815551/2b6f1599
itmages .ru/image/view/2815537/2b6f1599
Therefore I would suggest that monitoring for traffic to itmages .ru is a fairly good indicator of compromise."
* https://www.virustotal.com/en/file/aaa9e39e451379135b1515f8a1ed3b2e6045474923b302955e8181b3a6733025/analysis/1438693059/
... Behavioural information
TCP connections
23.14.92.97: https://www.virustotal.com/en/ip-address/23.14.92.97/information/
178.255.83.2: https://www.virustotal.com/en/ip-address/178.255.83.2/information/
80.247.233.18: https://www.virustotal.com/en/ip-address/80.247.233.18/information/

5.196.241.204: https://www.virustotal.com/en/ip-address/5.196.241.204/information/

itmages .ru: 176.9.0.165: https://www.virustotal.com/en/ip-address/176.9.0.165/information/

comment: Derek Knight said...
"It is -ransomware- not Dridex this time and the most evil thing about it, is it uses a legitimate digital signature so it will blow past antiviruses and operating system protections. Correctly digitally signed files are treated as good."
4 Aug 2015
___

Fake 'AMEX Alert' SPAM - Phish... malware
- http://myonlinesecurity.co.uk/american-express-account-alert-important-cardmembership-notification-phishing-and-possible-malware/
4 Aug 2015 - "'Account Alert: IMPORTANT CardMembership Notification' pretending to come from American Express <AmericanExpress@ aecom .com> with an html webpage attachment... seems to be a malware downloader...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/Amex-Account-Alert-IMPORTANT-CardMembership-Notification.png

The attached webpage looks like:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/Amex-Account-Alert-IMPORTANT-CardMembership-Notification_1.png
4 August 2015: AYNEUS018829.html - Current Virus total detections: 4/55*
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/1fcadd5d9ed561fb5f9535f065976e08d0d9ae7e254aef9ab08438e901d7e345/analysis/1438622967/
___

Malvertising Campaign Takes on Yahoo!
- https://blog.malwarebytes.org/malvertising-2/2015/08/large-malvertising-campaign-takes-on-yahoo/
Aug 3, 2015 - "June and July have set new records for malvertising attacks. We have just uncovered a large scale attack abusing Yahoo!’s own ad network. As soon as we detected the malicious activity, we notified Yahoo! and we are pleased to report that they took immediate action to stop the issue. The campaign is no longer active at the time of publishing this blog.
This latest campaign started on July 28th, as seen from our own telemetry. According to data from SimilarWeb, Yahoo!’s website has an estimated 6.9 Billion visits per month making this one of the largest malvertising attacks we have seen recently... As with the previous reported cases this one also leverages Microsoft Azure websites... We did not collect the payload in this particular campaign although we know that Angler has been dropping a mix of ad fraud (Bedep) and ransomware (CryptoWall)... Malvertising is a silent killer because malicious ads do not require any type of user interaction in order to execute their payload. The mere fact of browsing to a website that has adverts (and most sites, if not all, do) is enough to start the infection chain. The complexity of the online advertising economy makes it easy for malicious actors to abuse the system and get away with it. It is one of the reasons why we need to work very closely with different industry partners to detect suspicious patterns and react very quickly to halt rogue campaigns."
> http://bits.blogs.nytimes.com/2015/08/03/hackers-exploit-flash-vulnerability-in-yahoo-ads/

- http://net-security.org/malware_news.php?id=3083
04.08.2015 - "... In the first half of this year the number of malvertisements has jumped 260 percent compared to the same period in 2014. The sheer number of unique malvertisements has climbed 60 percent year over year... fake Flash updates have replaced fake antivirus and fake Java updates as the most commonly method used to lure victims into installing various forms of malware including ransomware, spyware and adware..."

:fear::fear: :mad:

FYI...

Fake 'Ofcom Spectrum' SPAM - doc/xls malware
- http://myonlinesecurity.co.uk/important-document-from-ofcom-spectrum-licensing-word-doc-malware/
5 Aug 2015 - "'IMPORTANT – Document From Ofcom Spectrum Licensing' pretending to come from Spectrum.licensing@ ofcom. org.uk with a malicious word doc/xls attachment is another one from the current bot runs... The email looks like:
Dear Sir/Madam,
Please find attached an electronic version of important documents relating to your Wireless Telegraphy licence or application.
Please read the document carefully and keep it for future reference.
If any details within this letter are incorrect, please notify Ofcom Spectrum Licensing as soon as possible. It is the Licensee’s responsibility to ensure all information we hold is correct and current.
If you have any enquiries relating to this document, please email
spectrum.licensing@ ofcom .org.uk
Yours faithfully,
Ofcom Spectrum Licensing ...

5 August 2015: logmein_pro_receipt.xls - Current Virus total detections: 6/55*
Downloads Dridex banking malware from http ://naturallyconvenient .co.za/75yh4/8g4gffr.exe (VirusTotal**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/3f23b47564cfada12ca18f18f51215bf0e6747419249db1c3d71887e55a16b8a/analysis/1438771928/

** https://www.virustotal.com/en/file/6b668ffa97a00d9e4d6ed0be6ae5dfbd191bb4201bb49e34d23c44a430c16ee6/analysis/1438771421/
... Behavioural information
TCP connections
194.58.111.157: https://www.virustotal.com/en/ip-address/194.58.111.157/information/
2.18.213.40: https://www.virustotal.com/en/ip-address/2.18.213.40/information/

naturallyconvenient .co.za: 197.221.14.220: https://www.virustotal.com/en/ip-address/197.221.14.220/information/

- http://blog.dynamoo.com/2015/08/malware-spam-important-document-from.html
5 Aug 2015
"... downloads a malware executable from:
naturallyconvenient .co.za/75yh4/8g4gffr.exe
... phoning home to:
194.58.111.157 (Reg.RU, Russia)
That IP has been used for badness a few times recently and I definitely recommend that you block traffic to it..."
___

Fake 'Booking Confirmation' SPAM – doc malware
- http://myonlinesecurity.co.uk/booking-confirmation-accumentia-16915-david-nyaruwa-word-doc-or-excel-xls-spreadsheet-malware/
5 Aug 2015 - "'Booking Confirmation – Accumentia (16/9/15)' pretending to come from <david.nyaruwa @soci .org> with a malicious word doc is another one from the current bot runs... The email looks like:
Please find attached a proforma invoice for Accumentia’s booking of the council room on 16/09/15. The deposit to confirm the booking is 25% (ie £205.50) with the balance due by the date of the meeting.
Regards,
David Nyaruwa
Project Accountant ...

5 August 2015: Accumentia Booking (16-9-15).doc - Current Virus total detections: 7/55*
Downloads -same- Dridex banking malware as today’s other 2 malspam runs [1] [2]
1] http://myonlinesecurity.co.uk/statement-unpaid-swandean-foods-word-doc-malware/
...
2] http://myonlinesecurity.co.uk/important-document-from-ofcom-spectrum-licensing-word-doc-malware/
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/236c724d2aa44d57361ca825878aaac44b2855a2a0b8c79fdf6594fe7531c32b/analysis/1438773636/

- http://blog.dynamoo.com/2015/08/malware-spam-booking-confirmation.html
5 Aug 2015 - "... Accumentia Booking (16-9-15).doc which comes in at least two different versions [VirusTotal results 6/56* and 7/56**]... download -malware- from the following locations:
hunde-detektive .de/75yh4/8g4gffr.exe
naturallyconvenient .co.za/75yh4/8g4gffr.exe
This file has a detection rate of 4/55*** and the Malwr report shows that it phones home to the familiar IP of:
194.58.111.157 (Reg.RU, Russia)
I strongly recommend that you block traffic to that IP. The payload is the Dridex banking trojan..."
* https://www.virustotal.com/en/file/3e9ae31f74f9b78619be6fa25279c86d13ac960257e9578d40018e6e81f005eb/analysis/

** https://www.virustotal.com/en/file/08f309a099ca24a110088d9d6f386dec982c343c71989a2e77dd8ac0bb95bff2/analysis/

*** https://www.virustotal.com/en/file/1bac0544e05b7914ee296ce1cee356d532487038e2b3508934c09b454a9b5633/analysis/1438773952/
... Behavioural information
TCP connections
194.58.111.157: https://www.virustotal.com/en/ip-address/194.58.111.157/information/
2.18.213.40: https://www.virustotal.com/en/ip-address/2.18.213.40/information/

hunde-detektive .de: 81.169.145.89: https://www.virustotal.com/en/ip-address/81.169.145.89/information/
___

Fake 'passport' SPAM – JS malware cryptowall/fareit
- http://myonlinesecurity.co.uk/my-passport-reginald-vazquez-js-malware/
5 Aug 2015 - "'My passport – Reginald Vazquez' pretending to come from Reginald Vazquez <Reginald.Vazquez@ iconbrandingsolutions .com> with a zip attachment is another one from the current bot runs... The email looks like:
Please find attached copy of the passport for my wife and daughter as requested. please note we need to complete on the purchase in 4 weeks from the agreed date.
Kind regards,
Reginald Vazquez

5 August 2015: Reginald Vazquez.zip - Extracts to: Reginald Vazquez.js
Current Virus total detections: 0/55*. Downloads 2 files from 31072015a .com 1 is -cryptowall-, the second is -fareit- VirusTotal [1] [2]. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
1] https://www.virustotal.com/en/file/314050de5b8ff9c3ca9b9b692ed3f11410ada9dbcc079e72b70a84f5e2396795/analysis/1438775249/
... Behavioural information
TCP connections
188.165.164.184: https://www.virustotal.com/en/ip-address/188.165.164.184/information/
5.196.199.72: https://www.virustotal.com/en/ip-address/5.196.199.72/information/
45.56.87.253: https://www.virustotal.com/en/ip-address/45.56.87.253/information/
103.28.39.102: https://www.virustotal.com/en/ip-address/103.28.39.102/information/
81.218.71.215: https://www.virustotal.com/en/ip-address/81.218.71.215/information/
212.90.148.43: https://www.virustotal.com/en/ip-address/212.90.148.43/information/
184.168.47.225: https://www.virustotal.com/en/ip-address/184.168.47.225/information/
198.211.120.49: https://www.virustotal.com/en/ip-address/198.211.120.49/information/
98.130.136.200: https://www.virustotal.com/en/ip-address/98.130.136.200/information/

2] https://www.virustotal.com/en/file/90063ec35942f7aba8eafc978f31f296ac3ca8642061a2745bdf5aecc14f7fad/analysis/1438775261/
... Behavioural information
TCP connections
192.186.240.131: https://www.virustotal.com/en/ip-address/192.186.240.131/information/
82.208.47.134: https://www.virustotal.com/en/ip-address/82.208.47.134/information/
160.153.34.130: https://www.virustotal.com/en/ip-address/160.153.34.130/information/
50.62.121.1: https://www.virustotal.com/en/ip-address/50.62.121.1/information/
192.254.185.141: https://www.virustotal.com/en/ip-address/192.254.185.141/information/
50.63.93.1: https://www.virustotal.com/en/ip-address/50.63.93.1/information/

31072015a .com:
> http://centralops.net/co/DomainDossier.aspx
Registrant Country: RU
Admin Country: RU
Tech State/Province: RU ...
route: 178.151.105.0/24
descr: Kiev, Troyeshchyna
origin: AS13188
AS13188: https://www.google.com/safebrowsing/diagnostic?site=AS:13188
...
89.185.15.235: https://www.virustotal.com/en/ip-address/89.185.15.235/information/
94.45.73.242: https://www.virustotal.com/en/ip-address/94.45.73.242/information/
46.119.54.121: https://www.virustotal.com/en/ip-address/46.119.54.121/information/
31.43.132.156: https://www.virustotal.com/en/ip-address/31.43.132.156/information/
217.73.85.49: https://www.virustotal.com/en/ip-address/217.73.85.49/information/
62.244.60.154: https://www.virustotal.com/en/ip-address/62.244.60.154/information/
194.242.102.188: https://www.virustotal.com/en/ip-address/194.242.102.188/information/
176.111.43.241: https://www.virustotal.com/en/ip-address/176.111.43.241/information/
95.47.4.154: https://www.virustotal.com/en/ip-address/95.47.4.154/information/
194.44.37.3: https://www.virustotal.com/en/ip-address/194.44.37.3/information/

:fear::fear: :mad:

FYI...

Fake 'Voice message' SPAM – malware
- http://myonlinesecurity.co.uk/re-voice-message-from-07773403290-voiplicity-co-uk-fake-wav-malware/
6 Aug 2015 - "'RE: Voice message from 07773403290 pretending to come from tel: 07773403290 <non-mail-user@ voiplicity .co.uk> with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/Voice-message-from-07773403290.png

6 August 2015: message_01983527496.wav.zip: Extracts to: message_01983527496.exe
Current Virus total detections: 0/58* . Downloads other files from mastiksoul .org or wedspa .su which appear to be Dridex/Cridex banking malware and posts stolen information to wedspa .su (VirusTotal**). This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper wav ( sound) file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/25a283556840d41562f44b97ec08e80cf722644b521e8dc7940e29eb79a85c33/analysis/1438846882/

** https://www.virustotal.com/en/file/f91405a19f09a3994a8c3c6f84fb4f82cf5bcf50f0aab600b56e14c002e15eb1/analysis/1438847706/
... Behavioural information
TCP connections
212.47.196.149: https://www.virustotal.com/en/ip-address/212.47.196.149/information/
8.254.218.94: https://www.virustotal.com/en/ip-address/8.254.218.94/information/

mastiksoul .org: 74.220.207.107: https://www.virustotal.com/en/ip-address/74.220.207.107/information/

wedspa .su:
94.229.22.39: https://www.virustotal.com/en/ip-address/94.229.22.39/information/
94.242.58.226: https://www.virustotal.com/en/ip-address/94.242.58.226/information/
185.26.113.229: https://www.virustotal.com/en/ip-address/185.26.113.229/information/

- http://blog.dynamoo.com/2015/08/malware-spam-voice-message-from.html
6 Aug 2015 - "... Recommended blocklist:
185.26.113.229
212.47.196.149 "
___

Chinese Actors Copy/Paste HackingTeam 0-Days in Site Hack
- https://blog.malwarebytes.org/exploits-2/2015/08/chinese-actors-copy-and-paste-hackingteam-zero-days-in-site-hack/
Aug 6, 2015 - "... The HackingTeam archive provided very easy to reuse zero-days that even contained instructions. Exploit kit authors still repackaged the exploits to their liking from the original copies, simply reusing the same vulnerability. Not all threat actors did that though. We found a particular attack on a Chinese website where the perpetrators literally copied and pasted the exploit code from HackingTeam, and simply replaced the default ‘calc.exe’ payload with theirs:
> https://blog.malwarebytes.org/wp-content/uploads/2015/08/copypaste.png
... The only thing that really differs is the payload... malicious binaries.
Files used:
mogujie.exe: https://www.virustotal.com/en/file/95d2b94f17ba09cfa8cc94690ad9b4a57ce1f853db63598166f0b718a8f4af1a/analysis/1438875540/
desktop.exe: https://www.virustotal.com/en/file/6bc32b3212a32ee93964666cbd3ac50fa52f15f831a18b4610aa8d46a3e0385d/analysis/1438875538/
SWF(1): https://www.virustotal.com/en/file/1a275895d3407a20c06d58188d26836149348538c1295c043701a69aa80ea588/analysis/1438459365/
SWF(2): https://www.virustotal.com/en/file/67ac1342db4f3e0dfb5fb1d73220482f9989ddafe2c2991a1c79bc2563dca76a/analysis/1438534343/ ..."

210.56.51.74: https://www.virustotal.com/en/ip-address/210.56.51.74/information/
___

Malware-injecting 'man-in-the-cloud' attacks
- http://www.theinquirer.net/inquirer/news/2421076/dropbox-and-onedrive-at-risk-from-malware-injecting-man-in-the-cloud-attacks
Aug 06 2015 - "... Imperva has revealed a new type of attack called 'man-in-the-cloud' (MITC) that allows hackers to access cloud storage services without the need for a password. The research was unveiled at the Black Hat security conference in Las Vegas, and shows how the attack enables hackers to hijack users of cloud-based storage services, such as Box, Dropbox, Google Drive and Microsoft OneDrive, without their knowledge. Imperva said that the hacker gains authentication to the cloud service by stealing a token that is generated the first time a cloud syncing service is used on a PC, without compromising the user's cloud account username or password. From here, an attacker can access and steal a user's files, and even add malware or ransomware to the victim's cloud folder. Imperva said in some cases "recovery of the account from this type of compromise is not always feasible"..."

- http://www.darkreading.com/cloud/man-in-the-cloud-owns-your-dropbox-google-drive----sans-malware-/d/d-id/1321501
8/5/2015
___

Threat Group-3390 Targets Organizations for Cyberespionage
- http://www.secureworks.com/cyber-threat-intelligence/threats/threat-group-3390-targets-organizations-for-cyberespionage/
5 Aug 2015 - "... TG-3390 is known for compromising organizations via SWCs and moving quickly to install backdoors on Exchange servers. Despite the group's proficiency, there are still many opportunities to detect and disrupt its operation by studying its modus operandi. The threat actors work to overcome existing security controls, or those put in place during an engagement, to complete their mission of exfiltrating intellectual property. Due to TG-3390's determination, organizations should formulate a solid -eviction- plan before engaging with the threat actors to prevent them from reentering the network..."
(More detail at the URL above.)
* http://www.secureworks.com/cyber-threat-intelligence/threats/threat-group-3390-targets-organizations-for-cyberespionage/#r01

:fear::fear: :mad:

FYI...

Fake ad 'Sleek Granite Computer' SPAM - malicious attachment
- http://blog.dynamoo.com/2015/08/malware-spam-sleek-granite-computer.html
7 Aug 2015 - "What the heck is a Sleek Granite Computer? As clickbait it is kind of weird.. but perhaps interesting enough to get people to click on the malicious attachment it comes with:
From: mafecoandohob [mafecoandohob@ bawhhorur .com]
To: Karley Pollich
Date: 7 August 2015 at 13:17
Subject: Sleek Granite Computer
Good day!
If you remember earlier this week we discussed with You our new project which we intend to start next month.
For Your kind review we enclose here the business plan and all the related documents.
Please send us an e-mail in case You have any comments or proposed changes.
According to our calculations the project will start bringing profit in 6 months.
Thanks in advance.
Karley Pollich
Dynamic Response Strategist
Pagac and Sons
Toys, Games & Jewelery
422-091-2468

The only sample of this I had was -malformed- and the attachment wasn't attached properly. However, if properly formatted it would have been named saepe 422-091-2468.zip and it contains a malicious executable named nulla.exe. This has a VirusTotal detection rate of 4/55* with Sophos identifying it as a variant of Upatre. The Hybrid Analysis report shows a typical Upatre/Dyre traffic pattern to:
195.154.241.208 :12800/0608us12/6FsvE66Gy1/0/61-SP1/0/FDMBEFJBMKBEMM
195.154.241.208 :12800/0608us12/6FsvE66Gy1/41/2/18/FDMBEFJBMKBEMM
This IP address belongs to Online SAS in France who seem to have hosted quite a bit of this stuff recently, the hostname identifies it as belonging to poneytelecom .eu. Traffic is also spotted to:
37.57.144.177 (Triolan / Content Delivery Network, Ukraine)
95.143.141.50 (LTnet, Czech Republic)
There is also non-malicious traffic to icanhazip.com to identify the IP address of the infected machine. This is worth monitoring though as it is a potential indicator of compromise. The payload is almost definitely the Dyre banking trojan.
Recommended blocklist:
195.154.241.208
37.57.144.177
95.143.141.50 "
* https://www.virustotal.com/en/file/b17e5cc7b27fecb92f601b358963e22df77b4beb517936aaa9e95b4e61269d7d/analysis/1438950940/
___

Fake 'Tax Refund' SPAM – PDF malware
- http://myonlinesecurity.co.uk/tax-refund-new-message-alert-fake-pdf-malware/
7 Aug 2015 - "Amongst all of today’s usual bunch of spoofed HMRC tax refund phishing attempts, we are seeing an email tonight saying 'Tax Refund New Message Alert!' pretending to come from HM Revenue & Customs <security.custcon@ hmrc .gsi .gov .uk> with a zip attachment is another one from the current bot runs... The email looks like:
Dear Customer,
After the last anual calculations of your fiscal activity we have discovered
that you are eligible to receive a tax refund of GBP 1048.55.
Kindly complete the tax refund request and allow 1-15 working days to process it.
Please download the document attached to this email and confirm your tax refund.
A refund can be delayed for a variety of reasons.
For example: Submitting invalid records or applying after the deadline.
Yours sincerely, Edward Troup
Tax Assurance Commissioner.
Please do not reply to this e-mail as this is only a notification. Mail sent to this address cannot be answered.

7 August 2015: TaxRefund0036192.zip - Extracts to: TaxRefund0036192.pdf.exe
Current Virus total detections: 4/56* which looks to be this rather nasty ransom ware Trojan**. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/186a9b8c038b8fafc5fe4a7cd1f09d54a9c0cc4e8849f37d414fdc134baa9be0/analysis/1438968024/

** https://usa.kaspersky.com/internet-security-center/threats/onion-ransomware-virus-threat#.VcURnHnbK70
"... via the Andromeda botnet"
___

Updates in... Ransomware
- http://blog.trendmicro.com/trendlabs-security-intelligence/price-hikes-and-deadlines-updates-in-the-world-of-ransomware/
Aug 7, 2015 - "... ransomware variants have evolved to do more than just encrypt valuable system files. CryptoFortress targeted files in shared network drives while TeslaCrypt targeted gamers and mod users. Now we are seeing another feature rapidly gaining ground in the world of ransomware: the ability to increase the ransom price on a deadline... A recent attack on an Australian company revealed a new TorrentLocker variant that can double the price of decryption after a deadline of five days. The cyber attack started with a business email. We noted a TorrentLocker spam run targeting Australia that probably delivered the infected email. TorrentLocker is a persistent threat in the region... After clicking on one of these infected emails, a manager’s system ended up with the crypto-ransomware TROJ_CRYPLOCK.XW. Nothing happened at first. The manager deleted the email and thought nothing of it until hours later. By then, it was too late. The malware had already encrypted 226 thousand files before it popped the warning and all IT admins can do is stare at a screen asking them for AU $640 in five days, after which the price will double to AU $1280:
> https://blog.trendmicro.com/trendlabs-security-intelligence/files/2015/08/Cyptoransomware_updates_01.png
... Continuing upgrades in crypto-ransomware show that users need to be vigilant with attack vectors that may be used to get the malware in their machines. While installing security software to protect all endpoints is paramount to security, it is equally important to use a multi-layered approach.
- Always have a -backup- strategy, most efficiently by following the 3-2-1 rule*...
- Trust products proven to detect ransomware before it reaches your system—either as a bad URL, a malicious email, or via unpatched exploits.
- Noting the way that the Australian company was hacked, it pays to also educate employees about safe email and Web browsing procedures..."
* http://blog.trendmicro.com/trendlabs-security-intelligence/world-backup-day-the-3-2-1-rule/
"... backup best practices is the three-two-one rule. It can be summarized as: if you’re backing something up, you should have:
At least three copies,
In two different formats,
with one of those copies off-site..."
___

RIG Exploit Kit 3.0 - 1 Million Strong and Growing
- https://atlas.arbor.net/briefs/index#1344414045
Elevated Severity
Aug 6, 2015 - "The RIG exploit kit, used to deliver various forms of -malware- onto compromised systems, has seen a recent surge in victims. The surge, impacting more than 1.25 million systems globally, is spreading via a large -malvertising- campaign at an average rate of 27,000 new victims a day*..."
* https://www.trustwave.com/Resources/Trustwave-Blog/How-an-Upgraded-Version-of-the-RIG-Exploit-Kit-is-Infecting-27k-Computers-Per-Day/
___

Google, Samsung to issue monthly Android security fixes
- http://www.reuters.com/article/2015/08/07/us-android-security-idUSKCN0QC00320150807
Aug 6, 2015 8:03pm EDT - "... As with Apple's iPhones, the biggest security risk comes with apps that are not downloaded from the official online stores of the two companies... a key avenue was to convince targets to download legitimate-seeming Android and iPhone apps from imposter websites."

:fear::fear: :mad:

FYI...

Fake 'Your order' SPAM – doc malware
- http://myonlinesecurity.co.uk/your-order-10232-from-create-blinds-online-paid-word-doc-malware/
10 Aug 2015 - "'Your order 10232 from Create Blinds Online: Paid' pretending to come from orders@ createblindsonline .co.uk with a malicious word doc attachment is another one from the current bot runs... This email has what appears to be a genuine word doc or Excel XLS spreadsheet attached which is malformed and contains a macro script virus... DO NOT follow the advice they give to enable macros or enable editing to see the content. Almost all of these malicious word documents appear to be blank or look something like this image when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/protected-view-macros_21.png
... The email looks like:
We would like to thank you for your recent order. Order Status updated on: 10/08/2015 Your Customer ID: 1761 Your Order ID: 10232
Invoice Number: 10232
Delivery Note: We received your order and payment on Aug/102015 Your order details are attached:
Kind regards
Create Blinds Online Team ...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/Your-order-10232-from-Create-Blinds-Online.png

10 August 2015: invoice-10232.doc Current Virus total detections: 5/55* Downloads Dridex banking malware from http ://mbmomti .com.br/435rg4/3245rd2.exe (VirusTotal**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/0d917831636f69503b6f0a96e27958c1727303042c7832e36c8516292e5f1165/analysis/1439189964/

** https://www.virustotal.com/en/file/64be05ce8131bbae5be0d68f45c0416aba5e06f6301962f6f03484b26ddccdd8/analysis/1439190149/
... Behavioural information
TCP connections
78.47.119.85: https://www.virustotal.com/en/ip-address/78.47.119.85/information/
191.234.4.50: https://www.virustotal.com/en/ip-address/191.234.4.50/information/

mbmomti .com.br: 187.17.111.99: https://www.virustotal.com/en/ip-address/187.17.111.99/information/

- http://blog.dynamoo.com/2015/08/malware-spam-your-order-10232-from.html
10 Aug 2015 - "... attempts to download a -malicious- binary from one of the following locations:
mbmomti .com.br/435rg4/3245rd2.exe
j-choi .asia/435rg4/3245rd2.exe
... generates traffic to 78.47.119.85 (Hetzner, Germany). The payload is almost definitely the Dridex banking trojan."
j-choi .asia: 153.122.0.184: https://www.virustotal.com/en/ip-address/153.122.0.184/information/
___

Fake 'MI Package' SPAM – doc/xls malware
- http://myonlinesecurity.co.uk/premium-charging-mi-package-for-merchant-17143013-word-doc-or-excel-xls-spreadsheet-malware/
10 Aug 2015 - "'Premium Charging MI Package for Merchant 17143013' pretending to come from GEMS@ Worldpay .com with a malicious word doc attachment is another one from the current bot runs... This email has what appears to be a genuine word doc or Excel XLS spreadsheet attached which is malformed and contains a macro script virus... DO NOT follow the advice they give to enable macros or enable editing to see the content:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/protected-view-macros_21.png
... The email looks like:
*** Please do not reply to this Message *** Attached is the Management Information to support your Monthly Invoice. Should you have any queries, please refer to your usual helpdesk number.

10 August 2015: 17143013 01.docm - Current Virus total detections: 5/56*
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/6011af6c2682d6acc32673b68be89a42c274ea5988117cdc3a05616bc5cb6f8d/analysis/1439196186/

- http://blog.dynamoo.com/2015/08/malware-spam-premium-charging-mi.html
10 Aug 2015 - "... one sample with named 17143013 01.docm ... detection rate of 5/55* and it contains this malicious macro... which then downloads a component from:
gardinfo .net/435rg4/3245rd2.exe
This is exactly the -same- payload as seen in this spam run** also from this morning."
* https://www.virustotal.com/en/file/0cdec864ba6daa55b3f37e6cc5dbab00752efbccbe15459999af85493f31b349/analysis/1439198630/

** http://blog.dynamoo.com/2015/08/malware-spam-your-order-10232-from.html

gardinfo .net: 62.210.16.61: https://www.virustotal.com/en/ip-address/62.210.16.61/information/
___

Fake 'Resume' SPAM - malicious attachment
- http://blog.dynamoo.com/2015/08/malware-spam-gabriel-daniel-resume.html
10 Aug 2015 "This fake résumé comes with a malicious attachment:
From: alvertakarpinskykcc@ yahoo .com
Date: 10 August 2015 at 19:40
Subject: Resume
Signed by: yahoo .com
Hi my name is Gabriel Daniel doc is my resume
I would appreciate your immediate attention to this matter
Kind regards
Gabriel Daniel

Interestingly, the email does really appear to come via Yahoo!'s mail servers. Attached is a document Gabriel_Daniel_resume.doc which contains this malicious macro... which has a VirusTotal detection rate of 2/56*. As far as I can tell, it appears to download a disguised JPG file from 46.30.43.179/1.jpg (Eurobyte LLC, Russia) which appears to be an encrypted executable. I wasn't able to decode all of the macro, however this Hybrid Analysis report shows clearly what is going on:
> https://1.bp.blogspot.com/-pVLYG1iCchQ/VcjC9aEOGPI/AAAAAAAAG4I/WNCsjruC-UA/s1600/cryptowall.png
So, it is pretty clear that the payload here is -Cryptowall- (which encrypts all the victim's files). The same Hybrid Analysis report shows that it POSTS information to:
conopizzauruguay .com/wp-content/wp-content/themes/twentythirteen/cccc.php?v=c91jzn46yr
conopizzauruguay .com/wp-content/wp-content/themes/twentythirteen/cccc.php?b=86v97tziud5m
conopizzauruguay .com/wp-content/wp-content/themes/twentythirteen/cccc.php?o=ups5xom3u2sb01
It also directs the visitor to various personalised ransom pages hosted on 80.78.251.170 (Agava, Russia).
Recommended blocklist:
46.30.43.179
80.78.251.170
conopizzauruguay .com "
*https://www.virustotal.com/en/file/48f68ceeb094bd8c72c0a65ec5efd09a8da33934d854296b73c2dce99aff50d8/analysis/1439219044/

conopizzauruguay .com: 208.113.240.70: https://www.virustotal.com/en/ip-address/208.113.240.70/information/
___

.COM.COM Used For Malicious Typo Squatting
- https://isc.sans.edu/diary.html?storyid=20019
2015-08-10 - "... domains ending in ".com.com" are being -redirected- to what looks like malicious content. Back in 2013, A blog by Whitehat Security pointed out that the famous "com.com" domain name was sold by CNET to known typo squatter dsparking .com [1]. Apparently, dsparking .com paid $1.5 million for this particular domain. Currently, the whois information uses privacy protect, and DNS for the domain is hosted by Amazon's cloud. All .com.com hostnames appear to resolve to 54.201.82.69, also hosted by Amazon (amazon .com .com is also directed to the same IP, but right now results in more of a "Parked" page, not the -fake- anti-malware as other domains). The content you receive varies. For example, on my first hit from my Mac to facebook .com .com , I received the following page:
> https://isc.sans.edu/diaryimages/images/Screen%20Shot%202015-08-10%20at%202_34_58%20PM.png
And of course the -fake- scan it runs claims that I have a virus :) . As a "solution", I was offered the well known scam-app "Mackeeper". Probably best to -block- DNS lookups for any .com.com domains. The IP address is likely going to change soon, but I don't think there is any valid content at any ".com.com" host name. The Whitehat article does speak to the danger of e-mail going to these systems... Amazon EC2 abuse was notified."
1] https://blog.whitehatsec.com/why-com-com-should-scare-you/

54.201.82.69: https://www.virustotal.com/en/ip-address/54.201.82.69/information/

:fear::fear: :mad:

FYI...

Fake 'Website Invoice' SPAM – PDF malware
- http://myonlinesecurity.co.uk/here-is-your-bt-website-invoice-pdf-malware/
11 Aug 2015 - "'Here is your BT Website Invoice. pretending to come from btd.billing.noreply@ bt .com with a PDF attachment is another one from the current bot runs... The email comes in corrupt... There is an HTML attachment which contains what the actual email should read:
***Please do not reply to this automated e-mail as responses are not read***
Hello
Here is your latest billing information from BT Directories – please check the details carefully.
If you need to contact us then you’ll find the numbers in the attachment.
Kind Regards
BT Directories Billing & Credit Management ...

And there is a PDF attachment which contains the malware:
11 August 2015 : DirectDebit Invoice_5262307_011220140151449702826.pdf
Current Virus total detections: 4/56* which is a PDF containing a word doc with embedded macros in the same way as described in today’s earlier malspam run**... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/08af5513378e9186ba26b4ba1aa8b2e3951d61328f8d7a8c98a43f087cb7a97a/analysis/1439286155/

** http://myonlinesecurity.co.uk/interparcel-documents-pdf-malware/
11 Aug 2015 - "'Interparcel Documents' pretending to come from Interparcel <bounce@ interparcel .com> with a PDF attachment is another one from the current bot runs...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/Interparcel-Documents.png

11 August 2015: Shipping Labels (938854744923).pdf - Current Virus total detections: 4/57*
... downloads Dridex from http ://sonicadmedia .com/334f3d/096uh5b.exe (VirusTotal**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/9fde36d6b82a8c2f81448cf053ca74637bef98a6e0b8a8bdfbf11908840917e4/analysis/1439281100/

** https://www.virustotal.com/en/file/b134e2be463dcdbb48cb8081e2fac1ff2c1c32796abafbc03d6f38105f7d5db1/analysis/1439284911/

sonicadmedia .com: 192.185.5.3: https://www.virustotal.com/en/ip-address/192.185.5.3/information/
___

Fake 'Congratulations on your purchase Windows' SPAM – fake PDF malware
- http://myonlinesecurity.co.uk/congratulations-on-your-purchase-windows-fake-pdf-malware/
11 Aug 2015 - "'Congratulations on your purchase Windows' with a zip attachment is another one from the current bot runs... The email looks like:
The invoice for the license windows 10.
Invoice id: 5661255582
License number: 211883074666
License serial number: XXXXXX-XXXXXX-XXXXXX-QF7303-DG7S86
Details of the attachment.
THANKS A LOT FOR BEING WITH US.

Todays Date: Invoice Windows10 1648726511-en.zip:
Extracts to: Invoice Windows10 7848342350-en.exe
Current Virus total detections: 6/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/ac95e5be477cbddf2478632d28ada80bd4d235bef526de210c964084460fcabf/analysis/1439303996/
___

Asprox botnet... disappears
- http://www.infoworld.com/article/2969322/malware/asprox-botnet-a-longrunning-nuisance-disappears.html
Aug 11, 2015 - "The Asprox botnet, whose malware-spamming activities have been followed for years by security researchers, appears to be gone... the botnet seemed to be shut down, wrote Ryan Olson, intelligence director for Palo Alto Networks, in a blog post:
> http://researchcenter.paloaltonetworks.com/2015/08/whats-next-in-malware-after-kuluoz/
Olson wrote that Palo Alto thought the botnet's operators may have changed their tactics, and Palo Alto missed the shift. But they verified that Asprox's command-and-control structure shut down - at least for now... Earlier this year, Brad Duncan, a security researcher at Rackspace, also noticed a change:
> https://isc.sans.edu/forums/diary/What+Happened+to+You+Asprox+Botnet/19435/
... Spam that appeared stylistically close to that sent by Asprox had -different- malware. Asprox has taken a hit before. In November 2008, it was one of several botnets affected by the shutdown of McColo, a notorious California-based ISP that was providing network connectivity for cybercriminals. The shutdown of McColo dramatically cut the amount of spam, but Asprox as well as other botnets came back. The most frequent malware now seen by Palo Alto is Upatre. That malware downloads other harmful programs to a computer, and Palo Alto has seen it involved in installing a banking trojan called Dyre and the Cryptowall ransomware..."
>> http://researchcenter.paloaltonetworks.com/wp-content/uploads/2015/08/kuluoz-2.png

:fear::fear: :mad:

FYI...

Fake 'Invoices payable' SPAM – JAVA malware
- http://myonlinesecurity.co.uk/re-re-invoices-payable-java-malware/
12 Aug 2015 - "'RE: Re: Invoices payable' with a jar attachment pretending to come from info@ fulplanet .com is another one from the current bot runs...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/Invoices-payable.png

12 August 2015: Invoice.jar - Current Virus total detections: 4/57*
Luckily, Outlook (as you can see from the screenshot above) and many other email clients automatically -block- java jar files from being accessed or opened in the email client. Webmail clients are more at risk as most allow any attachment. Java is a crossbrowser and cross OS program and that is why it is so dangerous. Malicious Java files can infect and compromise ANY computer whether it is windows or Apple or Android or Linux. You will not be infected and cannot be harmed if you do -not- have Java installed on the computer.
This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like an unknown instead of the java executable file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/f2188d223305092fe0a9c8be89c69e149c33c3ea4b1c0843fda00771ac72272d/analysis/1439362101/
___

Fake 'list attached' SPAM – PDF drops word doc – malware
- http://myonlinesecurity.co.uk/list-attached-as-requested-danielle-cc-signs-ltd-pdf-drops-word-doc-malware/
12 Aug 2015 - "'list attached as requested' pretending to come from Danielle | CC Signs Ltd. <orders@ ccsigns .co.uk> with a malicious PDF attachment that drops a word doc is another one from the current bot runs... DO NOT follow the advice they give to enable macros or enable editing to see the content. Almost all of these malicious word documents appear to be blank or look something like this image when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/protected-view-macros_21.png
The email has a -blank- body with just this image inside it and looks like:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/CC-Signs-Ltd.jpg

12 August 2015: smo.pdf - Current Virus total detections: 5/56*
... which drops/creates 4.docm (VirusTotal**) which contains a macro that connects to http ://konspektau.republika .pl/07jhnb4/0kn7b6gf.exe and downloads Dridex banking malware (VirusTotal***). Other download locations include http ://madrigalchor-schloss-benrath .de/07jhnb4/0kn7b6gf.exe ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/a4a7b540630853ca92c87ddbde759e85dbfe762ff13ab917b6db3433dea28d7a/analysis/1439370949/

** https://www.virustotal.com/en/file/e8889312bec248f762c14c519ecdbbe1ae01b6c011cd29ae6b1ca4544417dbb2/analysis/1439371138/

*** https://www.virustotal.com/en/file/6dbe2d872dd324d5204e0dcc596bfd20f62d3d95e7533383fd42e4cc6a1cdf70/analysis/1439372114/
... Behavioural information
TCP connections
74.119.194.18: https://www.virustotal.com/en/ip-address/74.119.194.18/information/
95.101.128.113: https://www.virustotal.com/en/ip-address/95.101.128.113/information/

konspektau.republika .pl: 213.180.150.17: https://www.virustotal.com/en/ip-address/213.180.150.17/information/

madrigalchor-schloss-benrath .de: 81.169.145.158: https://www.virustotal.com/en/ip-address/81.169.145.158/information/
___

Fake 'Invoice for 415 Litmus' SPAM – doc malware
- http://myonlinesecurity.co.uk/invoice-for-415-litmus-word-doc/
12 Aug 2015 - "'Invoice for 415 Litmus' pretending to come from angela_lrc088128@ btinternet .com (the lrc088128 is random and I am seeing -hundreds- of lrc******@ btinternet .com being -spoofed- as the from addresses) with a malicious word doc attachment is another one from the current bot runs... DO NOT follow the advice they give to enable macros or enable editing to see the content. Almost all of these malicious word documents appear to be blank or look something like this image when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/protected-view-macros_21.png

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/Invoice-for-415-Litmus.png

12 August 2015: 415 Litmus Cleaning invoice.docm - Current Virus total detections: 6/56*
The -malicious- macro inside this version of the word doc connects to and downloads Dridex banking malware from http ://madrigalchor-schloss-benrath .de/07jhnb4/0kn7b6gf.exe (Virus Total**) Which is the -same- malware as described in today’s other Malspam run[1] containing malicious PDF dropping word docs... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/8cc4da70ab176d2f942325ac74615d80b5968d817e3e52377ad2c9feb1ee1484/analysis/1439371782/

** https://www.virustotal.com/en/file/6dbe2d872dd324d5204e0dcc596bfd20f62d3d95e7533383fd42e4cc6a1cdf70/analysis/1439372114/
... Behavioural information
TCP connections
74.119.194.18: https://www.virustotal.com/en/ip-address/74.119.194.18/information/
95.101.128.113: https://www.virustotal.com/en/ip-address/95.101.128.113/information/

madrigalchor-schloss-benrath .de: 81.169.145.158: https://www.virustotal.com/en/ip-address/81.169.145.158/information/

1] http://myonlinesecurity.co.uk/list-attached-as-requested-danielle-cc-signs-ltd-pdf-drops-word-doc-malware/
___

Fake 'transferred into Your account HSBC' SPAM – PDF malware
- http://myonlinesecurity.co.uk/this-is-to-confirm-that-amounts-were-transferred-into-your-account-hsbc-fake-pdf-malware/
12 Aug 2015 - "A series of emails on the theme of 'This is to confirm that amounts were transferred into Your account' with subjects like 'Payment affirmation' or 'Conducted transaction information' with an email -link- to entice you into downloading a zip attachment is another one from the current bot runs... Some of the subjects include:
Conducted transaction information
Deposited funds receipt
Fund transfer receipt
Deposited funds acknowledgment
Transaction statement
Transfer verification
Deposited funds affirmation
Deposited funds statement
Balance change receipt
The senders pretend to be bank employees from HSBC and include such titles as:
Forward Applications Strategist
Principal Assurance Developer
Corporate Web Architect™
Principal Factors Director
And hundreds of other similar style of seemingly important sounding titles. The sender matches the job title in the body of the email although the names are totally random...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/Payment-affirmation.png

12 August 2015: invoice.pdf.zip: Extracts to: invoice.pdf.exe*
Current Virus total detections: 3/56*. These -Upatre- downloaders normally download either Dridex or Dyreza banking malware. So far the automatic tools haven’t managed to get any actual download. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/21d56cfe59c7ae00096ccee20bf480350ca88bac5f2c4b267442b07f876bc64c/analysis/1439376577/
___

Fake 'Important documents BoA' SPAM – PDF malware
- http://myonlinesecurity.co.uk/fw-important-documents-bankofamerica-com-fake-pdf-malware/
12 Aug 2015 - "'FW: Important documents' pretending to come from Guadalupe Aldridge <Guadalupe.Aldridge@ bankofamerica .com> or Mariano Cotton <Mariano.Cotton@ bankofamerica .com> (and probably loads of other random names @ bankofamerica .com) with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/B-of-A-Important-documents.png

12 August 2015: AccountDocuments.zip: Extracts to: AccountDocuments.scr
Current Virus total detections: 0/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/6ac32eeb2a0be4b0f8aac5c306f3c99eeabfa71afc1777adcc75ea9fe5489f0a/analysis/1439398277/
___

Win10 Store, Mail client down for some
- http://www.zdnet.com/article/microsofts-windows-10-store-mail-client-down-for-some/
Updated Aug 10, 11 - "... having problems accessing the Windows 10 Store and a number of Store apps, including Microsoft's new Mail client, for more than a day:
> http://zdnet2.cbsistatic.com/hub/i/r/2015/08/09/6500f82d-e2ca-4bcc-85f7-bdd8738e5bb1/resize/770x578/f03d307cee48206e18f434fbefba03f4/win10storedown.jpg "

:fear::fear: :mad:

FYI...

Fake 'Invoice Bristan' SPAM – PDF malware
- http://myonlinesecurity.co.uk/invoice-i623792760-bristan-fake-pdf-invoice-malware/
13 Aug 2015 - "'Invoice I623792760' (Random characters and numbers) pretending to come from Bristan Documents <Prism@ bristan .com> with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/Invoice-I623792760.png

13 August 2015: INVOICE_I623792760.zip: Extracts to: INVOICE_I9288320.exe
Current Virus total detections: 1/57*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/3eb08a1fc4c27ecc5bb1e512327fc645076b00c3a62555871d8b8ed395517c79/analysis/1439455676/
___

Fake 'Incident' RBS SPAM – doc malware
- http://myonlinesecurity.co.uk/re-incident-im07298646-word-doc-malware/
13 Aug 2015 - "'RE: Incident IM07298646' (random numbers) pretending to come from RBS <secure.message@ rbs .co.uk> with a malicious word doc attachment is another one from the current bot runs... This particular version pretends to be signed with an RSA secure key and you need to enable editing and macros to see the content... DO NOT follow the advice they give to enable macros or enable editing to see the content:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/RSA-key-protected-view.png

13 August 2015: AccountDocuments.doc - Current Virus total detections: 5/56*
This goes through a convoluted download procedure linking to: http ://hutsul .biz/administrator/components/com_joomlaupdate/rara.txt which is just a simple instruction to download what looks like -Upatre- downloader which will eventually download Dridex banking malware from http ://klosetaffair .com/scripts/jquery-1.8.3.exe (VirusTotal**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/c683e3a12ab2e80aa4247a1c8ed6b9c565e0241212bc9730596e69ee54807b57/analysis/1439461278/

** https://www.virustotal.com/en/file/a887578ad7657b18d3b889a53ed123c30ba3d9b8c5d6795723555ee7333ce7ca/analysis/1439461900/

hutsul .biz: 144.76.80.78: https://www.virustotal.com/en/ip-address/144.76.80.78/information/

klosetaffair .com: 192.185.48.205: https://www.virustotal.com/en/ip-address/192.185.48.205/information/

- http://threattrack.tumblr.com/post/126606969628/rbc-secure-webmail-spam
Aug 13, 2015 - Subjects Seen:
RBC Secure Webmail/Courriel secure
Typical e-mail details:
Hello
You have received a secure e-mail, which may contain personal/confidential information.
To read and/or reply to the secure e-mail, please follow the simple steps below:
· Double click on the attached Click2View.zip
IMPORTANT:
1.) You must be connected to the Internet to view the secure e-mail.
2.) Please ONLY reply from the above link. DO NOT reply by clicking the “reply” option as this will not be secured.

Malicious File Name and MD5:
Click2View.scr (51cabd5eb93920043db1b18cf163b108)

Tagged: RBC, Upatre
___

Fake 'Notice of payment' SPAM – PDF malware
- http://myonlinesecurity.co.uk/notice-of-payment-national-bank-of-canada-fake-pdf-malware/
13 Aug 2015 - "'Notice of payment' pretending to come from sac.sbi@ sibn .bnc.ca with a zip attachment is another one from the current bot runs... The email looks like:
You can view and print the notice of payment using the Netscape or Microsoft
Explorer browsers, versions 6.2 and 5.5. You can export and store the
notice of payment data in your spreadsheet by choosing the attached file in
pdf format “.pdf”.
If you have received this document by mistake, please advise us immediately
and return it to us at the following E-mail address: “sac.sbi@ sibn .bnc .ca“.
Thank you.
National Bank of Canada
600 de La Gauchetire West, 13th Floor
Montreal, Quebec H3B 4L2 ...

13 August 2015: PaymentNotice.zip: Extracts to: PaymentNotice.scr
Current Virus total detections: 1/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/a978053fe90cc25dacc95b3f8e71884c88c3757027b98be120f1df46bf80f202/analysis/1439483960/
___

SSL Malvertising Campaign Continues
- https://blog.malwarebytes.org/malvertising-2/2015/08/ssl-malvertising-campaign-continues/
Aug 13, 2015 - "The actors behind the recent Yahoo! malvertising attack are still very much active and able to infect people who browse popular websites. We have been tracking this campaign and noticed that is has recently moved to a new ad network used by many top publishers:
- drudgereport .com 61.8M visits per month
- wunderground .com 49.9M visits per month
- findagrave .com 6M visits per month
- webmaila.juno .com 3.6M visits per month
- my.netzero .net 3.2M visits per month
- sltrib .com 1.8M visits per month
The malvertising is loaded via AdSpirit .de and includes a -redirection- to an Azure website. Note how both URLs are using HTTPS encryption, making it harder to detect the malicious traffic at the network layer:
> https://blog.malwarebytes.org/wp-content/uploads/2015/08/malvertising.png
Redirection chain
Publisher’s website
https ://pub.adspirit .de/adframe.php?pid=[redacted]
https ://pr2-35s.azurewebsites .net/?=pr2-35s-981ef52345
abcmenorca .net/?xvQtdNvLGcvSehsbLCdz
Angler Exploit Kit...
We informed the ad network and although they did not immediately get back to us, the rogue advert was taken down."

Update 08/14: The campaign has -moved- to another advertiser (AOL) and new Azure domain:
> https://blog.malwarebytes.org/wp-content/uploads/2015/08/ebayadvertisement.png

abcmenorca .net: 88.198.188.158:
- https://www.virustotal.com/en/ip-address/88.198.188.158/information/
Country: DE
Autonomous System: 24940 (Hetzner Online AG)
Diagnostic page for AS24940 (HETZNER-AS)
- https://www.google.com/safebrowsing/diagnostic?site=AS:24940
"... over the past 90 days, 2335 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2015-08-13, and the last time suspicious content was found was on 2015-08-13... this network has hosted sites that have distributed malicious software in the past 90 days. We found 224 site(s)... that infected 837 other site(s)..."

:fear: :mad:

FYI...

Fake 'Invoice' SPAM – doc/xls malware
- http://myonlinesecurity.co.uk/invoice-bristol-rope-twine-co-word-doc-or-excel-xls-spreadsheet-malware/
14 Aug 2015 - "'Invoice Bristol Rope & Twine Co' pretending to come from Roger Luke <rogerluke@ bristolrope .co.uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... DO NOT follow the advice they give to enable macros or enable editing to see the content. Almost all of these malicious word documents appear to be -blank- or look something like this image when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/protected-view-macros_21.png
The email looks like:
Thank you for your order. Your Invoice – 14/0238 – from Bristol Rope &
Twine Co is attached.

14 August 2015: 140238.XLS - Current Virus total detections: 6/57*
... Downloads Dridex banking malware from http ://buero-kontierservice .de/7656/4563.exe (VirusTotal**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/f299af94bcb39bbcad5668ac9e7d0591ec7c6d90be2332f8fcbcbb8588be41d7/analysis/1439545269/

** https://www.virustotal.com/en/file/57bde530100143b81c804d5cd9082aab2f42c7f1f8e11f5c5c37d41a433cf20b/analysis/1439545437/
... Behavioural information
TCP connections
62.152.36.25: https://www.virustotal.com/en/ip-address/62.152.36.25/information/
2.18.213.90: https://www.virustotal.com/en/ip-address/2.18.213.90/information/

buero-kontierservice .de: 81.169.145.157: https://www.virustotal.com/en/ip-address/81.169.145.157/information/
___

Fake 'Account management' SPAM – PDF malware
- http://myonlinesecurity.co.uk/account-management-was-limited-jpmorgan-chase-bank-fake-pdf-malware/
14 Aug 2015 - "'Account management was limited' pretending to be a message from JPMorgan Chase Bank with a zip attachment is another one from the current bot runs... Other subjects in this malware run include:
Personal account access has been minimized
Bank account control has been minimized
Personal account management had been restricted
Bank account access was blocked ...
The email looks like:
Dear Bank member,
Please consider this e-mail alert highly urgent. Kindly note that our
security department has detected the attempt to withdraw money from Your
account without confirmation.
As a security measure the bank had to restrict access to the account
until we get relevant request from the signatory. Please see attached
the document to be filled in order to get full access to the account.
Peter Malcolm,
Security Department Specialist
JPMorgan Chase Bank PLC

14 August 2015: Formsheet_to_be_filled in_.zip: Extracts to: Formsheet_to_be_executed_.exe
Current Virus total detections: 2/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/6b18f506d572f8f422a5568a84797ce355aedb897353310eb30d959986565e31/analysis/1439572799/

:fear::fear: :mad:

FYI...

Multi-language Tech Support Scams
- https://blog.malwarebytes.org/fraud-scam/2015/08/the-multi-language-tech-support-scam-is-here/
Aug 17, 2015 - "The Microsoft tech support scam has been going on for -years- starting with cold calls originating from India. Over time fake websites and pop ups warning of infections for Windows, Mac, Android and even iOS users were created. The vast majority of victims are from the U.S., Canada, the U.K., Australia, South Africa and New Zealand; in essence countries where English is the primary language spoken. This is about to change though, as tech support scammers are tapping into brand new markets in Europe but also Japan... The latest iteration we uncovered is targeting -multiple- new countries and considerable efforts were spent to make the templates look professional and authentic.
New targets:
France (population 66 M)
Spain (population 46 M)
Germany (population: 81 M)
Japan (population: 126 M)
... fraudulent pages typically show up via -malvertising- campaigns or as part of a bundle within Potentially Unwanted Programs... Translation to English:
' Warning! A virus has been detected on your computer. Please call the number provided immediately to remove adware, spyware and viruses from your computer. Seeing this message means that all your personal information, pictures, passwords and credit card details are at risk and vulnerable to attacks. Do not use the Internet, do not connect to any website or make any purchase until you call the phone number provided.'
Actual native speakers: We called one of the numbers for the French campaign and talked with an agent that spoke fluent French. He turned out to be working from Québec, Canada...
Avoiding the scam: The best protection against these scams is awareness. Please pass the word around to family and friends, especially older ones or those not computer savvy. We also have a resource page* with plenty of information that is well worth a read. What we can say looking back at all these years since the tech support scams started is that crooks have been able to adapt the con, often times getting inspired by actual malware authors and their practices (i.e. Browlock, fake BSOD, etc…). This latest twist is without a doubt going to have a serious impact on countries that have never really experienced tech support scams before. Not only are people not prepared for it, but also the fraudster will appear genuine by speaking the local tongue..."
* https://blog.malwarebytes.org/tech-support-scams/

:fear::fear:

FYI...

Fake 'SHIPMENT NOTICE' SPAM – PDF malware
- http://myonlinesecurity.co.uk/shipment-notice-safilo-com-fake-pdf-malware/
19 Aug 2015 - "'SHIPMENT NOTICE' pretending to come from serviceuk@ safilo .com with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/safilo-SHIPMENT-NOTICE.png

19 August 2015: ship20150817.zip: Extracts to: ship20150817.exe
Current Virus total detections: 2/54* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/b936cf05514ede49c63a732717ac901d22d3038e46a5820d7955f55c1ef7d6d0/analysis/1439977857/

- http://blog.dynamoo.com/2015/08/malware-spam-shipment-notice.html
19 Aug 2015 - "... the malware attempts to phone home to:
megapolisss006 .su/go/gate.php
.SU (Soviet Union) domains are bad news in general, if you can I would recommend blocking traffic to -all- of them. This domain is hosted on the following IPs:
195.2.88.196 (Zenon N.S.P., Russia)
94.229.22.39 (Bashrtcomm LIR, Russia)
94.229.22.42 (Bashrtcomm LIR, Russia)
You might want to consider blocking:
195.2.88.0/24
94.229.16.0/21
This though is the recommended minimum blocklist:
195.2.88.196
94.229.22.39
94.229.22.42 ..."
___

Fake 'lawsuit' SPAM – doc/xls malware
- http://myonlinesecurity.co.uk/wtf-is-thislawsuit-word-doc-or-excel-xls-spreadsheet-malware/
19 Aug 2015 - "'wtf is this?lawsuit?' coming from random names and random email addresses with a malicious word doc attachment is another one from the current bot runs... This email has what appears to be a genuine word doc or Excel XLS spreadsheet attached which is malformed and contains a macro script virus... DO NOT follow the advice they give to enable macros or enable editing to see the content. Almost all of these malicious word documents appear to be -blank- or look something like this image when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/protected-view-macros_21.png
The email looks like:
why have you sued me? wtf is this?
i am attaching the subpoena

19 August 2015: subpoena.doc - Current Virus total detections: 5/54*
Connects to http ://bigdiscountsonline .info/css/_notes/rara.txt which is a simple text instruction to download Dridex banking malware from http ://allthatandmore .info/css/_notes/pa.exe (VirusTotal**). It also connects to http ://bigdiscountsonline .info/css/_notes/8179826378126.txt which is a VBS downloader (VirusTotal***)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/61f94cafd9a0186dcc2f50bd907f712ddda5a284fe8900543014177c9bf484b9/analysis/1439998392/

** https://www.virustotal.com/en/file/a0d84fe3721c23db1de2c9b8952ccbb3d66b0eed1c27659cd60bee73ba36d6f9/analysis/1439996382/
... Behavioural information
TCP connections
148.251.34.82: https://www.virustotal.com/en/ip-address/148.251.34.82/information/
62.149.142.168: https://www.virustotal.com/en/ip-address/62.149.142.168/information/

*** https://www.virustotal.com/en/file/6097eee70a23b8912d36a70f42b0972bd34e4bda2debd6c9e47758b1fff5e43e/analysis/1439995932/

bigdiscountsonline .info: 97.74.4.87: https://www.virustotal.com/en/ip-address/97.74.4.87/information/
allthatandmore .info: 97.74.4.87
___

Out of band I/E patch - all versions...
- http://myonlinesecurity.co.uk/out-of-band-emergency-patch-for-all-versions-of-internet-explorer-on-windows-18-august-2015/
18 Aug 2015

>> https://forums.spybot.info/showthread.php?862-Microsoft-Alerts&p=465708#post465708

:fear::fear: :mad:

FYI...

Fake 'Shared from Docs app' SPAM – xls Malware
- http://myonlinesecurity.co.uk/shared-from-docs-app-excel-xls-spreadsheet-malware/
20 Aug 2015 - "'Shared from Docs app' coming from Admin at random email addresses with a malicious Excel XLS spreadsheet attachment is another one from the current bot runs... DO NOT follow the advice they give to enable macros or enable editing to see the content. Almost all of these malicious word documents appear to be -blank- or look something like this image when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/protected-view-macros_21.png
The Excel spreadsheet in this one looks like this... DO NOT follow their suggestion and enable editing or macros:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/LIST_141114_jpg-2.xls.png
The email is very plain and terse and simply says :

Sent from Mail for Windows 10

20 August 2015: LIST_141114_jpg (2).xls - Current Virus total detections: 4/56*
So far automatic analysis hasn’t retrieved any payload so we are waiting for a manual analysis to be performed. These normally download Dridex banking malware...
Update: we now have managed to get an automatic analysis[2] which gave us: ceece.exe that looks like Dridex but no download location for it (VirusTotal)[3]... We always have problems with automatic analysis when the Doc or LS file is in Russian language and character set... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/5e77f6a84ef5179824f2a110a73c10927d32cb8efe306f6d333295a5cbac9467/analysis/1440065594/

2] https://malwr.com/analysis/YzdlYjBjMDFmMTM1NGMwZGE4MjE2ZThlNGU0MTcwMzQ/

3] https://www.virustotal.com/en/file/cfc7d0bab0e11ce1bcdbbf05dc2817933109a5f7523748370a2c000ce4897d4a/analysis/1440066467/
... Behavioural information
TCP connections
62.152.36.25: https://www.virustotal.com/en/ip-address/62.152.36.25/information/
191.234.4.50: https://www.virustotal.com/en/ip-address/191.234.4.50/information/
___

Fake 'new ID and password' SPAM – PDF malware
- http://myonlinesecurity.co.uk/your-new-id-and-password-fake-pdf-malware/
20 Aug 2015 - "'Your new ID and password' coming from random names and email addresses with a zip attachment is another one from the current bot runs... The email looks like:

Your ID name and password has been changed according to your request dated August 19, 2015. Check attachment to view the renewed information.

20 August 2015: doc_ad78120.zip : Extracts to: doc_in30541.exe
Current Virus total detections 3/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/6f90a6b02b5de4bee197449581a10c8b897aa784e63579ae40e2d0597692a427/analysis/1440069970/
___

Fake 'order not avaliable' SPAM – doc malware
- http://myonlinesecurity.co.uk/we-are-sorry-but-the-product-youve-ordered-is-not-avaliable-now-fake-word-doc-malware/
20 Aug 2015 - "An email saying 'We are sorry but the product you’ve ordered is not avaliable now' with a subject of Order #y0CD3mxQizcBk88ovaw [random characters] coming from random names and email addresses with a zip attachment is another one from the current bot runs... The email looks like:
Good afternoon,
We are sorry but the product you’ve ordered is not avaliable now.
Please fill up the attached form of refund and choose a gift as a token
of our apology for the inconvenience.
Order #fNcszeK2PW9J1rjN
Date sent: Thu, 20 Aug 2015 11:42:51 +0100
Mariam Olson Sr...
-Or-
Good afternoon,
We are sorry but the product you’ve ordered is not avaliable now.
Please fill up the attached form of refund and choose a gift as a token
of our apology for the inconvenience.
Order #4y3Rs24VDxJ8BBW8
Date sent: Thu, 20 Aug 2015 11:45:02 +0100
Carolyn Raynor...

20 August 2015: Order Beier-Swaniawski_fNcszeK2PW9J1rjN.zip: Extracts to: order id283694136_Angus Ferry.exe
Current Virus total detections 2/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper word document instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/6e57b64a48eda1b367d41502dd4251521cb30799f3b371f236c806d97328f4bf/analysis/1440070000/
___

Fake 'Transport for London' SPAM - malicious attachment
- http://blog.dynamoo.com/2015/08/malware-spam-email-from-transport-for.html
20 Aug 2015 - "This -fake- TfL spam comes with a malicious attachment:
From "Transport for London" [noresponse@ cclondon .com]
Date Thu, 20 Aug 2015 17:04:26 +0530
Subject Email from Transport for London
Dear Customer
Please open the attached file(7887775.zip) to view correspondence from Transport
for London.
If the attachment is in PDF format you may need Adobe Acrobat Reader to read or download
this attachment. If you require Adobe Acrobat Reader this is available at no cost...
Thank you for contacting Transport for London.
Business Operations
Customer Service Representative...

The attachment name seems to vary, in the samples I have seen there is 7887775.zip, 0174458.zip and rather oddly [?var=partorderb].zip. From these I have recovered two malicious samples with a VirusTotal detection rate of 6/56* and 1/57**... Hybrid Analysis reports... show the malware connecting to various malicious and non-malicious IPs, but in particular we see a traffic pattern like this:
93.185.4.90 :12326/2008uk77/jI7tL6q34q/0/61-SP1/0/FDMBEFJBMKBEMM
93.185.4.90 :12326/2008uk77/jI7tL6q34q/41/5/42/FDMBEFJBMKBEMM
These GET requests are a characteristic of Upatre/Dyre. 93.185.4.90 is allocated to C2NET, Czech Republic and I strongly recommend that you -block- it."
* https://www.virustotal.com/en/file/6bd9680283424eb294a6a2b788bac911a15b47eb7f1a251cc6ad501df7e1acff/analysis/1440071767/

** https://www.virustotal.com/en/file/e40a32e6781af530eb6a544b185156d1a25384a78b7771bca52f05744af811f1/analysis/1440071784/
___

Fake 'ACH failed' SPAM – doc malware
- http://myonlinesecurity.co.uk/ach-failed-due-to-technical-error-the-electronic-payments-association-word-doc-malware/
20 Aug 2015 - "'ACH failed due to technical error' pretending to come from The Electronic Payments Association with a malicious word doc attachment is another one from the current bot runs... DO NOT follow the advice they give to enable macros or enable editing to see the content. Almost all of these malicious word documents appear to be blank or look something like this image when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/protected-view-macros_21.png
This malicious word doc has what pretends to be a RSA encrypted security key and it wants you to enable editing to see the content. This is almost identical to this slightly older version with a different date. Once again DO NOT not enable editing or macros:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/RSA-key-protected-view.png
The email looks like:
ACH PAYMENT REJECTED
The ACH Payment (ID: 49583071624518), recently initiated from your savings account (by you or any other person), was REJECTED by other financial institution.
Rejection Reason: See details in the attached report.
Payment Report: report_49583071624518.doc (Microsoft Word)
13450 Sunrise Valley Drive, Suite 100
Herndon, VA 20171
2014 NACHA – The Electronic Payments Association

20 August 2015 : report_49583071624518.doc - Current Virus total detections 16/57*
... connects to http ://luckytravelshop .info/wp-content/uploads/2015/05/sasa.txt which tells it to download a Dridex banking malware from http: //tadarokab .com/temp/recent.exe (VirusTotal**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/617e96e03ed78aae59ea049c5f856aead2f6cf3ba958aa38629503c6f51fca48/analysis/1440087068/

** https://www.virustotal.com/en/file/2bc39fee6e884348c3490214160e0882cfd0bc416f9b8c4165d93a3307e0ff02/analysis/1440081269/

luckytravelshop .info: 23.229.232.199: https://www.virustotal.com/en/ip-address/23.229.232.199/information/

tadarokab .com: 38.110.76.140: https://www.virustotal.com/en/ip-address/38.110.76.140/information/
___

Fake 'ACH Payment' SPAM – PDF malware
- http://myonlinesecurity.co.uk/ach-payment-notification-logicease-solutions-inc-fake-pdf-malware/
20 Aug 2015 - "'ACH Payment Notification' pretending to come from ap_vendor_pay2@ bankofamerica .com with a zip attachment is another one from the current bot runs...
The email looks like:
LOGICEASE SOLUTIONS INC Vendor:10288253 Pay Dt: 20150820 Pay Ref Num: 2000542353
Your invoice has been processed for payment by Bank of America Corporate Accounts Payable. The following items are included in this payment:
The net amount deposited to account number ending XXXX8014 designated by you is $1843.73
IMPORTANT: AVAILABILITY OF FUNDS FOR WITHDRAWAL IS SUBJECT TO POSTING BY RECEIVING BANK (USUALLY WITHIN THREE BUSINESS DAYS)
Please do not respond to this e-mail. Should you have questions, please contact the Purchasing, Payment & Reimbursement helpline at 888.550.6174...

20 August 2015: Pay_Advice.zip: Extracts to: Pay_Advice.exe
Current Virus total detections 5/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/6272900d5bec803b6150d753c0b53b2aa090f0e415d780e7f5cc9be6b964dc3d/analysis/1440085153/

:fear::fear: :mad:

FYI...

Fake 'bank birthday bonus' SPAM - PDF malware
- http://myonlinesecurity.co.uk/our-bank-have-a-birthday-today-so-we-would-like-to-give-you-some-bonuses-as-youre-the-most-valuable-client-of-ours-fake-pdf-malware/
21 Aug 2015 - "A series of emails saying 'Our bank have a birthday today so we would like to give you some bonuses as you’re the most valuable client of ours' with a subject of 'You are our most valued customer. Your ID 23428458 [random numbers]' coming from random names and email addresses with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/You-are-our-most-valued-customer-Your-ID-23428458.png

All these emails have random senders & companies, random phone numbers but the alleged sender matches the name in the body of the email and the name of the attachment.
21 August 2015: Bank-Reagan Bashirian DDS_(278) 789-4975_client-268119023428458.zip:
Extracts to: Bank Client992322638_West Jermainemouth.exe - Current Virus total detections: 2/57*.
This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/3f81ba9dd277971969eab270e00dfcd590a42b41d20ab8123a2369590ab58f06/analysis/1440154416/
___

Fake 'translator job' SCAMs
- http://myonlinesecurity.co.uk/real-translator-jobs-scam/
21 Aug 2015 - "We all see thousands of adverts and get loads of emails offering us jobs. This one caught my eye earlier:
'Earn Up To $315 A Day Translating Words'. Sent by Real Translator Jobs <realtranslatorjobs@ freonjob .org>
The email reads like a godsend for somebody who speaks an extra language and needs a few $$ or ££ but has all the hallmarks of a scam/multi level marketing/pyramid scheme.

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/translator-job-scam.png

... If you follow the links to the website you see http ://www.realtranslatorjobs .com/ and a referrer link at the end of the url. I have blanked out the referrer link so he/she doesn’t get any income from the scam by following links from here:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/translator-jobs-website.png
... The first thing that jumps out at you is:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/home-sidebar-checklist2.jpg
... The only people who get rich and make a lot of money are the originators for this scam and the “affiliates” who promote it and get a commission on every sign up or click through to the website... it will cost you $68 to sign up but there is a special offer for today only for $34 dollars (save 50%!)... don’t fall for it and don’t waste your money. You won’t earn a thing..."
___

Fake 'invoice 2018' SPAM – PDF malware
- http://myonlinesecurity.co.uk/invoice-2018-garry-white-whitechappell-co-uk-fake-pdf-malware/
21 Aug 2015 - "'invoice 2018' pretending to come from Garry White <garry@ whitechappell .co.uk> with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/invoice-2018.png

21 August 2015 : CRFC, Invoice 2018.pdf.zip: Extracts to: CRFC, Invoice 2018.pdf.exe
Current Virus total detections: 3/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/229e15d3a63ad632045395f7fee9c0193ccfdeba25c0d5205f382cb2ab57aa83/analysis/1440155507/
___

What is event.swupdateservice .net?
- http://blog.dynamoo.com/2015/08/what-hell-is-eventswupdateservicenet.html
21 Aug 2015 - "... I saw some mysterious outbound traffic to event.swupdateservice .net/event (138.91.189.124 / Microsoft, US). Googling around for the domain came up with some references to malware, but nothing very conclusive. The WHOIS details for the domain are -anonymised- (never a good sign), and the IP address is also used by event.ezwebservices .net which uses similarly -hidden- details. Team Cymru have an analysis* of what is being phoned home to this mystery server, and I found an existing Malwr analysis** referencing the alternate domain. I eventually found the mystery executable in C:\Users\[username]\AppData\Local\SoftUpdate\SoftUpdate.exe on the afflicted machine... The binary itself does not identify its creator. I found various references (such as in this report***) linking this software and the domains to Emaze .com (a "free" presentation tool)... Neither domain identifies itself through the WHOIS details, nor can I find any contact details on either site... I don't like sharing data with commercial operations who are not prepared to fully reveal their identity, and I personally recommend -blocking- traffic to:
visualbee .com: 168.62.20.37: https://www.virustotal.com/en/ip-address/168.62.20.37/information/
emaze .com: 54.83.51.169: https://www.virustotal.com/en/ip-address/54.83.51.169/information/
swupdateservice .net
ezwebservices .net "
* https://totalhash.cymru.com/analysis/?a10211e1a1549147630704aa6cfd89b27bc51970

** https://malwr.com/analysis/MWUzZmM5M2UyN2Q5NGU0M2E4M2U3NTE3MWUzNWNhZjE/

*** https://www.hybrid-analysis.com/sample/f479a3779efb6591c96355a55e910f6a20586f3101cd923128c764810604092f?environmentId=1

138.91.189.124: https://www.virustotal.com/en/ip-address/138.91.189.124/information/
___

Fake Malwarebytes?...
- https://blog.malwarebytes.org/online-security/2015/08/exploring-an-mbam-for-windows-10-website/
Aug 21, 2015 - "Here at Malwarebytes, we offer support for a wide variety of Windows Operating Systems – from XP right up to Windows 10. The latter OS is the starting point for this blog post, with a website located at: malwarebytes-windows10(dot)com which seemed to offer up a “Windows 10 ready” version of Malwarebytes Anti-Malware:

Screenshot: https://blog.malwarebytes.org/wp-content/uploads/2015/08/mbam101.jpg

This installer is -not- ours, so it’s clear that this is a download manager of some sort, and – one would hope – gave the downloader a copy of MBAM at the end of the process. However, the download kept breaking, so we couldn’t get any further than the initial installer splash...
Since we started looking into this, the site has also now apparently rolled down the shutters:
> https://blog.malwarebytes.org/wp-content/uploads/2015/08/mbam104.jpg
However, the EULA / Privacy Policy on the installer took us to a site located at
qpdownload(dot)com which also offered up a variety of programs including Adblock Plus and yet another MBAM:
> https://blog.malwarebytes.org/wp-content/uploads/2015/08/mbam105.jpg
... Users of Malwarebytes Anti-Malware will find we detect the “Download Manager” as PUP.Optional.InstallCore.A. Download sites can be cool, but it seems counter-intuitive to offer products designed to reduce advertisements / advertising software on your desktop alongside... adverts..."

malwarebytes-windows10(dot)com: 107.180.24.239: https://www.virustotal.com/en/ip-address/107.180.24.239/information/

qpdownload(dot)com: 96.43.136.163: https://www.virustotal.com/en/ip-address/96.43.136.163/information/
___

Malvertising on Telstra Media Homepage ...
- https://blog.malwarebytes.org/news/2015/08/telstra-medias-homepage-pushes-malvertising/
Aug 21, 2015 - "The media home page of Australia’s -largest- telecommunications company, Telstra, was pushing some malvertising similar to the attack we just documented*...
* https://blog.malwarebytes.org/malvertising-2/2015/08/malvertising-hits-online-dating-site-plentyoffish/
The infection chain goes like this:
media.telstra .com.au/home.html (Publisher)
frexw .co.uk/public/id-55048502/300×250.php (Malvertising)
gp-urti .info/bard-vb4735/vcyz-46820t.js (Malicious redirector)
goo .gl/s3LrVw (Abuse of Google URL shortener to load an exploit kit)
augpdoiof .info/document.shtml?AfWlx={redacted} (Nuclear Exploit Kit)
>> https://blog.malwarebytes.org/wp-content/uploads/2015/08/telstra_graph.png
While we did not collect the particular sample dropped in this campaign, it is quite likely to be the Tinba banking Trojan... The Google link has now been disabled:
> https://blog.malwarebytes.org/wp-content/uploads/2015/08/google.png
The malvertising attack lasted for a few days and was last seen on the 17th."

augpdoiof .info: 45.32.238.228: https://www.virustotal.com/en/ip-address/45.32.238.228/information/

gp-urti .info:
104.24.120.10: https://www.virustotal.com/en/ip-address/104.24.120.10/information/
104.24.121.10: https://www.virustotal.com/en/ip-address/104.24.121.10/information/

:fear::fear: :mad:

FYI...

Neutrino Campaign leveraging WordPress, Flash for CryptoWall
- http://research.zscaler.com/2015/08/neutrino-campaign-leveraging-wordpress.html
Aug 20, 2015 - "Neutrino Exploit Kit... in the past few days we've seen a massive uptick in the use of the kit. The cause for this uptick appears due to widespread WordPress site compromises... the image below illustrates the components involved in this campaign:
> https://4.bp.blogspot.com/-f2_q0ogBa9I/VdZGAFpgoHI/AAAAAAAAAYU/s7NvxOgAHZs/s1600/WordPress_Neutrino_nexus.PNG
... there are multiple recent changes in the Neutrino code, some that are normally characteristics of Angler Exploit Kit, but others that remain unique to Neutrino... The goal of this campaign is to completely and fully compromise the site, which includes adding a webshell, harvesting credentials, and finally injecting an iframe that loads a Neutrino landing page... the primary IP for the observed Neutrino landing pages is '185.44.105.7' which is owned by VPS2DAY .com. Many of the domains pointing to that IP utilize 'xyz', 'ga', 'gq', and 'ml' TLDs. Taking a look at the whois data for some of these domains, a common attribute seems to be the name 'Max Vlapet' for .XYZ domains... This campaign also reconfirms that Neutrino Exploit Kit activity is on the rise and is still a major player in the exploit kit arena..."
- http://it.slashdot.org/story/15/08/22/030246/wordpress-hacks-behind-surging-neutrino-ek-traffic
Aug 22, 2015

185.44.105.7: https://www.virustotal.com/en/ip-address/185.44.105.7/information/

:fear::fear: :mad:

FYI...

Fake 'Message from scanner' SPAM – PDF malware
- http://myonlinesecurity.co.uk/message-from-scanner-fake-pdf-malware/
24 Aug 2015 - "'Message from scanner' pretending to come from scanner.coventrycitycentre@ brianholt .co.uk with a zip attachment but a completely -empty/blank- body of the email is another one from the current bot runs...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/Message-from-scanner.png

24 August 2015: Sscanner15081208190.zip: Extracts to: Sscanner15081208190.exe
Current Virus total detections: 3/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/891f5c4ca2a835e32b773b6179b21e9737000a862bce81229fbc8b8930992e38/analysis/1440408248/

- http://blog.dynamoo.com/2015/08/malware-spam-message-from-scanner.html
24 Aug 2015 - "... malicious executable Sscanner15081208190.exe embedded into the attachment Sscanner15081208190.zip . This executable has a detection rate of just 5/54*. The Hybrid Analysis report** shows the malware POSTing to:
smboy .su/mu/tasks.php
.SU (Soviet Union) domains are almost always bad news. If you can block them on your web filter then I recommend that you do so. This particular site is hosted on 95.172.146.73 (RTComm-Sibir, Russia). The network range of 95.172.146.0/23 does seem to contain some legitimate Russian-language sites, but you might want to -block- the whole range to be on the safe side. The payload is unknown, but typically malware like this will drop either the Dyre banking trojan or some sort of ransomware."
* https://www.virustotal.com/en/file/891f5c4ca2a835e32b773b6179b21e9737000a862bce81229fbc8b8930992e38/analysis/1440414098/

** https://www.hybrid-analysis.com/sample/891f5c4ca2a835e32b773b6179b21e9737000a862bce81229fbc8b8930992e38?environmentId=1

95.172.146.73: https://www.virustotal.com/en/ip-address/95.172.146.73/information/
___

German site dwdl .de -hacked- serving malware via 94.142.140.222
- http://blog.dynamoo.com/2015/08/popular-german-wesite-dwdlde-hacked.html
24 Aug 2015 - "... German media website dwdl .de has been -hacked- and is serving up malware, according to this URLquery report*. URLquery's IDS function detects what looks like the RIG Exploit kit:
> https://3.bp.blogspot.com/-pFLpyrW75e8/VdslyFeXKgI/AAAAAAAAG50/onTPoRZf0So/s1600/dwdl-de.png
The exploit is injected code pointing to a server at 94.142.140.222 (Marosnet Telecommunication Company, Russia) which in the example is using filter.michiganbeerhops .com which is a -hijacked- GoDaddy domain. The exploit only appears to work if the site is accessed via a search engine, which looks like a classic .htaccess hack. URLquery's script relationship chart shows this in action:
> https://3.bp.blogspot.com/-XrAJ6DxnJcM/VdsoSNqVIdI/AAAAAAAAG6A/meF5SsbUOeA/s640/domain_graph.php.gif
VirusTotal** gives an overview of other malicious domains on this server. It indicates that the following domains have been -hijacked- and malicious subdomains set up..."
(Long list at the dynamoo URL - top of this post.)
* http://urlquery.net/report.php?id=1440424952903

** 94.142.140.222: https://www.virustotal.com/en/ip-address/94.142.140.222/information/

:fear::fear: :mad:

FYI...

Fake 'Visa Card' SPAM - malicious attachment
- http://blog.dynamoo.com/2015/08/malware-spam-visa-card-aug-2015.html
25 Aug 2015 - "This -fake- financial spam does not come from Ellesemere Engineering but is in fact a simple forgery with a malicious attachment:
From [david@ ellesmere .engineering]
To "'Sharon Howarth'" [sharon@ ellesmere .engineering]
Date Tue, 25 Aug 2015 09:52:47 +0200
Subject Visa Card Aug 2015
Visa Card payments this month
---
This email has been checked for viruses...

Attached is a document Visa Card Aug 2015.docm which I have seen in three different versions, containing one of -three- malicious macros... that then attempt to download a malicious binary from one of the following locations:
http ://e-projekt.ns1.internetdsl .pl/45gf3/7uf3ref.exe
http ://nathalieetalain.free .fr/45gf3/7uf3ref.exe
http ://landrevie.g.free .fr/45gf3/7uf3ref.exe
This executable has a detection rate of just 1/55* and the Malwr report** shows network traffic to:
91.239.232.9 (Hostpro Ltd, Ukraine)
I strongly recommend that you -block- that IP address. The payload to this is almost definitely the Dridex banking trojan."
* https://www.virustotal.com/en/file/d9b5eca403c6298be00a4854bc279e0046930cbb3dedf59926672b0207fc0f78/analysis/1440489790/
... Behavioural information
TCP connections
91.239.232.9: https://www.virustotal.com/en/ip-address/91.239.232.9/information/
191.234.4.50: https://www.virustotal.com/en/ip-address/191.234.4.50/information/

** https://malwr.com/analysis/YzFkMGQyNTdjYzdmNGFjNjk1NTc4ZjdjMjRjODg5NDY/

internetdsl .pl: 80.48.169.1: https://www.virustotal.com/en/ip-address/80.48.169.1/information/

free .fr: 212.27.48.10: https://www.virustotal.com/en/ip-address/212.27.48.10/information/

- http://myonlinesecurity.co.uk/visa-card-aug-2015-ellesmere-engineering-word-doc-macro-malware/
25 Aug 2015
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/Visa-Card-Aug-2015.png
25 August 2015: Visa Card Aug 2015.docm - Current Virus total detections 7/55*
Downloads Dridex banking malware.
* https://www.virustotal.com/en/file/9d7f5f07fe16900b082bf5f38ef5f900de12bced7147ba60fa2775f4f6b22b80/analysis/1440499540/
___

Fake 'Dropbox' SPAM - leads to malware
- http://blog.dynamoo.com/2015/08/malware-spam-updatevacationsschedule092.html
25 Aug 2015 - "This -fake- Dropbox email leads to malware, hosted on the sharing service sugarsync .com.
From: June Abel via Dropbox [no-reply@ dropbox .com]
Date: 25 August 2015 at 12:59
Subject: June Abel shared "UPDATE_VACATIONS_SCHEDULE_09_2015.pdf" with you
June used Dropbox to share a file with you!
Click here to download.
© 2015 Dropbox

I have seen three different samples with different download locations:
https ://www.sugarsync .com/pf/D3941255_827_052066225?directDownload=true
https ://www.sugarsync .com/pf/D160756_82_6104120627?directDownload=true
https ://www.sugarsync .com/pf/D2694666_265_638165437?directDownload=true
In each case, the binary downloaded is identical and has a VirusTotal detection rate of 3/55*. Analysis is pending, but the payload appears to be the Dyre banking trojan.
UPDATE: The Hybrid Analysis report** shows traffic to 197.149.90.166 (Cobranet, Nigeria) which I recommend you block."
* https://www.virustotal.com/en/file/8f1d2ccdce1e260b4ec648a71210250eedaa8af5c9d8a7e64366343d9e384a4f/analysis/1440506327/

** https://www.hybrid-analysis.com/sample/8f1d2ccdce1e260b4ec648a71210250eedaa8af5c9d8a7e64366343d9e384a4f?environmentId=1

sugarsync .com: 74.201.86.21: https://www.virustotal.com/en/ip-address/74.201.86.21/information/

197.149.90.166: https://www.virustotal.com/en/ip-address/197.149.90.166/information/
___

Fake 'Invoice 26949' SPAM - malicious attachment
- http://blog.dynamoo.com/2015/08/malware-spam-invoice-26949-from-i-spi.html
25 Aug 2015 - "My spam traps did not collect the body text from this message, so all I have is headers. However, this -fake- financial email is not from i-Spi Ltd and is instead a simple forgery with a malicious attachment:
From [sales@ ispitrade .com]
Date Tue, 25 Aug 2015 20:37:09 +0800
Subject Invoice 26949 from I - SPI Ltd

Attached is a file Inv_26949_from_I__SPI_Ltd_7888.doc which actually comes in several different versions... which contains a malicious macro... that downloads an executable from one of the following locations:
http ://landrevie.g.free .fr/45gf3/7uf3ref.exe
http ://e-projekt.ns1.internetdsl .pl/45gf3/7uf3ref.exe
http ://nathalieetalain.free .fr/45gf3/7uf3ref.exe
http ://claudio.locatelli .free .fr/45gf3/7uf3ref.exe
http ://spitlame.free .fr/45gf3/7uf3ref.exe
http ://nathalieetalain.free .fr/45gf3/7uf3ref.exe
This Hybrid Analysis report* shows network traffic to:
91.239.232.9 (Hostpro Ltd, Ukraine)
This is the same bad IP as found in this earlier spam run**, I recommend that you block it. The payload here is almost definitely the Dridex banking trojan."
* https://www.hybrid-analysis.com/sample/5e4b69e8ce31c8cf51cc6d5b49651bec9e239b7616f81744b656b7228a63a065?environmentId=1

** http://blog.dynamoo.com/2015/08/malware-spam-visa-card-aug-2015.html

- http://myonlinesecurity.co.uk/invoice-26949-from-i-spi-ltd-word-doc-macro-malware/
25 August 2015: Inv_26949_from_I__SPI_Ltd_7888.doc "... Downloads the -same- Dridex banking malware as described in today’s earlier malspam run of malicious word docs*..."
* http://myonlinesecurity.co.uk/visa-card-aug-2015-ellesmere-engineering-word-doc-macro-malware/
___

Browsefox variant High Stairs - browser hijackers
- https://blog.malwarebytes.org/security-threat/2015/08/browsefox-variant-high-stairs/
Aug 25, 2015 - "Browsefox aka Sambreel aka Yontoo is a family of browser hijackers. When advertised they promise to “customize and enhance your interaction with the websites you visit”, but in reality they are almost never a users choice install. They come -bundled- with other software at many major download sites and at best you will see this screen when the installation starts:
> https://blog.malwarebytes.org/wp-content/uploads/2015/08/main1.png
High Stairs is one of the latest additions to this family. It is being offered as a browser extension -without- making clear what it does for the user. If you want to have a look at the EULA and Privacy Policy you will have to visit their website:
> https://blog.malwarebytes.org/wp-content/uploads/2015/08/EULA.png
... The EULA clearly states that it allows the “Software” to use -any- means imaginable to deliver advertisements and that it will collect your data. The Privacy Policy lets you know that they will use, share and sell those data to any and all parent, subsidiary or affiliate companies. Bottom line, as long as it brings in cash. Browser hijackers of this family are VM aware, meaning they will not do a full install if they detect they are run on a Virtual Machine. Sometimes the files are downloaded and put in place, but the extensions are not installed and enabled. The -hijackers- from this family do provide browser extensions for IE, Firefox, Chrome and Opera (and probably more)... invisible iframes can be used to deliver anything and everything to your computer, ranging from advertisements (which is very likely in this case) to (in theory) exploit kits. In theory in this case means, that we haven’t seen any exploit kits being delivered through the advertisements these PUPs deliver, but if the PUP has a vulnerability or their network is compromised a third party could use this in the same manner as has been done with malvertisements on legitimate sites. This browser hijacker is relatively easy to remove. Other variants have been known to install services as well, making them a bit harder to tackle. Unfortunately “High Stairs” is not alone. We see a new Sanbreel variant at least a few times every week. The installer and the installed files are all detected as 'PUP.Optional.HighStairs.A'. Logs, more screenshots and removal instructions for “High Stairs” can be found on our forums*..."
* https://forums.malwarebytes.org/index.php?/topic/171926-removal-instructions-for-high-stairs/

:fear::fear: :mad:

FYI...

Fake 'Scanned image - MX-2600N' SPAM – doc/xls malware
- http://myonlinesecurity.co.uk/scanned-image-from-mx-2600n-word-doc-macro-malware/
26 Aug 2015 - "'Scanned image from MX-2600N' pretending to come from noreply@ your email domain with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... DO NOT follow the advice they give to enable macros or enable editing to see the content. Almost all of these malicious word documents appear to be blank or look something like this image when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/protected-view-macros_21.png
The email looks like:
Reply to: noreply@ securityandprivacy .co.uk <noreply@ securityandprivacy .co.uk>
Device Name: Not Set
Device Model: MX-2600N
Location: Not Set
File Format: DOC MMR(G4)
Resolution: 200dpi x 200dpi
Attached file is scanned image in DOC format.
Use Microsoft(R)Word(R) of Microsoft Systems Incorporated to view the document.

26 August 2015: noreply@ securityandprivacy.co.uk_20150826_181106.doc
Current Virus total detections 7/57*:
Downloads Dridex banking malware from one of these locations:
detocoffee.ojiji .net/45ygege/097uj.exe (virus Total**)
students.johnbryce .co.il/nagare/45ygege/097uj.exe
groupedanso .fr/45ygege/097uj.exe
asterixpr.republika .pl/45ygege/097uj.exe
fotolagi .com/45ygege/097uj.exe
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/38736bb58af7e8a640656a661129d0150dd3a46c996f9fb91a6586108333c17d/analysis/1440582748/

** https://www.virustotal.com/en/file/e9167fdb431320b249a7874511986f668cb52bd62d3eb20ed2e74d9fe8c7102a/analysis/1440583201/
... Behavioural information
TCP connections
91.239.232.9: https://www.virustotal.com/en/ip-address/91.239.232.9/information/
191.234.4.50: https://www.virustotal.com/en/ip-address/191.234.4.50/information/

- http://blog.dynamoo.com/2015/08/malware-spam-scanned-image-from-mx.html
26 Aug 2015 - "... The email appears to come from the victim's own domain, but it does not. The "From" address on email is extremely easy to forge. So far I have seen three different malicious attachments, each one in the format noreply@ victimdomain.com_20150826_181106.doc with detection rates of around 7/56 [1] [2] [3] containing one of three malicious macros... which attempt to download a malicious component from one of the following locations:
http ://fotolagi .com/45ygege/097uj.exe
http ://asterixpr.republika .pl/45ygege/097uj.exe
http ://detocoffee.ojiji .net/45ygege/097uj.exe
This malicious binary currently has a VirusTotal detection rate of just 2/54. Automated analysis... shows network traffic to 91.239.232.9 (Hostpro Ltd, Ukraine) which has been used in serveral attacks recently. The payload is almost definitely the Dridex banking trojan."
1] https://www.virustotal.com/en/file/7bd4d8d48a4e64ee8bdd8814c805a8a5ff69ad0fe8200b86a10bfbe81e193b9d/analysis/1440583485/

2] https://www.virustotal.com/en/file/8143e0f0570c67142b7c9fb872e9723e409559711a3e23a0359cd1f21ddce90e/analysis/1440583498/

3] https://www.virustotal.com/en/file/5ce26cd8d2cf8df20f826384c37ab854f4dd2aa49d62b9dfdf89bbffb0c237bc/analysis/1440583515/
___

Fake 'invoice A4545945' SPAM - PDF malware
- http://myonlinesecurity.co.uk/screwfix-copy-of-invoice-a4545945-please-find-your-invoice-attached-fake-pdf-malware/
26 Aug 2015 - "'Copy of invoice A4545945. Please find your invoice attached' pretending to come from Screwfix Direct <online@ screwfix .com> with a zip attachment is another one from the current bot runs... The email looks like:
Dear Customer
Thank you for shopping at Screwfix.
As requested please find attached a copy of invoice: A4545945.
You will require a PDF file reader in order to view and print the invoice. Should your invoice not be attached please email invoice@ screwfix .com ensuring that you quote your order reference.
Please do not reply to this e-mail.
If you have any queries, please quote the Invoice Number: A4545945, when contacting us:
Phone: 0500 41 41 41 (03330 112 320 from a mobile) UK based Contact Centre
E-mail: online@ screwfix .com
Write to: Screwfix, Trade House, Mead Avenue, Yeovil, BA88 8RT ...

26 August 2015: Invoice_A3176864.zip: Extracts to: Invoice.scr
Current Virus total detections 2/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/a3bc75083b29d70f6c156d3f987bbe654b56f58708755528ecc7eeab13eee30a/analysis/1440580919/
___

Fake 'Invoices from UBM' SPAM - PDF malware
- http://myonlinesecurity.co.uk/your-invoices-from-ubm-fake-pdf-malware-2/
26 Aug 2015 - "'Your Invoices from UBM' pretending to come form UBM (UK) Limited <ubm@ ubm .com> with a zip attachment is another one from the current bot runs... The email looks like:
Dear Customer,
Please find attached your invoice(s) from UBM. If you have any queries regarding the invoice, payment or service delivered please don’t hesitate to contact us on the details below.
Regards,
UBM Receivables Team.
Tel : +44 207 921 8506 (21627)
Email : bogumila.murzyn@ ubm .com
Fax :
****PLEASE DO NOT REPLY TO THE EMAIL ADDRESS ubm@ ubm .com AS IT IS NOT MONITORED**** ...

26 August 2015:65550757_Invoices_26-AUG-2015.zip:
Extracts to: 65550757_Invoices_26-AUG-2015.scr ... which is the -same- Upatre malware that is described in today’s other malspam run with Zip attachments*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* http://myonlinesecurity.co.uk/screwfix-copy-of-invoice-a4545945-please-find-your-invoice-attached-fake-pdf-malware/
___

Fake 'new fax delivery svc' – PDF malware
- http://myonlinesecurity.co.uk/we-are-a-new-fax-delivery-service-fake-pdf-malware/
26 Aug 2015 - "A series of emails saying 'We are a new fax delivery service' with the subject reading Fax #[ random characters] from [random name] with a zip attachment is another one from the current bot runs... The email looks like:
You have a fax.
Data sent: Wed, 26 Aug 2015 14:08:41 +0000
TO: [redacted]
*********************************
We are a new fax delivery service – Walker-Gerlach.
Our company develops rapidly and services remain fastest and open to everyone.
As our slogan goes: “Fast. Cheap. Best quality.”
*********************************
-Or-
You have a fax.
Data sent: Wed, 26 Aug 2015 14:06:21 +0000
TO: [REDACTED]
*********************************
We are a new fax delivery service – Hirthe-Bayer.
Our company develops rapidly and services remain fastest and open to everyone.
As our slogan goes: “Fast. Cheap. Best quality.”
*********************************

26 August 2015: fax_jxJ3O9_Walker-Gerlach_Colton Leffler.zip
Extracts to: Invoice East Marta.exe
Current Virus total detections 2/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/87a540174bab81d657b678ef03872a70113db3989609d290776773e9f8f0d62e/analysis/1440598735/

- http://blog.dynamoo.com/2015/08/fake-fax-spam-spoofs-multiple-senders.html
26 Aug 2015 - "... - fake- fax spam comes from random senders - company names and attachment names vary from spam to spam... Attached is a ZIP file combining various elements from the spam (for example, in this case it was fax_AhnxlQ8_Heaney, Vandervort and Hilll_Donny Kub.zip). This contains a malicious executable (e.g. Invoice Lake Janeview.exe) which currently has a 2/56* detection rate at VirusTotal. The Hybrid Analysis report** shows it phoning home to:
197.149.90.166 /260822U/Yd1D3h1R87/0/61-SP1/0/FDMBEFJBMKBEMM
197.149.90.166 /260822U/Yd1D3h1R87/41/5/42/FDMBEFJBMKBEMM
This pattern marks the malware out as being Upatre/Dyre. 197.149.90.166 is an IP address belonging to Cobranet in Nigeria which was also used in a similar attack yesterday.*** "
* https://www.virustotal.com/en/file/93b1f8dbe6a531475b90f1d426e918790960f924180ec3c172f037342f00a4d1/analysis/1440599515/

** https://www.hybrid-analysis.com/sample/93b1f8dbe6a531475b90f1d426e918790960f924180ec3c172f037342f00a4d1?environmentId=1

*** http://blog.dynamoo.com/2015/08/malware-spam-updatevacationsschedule092.html
___

Bank of America Invoice Spam
- http://threattrack.tumblr.com/post/127641667433/bank-of-america-invoice-spam
Aug 26, 2015 - "Subjects Seen
Invoice Annabell Yost
Typical e-mail details:
Dear Customer,
Invoice14768170 from Annabell Yost.
Sincerely,
Ellsworth Abbott
1-100-532-7314
Bank of America PLC.

Screenshot: https://40.media.tumblr.com/b3655d7b077d99d0da5d88c9fce8ba49/tumblr_inline_ntp5auEovG1r6pupn_500.png

Malicious File Name and MD5:
InvoiceFaker__Number.number(5)info_324986219861.exe (276646dc44bb3a2e4bf7ba21f207b5be)

Tagged: bank of america, Upatre

:fear::fear: :mad:

FYI...

Angler Exploit Kit strikes MSN.com via Malvertising Campaign
- https://blog.malwarebytes.org/malvertising-2/2015/08/angler-exploit-kit-strikes-on-msn-com-via-malvertising-campaign/
Aug 27, 2015 - "The same ad network – AdSpirit .de – which was recently abused in malicious advertising attacks against a slew of top media sites was caught serving malvertising on MSN .com. This is the work of the -same- threat actors that were behind the Yahoo! malvertising. The incident occurred when people who where simply browsing MSN’s news, lifestyle or other portals were served with a malicious advertisement that silently loaded the Angler exploit kit and attempted to infect their computers. The ad request came from AppNexus, which loaded the booby-trapped advert from AdSpirit and the subsequent malvertising chain.
Infection chain:
msn .com/en-us/news/politics/dozens-of-clinton-emails-were-classified-from-the-start-us-rules-suggest/ar-BBlXPkl?ocid=iehp (publisher)
lax1.ib.adnxs .com/{redacted} (AppNexus Ad network)
pub.adspirit .de/adframe.php?pid=7&ord=[timestamp]prdclick_0 (AdSpirit Ad network)
trkp-a1009.rhcloud .com/?tr28-0a22 (OpenShift redhat Redirection)
fox23tv .com/?cn67CuYcDcbvV (Same ad but with redirection to malicious URL)
abbezcqerrd.irica.wieshrealclimate .com (iframe to exploit kit)
hapme.viwahcvonline .com (Angler EK landing page)
> https://blog.malwarebytes.org/wp-content/uploads/2015/08/redir_flow.png
This time, rogue actors are leveraging RedHat’s cloud platform, rhcloud .com to perform multiple -redirections- to the Angler exploit kit (in the previous attack they were using Microsoft’s Azure). While we did not collect the malware payload associated with this campaign, we believe it is either Ad fraud or ransomware, Angler’s trademark. Angler has been acting up strange lately, for instance last week it fell out of favour briefly for the Neutrino EK when compromised sites decided to redirect to the latter. Following our report, AppNexus -deactivated- the creative in question and said they were investigating this issue in greater depth..."

viwahcvonline .com: 141.8.224.93: https://www.virustotal.com/en/ip-address/141.8.224.93/information/

> https://www.virustotal.com/en/url/a4c438e0b72054de22350f9d057dd3092d8f4d9644eb20558e0baeb8257f2078/analysis/
___

Fake 'resume' SPAM leads to Cryptowall
- http://blog.dynamoo.com/2015/08/malware-spam-reresume-leads-to.html
26 Aug 2015 at 22:48 - "This -fake- resume spam has a malicious payload. I got part way through decrypting it to discover that @Techhelplistcom had done all the hard bits which saved me some effort. This particular spam delivers a version of the Cryptowall ransomware. In the only sample I saw, the spam looks like this:
From: emmetrutzmoser@ yahoo .com
To:
Date: 26 August 2015 at 23:29
Subject: RE:resume
Signed by: yahoo .com
Hi! my name is Janet Ronald it is my resume!Awaiting your prompt reply
Best regards
Janet Ronald

Attached was a file Janet_Ronald_resume.doc [VT 5/56*] which contains a malicious macro... The format of this message is very similar to this other fake resume spam seen recently[1], and a key feature here is that the message is really sent through Yahoo! and is not a forgery.
1] http://blog.dynamoo.com/2015/08/malware-spam-gabriel-daniel-resume.html
Deobfuscating the macro shows that a file is downloaded from http :// 46.30.46.60 /444.jpg which is then run through a decoding mechanism to create (I think) %APPDATA%\278721985.exe. The Hybrid Analysis report** shows some of this in action, but Techhelplist[2] did the hard work of decrypting it..
> https://4.bp.blogspot.com/-gMHNsx2OEeE/Vd4xLWvpCAI/AAAAAAAAG6U/R7cFcGN5BGE/s1600/cryptowall.png
...
2] https://twitter.com/Techhelplistcom/status/636633492441268224
To save a bit of time, a helpful soul left a note on the VT scan of the fake JPEG which leads to this VT report*** on the actual executable itself, and this then leads to this rather informative Hybrid Analysis report[3] which has some nice screenshots.
3] https://www.hybrid-analysis.com/sample/853ee12c93e294225e9eda9b3dc9434f1bc0e06cb0c393fc3d32d311accbcf3c?environmentId=2
Out of all the IPs and domains listed in those reports, I think these are probably the priorities to block:
46.30.46.60 (Eurobyte, Russia)
linecellardemo .net / 23.229.194.224 (GoDaddy, US)
You might want to block the entire 46.30.46.0/24 range because.. well, Russia really."
* https://www.virustotal.com/en/file/df31db887b398acd01940fc16fc2d33388b366d3707cd96011733b98ddf99402/analysis/1440622900/

** https://www.hybrid-analysis.com/sample/df31db887b398acd01940fc16fc2d33388b366d3707cd96011733b98ddf99402?environmentId=1

*** https://www.virustotal.com/en/file/442b94326e76b1da36799d12f7adc88a419cc30afb21d0c5d1af21c42f732b93/analysis/1440622920/#comments
___

Fake 'Attachement' SPAM – doc/xls malware
- http://myonlinesecurity.co.uk/attachement-word-doc-or-excel-xls-spreadsheet-malware/
27 Aug 2015 - "A -blank- email with the subject of 'Attachement' pretending to come from your own email address with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... DO NOT follow the advice they give to enable macros or enable editing to see the content. Almost all of these malicious word documents appear to be blank or look something like this image when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/protected-view-macros_21.png
The email has a totally empty-blank body and just an XLS Excel spreadsheet attachment:

27 August 2015 : 20131030164403.xls - Current Virus total detections 4/57*
Downloads Dridex banking malware from http ://pintart .pt/43t3f/45y4g.exe (VirusTotal**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/a5228a5e04b79e137c8b8a02781564101864ab3f94d47aadc7e14514340bd78b/analysis/1440669673/

** https://www.virustotal.com/en/file/0c3631f4cb7c6c20d671500f4c3b769457486b5afa0c685920d64c3c7297fb0e/analysis/1440670039/
... Behavioural information
TCP connections
91.239.232.145: https://www.virustotal.com/en/ip-address/91.239.232.145/information/
23.14.92.27: https://www.virustotal.com/en/ip-address/23.14.92.27/information/

pintart .pt: 80.172.241.24: https://www.virustotal.com/en/ip-address/80.172.241.24/information/
___

Fake 'Payslip' SPAM - PDF malware
- http://myonlinesecurity.co.uk/payslip-for-period-end-date-27082015-fake-pdf-malware/
27 Aug 2015 - "'Payslip for period end date 27/08/2015' pretending to come from noreply@ fermanagh. gov.uk with a zip attachment is another one from the current bot runs... The email looks like:
Dear administrator
Please find attached your payslip for period end 27/08/2015
Payroll Section ...

Some emails have arrived malformed-and-damaged and look like:
This is a multi-part message in MIME format.
——————=_Next_25232_7367279505.4684370133215
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Dear ae48852507a
Please find attached your payslip for period end 27/08/2015
Payroll Section ...

27 August 2015: payslip.zip: Extracts to: payslip.scr
Current Virus total detections 3/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/6bfc6e82b5a288ffa91a1cab9dae06c968b3bc36d5fd07d2557f517b79465298/analysis/

- http://blog.dynamoo.com/2015/08/malware-spam-payslip-for-period-end.html
27 Aug 2015 - "... Attached is a file payroll.zip which contains a malicious executable payroll.scr - or it would have done, but in my case the email was malformed and the archive was not attached properly. This executable has a detection rate of 3/56* and the Hybrid Analysis report** indicates that it sends traffic to a server at 197.149.90.166 (Cobranet, Nigeria) which has been used in a few recent attacks and is definitely worth blocking."
* https://www.virustotal.com/en/file/6bfc6e82b5a288ffa91a1cab9dae06c968b3bc36d5fd07d2557f517b79465298/analysis/1440677452/

** https://www.hybrid-analysis.com/sample/6bfc6e82b5a288ffa91a1cab9dae06c968b3bc36d5fd07d2557f517b79465298?environmentId=1

197.149.90.166: https://www.virustotal.com/en/ip-address/197.149.90.166/information/
___

Fake 'Girls List' Spam ...
- https://blog.malwarebytes.org/online-security/2015/08/girls-list-spam-landing-in-mailboxes/
Aug 27, 2015 - "... spammers are changing up their dating site spam tactics a little bit in the wake of the continued Ashley Madison fallout, with the below curious missives landing in spamtraps over the last day or so:
> https://blog.malwarebytes.org/wp-content/uploads/2015/08/crowdspam1.jpg
... emails are identical, and read as follows:
> https://blog.malwarebytes.org/wp-content/uploads/2015/08/crowdspam2.jpg
... well, they -would- read as follows if they had any text in them to read. The emails are entirely -blank- instead offering up two attachments called “girls_list”. A “girl list” would seem to conjure up visions of swiped data and things you’re not supposed to have access to; as it turns out, opening up the .HTML attachment -redirects- you in a browser to a -porn- dating site which splashes... many nude photos around the screen... These emails are already caught by Gmail as spam, but other providers may -not- be flagging them yet. While I’m sure there are lots of fun things you can do with a list, allowing yourself to be redirected-to-porno-spam is probably not one of them and you should avoid these mails. With websites and services jumping on the AM data bandwagon*, it’s clear that anything involving dating and lists is going to be a hot topic for some time to come. Don’t fall for it."
* http://www.troyhunt.com/2015/08/ashley-madison-search-sites-like.html
24 Aug 2015 - "... harvesting email addresses and spamming searched victims..."
___

Malvertising campaigns increase 325%
- http://net-security.org/malware_news.php?id=3088
26.08.2015 - "Cyphort* investigated the practices used by cyber criminals to inject malicious advertisements into legitimate online advertising networks. Researchers found that malvertising campaigns carried out by hackers increased 325 percent in the past year... The problem of malvertising isn’t going away and cyber criminals will continue finding ways to monetize their attacks. According to the Association of National Advertisers, ad-fraud will cost global advertisers more than $6 billion in 2015..."
* http://www.cyphort.com/category/malvertising/

:fear::fear: :mad:

FYI...

Fake 'Payment Receipt' SPAM – xls malware
- http://myonlinesecurity.co.uk/dartford-crossing-payment-receipt-excel-xls-spreadsheet-malware/
28 Aug 2015 - "'Payment Receipt' pretending to come from donotreply@ dartford-crossing-charge.service .gov.uk with a malicious Excel XLS spreadsheet attachment is another one from the current bot runs... DO NOT follow the advice they give to enable macros or enable editing to see the content. Almost all of these malicious word documents appear to be blank or look something like this image when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/protected-view-macros_21.png

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/daerford-crossing-Payment-Receipt.png

28 August 2015: PaymentReceipt.xls - Current Virus total detections 5/56*:
Downloads Dridex banking malware from http ://cheaplaptops.pixub .com/3453/5fg44.exe (VirusTotal**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/d15299c96ed5d869cfb53e42f39e2565b4c080ddb7f45dc7f178841d4b41bf8c/analysis/1440757199/

** https://www.virustotal.com/en/file/f04faffe8884d590a471c64b85f3240c1ed63b3b026faea98bfa1298c3d0b8fc/analysis/1440756592/
... Behavioural information
TCP connections
91.239.232.145: https://www.virustotal.com/en/ip-address/91.239.232.145/information/
23.14.92.35: https://www.virustotal.com/en/ip-address/23.14.92.35/information/
91.239.232.9: https://www.virustotal.com/en/ip-address/91.239.232.9/information/
31.131.251.33: https://www.virustotal.com/en/ip-address/31.131.251.33/information/

pixub .com: 93.188.160.103: https://www.virustotal.com/en/ip-address/93.188.160.103/information/
___

Dropbox Spam
- http://threattrack.tumblr.com/post/127784805983/dropbox-spam
Aug 28, 2015 - "Subjects Seen:
Brad Waters shared “TP Resignation Letter 2.pdf” with you
Reed Contreras shared “TP Resignation Letter 2.pdf” with you
Typical e-mail details:
Brad used Dropbox to share a file with you!
Click here to view.

Screenshot: https://40.media.tumblr.com/5e54ebbf60e08681eabf792e77c83982/tumblr_inline_ntslh2x8Os1r6pupn_500.png

Malicious URLs:
newyearpartyistanbul .com/securestorage/getdocument.html
Malicious File Name and MD5:
TP Resignation Letter 2.scr (90a60d95b2f0db6722755e535e854e82)

Tagged: Dropbox, Upatre

newyearpartyistanbul .com: 93.89.224.6: https://www.virustotal.com/en/ip-address/93.89.224.6/information/

:fear::fear: :mad:

FYI...

Fake 'FedEx delivery problem' SPAM – JS malware
- http://myonlinesecurity.co.uk/fedex-shipment-delivery-problem-0000639746-js-malware/
31 Aug 2015 - "An email with the subject of 'Shipment delivery problem #0000639746' pretending to come from FedEx... with a zip attachment that extracts to a JS file is another one from the current bot runs...The content of the email says :
Dear Customer,
Your parcel has arrived at August 28. Courier was unable to deliver the parcel to you.
Please, open email attachment to print shipment label.
Yours faithfully,
Jeffrey Kendall,
Operation Agent.

31 August 2015: FedEx_ID_0000639746.zip: Extracts to: FedEx_ID_0000639746.doc.js
Current Virus total detections 17/57*. I am not getting any payload via the automatic analysers so far although Wepawet indicates it connects to one of these sites:
selmaryachtmarket .com
riggst .com
harmacrebar .com ...

Update: managed to get the malware 92305548.exe (VirusTotal**) and ba892f004ed[1].gif (VirusTotal***)

The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/bbf7013ea5a379a5baac93fdf6e2e26a344d1914382038127ebf763610e7b5c5/analysis/1441042826/

selmaryachtmarket .com: 174.137.191.22: https://www.virustotal.com/en/ip-address/174.137.191.22/information/
riggst .com: 108.175.152.86: https://www.virustotal.com/en/ip-address/108.175.152.86/information/
harmacrebar .com: 96.31.35.62: https://www.virustotal.com/en/ip-address/96.31.35.62/information/

** https://www.virustotal.com/en/file/aee17eb41e299114b62d19c2fa1fedca08be956b284fa7cb923350e523c39f7e/analysis/1441044798/
0/57

*** https://www.virustotal.com/en/file/4f74781a1ff472f8f7e5c5efac9cb9d93c839646d0f3e89b232b199a7f613fe0/analysis/1441029511/
1/56

:fear::fear: :mad:

FYI...

Fake 'Private message' SPAM - malicious attachment
- http://blog.dynamoo.com/2015/09/malware-spam-private-message.html
1 Sep 2015 - "This spam comes with a malicious attachment:
From: Adrien Abbott
Date: 1 September 2015 at 12:34
Subject: Private message notification 41447
You've received a private message. Please open the attached to view it.
Adrien Abbott
Chief Tactics Executive
home: 1-583-761-3793
work: 380.022.2492
twitter: @nicole
skype: nicole
messenger: nicole

I have only seen a single sample of this spam, and the attachment was not formatted properly making it harmless, however other -variants- could be more dangerous. If properly decoded, the attachment should have been named 89867740_Torphy and Sons_Adrien Abbott.zip containing a malicious executable jodie_okonofficia-quo.exe. This executable has a VirusTotal detection rate of just 2/56*, the Hybrid Analysis report** shows network activity consistent with this being Upatre dropping the Dyre banking trojan, with communications made to:
197.149.90.166 (Cobranet, Nigeria)
..which is an IP that has been used several times for this sort of attack recently and is worth blocking. The report details other IP addresses too, but this seems to be the key one to block or monitor."
* https://www.virustotal.com/en/file/8092a0200a1fbc9e1917aa58483af308120f22fe750e83ba944e0adfe7d51bc5/analysis/1441111004/

** https://www.hybrid-analysis.com/sample/8092a0200a1fbc9e1917aa58483af308120f22fe750e83ba944e0adfe7d51bc5?environmentId=1

- http://myonlinesecurity.co.uk/private-message-notification-fake-pdf-malware/
1 Sep 2015 - "... random names and email addresses from with a zip attachment is another one from the current bot runs... -hundreds- of other names. All details in the body of the email are random. The alleged sender matches the name in the body of the email and the attachment contains those names as well...
1 September 2015: 27121259_Zemlak-Rodriguez_Hans Mohr.zip: Extracts to: velmasuscipit.incidunt.exe
Current Virus total detections 1/57*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/27c1a31c9896a8f9fd6e62265934dcba3d6842c7b45932d1dad77ebe6701a73b/analysis/1441109597/
___

Fake 'Complaint notice' SPAM – PDF malware
- http://myonlinesecurity.co.uk/complaint-notice-fake-pdf-malware/
1 Sep 2015 - "Following on from the earlier malspam run* we now have a series of emails with the subject of 'Complaint notice' [random numbers] also coming from random names and email addresses with a zip attachment is another one from the current bot runs...
* http://myonlinesecurity.co.uk/private-message-notification-fake-pdf-malware/
The content of the email says :
This is a complaint notification. Full details attached. Please notify us within 24 hours with taken actions.
Martine McDermott
Lead Metrics Designer
T: (104) 644-7068
F: 174.118.9422
-Or-
This is a complaint notification. Full details attached. Please notify us within 24 hours with taken actions.
Jordane Emard
Internal Intranet Designer
T: 576-698-2292
F: 1-167-549-0752

And -hundreds- of other names. All details in the body of the email are random. The alleged sender matches the name in the body of the email and the attachment contains those names as well...
1 September 2015: 8961683689_Bahringer-Jacobs_Martine McDermott.zip:
Extracts to: alekvoluptatibus-at.exe
Current Virus total detections 2/57*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/09873fd725eb7a1d7ea7914afc41c854627179b7371607251923fe0f7c5b17e5/analysis/1441122287/

- http://blog.dynamoo.com/2015/09/malware-spam-complaint-of-your-internet.html
1 Sep 2015 - "This spam comes with a malicious attachment:
From: Margret Kuhic
Date: 1 September 2015 at 16:10
Subject: Complaint of your Internet activity
This is a complaint notification. Full details attached. Please notify us within 24 hours with taken actions.
Margret Kuhic
Dynamic Communications Agent
T: 1-679-732-5379
F: 100.173.9045

All the sames I have seen have a corrupt attachment which is Base 64 encoded, it is possible that other people might receive a -valid- attachment though. The attachment was meant to be 723296788_Marquardt-Bailey_Margret Kuhic.zip containing the malicious executable june_stiedemannmolestiae.et.exe which has a VirusTotal detection rate of 2/56*. This Hybrid Analysis report** shows it to be just another variant of Update/Dyre with the same characteristics as the malspam seen earlier today***, sending traffic to an IP that I suggest you -block- or monitor:
197.149.90.166 (Cobranet, Nigeria)
Some other subjects spotted include:
Complaint notification 50646
Infringement of your Internet activity
Infringement notification 51494 "
* https://www.virustotal.com/en/file/17795e0988bd3a5326ef445c5d35a2e30c8b5bbad0e90d3242573f16e4e52e17/analysis/1441121661/

** https://www.hybrid-analysis.com/sample/17795e0988bd3a5326ef445c5d35a2e30c8b5bbad0e90d3242573f16e4e52e17?environmentId=1

*** http://blog.dynamoo.com/2015/09/malware-spam-private-message.html
___

Fake 'ACH rejection' SPAM – PDF malware
- http://myonlinesecurity.co.uk/ach-rejection-due-to-system-malfunctioning-fake-pdf-malware/
1 Sep 2015 - "An email with the subject of 'ACH rejection due to system malfunctioning' pretending to come from The ACH Network <Stevie.Espinoza@ nacha .org> with a link to download a zip attachment is another one from the current bot runs... The content of the email says :
ACH PAYMENT CANCELLED
The ACH Transaction (ID: 86440585067071), recently sent from your savings account (by you or any other person), was CANCELLED by other financial institution.
Rejection Reason: See details in the report below
Transaction Report: New Banking Details.pdf (Adobe Reader PDF)
13450 Sunrise Valley Drive, Suite 100
Herndon, VA 20171
2014 NACHA – The Electronic Payments Association

The link in the email sends you to http ://cheenichetty .com/securestorage/get_document.html where a zip file is downloaded automatically and you are -bounced- immediately to Dropbox and you think you were on Dropbox the whole time. These 'NACHA/ACH/The Electronic Payments Association payment cancelled' or 'payment rejected' emails are a persistent method of trying to deliver malware to your computer...
1 September 2015: New Banking Details.zip: Extracts to: New Banking Details.scr
Current Virus total detections 6/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/58e9c8f22f7d06cff615fb95ecdc201d902bf15c078ca2c9130e3a8d1926439f/analysis/1441127390/

cheenichetty .com: 160.153.50.129: https://www.virustotal.com/en/ip-address/160.153.50.129/information/
___

Your Worst Day In IT
- http://www.darkreading.com/partner-perspectives/tenable/your-worst-day-in-it/a/d-id/1321999
9/1/2015 - "At VMworld 2015 in San Francisco, I roamed the floor with a camera asking attendees, "What was your worst day in IT?" When we initially came up with this question, we thought everyone's worst day would have something to do with a security breach or malware. Turns out that hardware failures and human error are far more common. As much as we talk about threat protection, what we really need to watch out for is our equipment and ourselves."

:fear::fear: :mad:

FYI...

Fake 'toll road invoice' SPAM – JS malware
- http://myonlinesecurity.co.uk/pay-for-driving-on-toll-road-invoice-00212297-js-malware/
2 Sep 2015 - "An email with the subject of 'Pay for driving on toll road, invoice #00212297' [ random numbered] pretending to come from E-ZPass Agent with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/09/Pay-for-driving-on-toll-road-invoice-00212297-1024x476.png

2 September 2015: E-ZPass_00212297.zip: Extracts to: E-ZPass_00212297.doc.js
Current Virus total detections 2/57* which downloads 2 files 51053011.exe (virus total**) and 9360abf00281f3aa[1].gif (VirusTotal***) from a combination of these 3 sites
ihaveavoice2 .com
leikkihuone .com
etqy .com
... the 51053011.exe has a stolen digital signature from ESET Antivirus, which has been blocked and at least in Internet Explorer, Smart Filter warns about an invalid digital signature and blocks the file. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/15c7846d81bfb2b62431d57ee39e12e0cc30ba907d7281a162181c8b430078d1/analysis/1441173827/

** https://www.virustotal.com/en/file/925b2e615c7c34c1020285ffd56b90d0a357f84aad008e51bc6a1770e693915b/analysis/1441160077/

*** https://www.virustotal.com/en/file/873ac56a261e84a5b23f43d5383d712964bec0d27c808339a52ac2698dd608e7/analysis/1441173275/

ihaveavoice2 .com: 50.116.104.205: https://www.virustotal.com/en/ip-address/50.116.104.205/information/
leikkihuone .com: 23.91.123.160: https://www.virustotal.com/en/ip-address/23.91.123.160/information/
etqy .com: "... query for etqy .com failed"
___

Fake 'order cancelled' SPAM - PDF malware
- http://myonlinesecurity.co.uk/the-shipment-of-your-ordered-goods-is-impossible-fake-pdf-malware/
2 Sep 2015 - "An email with the subject of 'The shipment of your ordered goods is impossible' pretending to come from random companies with a zip attachment is another one from the current bot runs... The content of the email says :
Hello!
Unfortunately, the delivery of you order # 003313 was cancelled since
the specified address of the recipient was not correct. You’re recommended to
complete the attached form and send it back or print it and get this package
on your own at our office.
Alf Gottlieb, Corporate Intranet Director ...
-Or-
Hello!
Unfortunately, the delivery of you order # 4534481 was cancelled since
the specified address of the recipient was not correct. You’re recommended to
complete the attached form and send it back or print it and get this package
on your own at our office.
Arnoldo Strosin, Dynamic Markets Producer

And hundreds of other random names and job titles and companies. Some of the subjects in this series of emails include:
The shipment of your ordered goods is impossible
The delivery of your ordered goods isn’t finished
The shipment of your parcel is impossible
The shipping of your parcel is impossible to complete
The shipping of your items has failed
The shipping of your items isn’t finished
The delivery of your items was cancelled
The shipping of your goods is impossible
The delivery of your parcel has failed ...
2 September 2015: orderHayes Flat.zip: Extracts to: orderYost Dale.exe
Current Virus total detections 1/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/181abcb33da097a74629da8e8ab270f02f99683700fa29051e234e6e2a614831/analysis/1441191343/
___

Fake 'Companies House' SPAM – PDF malware
- http://myonlinesecurity.co.uk/companies-house-webfiling-service-fake-pdf-malware/
2 Sep 2015 - "Another perennial email that constantly does the rounds has a subject matter about 'Companies House WebFiling service' and pretends to be either a complaint or a filing acknowledgement. They come with a zip attachment which is another one from the current bot runs... The content of the email says :
This message has been generated in response to the company complaint submitted to Companies House WebFiling service.
(CC01) Company Complaint for the above company was accepted on 02/09/2015.
The submission number is 1GS31QZLMK1BCRG
Please quote this number in any communications with Companies House.
All WebFiled documents are available to view / download for 10 days after their original submission. However it is not possible to view copies of accounts that were downloaded as templates.
Not yet filing your accounts online? See how easy it is…
Note: reference to company may also include Limited Liability Partnership(s).
Thank you for using the Companies House WebFiling service.
Service Desk tel +44 (0)303 1234 500 or email...
Note: This email was sent from a notification-only email address which cannot accept incoming email. Please do not reply directly to this message.

2 September 2015: Case_1GS31QZLMK1BCRG.zip: Extracts to: Case_081415.scr
Current Virus total detections 2/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/2fbc98468f5486be0dba974aa0d5ac3488bb60fee454a297b159655f3796de7b/analysis/1441193027/

:fear::fear: :mad:

FYI...

Malvertising found on Dating Site Match[dot]com
- https://blog.malwarebytes.org/malvertising-2/2015/09/malvertising-found-on-dating-site-matchdotcom/
Sep 3, 2015 - "In an attack similar to the one that happened last month on PlentyOfFish, the UK version of online dating site Match .com was caught serving malvertising. Both companies are actually related since the Match Group bought out POF.com last summer. This latest malvertising incident is the work of the same gang using Google shortened URLs leading to the Angler exploit kit.
Infection flow:
Initial URL: uk.match .com/search/advanced_search.php
Malvertising: tags.mathtag .com/notify/js?exch={redacted}&price=0.361
Malvertising: newimageschool .com/adframe/banners/serv.php?uid=215&bid=14&t=image&w=728&h=90
Malicious Redirector: goo .gl/QU2x0w
Exploit Kit (Angler): med.chiro582help .com/carry.shtm?{redacted}
> https://blog.malwarebytes.org/wp-content/uploads/2015/09/math.png
The malvertising goes through a Goo.gl shortened URL (already blacklisted) that loads the Angler exploit kit:
> https://blog.malwarebytes.org/wp-content/uploads/2015/09/google.png
Angler EK is known to serve the Bedep ad fraud Trojan as well as CryptoWall ransomware. The cost per thousand impressions (CPM) for the booby trapped ad was only 36 cents, which is nothing compared to how much infected computers can bring in terms of revenues. For instance, CryptoWall demands $5oo per victim. We alerted Match .com and the related advertisers but the malvertising campaign is still-ongoing via other routes."

chiro582help .com: 74.207.227.69: https://www.virustotal.com/en/ip-address/74.207.227.69/information/
___

Fake 'chat history' SPAM – PDF malware
- http://myonlinesecurity.co.uk/you-need-to-read-this-chat-history-fake-pdf-malware/
3 Sep 2015 - "An email with the subject of 'You need to read this chat history' coming from random senders and email addresses from with a zip attachment is another one from the current bot runs... The content of the email says :
Good day!
You should know this. View the chat history that I’ve attached. Remember
it’s strongly confidential, so please don’t show it to anyone.
Mrs. Edmund Schultz | (859) 913-2400
Toys | Hackett-Kiehn

And hundreds of other random names, email addresses, phone numbers and companies. Other subjects in this series include:
You should view this correspondence
Please view this correspondence
You need to view it
Please see it
You need to review this information
You need to review this chat history
Please see this messages
You need to read this chat history
You should read this messages
You should view this correspondence
And hundreds of other similar variations on the theme of messages and chat history...
3 September 2015: history Ward LockUG.zip: Extracts to: history Chelsea VillagePY.exe
Current Virus total detections 2/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/256cbf204f7b7c73cc896a27ac8dd11e582872fc675065ddff985d92ee8ace33/analysis/1441271691/
___

Fake 'Invoice / credit note' SPAM - PDF malware
- http://myonlinesecurity.co.uk/invoice-or-credit-note-from-random-companies-fake-pdf-malware/
3 Sep 2015 - "The latest set of -Upatre- downloader emails are 'Invoice' or 'credit note' from random companies. An email with the subject of 'Invoice INV-91659 from [random company]' for [Your web domain] (random numbers) or 'Credit Note CN-85402 from [random company]' for [Your web domain] (random numbers) pretending to come from Accounts with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/09/Invoice-INV-96032-from-Pharmacia-Corp-for-thespykiller.co_.uk-0394-1024x493.png

3 September 2015: Invoice INV-91659.zip: Extracts to: Invoice.scr
Current Virus total detections 1/56 . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/cd1164f4f319bf558d75528116bff0bbf8319153042a9f56dd79098ca334e5f8/analysis/1441279729/
___

Fake 'Lloyds Bank' SPAM – PDF malware
- http://myonlinesecurity.co.uk/customer-account-correspondence-lloyds-bank-commercial-finance-fake-pdf-malware/
3 Sep 2015 - "An email with the subject of 'Customer Account Correspondence' pretending to come from Lloyds Bank Commercial Finance <customermail@ lloydsbankcommercialfinance .co.uk> with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/09/Customer-Account-Correspondence-1024x490.png

3 September 2015: Lloyds-Commercial_Documents.zip: Extracts to: Lloyds-Commercial_Documents.scr
Current Virus total detections 3/56 . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/cd1164f4f319bf558d75528116bff0bbf8319153042a9f56dd79098ca334e5f8/analysis/1441281692/
___

Fake 'overdue balance' SPAM – PDF malware
- http://myonlinesecurity.co.uk/overdue-balance-from-random-companies-fake-pdf-malware/
3 Sep 2015 - "Following on from the earlier -Upatre- downloaders, the latest set of emails are about an overdue balance from random companies. An email with the subject of 'Urgent' e-mail letter of 'overdue balance' or 'Important reminder notice about outstanding balance' or very similar wording with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/09/Important-reminder-letter-about-outstanding-remittances-1024x314.png

Some of the subjects so far seen include:
Important reminder letter about outstanding remittances
Urgent e-mail letter of overdue balance
Important reminder letter about outstanding remittances
Urgent letter of past due balance
Urgent reminder about your delinquent balance
Important reminder notice of delinquent remittances
Urgent reminder about outstanding balance ...
3 September 2015: documents Heidenreich MillsDE.zip: Extracts to: documents Stark LodgeFR.exe
Current Virus total detections 2/55* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/61117160bb1981f2668da4dc2592255e0ebba9db26ee0f00aaf076896ffc23eb/analysis/1441291670/
___

Fake 'Canadian Bank' SPAM - PDF malware
- http://myonlinesecurity.co.uk/you-have-received-a-secure-e-mail-vous-avez-reu-un-courriel-protg-canadian-imperial-bank-of-commerce-fake-pdf-malware/
3 Sep 2015 - "An email with the subject of 'You have received a secure e-mail / Vous avez reu un courriel protégé' pretending to come from Canadian Imperial Bank of Commerce <noreply@ cibc .com> with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/09/CIBC-You-have-received-a-secure-e-mail-1024x580.png

3 September 2015: SecureMail.zip: Extracts to: SecureMail.scr
Current Virus total detections 6/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/5bc46a26cb91f90e1fb53c09468a17fda00e23ba3584d7faa6803b70ac47f4d9/analysis/1441298777/
___

Skype Spam...
- https://blog.malwarebytes.org/fraud-scam/2015/09/steer-clear-of-this-skype-spam/
Sep 3, 2015 - "Over the last few weeks, there’s been a spam campaign taking place on Skype which involves the following steps:
> Scammers use an automated technique to break old/weak Skype passwords (this has been contested by Skype users in that forum thread*).
* http://community.skype.com/t5/Security-Privacy-Trust-and/Spoofed-message-from-contact/m-p/4038620#M47813
> They then use these accounts to send spam messages to contacts.
> The spam frequently hides the “real” destination by providing (say) a Baidu search engine link instead – along with the Skype Username of the person who clicked the link in the URL.
> The websites the “masked” URls lead to tend to use redirects – it’s possible they’ve been compromised – before dumping the end-user on a diet spam page.
Here’s an example of the spam currently going around:
>> https://blog.malwarebytes.org/wp-content/uploads/2015/09/skypespam0.jpg
“Hi [username] | baidu(dot)com/[URL string] advise”
Below you can see the initial landing page, the final destination and a screenshot of a Fiddler log:
> https://blog.malwarebytes.org/wp-content/uploads/2015/09/skypespam3.jpg
...
> https://blog.malwarebytes.org/wp-content/uploads/2015/09/skypespam2.jpg?w=564
If your Skype password is in need of a spring clean... feel free to check out the list of hints and tips on the Skype Security page**."
** https://www.skype.com/en/security/

:fear::fear: :mad:

FYI...

Fake 'RE:resume' SPAM / Cryptowall
- http://blog.dynamoo.com/2015/09/malware-spam-reresume-aka-what-happened.html
4 Sep 2015 - "This -fake- résumé spam leads to ransomware:
From: fredrickkroncke@ yahoo .com
Date: 5 September 2015 at 03:50
Subject: RE:resume
Signed by: yahoo.com
Hi my name is Teresa Alexander attach is my resume
Awaiting your prompt reply
Kind regards
Teresa Alexander

The attached document in this case is Teresa_Alexander_resume.doc, which upon opening asks you to enable active content:
> https://1.bp.blogspot.com/-f1xY7yoduuE/Ven599VsUyI/AAAAAAAAG88/qDKaCyJKegs/s1600/protected-document.png
Following these steps would be a Very-Bad-Idea as the malware would encrypt all your files on the disk. This malicious DOC file itself has a VirusTotal detection rate of 4/56*.
The Hybrid Analysis report** shows pretty clearly what is going on. An infection sequence begins, with the following domains and IPs contacted:
46.30.46.117 [Eurobyte LLC, Russia)
186.202.153.84 (gaiga .net)
192.186.235.39 (satisgoswamicollege .org)
52.88.9.255 (entriflex .com)
23.229.143.32 (eliasgreencondo .com)
-Blocking- those domains and IPs may be enough to stop the ransomware working. The malicious macro in the document drops a file carved_0.exe which has a detection rate of 4/56***.
Once the machine is infected, various "What happened to your files?" messages pop up, such as this one (from the Hybrid Analysis report):
> https://3.bp.blogspot.com/-KrTiQq4qfks/Ven8lPdB9_I/AAAAAAAAG9I/F61pWEz3pDM/s1600/cryptowall2.png
This further references another bunch of domains that you might want to -block- especially in a corporate environment:
namepospay .com
optiontosolutionbbs .com
optionpay2all .com
democraticash .com
This further Hybrid Analysis report**** on the dropped binary also identifies the following malicious site:
68.178.254.208 (erointernet .com)
... it is worth noting that the malware attempts to identify the IP address of the infected system by visiting ip-addr .es - although this is -not- a malcious site, you can consider it to be a potential indicator of compromise. The payload here is Cryptowall 3.0 and as is typical, removing the malware is easy.. but decrypting the files without paying the ransom is fearsomely difficult.
Recommended blocklist:
46.30.46.0/24
gaiga .net
satisgoswamicollege .org
entriflex .com
eliasgreencondo .com
erointernet .com
namepospay .com
optiontosolutionbbs .com
optionpay2all .com
democraticash .com "
* https://www.virustotal.com/en/file/6617b8f15f9dc0cec8928421497d9843d06b62d156385cda8a87a15d09f3897f/analysis/1441396906/

** https://www.hybrid-analysis.com/sample/17ea45dc9784c14a5ffe3a157491de981accad527915b1a807c289e6ceb0c06c?environmentId=1

*** https://www.virustotal.com/en/file/6617b8f15f9dc0cec8928421497d9843d06b62d156385cda8a87a15d09f3897f/analysis/1441396906/

**** https://www.hybrid-analysis.com/sample/6617b8f15f9dc0cec8928421497d9843d06b62d156385cda8a87a15d09f3897f?environmentId=1
___

Fake 'reservation confirmed' SPAM - PDF malware
- http://myonlinesecurity.co.uk/your-reservation-is-now-confirmed-booking-com-fake-pdf-malware/
4 Sep 2015 - "An email with the subject of 'Your reservation is now confirmed!' pretending to come from Booking .com with a zip attachment is another one from the current bot runs... The content of the email says:
Thanks! Your reservation is now confirmed.
To view additional information about your reservation, please open the attachment.
Booking number: 376627092
PIN Code: 6524
Email: [Redacted]
Your reservation: 1 night, 1 room
Check in: Saturday, September 05, 2015
(2:00 pm – 00:00 am)
Check out: Sunday, September 06, 2015
(until 12:00 pm)
Superior Double Room £1,799.68
VAT (20%) included £449.92
Total Price £2,249.60
Please note: additional supplements (e.g. extra bed) are not added to this total.
The total price shown is the amount you will pay to the property. Booking.com does not charge any reservation, administration or other fees.
You can easily change or cancel this booking for free before September 05 – 2015, to cancel or modify your reservation please complete the attached form and fax it to:
+1 888 850 5250
Have a great trip!
– The Booking.com Team
Copyright 1996 – 2013 Booking .com. All rights reserved.
This email was sent by Booking .com, Herengracht 597, 1017 CE Amsterdam, Netherlands

4 September 2015: Booking number 376627092.zip: Extracts to: Booking.scr
Current Virus total detections 6/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/07c3a23facdc59ae8ea8b07da3165c8adb5b448664a2eeb2575423f7c97b9e26/analysis/1441343056/
___

Fake 'account security' SPAM
- http://myonlinesecurity.co.uk/important-system-notification-about-account-security/
4 Sep 2015 - "An email with the subject of 'Important system notification about account security' coming from random companies and random email addresses with a zip attachment is another one from the current bot runs... However the attachment is defective and corrupt. If previous experience is anything to go by, the bad guys controlling the botnet will soon realise their mistake and send out a new batch of -working- emails and attachments. The content of the email says:
This is an automatically generated security system alert. It happens when something goes wrong with your account.
To view full details, please open the attached report.
Mrs. Myriam Dach
tel: 1-606-773-7379
Email : cyineosoy5964lqw@ allpromoprint .com

... other subjects include:
Notice concerning your account
Important system notification about your account protection ...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
___

Fake 'Order' SPAM - PDF malware
- http://myonlinesecurity.co.uk/order-is-finished-fake-pdf-malware/
4 Sep 2015 - "An email with the subject of 'Order is finished' coming from random companies and random email addresses with a zip attachment is another one from the current bot runs... The content of the email says :
Hello!
Many thanks for purchasing! Please retain attached transaction summary for your records.
Please do not respond to this e-mail message. It’s automatically generated.
Terence Kilback
tel: 936.953.8037
Lehner LLC
Email: ...

Other subjects in this series of emails include:
Your purchase is finished
Your order is finished
Your purchase is confirmed ...
4 September 2015: Krystel StreetMT_report.zip: Extracts to: Tristin LandBL_report.exe
Current Virus total detections 5/57 . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/203cfc5d93c887c20ae22812b7d33b229a768ac9fd9d7f2c3ada67ecaa48c50d/analysis/1441384453/

:fear::fear: :mad:

FYI...

Fake 'Court appearance' SPAM - JS malware
- http://myonlinesecurity.co.uk/notice-of-appearance-in-court-js-malware/
5 Sep 2015 - "An email with the subject of 'Notice of appearance in Court #0000440904' [random numbered] pretending to come from County Court with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/09/Notice-of-appearance-in-Court-0000440904.png

5 September 2015: 0000440904.zip: Extracts to: 0000440904.doc.js
Current Virus total detection 9/57* ... which downloads 2 files 14136619.exe (Virus total**) and 1e0e6fda2680957[1].gif (VirusTotal***) from a combination of these 3 sites:
selmaryachtmarket .com
fibrasinteticafm .com
laterrazzafiorita .it
... None of the automatic analysers even mention any reference to digital signatures whatsoever: Hybrid Analysis Win8.1 [1] | Hybrid Analysis Win 7 [2] | MALWR [3]
This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/1327708cb19e41778db7bb9327e2bb7b2ae1753cb7b0dff62e89846d5c9ae73e/analysis/1441437273/

** https://www.virustotal.com/en/file/2e63237cba07498e9ba0c5958e264c94aebf6a93432edb9c9f9f3e998860dc26/analysis/1441413005/

*** https://www.virustotal.com/en/file/753b137ff616a5a4b7ddf0117df2d3bdb375bffecbf8de8e8f0de910aa1c8474/analysis/1441438363/

1] https://www.hybrid-analysis.com/sample/2e63237cba07498e9ba0c5958e264c94aebf6a93432edb9c9f9f3e998860dc26?environmentId=3

2] https://www.hybrid-analysis.com/sample/2e63237cba07498e9ba0c5958e264c94aebf6a93432edb9c9f9f3e998860dc26?environmentId=1

3] https://malwr.com/analysis/ZDE5ODQxNTU1MWYxNGZkOTllNDA1NWMzNTM2ZGU1OTY/

selmaryachtmarket .com: 174.137.191.22: https://www.virustotal.com/en/ip-address/174.137.191.22/information/
fibrasinteticafm .com:
54.228.191.204: https://www.virustotal.com/en/ip-address/54.228.191.204/information/
45.55.195.124: https://www.virustotal.com/en/ip-address/45.55.195.124/information/
177.71.183.219: https://www.virustotal.com/en/ip-address/177.71.183.219/information/
54.241.242.142: https://www.virustotal.com/en/ip-address/54.241.242.142/information/
54.83.41.200: https://www.virustotal.com/en/ip-address/54.83.41.200/information/
177.71.188.70: https://www.virustotal.com/en/ip-address/177.71.188.70/information/
laterrazzafiorita .it: 208.43.65.115: https://www.virustotal.com/en/ip-address/208.43.65.115/information/
___

UK bank phish-sites on teamhelpers .com
- http://myonlinesecurity.co.uk/uk-bank-phishing-sites-on-teamhelpers-com/
5 Sep 2015 - "I received a couple of -phishing- emails this morning that both lead to UK bank phishing sites on teamhelpers .com. So far I have seen one for Halifax Bank and one for Lloyds Bank. The subjects include 'Your Halifax online banking needs updating' and 'Your Lloyds online banking needs updating'. I would not be at all surprised to find out that there are many other different UK bank phishing sites on teamhelpers .com. I just haven’t found them yet...

Screenshot1: http://myonlinesecurity.co.uk/wp-content/uploads/2015/09/Your-Halifax-online-banking-needs-updating-1024x610.png

Screenshot2: http://myonlinesecurity.co.uk/wp-content/uploads/2015/09/Your-Lloyds-online-banking-needs-updating-1024x612.png

They are both common subjects in a bank phishing attempt. We see them pretending to be from PayPal and your Bank or Credit Card, with a message saying some thing like :
There have been unauthorised or suspicious attempts to log in to your account, please verify
Your online banking needs updating
Your account has exceeded its limit and needs to be verified
Your account will be suspended !
You have received a secure message from < your bank>
We are unable to verify your account information
Update Personal Information
Urgent Account Review Notification
We recently noticed one or more attempts to log in to your PayPal account from a foreign IP address
Confirmation of Order
... These will NEVER be genuine emails from PayPal or Your Bank so don’t ever follow the link-in-the-email which leads to a website that looks at first glance like the genuine bank website. This particular phishing campaign starts with an email with-a-link. In this case to a newly created base domain teamhelpers .com Which is hosted on Godaddy .com... you would be very hard-pressed to tell the difference from the -fake- one and the genuine site. The only way is look at the address bar and in the -Genuine- bank site, when using Internet Explorer the entire address bar is in green. (in Chrome or Firefox, only the padlock symbol on the left of the browser is green)... This either means that the new domain has been hacked already due to insecurities in the site software and Godaddy servers or more likely that the entire site was set up to act as a -fraud- site and Godaddy are not being as efficient and proactive as they should be with weeding out fake registrations..."

Phish1: http://myonlinesecurity.co.uk/wp-content/uploads/2015/09/halifax_teamhelpers-1024x678.png

Phish2: http://myonlinesecurity.co.uk/wp-content/uploads/2015/09/lloyds_teamhelpers-1024x707.png

Genuine: http://myonlinesecurity.co.uk/wp-content/uploads/2015/09/Halifax_real_site-1024x672.png

teamhelpers .com: 107.180.41.152: https://www.virustotal.com/en/ip-address/107.180.41.152/information/

:fear::fear: :mad:

FYI...

Fake 'Companies House' SPAM - malicious attachment
- http://blog.dynamoo.com/2015/09/malware-spam-companies-house.html
7 Sep 2015 - "This spam does -not- come from Companies House, but is instead a simple forgery with a malicious attachment:
From "Companies House" [WebFiling@ companieshouse .gov.uk]
Date Mon, 7 Sep 2015 12:40:01 +0100
Subject RE: Case 0676414
The submission number is: 0676414
For more details please check attached file.
Please quote this number in any communications with Companies House.
All Web Filed documents are available to view / download for 10 days after their
original submission. However it is not possible to view copies of accounts that
were downloaded as templates.
Companies House Executive Agency may use information it holds to prevent
and detect fraud. We may also share such information, for the same purpose,
with other Organizations that handle public funds.
If you have any queries please contact the Companies House Contact Centre
on +44 (0)303 1234 500 or email enquiries@ companies-house .gov.uK
Note: This email was sent from a notification-only email address which cannot
accept incoming email. Please do not reply directly to this message...

The "case number" is random, and is reflected in the name of the attachment (in this case Case_0676414.zip) which in turn contains a malicious executable Case_0043258.scr which has an icon to make it look like a PDF file. This executable has a detection rate of 4/56*. The Hybrid Analysis report** shows that it communicates with 197.149.90.166 (Cobranet, Nigeria) which has been seen handling malicious traffic for the past couple of weeks. The payload is Upatre/Dyre."
* https://www.virustotal.com/en/file/c7a6bb9475912a7534deed4bba564b4f42152e4bd0ade5c087d77df6aa983252/analysis/1441627466/

** https://www.hybrid-analysis.com/sample/c7a6bb9475912a7534deed4bba564b4f42152e4bd0ade5c087d77df6aa983252?environmentId=1

197.149.90.166: https://www.virustotal.com/en/ip-address/197.149.90.166/information/
___

Fake 'scanner notice' SPAM – PDF malware
- http://myonlinesecurity.co.uk/important-system-scanner-notice-fake-pdf-malware/
7 Sep 2015 - "An email with the subject of 'Important system scanner notice' coming from random companies and email addresses with a zip attachment is another one from the current bot runs... The content of the email says :
Hello!
Our system scanner indicates 69405063 error(s). Please see the attached documentation and contact with us ASAP.
Regards,
Online system security
Mrs. Kendall Howell
tel. 503-012-0597
Email : prabha@ klcc .com.my

The alleged sender matches the name of the company and email address in the body of the email. The numbers of errors are random. Some of the other subjects inn this series of -Upatre- downloaders include:
Important system e-mail
Protection shield system scanner report
Urgent security system notification
Protection shield system scanner e-mail
Security system scanner notification
Urgent system scanner notice
Protection shield system scanner e-mail
And -hundreds- of other variations along the same theme...
7 Serptember 2015: Cary PlazaGL_report-HUDY9Ife7_.zip: Extracts to: Imogene CoveBR_report.exe
Current Virus total detections 4/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/645a4eb88461f6b266510d023a9c6c9e58f1618d2b461261f7a3447494d6529d/analysis/1441621866/
___

Something evil on 184.105.163.192/26 ...
- http://blog.dynamoo.com/2015/09/something-evil-on-18410516319226-white.html
7 Sep 2015 - "... I spotted some Nuclear EK (or some other Flash exploit) traffic on our network which attracted my interest. The IP in question was 184.105.163.243* hosted on what appears to be a Hurricane Electric IP... I don't tend to see a lot of bad stuff on HE so I looked more closely at the IP WHOIS and saw it was part of a range 184.105.163.192/26... given the sheer volume of crap that White Falcon has hosted in the past and its current problem with exploit kits, I would definitely recommend blocking-traffic to 184.105.163.192/26 to be on the safe side."
(More detail at the dynamoo URL above.)
* 184.105.163.243: https://www.virustotal.com/en/ip-address/184.105.163.243/information/

:fear::fear: :mad:

FYI...

Evil network: 89.144.2.0/24 / Echo Romeo LLP (AS199762)
- http://blog.dynamoo.com/2015/09/something-evil-on-891442024-echo-romeo.html
8 Sep 2015 - "This post at malware.kiwi* caught my eye after a sort-of challenge by Techhelplist**. Well, the bottom line is that these get-rich-quick schemes are run by serious organised criminals who tend not to leave too many traces behind.
* http://malware.kiwi/compromised-pti-edu-email-accounts-phishing-campaign/
...
** https://twitter.com/Techhelplistcom/status/641107799796137984
This appears to be a binary options scam*** that is using illegally -hacked- sites as redirectors, and I suspect that it is using a botnet to send the spam in the first place, although this is not clear. Eventually, victims are sent via an affiliate link to a site searchingprofit .me...
*** http://www.cftc.gov/ConsumerProtection/FraudAwarenessPrevention/CFTCFraudAdvisories/fraudadv_binaryoptions
It turns out that dailybusinessdirect .com is hosted alongside a cluster of related domains on a set of IPs belonging to a firm called Echo Romeo LLP in the UK. From the research I have done, it appears that Echo Romeo are a legitimate small business doing web design and hosting. However, they operate an IP range 89.144.2.0/24 which seems to be almost completely full of spam, scam and malware sites... Echo Romeo have a portfolio on their site of designs they have done for customers. As far as I can tell, -none- of those customer sites are actually hosted in this IP address range. The first thing I noticed was a cluster of sites and IPs[4] that appear to be closely related to dailybusinessdirect .com:
4] http://pastebin.com/mieQQj5s
... Overall, the evil-ness factor of 89.144.2.0/24 seems very high indeed (for example, this Damballa report on POSeidon[5] shows how the bad guys moved to this netblock), and yet Echo Romeo LLP seems to be completely legitimate. I even went to the effort of checking them out at Companies House, and all seems OK. I wonder if perhaps the bad guys have either gained control of the IP block or have popped a large number of their servers?"
5] https://www.damballa.com/new-poseidon-spotted/
(More detail at the dynamoo URL at the top of this post.)

AS199762 (ECHOROMEO-AS)
> https://www.google.com/safebrowsing/diagnostic?site=AS:199762

- https://www.google.com/safebrowsing/diagnostic?site=t9e.net/

- https://www.google.com/safebrowsing/diagnostic?site=89.144.2.0/

searchingprofit .me: 82.192.91.16: https://www.virustotal.com/en/ip-address/82.192.91.16/information/

dailybusinessdirect .com: 89.144.2.158: https://www.virustotal.com/en/ip-address/89.144.2.158/information/
___

ipserver .su, 5.133.179.0/24 and 212.38.166.0/24
- http://blog.dynamoo.com/2015/09/ipserversu-5133179024-and-21238166024.html
8 Sep 2015 - "A follow-up to this post*, I took a look at the netblocks 5.133.179.0/24 and 212.38.166.0/24 suballocated to:
person: Oleg Nikol'skiy
address: British Virgin Islands, Road Town, Tortola, Drake Chambers
phone: +18552100465
e-mail: abuse@ ipserver .su
nic-hdl: ON929-RIPE
mnt-by: IPSERVER-MNT
changed: abuse@ ipserver .su 20150528
created: 2015-05-28T11:11:09Z
last-modified: 2015-05-28T11:11:09Z
source: RIPE

I'm going to say straight away that my methodology is flawed, but I will share what I have. Very many IPs in this range have hosted badness in the past year-and-a-bit (e.g. 5.133.179.165**), mostly using subdomains.. to the extent that there are too many sites to analyse easily if I take the data from a passive DNS service. Instead, I elected to use the DomainTools reverse DNS which limits the results to domains only (not subdomains) and these are mostly active sites. Running the list through my analyser checks that the IPs are valid, and would normally tell me things such as the Google Safebrowsing Diagnostics and SURBL rating... I would expect to see about 1% in a normal sample, and out of 399 sites it comes back with zero. In fact, none of these sites seem to have any web presence at all, and all the ones that I have tried come back with almost no references on Google at all. I am going to suggest that there is nothing of value in these IP ranges, and given that historically .SU domains have a bad reputation***, then my suggestion is that you block traffic to:
5.133.179.0/24
212.38.166.0/24
In the meantime I will continue digging.."
* http://blog.dynamoo.com/2015/09/something-evil-on-891442024-echo-romeo.html

** 5.133.179.165: https://www.virustotal.com/en/ip-address/5.133.179.165/information/

*** https://www.abuse.ch/?p=3581

Diagnostic page for AS20860 (IOMART-AS)
- https://www.google.com/safebrowsing/diagnostic?site=AS:20860
"... over the past 90 days, 289 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2015-09-08, and the last time suspicious content was found was on 2015-09-08... we found 6 site(s) on this network... that appeared to function as intermediaries for the infection of 9 other site(s)... We found 97 site(s)... that infected 127 other site(s)..."
___

Fake 'FedEx' SPAM - JS malware
- http://myonlinesecurity.co.uk/fedex-standard-overnight-we-could-not-deliver-your-parcel-js-malware/
8 Sep 2015 - "An email with the subject of 'We could not deliver your parcel, #00184416 [ random numbered]' pretending to come from FedEx Standard Overnight <kevin.swartz@ 189-38-86-3 .net2 .com.br> with a zip attachment is another one from the current bot runs... The content of the email says:
Dear Customer,
We could not deliver your parcel.
Delivery Label is attached to this email.
Regards,
Kevin Swartz,
Station Agent.

8 September 2015: Delivery_Notification_00184416.zip: Extracts to: Delivery_Notification_00184416.doc.js
Current Virus total detections 9/56* ... which downloads 2 files 97823c.gif (VirusTotal**) | 12918408.exe (VirusTotal***) from a combination of these 3 sites:
dominaeweb .com
idsecurednow .com
les-eglantiers .fr
This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/208fdb11e8530cd0b8cc50d91003c28bef96cdc66c721fe5af65726afa300416/analysis/1441689276/

** https://www.virustotal.com/en/file/5a80fca028805557c64d507cf35adc4108b7d240c5b95d9334e9d22e5b86fd18/analysis/1441689928/

*** https://www.virustotal.com/en/file/51b227a255f21f5df62f87233af7b01edf4c84f1ca8bf1aeca61e636062fbe7e/analysis/1441658746/

dominaeweb .com: 174.36.231.69: https://www.virustotal.com/en/ip-address/174.36.231.69/information/
idsecurednow .com: 96.31.36.46: https://www.virustotal.com/en/ip-address/96.31.36.46/information/
les-eglantiers .fr: 76.74.242.190: https://www.virustotal.com/en/ip-address/76.74.242.190/information/
___

Fake 'contract' SPAM - PDF malware
- http://myonlinesecurity.co.uk/edits-of-contract-fake-pdf-malware/
8 Sep 2015 - "An email with the subject of 'Edits of contract #oyMolGA of Tue, 08 Sep 2015 12:33:32 +0200 (random characters and times)' pretending to come from random companies and email addresses with a zip attachment is another one from the current bot runs... The content of the email says :
Good day,
Please check out the edits of contract 181254053. Pay your particular attention to
paragraphs 121.39 and 148.85.
Until this contract isn’t signed, an amount won’t be remitted. If you have any questions,
please mail or call me on my additional number 63779928.
Emmalee Schaden
phone: 842-690-4561
Robel, McCullough and Gibson

8 September 2015: agreement changes Bruen Mall_jEHqrF.zip: Extracts to: renewed agreement Harber Village.exe
Current Virus total detections 1/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/704807e20fc1a6de2c63d14120cbb939406dda931a04aaabfb4dc6a88b44c89e/analysis/1441708637/
___

PayPal Overpayment Scams that target Craigslist Sellers
- https://isc.sans.edu/diary.html?storyid=20115
Last Updated: 2015-09-08 - "... when people become familiar with the tactics employed by scammers, they will be less likely to get ripped off. With this in mind, I'd like to describe my recent interactions with miscreants who target sellers on Craigslist. This encounter, which involved SMS messages, emails and a click, is a variation of a PayPal-themed overpayment -scam- that has been quite prolific in the recent years... The -fake- PayPal message in my inbox clarified that I might not see the funds in my PayPal account until I sent money to the buyer's pickup agent using MoneyGram... Soon, I received two more messages claiming to be from PayPal and impressing upon me of the 'safety' of the transaction... more of my articles about online scams, take a look at How Victims Are Redirected to IT Support Scareware Sites* and Conversation With a Tech Support Scammer**."
(More detail at the isc URL at the top of this post.)
* https://isc.sans.edu/diary/How+Victims+Are+Redirected+to+IT+Support+Scareware+Sites/19487/

** https://zeltser.com/tech-support-scammer-conversation/
___

Com[dot]com site leads to -Fake- Daily Mail Article, Other Dodgy Sites
- https://blog.malwarebytes.org/fraud-scam/2015/09/comdotcom-site-leads-to-fake-daily-mail-article-other-dodgy-sites/
Sep 7, 2015 - "When news of “com .com” (previously owned by CNET) being quietly sold to dsparking .com*, a known entity in the realm of browser hijacking and domain squatting, had rippled within the security industry a couple of years ago, some experts expressed concern**...
* https://www.virustotal.com/en/domain/www.dsparking.com/information/
...
** https://blog.whitehatsec.com/why-com-com-should-scare-you/
... We recently encountered the URL, dw[DOT]com[DOT]com, that directed us to various destinations whenever we refresh it. Although this site is no longer accessible as we write this post, we were still able to visit one particular live URL destination that stood out among the rest during our testing. It is a -fake- Daily Mail news piece[3] reporting about British citizens finding a loophole wherein they can get the iPhone 6 for £1...
3] https://blog.malwarebytes.org/wp-content/uploads/2015/09/dailymail00.png
... All links on the fake Daily Mail article point to one URL, which then leads users to -random- destinations where they are offered freebies-behind-surveys or certain services... A little more digging around about dw[DOT]com[DOT]com has revealed that it also has a history of housing adware, PUPs[4], and spyware[5]... there are relatively few reports of com .com sites getting abused. That may be a good thing — at least for now; however, there may come a time when criminals would make full use of these sites for their malicious campaigns. So be advised, dear Reader, to avoid and proactively -block- them as early as now..."
4] https://www.herdprotect.com/domain-dw.com.com.aspx

5] https://www.f-secure.com/sw-desc/dw_com_com.shtml

dw .com .com: 54.201.82.69: https://www.virustotal.com/en/ip-address/54.201.82.69/information/

com .com: 209.132.243.234: https://www.virustotal.com/en/ip-address/209.132.243.234/information/

dsparking .com: 141.8.225.89: https://www.virustotal.com/en/ip-address/141.8.225.89/information/

:fear::fear: :mad:

FYI...

Fake 'Internship' SPAM – doc malware
- http://myonlinesecurity.co.uk/internship-word-doc-malware/
9 Sep 2015 - "An email with the subject of 'Internship' pretending to come from SAMETRICE BLACKBURN <pwlc@ healthassets .net> with a malicious word doc attachment is another one from the current bot runs...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/09/Internship-1024x571.png

... DO NOT follow the advice they give to enable macros or enable editing to see the content...
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/protected-view-macros_21-1024x412.png
...
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/02/Excel_macro_protected-mode-1024x604.png
... 9 September 2015: My_Resume_7049.doc . Current Virus total detections 7/56*.
Downloads Dridex banking malware from http ://bakingsoda404 .com/dd/12345.exe (VirusTotal** 1/57)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/bcef317d97dc98bfc3d80f6ab42e35cb55da2344fcb0f4cdd8e526bea50cf01b/analysis/1441779828/

** https://www.virustotal.com/en/file/e38aa044c7324c7bf83aac7b441fa8b6610fb6b1ff318f8176273ac01a74f6e4/analysis/1441780825/
___

Fake 'new contract' SPAM - PDF malware
- http://myonlinesecurity.co.uk/we-have-submitted-a-new-contract-for-your-approval-please-view-the-attached-documentation-fake-pdf-malware/
9 Sep 2015 - "An email saying 'We have submitted a new contract for your approval. Please view the attached documentation' with the subject of 'Please view' pretending to come from FAX with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/09/Please-view-1024x481.png

9 September 2015: renewed contract Blanda Common.zip: Extracts to: agreement Braden Views.exe
Current Virus total detections 1/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/afaccab3175e24bbbf2dde0d79f9216b30555b48cecc7f2ca5737a63ef1d7eb2/analysis/1441795477/
___

Fake 'MP2541' SPAM – PDF malware
- http://myonlinesecurity.co.uk/message-from-mp2541-fake-pdf-malware/
9 Sep 2015 - "An email with the subject of 'Message from “MP2541” (random numbers)' pretending to come from DoNotReply@ b(your own email domain) with a zip attachment is another one from the current bot runs... The content of the email says :
This E-mail was sent from “MP2541” (MP 2541).
Scan Date: Wed, 09 Sep 2015 10:33:34 GMT
Queries to: DoNotReply@ ...

9 September 2015: omp cheque.zip: Extracts to: omp cheque.scr
Current Virus total detections 4/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/a61b06f03909b05e8130c7347cd66af6757280a7182880963f2f27c9071c8e51/analysis/1441799167/
___

Fake 'enrollment contract' SPAM – doc macro malware
- http://myonlinesecurity.co.uk/re-enrollment-contract-word-doc-macro-malware/
9 Sep 2015 - "An email with the subject of 'RE: enrollment contract' pretending to come from Calvin Hobbs <accounting@ steelgrill .com> with a malicious word doc attachment is another one from the current bot runs...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/09/enrollment-contract-1024x506.png

... DO NOT follow the advice they give to enable macros or enable editing to see the content:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/protected-view-macros_21-1024x412.png
...
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/02/Excel_macro_protected-mode-1024x604.png
9 September 2015: charles_contract.doc - Current Virus total detections 2/56* ... Which goes through a convoluted download process via thetunaslab .com/wp-snapshots/sasa.txt (which simply contains the download link) and thetunaslab .com/wp-snapshots/66836487162.txt (a VB script to transform the downloaded .exe to a new location and name and autorun it) to end up with what is almost certainly a Dridex banking Trojan from http ://www. heavensound .it/wp-content/uploads/2015/06/pa.exe (VirusTotal 2/57 **)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/51440d736274490b2b764749601549f045baf776686b8f962005e0deec2f472e/analysis/1441810073/

** https://www.virustotal.com/en/file/f5d5218282dc56789951945d383e5c274e714998689743895a0dedabbbadc18e/analysis/1441811453/
... Behavioural information
TCP connections
93.170.105.115: https://www.virustotal.com/en/ip-address/93.170.105.115/information/
128.199.119.166: https://www.virustotal.com/en/ip-address/128.199.119.166/information/
___

'Famous Spy Software' - SCAM
- https://blog.malwarebytes.org/online-security/2015/09/thousands-of-hacked-sites-lead-to-offer-of-famous-spy-software/
Sep 9, 2015 - "... received a tip from one of our researchers, Steven Burn, who is continuously investigating on several persistent Facebook hacking scams... the individuals or group behind them merely rehashing the same lures and tactics; services that offer the hacking of Facebook accounts is one such scam. Using a single line of text to look for potential scam destinations, Burn came across not one but -thousands- of compromised sites offering this particular type of hacking service... Once users click any of the search result links, they are -redirected- multiple-times and then land on a page in the domain, trackphone[DOT]tk:
> https://blog.malwarebytes.org/wp-content/uploads/2015/09/trackphone.png
Clicking the big-green-button that says “Go to new site” directs to a page from mspy[DOT]com:
> https://blog.malwarebytes.org/wp-content/uploads/2015/09/mspy.png
... mSpy is a highly popular and controversial software that markets itself as a tool that a parent can use to monitor their child’s activities on their mobile devices -or- a tool that a doubting husband or wife can use to catch their cheating partners red handed... others who are contemplating on using tools similar to mSpy, especially if you’re a parent, we implore that you think this through carefully before using it, because you may inadvertently expose your child to harm more than good this way."

mspy .com: 104.20.26.47: https://www.virustotal.com/en/ip-address/104.20.26.47/information/
104.20.27.47: https://www.virustotal.com/en/ip-address/104.20.27.47/information/

:fear::fear: :mad:

FYI...

Fake 'QuickBooks Invoice' SPAM – PDF malware
- http://myonlinesecurity.co.uk/quickbooks-invoice-payment-overdue-fake-pdf-malware/
10 Sep 2015 - "An email with the subject of 'Payment Overdue' pretending to come from QuickBooks Invoice <auto-invoice@ quickbooks .com> with a zip attachment is another one from the current bot runs... The content of the email says :
Please find attached your invoices for the past months. Remit the payment by 10/09/2015 as outlines under our “Payment Terms” agreement.
Thank you for your business,
Sincerely,
Rosendo Numbers
This e-mail has been sent from an automated system. PLEASE DO NOT REPLY.
The information contained in this message may be privileged, confidential and protected from disclosure...

10 September 2015: Invoice.zip: Extracts to: Invoice.scr
Current Virus total detections 0/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/5eed6039d5073f26a4b347dfb2379d4c72d391a020f01ba2faf7fe2698c5b979/analysis/1441880136/

- http://blog.dynamoo.com/2015/09/malware-spam-payroll-received-by-intuit.html
10 Sep 2015 - "... Attached is a file payroll_report.zip which in turn contains a malicious executable payroll_report.scr which has a VirusTotal detection rate of 3/56*. The Hybrid Analysis report** shows traffic patterns that are consistent with the Upatre downloader -and- Dyre banking trojan. In particular, the malware contacts a familiar server at 197.149.90.166 (Cobranet, Nigeria) which you should definitely block ..."
* https://www.virustotal.com/en/file/5eed6039d5073f26a4b347dfb2379d4c72d391a020f01ba2faf7fe2698c5b979/analysis/1441886437/

** https://www.hybrid-analysis.com/sample/5eed6039d5073f26a4b347dfb2379d4c72d391a020f01ba2faf7fe2698c5b979?environmentId=1

197.149.90.166: https://www.virustotal.com/en/ip-address/197.149.90.166/information/
___

Fake 'America Airlines' SPAM – JS malware
- http://myonlinesecurity.co.uk/america-airlines-your-ticket-order-00000239643-js-malware/
10 Sep 2015 - "An email with the subject of 'Your ticket order #00000239643 approved' [random numbered] pretending to come from America Airlines with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/09/America-Airlines_Your-ticket-order-00000239643-approved-1024x504.png

10 September 2015: Order_00000239643.zip: Extracts to: Order_00000239643.doc.js
Current Virus total detections 13/57* ... which downloads 2 files 42809780.exe (Virus total 1/57 **) (Hybrid analysis***) and 3233543213348c1[1].gif (VirusTotal 10/56 [4]) (Hybrid Analysis[5]) from a combination of these 3 sites:
64.239.115.111: https://www.virustotal.com/en/ip-address/64.239.115.111/information/
les-eglantiers .fr: 76.74.242.190: https://www.virustotal.com/en/ip-address/76.74.242.190/information/
readysetgomatthew .com: 205.144.171.28: https://www.virustotal.com/en/ip-address/205.144.171.28/information/
See MALWR report[6] and Wepawet[7] ... which decodes or deobfuscates the javascript... note that the 42809780.exe has a -stolen- digital signature from Microsoft, which has been blocked (at least in Internet Explorer), Smart Filter warns about an invalid digital signature:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/09/corrupt-signature.png
... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/db414dd5666ebc0f4323c612cce3212057d0fc652e45d3a33f5120636143d5bf/analysis/1441858346/

** https://www.virustotal.com/en/file/bf6fc83f1faa959a16a2a35650e44382e00608198f881f2cab72fe65fd14265c/analysis/1441845045/

*** https://www.hybrid-analysis.com/sample/bf6fc83f1faa959a16a2a35650e44382e00608198f881f2cab72fe65fd14265c?environmentId=1

4] https://www.virustotal.com/en/file/ca304658a124a4f39429425c674eacd69d2cb4463fd79775c5be184d747a02c5/analysis/1441859040/

5] https://www.hybrid-analysis.com/sample/ca304658a124a4f39429425c674eacd69d2cb4463fd79775c5be184d747a02c5?environmentId=1

6] https://malwr.com/analysis/ODEyYTNjZTNjNzM4NGE2YmFkZDQ2OWZiNzQ0OGZmMDk/

7] https://wepawet.iseclab.org/view.php?hash=23de9e6aad67d8a516acd6e60d90f4e9&type=js
___

Fake 'New Fax' SPAM - malicious attachment
- http://blog.dynamoo.com/2015/09/malware-spam-new-fax-3901535011-uk2fax.html
10 Sep 2015 - "This -fake- fax spam comes with a malicious attachment:
From "UK2Fax" [fax2@ fax1.uk2fax .co.uk]
Date Thu, 10 Sep 2015 14:07:11 +0100
Subject New Fax - 3901535011
UK2Fax Fax2Email : New fax attached, received at 10/09/2015 10:26:29 GMT

Attached is a file Fax-3901535011.zip which in turn contains a malicious executable Fax-800312316.scr which is exactly the -same- Upatre/Dyre payload as seen in this attack also seen today*."
* http://blog.dynamoo.com/2015/09/malware-spam-payroll-received-by-intuit.html
___

'Spear-phishing' - Know the Risk, Raise Your Shield
- http://arstechnica.com/security/2015/09/us-counterintelligence-czar-tells-government-employees-raise-your-shields/
Sep 9, 2015 - "... the director of the National Counterintelligence and Security Center (NCSC) announced a "new counterintelligence campaign" focused on reducing the potential security damage done by the Office of Personnel Management data breaches. Called 'Know the Risk, Raise Your Shield', the campaign's opening salvo is a pair of spear-phishing awareness videos, urging people -not-to-click-on 'those links'*... The Office of the Director of National Intelligence, which the NCSC is part of, is pushing out materials for the campaign through its website and social media channels..."
* https://www.youtube.com/embed/videoseries?list=PLfaSGHp0IgDBzfD8dnJ3CpklC2vNkbtiD
Video 2:53
Know the Risk, Raise Your Shield

:fear::fear: :mad:

FYI...

Fake 'e-invoice' SPAM – PDF malware
- http://myonlinesecurity.co.uk/your-latest-e-invoice-from-tnt-1568467424-9445661-fake-pdf-malware/
11 Sep 2015 - "An email with the subject of 'Your latest e-invoice from TNT 1568467424 9445661 (random numbers)' pretending to come from eInvoicing <groupadminstubbinsDONOTREPLY@ tnt .com> with a zip attachment is another one from the current bot runs... The content of the email says :
PLEASE DO NOT RESPOND – Emails to this address are not monitored or responded to.
Please find attached your TNT Invoice. Please note that our standard payment terms require cleared funds in our account by the 15th of the month following the month of invoice.
IMPORTANT CONTACT DETAILS
To register an invoice query please contact us at ukinvoicequeries@ tnt .co.uk
To forward a remittance advice or confirm payment please contact us at tntuk.cash.allocation@ tnt .com
To set up a Direct Debit plan please contact us at tntdirectdebit@ tnt .co.uk
For quick and easy access to your invoices simply log in using your user name and password to https ://express .tnt .com/eInvoicing and you’ll be able to view and download your electronic invoices immediately.
If you have forgotten your user name or password please follow the above link where you will be able to reset your log-in details. If you are experiencing any technical issues with your e-Invoicing account please contact us at ukeinvoice@ tnt .co.uk
Rest assured, we operate a secure system, so we can confirm that the invoice PDF originates from TNT and is authenticated with a digital signature. Thank you for using e-invoicing...

11 September 2015: 1568467424_9445661.zip: Extracts to: 0230516548_6835403.scr
Current Virus total detections 1/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/4d962c3ba8f89cc9ccad9fc2a943236fa86a4054b3b2e6339f859dbf2b746c59/analysis/1441967307/
___

Fake 'Sales Order' SPAM – PDF malware
- http://myonlinesecurity.co.uk/sales-order-acknowledgement-order-no-7m661725-your-reference-89-bud-fake-pdf-malware/
11 Sep 2015 - "An email with the subject of 'Sales Order Acknowledgement – Order No: 7M661725 – Your Reference: 89 /Bud (random numbers and names)' pretending to come from random companies and email addresses with a zip attachment is another one from the current bot runs... The content of the email says :
Please find attached your sales order acknowledgement
Order No: 7M661725
Account: MGQ313
Your Reference: 89 /Bud
Web Reference:
Kind Regards
Office Team

11 September 2015: SalesOrderAcknowledgement_2G060028.zip: Extracts to: SalesOrderAcknowledgement.scr
Current Virus total detections 0/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/955b41ec93d517b348a485b377848d102bdc74a81bb712ec416addc6c9997b8d/analysis/1441964692/

- http://blog.dynamoo.com/2015/09/malware-spam-sales-order.html
11 Sep 2015 - "This -fake- financial spam comes with a malicious payload:
From "reports@officeteam .co.uk" [reports@ officeteam .co.uk]
Date Fri, 11 Sep 2015 10:39:32 GMT
Subject Sales Order Acknowledgement - Order No: EF150085 - Your Reference: 14 /Geneva
Please find attached your sales order acknowledgement
Order No: EF150085...
... SalesOrderAcknowledgement_EF150085.zip which in turn contained a malicious executable SalesOrderAcknowledgement.scr which has a VirusTotal detection rate of 3/55*. The Hybrid Analysis report** shows that amongst other traffic, it communicates with a familiar Nigerian IP of 197.149.90.166 (Cobranet)... the payload is Upatre downloading the Dyre banking trojan."
* https://www.virustotal.com/en/file/955b41ec93d517b348a485b377848d102bdc74a81bb712ec416addc6c9997b8d/analysis/1441972298/

** https://www.hybrid-analysis.com/sample/955b41ec93d517b348a485b377848d102bdc74a81bb712ec416addc6c9997b8d?environmentId=1
___

Fake 'SOP Invoice' SPAM – PDF malware
- http://myonlinesecurity.co.uk/sop-invoice-single-ppl-leeds-co-uk-fake-pdf-malware/
11 Sep 2015 - "An email with the subject of 'SOP Invoice (Single)' pretending to come from “Carlene Kidd” <Carlene.Kidd@ ppl-leeds .co.uk> (random names @ ppl-leeds .co.uk) with a zip attachment is another one from the current bot runs... The content of the email says :
Hi Nicolas
Please find attached copy Invoice No: J292G64W as requested.
Regards
Carlene
The attached file is a Sage Report in PDF (Adobe Acrobat) format. To view
the report you will need Acrobat Reader, available as a free download...

11 September 2015: Invoice_J292G64W.zip: Extracts to: invoice.scr
Current Virus total detections 1/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/3b35c46305ed2c213d3257cb4e9b5d3c4b1171bf9410dfd01dd95379868c09af/analysis/1441965422/
___

Fake 'PO & New Order' SPAM – doc malware
- http://myonlinesecurity.co.uk/po-new-order-word-doc-rtf-exploit-malware/
11 Sep 2015 - "An email with the subject of 'PO & New Order' pretending to come from Sales with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/09/PO-New-Order-1024x599.png

... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents appear to be -blank- or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/protected-view-macros_21.png
...
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/02/Excel_macro_protected-mode.png
11 September 2015: PO & New Order.doc - Current Virus total detections 23/56* .
Downloads http ://creativelinkspk .com/.css/ashok.exe (VirusTotal** 18/57). This looks like an old exploit CVE-2012-0158 that was fixed in MS12-027... but there is always a possibility that the exploit creators have added to it to work in modern office versions... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/259d002304dcd933598733d0b126a4882fcc8279a1af667e5999c30d0e7c0bb0/analysis/1441931051/

** https://www.virustotal.com/en/file/25bdb0eb8ddd9c219b1124642d41359d86493a5d1721f5cc30445e2e360f3d4c/analysis/1441887586/

creativelinkspk .com: 192.3.105.250: https://www.virustotal.com/en/ip-address/192.3.105.250/information/

:fear::fear: :mad:

FYI...

Fake 'Pretrial requirements' SPAM – JS malware
- http://myonlinesecurity.co.uk/pretrial-requirements-js-malware/
13 Sep 2015 - "An email with the subject of 'Pretrial requirements' pretending to come from random names and email addresses with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/09/Pretrial-requirements-1024x388.png

12 September 2015: pretrial_requirements488.zip: Extracts to: pretrial_requirements488.js
Current Virus total detections 21/57* . (Wepawet**) (MALWR***) which downloads multiple files including Adobe_update-S3NS81Y2MJC[1].exe (virus total 0/56 [4]) and Adobe_update-1SGMQ65OVG[1].exe (VirusTotal 0/57 [5]) and a genuine pdf (Adobe_update-BI5T99S2B9W[1].pdf) which displays an invoice to think that the entire download is innocent from a combination of these sites (this particular version only uses the first 2 sites, but if it cannot contact either of them, it will try each site in turn until it downloads the malware):
ERVINSOLAR .NET: 88.198.60.20: https://www.virustotal.com/en/ip-address/88.198.60.20/information/
JAIINSTITUTEFORPARENTING .NET: 50.62.232.1: https://www.virustotal.com/en/ip-address/50.62.232.1/information/
C3SMS .COM: 72.249.68.39: https://www.virustotal.com/en/ip-address/72.249.68.39/information/
www .prairiehouse .ie: 80.93.29.15: https://www.virustotal.com/en/ip-address/80.93.29.15/information/
DIGITALCONTACT .COM: 54.154.210.110: https://www.virustotal.com/en/ip-address/54.154.210.110/information/
LIVINGLAVIDAPYME .COM: 72.47.236.23: https://www.virustotal.com/en/ip-address/72.47.236.23/information/
LASALCHICHONERIA .COM: 72.47.236.23
AZHINEHPS .COM: 149.3.137.13: https://www.virustotal.com/en/ip-address/149.3.137.13/information/
XINHFURNITURE .COM: 112.78.2.205: https://www.virustotal.com/en/ip-address/112.78.2.205/information/
The PDF is genuine and obviously a stolen invoice from an Italian company Eco srl being -reused- to try to fool you into thinking that it is only an invoice being displayed while the other malware is silently downloaded and run in the background:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/09/eco_pdf-1024x619.png
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/0ef3c63ee62fca913da44b8b070d3d8953e8dcd8608c06c6530e232977ea0eb7/analysis/1442130826/

** https://wepawet.iseclab.org/view.php?hash=7f38d9df842a87500e5be65061a149de&type=js

*** https://malwr.com/analysis/Mjk4ZDIyYjM2OTA1NGZhMmJiODFkZDM3MzNhOWM1ZTQ/

4] https://www.virustotal.com/en/file/1c12159581ea7e065e1feba7463feb50176cf30ee2272b10ced51674f48675ce/analysis/1442105203/

5] https://www.virustotal.com/en/file/459e1130d677ce75e1131358770dc0125757204bbdb927a4033f43d078f62202/analysis/1442131135/

:fear::fear: :mad:

FYI...

HMRC Tax Refund / Phish ...
- https://blog.malwarebytes.org/fraud-scam/2015/09/avoid-this-hmrc-tax-refund-phish/
Sep 14, 2015 - "... here’s the spam mail, which is titled 'Tax Refund New Message Alert!':
> https://blog.malwarebytes.org/wp-content/uploads/2015/09/hmrcform0.jpg
Some standouts:
1. The -typo- in the sender address. Yes, we already mentioned it but it’s such an amazingly silly way to blow the cover of an attempted phish that I’m going to point and roll my eyes at it twice.
2. Do Tax Departments send anybody emails with exclamation-marks in the subject? It doesn’t seem in line with the notion of serious people sending out serious tax emails, really.
3. “See this email? Yeah, don’t tell anyone about it okay? It’s our little secret. Cough cough.”
4. “Download and fill out a form” HMRC don’t send out mails about tax rebates.
5. “Allow 5 to 9 business days, because we won’t have enough time to rip-off the card details you just sent us if you’re checking your account every five minutes”.
Note that in the above example, the mail was sent to an Outlook account and was-flagged as spam – not all mail providers catch something, so it pays to always be on your guard.
Clicking the link offers up a HTML file download from: liveinlove(dot)us/index(dot)php:
> https://blog.malwarebytes.org/wp-content/uploads/2015/09/hmrcform1.jpg
Opening up the file in a browser will fetch elements of real HMRC pages to add that little extra splash of authenticity:
> https://blog.malwarebytes.org/wp-content/uploads/2015/09/hmrcform2.jpg
There is, of course, no HTTPS / padlock which one would hope sets off a few alarm bells. The form follows the common pattern of not letting you proceed unless you’ve entered information in the relevant boxes. They want full card details, bank name, security code, name, DOB, address – the works. Once the submit button is hit, the victim will be redirected to a real HMRC page via the liveinlove URL. It seems the website being used for this scam has been -hacked-... In a first for me, I’ve had to let someone know their site has been compromised via a wedding RSVP form. As the wedding was due to take place back in -2014- I’m not entirely sure someone will be there to pick up the message but we’ll see how it goes. Should you receive one of these mails, feel free to delete it."

liveinlove .us: 192.186.248.162: https://www.virustotal.com/en/ip-address/192.186.248.162/information/
___

Next Gen ATM Malware
- https://www.fireeye.com/blog/threat-research/2015/09/suceful_next_genera.html
Sep 11, 2015 - "You dip your debit card in an automated teller machine (ATM) and suddenly realize it is stuck inside, what happened?
a) You took too much time entering details.
b) There was an error in the network connection to the bank.
c) The machine is infected with malware and your card was intentionally retained to be ejected to the crooks once you walk away asking for help.
If you answered ‘c’ you might be correct! FireEye Labs discovered a new piece of ATM malware (4BDD67FF852C221112337FECD0681EAC) that we detect as Backdoor.ATM.Suceful (the name comes from a typo made by the malware authors), which targets cardholders and is able to retain debit cards on infected ATMs, disable alarms, or read the debit card tracks. ATM malware is not new, back in 2013 and 2014 threats like Ploutus[1] or PadPin[2] (Tyupkin) were used to empty ATMs in Mexico, Russia and other countries, but SUCEFUL offers a new twist by targeting the cardholders. SUCEFUL was recently uploaded to VirusTotal (VT) from Russia, and based on its timestamp, it was likely created on August 25, 2015. It might still be in its development phase; however, the features provided are shocking and never seen before in ATM malware:
> https://www.fireeye.com/content/dam/fireeye-www/blog/images/SUCEFUL/suceful1.png
Potential SUCEFUL capabilities in Diebold or NCR ATMs include:
1. Reading all the credit/debit card track data
2. Reading data from the chip of the card
3. Control of the malware via ATM PIN pad
4. Retention or ejection of the card on demand: This could be used to steal physical cards
5. Suppressing ATM sensors to avoid detection ..."
(More detail at the fireye URL above.)

:fear::fear: :mad:

FYI...

Fake 'Payment Summary' SPAM – PDF malware
- http://myonlinesecurity.co.uk/payment-summary-group-certificate-for-201415-financial-year-paysliphss-health-nsw-gov-au-fake-pdf-malware/
15 Sep 2015 - "2 sets of emails pretending to come from payslip@ hss.health.nsw. gov.au with the subject of 'Payment Summary (Group Certificate) for 2014/15 financial year' or 'Payslip for the period 31 Aug 2015 to 14 sep 2015' with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/09/Payment-Summary-Group-Certificate-1024x506.png

15 September 2015: PAYG-EoY-2014-15-11577085-181466719.zip: Extracts to: PAYG-EoY-2014-15-04831806-000718002.scr
Current Virus total detections 11/56*
15 September 2015: Payslip13526234054137704-78242.zip: Extracts to: Payslip00477196470196471-00038.scr
Current Virus total detections 6/57**
... Techhelplist.com have done a breakdown of these Upatre downloaders from yesterday’s versions of these emails with similar attachments... HERE[3] and Here[4].
This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/1557a4bf5fecd2fc71102f8a32ff2dc215c9181b1868bd58438619b9091cc6e9/analysis/1442293989/

** https://www.virustotal.com/en/file/c290b05920fa0947ef92cc30f405b8715d245b68f080ff90a8c75f6ed18dd977/analysis/1442282228/

3] https://techhelplist.com/spam-list/923-payment-summary-group-certificate-for-financial-year-malware

4] https://techhelplist.com/spam-list/924-payslip-for-the-period-date-to-date-malware
___

Fake 'Unsettled invoice' SPAM – PDF malware
- http://myonlinesecurity.co.uk/unsettled-invoice-e-mail-notice-fake-pdf-malware/
15 Sep 2015 - "The latest -Upatre- style downloaders are attached to series of emails with the subject of 'Unsettled invoice e-mail notice' pretending to come from random addresses with a zip attachment is another one from the current bot runs... The content of the email says:
Hello dear customer,
I urgently ask you to settle an invoice from Tue, 15 Sep 2015 11:39:13 +0100

Other subjects in this malspam run include:
Unsettled invoice e-mail reminder
Important invoice e-mail notice
Overdue invoice e-mail reminder
Unsettled invoice notification
Outstanding invoice e-mail notice
Important invoice final reminder
The times are all random, but the dates all say Tue, 15 Sep 2015..
15 September 2015: Voluptas soluta laborum illum aperiam praesentium molestiae sequi..zip:
Extracts to: Consequatur sint consectetur qui esse..exe
Current Virus total detections 1/57*
This doesn’t actually appear to be Upatre and we haven’t managed to get any other downloads from it via automatic analysis so far... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/e508a362c02b96c29a1257cab1dad4ff9577b1fa68f41fccb354f065e8f5d1a4/analysis/1442313814/
___

WhatsApp scam/SPAM ...
- https://blog.malwarebytes.org/fraud-scam/2015/09/dont-get-stuck-on-whatsapp-stickers/
Sep 15, 2015 - "We’ve spotted a WhatsApp scam using the same general template as the previously covered WhatsApp Elegant Gold*, located at:
stickers-whatsapp(dot)com
... which asks for your WhatsApp Number in return for some “stickers“. You typically have to pay for stickers via a number of Apps, so potential freebies are always going to pull in some eyeballs.
> https://blog.malwarebytes.org/wp-content/uploads/2015/09/whatstickers1.jpg
It follows the familiar pattern of “Spam a bunch of people and we’ll give you what you want”, complete with inevitable Shyamalan-style plot twist at the end (no, your phone wasn’t a ghost the whole time). Here’s the spam request:
> https://blog.malwarebytes.org/wp-content/uploads/2015/09/whatstickers2.jpg
... As with other sites of a similar nature**, we advise you to not bother and stick to legit apps on your mobile store of choice if you really want to plaster your texts with images. All you’ll get for your time and trouble with these websites are adverts, PUPs and surveys (also, your phone was totally a ghost the whole time)."
* https://blog.malwarebytes.org/fraud-scam/2015/07/whatsapp-elegant-gold-hits-the-digital-catwalk/

** https://blog.malwarebytes.org/fraud-scam/2015/03/scams-pups-target-would-be-whatsapp-voice-users/

stickers-whatsapp(dot)com: 54.254.185.159: https://www.virustotal.com/en/ip-address/54.254.185.159/information/
___

Cisco router break-ins bypass cyber defenses
- http://www.reuters.com/article/2015/09/15/us-cybersecurity-routers-cisco-systems-idUSKCN0RF0N420150915
Sep 15, 2015 - "... researchers* say they have uncovered clandestine attacks across three continents on the routers that direct traffic around the Internet, potentially allowing suspected cyberspies to harvest vast amounts of data while going undetected. In the attacks, a highly sophisticated form of malicious software, dubbed "SYNful Knock'*, has been implanted in routers made by Cisco..."
* https://www.fireeye.com/blog/threat-research/2015/09/synful_knock_-_acis.html
Sep 15, 2015 - "... recent vendor advisories indicate that these have been seen in the wild. Mandiant can confirm the existence of at least -14- such router implants spread across four different countries: Ukraine, Philippines, Mexico, and India... Conclusion: ... It should be evident now that this attack vector is very much a reality and will most likely grow in popularity and prevalence..."
1] http://www.cisco.com/web/about/security/intelligence/integrity-assurance.html

:fear::fear: :mad:

FYI...

Fake 'Renewed insurance policy' SPAM – PDF malware
- http://myonlinesecurity.co.uk/renewed-insurance-policy-e-mail-fake-pdf-malware/
16 Sep 2015 - "An email with the subject of 'Renewed insurance policy' e-mail pretending to come from random companies (all appearing to be either Australian or New Zealand addresses) with a zip attachment is another one from the current bot runs... The content of the email says :
Good afternoon,
This email address was specified to get a new insurance policy. Your policy is attached

Other subjects include:
Important insurance e-mail notice
Insurance policy e-mail notice
Health insurance notice
Renewed insurance policy e-mail notice
Important insurance e-mail
16 September 2015: 23720.zip: Extracts to: 96998.exe
Current Virus total detections 2/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/5adbfb4c61acd3f446554fd6dc1cbd09791c2880ea67b1b63fbd7056c2c3a709/analysis/1442351794/
___

Fake 'HSBC SecureMail' SPAM - malicious payload
- http://blog.dynamoo.com/2015/09/malware-spam-hsbc-securemail-you-have.html
16 Sep 2015 - "This -fake- HSBC email message has a malicious payload:
From: HSBC SecureMail [HSBCRepresentative_WilliamsBlankenship@ hsbc .co.uk]
Date: 16 September 2015 at 13:13
Subject: You have received a secure message ...

... file HSBC_Payment_87441653.zip which in turn contains a malicious executable HSBC_Payment_87441653.exe, this has a VirusTotal detection rate of 4/56*. Automated analysis is pending... but the payload is most likely to be Upatre/Dyre."
* https://www.virustotal.com/en/file/a0c4f616758a29bf0386de439c61729918a3637dab281089f2115ba8c35957c2/analysis/1442407433/
___

Fake 'Lloyds Bank' SPAM - doc/xls malware
- http://myonlinesecurity.co.uk/you-have-received-a-new-debit-and-lloyds-bank-pendeford-securities-please-read-action-required-word-doc-or-excel-xls-spreadsheet-malware/
16 Sep 2015 - "A BOGOF (Buy one, get one free) today pretending to come from various Lloyds bank email addresses with 2 different subjects both containing the same word macro downloader malware: 'You have received a new debit and Lloyds Bank – Pendeford Securities – Please Read Action Required/PI Documents/ Region code East 2/ 1831383/' with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshots:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/09/Lloyds-Bank-Pendeford-Securities-Please-Read-Action-Required-1024x742.png
-Or-
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/09/You-have-received-a-new-debit-1024x511.png

DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents appear to be blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/protected-view-macros_21-1024x412.png
...
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/02/Excel_macro_protected-mode-1024x604.png
The version of this word doc that I received actually has this content which tries to suggest it is protected with an RSA digital signature key that needs you to enable macros and editing to be able to see the proper content. You definitely do-not-want-to-enable-macros or editing or you-will-be-infected:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/09/ReportonTitle0045168.1Final_doc-1024x597.png

16 September 2015: ReportonTitle0045168.1Final.doc - Current Virus total detections 4/53* .
The malicious macros in this malware are giving problems to the automatic analysers, who aren’t able to actually get the malware. The macro contacts:
obiectivhouse .ro/wp-content/plugins/maintenance/load/images/fonts-icon/
... which is an open directory where it gets various instructions to download the actual malware from http ://vandestaak .com/css/libary.exe and autorun it (VirusTotal**) which is itself an Upatre downloader that will download today’s version of the Dyre/dyreza/dridex banking Trojan malware... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/aeb8c585e9fcc35d5470bec8284e59a0a0150114c1f60d106a3b2f284ee6c8b4/analysis/1442403104/

** https://www.virustotal.com/en/file/0c91c33093c576294b6266fa21959bf45f8afc2c4fe55d3251cb2769266d628e/analysis/1442407381/

obiectivhouse .ro: 178.156.230.216: https://www.virustotal.com/en/ip-address/178.156.230.216/information/

- http://blog.dynamoo.com/2015/09/malware-spam-lloyds-bank-pendeford.html
16 Sep 2016 - "...In the sample I saw, there was a Word document ReportonTitle7117152.1Final.doc attached (detection rate 4/56*)... malicious macro. The macro attempts to download components from the following locations:
thebackpack .fr/wp-content/themes/salient/wpbakery/js_composer/assets/lib/prettyphoto/images/prettyPhoto/light_rounded/66836487162.txt
thebackpack .fr/wp-content/themes/salient/wpbakery/js_composer/assets/lib/prettyphoto/images/prettyPhoto/light_rounded/sasa.txt
obiectivhouse .ro/wp-content/plugins/maintenance/load/images/fonts-icon/66836487162.txt
obiectivhouse .ro/wp-content/plugins/maintenance/load/images/fonts-icon/sasa.txt
A further download then takes place from:
vandestaak .com/css/libary.exe
This has a detection rate of 3/56**. The general characteristics of this file make it a close match to the Upatre/Dyre payload of this concurrent spam run [3] (automated analysis is pending).
Recommended blocklist:
197.149.90.166
vandestaak .com
thebackpack .fr
obiectivhouse .ro "
* https://www.virustotal.com/en/file/aeb8c585e9fcc35d5470bec8284e59a0a0150114c1f60d106a3b2f284ee6c8b4/analysis/1442408475/

** https://www.virustotal.com/en/file/0c91c33093c576294b6266fa21959bf45f8afc2c4fe55d3251cb2769266d628e/analysis/1442411964/

3] http://blog.dynamoo.com/2015/09/malware-spam-hsbc-securemail-you-have.html

vandestaak .com: 213.179.202.11: https://www.virustotal.com/en/ip-address/213.179.202.11/information/
thebackpack .fr: 195.144.11.40: https://www.virustotal.com/en/ip-address/195.144.11.40/information/
obiectivhouse .ro: 178.156.230.216: https://www.virustotal.com/en/ip-address/178.156.230.216/information/
___

Fake 'Autopay information' SPAM – PDF malware
- http://myonlinesecurity.co.uk/autopay-information-fake-pdf-malware/
16 Sep 2015 - "An email with the subject of 'Autopay information' pretending to come from random companies with a zip attachment is another one from the current bot runs... The content of the email says :
Hello,
A new monthly invoice for the services is available to view online and is included as an attachment.
No action is required because you’ve signed up for the AutoPay.
Just review and retain this invoice #52467 for your records.

Other subjects in this series of emails include:
Settled invoice info
Online service invoice info ...
16 September 2015: Get new check MacGyver Station.zip: Extracts to: Repay insurance bill Ullrich Falls.exe
Current Virus total detections: 1/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/847e54508b08cff2a694451d5334f70c2e7c8347ef5f474dec9b3c8273558dad/analysis/1442410631/
___

Fake Amazon UK Mail - phish...
- https://blog.malwarebytes.org/fraud-scam/2015/09/fake-amazon-uk-mail-asks-you-to-verify-your-account-after-breach/
Sep 16, 2015 - "There is an Amazon phishing scam currently making rounds, so you better keep an eye on your inboxes, assuming your spam traps haven’t picked up on this one yet. And much like majority of phish campaigns, this one also begins with an email. The samples we retrieved all originated from the Linode server (24.236.39.51):
> https://blog.malwarebytes.org/wp-content/uploads/2015/09/amazon-phish-mail.png
... The “Get Started” text is, of course, a link leading to the phishing page (screenshot below), which is at ukamazonverify[DOT]com:
> https://blog.malwarebytes.org/wp-content/uploads/2015/09/amazon-phish-page-one.png
... After text boxes have been filled out, the user is taken to another page asking for -more- details, which includes personally identifiable information (PII), payment card details, and account security details (screenshot below), while data about email address and password are saved to Verify.php, which is located within the domain:
> https://blog.malwarebytes.org/wp-content/uploads/2015/09/amazon-verify-page.jpg
Data that users enter on this page are saved to Finish.php after clicking the Validate button. The page then changes to tell users to wait as this site processes all their details, complete with a “spinny” indicator to denote that indeed some semblance of data processing is taking place at the background:
> https://blog.malwarebytes.org/wp-content/uploads/2015/09/amazon-phish-spinny.png
What users don’t realize is that they’re actually taking their cue from a GIF file, and not an actual indicator, as they wait for what happens next. In the end, they are directed to the real Amazon UK site.
ukamazonverify[DOT]com was created two-days-ago, along with other domains registered under a specific email address from 126[DOT]com, a popular email provider in China. Some browsers have already flagged the domain as a potential threat, which is great... when you see a similar email like the one above in your inbox, simply delete them..."

ukamazonverify[DOT]com: 103.42.180.253: https://www.virustotal.com/en/ip-address/103.42.180.253/information/
___

Fake 'New payment for tax refund' SPAM – JS malware
- http://myonlinesecurity.co.uk/new-payment-for-tax-refund-0000255599-js-malware/
16 Sep 2016 - "An email with the subject of 'New payment for tax refund #0000255599' [random numbered] pretending to come from Internal Revenue Service <office@ irs .gov> with a zip attachment is another one from the current bot runs... The content of the email says :
This is to inform you that your tax refund request has been processed.
Please find attached a copy of the approved 94035N form you have submitted.
Transaction type – Tax Refund
Payment method – Wire transfer
Amount – $ 3214.00
Status – Processed
Form – 94035N
Additional information regarding tax refunds can be found on our website...
Regards,
Internal Revenue Service
Address: 1111 Constitution Avenue, NW
Washington, DC 20224 ...
Phone: 1-800-829-1040

16 September 2015: Tax_Refund_0000255599_Processed.zip: Extracts to: Tax_Refund_0000255599_Processed.doc.js
Current Virus total detections 22/56* ... which downloads -3- files
53212428.exe (Virustotal 1/57 **)
13876688.exe (VirusTotal 2/57 ***) and
0cedc1[1].gif (VirusTotal 1/57 ****) from a combination of these 3 sites:
crossfitrepscheme .com
dickinsonwrestlingclub .com
les-eglantiers .fr
(MALWR[5])
... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/2af8cee2185ef4d9d4c29eeb8b126bd60eab7a749130d0024eda1fa87c01baa3/analysis/1442419074/

** https://www.virustotal.com/en/file/4d3c3075482d12b0b71e337e7c53ffa844959e63b7bafecb03bad847a091f09b/analysis/1442414485/

*** https://www.virustotal.com/en/file/d098f4b68a9ab8e477985d0cde798026b150d150a8f17853e57deff162a29eda/analysis/1442414434/

**** https://www.virustotal.com/en/file/52f8b985d9e725d19db68fa055e055f6073b07d360b3e2f32dfe92dc35d4e6b0/analysis/1442419912/

5] https://malwr.com/analysis/MDc5NThhYzRiMDIxNDY0Mjg0MDA5MDBlMzNmMDU0OTU/

crossfitrepscheme .com: 199.175.49.19: https://www.virustotal.com/en/ip-address/199.175.49.19/information/
dickinsonwrestlingclub .com: 72.20.64.58: https://www.virustotal.com/en/ip-address/72.20.64.58/information/
les-eglantiers .fr: 76.74.242.190: https://www.virustotal.com/en/ip-address/76.74.242.190/information/

:fear::fear: :mad:

FYI...

Fake 'E-Bill' SPAM - malicious attachment
- http://blog.dynamoo.com/2015/09/malware-spam-shell-e-bill-for-week-38.html
17 Sep 2015 - "This -fake- financial spam comes with a malicious attachment:
From [invoices@ ebillinvoice .com]
To administrator@ victimdomain .com
Date Thu, 17 Sep 2015 11:10:15 GMT
Subject Shell E-Bill for Week 38 2015
Customer No : 28834
Email address : administrator@ victimdomain .com
Attached file name : 28834_wk38_2015.PDF
Dear Customer,
Please find attached your invoice for Week 38 2015.
In order to open the attached PDF file you will need
the software Adobe Acrobat Reader...
Yours sincerely
Customer Services...

Attached is a file 28834_wk38_2015.zip containing a malicious executable 67482_wk38_2015.scr which has a detection rate of 2/56*. Automated analysis is pending, but the payload is almost definitely Upatre/Dyre which has been consistently sending traffic to 197.149.90.166 (Cobranet, Nigeria) for some time now, so I suggest that you -block- or monitor that IP."
* https://www.virustotal.com/en/file/1d8ec411516159ec752aef930991d3c981c9d64ac8be7fe9121339df52fbda83/analysis/1442489503/
___

Fake 'REFURBISHMENT' SPAM - malicious attachment
- http://blog.dynamoo.com/2015/09/malware-spam-hrwfmailerprodlancashirego.html
17 Sep 2015 - "This -fake- financial spam... comes in several different variants (I saw two):
From "Workflow Mailer" [hrwfmailerprod@ lancashire. gov.uk]
To hp_printer@ victimdomain .com
Date Thu, 17 Sep 2015 12:16:26 GMT
Subject FYI: Sent: Online Discussion Message for RFQ 6767609,1 (LCDC - NF014378 R.R. Donnelley & Sons Company - REFURBISHMENT)
__
From Mabel Winter
To hp_printer@ victimdomain .com
Sent Thu, 17 Sep 2015 12:12:26 GMT
ID 7216378
Number 6767609,1
Title Q3EX - 1C995408 R.R. Donnelley & Sons Company - REFURBISHMENT
Negotiation Preview Immediately upon publishing
Negotiation Open Immediately upon publishing
Negotiation Close September 21, 2015 10:00 am GMT
Company R.R. Donnelley & Sons Company
Subject ITT Clarifications
To view the message, please open attachment.

The other version I had mentioned "QMDM - 5J673827 CDW Computer Centers Inc. - REFURBISHMENT" instead. The attachment appears to have a randomly-generated name e.g. REFURBISHMENT 7216378.zip and REFURBISHMENT 4435708.zip which contain a malicious executable REFURBISHMENT 7015295.scr which has a VirusTotal detection rate of 3/55*. The payload appears to be Upatre/Dyre..."
* https://www.virustotal.com/en/file/ec80290064cdcad4d20ac6b610d26f1bc93bc7588815f277b946692a1c9b9f44/analysis/1442492094/
___

Fake 'Important notice' SPAM – PDF malware
- http://myonlinesecurity.co.uk/important-notice-about-document-signing-fake-pdf-malware/
17 Sep 2015 - "An email with the subject of 'Important notice about document signing' pretending to come from random companies with a zip attachment is another one from the current bot runs... The content of the email says :
Hello,
You have been sent the document to sign it using Signority. To view this document, user’s personal data and secured link to signing, please open the attachment.
Regards,
The Signority Team

Other subjects in this malspam run delivering Upatre downloaders include:
Notice of documentation signing
Important notification of document signing
Important notice about documentation signing ...
17 September 2015: Gain infringement fine .zip: Extracts to: Send proposed sum .exe
Current Virus total detections 3/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/7bd9692f17ca135cae60bfb2a51b50893033d87c56f3f95adbf2908c8021df5b/analysis/1442507711/

:fear::fear: :mad:

FYI...

Fake 'Transaction confirmation' SPAM - malicious attachment
- http://blog.dynamoo.com/2015/09/malware-spam-transaction-confirmation.html
18 Sep 2015 - "This -fake- banking spam comes with a malicious attachment:
From donotreply@ lloydsbank .co.uk
Date Fri, 18 Sep 2015 11:52:36 +0100
Subject Transaction confirmation
Dear Customer,
Please see attached the confirmation of transaction conducted from Your
account. Kindly sign and forward the copy to us for approval.
Best regards,
Your personal Manager
Thora Blanda
tel: 0345 300 0000
LLOYDS BANK.

Attached is a file Notice.zip which contains a malicious executable Value mortgage policy .exe (note the rogue space) which has a VirusTotal detection rate of 3/55*. The Hybrid Analysis report** shows activity consistent with Upatre/Dridex including a key indicator of traffic to 197.149.90.166 in Nigeria."
* https://www.virustotal.com/en/file/129421186aed9a2bb2177fe5ab51342decca0f0b6508cae765dbc279d25c2568/analysis/1442574773/

** https://www.hybrid-analysis.com/sample/129421186aed9a2bb2177fe5ab51342decca0f0b6508cae765dbc279d25c2568?environmentId=1
___

Fake 'Approval' SPAM - PDF malware
- http://myonlinesecurity.co.uk/approval-of-the-pages-fake-pdf-malware/
18 Sep 2015 - "An email with the subject of 'Approval of the pages' pretending to come from random companies with a zip attachment is another one from the current bot runs... The content of the email says :
Hi,
Please take a quick look at the headlines of the attached docs.
As I’ve told you before, the main part of project is almost ready.
I guarantee that I’ll send it to you within this week.
Please remember: the attached information is strongly confidential.

Other subjects in this series of -Upatre- downloaders include:
Check out the following pages
Approval of renewed project part
See the part of work
Check updated part of work
Review updated pages
View renewed pages ...
18 September 2015: Do obligatory agreeement .zip: Extracts to: Maintain remittance fund .exe
Current Virus total detections 2/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/2b7ba26dcaefa42297d2308f97db51c646579e1fa149ba1ff59bcd7808da93ff/analysis/1442583621/
___

'Tax Credits Refund' - Phish ...
- https://blog.malwarebytes.org/fraud-scam/2015/09/warning-tax-credits-refund-phish/
Sep 18, 2015 - "... scammers leap onto the bandwagon with promises of tax credit refunds – effectively targeting those already most under threat from potential financial loss. If you’ve clicked-on-a-message along these lines in the last few days, you may want to get in touch with your bank as soon as possible. The message, which reads as follows, makes use of a Goo.gl shortening URL to -redirect- victims to what appears to be a compromised website:
"Dear valued customer, we are happy to inform you that you have a new tax credit refund from HMRC. Click on the following link [URL] to claim your HMRC refund"
... Here’s the stats for the shortened URL:
> https://blog.malwarebytes.org/wp-content/uploads/2015/09/taxcreditsphish1.jpg
• 731 clicks so far, with the majority of them coming from the UK.
• 440 of those were on iPhone, and 252 were using Android. Just 31 people were browsing via Windows.
• The shortened link is 4 days old, so the scam is pretty fresh.
Here’s the phishing page, located at savingshuffle(dot)com/hmrc/Tax-Refund(dot)php:
> https://blog.malwarebytes.org/wp-content/uploads/2015/09/taxcreditsphish3.jpg
As you can see, they want name, address, phone, email, telephone number, card details, sort code and account number. Further down the page, they also want some “Identity Verification” in the form of driving license number, national insurance number and mother’s maiden name. There’s also a pre-filled refund amount of £265.48 next to the submit button:
> https://blog.malwarebytes.org/wp-content/uploads/2015/09/taxcreditsphish4.jpg
... By the time you end up checking to see if the money has gone in, they’ll likely have tried to clean you out. Given we’re talking about those who might be severely affected by the changes to the tax credits system, this would be quite the blow to say the least (and even if you’re not impacted, it’s still not a nice thing to happen either way)... HMRC does -not- send out missives offering refunds."

savingshuffle(dot)com: 50.63.202.37: https://www.virustotal.com/en/ip-address/50.63.202.37/information/
___

Malicious SYNful Cisco router implant found on more devices...
- https://zmap.io/synful/
Sept 16, 2015 - "... The attack is known to affect Cisco 1841, 2811, and 3825 series routers, but may also affect similar Cisco devices... Further details on the -firmware- implant can be found in the original FireEye post:
> https://www.fireeye.com/blog/threat-research/2015/09/synful_knock_-_acis.html
... by modifying ZMap to send the specially crafted TCP SYN packets. We completed four scans of the public IPv4 address space on September 15, 2015 and found -79- hosts displaying behavior consistent with the SYNful Knock implant. These routers belong to a range of institutions in -19- countries. We have found no immediate pattern in the organizations affected, but note a surprising number of routers in Africa and Asia (compared to IP allocations). We note that the -25- hosts in the United States belong to a single service provider on the East Coast, and that the hosts in both Germany and Lebanon belong to a single satellite provider that provides coverage to Africa. A map of devices is available here:
> https://zmap.io/synful/map.html "

> https://zmap.io/synful/graph.png

> https://www.eecs.umich.edu/eecs/about/articles/2013/zmap.html

>> http://net-security.org/malware_news.php?id=3104
18.09.2015
___

Fake 'Monthly account report' SPAM – PDF malware
17 Sep 2-15 - "An email with the subject of 'Monthly account report' pretending to come from info@ nab. com.au with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/09/Monthly-account-report-1024x645.png

17 September 2015: Finance received statement .zip: Extracts to: Transfer online paying system cashback .exe
Current Virus total detections 2/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/084ae8f07ef3c60ff24475de5f9ab10d16d81fd057ae682919b1279ceea5c84f/analysis/1442524683/

:fear::fear: :mad:

FYI...

Active malware campaign uses thousands of WordPress sites to infect visitors
15-day-old campaign has spiked in past 48 hours, with >5,000 new infections daily.
- http://arstechnica.com/security/2015/09/active-malware-campaign-uses-thousands-of-wordpress-sites-to-infect-visitors/
Sep 18, 2015 - "Attackers have hijacked thousands of websites running the WordPress content management system and are using them to infect unsuspecting visitors with potent malware exploits, researchers said Thursday. The campaign began 15 days ago, but over the past 48 hours the number of compromised sites has spiked, from about 1,000 per day on Tuesday to close to 6,000 on Thursday, Daniel Cid, CTO of security firm Sucuri, said in a blog post*. The hijacked sites are being used to -redirect- visitors to a server hosting attack code made available through the Nuclear exploit kit**, which is sold on the black market. The server tries a variety of different exploits depending on the operating system and available apps used by the visitor... On Thursday, Sucuri detected thousands of compromised sites, 95 percent of which are running on WordPress. Company researchers have not yet determined how the sites are being hacked, but they suspect it involves vulnerabilities in WordPress plugins. Already, 17 percent of the hacked sites have been blacklisted by a Google service that warns users before they visit booby-trapped properties... Administrators can use this Sucuri scanning tool*** to check if their site is affected by this ongoing campaign."

* https://blog.sucuri.net/2015/09/wordpress-malware-active-visitortracker-campaign.html
Sep 18, 2015

** https://heimdalsecurity.com/blog/nuclear-exploit-kit-flash-player/

*** https://sitecheck.sucuri.net/

Latest Wordpress update: https://forums.spybot.info/showthread.php?867-Alerts&p=466236&viewfull=1#post466236
___

Trojan targets online poker sites, peeks at players’ cards
Malware targets two of the largest gambling sites, PokerStars and Full Tilt Poker.
- http://arstechnica.com/security/2015/09/trojan-targets-online-poker-sites-peeks-at-players-cards/
Sep 18, 2015 - "Anybody who has ever played poker, online or offline, always suspects that they might be the victim of cheating when the cards aren't going their way. Now there's evidence to suspect that the hunch is real when it comes to two of the world's most popular online gambling portals. "Several hundred" gamblers on the Pokerstars and Full Tilt Poker platforms have been hit with a cheating trojan, according to ESET* security researcher Robert Lipovsky:
' Every once in a while, though, we stumble upon something that stands out, something that doesn’t fall into the “common” malware categories that we encounter every day — such as ransomware, banking trojans, or targeted attacks (APTs) — just to name a few of those that are currently causing the most problems. Today, we’re bringing you one of those uncommon threats — a trojan devised to target players of online poker.'
The latest Windows malware discovery, called Odlanor, comes two years after ESET warned of the PokerAgent botnet propagating on Facebook in connection to the Zynga Poker app..."
* http://www.welivesecurity.com/2015/09/17/the-trojan-games-odlanor-malware-cheats-at-poker/
17 Sep 2015
(Country locations infected with Odlanor)
- http://www.welivesecurity.com/wp-content/uploads/2015/09/ESET_Odlanor_infected.jpg

Threat Detail: http://virusradar.com/en/Win32_Spy.Odlanor/detail

:fear::fear: :mad:

FYI...

Fake 'Paymark' SPAM – PDF malware
- http://myonlinesecurity.co.uk/paymark-transtrack-report-fake-pdf-malware/
21 Sep 2015 - "An email with the subject of 'Paymark TransTrack Report' pretending to come from Paymark TransTrack <onlineassist@ paymark .co.nz> with a zip attachment is another one from the current bot runs... The content of the email says:
Thank you for using the Paymark TransTrack Transaction Reporting email service.
Please find attached your requested transaction report.
The report is in PDF format, suitable for importing into a variety of finance and spreadsheet applications such as Xero, MYOB and Microsoft Excel.
The attached report is in a zip-formatted compressed file so you will need to extract it before viewing it.
If you experience any difficulties or would like more information about Paymark TransTrack please visit ...
This email was sent to [REDACTED]
This email has been filtered by SMX. For more information visit ...

21 September 2015: report.zip: Extracts to: report.scr
Current Virus total detections 6/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/32911bb8871ed6869eb3809b8001fb044199caeca203d600735d32e4af21eb0a/analysis/1442811837/
___

Fake 'Sage invoice' SPAM – PDF malware
- http://myonlinesecurity.co.uk/your-sage-subscription-invoice-is-ready-fake-pdf-malware/
21 Sep 2015 - "An email with the subject of 'Your Sage subscription invoice is ready' pretending to come from noreply@ sage .com with a link-for-you-to-download a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/09/Your-Sage-subscription-invoice-is-ready-1024x674.png

21 September 2015: invoice.zip: Extracts to: invoice.scr
Current Virus total detections 0/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/a25f58a57a01ec6c14ad5118137afd0563d5f453f1b2bf73633ca692c3184edd/analysis/1442827749/

- http://blog.dynamoo.com/2015/09/malware-spam-your-sage-subscription.html
21 Sep 2015 - "... contains a malicious executable invoice.scr which has a VirusTotal detection rate of 1/56*. The Hybrid Analysis report** shows that this is -Upatre- dropping the Dyre banking trojan, and one key indication of infection is traffic to the IP 197.149.90.166 in Nigeria."
* https://www.virustotal.com/en/file/a25f58a57a01ec6c14ad5118137afd0563d5f453f1b2bf73633ca692c3184edd/analysis/1442835086/

** https://www.hybrid-analysis.com/sample/a25f58a57a01ec6c14ad5118137afd0563d5f453f1b2bf73633ca692c3184edd?environmentId=1

197.149.90.166: https://www.virustotal.com/en/ip-address/197.149.90.166/information/
___

Fake 'order not competed' SPAM – PDF malware
- http://myonlinesecurity.co.uk/your-order-is-not-competed-fake-pdf-malware/
21 Sep 2015 - "The Upatre malware spreading gang are hard at work again today with a new set of emails with the subject of 'Your order is not competed' pretending to come from random companies with a zip attachment is another one from the current bot runs... The body of the email simply contains the -name- of the attachment, so in this case the body reads: 'file: Receive rental contract.pdf'. Every email so far received has had a -different- subject and attachment name. Other subjects include:
Order isn’t done
Your order is not done
Order is not finished
Your order is not paid
Order is not processed ...

21 September 2015: Receive rental contract.zip: Extracts to: Imprint tax business.exe
Current Virus total detections 2/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/18823bcb4f4a00f1ad58c6dfdbc04c709b4a24f338b1fddf9b2c5d0c1e2ba71e/analysis/1442828635/
___

Tainted Network - VPS Hosting of Latvia (91.226.32.0/23) ...
- http://blog.dynamoo.com/2015/09/tainted-network-kfciilluminationescomsn.html
21 Sep 2015 - "I've been seeing some injection attacks since last week utilising hosting services of VPS Hosting in Latvia. These are continuing today, with attacks like this one which sends traffic to:
[donotclick]kfc.i.illuminationes .com/snitch
This is hosted on 91.226.33.54. The exploit is not clear at this point, but some sources say that this is some sort of TDS kit. The URLquery transaction flowchart shows the attack in action:
> [url]https://2.bp.blogspot.com/-9JiDUjob_AI/Vf_J3mhrGEI/AAAAAAAAHDI/bDMRc9G0AF4/s1600/tds-ek.png
The injected script sends the keywords and referring site upstream... Although the attacks in the past few days only seem to have utilised 91.226.33.54, an analysis of the netblock... shows several bad or spammy sites in 91.226.32.0/23, so my recommendation is that you banish (-block-) this range from your network."
* https://urlquery.net/report.php?id=1442826023324

illuminationes .com: 91.226.32.69: https://www.virustotal.com/en/ip-address/91.226.32.69/information/

91.226.33.54: https://www.virustotal.com/en/ip-address/91.226.33.54/information/
> https://www.virustotal.com/en/domain/kfc.i.illuminationes.com/information/
___

NSW Health Payslip Spam
- http://threattrack.tumblr.com/post/129567671538/nsw-health-payslip-spam
Sep 21, 2015 - "Subjects Seen
Payslip for the period 21 Aug 2015 to 21 sep 2015
Typical e-mail details:
This message is intended for the addressee named and may contain confidential information. If you are not the intended recipient, please delete it and notify the sender.
Views expressed in this message are those of the individual sender, and are not necessarily the views of NSW Health or any of its entities.

Screenshot: https://40.media.tumblr.com/433050ff0f62b72379fdd04b4f512c3b/tumblr_inline_nv151zgxyC1r6pupn_500.png

Malicious File Name and MD5:
Payslip-21092015.scr (fa73a8adc4a7a1b037b8dded1eb9ac90)

Tagged: NSWHealth, Upatre
___

iOS users endangered by Trojanized apps from the App Store
- http://net-security.org/malware_news.php?id=3105
21.09.2015 - "Unknown malware pushers have managed to trick Apple into offering for download from the company's official App Store a considerable number of malicious apps - apps that collect device information and try to get users' iCloud login credentials. The current list* of infected iOS apps includes many extremely popular apps in China and the rest of the world..."

Malware XcodeGhost Infects 39 iOS Apps ...
* http://researchcenter.paloaltonetworks.com/2015/09/malware-xcodeghost-infects-39-ios-apps-including-wechat-affecting-hundreds-of-millions-of-users/
Sept 18, 2015
- http://researchcenter.paloaltonetworks.com/2015/09/more-details-on-the-xcodeghost-malware-and-affected-ios-apps/
Sep 21, 2015

- https://blog.malwarebytes.org/mac/2015/09/xcodeghost-malware-infiltrates-app-store/
Sep 21, 2015
___

Skype 'glitch' preventing some users from making calls
- http://www.reuters.com/article/2015/09/21/us-microsoft-skype-idUSKCN0RL0YC20150921
Sep 21, 2015 - "Skype, Microsoft's online telephone and video service, said some users are unable to make calls on Monday because their settings show that they and their contacts are offline, even when they are logged in. In an updated blog post*, Skype also said some messages to group chats are not being delivered and that users who are not already signed in may face difficulty while accessing their accounts:
> http://heartbeat.skype.com/2015/09/skype_presence_issues.html
Skype added that users could experience delays in seeing changes made to their accounts, such as credit balance and profile details. Users may also face difficulty loading web pages on the Skype Community... In an earlier post, Skype had said its instant messaging and Skype for Web services were not facing technical issues."

:fear::fear: :mad:

FYI...

Malvertising attack hits Realtor .com visitors
- https://blog.malwarebytes.org/malvertising-2/2015/09/malvertising-attack-hits-realtor-com-visitors/
Sep 22, 2015 - "... malvertising keeps on striking high profile sites. The latest victim is popular real estate website realtor.com, ranked third in its category with an estimated 28 million monthly visits... People browsing the site in the last few days may have been exposed to this malvertising campaign and consequently infected if their computers were -not- patched or did -not- have adequate security software. Like all other malvertising attacks, this one did -not- require to click on the -bogus- ad to get infected. The same gang that was behind the recent campaign we documented on this blog is still going at it using the same stealth tactics, which we will elaborate on a little more here:
> https://blog.malwarebytes.org/wp-content/uploads/2015/09/realtor_flow.png
Rogue advertisers are putting a lot of efforts into making ad banners that look legitimate and actually promote real products or services. We should also note that the use of SSL to encrypt web traffic is getting more and more common in the fraudulent ad business and that only makes tracking bad actors more difficult. We have alerted both the publisher (Realtor .com) and the ad serving technology platform (AdSpirit) about this attack and the latter has already taken action to disable the malicious creative... the Bedep Trojan (ad fraud, ransomware) via the Angler exploit kit."
___

Fake 'Dislike' Facebook scam ...
- http://www.theregister.co.uk/2015/09/22/facebook_dislike_survey_scam/
22 Sep 2015 - "Survey scammers have already capitalised on Facebook's tentative plans to develop a 'Dislike' button... no such app is yet available and the offers are a scam, designed to hoodwink people into filling in pointless online surveys or buying into get-rich-quick schemes. Survey scams are a well-worn short con on the internet that, at best, waste surfers' time while yielding nothing in return. Victims are not infrequently tricked into disclosing their mobile numbers through survey scams and are subsequently signed up to premium rate services. Either ruse might also be used to coax marks into handing over Facebook login credentials. More details on the resurgence of Facebook Dislike -scams- can be found in a blog post by security industry veteran Graham Cluley here*, and by on Sophos's Naked Security blog here**."
* https://grahamcluley.com/2015/09/right-cue-come-facebook-dislike-button-scams/

** https://nakedsecurity.sophos.com/2015/09/21/guess-what-facebook-dislike-scams-are-back/
___

Fake 'Grand Theft Auto online' scams ...
- https://blog.malwarebytes.org/fraud-scam/2015/09/gta-5-money-generator-scams-theyre-wheelie-bad/
Sep 22, 2015 - "Grand Theft Auto online is still as popular as ever, with new content being released soon and everybody ramping up their “Must play it now” levels to the max. Money makes the online GTA world go round, and you certainly need a lot of it to progress. With that in mind, you might want to avoid the following sites claiming to offer up ridiculous amounts of money via a few “simple steps”. First out of the gate, we have
gta5moneyserver(dot)com
... which has an amazing line in -faked- videogame site news pieces about their awesome money grabbing technique. Totally can’t see the Photoshop, guys:
> https://blog.malwarebytes.org/wp-content/uploads/2015/09/gtamoney1.jpg
...
> https://blog.malwarebytes.org/wp-content/uploads/2015/09/gtamoney2.jpg
... The focus of this one is what they’ve chosen to call “Genius Theft Auto”, where you enter your Username into the box and a pile of money awaits (or something):
> https://blog.malwarebytes.org/wp-content/uploads/2015/09/gtamoney3.jpg
... Elsewhere, we have
gta5moneyhackonline(dot)com
... which doesn’t beat about the bush, dispensing with pretty much everything other than a box asking for your info, desired money amount and a -survey- pop immediately after hitting the generate button... it’s a safe bet that every single “Money Generator” website you visit will end in little more than -spamming- a website to your friends, lots of -surveys- and the occasional download:
> https://blog.malwarebytes.org/wp-content/uploads/2015/09/gtamoney8.jpg
... you’ll likely see a burst of activity on the GTA fakeout front, so steer clear of the following:
Money generators
Free DLC generators
Rank improvement
Account unbanning
“DNS codes“
Follow these steps, and you won’t get caught up in a 'Grand Theft Internet'."

gta5moneyserver(dot)com: 104.152.168.16: https://www.virustotal.com/en/ip-address/104.152.168.16/information/

gta5moneyhackonline(dot)com: 162.255.118.48: https://www.virustotal.com/en/ip-address/162.255.118.48/information/
___

Fake 'Worldpay' SPAM - xls malware
- http://myonlinesecurity.co.uk/premium-charging-mi-package-for-merchant-82682006-fake-xls-excel-malware/
21 Sep 2015 - "An email with the subject of 'Premium Charging MI Package for Merchant 82682006' pretending to come from GEMS@ Worldpay .com with a zip attachment is another one from the current bot runs... The content of the email says :
*** Please do not reply to this Message *** Attached is the Management
Information to support your Monthly Invoice. Should you have any queries,
please refer to your usual helpdesk number.
This e-mail and any attachments are confidential, intended only for the
addressee and may be privileged. If you have received this e-mail in error,
please notify the sender immediately and delete it. Any content that does
not relate to the business of Worldpay is personal to the sender and not
authorised or endorsed by Worldpay. Worldpay does not accept responsibility
for viruses or any loss or damage arising from transmission or access.
Worldpay (UK) Limited (Company No: 58544680/ Financial Conduct Authority
No: 42068), Worldpay Limited (Company No:03424752 / Financial Conduct
Authority No: 640149), Worldpay AP Limited (Company No: 82351023 ...

21 September 2015: 82682006.zip: Extracts to: 70346783.scr
Current Virus total detections 9/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper Xls Excel file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/e35bc813a4b09d99e259c4d14691b2411d7fe791e76b0506dcfe32c42a84dec1/analysis/1442846468/

:fear::fear: :mad:

FYI...

Fake 'NDISPlan' SPAM – PDF malware
- http://myonlinesecurity.co.uk/ndisplan-fake-pdf-malware/
23 Sep 2015 - "An email with the subject of 'NDISPlan' pretending to come from random names @ndis .gov.au <filepoint@ dss .gov.au> with a zip attachment is another one from the current bot runs... The content of the email says:
You have received 1 secure file from Edgar.Townsend@ ndis .gov.au.
Use the secure link below to download.
Hi Loik, As requested, please find attached a copy of Shelby’s plan. Cheers, Edgar
Secure File Downloads:
Available until: 16 October 2015
Click link to download:
Shelby-MyNDISPlan.zip
681.07 KB, Fingerprint: 3F540085E625C8C2E5EB84A6B060E403 (What is this?)
You have received secure links within this email sent via filepoint.dss .gov.au. To retrieve the files, please click on the links above.
The link is to https ://www.sugarsync .com/pf/D8992504_764_6670557430?directDownload=true and not any gov.au site

Todays Date: Shelby-MyNDISPlan.zip: Extracts to: Shelby-MyNDISPlan.scr
Current Virus total detections 2/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/78073cd80cd2ce04aa2f089760a60ffc494bd241eaa9787b17573eb152692ba5/analysis/1442985111/

sugarsync .com: 74.201.86.21: https://www.virustotal.com/en/ip-address/74.201.86.21/information/
___

Fake 'Bankline ROI' SPAM - malicious attachment
- http://blog.dynamoo.com/2015/09/malware-spam-bankline-roi-password-re.html
23 Sep 2015 - "This -fake- banking spam does not come from RBS, but is instead a simple forgery with a malicious attachment:
From "RBS" [secure.message@ rbs .co.uk]
Date Wed, 23 Sep 2015 11:28:48 GMT
Subject Bankline ROI - Password Re-activation Form
Please find the Re-activation form attached, send one per user ensuring only one
box is selected in section 3. A signatory on the bank mandate must sign the form.
Fax to 1850 826978 or alternatively you may wish to email the completed document,
by attaching it to an email and sendinsg it to banklineadministration@rbs.co.uk
On receipt of the completed form we will respond to the request within 2 working
hours and communicate this to the user by email.
Please note - The life-span of an activation code is 21 days; after this time, the
activation code will expire and a new one must be ordered.
Please be aware when choosing a new pin and password for the service, it is important
not to use pin/passwords that you have used before but to use completely different
details.
If you are the sole Standard Administrator may I take this opportunity to suggest
when you are reinstated on the system, to set up another User in a Standard Administrator
role. This will prevent you being locked out completely and allow you to order a
new activation code from within the system and reset your security sooner.
If you require any further assistance then please do not hesitate to contact us on
1850 310269 and one of our associates will be happy to assist you.
Regards
Bankline Product Support ...

In the sample I saw, the attached file was Bankline_Password_reset_3537684.zip containing a malicious exeucutable Bankline_Password_reset_8569474.scr which has a VirusTotal detection rate of 2/56*. The Hybrid Analysis report** shows behaviour consistent with Upatre/Dyre and shows that the malware communicates with a known bad IP of 197.149.90.166 (Cobranet, Nigeria) which I definitely recommend -blocking- or monitoring."
* https://www.virustotal.com/en/file/98c6cf1304a449f37d9b6e099388e0656b1f25d815316c668b1c91f703d87ad1/analysis/1443010402/

** https://www.hybrid-analysis.com/sample/98c6cf1304a449f37d9b6e099388e0656b1f25d815316c668b1c91f703d87ad1?environmentId=1
___

'DHL Courier' - Phish ...
- http://blog.dynamoo.com/2015/09/phish-shipment-label-dhl-courier.html
23 Sep 2015 - "This DHL-themed spam is actually a phishing email:
From: DHL Courier Services [roger@community .mile .org]
To:
Date: 23 September 2015 at 11:15
Subject: SHIPMENT LABEL
Signed by: community. mile.org
Dear customer,
Your shipment arrived at the post office.Our courier was unable to deliver the shipment to your address.To receive the shipment,please visit the nearestDHL office and take your mailing label with you.
The mailing label is attached in this email. Please print and show at the nearest DHL office to receive the shipment.
Thank you for using DHL services...

Attached is a PDF file shipmentt_label.pdf which is not malicious in itself, but contains a hypertext link (as you can see in this Hybrid Analysis report*):
> https://4.bp.blogspot.com/-dIqTVhvNLlI/VgKhYr-6ByI/AAAAAAAAHDw/gz2xk6GXVPk/s1600/dhl5.png
If the potential victim clicks "Click here" then they are directed to ow .ly/Sq9to and from there to a phishing page at br1-update .be/wg/lhd.php on 64.20.51.22 (Inetserver Inc, US) which belongs to a netblock 64.20.51.16/29 which -also- looks highly suspect:
> https://1.bp.blogspot.com/-mNlcOztRLbE/VgKjULTyCCI/AAAAAAAAHD8/osQ1Y-sftp0/s1600/dhl6.png
The phishing page itself is a complex script which is Base 64 encoded, then hex encoded... which is presumably phishing for email accounts. The spam itself appears to have been sent from a -compromised- webmail account at community .mile.org . For the moment, I would suggest that the entire 64.20.51.16/29 range is malicious and should be -blocked-."
* https://www.hybrid-analysis.com/sample/d70dfd1c8dd1af5888c1eb60a5d58ed70a91eaa12de72c9a0836dc7232db8e25?environmentId=1

br1-update .be: 64.20.51.22: https://www.virustotal.com/en/ip-address/64.20.51.22/information/

:fear::fear: :mad:

FYI...

Evil network: 64.20.51.16/29 ...
- http://blog.dynamoo.com/2015/09/evil-network-6420511629-interserver-inc.html
24 Sep 2015 - "This DHL-themed phish* got me looking at an IP address range of 64.20.51.16/29 which is a range belonging to Interserver Inc in the US, but which has been -reallocated- to a customer... the WHOIS details for that block are not valid..
* http://blog.dynamoo.com/2015/09/phish-shipment-label-dhl-courier.html
... an analysis of the sites currently and formerly hosted in that range indicate a very high proportion of -phishing- sites.. in fact, the range is a hotbed of sophisticated fraud sites, many of which seem to be undiscovered. I combined current reverse IP data from DomainTools and current and historical data from DNSDB and then ran them through an IP lookup and a check against the Google Safe Browsing... a very large number of sites -flagged- by SURBL in particular, amounting to 47 out of 167 sites (i.e. 28%) that I can identify as being currently hosted in that range. In addition, a large number of phishing and other malicious sites have been hosted on 64.20.51.16/29 in the past and are now hosted elsewhere...
Conclusion: I really just skimmed the surface with my analysis here, but it is clear that the 64.20.51.16/29 block is being used almost exclusively for fraud. Moreover, the fraud is extremely sophisticated involving things like -fake- business registries and couriers. It is also clear that the Pakistani web hosts apparently providing these services have been doing so for some time.
Recommended blocklist:
64.20.51.16/29
76.73.85.136/29
185.24.233.16 "
(Much more detail at the dynamoo URL at the top of this post.)
___

Fake 'Federal Fiscal evasion' SPAM - PDF malware
- http://myonlinesecurity.co.uk/federal-fiscal-evasion-notification-fake-pdf-malware/
24 Sep 2015 - "An email with the subject of 'Federal Fiscal evasion notification' pretending to come from random email addresses at random companies with a zip attachment is another one from the current bot runs... The content of the email says:
Hi
Last Monday our colleagues were delivered final notice letter of tax authority.
They are accusing You of tax avoidance that is considered a federal crime and might lead to considerable fines.
In the attachment kindly see scan-copy of above official notice.
You are highly asked inspect the enclosure very carefully so as to argue to the contrary later.
According to our executive management’s information the appointment with Internal Revenue authorities is to be confirmed this week.
We strictly advise You to be prepared for upcoming deposition because serious charges are brought against You.
Right after getting Your approval specialists will commence filling required form-sheets.
Katherine Dowson Senior Associate

Other subjects in this malspam run include:
Federal levy avoidance prosecution
Federal levy avoidance indictment
State Fiscal evasion charges
Federal levy avoidance conviction
Federal Fiscal dodging notification ...
24 September 2015: Doc_320762_Federal Fiscal evasion notification .pdf.zip:
Extracts to: timber carrier dive gamma.exe - Current Virus total detections 5/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/1afea22bd677091b4318eded9a3129c03bf29d58569b6c2d9cd66b7ebb0b62df/analysis/1443113149/
___

Apple tackles XcodeGhost by removing apps, alerting devs and users
- http://net-security.org/malware_news.php?id=3111
24.09.2015 - "The XcodeGhost incident has demonstrated that however secure a system is thought to be, there's always a way in. It also shows how the very human tendency of trying to simplify and hasten the execution of a task can lead to decreased security. Apple has expanded on its initial comment about the malware and its proliferation in the App Store, and has explained that they have removed the infected apps from the store and that they are blocking submissions of new apps that contain the malware. They listed* the top 25 most popular apps impacted, among which is the popular messaging app WeChat, and noted that "after the top 25 impacted apps, the number of impacted users drops significantly."
Users are advised to update those apps as soon as possible (once they are available on the App Store once again). Uninstalling the affected apps until that time is also a good idea, although the company says that the found malware was only capable of harvesting some general information about the apps and the OS... This incident might ultimately prove very beneficial for both Apple and app developers. As noted above, the former has already decided to do something about the downloading difficulties developers outside the US are facing..."
* https://www.apple.com/cn/xcodeghost/#english

:fear::fear: :mad:

FYI...

Fake 'Cancellation' SPAM – PDF malware
- http://myonlinesecurity.co.uk/cancellation-of-your-last-transaction-fake-pdf-malware/
25 Sep 2015 - "Another series of emails delivering Upatre downloaders with the subject of 'Cancellation of your last transaction' pretending to come from random companies and email addresses with a zip attachment is another one from the current bot runs... The content of the email says :

Unfortunately your remittance transfer was cancelled. Please verify your transaction details. Full info attached.

Other subjects in this malspam run include:
Cancellation of transaction
Suspension transaction
Invaild data in your transaction
Suspension your transaction
Blocking transaction
Problems with your last transaction ...
25 September 2015: Doc_26638351_Cancellation of your last transaction .pdf.zip
Extracts to: mgt emblem abreact.exe - Current Virus total detections 1/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/5dbc3a6e3a4e3835b1175f6d75ee3e54052b0d22b9654324222fafa6225c3b57/analysis/1443176862/
___

Fake online -Avast- scanner
- https://blog.malwarebytes.org/social-engineering/2015/09/fake-online-avast-scanner/
Sep 25, 2015 - "... we came across a -fake- online scanner that abuses the good name of Avast. The idea to get you to visit this site is by waiting for someone to make a typo and end up at facebooksecuryti(dot)com; The site shows a picture of a pornographic nature just long enough to -redirect- you to the fake online scanner at avast(dot)services:
> https://blog.malwarebytes.org/wp-content/uploads/2015/09/site.png
The scanner page looks a bit like Jotti’s malware scan, and they have quite a few logos in common:
> https://blog.malwarebytes.org/wp-content/uploads/2015/09/jotti.png
The -fake- scanner will end up showing you that there is only one antivirus that can find a problem which is... you guessed it, avast! A bit predictable given the name and the logo of the site. This is where we hope that our readers would get very suspicious. A security software company offering to scan your computer using the scanning engines of competitors would be strange enough, but I’m sure if anyone did they would make it a fair competition and not declare themselves the one and only solution every time:
> https://blog.malwarebytes.org/wp-content/uploads/2015/09/prompt.png
It immediately offers you the options to “Install” or “Save” the file Avast.exe which is obviously -not- the installer for the actual Avast antivirus software. What the installer really does is drop an information stealing Trojan in several places on the victims system and point to them from two startup locations. One is a Run key for the current user pointing to a file in a temporary “System Restore” folder... This type of Trojan can be used to gather information on the victims’ computer and encrypt it. The encrypted information will be sent to the operator, who can determine which kind of information will be gathered from the compromised system... The files involved are detected as Trojan.InfoStealer.Generic and Stolen.Data. Thanks to our friend at hpHosts* for the tip."
* http://www.hosts-file.net/

avast(dot)services: 160.153.16.36: https://www.virustotal.com/en/ip-address/160.153.16.36/information/

> https://www.virustotal.com/en/url/20743f156f62a60968fc4adca2506e73e9521d63181e81122d380b7c649a036a/analysis/
2015-09-25
7/65
___

Scandinavian users hit with -fake- post office emails, ransomware
- http://net-security.org/malware_news.php?id=3112
25.09.2015 - "Scandinavian PC users are the latest group to be targeted with Cryptolocker ransomware. According to Heimdal Security*, the threat comes via email. The malware peddlers are impersonating the Norwegian, Swedish and Danish postal services, and are trying to trick users into believing that there has been a failed delivery of a package. They are instructed to click-on-the-link in the email, supposedly to download the document needed to claim the package at the post office, but what they'll get is an executable. Those users who -fail- to find this suspicious and run the file will have all their files encrypted (both on the computer and on connected devices), and will be faced with a ransom message... The emails are usually written in the victim's language, and are equipped with the logos and images associated with that country's postal services (e.g. in Denmark: Post Denmark and PostNord):
> http://www.net-security.org/images/articles/denmark-25092015.jpg
The delivered malware is Cryptolocker2. When the campaign was first noticed earlier this week, the delivered malware variant had an extremely low AV detection rate - only one out of 56 AV engines used by VirusTotal** flagged it as malware. Three days later, the numbers are better (34 out of 55), but the danger is still present. Anyone can fall for this type of scheme, although it has been most successful with home users and employees of small-to-medium size businesses. Users of all kinds should educate themselves about the danger, and first and foremost should stop clicking-on-links contained in emails whose senders they haven't verified..."
* https://heimdalsecurity.com/blog/security-alert-the-global-get-your-cryptolocker-as-a-package-campaign-continues/

** https://www.virustotal.com/en/file/1b41c32c55de43ddb3871260fd0ea30d067dc27840b7f63d857afa7f9267c73a/analysis/1442488273/

dshome .ru: 37.140.192.89: https://www.virustotal.com/en/ip-address/37.140.192.89/information/
___

Cisco releases tool for detecting malicious router implants
- http://net-security.org/malware_news.php?id=3114
25.09.2015 - "Cisco Systems has provided a tool* that allows -enterprise- users to scan their networks and discover if their routers have been compromised with malicious SYNful Knock implants:
* http://talosintel.com/scanner/
... If a compromised router is found, the scanner will provide instructions on what to do next. Users are can also contact the Cisco Product Security Incident Response Team (PSIRT) for help. The SYNful Knock router implant was first discovered by FireEye researchers, and other researchers have found instances of compromised routers around the world. The discovery came roughly a month after Cisco warned about attackers replacing the Cisco IOS ROMMON (IOS bootstrap) with a -malicious- ROMMON image, after gaining administrative or physical access to a Cisco IOS device. These compromises are not the result of the exploitation of a vulnerability, but of a legitimate feature that allows network admins to install an upgraded ROMMON image on IOS devices for their own purposes. For more technical details and tool caveats, check out McVey's blog post**."
** http://blogs.cisco.com/security/talos/synful-scanner
Sep 23, 2015 - "... We updated the tool to version 1.0.1."

:fear::fear: :mad:

FYI...

Fake 'toll road payment' SPAM – PDF malware
- http://myonlinesecurity.co.uk/unsettled-toll-road-payment-reminder-fake-pdf-malware/
28 Sep 2015 - "Another load of emails from the Upatre downloaders with the subject of 'Unsettled toll road payment reminder' pretending to come from random companies and email addresses with a zip attachment is another one from the current bot runs... The content of the email says:
Good day!
Your toll road ticket #2515380112 is still unsettled. Please make a remittance to avoid additional fees within 12 days.
The copy of ticket is attached to this e-mail.

Other subjects in today’s malspam run include:
Turnpike road invoice reminder
Outstanding turnpike invoice message
Outstanding turnpike payment email reminder
Oustanding toll road ticket notification
Oustanding toll road payment notification
Unsettled toll road bill notice
Turnpike road bill reminder
Toll road bill notice
Toll road payment message
Turnpike road ticket notification

28 September 2015: Doc_9911815_Unsettled toll road payment reminder .pdf.zip:
Extracts to: copious strumpet kernel mode.exe
Current Virus total detections 3/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/1b4a4b0f33096d31b99a64991ed664c9a0f5ad6b6d2dbccf325e4655d4fb08df/analysis/1443433322/

Similar: https://isc.sans.edu/diary.html?storyid=20191
2015-09-28
Screenshot: https://isc.sans.edu/diaryimages/images/Screen%20Shot%202015-09-28%20at%206_25_33%20AM.png
[1] https://www.virustotal.com/en/file/80237fc10155567a68163bfd5bbf0afc5cb521bfdd1d486e1c3682083b5f61f8/analysis/1443436044/
4/55
___

Fake 'latest proposal' SPAM – PDF malware
- http://myonlinesecurity.co.uk/the-latest-proposal-fake-pdf-malware/
28 Sep 2015 - "Another set of emails with Upatre downloaders involve the subject of 'The latest proposal' pretending to come from random email addresses and companies with a zip attachment is another one from the current bot runs... The content of the email says :
Good day,
I’ve attached a new project and business proposal to this e-mail. I suppose it will interest you.
... This message and any attachments are confidential and intended for the named
addressee(s) only.If you have received this message in error, please notify
immediately the sender, then delete the message. Any unauthorized modification,
edition, use or dissemination is prohibited. The sender does not be liable for
this message if it has been modified, altered, falsified, infected by a virus
or even edited or disseminated without authorization...

Other subjects in this Malspam run include:
My commercial proposal
Please read my new commercial proposal
Please read my new business project
Please view my new project
New business proposal
The latest proposal of common business ...
28 September 2015: Doc_21123802_My commercial proposal .pdf.zip:
Extracts to: attendee parent bank manage to.exe
Current Virus total detections 2/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/1d0508b269aad864b86a0267e8e688bebb25133058b89769a1136ef7e3b262b4/analysis/1443448919/
___

Pornhub, YouPorn - Malvertising ...
- https://blog.malwarebytes.org/malvertising-2/2015/09/pornhub-youporn-latest-victims-of-adult-malvertising-campaign/
Sep 28, 2015 - "The xHamster malvertising campaign we wrote about last week[1] was part of several attacks against many top adult sites. It is unclear whether this was a planned effort from threat actors but the timing is certainly strange. Over the week-end we detected -another- incident affecting Pornhub and YouPorn, some of the biggest adult websites with a combined 800 million monthly visits... Overview:
Publishers: Pornhub .com/YouPorn .com
Ad network: syndication.exoclick .com/{redacted}
Malicious code: trackitsup .com/cookiecheck.js?{redacted}
Redirection to exploit-kit: beatiful.sextubehard .pw/{redacted}
Angler Exploit Kit: knutterigemukaantulolleen.colleenmhammond .org
Rogue advertisers abused the ExoClick ad network by inserting a seemingly legitimate piece of code as an ad banner. The first documented instance of the ‘cookiecheck.js‘ campaign appears to have taken place on Sept. 19th according to this tweet from malware hunter Malekal:
> https://twitter.com/malekal_morte/status/645148983959113728
#Browlock #Ransomware at @Exoclick network...
'The ‘cookiecheck’ malvertising campaign. Rotating domain names all use the same JavaScript snippet.'
Fortunately, the malvertising on Pornhub and YouPorn did not last as long, thanks to an immediate action from both the publisher and ad network... During the past several months, high profile malvertising attacks against top adult sites have been sparse. This makes what we have seen during the past couple of weeks very unusual but also impactful given the sheer volume of traffic these sites receive. What’s more, the attack against top adult ad network TrafficHaus we documented last week[1] may have been the result of a security breach, according to a comment left on security blogger Graham Cluley’s site**. Users should make sure that their computers are fully patched and protected with several layers of security (the 3 A’s is a very effective line of defense: Anti-exploit, Antivirus, Anti-malware) in order to defeat malvertising and drive-by download attacks."
1] https://blog.malwarebytes.org/malvertising-2/2015/09/ssl-malvertising-campaign-targets-top-adult-sites/
Sep 24, 2015
* https://grahamcluley.com/2015/09/xhamster-malware/
Sep 25, 2015
** https://grahamcluley.com/2015/09/xhamster-malware/#comment-49405
Sep 27, 2015 - "... 89.187.142.208..."
> https://www.virustotal.com/en/ip-address/89.187.142.208/information/

Pornhub .com: 31.192.117.132: https://www.virustotal.com/en/ip-address/31.192.117.132/information/

exoclick .com: 178.33.165.129: https://www.virustotal.com/en/ip-address/178.33.165.129/information/

trackitsup .com: 80.86.89.178: https://www.virustotal.com/en/ip-address/80.86.89.178/information/

sextubehard .pw: "A temporary error occurred during the lookup..."

colleenmhammond .org: 184.168.221.56: https://www.virustotal.com/en/ip-address/184.168.221.56/information/

:fear::fear: :mad:

FYI...

Fake 'Western Union' SPAM – PDF malware
- http://myonlinesecurity.co.uk/contract-61936417-about-to-expire-final-notice-western-union-business-solutions-online-fx-for-corporate-fake-pdf-malware/
29 Sep 2015 - "An email with the subject of 'Contract 61936417 About to Expire: Final Notice – Western Union Business Solutions Online FX for Corporate' pretending to come from Western Union via random email addresses and companies with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/09/Contract-61936417-About-to-Expire-Final-Notice-Western-Union-Business-Solutions-Online-FX-for-Corporate-1024x779.png

29 September 2015: WU Business Contract 45827544.zip:
Extracts to: WU Business Contract 770352457.scr
Current Virus total detections 18/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/6b0aaf37c4b1ff7897f575d01d32e1af596e59c882c9aada682df20f303d8b41/analysis/1443506282/
___

Fake 'Blocked profile' SPAM – PDF malware
- http://myonlinesecurity.co.uk/blocked-profile-management-notification-nab-bank-australia-fake-pdf-malware/
29 Sep 2015 - "An email with the subject of 'Blocked profile management notification' pretending to come from NAB Bank Australia with a zip attachment is another one from the current bot runs... The content of the email says :
Good day!
We have detected suspicious activity with Your Online-Banking profile. Please be informed that
the access and some capabilities of Your profile were restricted for security reasons. Temporarily
You cannot conduct transactions with online-banking profile. In order to obtain full management
powers You have to fill in and send back the attached form.
Please use codename for authorization (contained in the attachment).
Online-Banking profile: 8947626947780852875
Code Name: no doubt insolvent noncancerogenic
Our security department representative will contact You later to provide further instructions.
Regards,
Patrick Olsen
NAB Support Team.

29 September 2015: Bank_no doubt insolvent noncancerogenic_protection.zip:
Extracts to: whose noodle soullessness.exe
Current Virus total detections 15/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/55dc4a5993068d4d691a53e72dc7e7af4318d350c5a8aab27124d193aa407c38/analysis/1443507454/
___

Fake 'SantanderBillpayment' SPAM - malware attachment
- http://blog.dynamoo.com/2015/09/malware-spam-info-from.html
29 Sep 2015 - "This -fake- financial spam comes with a malicious attachment:
From "Santanderbillpayment-noreply@ SantanderBillPayment .co.uk" [Santanderbillpayment-noreply@ SantanderBillPayment .co.uk]
Date Tue, 29 Sep 2015 12:33:56 GMT
Subject Info from SantanderBillpayment .co.uk
Thank you for using BillPay. Please keep this email for your records.
The following transaction was received on 29 September 2015 at 09:11:36.
Payment type: VAT
Customer reference no: 0343884
Card type: Visa Debit
Amount: GBP 4,683.00
For more details please check attached payment slip.
Your transaction reference number for this payment is IR0343884.
Please quote this reference number in any future communication regarding this payment.
Yours sincerely,
Banking Operations ...

The attachment is named SantanderBillPayment_Slip0343884.zip although I have not been able to get a working copy. The payload is most likely the Upatre/Dyre banking trojan. My sources tell me that the current wave of this is phoning home to 197.149.90.166 in Nigeria which is worth -blocking- or monitoring."
___

Fake 'Attorney-client' SPAM – PDF malware
- http://myonlinesecurity.co.uk/attorney-client-agreement-fake-pdf-malware/
29 Sep 2015 - "An email with the subject of 'Attorney-client agreement' pretending to come from random names and random companies with a zip attachment is another one from the current bot runs... The content of the email says :
It went OK. The court understood that it may be that you might not have much relevant
information but he couldn’t rule as a matter of law that you had no relevant information
and did not need to appear. However he ordered the other side to make clear when they were
going to call you and provide information on that so that you are not standing around
waiting to be called. He also made it clear that I preserve my right to object to their
questions on grounds of relevance, so, you need to be available on Monday or Tuesday the
29th and 30th to appear but I will let you know as we get closer what time and day.
We will also need to prepare for your testimony the week before.
With regard to the other motions, the court ruled that they cannot present any evidence as
damages of costs incurred or the fee received while Gary Ferguson was representing the
Grover’s. That is pretty good ruling.
As to many of the other issues he simply punted them for trial, preserving our arguments
The only issue that we need to discuss is the Court’s willingness to consider their claim
for breach of contract. The court is going to allow them to assert a claim for breach of
contract. The Court indicated that it was a close call, but they have one paragraph in
their complaint suggesting a claim for breach of contract, but he limited the breach of
contract claim to their allegation that under the fee agreement you would not take any
money without paying the Grovers under your retainer agreement. That is the only breach
of contract claim. If you look at the retainer agreement attached, I don’t think it says
that (paragraph 1) . What it says is that if the case is settled, you can take your fee
and pay costs. However they are arguing that the whole case had to be settled before you
took any fee.
Even if that were the case, then you should have been able to receive the 63,665 at the end
of the case after they lost to Timpanogos (either under P&M’s agreement or your agreement.)
and they would’ve had to pay the costs. In other words, I think we have the stronger
argument here. And, if we win, we will be able to assert a claim for attorny’s fees.
But if they win, they also have that right.
However, because the court allowed them to assert this claim for breach of contract ruled
that he would allow me to conduct more limited discovery before trial if I think I needed to.
Upon first glance of the issue, I don’t think I need any additional discovery. But I wanted
to run this by you guys. Let me know your thoughts as soon as possible. He also said he
might consider bumping the trial if I tell him why I need to for this new claim. but I think
if it is limited to that issue. I don’t think ‘ll be able to convince him to bump the trial
unless I simply demand it.
I would like your thoughts.
Ana Marvin | Grady-Wintheiser | 49544 Josue Hills | Lake Kennith City, 32914
Direct: (628) 652-6347 | Facsimile: (628) 652-6347 ... vCard
This email is from a law firm and may contain privileged or confidential information.
Any unauthorized disclosure, distribution, or other use of this email and its contents
is prohibited. If you are not the intended recipient, please contact the sender and
delete this email. Thank you.

29 September 2015: View financial bargain.zip: Extracts to: Finish past due invoice.exe
Current Virus total detections 7/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/c58be63f372925fc03c4aa0cb255d2757e6f58d27eb25e592eee921178205efb/analysis/1443537708/
___

Instagram Account preys on Trust Issues
- https://blog.malwarebytes.org/online-security/2015/09/this-instagram-account-preys-on-your-trust-issues/
Sep 29, 2015 - "Questionable posts from random users — usually from those with a significant number of (bot) followers — are already becoming not uncommon within the photo- and video- sharing social site, Instagram. In fact, we have encountered a number of them before, with some falsely claiming to increase your follower count — an attempt we’ve seen floating around on Twitter and Facebook in the past — and with others attesting to a mass purge of accounts unless they have been verified. Recently, we’ve discovered an attempt at baiting users with the lure of catching his/her potentially cheating partner red-handed using a “trusted” service. All one needs is their target’s phone number.
Enter @INSTANTPHONELOOKUP.
Below is mobile screenshot of the post that my test account received:
> https://blog.malwarebytes.org/wp-content/uploads/2015/09/dodgy-post.png
... whoever came up with this kind of bait has been following stories revolving around the Ashley Madison hacking incident, probably a little too closely. Anyway, the link on the profile page of @INSTANTPHONELOOKUP is a bit.ly shortened URL that points to the destination, cheaterslookup[DOT]com:
> https://blog.malwarebytes.org/wp-content/uploads/2015/09/dodgy-post-bitly.png
As of this writing, traffic to the destination has reached more than -100K- clicks since the bit.ly URL has been created last month. And this is just one of the many high-trafficked sub-pages from the same domain we’ve seen so far:
> https://blog.malwarebytes.org/wp-content/uploads/2015/09/bitly-destination-traffic.png
Clicking the shortened link points to try[DOT]textspy[DOT]us, wherein one is asked to enter their target’s mobile number. Once done, he/she sees a series of pages that were created to make him/her believe that the site is scanning for data related to the number. The final destination is an advertorial piece written on instantcheckmate[DOT]com... Users of Malwarebytes Anti-Malware are already protected from accessing cheaterslookup[DOT]com, including other sites such as the following that are found to be similar or related to it:
caughtcheating[DOT]co
spytext[DOT]us
textingspy[DOT]com
textspy[DOT]us
Although it’s tempting to try out such services either out of curiosity or for the fun of it, it’s still best to -avoid- shenanigans such as these. Your wallet and perhaps your partner will thank you for it."

caughtcheating[DOT]co: 192.64.119.193: https://www.virustotal.com/en/ip-address/192.64.119.193/information/
spytext[DOT]us: 162.255.119.144: https://www.virustotal.com/en/ip-address/162.255.119.144/information/
textingspy[DOT]com: 160.153.47.40: https://www.virustotal.com/en/ip-address/160.153.47.40/information/
textspy[DOT]us: 162.255.118.48: https://www.virustotal.com/en/ip-address/162.255.118.48/information/
instantcheckmate[DOT]com:
141.101.113.31: https://www.virustotal.com/en/ip-address/141.101.113.31/information/
190.93.242.31: https://www.virustotal.com/en/ip-address/190.93.242.31/information/
141.101.123.31: https://www.virustotal.com/en/ip-address/141.101.123.31/information/
190.93.241.31: https://www.virustotal.com/en/ip-address/190.93.241.31/information/
190.93.240.31: https://www.virustotal.com/en/ip-address/190.93.240.31/information/
cheaterslookup[DOT]com: 192.163.198.92: https://www.virustotal.com/en/ip-address/192.163.198.92/information/
___

Scam Texts 'Phish' for Banking Info
- https://www.bbb.org/blog/2015/09/scam-texts-phish-for-banking-info/
Sep 29, 2015 - "Watch out for this text message scam. Con artists are trying to fool users into sharing personal information by sending text messages that look like alerts from banks.
How the Scam Works:
You receive a text message that appears to be from a bank. It’s prompting you to update your profile and provides a link to a website. The link may even have the bank’s name as -part- of the domain...
If you click on the URL, you will be taken to a form that looks-like part of the bank’s website. The page will prompt to “confirm” your identity by entering your name, user ID, password and/or bank account number.
Don’t do it! Sharing this information puts you at-risk for identity theft.
Protect yourself from text message scams.
> Just hit delete! -Ignore- instructions to confirm your phone number or visit-a-link. Some scam texts instruct you to text “STOP” or “NO” to prevent future texts. But this is a common ploy by scammers to confirm they have a real, active phone number.
> Read your phone bill. Check your phone bill for services you haven’t ordered. Some charges may appear only once, but others might be monthly 'subscriptions'..."
___

Malvertising Via Google AdWords - Fake BSOD
- https://blog.malwarebytes.org/fraud-scam/2015/09/malvertising-via-google-adwords-leads-to-fake-bsod/
Sep 28, 2015 - "... fraudulent businesses also use online advertising as a way to reel in potential victims. This is nothing new and we have seen many examples of targeted keywords on search engine results before. Many times these rogue advertisers will abuse legitimate brands to trick people and provide services on behalf of these companies. Beyond copyright infringement laws, there is also the almost always present social engineering aspect that follows, to con people into spending hundreds of dollars for no good reason. And then you have advertisers that aren’t shy about doing their dirty deed at all. Take for example this recent campaign we spotted on AdWords, Google’s largest online advertising service:
> https://blog.malwarebytes.org/wp-content/uploads/2015/09/youtube_search.png
Here the crooks bid on the “youtube” keyword and got their ads displayed way at the top, before the organic search results. What’s interesting in this case is that the supposed destination URL is the actual YouTube.com site itself, and even placing the mouse over the ad shows a link to a YouTube channel. This really makes it look like a click-on-the-link would take you directly to YouTube but unfortunately that was not the case:
> https://blog.malwarebytes.org/wp-content/uploads/2015/09/flow2.png
Clicking on either one of the ads leads to a scary and convincing looking web page with the infamous Blue Screen of Death.The BSOD is a popular theme as of late and an effective way to display -bogus- but legitimate error codes that would trouble many internet users. As with most similar -scam- pages, users are instructed to call a toll-free ‘helpline’ to resolve their computer issues. This is no help line at all however; con artists are waiting for victims to phone in so that they can further scare them into purchasing expensive – and unnecessary – support packages. Innocent and unsavvy computer users will be defrauded from anywhere between $199 to $599. However, many online crooks don’t stop here, often committing identity theft and trying to empty out their victims’ bank accounts:
> https://blog.malwarebytes.org/wp-content/uploads/2015/09/BSODandpopup.png
The actors behind this particular malvertising attack had registered (at least) two domains to perform the illicit redirection from the Google advert to the BSOD page... Both of these domains are hosted on IP address 166.62.28.107 where the rest of the -fraudulent- sites also reside... We reported this campaign to Google and the bogus ads were pulled right away. The best defense against tech support scams (in all their forms) is awareness. For more information on this topic, please check out our help page*."
* https://blog.malwarebytes.org/tech-support-scams/

166.62.28.107: https://www.virustotal.com/en/ip-address/166.62.28.107/information/
___

Compromised WordPress Campaign - Spyware Edition
- http://research.zscaler.com/2015/09/compromised-wordpress-campaign-spyware.html
Sep 25, 2015 - "... started investigating multiple WordPress related security events earlier this month and came across a -new- widespread compromised WordPress campaign leading to the download of unwanted applications. This has been briefly covered by dynamoo* and has been reported by some users on official WordPress forums**...
* http://blog.dynamoo.com/2015/09/tainted-network-kfciilluminationescomsn.html
...
** https://wordpress.org/support/topic/virus-not-found-in-wordfence
During our research, we discovered that this campaign started in the first week of August, 2015 and has been fairly active since then resulting in over 20,000 security events to date from over 2,000 web pages. Majority of the WordPress sites affected by this campaign -are- running latest version 4.3.1 but the compromise could have occurred -prior- to the update... The infection starts when a user visits a compromised WordPress site. The compromised pages will have injected JavaScript... Although the target domains varied across the transactions that we saw, the associated server IP address has remained the same... The IP Address 91.226.33.54 associated with these domains is hosted in Latvia through a VPS hosting provider... In one of the cases, we observed the user is prompted to update the Flash Player as seen below:
> https://4.bp.blogspot.com/-GCAJIizxulc/VgQXxjFc8qI/AAAAAAAAASA/qqnQ6OVYElc/s1600/1.png
The page prompts the user to update or install a new flash player update. Regardless of the option the user selects, a -fake- Adobe Flash Player application is downloaded...
> https://3.bp.blogspot.com/-UpnA1hfbfSo/VgQXx6BOw5I/AAAAAAAAASI/4E96GKYaibs/s1600/2.png
... Conclusion: WordPress, being one of the most popular Content Management Systems & Blogging platform, remains an attractive target for cybercriminals. Unlike previous campaigns involving Malware Authors and Exploit Kit operators, the end payload getting served in this campaign involves spyware and potentially unwanted applications. These applications may seem innocuous but can facilitate malvertising based attacks through unsolicited advertisements..."

91.226.33.54: https://www.virustotal.com/en/ip-address/91.226.33.54/information/
2015-09-29

:fear::fear: :mad:

FYI...

Fake 'Payment Summary' SPAM – PDF malware
- http://myonlinesecurity.co.uk/payment-summary-group-certificate-for-201415-financial-year-fake-pdf-malware/
30 Sep 2015 - "An email with the subject of 'Payment Summary (Group Certificate) for 2014/15 financial year' pretending to come from payslip@ hss.health.nsw. gov.au with a zip attachment is another one from the current bot runs... The content of the email says :
Please find attached a copy of your 2014/15 Payment Summary (Group Certificate).
Note: You will receive a separate payment summary for each Health Agency you worked for during the 2014/15 financial year. Payment Summaries are also available in Employee Self Service.
Further information, including fact sheets ...
For taxation advice and information, visit ...
Thank you,
Recruitment and Employee Transactional Services
HealthShare NSW ...

30 September 2015: PAYG-EoY-2014-15-77015286-008001475.zip:
Extracts to: PAYG-EoY-2014-15-77015286-008001475.scr
Current Virus total detections 3/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/357eede871cf78c4891425bd0f711a14f33a90f5d84546a712d9241b6b4662e2/analysis/1443589224/
___

Fake 'Optus agreement' SPAM – PDF malware
- http://myonlinesecurity.co.uk/completed-optus-agreement-no-rdre-211363-fake-pdf-malware/
30 Sep 2015 - "An email with the subject of 'Completed: Optus agreement no RDRE-211363' pretending to come from DocuSign via DocuSign <dse_eu8@ docusign .net> with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/09/Completed-Optus-agreement-1024x647.png

30 September 2015: Optus agreement no RDRE-211363.zip:
Extracts to: Optus agreement no CDDO-248440.scr
Current Virus total detections 2/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/4fe126eea18a7b6f8fc0139784c1a90190683ef480e08c74b547e4b913ba74d3/analysis/1443586066/
___

Fake 'ein Foto' SPAM – jpg malware
- http://myonlinesecurity.co.uk/ein-foto-fake-jpg-malware/
30 Sep 2015 - "An email with the subject of 'ein Foto' pretending to come from Z@ t-mobile .de with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/09/ein-photo-1024x521.png

30 September 2015: 77895767_IMG ‘jpeg’.zip:
Extracts to: 77266374_IMG ‘jpeg’.JPEG.exe
Current Virus total detections 0/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper JPG (Image) file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/b4c9f5a6de8a5979ae2325c190527cd3dd9a98e69d108fb21a44caa67dd03b0d/analysis/1443597445/
___

Fake 'SWIFT transfer' SPAM - malicious attachment
- http://blog.dynamoo.com/2015/09/malware-spam-fw-incoming-swift-clyde.html
30 Sep 2015 - "This -fake- banking email comes with a malicious attachment:
From "Clyde Medina" [Clyde.Medina@ swift .com]
Date Wed, 30 Sep 2015 12:35:56 GMT
Subject FW : Incoming SWIFT
We have received this documents from your bank regarding an incoming SWIFT transfer.
CONFIDENTIAL NOTICE: The contents of this message, including any attachments, are
confidential and are intended solely for the use of the person or entity to whom
the message was addressed. If you are not the intended recipient of this message,
please be advised that any dissemination, distribution, or use of the contents of
this message is strictly prohibited. If you received this message in error, please
notify the sender. Please also permanently delete all copies of the original message
and any attached documentation. Thank you.

Attached is a file SWIFT_transfer.zip which contains a malicious executable SWIFT_transfer.scr which currently has a detection rate of 2/56*. Automated analysis is pending, although the payload is almost definitely Upatre/Dyre..."
* https://www.virustotal.com/en/file/5a40ea145028c1f09ba4a78970359489380d75ce65f74cf662e60da779896e11/analysis/1443616096/
UPDATE: "The Hybrid Analysis report** shows Upatre/Dyre activity, including the malware phoning home to a familiar IP address of 197.149.90.166 in Nigeria which I recommend you -block- or monitor."
** https://www.hybrid-analysis.com/sample/5a40ea145028c1f09ba4a78970359489380d75ce65f74cf662e60da779896e11?environmentId=2
197.149.90.166: https://www.virustotal.com/en/ip-address/197.149.90.166/information/
2015-09-30
___

Optus DocuSign Spam
- http://threattrack.tumblr.com/post/130196981088/optus-docusign-spam
Sep 30, 2015 - "Subjects Seen
Completed: Optus agreement no AELT-773123
Typical e-mail details:
Carole Dean,
All parties have completed the envelope ‘Optus agreement no AELT-773123’.
Please find attached the signed agreement.

Malicious File Name and MD5:
Optus agreement no CDDO-248440.scr (ADCAED61174AF9FA4C1DB3F27A767316)

Screenshot: https://41.media.tumblr.com/fce5190eff6e1733726d81f67aa793d3/tumblr_inline_nvhoy953JK1r6pupn_500.png

Tagged: Optus, DocuSign, Upatre
___

ATM Skimmer Gang -firebombed- A/V Firm
- http://krebsonsecurity.com/2015/09/atm-skimmer-gang-firebombed-antivirus-firm/
Sep 29, 2015 - "... cybercime spills over into real-world, physical attacks... a Russian security firm whose operations were pelted with Molotov cocktail attacks after exposing an organized crime gang that developed and sold malicious software to steal cash from ATMs. The threats began not long after December 18, 2013, when Russian antivirus firm Dr.Web posted a writeup about a new Trojan horse program designed to steal card data from infected ATMs. Dr.Web received an email warning the company to delete all references to the ATM malware from its site. The anonymous party, which self-identified as the 'International Carders Syndicate', said Dr.Web’s ATM Shield product designed to guard cash machines from known malware 'threatens activity of Syndicate with multi-million dollar profit'... In an interview with KrebsOnSecurity, Dr.Web CEO Boris Sharov said the company did not comply with the demands. On March 9, 2014, someone threw a Molotov cocktail at the office of a third-party company that was distributing Dr.Web’s ATM Shield product. Shortly after that, someone attacked the same office again... After a third attack on the St. Petersburg office, a suspect who was seen running away from the scene of the attack was arrested but later released because no witnesses came forward to confirm he was the one who threw the bomb. Meanwhile, Sharov said Dr.Web detected two physical intrusions into its Moscow office... Sharov said Dr.Web analysts believe the group that threatened the attacks were not cyber thieves themselves but instead an organized group of programmers that had sold — but not yet delivered — a crimeware product to multiple gangs that specialize in cashing out hacked ATM cards... Sharov said he also believes that the group of malware programmers who sent the threats weren’t the same miscreants who threw the Molotov cocktails. Rather, Dr.Web maintains that those attacks were paid for and ordered over the Internet, for execution by strangers who answered a criminal help wanted ad... Sharov said his office got confirmation from a bank in Moscow that the team behind on the ATM Trojan that caused all the ruckus was operating out of Kiev, Ukraine. In the 18 months since then, the number of ATM-specific Trojans has skyrocketed, although the attackers seem to be targeting mainly Russian, Eastern European and European banks with their creations..."
(More detail at the krebsonsecurity URL above.)

:fear::fear: :mad:

FYI...

Fake 'Please print' SPAM - doc malware
- http://myonlinesecurity.co.uk/chelsee-gee-ucblinds-please-print-word-doc-malware/
1 Oct 2015 - "An email with the subject of 'Please print' pretending to come from 'Chelsee Gee <chelsee@ ucblinds .co.uk> with a malicious word doc attachment is another one from the current bot runs...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/10/Please-print-1024x742.png

... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents appear to be blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/protected-view-macros_21-1024x412.png
...
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/02/Excel_macro_protected-mode-1024x604.png
01 October 2015 : Order-SO00653333-1.doc - Current Virus total detections 6/56 * . MALWR**
The Payload Security Hybrid analysis*** shows a download from www .ifdcsanluis .edu.ar/123/1111.exe [5]
(VirusTotal 1/57 [4]) which is most likely to be Dridex banking malware... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/436c99c88ea0a7312f3d60b127d0735e4698599b2f83b4df3a1dc67764235256/analysis/1443691578/

** https://malwr.com/analysis/NTU0YzdhOWQyOTIyNDhlYjgwNjlhOWIwMDRkMGJkNWQ/

*** https://www.hybrid-analysis.com/sample/436c99c88ea0a7312f3d60b127d0735e4698599b2f83b4df3a1dc67764235256?environmentId=1

4] https://www.virustotal.com/en/file/30cd60d723b84e16e832d467d66f5e95f09b19222deb80a636ac2e2465e9e9a0/analysis/1443690542/

5] "... There are frequently 5 or 6 download locations all delivering exactly the same malware..."

- http://blog.dynamoo.com/2015/10/malware-spam-please-print-chelsee-gee.html
1 Oct 2015 - "... received several copies of this, and the normal method is that there are several different email attachments.. 'will look at just one. Named Order-SO00653333-1.doc this file has a detection rate of 6/56*, and it contains this malicious macro... The Hybrid Analysis report** for this particular document shows the malware downloading from:
hobby-hangar .net/123/1111.exe
Other locations are:
miastolomza .pl/123/1111.exe
www .ifdcsanluis .edu.ar/123/1111.exe
www .norlabs .de/123/1111.exe
zahnrad-ruger .de/123/1111.exe
This binary has a VirusTotal detection rate of 2/56*** and the Hybrid Analysis report for that is here[4].
The payload is the Dridex banking trojan, and in fact this is the first Dridex I have seen in over a month after some of the alleged perpatrators were arrested[5].
Recommended blocklist:
miastolomza .pl
ifdcsanluis .edu.ar
norlabs .de
zahnrad-ruger .de
hobby-hangar .net "
* https://www.virustotal.com/en/file/761b17c4f926c403813b5c2c4c79f3d64c3b5d5a96e841e454fd5791e56f67db/analysis/1443701260/

** https://www.hybrid-analysis.com/sample/761b17c4f926c403813b5c2c4c79f3d64c3b5d5a96e841e454fd5791e56f67db?environmentId=1

*** https://www.virustotal.com/en/file/a497de7f2488f093aa74562695a2ce705cbddbd2c4a357f5c785f23ea7450f43/analysis/1443701636/

4] https://www.hybrid-analysis.com/sample/a497de7f2488f093aa74562695a2ce705cbddbd2c4a357f5c785f23ea7450f43?environmentId=1

5] http://krebsonsecurity.com/2015/09/arrests-tied-to-citadel-dridex-malware/
___

Tax Refund Due HMRC – Phish ...
- http://myonlinesecurity.co.uk/tax-refund-due-hmrc-phishing/
1 Oct 2015 - "One of the major common subjects in a phishing attempt is 'Tax return' and 'tax refunds' where especially in UK, you need to submit your Tax Return online. This email with a subject of 'Tax Refund Due' pretending to come from HMRC is more unusual in that it is directly targeted at a user by your full correct name instead of the usual 'dear Tax Payer' or such similar generic title. This one wants your personal details, email address and your credit card and bank details as well as driving licence and National Insurance number . Many of them are also designed to specifically steal your email, Facebook and other social network log in details. The information from this -phish- can make a new version of you and cause untold damage... It will NEVER be a genuine email from HMRC so don’t ever fill in the html ( webpage) form that comes attached to the email. Some versions of this phish will have a -link- to a website that looks at first glance like the genuine HMRC website. That is also false:
Tax Refund
Dear [REDACTED]
This is a reminder that you have not yet claimed your refund of 265.48 GBP. We have calculated that this the amount you will be refunded. Press Request Refund below in order to complete your refund request.
Please wait 4 weeks after making an online claim and 6 weeks after making a postal claim before contacting HMRC about the payment.
Terms & Conditions | Policy | Freedom of Information

The links in the email go to http ://www .revenue-apply .gov.uk.medi7.xyz/Tax-Refund.php? where if you aren’t very wary you won’t notice the fact that it is -not- a genuine gov.uk site but one ending in .xyz another reason to be-wary of these new domains that can be anything. If you follow the link you see a webpage looking like:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/10/Tax-Refund-Due_web_page.png
Once you fill in the details you are -bounced- on to the genuine HMRC site. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email..."
___

Recent trends in Nuclear Exploit Kit activity
- https://isc.sans.edu/diary.html?storyid=20203
2015-10-01 - "Since mid-September 2015, I've generated a great deal of Nuclear exploit kit (EK) traffic after checking -compromised- websites. This summer, I usually found Angler EK. Now I'm seeing more Nuclear. Nuclear EK has also been sending -dual- payloads... I hadn't noticed it again from Nuclear EK until recently. This time, one of the payloads appears to be ransomware... To be clear, Nuclear EK isn't always sending two payloads, but I've noticed a dual payload trend with this recent increase in Nuclear EK traffic. Furthermore, on Wednesday 2015-09-30, the URL pattern for Nuclear EK's landing page changed... Like other EKs, Nuclear EK keeps evolving. We will continue to keep an eye on the situation and let you know of any significant developments. Packet captures of the 2015-09-30 Nuclear EK traffic are available..."
(More detail at the isc URL above.)
___

Commonwealth Bank NetBank Spam
- http://threattrack.tumblr.com/post/130271990733/commonwealth-bank-netbank-spam
Oct 1, 2015 - "Subjects Seen
First NetBank Third Party Payment
Typical e-mail details:
First NetBank Third Party Payment
Your first transfer to the following third party account(s) has been successfully processed:
From Account: **** **** **** 4362 MasterCard To Account(s): Raul Murphy 574-152 ***6782 Maestro $4,326.78 Credit help Date: 01/10/2015
Please check attached file for more information about this transaction.
Yours sincerely,
Commonwealth Bank of Australia

Malicious File Name and MD5:
CBA Third Party Payment 510569701.scr (3BBC3DBE68B6AB28F2516F8F814D8005)

Screenshot: https://36.media.tumblr.com/aa2ac3b404944698e722b7890bab7ed8/tumblr_inline_nvjro2JXzq1r6pupn_500.png

Tagged: Commonwealth Bank, Upatre

:fear::fear: :mad:

FYI...

Fake 'SecureMail' SPAM - doc malware
- http://myonlinesecurity.co.uk/anz-bank-securemail-you-have-1-new-message-word-doc-malware/
2 Oct 2015 - "An email with the subject of 'SecureMail: You have 1 new message' pretending to come from ANZ Bank <secure@ anz .com> with a malicious word doc attachment is another one from the current bot runs... The email looks like:
You have received a secure message
Read your secure message by opening SecureMessage.doc. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it.
In order to view the attachment please open it using your email client (Microsoft Outlook, Mozilla Thunderbird, Lotus ).
First time users – will need to register after opening the attachment.
About Email Encryption please check our website ...

... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents appear to be blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/protected-view-macros_21.png
...
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/02/Excel_macro_protected-mode.png
... This particular version pretends to have a digital RSA key...
2 October 2015: SecureMail.doc - Current Virus total detections 11/56* ... Some antivirus companies are indicating that this is downloading Upatre which will in turn download Dyre or Dridex banking malware... Edit:.. the Upatre binary is -embedded- inside the word doc that gets extracted and run from %temp%/w1.exe (VirusTotal 21/56 **). So far I have only examined 1 version of this malware... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/8c177787a0a0247663385e620636e294549f0e126bcb159019c41440f3437fda/analysis/1443754962/

** https://www.virustotal.com/en/file/c9fccadb69836a372c5c6a6b53eb2391c2c8732471a3213b46cdbc16a5af75b5/analysis/1443785738/
___

Fake 'PayPal' SPAM - fake app/Trojan
- http://net-security.org/malware_news.php?id=3119
2.10.2015 - "An email spam run impersonating PayPal is actively targeting German Android users and trying to trick them into downloading what is ostensibly the official PayPal app, but is actually a banking Trojan. The -fake email- looks pretty believable - the PayPal logo, (relatively) good German, some basic clean design - and some recipients were likely convinced into installing the app. According to Trend Micro researchers*, the malicious app is -not- hosted on Google Play. This is where the Android setting set on disallowing the installation of non-Market application can really save users. If a user proceeds with downloading and installing the app, the Trojan will ask to be made a "Device Administrator". This will help it hide from the user's sight and make it more difficult to remove, as well as allow it to perform a number of other changes:
> http://www.net-security.org/images/articles/paypal-fake-02102015.jpg
... The fake app/Trojan is able to perform UI hijacking, which will allow it to impersonate a number of legitimate apps when the user is required to enter their login credentials to perform an action. "Once the malware detects the real PayPal app is running, it will put up a fake UI on top of the real one, effectively hijacking the session and stealing the user’s PayPal credentials," they explained. The same thing happens when the victim tries to use the official online banking app of German Commerzbank, and several other banks popular in the country. Unfortunately for potential targets, the crooks behind this scheme are not only misusing the good name of PayPal to trick users into installing this Trojan. The same malware also comes disguised as Flash Player, game apps and adult apps. Users are advised to be careful about the apps they install (check the permissions it asks), and not to trust unsolicited emails urging them to download something."
* http://blog.trendmicro.com/trendlabs-security-intelligence/german-users-hit-by-dirty-mobile-banking-malware-posing-as-paypal-app/
___

'PDF version not supported' - Phish ...
- https://blog.malwarebytes.org/online-security/2015/10/this-pdf-version-is-not-supported-data-uri-phish/
Oct 2, 2015 - "We noticed a certain Bit .ly link getting some attention over the last few days, and stopped to take a closer look. The bit .ly link, which has had 1,901 clicks since September 7th (985 of occured over the last 3 days), shows numerous Email service referrers in the Bit.ly stats in relation to “Where this is being shared”. While we don’t have a copy of an -email- it seems a safe bet to think it would be one of those “You have an important document waiting” messages so beloved of spammers everywhere. We managed to find a hit for the Bit .ly link contained in a particular PDF document called “Scan002.pdf”. Piecing it all together, the run of play appears to be:
- Potential victim receives a “You have a document waiting” type missive via email (and possibly other channels).
- They either open an attached PDF document, or are linked to it directly (the latter would be a somewhat more cumbersome method).
- The PDF document, which does not appear to be malicious, displays the following:
> https://blog.malwarebytes.org/wp-content/uploads/2015/09/pdfphish3.jpg
'This PDF version is not supported. Click here to view online'
Clicking the Bit.ly link takes the clicker to
groovytouchmedia(dot)com/grail/pdnet(dot)html
From there, the URL will suddenly appear to make little sense to most people as it switches from something the above, to what may seem like a long line of gibberish:
> https://blog.malwarebytes.org/wp-content/uploads/2015/09/pdfphish1.jpg
What’s actually happening here is something called Data URI phishing, an attempt at disguising a phish attack from potential victims which we see every now and again*. After entering an email address and password, hitting the “Your Document” button leads to the following “Document has been removed” splash:
> https://blog.malwarebytes.org/wp-content/uploads/2015/10/pdfphish4.jpg
After this, the victim is forwarded on to the frontpage of a free file hosting service to complete the illusion. Regardless of how a “file waiting for you online” comes to your initial attention, always be wary and -never- hand over your login credentials to unfamiliar websites – especially if a random email should come into play. It simply isn’t worth the risk."
* https://blog.malwarebytes.org/fraud-scam/2015/01/avoid-this-outlook-phish/

groovytouchmedia(dot)com: 50.28.9.115: https://www.virustotal.com/en/ip-address/50.28.9.115/information/

>> https://www.virustotal.com/en/url/651b953ecf6c3878ae4e612a727b4836c183679518f48744c4178aa106028295/analysis/

:fear::fear: :mad:

FYI...

Fake 'FedEx delivery' SPAM – JS malware
- http://myonlinesecurity.co.uk/fedex-international-next-flight-shipment-delivery-problem-js-malware/
Last revised or Updated on: 3rd Oct, 2015 - "An email with the subject of 'Shipment delivery problem #0000701821 [random numbered]' pretending to come from 'FedEx International Next Flight' with a zip attachment is another one from the current bot runs... The content of the email says :
Dear Customer,
We could not deliver your parcel.
You can review complete details of your order in the find attached.
Regards,
Johnny Cantrell,
Sr. Operation Agent...

... Other subjects in this set of malicious malspam include:
Problem with parcel shipping, ID:00000953180
Problems with item delivery, n.0000823595
Other senders pretend to be:
FedEx Standard Overnight
FedEx International MailService ...
2 October 2015: Delivery_Notification_0000701821.zip: Extracts to: Delivery_Notification_0000701821.doc.js
Current Virus total detections 2/57*... which should be contacting these 3 sites
alejandrosanchezvejar .com: 198.252.71.136: https://www.virustotal.com/en/ip-address/198.252.71.136/information/
icandymobile .com: 23.91.123.48: https://www.virustotal.com/en/ip-address/23.91.123.48/information/
laurenszedlak .com: 96.31.35.72: https://www.virustotal.com/en/ip-address/96.31.35.72/information/
... but doesn’t appear to be downloading any malware or actually contacting them (Payload Security Hybrid analysis**)
3 October 2015: Delivery_Notification_00000953180.zip:
Extracts to: Delivery_Notification_00000953180.doc.js
Current Virus total detections 8/57 ***... which contacts these 3 sites
clicks-tec .com: 96.31.35.72
dominaeweb .com: 174.36.231.69: https://www.virustotal.com/en/ip-address/174.36.231.69/information/
laurenszedlak .com: 96.31.35.72
... and downloads these files 74404411.exe (VirusTotal 4/57 [4]) and e13dbe35c0786[1].gif (VirusTotal 1/56 [5])
(Payload Security Hybrid analysis [6]) MALWR[7] Note: the automatic tools seem to have problems analysing these javascript files and aren’t getting the payload in many cases.
This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/d94a7d5694df9c079443b2e52d0b1b3d44529cf3a9409c36f03ecfd58e7ca486/analysis/1443817957/

** https://www.hybrid-analysis.com/sample/d94a7d5694df9c079443b2e52d0b1b3d44529cf3a9409c36f03ecfd58e7ca486?environmentId=1

*** https://www.virustotal.com/en/file/3f2662d815b03c2fce41005b9aa4a070ca2ccd3850c3a9982ece5934d0908e0e/analysis/1443849155/

4] https://www.virustotal.com/en/file/e5af273c04c9c941a0e7d3615618ff1fd03b476eb72be968e93b82a854df9203/analysis/1443850296/

5] https://www.virustotal.com/en/file/3f2662d815b03c2fce41005b9aa4a070ca2ccd3850c3a9982ece5934d0908e0e/analysis/1443849155/

6] https://www.hybrid-analysis.com/sample/3f2662d815b03c2fce41005b9aa4a070ca2ccd3850c3a9982ece5934d0908e0e?environmentId=1

7] https://malwr.com/analysis/MGY2YTliOWFlMzE2NGY4ZWFjZWQxOTRlNDU5NmM3NWM/

:fear::fear: :mad:

FYI...

Fake 'Invoices' SPAM - malicious attachment
- http://blog.dynamoo.com/2015/10/malware-spam-your-invoices-incident.html
5 Oct 2015 - "This -fake- financial spam is not from Incident Support Group Ltd but is instead a simple -forgery- with a malicious attachment:
From repairs@ isgfleet .co.uk
Date Mon, 05 Oct 2015 15:47:11 +0700
Subject Your Invoices - Incident Support Group Ltd
Please find attached your invoices from Incident Support Group Ltd. If you wish to
change the email address we have used please email repairs@ isgfleet .co.uk with the
correct details.

In the sample I saw, the attached file was 216116.xls which has a VirusTotal detection rate of 6/56* and contains this malicious macro... which then downloads a compenent from the following location:
agridiotiko .com/432/4535.exe
Note that at the time of writing, I only have one sample of this. There are usually several versions of the attachment in these spam runs, with different download locations. The malicious binary has a detection rate of 4/56**. The VirusTotal report and this Hybrid Analysis report[3] indicate traffic to:
84.246.226.211 (ELB Multimedia, France)
Blocking or monitoring traffic to and from the port would probably be prudent. The payload is most likely the Dridex banking trojan.
UPDATES: Other download locations spotted so far:
www .poncho-zwerfkatten .be/432/4535.exe "
* https://www.virustotal.com/en/file/7c26fd0ff77b5f15a22381661a4d48ffd53fd48354ec0e8b3f7a8d3e1d67e758/analysis/1444035346/

** https://www.virustotal.com/en/file/8e4e8440b685a3bdcdd3c06b3c9b992b3872cd7e2b9cfde70296a4de7dca7f49/analysis/1444035400/
... Behavioural information
TCP connections
84.246.226.211: https://www.virustotal.com/en/ip-address/84.246.226.211/information/
191.234.4.50: https://www.virustotal.com/en/ip-address/191.234.4.50/information/

3] https://www.hybrid-analysis.com/sample/8e4e8440b685a3bdcdd3c06b3c9b992b3872cd7e2b9cfde70296a4de7dca7f49?environmentId=1

agridiotiko .com: 80.67.28.152: https://www.virustotal.com/en/ip-address/80.67.28.152/information/

poncho-zwerfkatten .be: Could not find an IP address for this domain name.

- http://myonlinesecurity.co.uk/your-invoices-incident-support-group-ltd-excel-xls-spreadsheet-malware/
5 October 2015: 216116.xls
Current Virus total detections 7/56*
Downloads conserpa.vtrbandaancha .net/432/4535.exe (VirusTotal**)
* https://www.virustotal.com/en/file/50530bc27d7a5d23de2fe4428f83b6bab7673e2fc30380a080306847f0fb0e8d/analysis/1444044622/

** https://www.virustotal.com/en/file/8e4e8440b685a3bdcdd3c06b3c9b992b3872cd7e2b9cfde70296a4de7dca7f49/analysis/1444040840/
... Behavioural information
TCP connections
84.246.226.211: https://www.virustotal.com/en/ip-address/84.246.226.211/information/
191.234.4.50: https://www.virustotal.com/en/ip-address/191.234.4.50/information/

vtrbandaancha .net: Could not find an IP address for this domain name.

:fear::fear: :mad:

FYI...

Fake 'Copy of Invoice(s)' SPAM – doc malware
- http://myonlinesecurity.co.uk/copy-of-invoices-hammondsofknutsford-co-uk-word-doc-malware/
6 Oct 2015 - "An email with the subject of 'Copy of Invoice(s)' pretending to come from Anny Beckley <Anny@ hammondsofknutsford .co.uk> with a malicious word doc is another one from the current bot runs...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/10/Copy-of-Invoices-1024x559.png

... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents appear to be blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/protected-view-macros_21-1024x412.png
...
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/02/Excel_macro_protected-mode-1024x604.png
6 October 2015 : Q_46Q0VWHU4.DOC - Current Virus total detections 7/57*
Hybrid analysis** . ... A manual interpretation of the malicious macro gives me http ://measelaw .com/65yg3f/43g5few.exe which returns a 'not found' but a search by file name gives http ://rothschiller .net/~medicbt9/65yg3f3/43g5few.exe (VirusTotal 2/56 ***)... There appear to be 2 different files of that name on the server 1st one is 132 kb (VirusTotal 2/56 [4]) 2nd one is 285kb (VirusTotal 1/57 [5]). Further update: I am getting responses from the antivirus companies that the first file is Dridex... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/d74b2bb9b4f01c372c1f5be43ac2428f72028ea23d7363fd5571bfd9f8155610/analysis/1444120771/

** https://www.hybrid-analysis.com/sample/d74b2bb9b4f01c372c1f5be43ac2428f72028ea23d7363fd5571bfd9f8155610?environmentId=5

*** https://www.virustotal.com/en/file/74a4752e05511b66858a9da1ef6d894ad354be6450ca4ac85b85c11554aec863/analysis/1444126336/
...Behavioural information
TCP connections
84.246.226.211: https://www.virustotal.com/en/ip-address/84.246.226.211/information/
92.123.225.120: https://www.virustotal.com/en/ip-address/92.123.225.120/information/

4] https://www.virustotal.com/en/file/74a4752e05511b66858a9da1ef6d894ad354be6450ca4ac85b85c11554aec863/analysis/1444126336/
...Behavioural information
TCP connections
84.246.226.211
92.123.225.120

5] https://www.virustotal.com/en/file/759cbdbd55a5cfb43a2757c115248d84774ea7fd9a114500c83564a19f3eb93c/analysis/1444126999/
...Behavioural information
TCP connections
84.246.226.211
92.123.225.120

measelaw .com: 216.87.186.107: https://www.virustotal.com/en/ip-address/216.87.186.107/information/

rothschiller .net: 162.144.72.10: https://www.virustotal.com/en/ip-address/162.144.72.10/information/

- http://blog.dynamoo.com/2015/10/malware-spam-copy-of-invoices-anny.html
6 Oct 2015 - "This -fake- financial spam does not come from Hammonds of Knutsford but is instead a simple forgery with a malicious attachment:
From Anny Beckley [Anny@ hammondsofknutsford .co.uk]
Date Tue, 06 Oct 2015 12:29:23 +0430
Subject Copy of Invoice(s)
Please find attached a copy of Invoice Number(s) 82105

In the two samples that I have seen, the attached file was named Q_46Q0VWHU4.DOC with a VirusTotal detection rate of 7/56*. This document contains a malicious macro... which downloads a further component from the following location:
rothschiller .net/~medicbt9/65yg3f3/43g5few.exe
This currently has a detection rate of just 1/56** and it appears to be saved as %TEMP%\rrdDhhm.exe . Note that there are usually several different document versions spammed out with different download locations, but the payload is the same in every case.
Automated analysis is pending, but the payload is almost definitely the Dridex banking trojan."
* https://www.virustotal.com/en/file/3275e353aededbcf66c8673af2800cf662ce6b147daaac525c3dafceaee05cd5/analysis/1444127245/

** https://www.virustotal.com/en/file/759cbdbd55a5cfb43a2757c115248d84774ea7fd9a114500c83564a19f3eb93c/analysis/1444128214/
... Behavioural information
TCP connections
84.246.226.211: https://www.virustotal.com/en/ip-address/84.246.226.211/information/
92.123.225.122: https://www.virustotal.com/en/ip-address/92.123.225.122/information/
___

Fake 'BL Draft' SPAM – PDF malware
- http://myonlinesecurity.co.uk/bl-draft-is-ready-for-review-cargosmart-fake-pdf-malware/
6 Oct 2015 - "An email with the subject of 'OOCL – B/L:4747679656(XIN YANG PU F2NM3) – BL Draft is Ready for Review' pretending to come from support@ cargosmart .com with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/10/BL-Draft-is-Ready-for-Review-1024x567.png

6 October 2015: 4747679656drft.zip: Extracts to: 4017334330drft.scr
Current Virus total detections 8/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/720ff0228fdd432b8385a9f7c6c063184fb0357bfab9b4ed0803117486fe761a/analysis/1444116810/
___

Fake 'WeTransfer' SPAM - malicious payload
- http://blog.dynamoo.com/2015/10/malware-spam-has-sent-you-file-via.html
6 Oct 2015 - "This -fake- "WeTransfer" spam comes with a malicious payload.
info@ucaqld .com .au has sent you a file via WeTransfer
1 message
WeTransfer 6 October 2015 at 13:36
To: [redacted]
info@ucaqld .com .au
sent you some files
‘Hey Nicole,
I have given you these federal reminder
Many thanks
Stacey'
Download
Files (101 KB total)
Document.doc
Will be deleted on
07 Oct, 2015
Get more out of WeTransfer, get Plus
About WeTransfer Contact= Legal Powered by Amazon Web Services

In this case, the malicious link is actually at..
storage-hipaa-2.sharefile .com/download.ashx?dt=dt3b07281f2b9440708a4b8a411e2f0e18&h=WAOCUIfIJJIYoHSVimogW83t4TXwSsltx0MYcStbmyQ%3d
The attachment is -malicious- in nature, but analysis is still pending. In the meantime, here is an initial Hybrid Analysis report*."
* https://www.hybrid-analysis.com/sample/3c642092835415c8f139d91341339b1b52a01576c099930f464319d2a89bf486?environmentId=1
(See 'Malicious Indicators')

> https://www.virustotal.com/en/domain/storage-hipaa-2.sharefile.com/information/
"... This domain has been seen to resolve to the following IP addresses.
2015-06-08 54.208.209.126"
54.208.209.126: https://www.virustotal.com/en/ip-address/54.208.209.126/information/

- http://myonlinesecurity.co.uk/infobogoroch-com-has-sent-you-a-file-via-wetransfer-word-doc-malware/
6 Oct 2015 - "An email with the subject of 'info@ bogoroch .com has sent you a file via WeTransfer' pretending to come from WeTransfer <noreply@ wetransfer .com> with a malicious word doc attachment is another one from the current bot runs...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/10/info@bogoroch.com-has-sent-you-a-file-via-WeTransfer-1024x848.png

The link behind the download is to https ://storage-hipaa-2.sharefile .com/download.ashx?dt=dt3b07281f2b9440708a4b8a411e2f0e18&h=WAOCUIfIJJIYoHSVimogW83t4TXwSsltx0MYcStbmyQ%3d
Other subjects seen in this malspam run include:
info@ bmonster .com has sent you a file via WeTransfer
info@ sundaymail .co.uk has sent you a file via WeTransfer
info@ bluepulse .com.au has sent you a file via WeTransfer ...
... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents appear to be blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/protected-view-macros_21.png
...
6 October 2015 2015 : Document.doc - Current Virus total detections 2/56*.
... which doesn’t connect to a webserver but has the Upatre binary embedded inside the word doc that gets extracted and run from %temp%\< random name >.exe (VirusTotal 2/56**). So far I have only examined 1 version of this malware... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/3c642092835415c8f139d91341339b1b52a01576c099930f464319d2a89bf486/analysis/1444143437/

** https://www.virustotal.com/en/file/4cfa68bba20b6df11c0739a021582427c36ee2efca36b584b5fc6d1769110079/analysis/1444140338/
___

Cisco security researchers disable big distributor of 'ransomware'
- http://www.reuters.com/article/2015/10/06/us-ransomware-cisco-idUSKCN0S01F020151006
Oct 6, 2015 - "... about half of computers infected with Angler were connecting to servers at a hosting provider in Dallas, which had been hired by criminals with stolen credit cards. The provider, Limestone Networks, pulled the plug on the servers and turned over data that helped show how Angler worked. The research effort, aided by carrier Level 3 Communications, allowed Cisco to copy the authentication protocols the Angler criminals use to interact with their prey. Knowing these protocols will allow security companies to cut off infected computers... Cisco said that since Limestone pulled the plug on the servers, new Angler infections had fallen off dramatically. Limestone's client relations manager told Reuters his company had unwittingly helped the spread of Angler before the Cisco investigation. Often sold in clandestine Internet forums or in one-to-one deals, exploit kits combine many small programs that take advantage of flaws in Web browsers and other common pieces of software. Buyers of those kits must also arrange a way to reach their targets, typically by sending spoof emails, hacking into websites or distributing malicious advertisements. Once they win control of a target's computer, exploit kit buyers can install whatever they want, including so-called ransomware. This includes a number of branded programs, also sold online, that encrypt users' computer files and demand payment to release them. -Talos- estimated that if three percent of infected users paid the ransom averaging $300, the criminals that had used the Limestone servers to spread Angler could have made about $30 million a year."
> http://blogs.cisco.com/security/talos/angler-exposed
Oct 6, 2015 - "... Angler is actually constructed in a proxy/server configuration. There is a single exploit server that is responsible for serving the malicious activity through multiple proxy servers. The proxy server is the system that users communicate with, allowing the adversary to quickly pivot and change while still shielding the exploit server from identification and exposure. Additionally, there is a health monitoring server that is conducting health checks, gathering information about the hosts that are being served exploits, and remotely erase the log files once they have been fetched. This health server revealed the scope and scale of the campaign, and helped allow us to put a monetary value on the activity. A single health server was seen monitoring 147 proxy servers over the span of a month and generating in excess of $3,000,000 USD in revenue. This single adversary was responsible for approximately half of the Angler activity we observed and is making more than $30,000,000 USD annually from Ransomware infections alone..."

- https://blog.opendns.com/2015/10/06/cisco-disrupts-major-ransomware-campaign/
Oct 6, 2015
> https://blog.opendns.com/wp-content/uploads/2015/10/IN_cisco-angler-infographic_100515.png

:fear::fear: :mad:

FYI...

Fake 'Scanned document' SPAM - malicious payload
- http://blog.dynamoo.com/2015/10/malware-spam-scanned-document-from-mx.html
7 Oct 2015 - "This -fake- scanned document has a malicious payload attached:
From: xerox@ victimdomain .tld
Reply-To: xerox@ victimdomain .tld
Date: 7 October 2015 at 10:08
Subject: Scanned document from MX-2600N
Reply to: xerox@ victimdomain .tld victimdomain .tld
> Device Name: Not Set
Device Model: MX-2600N
Location: Not Set
File Format: XLS MMR(G4)
Resolution: 200dpi x 200dpi

Attached file is scanned document in XLS format... Attached is a file in the format xerox@ victimdomain .tld_20151007_160214 .xls (where victimdomain.tld is the victim's own domain), which has a VirusTotal detection rate of 3/56*. This Excel file contains a malicious macro... which in THIS case downloads a binary from the following location:
alarmtechcentral .com/fw43t2d/98kj6.exe
There will be other versions of the XLS file which will download components from other locations, however the payload will be the same, and it currently has a detection rate of 2/56**. The VirusTotal report indicates traffic to:
84.246.226.211 (ELB Multimedia, France)
Blocking traffic to and from that IP is recommended. Automated analysis is pending, please check back later. The payload is probably the Dridex banking trojan.
UPDATE: Here are the Hybrid Analysis reports for the XLS file[3] and executable[4]."
* https://www.virustotal.com/en/file/20b8c4dcefcb1fbb38c4bf63a504b30af9bfeb56923d4e2d52bf78ab8683f5bb/analysis/1444209423/

** https://www.virustotal.com/en/file/3409a5e117bcce19fc616ab870ab04b8bbdebd5952482ea932c3b02c609f8c10/analysis/1444209808/
... Behavioural information
TCP connections
84.246.226.211: https://www.virustotal.com/en/ip-address/84.246.226.211/information/
92.123.225.120: https://www.virustotal.com/en/ip-address/92.123.225.120/information/

3] https://www.hybrid-analysis.com/sample/20b8c4dcefcb1fbb38c4bf63a504b30af9bfeb56923d4e2d52bf78ab8683f5bb?environmentId=1

4] https://www.hybrid-analysis.com/sample/3409a5e117bcce19fc616ab870ab04b8bbdebd5952482ea932c3b02c609f8c10?environmentId=3

alarmtechcentral .com: 69.195.85.248: https://www.virustotal.com/en/ip-address/69.195.85.248/information/

- http://myonlinesecurity.co.uk/scanned-document-from-mx-2600n-excel-xls-spreadsheet-malware/
7 Oct 2015 - "An email with the subject of 'Scanned document from MX-2600N' pretending to come from a printer or scanner at your own email domain with a malicious Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
... Device Name: Not Set
Device Model: MX-2600N
Location: Not Set
File Format: XLS MMR(G4)
Resolution: 200dpi x 200dpi
Attached file is scanned document in XLS format.
Use Microsoft(R)Excel(R) to view the document.

... these pretend to be sent from these email addresses at your own email domain or company:
Xerox@
Canon@
Printer@
MX-2600N@
Other subjects include:
Scanned image from MX-2600N
Scanned file from MX-2600N
... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents appear to be blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/protected-view-macros_21-1024x412.png
...
7 October 2015: canon @... _20151007_160214.xls - Current Virus total detections 3/57*
Payload Security Hybrid analysis** shows that this downloads what is almost certainly Dridex banking malware from http ://frozenfoods2004 .com/fw43t2d/98kj6.exe (VirusTotal 3/56***)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/7112c65769068574a64c25906293e916da288f442d1dcf0ee3b8a422d116cd13/analysis/1444209116/

** https://www.hybrid-analysis.com/sample/7112c65769068574a64c25906293e916da288f442d1dcf0ee3b8a422d116cd13?environmentId=1

*** https://www.virustotal.com/en/file/3409a5e117bcce19fc616ab870ab04b8bbdebd5952482ea932c3b02c609f8c10/analysis/1444209437/
... Behavioural information
TCP connections
84.246.226.211: https://www.virustotal.com/en/ip-address/84.246.226.211/information/
92.123.225.120: https://www.virustotal.com/en/ip-address/92.123.225.120/information/

frozenfoods2004 .com: 66.111.47.38: https://www.virustotal.com/en/ip-address/66.111.47.38/information/
___

Fake 'Confirmation' SPAM – doc malware
- http://myonlinesecurity.co.uk/red-funnel-ferries-confirmation-5838547-word-doc-malware/
7Oct 2015 - "An email that appears to come from 'Red Funnel Ferries' with the subject of 'Confirmation 5838547' pretending to come from post@ redfunnel .co.uk with a malicious word doc attachment is another one from the current bot runs...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/10/red_funnel-Confirmation-5838547-1024x760.png

... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents appear to be blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/protected-view-macros_21-1024x412.png
...
7 October 2015: 5838547.doc - Current Virus total detections 6/55*
Downloads the same Dridex banking malware from http ://frozenfoods2004 .com/fw43t2d/98kj6.exe that was described in today’s earlier malspam run** of malicious office docs with macros... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/9b15fe1a47a4eca6251e05f7fe8d79940d1333fad70d5e03a71d7b6e32f9c09e/analysis/1444215510/

** http://myonlinesecurity.co.uk/scanned-document-from-mx-2600n-excel-xls-spreadsheet-malware/
___

New Outlook mailserver attack steals massive number of passwords
Backdoor in Outlook Web Application operates inside target's firewall
- http://arstechnica.com/security/2015/10/new-outlook-mailserver-attack-steals-massive-number-of-passwords/
Oct 5, 2015 - "Researchers have uncovered advanced malware that can steal virtually all of a large organization's e-mail passwords by infecting its Outlook Web Application (OWA) mail server over an extended period of time. Researchers from security firm Cybereason discovered the malicious OWA module after receiving a call from an unnamed company that had more than 19,000 endpoints. The customer had witnessed several behavioral abnormalities in its network and asked Cybereason to look for signs of an infection. Within a few hours, the security firm found a suspicious DLL file loaded into the company's OWA server. While it contained the same name as a benign DLL file, this one was unsigned and was loaded from a different directory. The OWAAUTH.dll file contained a backdoor. Because it ran on the server, it was able to retrieve all HTTPS-protected server requests after they had been decrypted. As a result, the attackers behind this advanced persistent threat — the term given to malware campaigns that target a specific organization for months or years — were able to steal the passwords of just about anyone accessing the server. "The hackers in this case managed to gain a foothold into a highly strategic asset: the OWA server," Cybereason researchers wrote in a blog post published Monday*... Cybereason didn't say how widespread the attack is beyond it targeting the one customer. Chances are, malware as detailed as this isn't a one-off thing, so it wouldn't be surprising to see it hitting other large organizations."
* http://go.cybereason.com/rs/996-YZT-709/images/Cybereason-Labs-Analysis-Webmail-Sever-APT.pdf

- http://blogs.technet.com/b/exchange/archive/2015/10/07/no-new-security-vulnerability-in-outlook-web-access-owa.aspx
7 Oct 2015

:fear::fear: :mad:

FYI...

Fake 'Norfolk Dance' SPAM – doc/xls malware
- http://myonlinesecurity.co.uk/receipt-from-norfolk-dance-word-doc-or-excel-xls-spreadsheet-malware/
8 Oct 2015 - "An email with the subject of 'Receipt from Norfolk Dance' pretending to come from <info@ norfolkdance .co.uk> with a malicious word doc attachment is another one from the current bot runs... Please find receipt for payment attached.
Many Thanks
Norfolk Dance
14 Chapel Field North
Norwich
Norfolk
NR2 1NY
Telephone: 01603 283399
E mail...

... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents appear to be blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/protected-view-macros_21.png
...
8 October 2015: Receipt.doc - Current Virus total detections 2/56*
Downloads the same Dridex Banking malware from the same locations as described in today’s earlier malspam run of malicious macro enabled word docs**...
** http://myonlinesecurity.co.uk/swagbags-biz-new-order-confirmation-3535-word-doc-or-excel-xls-spreadsheet-malware/
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/70f483f464b7f5e2361fd9eb5a3a90dbaed5f6cda7ba7628d7f2d9050722ad4f/analysis/1444298476/

- http://blog.dynamoo.com/2015/10/malware-spam-receipt-from-norfolk-dance.html
8 Oct 2015 - "This -fake- financial email is not from Norfolk Dance but is instead a simply -forgery- with a malicious attachment:
From "info" [info@ norfolkdance .co.uk]
Date Thu, 08 Oct 2015 12:39:28 +0300
Subject Receipt from Norfolk Dance
Please find receipt for payment attached.
Many Thanks
Norfolk Dance
14 Chapel Field North
Norwich
Norfolk
NR2 1NY
Telephone: 01603 283399
E mail...

Attached is a file Receipt.doc which I have seen in two different versions (VT detection rate 4/56* and 3/56**) each containing a different malicious macro... which download a malicious binary from one of the following locations:
katastimataone .com/bvcb34d/983bv3.exe
archives.wnpvam .com/bvcb34d/983bv3.exe
This is saved as %TEMP%\fDe12.exe and currently has a VirusTotal detection rate of 4/55***. The VirusTotal report indicates traffic to the following IP:
198.61.187.234 (Rackspace, US). I recommend that you block traffic to this IP. Automated analysis is pending (check back later) but the payload is almost definitely the Dridex banking trojan..."
* https://www.virustotal.com/en/file/89642abbfd4e8cc382f155b1d1b27c1aa94ced34636c1c6d0f34de19914e1b29/analysis/1444298450/

** https://www.virustotal.com/en/file/c7e31528eb9b11bdb035d00095ed8b3ad3c4179c6960764a56ac8ff565ae7c86/analysis/1444298460/

*** https://www.virustotal.com/en/file/46d1a934e7335934236c903abbb6c82cb73ac9c2f13354edc3339b6357c71549/analysis/1444298587/

katastimataone .com: 209.139.209.187: https://www.virustotal.com/en/ip-address/209.139.209.187/information/

wnpvam .com: 38.96.175.221: https://www.virustotal.com/en/ip-address/38.96.175.221/information/

198.61.187.234: https://www.virustotal.com/en/ip-address/198.61.187.234/information/
___

Fake 'SwagBags Order' SPAM - doc malware
- http://myonlinesecurity.co.uk/swagbags-biz-new-order-confirmation-3535-word-doc-or-excel-xls-spreadsheet-malware/
8 Oct 2015 - "An email with the subject of 'New Order Confirmation: 3535' pretending to come from SwagBags .biz <customerservices@ swagbags .biz> with a malicious word doc attachment is another one from the current bot runs...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/10/New-Order-Confirmation-3535-SwagBags-1024x558.png

... DO NOT follow the advice they give to enable macros or enable editing to see the content...
8 October 2015 : Invoice_3535.doc - Current Virus total detections 2/54*.
Both MALWR** and Payload security*** shows the download to be what looks like Dridex banking malware from http ://vsehochuti.unas .cz/bvcb34d/983bv3.exe (VirusTotal 1/56 [4])
Other download locations that I have been informed about are:
katastimataone .com/bvcb34d/983bv3.exe
swaineallen .uk/bvcb34d/983bv3.exe
archives.wnpvam .com/bvcb34d/983bv3.exe
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/6cf70f0c0df1f9073326b5ae19726d68511f7938735069d4cd0c82f8ca31fe50/analysis/1444293293/

** https://malwr.com/analysis/YzJkMjBlNGY0NzM0NDUzOTllNzMyMzI3NThhOTlhOTY/

*** https://www.hybrid-analysis.com/sample/6cf70f0c0df1f9073326b5ae19726d68511f7938735069d4cd0c82f8ca31fe50?environmentId=1

4] https://www.virustotal.com/en/file/46d1a934e7335934236c903abbb6c82cb73ac9c2f13354edc3339b6357c71549/analysis/1444293943/

unas .cz: 88.86.117.145: https://www.virustotal.com/en/ip-address/88.86.117.145/information/

katastimataone .com: 209.139.209.187: https://www.virustotal.com/en/ip-address/209.139.209.187/information/

swaineallen .uk: 94.136.40.15: https://www.virustotal.com/en/ip-address/94.136.40.15/information/

wnpvam .com: 38.96.175.221: https://www.virustotal.com/en/ip-address/38.96.175.221/information/
___

Fake 'Deposit' SPAM - malicious attachment
- http://blog.dynamoo.com/2015/10/malware-spam-deposit-payment-frederico.html
8 Oct 2015 - "This -fake- financial email does not comes from Frederico Kessler but is instead a simple -forgery- with a malicious attachment:
From Frederico Kessler [Frederico.Kessler@ Gamesys .co.uk]
Date Thu, 08 Oct 2015 04:14:23 -0700
Subject Deposit Payment
Hi,
Attached is receipt of transfer regarding the deposit increase for our new contract
to the Cherry Tree Cottage.
Let me know if its all sorted.
Frederico Kessler
Product Owner | Games Platform
[cid:9DCD81C9-9267-4802-AAE1-B3AF9887E131]
[gamesysign]
4th Floor, 10 Piccadilly
London, W1J 0DD
Email...

Attached is a malicious Excel document named Payments Deposit.xls which comes in -five- different versions... each containing a slightly modifed macro... which downloads a malicious executable from the following locations:
archives.wnpvam .com/bvcb34d/983bv3.exe
swaineallen .uk/bvcb34d/983bv3.exe
katastimataone .com/bvcb34d/983bv3.exe
vsehochuti.unas .cz/bvcb34d/983bv3.exe
dmedei.3x .ro/bvcb34d/983bv3.exe
These download locations have been in use for a couple of other spam runs.. [2] but now the payload has been altered and has a VirusTotal detection rate of 3/56*. That VirtusTotal report and this Hybrid Analysis report** show traffic to:
198.61.187.234 (Rackspace, US). I recommend that you block traffic to that IP."
* https://www.virustotal.com/en/file/8030e075bd21b43f759a7095f34773df6316a5c38ea2956e6acfa76d0e82bd84/analysis/1444305640/
... Behavioural information
TCP connections
198.61.187.234: https://www.virustotal.com/en/ip-address/198.61.187.234/information/
191.234.4.50: https://www.virustotal.com/en/ip-address/191.234.4.50/information/

** https://www.hybrid-analysis.com/sample/8030e075bd21b43f759a7095f34773df6316a5c38ea2956e6acfa76d0e82bd84?environmentId=6

2] http://blog.dynamoo.com/2015/10/malware-spam-receipt-from-norfolk-dance.html

wnpvam .com: 38.96.175.221: https://www.virustotal.com/en/ip-address/38.96.175.221/information/

swaineallen .uk: 94.136.40.15: https://www.virustotal.com/en/ip-address/94.136.40.15/information/

katastimataone .com: 209.139.209.187: https://www.virustotal.com/en/ip-address/209.139.209.187/information/

unas .cz: 88.86.117.145: https://www.virustotal.com/en/ip-address/88.86.117.145/information/

3x .ro: 89.42.39.160: https://www.virustotal.com/en/ip-address/89.42.39.160/information/
___

Fake 'eBay Invoice' SPAM - PDF malware
- http://myonlinesecurity.co.uk/your-ebay-invoice-is-ready-fake-pdf-malware/
8 Oct 2015 - "An email with the subject of 'Your eBay Invoice is Ready' pretending to come from eBay <ebay@ ebay .com> with a zip attachment is another one from the current bot runs... The content of the email which shouldn’t fool anybody because it has -no- eBay logos or links and is totally in plain text, which EBay -never- sends because they want to grab you and get you on the eBay site spending money, says :
PLEASE DO NOT RESPOND – Emails to this address are not monitored or responded to.
Dear Customer,
Please open the attached file to view invoice.
If the attachment is in PDF format you may need Adobe Acrobat Reader to read or download this attachment...
This email has been scanned by the Symantec Email Security.cloud service.
This email and any attachment are intended solely for the addressee, are strictly confidential and may be legally privileged. If you are not the intended recipient... Blah, blah, blah.

8 October 2015: ebay_4175127742232_081015.zip: Extracts to: ebay_4175127742232_081015.exe
Current Virus total detections 4/55* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/435dd0aa3913593544496d81ccab776e14c169263f277aeeb86ca699ef747643/analysis/1444304267/
___

Fake 'HMRC Online Service Complaints' SPAM – PDF malware
- http://myonlinesecurity.co.uk/online-service-complaints-submission-received-by-hm-revenue-and-customs-fake-pdf-malware/
8 Oct 2015 - "An email with the subject of 'Online Service Complaints – Submission received by HM Revenue and Customs' pretending to come from HMRC Complaints <helpdesk@ ir-efile .gov.uk> with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/10/Online-Service-Complaints-Submission-received-by-HM-Revenue-and-Customs-1024x556.png

8 October 2015: HMRC.Complaint.zip: Extracts to: HMRC.Complaint.scr
Current Virus total detections 2/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/345e1cf51b6e3ae7dbe60b50e803e494145c63affd104ae7a7cb62c2c33c6818/analysis/1444302682/
___

Fake 'eFax' .doc attachment - malware
- https://isc.sans.edu/diary.html?storyid=20225
Last Updated: 2015-10-08 - "... Below is a screenshot from the malspam example Wayne sent us. Links in the email -all- went to the appropriate eFax URLs. The attached Word document is the -only- malicious part of the message:
> https://isc.sans.edu/diaryimages/images/2015-10-08-ISC-diary-image-01a.jpg
... Looking at the email headers, you'll find the recipient's email server received the message from a Unified Layer IP address at 67.222.39.168... The Word document has macros. If macros are enabled, the document will try to drop malware and infect the Windows host:
> https://isc.sans.edu/diaryimages/images/2015-10-08-ISC-diary-image-03.jpg
Below are indicators of compromise (IOCs) for the malware associated with this malspam:
185.42.15.7 - babsuptono .ru - POST /gate.php
151.236.10.194 - toftereventhi .ru - POST /gate.php
93.171.158.226 - buteventheckand .ru - POST /gate.php
136.243.24.4 - germantest.redsnapper .net - GET /m.exe
... Attachment name: fax_message_326-816-3257.doc
First submission: 2015-10-06 14:28:27 UTC
Virus Total link* - Hybrid-Analysis link** ..."
* https://www.virustotal.com/en/file/9686caf5e37a676ce63054959dfe7ab3e09863f86fd13fb720dc2921621aa8a5/analysis/

** https://www.hybrid-analysis.com/sample/9686caf5e37a676ce63054959dfe7ab3e09863f86fd13fb720dc2921621aa8a5?environmentId=2

185.42.15.7: https://www.virustotal.com/en/ip-address/185.42.15.7/information/
151.236.10.194: https://www.virustotal.com/en/ip-address/151.236.10.194/information/
93.171.158.226: https://www.virustotal.com/en/ip-address/93.171.158.226/information/
136.243.24.4: https://www.virustotal.com/en/ip-address/136.243.24.4/information/

"... same signature": https://www.hybrid-analysis.com/search?query=signatureid%3Anetwork-1

:fear::fear: :mad:

FYI...

Fake 'contract' SPAM – doc/xls malware
- http://myonlinesecurity.co.uk/contract-word-doc-or-excel-xls-spreadsheet-malware/
8 Oct 2015 - "An email with the subject of 'contract' pretending to come from random companies and email addresses with a zip file containing a malicious word doc attachment is another one from the current bot runs... The email looks like:
Dear customer,
I’m sending you a new contract of the project (Double ordinary certificate)
-Or-
Dear customer,
I’m sending you a new contract of the project (Information about updated summary)

The name in brackets in the body of the email matches the name of the zip attachment that contains the word doc which also has random names... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents appear to be blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/protected-view-macros_21.png
...
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/02/Excel_macro_protected-mode.png

8 October 2015: Double ordinary certificate.zip - Extracts to: Collect corporate business inventories.doc
Current Virus total detections 3/56* ... which doesn’t connect to a webserver but has the Upatre binary embedded inside the word doc inside a rtf file that gets extracted and run from %temp%\w13.exe (VirusTotal 3/57**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/a70501f92f222723a0d6d836df0a22371175a68b5218334fdae20fb48db69d03/analysis/1444322597/

** https://www.virustotal.com/en/file/adcf5faaac14ec77c173beb22a34aa8f174049184196758f9623285de85af2e4/analysis/1444323758/
___

Fake 'GTA V for Mobile' sites lead to 'Surveys'
- https://blog.malwarebytes.org/online-security/2015/10/gta-v-for-mobile-sites-lead-to-surveys/
Oct 8, 2015 - "... GTA V used as -bait- in many cases... here's one which focuses on the allure of portability to reel in unsuspecting fans of the title. A number of sites are claiming to offer up mobile versions of the game, despite it requiring an Xbox 360 / Xbox One / PS3 / PS4 / decent gaming PC to run – not to mention the disk space taken up, which is a fair amount to say the least (you aren’t going to find many phones with -50GB- available just to be able to install a game). The sites in question are:
gta5forpsp(dot)com
androidgta5(dot)com
iosgta5(dot)com
Despite this, mobile gamers are being told they can run it on Android, iOS and PSP. The three sites we looked at all share similar designs, displaying what they claim to be GTA V running on the aforementioned devices and a download link:
> https://blog.malwarebytes.org/wp-content/uploads/2015/10/gtahandheld11.jpg
... they also use the well worn technique of saying “As seen on…” and listing numerous well known online publications (none of which appear to mention their mysterious version of GTA V)... the creators of the Grand Theft Auto titles, Rockstar Games, don’t mention a handheld version of GTA V anywhere either. It’s almost like it doesn’t exist. This is probably a good time to make a callback to that -50GB- game size, and then see how big one of the mobile downloads is:
> https://blog.malwarebytes.org/wp-content/uploads/2015/10/gtahandheld4.jpg
... If in doubt, check the official website of a game developer and discover straight from the source which platform your desired evening’s entertainment runs on. In the above case, there is -no- official version of GTA V for handhelds whatsoever..."

gta5forpsp(dot)com: 91.121.223.39: https://www.virustotal.com/en/ip-address/91.121.223.39/information/
androidgta5(dot)com: https://www.virustotal.com/en/url/025d79aed8df93ec300d6d3c8f08c8282323e8cc27dba4f2b52833cbe73653e1/analysis/
iosgta5(dot)com: https://www.virustotal.com/en/url/08361bab9668cd14a75caea107c271b4e26ecc1b2015c8c178f4928323623744/analysis/

:fear::fear: :mad:

FYI...

Fake 'DHL invoice' SPAM – doc/xls malware
- http://myonlinesecurity.co.uk/your-latest-dhl-invoice-mse7396821-word-doc-or-excel-xls-spreadsheet-malware/
9 Oct 2015 - "An email that appears to come from DHL with the subject of 'Your latest DHL invoice : MSE7396821' pretending to come from e-billing.uk1@ dhl .com with a malicious word doc attachment is another one from the current bot runs...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/10/Your-latest-DHL-invoice-MSE7396821-1024x549.png

... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents appear to be blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/protected-view-macros_21.png
...
9 October 2015 : MSE7396821.doc - Current Virus total detections 5/56*
Downloads a Dridex banking malware http ://roadmark .co.uk/fsf4fd32/8ik6sc.exe which is saved as %temp%\vtsabd.exe (VirusTotal 2/56**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/9f2ed6c452fb3575495b9fdfc00caa51bdb9aa6d56af0014f0448ccda8a8c223/analysis/1444382592/

** https://www.virustotal.com/en/file/07be668d67a90794eb0e83302275adc8330ac20dea08d6a5e62965daf0d17374/analysis/1444382939/
... Behavioural information
TCP connections
86.105.33.102: https://www.virustotal.com/en/ip-address/86.105.33.102/information/
191.234.4.50: https://www.virustotal.com/en/ip-address/191.234.4.50/information/

roadmark .co.uk: 88.208.252.196: https://www.virustotal.com/en/ip-address/88.208.252.196/information/

- http://blog.dynamoo.com/2015/10/malware-spam-your-latest-dhl-invoice.html
9 Oct 2015 - "... In the only sample I have seen, the attached file is named MSE7396821.doc and has a VirusTotal detection rate of 5/55*. This contains a malicious macro... which downloads a file from the following location:
flexicall .co.uk/fsf4fd32/8ik6sc.exe
There will undoubtedly be different versions of the document with different download locations. This binary is saved as %TEMP%\vtsAbd.exe and has a VirusTotal detection rate of 2/54**. That VirusTotal report, this Malwr report[3] and this Hybrid Analysis report[4] show network traffic to:
86.105.33.102 (Data Net SRL, Romania)
I recommend that you block traffic to and from that IP address. The payload appears to be the Dridex banking trojan."
* https://www.virustotal.com/en/file/d34435cc5780f450438716372a57417a079dde909a2f72a81a67b46fcdfd6f8a/analysis/1444381402/

** https://www.virustotal.com/en/file/07be668d67a90794eb0e83302275adc8330ac20dea08d6a5e62965daf0d17374/analysis/1444381818/
... Behavioural information
TCP connections
86.105.33.102: https://www.virustotal.com/en/ip-address/86.105.33.102/information/
191.234.4.50: https://www.virustotal.com/en/ip-address/191.234.4.50/information/

3] https://malwr.com/analysis/NTMwN2Q3OWVkZmFkNDg0ZWI5NGMwNzViOGNmYzIzOWU/

4] https://www.hybrid-analysis.com/sample/d34435cc5780f450438716372a57417a079dde909a2f72a81a67b46fcdfd6f8a?environmentId=3

flexicall .co.uk: 109.228.12.96: https://www.virustotal.com/en/ip-address/109.228.12.96/information/

"... same signature": https://www.hybrid-analysis.com/sample/d34435cc5780f450438716372a57417a079dde909a2f72a81a67b46fcdfd6f8a?environmentId=3

:fear::fear: :mad:

FYI...

Fake 'Insurance' SPAM - malicious attachment
- http://blog.dynamoo.com/2015/10/malware-spam-insurance.html
12 Oct 2015 - "This spam does not come from No Letting Go but is instead a simple forgery with a malicious attachment.
From [accounts@ nolettinggo .co.uk]
Date Mon, 12 Oct 2015 11:43:16 +0330
Subject Insurance
Dear all
Please find attached insurance paperwork including EL certificate. Invoices
will follow at the beginning of November.
Regards
Karen

In the only sample I have seen so far, the attachment name is SKMBT_C36014102815580.doc which has a VirusTotal detection rate of 8/56*. This particular document contains this malicious macro... which downloads a malware component from the following location:
ukenterprisetours .com/877453tr/rebrb45t.exe
The usual pattern is that there are several different versions of the document downloading from different locations, but the payload is the same in all cases. This binary is saved as %TEMP%\gicage.exe and has a detection rate of 2/56**. That VirusTotal report and this Hybrid Analysis report[3] show network traffic to:
149.210.180.13 (TransIP BV, Netherlands)
I strongly recommend that you block or monitor traffic to this IP. The payload is the Dridex banking trojan..."
* https://www.virustotal.com/en/file/fc4bd160119744f41bfdb71d7bde347c12b3b1263528bfbc7f836bfd813007ef/analysis/1444637908/

** https://www.virustotal.com/en/file/0572ee84a21904e6ce63a8001c4549d48de57d54f666275ac69190bbb94446dc/analysis/1444638547/
... Behavioural information
TCP connections
149.210.180.13: https://www.virustotal.com/en/ip-address/149.210.180.13/information/
92.123.225.120: https://www.virustotal.com/en/ip-address/92.123.225.120/information/

3] https://www.hybrid-analysis.com/sample/fc4bd160119744f41bfdb71d7bde347c12b3b1263528bfbc7f836bfd813007ef?environmentId=3

ukenterprisetours .com: 46.20.120.64: https://www.virustotal.com/en/ip-address/46.20.120.64/information/

- http://myonlinesecurity.co.uk/nolettinggo-co-uk-insurance-word-doc-malware/
12 Oct 2015 - "An email that appears to come from nolettinggo .co.uk with the subject of 'Insurance' pretending to come from accounts@ nolettinggo .co.uk with a malicious word doc attachment is another one from the current bot runs...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/10/insurance-nolettinggo-1024x497.png

... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents appear to be blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/protected-view-macros_21-1024x412.png
...
12 October 2015 : SKMBT_C36014102815580.doc - Current Virus total detections 7/55*
.. Downloads Dridex banking malware from http ://capricorn-cleaning .co.uk/877453tr/rebrb45t.exe
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/4287b74ab29ff490474af7c8e36f1419f492c2246c24403b44b76abae76f9efa/analysis/1444635759/

capricorn-cleaning .co.uk: 109.108.129.21: https://www.virustotal.com/en/ip-address/109.108.129.21/information/
___

Fake 'Invoice' SPAM - malicious attachment
- http://blog.dynamoo.com/2015/10/malware-spam-water-services-invoice.html
12 Oct 2015 - "This -fake- financial email is not from United Utilities but is instead a simple forgery with a malicious attachment:
From "UUSCOTLAND" <UUSCOTLAND@ uuplc .co.uk>
Date Mon, 12 Oct 2015 17:12:12 +0530
Subject Water Services Invoice
Good Morning,
I hope you are well.
Please find attached the water services invoice summary for the billing period of
12 September 2015 to 12 October 2015.
If you would like any more help, or information, please contact me...
Kind regards
Melissa
Melissa Lears
Billing Specialist
Business Retail
United Utilities Scotland
T: 0345 0726077 (26816)...
The information contained in this e-mail is intended only for the individual to whom it is addressed. It may contain legally privileged or confidential information or otherwise be exempt from disclosure. If you have received this Message in error or there are any problems, please notify the sender immediately and delete the message from your computer. You must not use, disclose, copy or alter this message for any unauthorised purpose...

Attached to the email is a file 12 October 2015 Invoice Summary.doc which comes in at least -four- different versions (VirusTotal results: [1] [2] [3] [4]) which contain a macro... Download locations spotted so far are:
ukenterprisetours .com/877453tr/rebrb45t.exe
eventmobilecatering .co.uk/877453tr/rebrb45t.exe
thewimbledondentist .co.uk/877453tr/rebrb45t.exe
cardiffhairandbeauty .co.uk/877453tr/rebrb45t.exe
All those download locations are on UK sites, but there are three apparently unrelated IP addresses in use:
46.20.120.64: https://www.virustotal.com/en/ip-address/46.20.120.64/information/
109.108.129.21: https://www.virustotal.com/en/ip-address/109.108.129.21/information/
213.171.218.221: https://www.virustotal.com/en/ip-address/213.171.218.221/information/
This is saved as %TEMP%\gicage.exe and has a VirusTotal detection rate of just 1/56[5]...
149.210.180.13 (TransIP BV, Netherlands)
86.105.33.102 (Data Net SRL, Romania)
I would recommend blocking traffic to both those IPs. The payload is the Dridex banking trojan.
Recommended blocklist:
149.210.180.13: https://www.virustotal.com/en/ip-address/149.210.180.13/information/
86.105.33.102: https://www.virustotal.com/en/ip-address/86.105.33.102/information/
.
1] https://www.virustotal.com/en/file/da2cac6b46e2ca605dc8afa5d9c8a75e813c1c0d276c65b55bf16254fdcf4057/analysis/1444652575/

2] https://www.virustotal.com/en/file/b209b71606f294e241ed75105f11bf194360aadf8aa415aaa9138bb97abb22c7/analysis/1444652586/

3] https://www.virustotal.com/en/file/b0a43774c6e27788bd52503cbf2ba4388b7c0e159e46ad11aa140728f721b61e/analysis/1444652597/

4] https://www.virustotal.com/en/file/fc4bd160119744f41bfdb71d7bde347c12b3b1263528bfbc7f836bfd813007ef/analysis/1444652607/

5] https://www.virustotal.com/en/file/d389ae390f7301644fceec70eb63300c542b0522ba6ac1c278b0c160dd010802/analysis/1444652695/

- http://myonlinesecurity.co.uk/water-services-invoice-uuscotland-united-utilities-scotland-word-doc-malware/
12 Oct 10`5 - "An email that appears to come from United Utilities Scotland with the subject of 'Water Services Invoice' pretending to come from UUSCOTLAND <UUSCOTLAND@ uuplc .co.uk> with a malicious word doc attachment is another one from the current bot runs...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/10/Water-Services-Invoice-1024x690.png

.. DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents appear to be blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/protected-view-macros_21-1024x412.png
...
12 October 2015: 12 October 2015 Invoice Summary.doc - Current Virus total detections 8/55*
... Downloads from the same locations as described in today’s earlier malspam run** of malicious word docs, but delivers an updated Dridex version (VirusTotal 1/56 ***)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/b209b71606f294e241ed75105f11bf194360aadf8aa415aaa9138bb97abb22c7/analysis/1444654116/

** http://myonlinesecurity.co.uk/nolettinggo-co-uk-insurance-word-doc-malware/

*** https://www.virustotal.com/en/file/d389ae390f7301644fceec70eb63300c542b0522ba6ac1c278b0c160dd010802/analysis/1444652695/
... Behavioural information
TCP connections
86.105.33.102: https://www.virustotal.com/en/ip-address/86.105.33.102/information/
191.234.4.50: https://www.virustotal.com/en/ip-address/191.234.4.50/information/
___

Fake 'Invoice 1377' SPAM - PDF malware
- http://myonlinesecurity.co.uk/invoice-1377-peachsoftware-co-uk-fake-pdf-malware/
12 Oct 2015 - "An email with the subject of 'Invoice 1377' pretending to come from info@ peachsoftware .co.uk with a zip attachment is another one from the current bot runs... The content of the email says:

Please see invoice attached

12 October 2015: invoice-1377.zip: Extracts to: invoice-1377.exe
Current Virus total detections 4/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/5596573bb9ac8a26a4d15b6918478439c89ac8a142c02f3bff9730fd7b9cf0ca/analysis/1444648227/
___

Suspected Iran-Based Hacker Group Creates Network of Fake LinkedIn Profiles
- http://www.secureworks.com/cyber-threat-intelligence/threats/suspected-iran-based-hacker-group-creates-network-of-fake-linkedin-profiles/
7 Oct 2015 - "Summary: While tracking a suspected Iran-based threat group known as Threat Group-2889[1] (TG-2889), Dell SecureWorks Counter Threat Unit™ (CTU) researchers uncovered a network of fake LinkedIn profiles. These convincing profiles form a self-referenced network of seemingly established LinkedIn users. CTU researchers assess with high confidence the purpose of this network is to target potential victims through social engineering. Most of the legitimate LinkedIn accounts associated with the fake accounts belong to individuals in the Middle East, and CTU researchers assess with medium confidence that these individuals are likely targets of TG-2889.
Fake LinkedIn accounts: The 25 fake LinkedIn accounts identified by CTU researchers fall into two categories: fully developed personas (Leader) and supporting personas (Supporter). The table in the Appendix lists details associated with the accounts. The level of detail in the profiles suggests that the threat actors invested substantial time and effort into creating and maintaining these personas. The photos used in the fake accounts are likely of innocent individuals who have no connection to TG-2889 activity...
Legitimate endorsers of -fake- TG-2889 LinkedIn accounts by country:
> http://www.secureworks.com/assets/image_store/png/image007_500px.png
... Ongoing threat: Updates to profile content such as employment history suggest that TG-2889 regularly maintains these fake profiles. The persona changes and job alterations could suggest preparations for a new campaign, and the decision to reference Northrup Grumman and Airbus Group may indicate that the threat actors plan to target the aerospace vertical. It is likely that TG-2889 maintains personas that have not yet been identified, and that other threat groups also use this tactic. CTU researchers advise organizations to educate their users of the specific and general risks:
- Avoid contact with known fake personas.
- Only connect to personas belonging to individuals they know and trust.
- Adopt a position of sensible caution when engaging with members of colleagues' or friends' networks that they have not -verified- outside of LinkedIn.
When evaluating employment offers originating from LinkedIn, seek confirmation that the individual is legitimate by directly contacting the individual's purported employer. Organizations may want to consider policing abuse of their brand on LinkedIn and other social media sites..."

:fear::fear: :mad:

FYI...

Fake 'Customer Invoice' SPAM - doc malware
- http://myonlinesecurity.co.uk/quickhostuk-customer-invoice-word-doc-malware/
13 Oct 2015 - "An email appearing to come from 'QuickHostUK' with the subject of 'Customer Invoice' pretending to come from QuickHostUK <info@ quickhostuk .com> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
Dear customer,
This is a notice that an invoice has been generated on 11/10/2015.
Your payment method is: Credit/Debit Card
Invoice #302673
Amount Due: £40.00GBP
Due Date: 18/10/2015
Invoice Items
Fully Managed Hosting – Starter (18/10/2015 – 17/11/2015) £40.00GBP
Sub Total: £40.00GBP
Credit: £0.00GBP
Total: £40.00GBP
Payment will be taken automatically on 18/10/2015 from your credit card on record with us. To update or change the credit card details we hold for your account please login...

13 October 2015: Invoice-302673.doc - Current Virus total detections 5/56*
... Which downloads Dridex banking malware from http ://thelureofnoma .com/~web/34fc34t45t/8ijfew.exe (VirusTotal 1/53**)... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents appear to be blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/protected-view-macros_21-1024x412.png
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/e11453a59492d91a0925f7e28ca711d3695813beccee7a081898420f9b627774/analysis/1444732952/

** https://www.virustotal.com/en/file/9f937b9f15be07f35bf109477f6a57e675f22429a0ebeecd4bdaee002330f7b6/analysis/1444733145/

thelureofnoma .com: 69.72.240.66: https://www.virustotal.com/en/ip-address/69.72.240.66/information/
___

Fake 'Bank - Third Party Payment' SPAM – PDF malware
- http://myonlinesecurity.co.uk/commonwealth-bank-of-australia-first-netbank-third-party-payment-fake-pdf-malware/
13 Oct 2015 - "An email appearing to come from 'Commonwealth Bank of Australia' with the subject of 'First NetBank Third Party Payment' pretending to come from NetBankNotification@ cba .com.au with a zip attachment is another one from the current bot runs... The content of the email says :
First NetBank Third Party Payment
Your first transfer to the following third party account(s) has been successfully processed:
From Account: **** **** **** 6439 MasterCard
To Account(s): Bonnie Sharpe 511-187 ***7654 AMEX $6,990.72 Assistance to Refugees
Date: 13/10/2015
Please check attached file for more information about this transaction.
Yours sincerely,
Commonwealth Bank of Australia
Please do not reply. To confirm this is a genuine email sent by the Bank, please check your inbox on the NetBank home page.
Message: 932750168

13 October 2015: CBA Third Party Payment 932750168.zip: Extracts to: CBA Third Party Payment 949078743.scr
Current Virus total detections 10/57*... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/0bbb0cf30454687ae422e301eb707ac3e7c791acf87ddfe3fdadc2545b0740f8/analysis/1444709718/

:fear::fear: :mad:

FYI...

Flash 0-Day used in Pawn Storm...
>> http://blog.trendmicro.com/trendlabs-security-intelligence/new-adobe-flash-zero-day-used-in-pawn-storm-campaign/
Oct 14, 2015 - "... the attackers behind Pawn Storm are using a new Adobe Flash zero-day exploit in their latest campaign. Pawn Storm is a long-running cyber-espionage campaign known for its high-profile targets and usage of the first Java zero-day we’ve seen in the last couple of years... Based on our analysis, the Flash zero-day affects at least Adobe Flash Player versions 19.0.0.185 and 19.0.0.207... We have notified Adobe about our discovery and are working with them to address this security concern. Updates to this entry will be made once more information is available."

'Just released 10.13.2015 .'Suggest Flash be -disabled- immediately until a new fix/release from Adobe is available...

* 'Suggest Java be disabled, too. Next scheduled release of Java update due 10.20.2015.
- https://community.qualys.com/blogs/laws-of-vulnerabilities/2015/10/13/patch-tuesday-october-2015
Oct 13, 2015 - "... Oracle will have their CPU later this month, on the 20th..."
___

Fake 'DocuSign' SPAM – PDF malware
- http://myonlinesecurity.co.uk/docusign-completed-optus-agreement-no-jtjw-650508-fake-pdf-malware/
14 Oct 2015 - "An email with the subject of 'Completed: Optus agreement no JTJW-650508' pretending to come from thiaminenz570@ cintas .com; on behalf of; 'DocuSign via DocuSign <dse_eu1@ docusign .net>' with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/10/Completed-Optus-agreement_docusign-1024x780.png

14 October 2015: Optus agreement no JTJW-650508.zip: Extracts to: Optus agreement no LPRH-300726.scr
Current Virus total detections 6/56*... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/20ecca005e18a7c4c7f5ca2696edf98d22df9c73cacd0601c6263d064dac36b2/analysis/1444797213/
___

Fake 'SMSF Gateway Svc Msg' SPAM – PDF malware
- http://myonlinesecurity.co.uk/australia-post-smsf-gateway-service-message-fake-pdf-malware/
14 Oct 2015 - "An email with the subject of 'Australia Post SMSF Gateway Service Message' pretending to come from SMSF Gateway Team <SMSFGateway-NO-REPLY@ smsfmsg .auspost .com.au> with a zip attachment is another one from the current bot runs... The content of the email says:
We’re pleased to advise you that the Australia Post SMSF Gateway Service has received a superannuation contribution message.
The details of this message are in the attached PDF.
The contribution payment should appear in your nominated bank account with a payment reference number listed in the PDF to allow for easy reconciliation.
Kind Regards
The SMSF Gateway Team ...

14 October 2015: Contribution448772241.zip: Extracts to: Contribution308911799.scr
Current Virus total detections 4/56*... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/7220b1e202086914c187e9437b0e5f5d5bec7b1b7b53bfc5d8c7e0f6d4ec272f/analysis/1444789129/
___

FBI, Security Vendors Partner for DRIDEX Takedown
- http://blog.trendmicro.com/trendlabs-security-intelligence/us-law-enforcement-takedown-dridex-botnet/
Oct 13, 2015 - "Multiple command-and-control (C&C) servers used by the DRIDEX botnet have been taken down by the Federal Bureau of Investigation (FBI), following the action taken by the National Crime Agency (NCA) in the UK. US law enforcement officials obtained court orders that resulted in the seizure of multiple servers used by DRIDEX. This crippled the malware’s C&C network, which is used by the malware to send the stolen information to the cybercriminals and to download configuration files that include the list of targeted banks. Furthermore, charges have been made against Andrey Ghinkul, aka Andrei Ghincul and Smilex, the Moldovan administrator of the botnet. Taking down cybercriminals is no small feat. Tracking down and shutting down cybercrime operations requires the constant collaboration of researchers and law enforcement agencies, each providing their own expertise. The takedown of the command-and-control (C&C) network used by the banking malware DRIDEX is the latest example of that partnership’s success... DRIDEX has slowly been making a name for itself this past year and has been viewed as the successor to the Gameover Zeus (GoZ) malware. Its prevalence in the threat landscape can be attributed to its business model, P2P (peer-to-peer) architecture, and unique routines. Unlike other malware, DRIDEX operates using the BaaS (Botnet-as-a Service) business model. It runs several bot networks, each identified by a number and each containing a specific set of target banks. Our investigation revealed that its target banks mostly come from the US and Europe (particularly Romania, France, and the UK)... users in the US and the UK accounted for more than 35% of DRIDEX infections:
> https://blog.trendmicro.com/trendlabs-security-intelligence/files/2015/10/dridex.jpg
The P2P architecture of DRIDEX was built as an improved version of GoZ’s architecture. Learning from the GoZ takedown, creators of DRIDEX added a another layer in its architecture before the command-and-control (C&C) server. Apart from these, DRIDEX is also equipped to remove or hide tracks in the system. Similar to the Chthonic variant of ZBOT, it uses an invisible persistence technique which involves writing autostart reg key upon system shutdown and deleting autostart reg key upon system startup. However, only DRIDEX cleans up the stored configuration in the registry and changes the malware copy location. DRIDEX is easily spread using malicious email attachments, usually Microsoft Office documents that contain macros. The use of macros could be seen as one way of ensuring a higher chance of successful attacks. Macros are commonly used in automated and interactive documents. The feature is usually deactivated by default, but if it was already enabled prior to the attack, the attack commences without any additional requirements. Otherwise, the attack must use a strong social engineering lure in order to convince the user to enable the feature. Furthermore, we found that the macro code contains garbage and useless code... While the takedown of the C&C servers now prevents DRIDEX from executing malicious activities, total cleanup still requires users to ensure that DRIDEX has been removed from their systems..."

>>> http://www.justice.gov/usao-wdpa/pr/bugat-botnet-administrator-arrested-and-malware-disabled
Oct 13, 2015 - "... Victims of Bugat/Dridex may use the following webpage created by US-CERT for assistance in removing the malware:
> https://www.us-cert.gov/dridex ..."
Oct 13, 2015

:fear::fear: :mad:

FYI...

Fake 'Scan' SPAM - doc malware
- http://myonlinesecurity.co.uk/ray-white-scan-2015-10-14-52954-p-m-word-doc-malware/
15 Oct 2015 - "An email with the subject of '[Scan] 2015-10-14 5:29:54 p.m.' pretending to come from 'Ray White <rw@raylian .co.uk>' with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/10/Scan-2015-10-14-52954-pm-1024x357.png

15 October 2015: 2015-10-14 5-29-54 p.m..doc . Current Virus total detections 4/54*
... Which downloads Dridex banking malware from http ://23.229.157.230/~gwhill2377/86575765/6757645.exe (VirusTotal 0/53**)... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents appear to be blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/protected-view-macros_21-1024x412.png
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/dc7754256622945c6574a806e5c35d59cad40e111d66fd0495bbeedd6213130b/analysis/1444898925/

** https://www.virustotal.com/en/file/2587300cc5c250b1c79e664363d1ca81d61e7e063b90212ab222753f8c0f6e04/analysis/1444899628/
... Behavioural information
TCP connections
89.32.145.12: https://www.virustotal.com/en/ip-address/89.32.145.12/information/
88.221.14.138: https://www.virustotal.com/en/ip-address/88.221.14.138/information/

23.229.157.230: https://www.virustotal.com/en/ip-address/23.229.157.230/information/
> https://www.virustotal.com/en/url/d4ece27daccce8915be08ce4590464732ba0e5a907b791b894dc0a78621fd790/analysis/

- http://blog.dynamoo.com/2015/10/malware-spam-scan-2015-10-14-52954-pm.html
15 Oct 2015 - "This rather terse spam email has a malicious attachment. It does not come from Raylian but is instead a simple forgery:
From Ray White [rw@ raylian .co.uk]
Date Thu, 15 Oct 2015 10:56:35 +0200
Subject [Scan] 2015-10-14 5:29:54 p.m.
Amanda's attached.

In the only sample I saw, the attachment was named 2015-10-14 5-29-54 p.m..doc which has a VirusTotal detection rate of 4/56 and which contains this malicious macro... The Hybrid Analysis report* shows this particular version (there will be others) downloading a binary from:
sdhstribrnalhota .xf .cz/86575765/6757645.exe
Despite the apparently random name, this is a real business website (SDH Stříbrná Lhota) that has been compromised. This binary has a detection rate of just 2/56** and is saved as %TEMP%\CrowSoft1.exe. The Hybrid Analysis report*** for this indicates connections to:
89.32.145.12 (Elvsoft SRL, Romania / Coreix, UK)
195.154.251.123 (Online SAS / Iliad Entreprises / Poney Telecom, France)
The payload appears to be the Dridex banking trojan, still going strong despite reports of arrests in the crime gang responsible.
Recommended blocklist:
89.32.145.12
195.154.251.123
* https://www.hybrid-analysis.com/sample/5f211cfd6cd1b01dda2d29ab143b5bc7f32425945630b63c3b93f60c1d1ce857?environmentId=1

** https://www.virustotal.com/en/file/2587300cc5c250b1c79e664363d1ca81d61e7e063b90212ab222753f8c0f6e04/analysis/1444903993/
... Behavioural information
TCP connections
89.32.145.12: https://www.virustotal.com/en/ip-address/89.32.145.12/information/
88.221.14.138: https://www.virustotal.com/en/ip-address/88.221.14.138/information/

*** https://www.hybrid-analysis.com/sample/2587300cc5c250b1c79e664363d1ca81d61e7e063b90212ab222753f8c0f6e04?environmentId=1

:fear::fear: :mad:

FYI...

Fake 'DHL' SPAM - PDF malware
- http://myonlinesecurity.co.uk/dhl-australia-return-consignment-startrack-express-fake-pdf-malware/
16 Oct 2015 - "An email that appears to come from 'DHL Australia' with the subject of 'Return consignment AVD524417' pretending to come from DSC.AU.Returns@ dhl .com with a zip attachment is another one from the current bot runs... The content of the email says :
BOOKING OF YOUR CONTROLLED RETURN
Print off labels (on a LASER printer as this will ensure driver can scan barcode) and affix to carton.
Please ensure all other labels are removed from carton.
You can book your own freight by calling our Carrier Partner Startrack Express on 12 18 58 quoting Reference No. 524417
Alternatively, DHL will call within 3 business days after labels are sent to assist in booking in your freight for collection.
Quote the consignment Number that is on your labels (attached to your email with prefix AVD)
Startrack Express will provide you with a booking number, please retain this number.
Below is a mandatory TRANSFER SUMMARY. This must be completed prior to the arrival of driver; if not complete, this may result in a futile pick up.
Goods are required back into warehouse no later than 7 working days. Please ensure good are ready for collection.
STARTRACK EXPRESS TRANSFER SUMMARY REPORT ...

16 October 2015: FL-AVD524417.zip: Extracts to: FL-AVD084542.exe
Current Virus total detections 5/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/af52fc56d9f65203ebb425af6120440552b4853d32941b07d9b47332f6ee6917/analysis/1444969428/
___

Backdoor Zegost delivered via Hacking Team exploit
- http://research.zscaler.com/2015/10/chinese-backdoor-zegost-delivered-via.html
Oct 16, 2015 - "... In past two months, we've spotted multiple instances of Zegost Backdoor Trojan installation attempts leveraging Hacking Team's Adobe Flash exploit (CVE-2015-5119) payload. These attacks do not appear to be targeted, but the payload involved in the infection cycle has some resemblance to recent APT payloads from HttpBrowser & the PlugX RAT family. Attack Chain: The infection cycle starts with a legitimate Chinese real estate and shopping site www[.]kongquechang[.]com, which appears to have been compromised by the attackers and contains an injected script. The injected script will cause a series of -redirects- leading to Hacking Team's exploit payload... Attackers are abusing the Chinese URL shortening service t .cn to -redirect- victims to the attack server and also Baidu's URL shortening service dwz .cn to deliver the Adobe Flash exploit payload... Below is the complete list of C&Cs it tries to connect.
80.247.233.18: https://www.virustotal.com/en/ip-address/80.247.233.18/information/
91.121.82.113: https://www.virustotal.com/en/ip-address/91.121.82.113/information/
69.164.213.85: https://www.virustotal.com/en/ip-address/69.164.213.85/information/
79.143.191.147: https://www.virustotal.com/en/ip-address/79.143.191.147/information/
199.241.30.233: https://www.virustotal.com/en/ip-address/199.241.30.233/information/
162.243.12.14: https://www.virustotal.com/en/ip-address/162.243.12.14/information/
188.93.73.90: https://www.virustotal.com/en/ip-address/188.93.73.90/information/
195.154.184.240: https://www.virustotal.com/en/ip-address/195.154.184.240/information/
Conclusion: The use of a legitimate certificate in signing malware executables to evade security detection is not new but is still very effective. The malware author aims to exploit the Code-Signing Certificate based whitelisting approach by signing their samples..."
(More detail at the zscaler URL at the top.)

kongquechang[.]com: Could not find an IP address for this domain name.

:fear::fear: :mad:

FYI...

Fake 'Invoice / PO' SPAM - malicious attachment
- http://blog.dynamoo.com/2015/10/malware-spam-cos007202-stephanie.html
19 Oct 2015 - "This -fake- financial spam does not come from Bombardier Transportation but is instead a simple -forgery- with a malicious attachment:
From "Stephanie Greaves" [sgreaves@ btros .co.uk]
Date Mon, 19 Oct 2015 12:06:42 +0430
Subject COS007202
Good morning,
Please see attached purchase order.
Kind regards,
Stephanie Greaves
Administration Apprentice
Bombardier Transportation (Rolling Stock) UK Ltd
Electronics, Cabling, & Interior Division
Litchurch Lane, Derby, DE24 8AD

Attached is a file COS007202.doc which comes in at least three different versions (VT results [1] [2] [3]) each containing a slightly different malicious macro... Analysis of the documents is pending, but they will almost definitely drop the Dridex banking trojan...
UPDATE: According to these Hybrid Analysis reports [4] [5] [6] , those macros download from the following locations:
euroagroec .com/35436/5324676645.exe
demo9.iphonebackstage .com/35436/5324676645.exe
webmatique .info/35436/5324676645.exe
The binary they download has a VirusTotal detection rate of 3/56[7] and is saved as %TEMP%\CrowSoft1.exe. Both the VirusTotal and Hybrid Analysis reports show what looks like malicious traffic going to:
157.252.245.49 (Trinity College Hartford, US)
I recommend that you -block- traffic to that IP..."
1] https://www.virustotal.com/en/file/357807e192b591045f47e75eb8bf90ffd836334896975cead383459fabf05cf7/analysis/1445246850/

2] https://www.virustotal.com/en/file/44805663bb4a9593cef0aa693f363dbd60ccf4ce50fe04ed9ce6e96f1ff57212/analysis/1445246860/

3] https://www.virustotal.com/en/file/843fa344144221549eb5f11619601a5af465debf701d5ca8c65c0de997f1d3e5/analysis/1445246874/

4] https://www.hybrid-analysis.com/sample/357807e192b591045f47e75eb8bf90ffd836334896975cead383459fabf05cf7?environmentId=3

5] https://www.hybrid-analysis.com/sample/44805663bb4a9593cef0aa693f363dbd60ccf4ce50fe04ed9ce6e96f1ff57212?environmentId=3

6] https://www.hybrid-analysis.com/sample/843fa344144221549eb5f11619601a5af465debf701d5ca8c65c0de997f1d3e5?environmentId=1

7] https://www.virustotal.com/en/file/a640ebf7551d4f7cc6c4e910aea7434b3ebc6b2a08b4763d93165af20a8bb571/analysis/1445249638/
___

Fake 'Online banking app form' SPAM - PDF malware
- http://myonlinesecurity.co.uk/online-banking-application-form-crm-fake-pdf-malware/
19 Oct 2015 - "An email appearing to come from Nat West Leicester Business Banking Customer Support with the subject of 'Online banking application form********* CRM:013545192' (random numbers) pretending to come from 'NW – Leicester CRT <Leicester.CMT@ NatWest .com> with a zip attachment is another one from the current bot runs... The content of the email says:
Please find enclosed the requested online application form which
you will need to complete and return to myself via the post.
Kind Regards
Janine Lyles
Relationship Manager’s Assistant
Leicester Business Banking Customer Support
1st Floor
1 Granby Street
Leicester
LE1 6EJ
Tel: 0116 2752435
Fax: 0116 2575469
E Mail ...

19 October 2015: Online banking upd appl form.zip: Extracts to: Online banking upd appl form.scr
Current Virus total detections 3/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/d46d08b4ee94c57efa56f55fdf995a88b64b3bd63a077577b5888fc750743d33/analysis/1445250902/

:fear::fear: :mad:

FYI...

Fake 'P.O.' SPAM - PDF malware
- http://myonlinesecurity.co.uk/purchaseorder-dr67cv_30hj-from-xstrata-by-emerson-vicky-prod-fake-pdf-malware/
20 Oct 2015 - "An email appearing to come from Xstrata with the subject of 'PurchaseOrder DR67CV_30HJ' from 'Xstrata' by 'Emerson, Vicky (PROD)' pretending to come from XstrataQLD@ axis.ventyx .com with a zip attachment is another one from the current bot runs... The content of the email says :
Please find attached a PurchaserOder from Xstarta for your action. It has been sent via Mincom Axis.
This PurhcaseOrder is in PDF format and can be viewed with Adobe Acrobat Reader. You may ACCEPT or REJECT this PurchaseOrdre from this email by following the isntructions below. In either case, an email will be generated for you to send to the Buyer via Mincom Axis. Type in any notes or comments you wish to convey to the buyer in the email Body and send the email but do not modify any part of the email Subject.
To ACCEPT the whole PucrhaseOrder, click the following link and complete your details ...

20 October 2015: PurchaseOrder_9EP31W_52M1_707850624.zip: Extracts to: PurchaseOrder_816785634_036545298.exe
Current Virus total detections 6/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/a8b8640efb893458b808f00bdad7d0f2a0e013df2dfa330f9fbd2ef225372e56/analysis/1445314610/
___

Fake 'P.O.' SPAM - doc malware
- http://blog.dynamoo.com/2015/10/malware-spam-purchase-order-no-48847.html
20 Oct 2015 - "This -fake- financial spam comes with a malicious payload:
From Harminder Saund [MinSaund77@ secureone .co.uk]
Date Tue, 20 Oct 2015 16:08:53 +0700
Subject Purchase Order No: 48847
Attached is a copy of our Purchase Order number 48847
Harminder Saund
Secure One

The sender's email address varies slightly, for example:
MinSaund77@ secureone .co.uk
MinSaund92@ secureone .co.uk
MinSaund94@ secureone .co.uk
MinSaund013@ secureone .co.uk
Attached is a file PO_48847.DOC which I have seen two different versions of so far (VirusTotal [1] [2]) each containing a slightly different malicious macro... There are probably different versions of the document with different macros. Automated analysis is pending, however the payload is most likely the Dridex Shifu banking trojan. Please check back for updates..."
1] https://www.virustotal.com/en/file/9f598aa8751d9a7b5a6afe1d6e1e930d92c2131bd2f7c1839ba94307934b1e91/analysis/1445335728/

2] https://www.virustotal.com/en/file/a8e2788f371decce59d5cf7f02b7cf187406ae277e370fea112b58a437a55577/analysis/1445335747/
UPDATE: So far, three download locations have been identified..
ladiesfirst-privileges .com/656465/d5678h9.exe
papousek.kvalitne .cz/656465/d5678h9.exe
pmspotter. wz.cz/656465/d5678h9.exe
This file is downloaded as %TEMP%\shhg32c.exe and it has a VirusTotal detection rate of 4/56*... The Hybrid Analysis reports [1] [2] indicate that it calls home to:
fat.uk-fags .top / 188.166.250.20 (Digital Ocean, Singapore)
I recommend that you -block- traffic to that IP."
* https://www.virustotal.com/en/file/b1cffc6091e5dc9a15ca81787e986abdbf90b42125c39798f44d7ff9d7b740e8/analysis/1445341067/

1] https://www.hybrid-analysis.com/sample/9f598aa8751d9a7b5a6afe1d6e1e930d92c2131bd2f7c1839ba94307934b1e91?environmentId=3

2] https://www.hybrid-analysis.com/sample/a8e2788f371decce59d5cf7f02b7cf187406ae277e370fea112b58a437a55577?environmentId=3
___

Fake 'NOTIFICATION' SPAM - xls malware
- http://blog.dynamoo.com/2015/10/malware-spam-gomez-sanchezpostmailbella.html
20 Oct 2015 - "This spam comes with a malicious attachment:
From "GOMEZ SANCHEZ"[postmail@ bellair .net]
To
Date Tue, 20 Oct 2015 13:14:56 +0430
Subject victim@ victimdomain .tld
Congratulations
Print out the attachment file fill it and return it back by fax or email
Yours Sincerely
GOMEZ SANCHEZ

The "Subject" is the victim's own email address. Attached is a file FINAL NOTIFICATION.xls which comes (so far) in three different variants (VirusTotal [1] [2] [3]) contains one of -three- malicious macros... Analysis of the payload is pending, but is likely to be the Dridex Shifu banking trojan. Please check back later..."
1] https://www.virustotal.com/en/file/c9602e7c64ea66b4a90f9ad6ccabcbba4243dd04cbb87554a056e97239900258/analysis/1445335252/
FINAL NOTIFICATION .xls - 4/56
2] https://www.virustotal.com/en/file/80ded7a1e98b524e7b4a123a741892a40b862d3f05d949ae88f401e94c4b1a6a/analysis/1445335267/
FINAL NOTIFICATION-2 .xls - 4/54
3] https://www.virustotal.com/en/file/7f5fa44008064ca6cf59cf165770e4db8a7764bd14cf92586b8ecb65de756756/analysis/1445335281/
FINAL NOTIFICATION-3 .xls - 4/56
UPDATE: So far, three download locations have been identified..
ladiesfirst-privileges .com/656465/d5678h9.exe
papousek.kvalitne .cz/656465/d5678h9.exe
pmspotter.wz. cz/656465/d5678h9.exe
This file is downloaded as %TEMP%\shhg32c.exe and it has a VirusTotal detection rate of 4/56*... The Hybrid Analysis reports [1] [2] indicate that it calls home to:
fat.uk-fags .top / 188.166.250.20 (Digital Ocean, Singapore)
I recommend that you block traffic to that IP."
* https://www.virustotal.com/en/file/b1cffc6091e5dc9a15ca81787e986abdbf90b42125c39798f44d7ff9d7b740e8/analysis/1445341067/

1] https://www.hybrid-analysis.com/sample/c9602e7c64ea66b4a90f9ad6ccabcbba4243dd04cbb87554a056e97239900258?environmentId=3

2] https://www.hybrid-analysis.com/sample/7f5fa44008064ca6cf59cf165770e4db8a7764bd14cf92586b8ecb65de756756?environmentId=3

ladiesfirst-privileges .com: 159.253.148.199: https://www.virustotal.com/en/ip-address/159.253.148.199/information/

papousek.kvalitne .cz: 88.86.117.145: https://www.virustotal.com/en/ip-address/88.86.117.145/information/

pmspotter.wz. cz: 88.86.117.153: https://www.virustotal.com/en/ip-address/88.86.117.153/information/

Shifu banking trojan: http://news.softpedia.com/news/shifu-banking-trojan-comes-with-its-own-antivirus-to-keep-other-malware-at-bay-490580.shtml

:fear::fear: :mad:

FYI...

Fake 'E-Toll' SPAM – PDF malware
- http://myonlinesecurity.co.uk/your-e-toll-account-statement-fake-pdf-malware/
21 Oct 2015 - "An email with the subject of 'Your E-Toll account statement' pretending to come from RMSETollDontReply@ rms.nsw. gov.au with a zip attachment is another one from the current bot runs... The content of the email says:
Dear Valued Customer,
Please find attached your E-Toll account statement.
If you would like to claim Cashback please:
Simply login to your account and click on the ‘Claim Cashback’ link on the Account Overview screen. Follow the easy steps and submit your claim online. Please note: Online claims can only be completed on E-Toll accounts with online access.
Mail the E-Toll transaction statements that list your toll usage for eligible trips and a completed Cashback rebate form to the following address: Roads and Maritime Services M5 Cashback Locked Bag 3 Dubbo NSW 2830
Rebates must be claimed within 12 calendar months of the end of the Cashback quarter.
Thank you for choosing E-Toll
Regards
The E-Toll Team Roads and Maritime Services
To view documents in PDF format, you must have Adobe Acrobat PDF reader software version 5 or above installed on your computer.
This email was sent to you by Roads and Maritime Services. This is an unmonitored email address so please do not reply to this email...

21 October 2015: Oct 2015ST.zip: Extracts to: Oct 2015ST.exe
Current Virus total detections 3/55* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/e5342f1cd9a70222854eb8f5e1ed6cfec4b57389ad85a9ce070fb464d428687a/analysis/1445398880/
___

Fake 'Delayed tax return' SPAM - PDF malware
- http://myonlinesecurity.co.uk/australian-taxation-office-delayed-tax-returns-over-30-days-fake-pdf-malware/
21 Oct 2015 - "An email that appears to come from Australian Taxation Office with the subject of 'Delayed tax returns over 30 days' pretending to come from DelayedReturn <DelayedReturn@ ato. gov.au> with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/10/Delayed-tax-returns-over-30-days-1024x769.png

21 October 2015: TaxAgentReport516177320151020230248.zip: Extracts to: TaxAgentReport061836020151020223957.exe
Current Virus total detections 5/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/42a4eaa76aba21927a3f3480b656c71dad7ed1f309429b9b090c415dd0d51f64/analysis/1445398912/
___

Fake 'INVOICE' SPAM - malicious attachment
- http://blog.dynamoo.com/2015/10/malware-spam-invoice-for-payment_21.html
21 Oct 2015 - "This -fake- financial spam is not from Lancashire Police but is a simple -forgery- with what appears to be a malicious attachment.
From: Whitehead, Lyn [Lyn.Whitehead@ lancashire.pnn.police .uk]
Date: 21 October 2015 at 10:15
Subject: INVOICE FOR PAYMENT - 7500005791
Hello
Please find attached an invoice that is now due for payment.
Regards
Lyn
Lyn Whitehead (10688)
Business Support Department - Headquarters
Email: Lyn.Whitehead@ lancashire.pnn.police .uk ...

The attachment appears contain some sort of malicious OLE object rather than a macro, but so far I have not been able to analyse it. Furthermore, this document does not seem to open properly in other applications, so I suspect that it contains an unknown exploit. Analysis is still pending. The VirusTotal report shows a detection rate of zero. The Malwr report is inconclusive. Other analysis is pending please check back.
UPDATE 1: Another version of this is in circulation, also with zero detections at VirusTotal... The Hybrid Analysis for both samples in inconclusive...
UPDATE 2: An analysis of the documents shows an HTTP request to:
ip1.dynupdate.no-ip .com:8245
All this returns is the IP address of the computer opening the document. Although not malicious in itself, you might want to look out for it as an indicator of compromise...
UPDATE 4: The Hybrid Analysis reports for the documents can be found here [1] [2] [3] show that the macros... in the document download a binary from the following locations:
www .sfagan.co .uk/56475865/ih76dfr.exe
www .cnukprint .com/56475865/ih76dfr.exe
www .tokushu. co.uk/56475865/ih76dfr.exe
www .gkc-erp .com/56475865/ih76dfr.exe
At present this has a zero detection rate at VirusTotal*... Those reports in addition to this Malwr report[4] indicate malicious traffic to the following IPs:
89.32.145.12 (Elvsoft SRL, Romania / Coreix Ltd, UK)
119.47.112.227 (Web Drive Ltd, New Zealand)
195.154.251.123 (Online SAS / Iliad Entreprises / Poney Telecom, France)
157.252.245.49 (Trinity College Hartford, US)
The payload is probably the Shifu banking trojan.
Recommended blocklist:
89.32.145.12
119.47.112.227
195.154.251.123
157.252.245.49 "
1] https://www.hybrid-analysis.com/sample/9a202c2fa7e5eae2e586e2db61ce3dc9d267ce334e81d699db3307d79d3e77a5?environmentId=1

2] https://www.hybrid-analysis.com/sample/aa7a05241105fd2da8e3b8c170baf7cee7a267230a1d462ff8f4a55784a89469?environmentId=1

3] https://www.hybrid-analysis.com/sample/9372b5d6122903a95daa5bcc4c1a51eb98c41d838e83d17296013e6d00b2b621?environmentId=1

4] https://malwr.com/analysis/NjE3YmRhOWE4NzFjNGM2M2JkZDI2NTRkZDE2ZTk1ZDM/

* https://www.virustotal.com/en/file/375ebf45b6ca6b13290efad5f4df6cdaec09e39620c2b64e31e355b3f848c19a/analysis/1445428911/
... Behavioural information
TCP connections
119.47.112.227: https://www.virustotal.com/en/ip-address/119.47.112.227/information/
8.254.218.14: https://www.virustotal.com/en/ip-address/8.254.218.14/information/
195.154.251.123: https://www.virustotal.com/en/ip-address/195.154.251.123/information/
___

Fake 'PNC' SPAM - PDF malware
- http://myonlinesecurity.co.uk/your-pnc-bank-online-statement-is-ready-to-be-viewed-fake-pdf-malware/
21 Oct 2015 - "An email with the subject of 'Your PNC Bank Online Statement is ready to be viewed' pretending to come from PNCBank_Statements@ pnc .com with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/10/Your-PNC-Bank-Online-Statement-is-ready-to-be-viewed-1024x550.png

21 October 2015: Statement_7208_10212015.zip: Extracts to: Statement_3374_10212015.zip.scr
Current Virus total detections 5/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/f628d09d91227bf46c503a44f33a1d887a5314fc656cd1ac41c31e7d4c633cf2/analysis/1445449142/
___

Chrome -clone- 'eFast' serves ads, collects info
- http://net-security.org/malware_news.php?id=3129
21.10.2015 - "A Google Chrome lookalike browser dubbed 'eFast' is being actively pushed onto users. The software is at best annoying and unwanted, and at worst can lead users to malware. Posing as a legitimate application that will benefit users, eFast is actually only helpful to its creators - it sidelines other browsers, generates intrusive online ads (the creators are paid for each click), redirects users to potentially malicious pages, and monitors their Internet browsing activity, which is then sold to third party companies. "eFast Browser is mostly proliferated as a 'bundle' with other (mostly free) software," PC Risk's Tomas Meskauskas warns*. "Users do not expect bundled applications to be concealed, and thus, developers intentionally hide them within the 'Custom' or 'Advanced' settings. Users who rush the download/installation processes and skip this section often inadvertently install potentially unwanted programs. In doing so, they expose their systems to risk of infection and compromise their privacy"... During installation, eFast will attempt to -replace- Chrome if that is already installed, by deleting all the shortcuts to it on your taskbar and desktop. "To make sure that you will use your new browser, eFast makes itself the default browser and takes over some file-associations. File-associations are settings that determine which program will run when files with a certain extension are opened," Malwarebytes' Pieter Arntz explains**..."
* https://www.pcrisk.com/removal-guides/9480-ads-by-efast-browser
eFast Browser removal instructions

** https://blog.malwarebytes.org/online-security/2015/10/efast-browser-hijacks-file-associations/

:fear::fear: :mad:

FYI...

Fake 'Invoice Summary.doc' SPAM - malicious attachment
- http://blog.dynamoo.com/2015/10/malware-spam-water-services-invoice_22.html
22 Oct 2015 - "This -fake- invoice does not comes from United Utilities Scotland, but is instead a simple forgery with a malicious attachment...
From "UUSCOTLAND" [UUSCOTLAND@ uuplc. co.uk]
Date Thu, 22 Oct 2015 19:30:13 +0700
Subject Water Services Invoice
Good Morning,
I hope you are well.
Please find attached the water services invoice summary for the billing period of
22 September 2015 to 22 October 2015.
If you would like any more help, or information, please contact me on 0345 0726077.
Our office is open between 9.00am and 5.00pm Monday to Friday. I will be happy to
help you. Alternatively you can email me at uuscotland@uuplc.co.uk.
Kind regards
Melissa
Melissa Lears
Billing Specialist
Business Retail
United Utilities Scotland ...

So far I have seen -three different- versions of the attachment, all named 22 October 2015 Invoice Summary.doc with detection rates of about between 4/55 and 7/55 at VirusTotal [1] [2] [3] containing... malicious macros... Analysis of the documents is pending, but one key indicator is that the file appears to be saved as %TEMP%\bluezone3.exe. Check back later for updates."
1] https://www.virustotal.com/en/file/f8013369d58fbaaf15ebd320ce18510705b9462bfa0d0cf71892311d376b9cf5/analysis/1445520172/

2] https://www.virustotal.com/en/file/ab229e22f51cac1cc62c676f44839f12e75f7ca70b86c92f036c979172730a21/analysis/1445520186/

3] https://www.virustotal.com/en/file/3f3baaefba7dfdb7b54727e03d60c2de365c1b426885f1e9f79ad7f895d67793/analysis/1445520199/

UPDATE 1: This VirusTotal report* also identifies the following download locations:
beauty.maplewindows .co.uk/t67t868/nibrd65.exe
dtmscomputers .co.uk/t67t868/nibrd65.exe
namastetravel .co.uk/t67t868/nibrd65.exe
This file has a VirusTotal detection rate of 2/54** and that report indicates network traffic to: 198.74.58.153 (Linode, US)
Further analysis is pending, in the meantime I suggest that you -block- traffic to the above IP."
* https://www.virustotal.com/en/file/ab229e22f51cac1cc62c676f44839f12e75f7ca70b86c92f036c979172730a21/analysis/1445520186/

** https://www.virustotal.com/en/file/5fa54fea81f3a840f314a6923e98347f06a88c02082346392aa38186847dd033/analysis/1445521267/

198.74.58.153: https://www.virustotal.com/en/ip-address/198.74.58.153/information/
___

Fake Java "pop-ups for Download"
- https://blog.malwarebytes.org/online-security/2015/10/this-isnt-the-java-i-ordered/
Oct 22, 2015 - "... The downloaded file is called setup.exe and is recognized by a few scanners* that detect this file as potentially unwanted adware. (PUP.Optional.Media)... It installs a program called Media Downloader version 1.5:
> https://blog.malwarebytes.org/wp-content/uploads/2015/10/warning4w.png
The other one I want to show you is not actually a pop-up, but a background image that was made to look like one:
> https://blog.malwarebytes.org/wp-content/uploads/2015/10/site1w.png
Clicking this “Install” button downloads and prompts you to install a bundler that does install Java version 1.8.25 but not until they have offered the other components of the bundle. In this case I had to “Decline” Norton360, Weatherbug, PC Mechanic and Stormfall Age of War. Note that the latest version for my system is Version 8 Update 65. Version 8u25 is over a year old. Paying attention to the UAC prompt could have saved us some work here. Super IS (Fried Cookie Ltd.) somehow doesn’t have that official ring to it to convince me that this is the Java installer I was promised:
> https://blog.malwarebytes.org/wp-content/uploads/2015/10/UACpromptw.png
Probably triggered by the critical patch update that was released by Oracle there are some sites that use this opportunity to lure users into using Java prompt -lookalikes- or bundled installers (for outdated versions). As always, get your software from trusted sources..."
* https://www.virustotal.com/nl/file/5e04690a37361abb0556f4fa50881d3ea1bb9766253d8deb2453c6a282ab02a9/analysis/
___

Email account credentials - PHISH
- http://myonlinesecurity.co.uk/email-account-credentials-phishing/
22 Oct 2015 - "I came across this slightly different email -phishing- attempt this morning... The original email is quite bland, but just enticing enough to persuade a user to click and fill in the forms...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/10/weebly_phishing_email-1024x338.png

If you did follow the link, you would see a webpage looking like this:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/10/weebly_phishing_fillfree-1024x565.png
This site is hosted on a free hosting company weebly .com. Unfortunately these free hosts have minimal checks and it is easy to put up almost anything that can infect a user or act as a phishing site. Weebly does eventually respond to abuse reports but in my experience they are quite slow and take a long time to think about whether the site contravenes their T&Cs. Do -not- fill in the forms otherwise your email account will be compromised. You -never- need to give your email account password to anybody."
___

Apple Invoice - Phish
- https://blog.malwarebytes.org/fraud-scam/2015/10/steer-clear-of-this-apple-invoice-phish/
Oct 22, 2015 - "... a blatant attempt to swipe your payment information. Couched in the well-worn guise of a supposed Apple Store refund, the mail wants potential victims to hand over their Apple ID / password and then a chunk of personal / payment details:
> https://blog.malwarebytes.org/wp-content/uploads/2015/10/applephis01.jpg
... Of course, you probably did not authorise any sort of purchase for a “CoPilot Premium HD” which is exactly the “Oh no my money, I must retrieve it” reaction they’re banking on (unless you actually did buy one of these, in which case things might get a little confusing). Nothing will have people rushing to click buttons and hand over information faster than the possibility of someone making unauthorised payments – clicking the refund links will take them to a -fake- login, via a -redirect- on a potentially compromised t-shirt website. The phish pages themselves are located at
aut0carhire(dot)com/index/user12-appleid/index(dot)html
> https://blog.malwarebytes.org/wp-content/uploads/2015/10/applephish1.jpg
After handing over Apple ID credentials, the victim is taken to the next step which involves them giving name, address, DOB and full payment information:
> https://blog.malwarebytes.org/wp-content/uploads/2015/10/applephish2.jpg
... Unfortunately, hitting the “Cancel Transaction” button here would be pretty much the exact opposite of cancelling a transaction and victims could expect to see many more actual payments suddenly leaving their bank account. If you have this sitting in your mailbox, delete it. If you’ve already sent the scammers your details, notify your bank and cancel the card – while keeping an eye out for any dubious payments. Apple themed phish scams are a popular choice for criminals, and whether faced with iTunes logins, “Find my phone” fakeouts, iCloud shenanigans or payment receipts such as the one above, recipients should be wary and – if in doubt – head to -official- Apple pages* to find out if a payment really is being processed."
* http://www.apple.com/shop/account/home

aut0carhire(dot)com: 97.74.181.128: https://www.virustotal.com/nl/ip-address/97.74.181.128/information/
>> https://www.virustotal.com/nl/url/6ac6c4879678706c9672cd88e1ee4a6a5f725086915baaa08db3094f72d0f05e/analysis/

:fear::fear: :mad:

FYI...

Fake 'cleaning invoice' SPAM - malicious attachment
- http://blog.dynamoo.com/2015/10/malware-spam-cleaning-invoice-deborah.html
23 Oct 2015 - "This -fake- financial spam comes with a malicious attachment:
From "deborah Sherer" [thesherers@ westnet .co.uk]
Date Fri, 23 Oct 2015 17:03:19 +0700
Subject cleaning invoice
Hello
attached is invoice for payment
thanks
Deborah Sherer
---
This email has been checked for viruses ...

Attached is a file Cleaning022958.doc which comes in three different versions (VirusTotal results [1] [2] [3]) containing a macro... and downloads a malicious binary from one of the following locations:
www .bhtfriends .org/tydfyyur54/43e67tko.exe
zomb.webzdarma .cz/tydfyyur54/43e67tko.exe
nisanyapi .com/tydfyyur54/43e67tko.exe
This is saved as %TEMP%\lenderb2.exe and has a VirusTotal detection rate of just 1/55* (that's just a generic detection by Kaspersky). That VirusTotal report plus this Hybrid Analysis report** show network traffic to:
195.154.251.123 (Online SAS / Iliad Entreprises / Poney Telecom, France)
Private sources also identify these following IPs as part of the C2 infrastructure:
157.252.245.49 (Trinity College Hartford, US)
198.74.58.153 (Linode, US)
68.168.100.232 (Codero, US)
The payload appears to be the Dridex banking trojan.
Recommended blocklist:
195.154.251.123
157.252.245.49
198.74.58.153
68.168.100.232 "
1] https://www.virustotal.com/en/file/4554fd639d5fe714dd65894af6fe5f96805f5da26bd0a8437ddb7d8e5c93df7b/analysis/1445595890/

2] https://www.virustotal.com/en/file/d8259073a5f3f0019bd5047fcb5149c0450ff8a6743f3e415db491389edc5344/analysis/1445595902/

3] https://www.virustotal.com/en/file/2e2afd4f2eab5514eff15e62ccd1d1610a137419caa15eca8383417843ba716f/analysis/1445595912/

* https://www.virustotal.com/en/file/a7fad7fc6421ba714f8b0dab8bc00adec860fb4059713ae68ec018f65ab174d0/analysis/1445595923/

** https://www.hybrid-analysis.com/sample/a7fad7fc6421ba714f8b0dab8bc00adec860fb4059713ae68ec018f65ab174d0?environmentId=1
___

Fake 'Credit Note' SPAM - malicious attachment
- http://blog.dynamoo.com/2015/10/malware-spam-credit-note-cn-06536-from.html
23 Oct 2015 - "This -fake- financial spam has a malicious attachment:
From: Accounts [message-service@ post.xero .com]
Date: 23 October 2015 at 15:08
Subject: Credit Note CN-06536 from Trump Hotels & Casino Resorts Inc. for [redacted] (2752)
Hi Mattie,
Attached is your credit note CN-06536 for 8954.41 GBP.
This has been allocated against invoice number
If you have any questions, please let us know.
Thanks,
Avnet, Inc.

The message is neither from Avnet, Xero or Trump Hotels, but is a simple forgery. Attached is a file Credit Note CN-06536.doc .. but it's actually a -ZIP- file rather than a DOC file. Whoops. Renaming the .DOC to .ZIP creates a valid archive, and the executable inside is named Credit Note CN-83607.exe and has a VirusTotal detection rate of 4/55*. VT identifies this as Upatre which implies that the payload is the Dyre banking trojan... the current version of Update/Dyre phones home to 197.149.90.166 (Cobranet, Nigeria) which I strongly recommend you block.
UPDATE: The Hybrid Analysis report is here**, reporting the Nigerian IP and also showing that the malware saves itself as:
%TEMP%\homebast.exe
C:\Windows\mLunoMqU.exe "
* https://www.virustotal.com/nl/file/9b56cf91316d423927cc4e293bde8b1659d97c712165119cba49a300427a1761/analysis/1445609013/

** https://www.hybrid-analysis.com/sample/9b56cf91316d423927cc4e293bde8b1659d97c712165119cba49a300427a1761?environmentId=1

197.149.90.166: https://www.virustotal.com/nl/ip-address/197.149.90.166/information/
___

Fake 'Scan Data' SPAM - malicious attachment
- http://blog.dynamoo.com/2015/10/malware-spam-docucentre-v-c6675-t2-scan.html
23 Oct 2015 - "This -fake- document scan appears to originate from within the victim's own organisation, but doesn't. Instead it comes with a malicious attachment.
From: DocuCentre-V C6675 T2 [reception@ victimdomain .com]
Reply-to: reception@ victimdomain .com
Date: 23 October 2015 at 09:23
Subject: Scan Data from FX-D6DBE1
Number of Images: 1
Attachment File Type: DOC
Device Name: DocuCentre-V C6675 T2
Device Location:

Attached is a file 22102015160213-0001.doc which comes in a few different versions. The payload is Dridex and all the files and downloaded binaries are the same as used in this spam run*."
* http://blog.dynamoo.com/2015/10/malware-spam-cleaning-invoice-deborah.html
___

Fake 'Receipt for Payment' SPAM - PDF malware
- http://myonlinesecurity.co.uk/thank-you-for-filing-your-taxes-with-freetaxusa-receipt-for-payment-fake-pdf-malware/
23 Oct 2015 - "An email saying 'Thank you for filing your taxes with FreeTaxUSA' with the subject of 'Receipt for Payment' pretending to come from random companies and email addresses with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/10/Receipt-for-Payment-1024x939.png

23 October 2015: unjammed black fly.zip: Extracts to: 9842548_2377731824.exe
Current Virus total detections 2/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/nl/file/cae02b6c3da2922c6ee9dff95a589bfdd877c8aa231caf959c091d8ac95aa527/analysis/1445596923/
___

Western Union Business Solutions Spam
- http://threattrack.tumblr.com/post/131744694803/western-union-business-solutions-spam
Oct 23, 2015 - "Subjects Seen:
Order 49746970 Booked - Western Union Business Solutions Online FX for Corporate
Typical e-mail details:
Please be advised that Order 49746970 totaling 70,494.00 USD has been booked on Oct 23 2015.
Click on the attached file to view details of the order or to print a receipt.
This email was sent by Western Union Business Solutions. We respect your right to privacy.
Thank you for using Western Union Business Solutions.
Sincerely,
Western Union Business Solutions

Malicious File Name and MD5:
westernunion_order_receipt.exe (E4510056BB38A37EE7AE485AA6C4B36A)

Screenshot: https://40.media.tumblr.com/356fe0f2e0891dc75b6dceac7dd39ac8/tumblr_inline_nwobc8fpqk1r6pupn_500.png

Tagged: Western Union, Upatre
___

Paypal - PHISH... again.
- http://myonlinesecurity.co.uk/paypal-your-account-access-is-limited-phishing/
23 Oct 2015 - "... There are a few major common subjects in a phishing attempt involving either PayPal or your Bank or Credit Card, with a message saying some thing like:
There have been unauthorised or suspicious attempts to log in to your account, please verify
Your Account Access Is Limited
Your account has exceeded its limit and needs to be verified
Your account will be suspended !
You have received a secure message from < your bank>
We are unable to verify your account information
Update Personal Information
Urgent Account Review Notification
We recently noticed one or more attempts to log in to your PayPal account from a foreign IP address
Confirmation of Order

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/10/Paypal-Your-Account-Access-Is-Limited-1024x780.png

... the links to the -phishing- website are behind the 'update your info' button or the 'update now' link... The eventual site is the highlighted part of the very long url which goes via googleadservices. Now many phishers have been using google search links to persuade a recipient to click-a-link. Hovering over the link in an email will show google which most people would think was safe... The only way is look at the address bar and in the -Genuine- PayPal site, when using Internet Explorer the entire address bar is in green. (in Chrome or Firefox, only the padlock symbol on the left of the browser is green)...
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/10/reactivepay_paypal_phish.png
This one wants your personal details, your Paypal account log in details and your credit card and bank details. Many of them are also designed to specifically steal your email, facebook and other social network log in details..."
___

Fake 'Notice to Appear' SPAM - malicious attachment
- http://blog.dynamoo.com/2015/10/malware-spam-notice-to-appear.html
22 Oct 2015 - "This -fake- legal spam comes with a malicious attachment:
From: District Court
Date: 22 October 2015 at 19:03
Subject: Notice to Appear
Notice to Appear,
This is to inform you to appear in the Court on the October 27 for your case hearing.
Please, prepare all the documents relating to the case and bring them to Court on the specified date.
Note: The case may be heard by the judge in your absence if you do not come.
You can review complete details of the Court Notice in the attachment.
Sincerely,
Michael Newell,
District Clerk

Attached is a file Notice_to_Appear_00800614.zip which in turn contains a malicious script Notice_to_Appear_00800614.doc.js... This obfuscated script translates into something a bit more understandable which clearly references the following domains:
www .flowarrior .com
www .abama .org
littlefacesofpanama-association .com
The Hybrid Analysis report* shows that it downloads a file as %TEMP%\5883173.exe which has a VirusTotal detection rate of 5/55** (possibly Cridex). It references the following IPs as being highly suspect:
91.121.108.77 (OVH, France)
78.24.220.229 (TheFirst-RU, Russia)
A -large- number of IPs are queried... I have not had the chance to check those individual IP addresses, but I recommend that you -block- the following two at least:
91.121.108.77
78.24.220.229 "
* https://www.hybrid-analysis.com/sample/8df4e7a63c257fa95dd3cde83a3db033b3fe33d5429ecb2a1e7e6470103c898f?environmentId=1

** https://www.virustotal.com/nl/file/daf4d96a121c9e4935082d4e0264088ff352f14d868f8720d8fa7e4f99c82f05/analysis/1445547994/

> https://www.virustotal.com/nl/url/37eaf1a92d41215d876adb1dcb784e18acbeb95cf9caa6f02cffc8a785c51464/analysis/
___

G DATA Malware Report H1 2015
- https://www.gdata-software.com/g-data/newsroom/news/article/g-data-releases-malware-report-for-the-first-half-of-2015
Oct 22, 2015 - "... G DATA, is releasing their H1 2015 Malware Report, which looks at malware over the first half of 2015. Among the findings, researchers discovered a 64.8 percent spike of new malware strains as compared to the first half of 2014. This averages out to 12 new strains per minute. In all, the total number of malware strains this year is expected to be well above the level of 2014, with the U.S., China and France hosting the most malicious and fraudulent websites. In looking more closely at the banking industry, researchers found that Wells Fargo was the most frequently targeted financial services company by banking Trojans, and the Swatbanker family was the mostly frequently seen banking Trojan in the 6 month period, followed by the ZeuS family... websites related to the healthcare industry were most frequently classified as malicious (26.6 percent), with technology and telecom a distant second. The most commonly seen malware campaign was “Money Rain,” promising various ways to easily acquire money. While this campaign was seen on websites for all of the categories researched, 37 percent of the websites that were clearly connected to Money Rain were in the healthcare industry. Also of note, a new category, personal ads and dating, was revealed to be in the top 10 list of most prevalent malicious and fraudulent websites.
> https://static.gdatasoftware.com/110/_processed_/diagram_website_categories_H1_2015_v1_EN_HL_lowres_48890w417.jpg
Additional Key Findings Include:
• The "Top 10" list of prevented malware attacks is dominated by adware and Potentially Unwanted Programs (PUP). Dealply and Graftor are the most prevalent families in this field.
• Ukraine is new to the Top 10 list of countries most frequently found to be hosting malicious websites with 5% of the activity, putting the country in fourth place. This could potentially be due to the political havoc occurring in this region.
• Exploits for vulnerabilities are now being integrated into exploit kits after just a few days. Users who do not keep their systems up-to-date will easily fall victim to cyber criminals.
• The vulnerabilities in Adobe Flash were most frequently abused to silently and automatically attack and compromise PCs (Exploit)..."
PDF - Full report: https://public.gdatasoftware.com/Presse/Publikationen/Malware_Reports/G_DATA_PCMWR_H1_2015_EN.pdf

> https://static.gdatasoftware.com/110/_processed_/diagram_malware_count_H1_2015_v1_EN_HL_lowres_48866w800.jpg

:fear::fear: :mad:

FYI...

Fake 'Tax Invoice' SPAM – PDF malware
- http://myonlinesecurity.co.uk/mbie-companies-office-tax-invoice-fake-pdf-malware/
26 Oct 2015 - "An email with the subject of 'MBIE Companies Office Tax Invoice' pretending to come from revenue@ med.govt .nz with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/10/MBIE-Companies-Office-Tax-Invoice-1024x557.png

26 October 2015: Notification20151026_MCX79GF[_var=nSYMBOL]-54.zip: Extracts to: Notification20151026-AUNK7401f-26.exe
Current Virus total detections 0/55* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/771ab3b09f03b3d1dff6fd1c73a86602352b29decd3009b1bfae9197ea7b017b/analysis/1445819602/
___

Fake 'Sales Invoice' SPAM - malicious attachment
- http://blog.dynamoo.com/2015/10/malware-spam-nc-242455-zmj-your-norwich.html
26 Oct 2015 - "This -fake- financial spam does not come from Norwich Camping but is instead a simple -forgery- with a malicious attachment:
From "Norwich Camping" [sales@ norwichcamping .co.uk]
Date Mon, 26 Oct 2015 13:43:14 +0430
Subject #NC-242455-Zmj Your Norwich Camping Order has shipped!
You Norwich Camping & Leisure order "#NC-242455-Zmj" has now been shipped. Your chosen
payment method has now been charged.
Kind regards,
The Norwich Camping & Leisure

Attached is a file invoice-2425.doc of which I have only seen a single sample so far with a VirusTotal detection rate of 5/55*. The document contains this malicious macro... which apparently downloads a malicious binary to %TEMP%\|ZipCock32.exe ... it is most likely that it downloads the Dridex banking trojan.
UPDATE: According to this Hybrid Analysis report** version of the malicious document downloads an executable from:
img1.buyersbestfriend. com/76r56e87y8/65df78.exe
This has a VirusTotal detection rate of 5/55***. That report indicates malicious traffic to:
195.154.251.123 (Online SAS / Iliad Entreprises / Poney Telecom, France)
I recommend that you block traffic to that IP."
* https://www.virustotal.com/en/file/e66201d2899796e2bedfffedd2f70aa58afa06af546d92fa41e2604a284d3af7/analysis/1445854612/

** https://www.hybrid-analysis.com/sample/e66201d2899796e2bedfffedd2f70aa58afa06af546d92fa41e2604a284d3af7?environmentId=2

*** https://www.virustotal.com/en/file/231c6f348604eaf77747a1fdf83fab8431d1976f19e87c8eb1f22169be1a64cf/analysis/1445857776/
... Behavioural information
TCP connections
195.154.251.123: https://www.virustotal.com/en/ip-address/195.154.251.123/information/
88.221.14.130: https://www.virustotal.com/en/ip-address/88.221.14.130/information/
___

Fake 'PHS docs' SPAM - malicious attachment
- http://blog.dynamoo.com/2015/10/malware-spam-your-new-phs-documents-are.html
26 Oct 2015 - "This spam does not come from PHSOnline, but is instead a simple -forgery- with a malicious attachment.
From "PHSOnline" [documents@ phsonline .co.uk]
Date Mon, 26 Oct 2015 20:28:50 +0700
Subject Your new PHS documents are attached

I don't have a copy of the body text for these messages, but the attachment is named G-A0287580036267754265.doc which comes in -three- different versions... containing a macro... which downloads a malicious binary from one of the following locations:
tranquilosurf .com/~info/76r56e87y8/65df78.exe
masaze-rumburk .cz/76r56e87y8/65df78.exe
img1.buyersbestfriend .com/76r56e87y8/65df78.exe
The Hybrid Analysis reports those those documents are here: [1] [2] [3]. The file is saved as %TEMP%\ZipCock32.exe and this has VirusTotal detection rate of just 1/55[4]. The Hybrid Analysis report for this binary[5] shows it downloading from the following location:
195.154.251.123 (Online SAS / Iliad Entreprises / Poney Telecom, France)
This is almost definitely the Dridex banking trojan. Note that the documents and download locations appear to be the -same- as the one use in this earlier attack*, but the payload has now changed."
* http://blog.dynamoo.com/2015/10/malware-spam-nc-242455-zmj-your-norwich.html

1] https://www.hybrid-analysis.com/sample/11d137631d43b731e633ebf8dfecbd41bd5ca16f93be48678789a3fd275f3d50?environmentId=1

2] https://www.hybrid-analysis.com/sample/8448dce775043e0fe09bf0dadaf7c7dabf901c129c503ef7f2668e4e2b6766aa?environmentId=2

3] https://www.hybrid-analysis.com/sample/e66201d2899796e2bedfffedd2f70aa58afa06af546d92fa41e2604a284d3af7?environmentId=2

4] https://www.virustotal.com/en/file/abf627bab3a442891ec12aa583c68ed70b6258e52b7d86ff0b36e3275fe99879/analysis/1445868517/

5] https://www.hybrid-analysis.com/sample/abf627bab3a442891ec12aa583c68ed70b6258e52b7d86ff0b36e3275fe99879?environmentId=1
___

Despite takedown, the Dridex botnet is running again
- http://www.computerworld.com/article/2997513/security/despite-takedown-the-dridex-botnet-is-running-again.html
Oct 26, 2015 - " Spam emails containing the Dridex malware are being seen almost daily despite the arrest of one of its key operators in August. The finding confirms that while law enforcement can claim temporary victories in fighting cybercriminal networks, it's sometimes difficult to completely shut down their operations... Dridex, also referred to as Cridex or Bugat, is advanced malware that collects financial login details and other personal information that can be used to drain bank accounts. The U.S. and U.K. said the Dridex botnet - or the collection of computers infected with the malware - had been disrupted following their operations. Two weeks before the DOJ's announcement, Palo Alto Networks wrote* that it noticed a drop in Dridex activity but that it resumed again around the start of October. Much of that activity has now resumed, wrote Brad Duncan, a security researcher with Rackspace, on the Internet Storm Center blog**... there appear to be more files labeled as Dridex on VirusTotal... Although some of the samples be could mislabeled, it backs up what Palo Alto noticed..."

* http://researchcenter.paloaltonetworks.com/2015/10/dridex-is-back-and-targeting-the-uk/
Oct 1, 2015

** https://isc.sans.edu/diary/Botnets+spreading+Dridex+still+active/20295
Last Updated: 2015-10-24

- http://www.secureworks.com/cyber-threat-intelligence/threats/dridex-bugat-v5-botnet-takeover-operation/
13 Oct 2015 - "... The malware... steals credentials, certificates, cookies, and other sensitive information from a compromised system, primarily to commit Automated Clearing House (ACH) and wire fraud. As of this publication, authorities have linked the botnet to an estimated £20 million (approximately $30.5 million) in losses in the UK, and at least $10 million in losses in the United States. Dridex was created from the source code of the Bugat banking trojan (also known as Cridex) but is distinct from previous Bugat variants, particularly with respect to its modular architecture and its use of a hybrid peer-to-peer (P2P) network to mask its backend infrastructure and complicate takedown attempts..."

:fear::fear: :mad:

FYI...

Fake 'Payslip' SPAM – PDF malware
- http://myonlinesecurity.co.uk/datacom-pay-systems-payslip-for-period-ending-27oct2015-fake-pdf-malware/
27 Oct 2015 - "An email with the subject of 'Payslip for period ending 27/Oct/2015' pretending to come from Datacom Pay Systems <powerpay@ datacom .co.nz> with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/10/datacom-Payslip-for-period-ending-1024x677.png

27 October 2015: Payslip 27Oct2015.zip: Extracts to: Payslip 27Oct2015.scr
Current Virus total detections 12/55* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/2f15063ec9de09b5f11c6603d3414d9bd288563800c8daa7ae88975cc88e357d/analysis/1445921468/

- http://threattrack.tumblr.com/post/132013797878/datacom-payslip-spam
27 Oct 2015 - "Subjects Seen
Payslip for period ending 27/Oct/2015
Typical e-mail details:
Dear Customer,
Attached is your payslip for period ending 27/Oct/2015.
Please note the attached payslip is password protected - the password is the same as your employee self service login password.The content of this email and its attachments are confidential. If you are not the intended recipient of this message please contact Datacom on 0800 856 856 or +64 9 366 1150.This email message has been sent from an unmanned account. Please do not reply to this address...

Screenshot: https://41.media.tumblr.com/73f75ce999ef5347d35f14b398f1f88c/tumblr_inline_nwvp5bRrXw1r6pupn_500.png

Malicious File Name and MD5:
payslip (1CE90078C006CFEE77248E8EDFD68BD2)

Tagged: Datacom, Upatre
___

Fake 'BACS Remittance' SPAM - PDF malware
- http://myonlinesecurity.co.uk/cyngor-sir-ddinbych-taliad-bacs-denbighshire-cc-bacs-remittance-fake-pdf-malware/
27 Oct 2015 - "An email with the subject of 'Cyngor Sir Ddinbych – Taliad BACS / Denbighshire CC – BACS Remittance' pretending to come from credbills@ denbighshire .gov.uk > <credbills@ denbighshire .gov.uk> with a zip attachment is another one from the current bot runs... The content of the email says :
Gweler manylion taliad BACS yn atodedig
Please see attached Bacs Remittance ...
The information contained in this e-mail message and any files transmitted with it is intended solely for the use of the individual or entity to whom they are addressed. If you have received this e-mail in error please notify the sender immediately. The contents of this e-mail represents the views of the individual(s) named above and do not necessarily represent the views of Denbighshire County Council. However, as a Public Body, Denbighshire County Council may be required to disclose this e-mail [or any response to it] under legislative provisions...

27 October 2015: DenbighshireCC.zip: Extracts to: DenbighshireCC.zip
Current Virus total detections 0/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/1dda68b78e84caf63bb32cae2dc1bd82111e49db85d127a36cb715e2e4ef3b16/analysis/1445942099/
New_Cardholder_Application_scr

- http://blog.dynamoo.com/2015/10/malware-spam-cyngor-sir-ddinbych-taliad.html
27 Oct 2015 - "I've never had malware spam in Welsh before.. this is not from Denbighsire County Council, but is instead a simple -forgery- with a malicious attachment:
From "credbills@ denbighshire .gov.uk" [credbills@ denbighshire .gov.uk]
Date Tue, 27 Oct 2015 17:46:01 +0530
Subject Cyngor Sir Ddinbych - Taliad BACS / Denbighshire CC - BACS Remittance
Gweler manylion taliad BACS yn atodedig
Please see attached Bacs Remittance ...
Mae'r wybodaeth a gynhwysir yn yr e-bost hwn ac unrhyw ffeiliau a drosglwyddir gydag
o wedi eu bwriadu yn unig ar gyfer pwy bynnag y cyfeirir ef ato neu atynt. Os ydych
wedi derbyn yr e-bost hwn drwy gamgymeriad, hysbyswch yr anfonwr ar unwaith os gwelwch
yn dda...

Attached is a file DenbighshireCC.zip which contains a malicious executable DenbighshireCC.scr. This has a VirusTotal detection rate of 5/55*. The Hybrid Analysis report** shows characterstics common to the Upatre/Dyre banking trojan. In particular it identifies traffic to a know bad IP:
197.149.90.166 (Cobranet, Nigeria)
I strongly recommend that you -block- traffic to that IP."
* https://www.virustotal.com/en/file/1dda68b78e84caf63bb32cae2dc1bd82111e49db85d127a36cb715e2e4ef3b16/analysis/1445953248/

** https://www.hybrid-analysis.com/sample/1dda68b78e84caf63bb32cae2dc1bd82111e49db85d127a36cb715e2e4ef3b16?environmentId=2
___

Fake 'VeriFone' SPAM – PDF malware
- http://myonlinesecurity.co.uk/verifone-services-uk-and-ireland-ltd-fake-pdf-malware/
27 Oct 2015 - "An email with the subject of 'VeriFone Services UK and Ireland Ltd' pretending to come from donotreply_invoices@ verifone .com with a zip attachment is another one from the current bot runs... The content of the email says :
Please see attached Invoice(s).
Thanks and Regards,
VeriFone Services UK and Ireland Ltd
Confidentiality Note: This email message contains information that is confidential. If you are not the intended recipient, you are hereby notified that any use, dissemination, distribution or copying of this message is prohibited. If you have received this message or attachment in error, please notify us immediately by email and delete the original. Thank you.
While we use standard virus checking software, we accept no responsibility for viruses or anything similar in this email or any attachments. We also do not accept any responsibility for any changes to, or interception of, this email or any attachment after it leaves our information system. This electronic message, including attachments, is intended only for the use of the individual or company named above or to which it is addressed. The information contained in this message shall be considered confidential and proprietary...

27 October 2015: 20151027104526.zip: Extracts to: 20151027104526.scr
Current Virus total detections 0/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/1dda68b78e84caf63bb32cae2dc1bd82111e49db85d127a36cb715e2e4ef3b16/analysis/1445943801/
___

Fake 'RBS' SPAM – PDF malware
- http://myonlinesecurity.co.uk/sunderland-city-council-hester-knapp-rbs-cardholder-application-form-fake-pdf-malware/
27 Oct 2015 - "An email appearing to come from Sunderland City Council with the subject of 'RBS Cardholder Application Form' pretending to come from Hester Knapp <Hester.Knapp@ sunderland .gov.uk> with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/10/RBS-Cardholder-Application-Form-Sunderland-City-Council-1024x540.png

27 October 2015: New_Cardholder_Application_Hester_Knapp.zip: Extracts to: New_Cardholder_Application_Hester_Knapp.scr
Current Virus total detections 0/55* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/1dda68b78e84caf63bb32cae2dc1bd82111e49db85d127a36cb715e2e4ef3b16/analysis/1445943801/

- http://blog.dynamoo.com/2015/10/malware-spam-rbs-cardholder-application.html
27 Oct 2015 - "This -fake- financial spam does not come from Sunderland City Council, but is instead a simple -forgery- with a malicious attachment:
From "Wm Palmer" [Wm.Palmer@ sunderland .gov.uk]
Date Tue, 27 Oct 2015 18:39:34 +0700
Subject RBS Cardholder Application Form
Dear Customer,
We now have the go ahead from Corporate Procurement to apply to RBS for your Corporate
Purchase Card. Please find attached the RBS application form which requires your
signature as cardholder on page 2. Also please add the date. Once done can you scan
the document and email it back to me or alternatively post it back to me c/o Purchase
Card Administration Team, Transactional Finance, Room 1.34, Civic Centre, Sunderland
SR2 7DN.
Kind regards,
Wm.
Wm Palmer
Purchase Ordering Officer ...

Attached is a file New_Cardholder_Application_Wm_Palmer.zip containing a malicious executable New_Cardholder_Application.scr - which is exactly the -same- malware as used in this other fake council spam run today*."
* http://blog.dynamoo.com/2015/10/malware-spam-cyngor-sir-ddinbych-taliad.html

:fear::fear: :mad:

FYI...

Attackers are turning -MySQL- servers into DDoS bots
- http://net-security.org/malware_news.php?id=3134
28.10.2015 - "Someone has been compromising MySQL servers around the world and using them to mount DDoS attacks. The latest targets of these attacks are an (unnamed) US hosting provider and a Chinese IP address. Most of the servers affected in this campaign are located in India, China, Brazil and the Netherlands, but others can be found around the globe:
> http://www.net-security.org/images/articles/pie-28102015.jpg
"We believe that the attackers compromised MySQL servers to take advantage of their large bandwidth. With these resources, the attackers could launch bigger DDoS campaigns than if they used traditional consumer targets," Symantec researchers explained*. "MySQL is also the second most popular database management system in the world, giving the attackers a wide range of potential targets." The researchers didn't say how many servers in total were compromised. The attackers used a variant of the Chickdos Trojan to make the servers listen to their commands. The variant is very similar to the initial Chickdos Trojan first spotted by cyber defenders in December 2013. The attackers perform an SQL injection attack in order to install a malicious user-defined function (UDF) on the target server, which is then loaded into MySQL and executed... The researchers advised admins -never- to run SQL servers with administrator privileges (if possible), and to regularly patch apps** that use them..."
* http://www.symantec.com/connect/app#!/blogs/mysql-servers-hijacked-malware-perform-ddos-attacks
28 Oct 2015 - "... identified active command-and-control (C&C) servers for Chikdos are as follows:
•183.60.202.16: 10888
•61.160.247.7: 10991
•103.17.118.124: 10991 ..."

** http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html#AppendixMSQL
"... contains -30- new security fixes for Oracle MySQL. 2 of these vulnerabilities may be remotely exploitable without authentication..."

Trojan.Chikdos: https://www.symantec.com/security_response/writeup.jsp?docid=2013-121708-1045-99
___

Fake 'Ikea' SPAM - doc malware
- http://myonlinesecurity.co.uk/ikea-thank-you-for-your-order-word-doc-malware/
28 Oct 2015 - "An email with the subject of 'Thank you for your order!' pretending to come from DoNotReply@ ikea .com with a malicious word doc attachment is another one from the current bot runs...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/10/Ikea-Thank-you-for-your-order-1024x479.png

28 October 2015 : IKEA receipt 607656390.doc - Current Virus total detections 4/55* .
.. Downloads looks like Dridex banking malware from experassistance .fr/4f67g7/d6f7g8.exe
(VirusTotal 2/56**)... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents appear to be blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/protected-view-macros_21-1024x412.png
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/03626c8036299e08b705f193337d44934ee45ddc373a368c71e8ef073ec674e8/analysis/1446022494/

** https://www.virustotal.com/en/file/05f4aa3d5df39c403a51237a6762c062c079480d974de61a4424d3c2d0b26d95/analysis/1446023464/

- http://blog.dynamoo.com/2015/10/this-fake-order-spam-does-not-come-from.html
28 Oct 2015 - "This -fake- order spam does not come from IKEA but is instead a simple -forgery- with a malicious attachment.
From: DoNotReply@ ikea .com
Date: 28 October 2015 at 08:57
Subject: Thank you for your order
Order acknowledgement:
To print, right click and select print or use keys Ctrl and P.
Thank you for ordering with IKEA Shop Online. Your order is now being processed. Please check your order and contact us as soon as possible if any details are incorrect. IKEA Customer Relations, Kingston Park, Fletton, Peterborough, PE2 9ET. Tel: 0203 645 0015 ...

Attached is a file IKEA receipt 607656390.doc which contains this malicious macro and which has a VirusTotal detection rate of 4/55*...
UPDATE 1: The reverse .it analysis** of the first sample shows a download from:
alvarezsantos .com/4f67g7/d6f7g8.exe
This dropped binary has a detection rate of just 2/55*. Two further samples have now been seen (VT results [1] [2]) and according to the analysis of one them, it downloads from:
experassistance .fr/4f67g7/d6f7g8.exe
... Two further samples have now been seen (VT results [1] [2]) and according to the analysis[3] of one them, it downloads from:
experassistance.fr/4f67g7/d6f7g8.exe
... UPDATE 2: A further reverse .it analysis[4] shows another download location of:
www .retrogame .de/4f67g7/d6f7g8.exe ..."

* https://www.virustotal.com/en/file/92f733da9ba440f0632b495a32742d47a5cb296f49127f210e14de412e371bf8/analysis/1446023495/

** https://www.hybrid-analysis.com/sample/92f733da9ba440f0632b495a32742d47a5cb296f49127f210e14de412e371bf8?environmentId=2

1] https://www.virustotal.com/en/file/03626c8036299e08b705f193337d44934ee45ddc373a368c71e8ef073ec674e8/analysis/1446024071/

2] https://www.virustotal.com/en/file/246ec2f4cdf0e18dc874644a09c369232ec70821a4b11a40dd7c133afb2ad70d/analysis/1446024082/

3] https://www.hybrid-analysis.com/sample/03626c8036299e08b705f193337d44934ee45ddc373a368c71e8ef073ec674e8?environmentId=1

4] https://www.hybrid-analysis.com/sample/246ec2f4cdf0e18dc874644a09c369232ec70821a4b11a40dd7c133afb2ad70d?environmentId=1
___

Fake 'eFax' SPAM - doc malware
- http://myonlinesecurity.co.uk/efax-message-from-booking-com-hylafa-1-pages-caller-id-031207944200-word-doc-malware/
28 Oct 2015 - "An email with the subject of 'eFax message' from “Booking.com – HylaFa” – 1 page(s), Caller-ID: 031207944200 pretending to come from eFax <message@ inbound .efax .com> with a malicious word doc attachment is another one from the current bot runs...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/10/eFax-message-from-Bookingdotcom-HylaFa-1024x640.png

28 October 2015 : FAX_20151028_1445421437_89.doc - Current Virus total detections 4/55*
... downloads -same- malware from the -same- locations as described in today’s earlier malspam run involving word docs**..."
* https://www.virustotal.com/en/file/92f733da9ba440f0632b495a32742d47a5cb296f49127f210e14de412e371bf8/analysis/1446026859/

** http://myonlinesecurity.co.uk/ikea-thank-you-for-your-order-word-doc-malware/

- http://blog.dynamoo.com/2015/10/malware-spam-efax-message-from.html
28 Oct 2015 - "This fake fax spam comes with a malicious attachment:
From: eFax [message@ inbound .efax .com]
Date: 28 October 2015 at 10:08
Subject: eFax message from "Booking.com - HylaFa" - 1 page(s), Caller-ID: 031207944200
Fax Message [Caller-ID: 031207944200]
You have received a 1 page fax at 2015-10-28 08:57:17 GMT.
* The reference number for this fax is lon1_did14-1445421403-1407880525-89.
View this fax using your Microsoft Word...

The attachment FAX_20151028_1445421437_89.doc is the -same- as used in this spam run* and the payload is the Dridex banking trojan."
* http://blog.dynamoo.com/2015/10/this-fake-order-spam-does-not-come-from.html
___

Fake 'ADP' SPAM - PDF malware
- http://myonlinesecurity.co.uk/adp-payroll-invoice-with-a-password-protected-zip-attachment-fake-pdf-malware/
28 Oct 2015 - "An email with the subject of 'ADP Payroll Invoice' pretending to come from ADPClientServices@ adp .com <billing.address.updates@ adp .com> with a password protected zip attachment is another one from the current bot runs... The content of the email says :
Your ADP Payroll invoice is attached for your review. If you have any questions regarding this invoice, please contact your ADP service team at the number provided on the invoice for assistance.
Important: Please open the attached file using your temporary password. Your temporary password is: 941VAX332ED
Please note that your bank account will be debited within one banking business day for the amount(s) shown on the invoice.
Thank you for choosing ADP Payroll.
Please do not respond to this message. It comes from an unattended mailbox.

28 October 2015: invoice381624185029.zip: Extracts to: invoice381624185029.exe
Current Virus total detections 3/55* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/895e23a7f5094fbab7b1392c56c4e3d50154c6d141d26a3933c3a09e47fe33bc/analysis/1446048560/
___

Fake 'résumé' SPAM - malicious attachment
- http://blog.dynamoo.com/2015/10/malware-spam-id9828myresume.html
27 Oct 2015 - "This fake résumé spam comes with a malicious attachment. It seems that the names are randomly-generated from a list.
From: Trinh [zhanxing1497kcuo@ 163 .com]
Date: 27 October 2015 at 18:30
Subject: id:9828_My_Resume
Signed by: 163 .com
Good afternoon!!! my name is Bobette Gloster. my resume is doc file.
I would appreciate your immediate attention to this matter.
Yours faithfully
Bobette Gloster

In this case the attachment was named Bobette_resume_1817.doc however this will vary. The VirusTotal analysis of the document gives a detection rate of 8/55*, mostly detecting a generic macro downloader... the Hybrid Analysis** of the document shows traffic coming FROM 46.30.41.150 (EuroByte LLC, Russia) and being POSTED to the following:
all-inclusiveresortstravel .com
designtravelagency .com
bigboattravel .com
cpasolutiononline .com
ciiapparelblog .com
The first three are on 108.167.140.175 and the second two are on 192.185.101.210 which are both allocated to WebSiteWelcome customers. I would assume that those two servers are completely -compromised-. The Hybrid Analysis report** shows that the malware has some characteristics that make it look like -ransomware-.
Recommended blocklist:
46.30.41.150: https://www.virustotal.com/en/ip-address/46.30.41.150/information/
108.167.140.175: https://www.virustotal.com/en/ip-address/108.167.140.175/information/
192.185.101.210: https://www.virustotal.com/en/ip-address/192.185.101.210/information/
UPDATE: This Tweet*** indicates that the payload is Cryptowall."
* https://www.virustotal.com/en/file/6f26e30b99bc668efacaf2da2a38037c9509f02099323d65a48ad758fe88d9ad/analysis/1445972310/

** https://www.hybrid-analysis.com/sample/6f26e30b99bc668efacaf2da2a38037c9509f02099323d65a48ad758fe88d9ad?environmentId=1

*** https://twitter.com/Techhelplistcom/status/659038278746685440

:fear::fear: :mad:

FYI...

Fake 'Doc Scan' SPAM - malicious attachment
- http://blog.dynamoo.com/2015/10/malware-spam-documents-for-review-and.html
29 Oct 2015 - "This -fake- document scan email has a malicious attachment:
From: Sarah [johnson@ jbrakes .com]
Date: 29 October 2015 at 08:27
Subject: Documents for Review and Comments
Hi Morning,
Attached are the return documents.
Call me if you need anything.
See you soon.
Sarah

The attached file is SCANNED DOCS,jpg.z which is a type of compressed file. If you have the right file decompression software, it will extact a malicious executable SCANNED DOCS,jpg.exe which has a VirusTotal detection rate of 17/55*. According to various automated analysis tools [1] [2] [3] it drops a file %TEMP%\XP000.TMP\M.exe which itself has a detection rate of 19/54**. Out of all the standard analysis tools I have used, only Comodo CAMAS identified the network traffic, a POST to:
eyeseen .net/swift/gate.php
This is hosted on a SoftLayer IP of 198.105.221.5 in Singapore. A quick look at VirusTotal*** indicates a lot of badness on this IP address, so it is probably one worth blocking. The payload is Pony / Fareit, which is basically a password stealer."
* https://www.virustotal.com/en/file/9fd03451e18b8c33caca6d89aee260886e2b6a2e77f2d6af9d6981389e7822e3/analysis/1446107638/

** https://www.virustotal.com/en/file/4d988335170d2922d6d68d2c6387617c6d53bb12983859436fbf31b65a541887/analysis/1446108516/

*** https://www.virustotal.com/en/ip-address/198.105.221.5/information/

1] https://www.virustotal.com/en/file/9fd03451e18b8c33caca6d89aee260886e2b6a2e77f2d6af9d6981389e7822e3/analysis/1446107638/

2] https://www.hybrid-analysis.com/sample/9fd03451e18b8c33caca6d89aee260886e2b6a2e77f2d6af9d6981389e7822e3?environmentId=2

3] https://malwr.com/analysis/MGQ1ZDcyMzc4NGM0NDY2ODhhZTkxNDU4YjgwODY5YTE/
___

Fake 'eBay Invoice' SPAM – PDF malware
- http://myonlinesecurity.co.uk/your-ebay-invoice-is-ready-fake-pdf-malware-2/
29 Oct 2015 - "An email with the subject of 'Your eBay Invoice is Ready' pretending to come from eBay <ebay@ ebay .com> with a zip attachment is another one from the current bot runs... The content of the email says :
PLEASE DO NOT RESPOND – Emails to this address are not monitored or responded to.
Dear Customer,
Please open the attached file to view invoice.
If the attachment is in PDF format you may need Adobe Acrobat Reader to read or download this attachment. If you require Adobe Acrobat Reader this is available at no cost...
This email has been scanned by the Symantec Email Security.cloud service.
This email and any attachment are intended solely for the addressee, are strictly confidential and may be legally privileged. If you are not the intended recipient any reading, dissemination, copying or any other use or reliance is prohibited. If you have received this email in error please notify the sender immediately by email and then permanently delete the email.

29 October 2015: ebay_591278156712819_291015.zip: Extracts to: ebay_591278156712819_291015.exe
Current Virus total detections 1/55* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/311132c9f241d4f0be5982e1680751d3051b38291d0aaf2821e27520de356773/analysis/1446114782/
___

Fake 'Your Invoice' SPAM - doc malware
- http://myonlinesecurity.co.uk/heather-crawford-barclaycomms-com-your-invoice-i0000040777-word-doc-malware/
29 Oct 2015 - "An email with the subject of 'Your Invoice I0000040777' pretending to come from Heather Crawford <h.crawford@ barclaycomms .com> with a malicious word doc attachment is another one from the current bot runs... The email looks like:
Dear Customer. Please find attached your Invoice. Invoice Number: 0000040777 Invoice Date: 28/10/2015 Invoice Total: 78.40 Invoice Description: Barclay Fresh Direct Debit 1 V (x1.00000)
This e-mail, and any attachment, is confidential. If you have received it in error, please delete it from your system, do not use or disclose the information in any way, and notify me immediately. The contents of this message may contain personal views which are not the views of Barclay Communications, unless specifically stated.

29 October 2015: I0000040777.doc - Current Virus total detections 3/55*
... Downloads Dridex banking malware from
0319225577 .com/46435/087965.exe (VirusTotal 0/55**)... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents appear to be blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/protected-view-macros_21-1024x412.png
... Many versions pretend to have a digital RSA key and say you need to enable editing and Macros to see the content. Do NOT enable Macros... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/a793aef1bbcdef406c90a4166cc5a42032c703aaf485b00027c24a63dee602af/analysis/1446115712/

** https://www.virustotal.com/en/file/f34b930f9c34ad376295db9aaaad6016b64fd78df25bb920531eef2224628ecd/analysis/1446114950/

0319225577 .com: 180.182.51.81: https://www.virustotal.com/en/ip-address/180.182.51.81/information/
___

Fake 'FedEx Label' SPAM - doc malware
- http://myonlinesecurity.co.uk/confirmation-from-fedex-emailonline-label-walmart-com-return-word-doc-malware/
29 Oct 2015 - "An email about Walmart .com Returns with the subject of 'Confirmation from FedEx Email/Online Label' pretending to come from FedEx Email/Online Label NoReply <no-reply@ packagetrackr .com> with a malicious word doc is another one from the current bot runs...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/10/Confirmation-from-FedEx-Email-Online-Label-1024x589.png

29 October 2015: label_737929223.doc - Current Virus total detections 2/55* . Analysis via Payload Security hybrid analysis** tells me that it downloads writeonlabels .biz/media/system/m.exe
(VirusTotal 0/55***) and posts some information to dethetear .ru/sliva/gate.php. This looks a bit like the behaviour of the new Shifu banking malware which combines the worse elements of Dridex, Zeus, Pony and all the other information stealers... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents appear to be blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/protected-view-macros_21-1024x412.png
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/4be1077cdd7e821b3999b9c24c1e9070eadf87163ee27773e61197b68e21edda/analysis/1446133593/

** https://www.hybrid-analysis.com/sample/4be1077cdd7e821b3999b9c24c1e9070eadf87163ee27773e61197b68e21edda?environmentId=1

*** https://www.virustotal.com/en/file/85b523825c7a1ec3da4621ae01bca7dab592663f62eb0b0bcb9928818c87d4f9/analysis/1446135044/

:fear::fear: :mad:

FYI...

Fake 'Purchase Order' SPAM - doc malware
- http://myonlinesecurity.co.uk/clare-harding-carters-packaging-ltd-purchase-order-0000035394-customer-09221-word-doc-malware/
30 Oct 2015 - "An email with the subject of 'Purchase Order 0000035394 customer 09221' pretending to come from Clare Harding <purchasing@ carterspackaging .com> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/10/Purchase-Order-0000035394-customer-09221-1024x727.png

30 October 2015: Purchase Order 0000035394.DOC - Current Virus total detections 4/55*
... Downloads ankarasogukhavadepo .com/45y3f34f/7jh4wqd.exe which appears to be Dridex banking malware (VirusTotal 1/55**)... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents appear to be blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/protected-view-macros_21-1024x412.png
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/57e7eb6c8a742767101ed847d9697fc17cdbea9dc129b99aefe67276ad346957/analysis/1446197496/

** https://www.virustotal.com/en/file/5c095d6ea6739cc51a1526ea02614f0a66793a4dc301ead5955d9951f550c79c/analysis/1446198752/

- http://blog.dynamoo.com/2015/10/malware-spam-purchase-order-0000035394.html
30 Oct 2015 - "This -fake- financial spam does not come from Carters Packaging Ltd but is instead a simple forgery with a malicious attachment... Carters Packaging are on the ball and have put a big notice on their site, which is nice work:
>> https://4.bp.blogspot.com/-kH6ud4vSuxo/VjNd-6pk1yI/AAAAAAAAHRM/a21HfVrgZ6w/s400/carters-packaging.png "
___

Fake 'Domain Suspension Notice' SPAM - Cryptowall ransomware payload
- http://blog.dynamoo.com/2015/10/malware-spam-domain-domain-suspension.html
29 Oct 2015 - "There appear to be many versions of this spam, aimed at domain owners and apparently coming from the actual registrar of the domain. For added authenticity, the owner's name is included in the spam...
From: ENOM, INC. [abuse@ enom.com .org]
Date: 30 October 2015 at 04:11
Subject: Domain ... Suspension Notice
Dear Sir/Madam,
The following domain names have been suspended for violation of the ENOM, INC. Abuse Policy ...
Click here and download a copy of complaints we have received...

... clicking on the link goes to edecisions .com/abuse_report.php?LAPTOP-MEMORY.COM and downloads a file LAPTOP-MEMORY.COM_copy_of_complaints.pdf.scr - it looks more authentic because the domain name is in the file download, but in fact you can specify -any- domain name and it gives a matching file. Before we look at the analysis of the downloaded executable, let's look at the domain name edecisions .com. It looks like the sort of domain that might contain abuse reports, but in fact it is a -hijacked- GoDaddy domain hosted on 65.78.174.100 and a quick look at VirusTotal* indicates that one of the other 4 sites on the same server was also -compromised- and was serving up malware in 2013. This is definitely a good candidate to block... several compromised domains on the same server, indicating that the entire box has been popped..."
* https://www.virustotal.com/en/ip-address/65.78.174.100/information/
... UPDATE: The payload appears to be the Cryptowall ransomware."
(More detail and IP's to block at the dynamoo URL above.)

edecisions .com: 65.78.174.100: https://www.virustotal.com/en/url/95408a08330bbc19c9c834725b4830b4855bfb564f386c74d4ff0df30e9e6f20/analysis/

>> http://support.melbourneit.com.au/articles/help/Spam-Alert-27th-October-2015
27 Oct 2015 - "... advise that any customer that receives the email is to -delete- it immediately. If you are unsure of the validity of your emails please check the email headers to determine the source and return path for the email address..."

:fear::fear: :mad:

FYI...

Fake 'Purchase Order' SPAM - malicious attachment
- http://blog.dynamoo.com/2015/11/malware-spam-purchase-order-37087-por.html
2 Nov 2015 - "This -fake- financial spam does not come from K. Stevens (Leicester) Ltd but is instead a simple -forgery- with a malicious attachment.
From Margaret Wimperis [MargaretWimperis@ biasbinding .com]
Date Mon, 02 Nov 2015 18:28:23 +0700
Subject Purchase Order 37087-POR
Hi
Please confirm receipt of order
Kind regards
Margaret
K. Stevens (Leicester) Ltd. Portishead Road, Leicester LE5 0JL Reg. No. 3125088
This email and any attachments are believed to be virus free, however
recipients are responsible for appropriate virus checks. The email and
attachments are confidential to the addressee and unauthorised use, copying or
retention by others is prohibited...

Attached is a file PORDER.DOC which comes in three different versions (although I only have two samples [1] [2]) containing a malicious macro... which download a binary from the following locations:
saltup .com/34g3f3g/68k7jh65g.exe
landprosystems .com/34g3f3g/68k7jh65g.exe
jambidaily .com/34g3f3g/68k7jh65g.exe
This binary has a detection rate of 4/55* and according that that VirusTotal report, this reverse.it report** this Malwr report*** it contacts the following IP:
128.199.122.196 (DigitalOcean, Singapore)
I strongly recommend that you -block- that IP. The payload is likely to be the Dridex banking trojan..."
1] https://www.virustotal.com/en/file/b3c483e304a52e2e5724e7b637146da62d285a37736461d4280366c98ee74125/analysis/1446464337/

2] https://www.virustotal.com/en/file/d997184e5277a9ede634999c6cfaea0d64f7009ff6727c71d58d9d676530ae5e/analysis/1446464348/

* https://www.virustotal.com/en/file/f5332dbba418832e779b6bcbd654a1507012a057730fb2abcaa1d6ba9c04f316/analysis/1446464493/

** https://www.hybrid-analysis.com/sample/f5332dbba418832e779b6bcbd654a1507012a057730fb2abcaa1d6ba9c04f316?environmentId=1
128.199.122.196: https://www.virustotal.com/en/ip-address/128.199.122.196/information/

*** https://malwr.com/analysis/ZmJlZDJlMzY3YjcxNDYwZDgxYjM2ODQ5MjdhMzU5NDY/

- http://myonlinesecurity.co.uk/purchase-order-37087-por-margaret-wimperis-k-stevens-leicester-ltd-word-doc-malware/
2 Nov 2015
"... 2 November 2015: PORDER.DOC - Current Virus total detections 3/55*
... Downloads Dridex banking malware from one of these locations:
saltup .com/34g3f3g/68k7jh65g.exe (VirusTotal 4/55**)
landprosystems .com/34g3f3g/68k7jh65g.exe
jambidaily .com/34g3f3g/68k7jh65g.exe ..."
* https://www.virustotal.com/en/file/b3c483e304a52e2e5724e7b637146da62d285a37736461d4280366c98ee74125/analysis/1446470703/

** https://www.virustotal.com/en/file/f5332dbba418832e779b6bcbd654a1507012a057730fb2abcaa1d6ba9c04f316/analysis/1446464493/
___

Fake 'American Airlines' SPAM - doc malware
- http://myonlinesecurity.co.uk/american-airlines-e-ticket-confirmation-word-doc-malware/
2 Nov 2015 - "An email appearing to be an American Airlines E-Ticket with the subject of 'E-Ticket Confirmation' pretending to come from American Airlines@ aa .com <notify@ hvacprofessional .net> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/11/American_-Airlines_E-Ticket1-1024x553.png

2 November 2015 : ticket_AA77799543.doc - Current Virus total detections 4/55*
... Contains an embedded ole object that drops a pony malware pu .exe (VirusTotal 2/55**), posts -stolen- information to
- http ://wicytergo .ru/sliva/gate.php
- http ://unlaccothe .ru/sliva/gate.php
- http ://thetedrenre .ru/sliva/gate.php
... Which in turn downloads Dyreza banking malware from one of these 3 sites:
- http ://eextensions .co/m.exe
- http ://www.10203040 .at/m.exe
- http ://www.eshtari .me/m.exe (VirusTotal 2/55***)
... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents appear to be blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/protected-view-macros_21-1024x412.png
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/7e28f1b5f5738a3ce1e38dc80a169cf0850b5f22015bd9555f7ad1d48b9f7b47/analysis/1446486517/

** https://www.virustotal.com/en/file/aa6f1f2db2afd7f37f1b2133881bdbc0fdd7515cbde8749bf21d1fcabe372982/analysis/1446486884/

*** https://www.virustotal.com/en/file/857ac93ea68f74636be147e264e0803e0921341a372b1b5711c7c541555abb82/analysis/1446487008/

:fear::fear: :mad:

FYI...

Fake 'Delivery Confirmation' SPAM - doc malware
- http://myonlinesecurity.co.uk/delivery-confirmation-0068352929-acuvue-com-word-doc-malware/
3 Nov 2015 - "An email with the subject of 'Delivery Confirmation: 0068352929' pretending to come from ACUVUE_DEL <ship-confirm@ acuvue .com> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
PLEASE DO NOT REPLY TO THIS E-MAIL. IT IS A SYSTEM GENERATED MESSAGE.
Attached is a pdf file containing items that have shipped
Please contact us if there are any questions or further assistance we can provide

3 November 2015: Advance Shipping Notification 0068352929.DOC - Current Virus total detections 3/54*
... Downloads http ://goalaskatours .com/45gce333/097j6h5d.exe looks like Dridex banking malware (VirusTotal 4/54**)... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents appear to be blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/protected-view-macros_21-1024x412.png
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/5b343d8163cc250ecfb56f63c753421decfde5f36c7a7559819129e4a377f464/analysis/1446542730/

** https://www.virustotal.com/en/file/bbf503d960c62e2aadb5aa270aa05b0f937b28be1b7cca3cad0339fb59273493/analysis/1446544379/
... Behavioural information
TCP connections
128.199.122.196: https://www.virustotal.com/en/ip-address/128.199.122.196/information/
191.234.4.50: https://www.virustotal.com/en/ip-address/191.234.4.50/information/

- http://blog.dynamoo.com/2015/11/malware-spam-delivery-confirmation.html
3 Nov 2015 - "... this Hybrid Analysis report* show network communications to the following IPs:
128.199.122.196 (Digital Ocean, Singapore)
75.99.13.123 (Cablevision, US)
198.74.58.153 (Linode, US)
221.132.35.56 (Ho Chi Minh City Post and Telecom Company, Vietnam)
The payload is most likely to be the Dridex banking trojan.
Recommended blocklist:
128.199.122.196
75.99.13.123
198.74.58.153
221.132.35.56 "
* https://www.hybrid-analysis.com/sample/bbf503d960c62e2aadb5aa270aa05b0f937b28be1b7cca3cad0339fb59273493?environmentId=1
___

Fake 'New Invoice' SPAM - PDF malware
- http://myonlinesecurity.co.uk/new-invoice-from-documents-online-fake-pdf-malware/
3 Nov 2015 - "An email with the subject of 'New Invoice from Documents Online' pretending to come from Documents Online Limited <sales@ documentsonline .co.uk> with a zip attachment is another one from the current bot runs... The content of the email says :
Dear Customer,
This is a notice that an invoice has been generated against your account, details of the invoice are as follows:
Invoice #241
Amount Due: 90.00GBP
Due Date: 01/12/2015
Payment Method: Bank Transfer
Invoice Items
... 75.00GBP
Sub Total: 75.00GBP
20.00% UK VAT: 15.00GBP
Credit: 0.00GBP
Total: 90.00GBP
Please find attached a copy of this invoice in PDF format for your records.
IMPORTANT: Please open the attached file using your temporary password. Your temporary password is: UCZ941QXO941 ...

3 November 2015: Invoice-241.zip: Extracts to: Invoice-241.exe
Current Virus total detections 0/53* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/d0da209f011c514c1b15e8ccca3f94618d279439a28394067b6579d171e515c3/analysis/1446550339/

- http://blog.dynamoo.com/2015/11/malware-spam-new-invoice-from-documents.html
3 Nov 2015 - "... Attached is a password-protected ZIP file Invoice-241.zip.. which in turn contains a malicious executable Invoice-241.zip.exe ...
UPDATE: This Hybrid Analysis report* shows traffic consistent with Upatre dropping the Dyre banking trojan, including traffic to the well known bad IP of:
197.149.90.166 (Cobranet, Nigeria)"
* https://www.hybrid-analysis.com/sample/d0da209f011c514c1b15e8ccca3f94618d279439a28394067b6579d171e515c3?environmentId=1
___

Fake 'Dispatch order' SPAM - PDF malware
- http://myonlinesecurity.co.uk/josh-carr-intermodal-management-system-dispatch-order-19579282466206-fake-pdf-malware/
3 Nov 2015 - "An email with the subject of 'Dispatch order – 19579282466206' pretending to come from Josh Carr <Josh.Carr@ imstransport .com> with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/11/Dispatch-order-19579282466206-1024x660.png

3 November 2015: 5969141.zip: Extracts to: 0810121.scr
Current Virus total detections 0/41* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/17bb16ddc31f39e2d6bf3447863fbd6d1bf47f3e69c1946818ee46bbb6305b57/analysis/1446564559/
___

Angler -and- Nuclear EK's integrate Pawn Storm Flash Exploit
- http://blog.trendmicro.com/trendlabs-security-intelligence/angler-and-nuclear-exploit-kits-integrate-pawn-storm-flash-exploit/
Nov 3, 2015 - "... We found -two- vulnerabilities that were now being targeted by exploit kits, with one being the recent Pawn Storm Flash zero-day. Starting on October 28, we found that these two vulnerabilities were being targeted by the Angler and Nuclear exploit kits. (The second vulnerability was a Flash vulnerability that worked on versions up to 18.0.0.232; we are currently working with Adobe to confirm the CVE number for this exploit)... Our latest research confirms that the two exploit kits abusing the Diffie-Hellman key exchange, with some minor differences from the previous usage. This is being done to hide their network traffic and to get around certain security products. The changes are an attempt to make analysis of their key exchange by researchers more difficult. The Angler EK has made the following changes to its usage of the Diffie-Hellman protocol. They add some obfuscation to what had previously been a relatively clear and obvious process... activity for the Angler exploit kit was higher in the earlier weeks of October; perhaps the addition of these vulnerabilities is an attempt to raise the traffic levels of the exploit back to the earlier levels. Users in Japan, the United States, and Australia were the most affected..."

Current Flash version - 19,0,0,226
Test here: https://www.adobe.com/software/flash/about/

:fear::fear: :mad:

FYI...

Fake 'Transport' SPAM - malicious attachment
- http://blog.dynamoo.com/2015/11/malware-spam-email-from-transport-for.html
4 Nov 2015 - "This -fake- Transport for London spam is a variation of something used before. It does not actually come from TfL, but is a simple -forgery- with a malicious attachment:
From "Transport for London" [noresponse@ cclondon .com]
Date Wed, 4 Nov 2015 14:33:44 +0100
Subject Email from Transport for London
Dear Customer
Please open the attached file to view correspondence from Transport for London.
If the attachment is in PDF format you may need Adobe Acrobat Reader to read or download
this attachment...
Thank you for contacting Transport for London.
Business Operations
Customer Service Representative ...
This email has been scanned by the Symantec Email Security.cloud service...

Attached is a file 6305093.zip of which I have seen just one sample, containing a malicious executable 6305093.scr (MD5 6a4cce90ba28720fa9e6813f681b1f75) which has a VirusTotal detection rate of 7/54*. This Hybrid Analysis report** shows it communicating with the well-known malicious IP address of 197.149.90.166 (Cobranet, Nigeria) which I recommend you block. The payload here seems to be Upatre dropping the Dyre banking trojan."
* https://www.virustotal.com/en/file/2e82c5534c04bcf50c9afb9dd5e28bba23c418fbfa0ffed19645a30de56b25aa/analysis/1446645968/

** https://www.hybrid-analysis.com/sample/2e82c5534c04bcf50c9afb9dd5e28bba23c418fbfa0ffed19645a30de56b25aa?environmentId=1

:fear::fear: :mad:

FYI...

Fake 'Document from AL-KO' SPAM - doc malware
- http://myonlinesecurity.co.uk/document-from-al-ko-word-doc-malware/
5 Nov 2015 - "An email with the subject of 'Document from AL-KO' pretending to come from info@ alko .co.uk with a malicious word doc attachment is another one from the current bot runs... The email looks like:
This document is DOC created by Osiris OSFAX(R) V3.5.
It can be viewed and printed with Microsoft Word(R)

5 November 2015: Document from AL-KO.doc - Current Virus total detections 0/54*.
... Downloads Dridex banking malware from:
www .mazzoni-hardware .de/f75f9juu/009u98j9.exe
deklompjes .nl/~maurice/f75f9juu/009u98j9.exe
members.dodo .com.au/~mfranklin17/f75f9juu/009u98j9.exe
www .www .www.enhancedpixel .com/f75f9juu/009u98j9.exe (VirusTotal 3/54**)
... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents appear to be blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/protected-view-macros_21-1024x412.png
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/134f4cd2f17b312083bee6fb6d502dd0dd3b70f5716b8d17aae8acdcbad0e610/analysis/1446722835/

** https://www.virustotal.com/en/file/17ac88233dfe1197ecca2ed4c2560d95be595123c725d75f839f9d101c9de3e4/analysis/1446723789/
... Behavioural information
TCP connections
75.99.13.123: https://www.virustotal.com/en/ip-address/75.99.13.123/information/
23.62.99.160: https://www.virustotal.com/en/ip-address/23.62.99.160/information/

- http://blog.dynamoo.com/2015/11/malware-spam-document-from-al-ko.html
5 Nov 2015 - "... detection rate of 4/54*... Other automated analyses [5] [6] show network traffic to:
128.199.122.196 (Digital Ocean, Singapore)
75.99.13.123 (Cablevision, US)
The payload appears to be the Dridex banking trojan.
Recommended blocklist:
128.199.122.196
75.99.13.123 "
* https://www.virustotal.com/en/file/17ac88233dfe1197ecca2ed4c2560d95be595123c725d75f839f9d101c9de3e4/analysis/1446729564/

5] https://www.hybrid-analysis.com/sample/17ac88233dfe1197ecca2ed4c2560d95be595123c725d75f839f9d101c9de3e4?environmentId=2

6] https://malwr.com/analysis/MTNjODQ1MmE0MjRiNGJmOTg4MzYyODFiYzg0MzY2ZWE/

128.199.122.196: https://www.virustotal.com/en/ip-address/128.199.122.196/information/
___

Fake 'Billing' SPAM – PDF malware
- http://myonlinesecurity.co.uk/monthly-billing-920493380924127516-e-online-data-amerikicks-fake-pdf-malware/
5 Nov 2015 - "An email with the subject of 'Monthly Billing 920493380924127516 – e-Online Data – amerikicks' coming from random companies, email addresses and names with a zip attachment is another one from the current bot runs... The content of the email says :
Amerikick Studios
Invoice #: 920493380924127516
Please use the HelpDesk for all problems/questions/suggestions. It is located at the bottom of the admin pages.
A full report in the attachment.
Billing for Nov 2015
This is your Payment Gateway monthly invoice...

5 November 2015: Final overdue bill order document.zip: Extracts to: 745348208.exe
Current Virus total detections 1/55* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/2ba09e25d6d9f0b9a5f0db14a6eb6e792270a2ec71e4d377f3a761055b726560/analysis/1446738837/
___

Fake 'subpoena' attachment SPAM - doc malware
- http://myonlinesecurity.co.uk/i-got-this-subpoena-in-my-mail-box-today-doug-little-cardataconsultants-com-word-doc-malware/
5 Nov 2015 - "An email saying 'I got this subpoena in my mail box today' with the subject of 'sued used' pretending to come from dlittle@ cardataconsultants .com with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... Nobody is being sued. Nobody is actually sending a subpoena to you by email. The email looks like:
I got this subpoena in my mail box today, saying that I have been sued by you.
I am sorry but I don’t even know what this is.
I am attaching a scanned copy , please let me know what this is about
Doug Little
Special Services Co-ordinator
CarDATA Consultants
Phone 289-981-2733 ...

5 November 2015 : subpoena.doc - Current Virus total detections 2/54*
This malicious word doc has -2- copies of a RTF file embedded inside it (MALWR**) that when extracted deliver an embedded fareit password stealing malware pm3.exe (VirusTotal 2/55***) that posts information to http ://littonredse .ru/gate.php
These malicious word docs normally also drop an Upatre downloader that in turn downloads a Dyreza banking malware... the macro inside the word doc seems to indicate that it should...
Update: somewhere along the line it also downloads:
- http ://s.teamzerostudio .com/x1.exe (VirusTotal[4])...
... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents appear to be blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/protected-view-macros_21-1024x412.png
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/15db7d387b7e6dcbb7ea6a502526c7103329fab1cd4e05db406cd93efe55fff6/analysis/

** https://malwr.com/analysis/NTY3ZjEwMmU0NGE3NGRmOGI2OTllNTE5ODhmMTliYTI/

*** https://www.virustotal.com/en/file/6a37daf10204852ee3780f17cc5976b6e0c52bfd300efa1670b4135ea70ef674/analysis/1446742200/
... Behavioural information
TCP connections
80.78.251.32: https://www.virustotal.com/en/ip-address/80.78.251.32/information/
119.81.144.82: https://www.virustotal.com/en/ip-address/119.81.144.82/information/

4] https://www.virustotal.com/en/file/e17449a3562f42b1b799ccd2e1a573fd901e55ce455b863de5efe9bbd7922095/analysis/1446746740/
___

PayPal Spam
- http://threattrack.tumblr.com/post/132616332398/paypal-spam
Nov 5, 2015 - "Subjects Seen:
Your PayPal Invoice is Ready
Typical e-mail details:
Dear PayPal Customer,
Please open the attached file to view invoice.
Your monthly account statement is available anytime; just log in to your account. To correct any errors, please contact us through our Help Centre.

Malicious File Name and MD5:
paypal_955154675414192_110515.exe (2364e385b3fe22c9381e20a72ce520e5)

Screenshot: https://40.media.tumblr.com/d36cf5a54dce047e6e1278e51dff00e8/tumblr_inline_nxcxmgW7nZ1r6pupn_500.png

Tagged: PayPal, Upatre
___

Trojanized adware; 20K popular apps caught in the crossfire
- https://blog.lookout.com/blog/2015/11/04/trojanized-adware/
Nov 4, 2015 - "Auto-rooting adware is a worrying development in the Android ecosystem in which malware roots the device automatically after the user installs it, embeds itself as a system application, and becomes nearly impossible to remove. Adware, which has traditionally been used to aggressively push ads, is now becoming trojanized and sophisticated. This is a new trend for adware... detected over 20,000 samples of this type of trojanized adware masquerading as legitimate top applications, including Candy Crush, Facebook, GoogleNow, NYTimes, Okta, Snapchat, Twitter, WhatsApp, and many others..."
- http://net-security.org/malware_news.php?id=3144
05.11.2015

- http://arstechnica.com/security/2015/11/new-type-of-auto-rooting-android-adware-is-nearly-impossible-to-remove/
Nov 4, 2015
___

Instagram 'free $50 Xbox cards' - Phish ...
- https://blog.malwarebytes.org/online-security/2015/11/nice-instagram-shame-about-the-code-generator/
Nov 5, 2015
> https://blog.malwarebytes.org/wp-content/uploads/2015/11/xboxinsta1-300x261.jpg
"... This tiled effect is achieved by uploading pieces of the larger image one by one, and could well help to attract attention from anybody interested in free $50 Xbox cards... it’s certainly a lot better looking than most similar promo splashes we see elsewhere... It claims to be a code generator, and wants visitors to enter an email-address-to-proceed after having selected their chosen reward. After hitting the 'Generate Code' button, the would-be recipient of free Xbox goodness sees one of those “We’re doing hacking stuff, honest” boxes pop up in the middle of the screen complete with regulation standard green text on black background:
> https://blog.malwarebytes.org/wp-content/uploads/2015/11/xboxinsta3.jpg
... convincing people to fill in surveys has been around for many years, yet they continue to bring in those hopeful of a little free console cash. I’ve seen pretty much every variation of the above there is, and have yet to see a single supposed code generator which actually did just that. All you’ll get for your time and trouble is handing over personal information to marketers and / or potentially unwanted downloads. And after you’ve done all of that, there’s still no guarantee you’ll get anything at the end of it. Our advice is -not- to bother with offers such as these – no matter how nice their Instagram page looks."

:fear::fear: :mad:

FYI...

Fake 'Invoice' SPAM - malicious attachment
- http://blog.dynamoo.com/2015/11/malware-spam-invoice-00004232-from.html
6 Nov 2015 - "This -fake- invoice does not come from Timber Solutions but is instead a simple -forgery- with a malicious attachment:
From: Kes [kerryadamson@ bigpond .com]
Date: 6 November 2015 at 11:07
Subject: Invoice #00004232; From Timber Solutions
Hi, please find attached our invoice for goods ordered under Order
No. 11146, which will be delivered tomorrow. Please pay into the
account, details of which are at the foot of the invoice. Kes

Attached is a file ESale.xls which I have seen just a single variant of across multiple emails. This has a VirusTotal detection rate of 3/54* and contains this malicious macro... which (according to this Hybrid Analysis report**) downloads a binary from:
advancedgroup .net .au/~incantin/334g5j76/897i7uxqe.exe
..this is saved as %TEMP%\tghtop.exe and has a detection rate of... zero***. Automated analysis of this binary [1] [2] shows network traffic to:
89.108.71.148 (Agava Ltd, Russia)
I strongly recommend that you -block- traffic that that IP. The payload is most likely to be the Dridex banking trojan."
* https://www.virustotal.com/en/file/5be589570751f4d8ead65ec9ce502637464568eca45f35dca61a195e6cb35f90/analysis/1446810013/

** https://www.hybrid-analysis.com/sample/5be589570751f4d8ead65ec9ce502637464568eca45f35dca61a195e6cb35f90?environmentId=1

*** https://www.virustotal.com/en/file/994de37c90fcb8a15746bc8c39659a559dec586e2c391aba4189b5450e5d07f7/analysis/1446810177/
... Behavioural information
TCP connections
89.108.71.148: https://www.virustotal.com/en/ip-address/89.108.71.148/information/
88.221.14.163: https://www.virustotal.com/en/ip-address/88.221.14.163/information/

1] https://www.hybrid-analysis.com/sample/994de37c90fcb8a15746bc8c39659a559dec586e2c391aba4189b5450e5d07f7?environmentId=1

2] https://malwr.com/analysis/NGE4ZDEzNWM4OTY4NGJjMGFhMjNmMDUyM2UxZDM0OGY/
___

Fake 'Order Notification' SPAM - PDF malware
- http://myonlinesecurity.co.uk/order-notification-72742018-for-opportunities-beyond-obstacles-2015-complimentary-registration-fake-pdf-malware/
5 Nov 2015 - "An email appearing to come from the 'London housing foundation' about tickets for a conference with the subject of 'Order Notification 72742018 for Opportunities Beyond Obstacles 2015 – Complimentary Registration' pretending to come from jayk@ lhf .org.uk with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/11/Order-Notification-72742018-for-Opportunities-Beyond-Obstacles-2015-Complimentary-Registration-1024x546.png

5 November 2015: barf vermilion.zip: Extracts to: 018648187082.exe
Current Virus total detections 0/55* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/e07d6c40cd9199559f4fe90515f7a583a1d2a073d58182ca9548f2bb037a96a2/analysis/1446759940/
___

Cryptowall 4.0 released ...
- http://net-security.org/malware_news.php?id=3145
06.11.2015 - "Cryptowall 4 (although the number is not mentioned in the new, changed ransom note) is not drastically different from version 3. According to malware researcher Nathan Scott*, it uses the same encryption, installation method, Decrypt Service site, communication method, C&C server, and ransom payment domains.
* http://www.bleepingcomputer.com/news/security/cryptowall-4-0-released-with-new-features-such-as-encrypted-file-names/
... Palo Alto Networks researchers have so far spotted** -ten- unique instances of CryptoWall version 4, and have provided SHA256 hashes for each sample they analyzed... performing regular backups of important files is highly advised - in the case that you fall for the scheme, you wont have to pay the ransom because your files can be restored."
** http://researchcenter.paloaltonetworks.com/2015/11/cryptowall-v4-emerges-days-after-cyber-threat-alliance-report/
Nov 5, 2015
> http://researchcenter.paloaltonetworks.com/wp-content/uploads/2015/11/crypto2.png

- http://www.hotforsecurity.com/blog/cryptowall-4-0-returns-to-the-wild-posing-as-good-guy-12985.html
Nov 5, 2015
___

DirectRev Ad loads Flash Exploit, CryptoWall...
- https://blog.malwarebytes.org/malvertising-2/2015/11/directrev-advert-loads-self-sufficient-flash-exploit-cryptowall/
Nov 5, 2015 - "We have been observing a series of -malvertising- attacks using an unusual but familiar delivery method recently... instead of relying on an exploit kit to compromise the victims’ machines, this technique simply relies on a disguised Flash advert that downloads its own exploit and payload. We previously encountered this attack pattern on two occasions, one for a Sparta Ad and another that involved RTB platform DirectRev. This latest attack features various ad platforms leading to a booby-trapped DirectRev ad...
> https://blog.malwarebytes.org/wp-content/uploads/2015/11/Final_flow.png
... The Flash exploit is hosted on sensentive[.]com... The malware payload, CryptoWall, is retrieved from gearsmog[.]com... Both domains were created only a few seconds apart but reside on different IP addresses: 80.240.135.208 and 178.62.150.20..."

80.240.135.208: https://www.virustotal.com/en/ip-address/80.240.135.208/information/

178.62.150.20: https://www.virustotal.com/en/ip-address/178.62.150.20/information/

:fear::fear: :mad:

FYI...

Fake 'OUTSTANDING INVOICES' SPAM - malicious attachment
- http://blog.dynamoo.com/2015/11/malware-spam-outstanding-invoices-steve.html
9 Nov 2015 - "This -fake- financial email does not come from Resimac but is instead a simple -forgery- with a malicious attachment.
From "Steve McDonnell" [stevem@ resimac .co.uk]
Date Mon, 09 Nov 2015 18:24:23 +0530
Subject OUTSTANDING INVOICES
Dear,
Please find attached invoices 1396 & 1406 which are now outstanding.
I should be grateful if you would let me know when they are going to be paid.
Kind Regards
Steve McDonnell
Company Secretary
Resimac Ltd
Unit 11, Poplars Industrial Estate ...

I have only seen a single sample of this with an attachment named Invoices001396,1406-11.2015.xls which has a VirusTotal detection rate of 3/54* ... which contains this malicious macro... which (according to this Hybrid Analysis report**) in this case downloads a binary from:
www .davidcaballero .com/87yte55/6t45eyv.exe
The VirusTotal detection rate for this binary is 3/55***. That report indicates network traffic to:
89.108.71.148 (Agava Ltd, Russia)
Other analyses are pending, however I strongly recommend that you block traffic to that IP. The payload is likely to be the Dridex banking trojan."
* https://www.virustotal.com/en/file/6c9952b0712c9726373be21b1db570bcaf73d66a4dc286b383b773a654c68fc3/analysis/

** https://www.hybrid-analysis.com/sample/6c9952b0712c9726373be21b1db570bcaf73d66a4dc286b383b773a654c68fc3?environmentId=1

*** https://www.virustotal.com/en/file/3172fc122a9d6ee1cea1ead656502f9336bb62351878ebc1473b48857744a673/analysis/
TCP connections
89.108.71.148: https://www.virustotal.com/en/ip-address/89.108.71.148/information/
191.234.4.50: https://www.virustotal.com/en/ip-address/191.234.4.50/information/

213.229.173.59: https://www.virustotal.com/en/ip-address/213.229.173.59/information/

- http://myonlinesecurity.co.uk/outstanding-invoices-steve-mcdonnell-resimac-co-uk-excel-xls-spreadsheet-malware/
9 Nov 2015
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/11/OUTSTANDING-INVOICES-1024x561.png
"... 9 November 2015: Invoices001396,1406-11.2015.xls
Current Virus total detections 8/55* ... Downloads Dridex banking malware from
www .davidcaballero .com/87yte55/6t45eyv.exe ... DO NOT follow the advice they give to enable macros or enable editing to see the content... look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/protected-view-macros_21-1024x412.png
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/6c9952b0712c9726373be21b1db570bcaf73d66a4dc286b383b773a654c68fc3/analysis/
___

Fake 'Amendment/Agreement' SPAM - sharefile .com malware
- http://blog.dynamoo.com/2015/11/malware-spam-random-name-shared.html
5 Nov 2015 - "This -fake- Dropbox spam appears to come from randomly-generated people..
From: Sandy Schmitt via Dropbox [no-reply@ dropbox .com]
Date: 9 November 2015 at 11:41
Subject: Sandy Schmitt shared "Amendment or the Agreement_09-11-2015.zip" with you
Sandy used Dropbox to share a file with you!
Click here to view...
> https://1.bp.blogspot.com/-cua7HAy0dJU/VkCWITBajDI/AAAAAAAAHUU/3waO1sgAHnk/s400/fake-dropbox.png

The link in the email actually goes to sharefile .com where it downloads a file Amendment or the Agreement_09-11-2015.zip containing a malicious executable Amendment or the Agreement_09-11-2015.scr which has a VirusTotal detection rate of 2/54*. Automated analysis is inconclusive [1] [2] but you can guarantee that this is nothing good. Because of the low detection rates, it might be worth -temporarily- blocking sharefile .com."
* https://www.virustotal.com/en/file/47de271bdf0bbe10f19cff2bb53846ba805824cf18a00577d0ea9dcce4585d00/analysis/1447072746/

1] https://www.hybrid-analysis.com/sample/47de271bdf0bbe10f19cff2bb53846ba805824cf18a00577d0ea9dcce4585d00?environmentId=1

2] https://malwr.com/analysis/MTU3N2U2ZmI3ZDEyNDExMzg5YWU1ZjJjNzE2MDFiYmE/
___

New crypto-ransomware targets Linux web servers
- http://net-security.org/malware_news.php?id=3148
09.11.2015 - "There's a new piece of crypto-ransomware out there, but unlike most malware of this particular type, this one is mainly directed at web servers running on Linux. The threat has been dubbed Linux Encoder by Dr. Web researchers, and is currently detected by a small fraction of AV solutions*:
> http://www.net-security.org/images/articles/ransom-09112015-big.jpg
... "Once launched with administrator privileges, the Trojan (...) downloads files containing cybercriminals' demands and a file with the path to a public RSA key. After that, the malicious program starts as a daemon and deletes the original files," the researchers explained**. "Subsequently, the RSA key is used to store AES keys which will be employed by the Trojan to encrypt files on the infected computer"... It encrypts a wide variety of files - including Office, documents, image files, HTML and PHP files, archives, DLLs and EXE files - and adds the .encrypted extension to them. Instructions on what to do in order to get the files decrypted are included in each directory. Dr. Web researchers are working on a technology that can help decrypt data encrypted by this malware, but in the meantime the best protection against its destructiveness is to backup crucial files regularly..."
* https://www.virustotal.com/en/file/fd042b14ae659e420a15c3b7db25649d3b21d92c586fe8594f88c21ae6770956/analysis/

** https://news.drweb.com/show/?i=9686&lng=en&c=5

:fear::fear: :mad:

FYI...

Fake 'Itinerary' SPAM - malcious attachment
- http://blog.dynamoo.com/2015/11/malware-spam-itinerary-c003ns39-no.html
10 Nov 2015 - "This rather terse -fake- business spam does not come from Click Travel but is instead a simple -forgery- with a malcious attachment:
From: no-reply@ clicktravel .com [mailto:no-reply@ clicktravel .com]
Sent: Tuesday, November 10, 2015 11:21 AM
Subject: Itinerary #C003NS39
Please see document attached

Attached is a file Hotel-Fax-V0045G2B_8308427510989318361.xls which contains this malicious macro... which (according to this Hybrid Analysis report*) downloads a component from:
www .clemenciaortiz .com/87yte55/6t45eyv.exe
So far I have only seen one sample of this, there are likely to be others with different download locations but the same binary. This executable file has a detection rate of 2/55** and that VirusTotal report and this Malwr report*** indicate traffic to the following IP:
89.108.71.148 (Agava Ltd, Russia)
I strongly recommend blocking traffic to that IP address. The payload is the Dridex banking trojan."
* https://www.hybrid-analysis.com/sample/89f5ad1914f34c192f93d72db0e0f98befd5e55ee862e66ccc621dd0d0b61af9?environmentId=1

** https://www.virustotal.com/en/file/1beda47146b1dd7a2ca7210e83bec3b1bc45c51f9eb97ece446983e6324741cc/analysis/1447152223/
TCP connections
89.108.71.148: https://www.virustotal.com/en/ip-address/89.108.71.148/information/
191.234.4.50: https://www.virustotal.com/en/ip-address/191.234.4.50/information/

*** https://malwr.com/analysis/MjI4MmQzNWVlMzFhNGE0Yjk2MmFhMDgzOTM5MmZjYTA/
___

Linux Encoder victims catch a lucky break: flaw in the malware
- http://net-security.org/malware_news.php?id=3151
10.11.2015 - "... the good news is that the malware makers have made a mistake that allowed Bitdefender researchers to recover the AES encryption key without having to decrypt it with the RSA private key held by the criminals... "We looked into the way the key and initialization vector are generated by reverse-engineering the Linux.Encoder.1 sample in our lab," they added. "We realized that, rather than generating secure random keys and IVs, the sample would derive these two pieces of information from the libc rand() function seeded with the current system timestamp at the moment of encryption. This information can be easily retrieved by looking at the file’s timestamp. This is a huge design flaw that allows retrieval of the AES key without having to decrypt it with the RSA public key sold by the Trojan’s operator(s)." This knowledge allowed them to create an effective decryption script, and given that this piece of ransomware targets more tech savvy users, they should not have a problem deploying it (check out this blog post* for the download link and instructions on how to use it)... They advised users never to run applications that they don’t completely trust, and to backup often - and keep the backup away from the system. In this particular case, that was the initial way to avoid paying the ransom, as the Trojan also encrypted backups found on the server."
* http://labs.bitdefender.com/2015/11/linux-ransomware-debut-fails-on-predictable-encryption-key/
___

Fake 'PO99631' SPAM - xls malware
- http://myonlinesecurity.co.uk/po99631-mark-singleton-gilkes-pumping-systems-direct-excel-xls-spreadsheet-malware/
10 Nov 2015 - "An email with the subject of 'PO99631' pretending to come from Mark Singleton <m.singleton@ gilkes .com> with a malicious Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
Please find PO99631 attached.
Kind Regards
Mark Singleton Sourcing Specialist Gilkes Pumping Systems Direct: +44 (0) 1539 790051
Tel: +44 (0) 1539 720028 Fax: +44 (0) 1539 732110 Gilbert Gilkes & Gordon Ltd ・Kendal ・Cumbria ・LA9 7BZ・United Kingdom
Registered Office: Gilbert Gilkes & Gordon Ltd. Kendal, Cumbria, LA9 7BZ Registration No: 173768 England & Wales

10 November 2015 : 99631 RBE.xls - Current Virus total detections 4/42*
... Same Dridex banking malware is downloaded as described in today’s earlier malspam run of malicious office documents**..."
* https://www.virustotal.com/en/file/89f5ad1914f34c192f93d72db0e0f98befd5e55ee862e66ccc621dd0d0b61af9/analysis/1447173398/

** http://myonlinesecurity.co.uk/itinerary-c003ns39-clicktravel-com-excel-xls-spreadsheet-malware/
___

Fake 'PayPal' SPAM - PDF malware
- http://myonlinesecurity.co.uk/your-paypal-extras-mastercard-bill-payment-has-been-sent-fake-pdf-malware/
9 Nov 2015 - "An email with the subject of 'Your PayPal Extras MasterCard bill payment' has been sent pretending to come from admin@ eight-point .com with a zip attachment is another one from the current bot runs... The content of the email says :
Hello customer,
Your payment for 654.35 USD has been sent.
Recipient: PayPal Extras MasterCard® Payment Method: Echeck Payment Amount: 654.35 USD Payment Date: Mon, 09 Nov 2015 22:04:27 +0100 Details in the attachment
Thanks for choosing the PayPal Extras MasterCard®.
Sincerely, PayPal ...
PayPal Email ID PP0822 – yrV3fNFlU5JL13 ...

9 November 2015: firm prices swordplay.zip: Extracts to: 353444754788.exe
Current Virus total detections 8/54* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/a5ea7f981a3bcba7886e398753e3ccf8021958ce670c2ce76681c064c7a5669f/analysis/

:fear::fear: :mad:

FYI...

Fake 'scanner' SPAM - xls macro malware
- http://myonlinesecurity.co.uk/scanneryour-own-email-domain-email-sent-from-aficio-mp-c5000-excel-xls-spreadsheet-malware/
11 Nov 2015 - "An email with -no- subject pretending to come from a scanner at your own email domain about a document from 'Aficio MP C5000' with a malicious Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
This E-mail was sent from “RNPF137EA” (Aficio MP C5000).
Scan Date: Wed, 11 Nov 2015 12:53:35 +0300
Queries to: scanner@ [redacted]

11 November 2015: 20151029110925329.xls - Current Virus total detections 4/54*
... downloads http ://conesulmodelismo .com.br/87yte55/6t45eyv.exe ... likely to be Dridex banking malware although completely undetected at the moment (VirusTotal 0/54**)... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents appear to be blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/protected-view-macros_21-1024x412.png
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/b2818610715f6e8e9a480b8fb731b1408be157a7f75ca36f0dd34efd28598822/analysis/1447235888/

** https://www.virustotal.com/en/file/a0ba8ae36f33597858d12db1ed576d1b9278d41b58d29d984b4b753d6570e5e9/analysis/1447236803/
TCP connections
95.154.203.249: https://www.virustotal.com/en/ip-address/95.154.203.249/information/
8.253.82.142: https://www.virustotal.com/en/ip-address/8.253.82.142/information/

conesulmodelismo .com.br: 200.169.17.48: https://www.virustotal.com/en/ip-address/200.169.17.48/information/
___

Fake 'PayPal' refund SPAM - malicious link
- http://blog.dynamoo.com/2015/11/malware-spam-refund-from-bowater.html
11 Nov 2015 - "This -fake- PayPal email leads to malware:
From: service@ paypal .co.uk
Date: 11 November 2015 at 16:27
Subject: Refund from Bowater Incorporated
Bowater Incorporated has just sent you a refund
Wed, 11 Nov 2015 17:27:26 +0100
Transaction ID: 47E30904DC4145388
Dear Customer,
Bowater Incorporated has just sent you a full refund of £7849.90 GBP for your purchase.
If you have any questions about this refund, please contact Bowater Incorporated
The refund will go to your PayPal account. It may take a few moments for this transaction to appear in your account.
To see all the transaction details, please download and view from the link below ...
Merchant information
Bowater Incorporated Note from merchant
None provided
Original transaction details
Description Unit price Qty Amount
Purchase from Bowater Incorporated £7849.90 GBP 1 £7849.90 GBP
Insurance: ----
Total: £7849.90 GBP
Refund to PayPal Balance: £7849.90 GBP
Invoice Number: 59266315
Yours sincerely,
PayPal ...

The -link- in the email goes to a download location at sharefile .com which leads to a file transaction details.zip containing a malicious executable 'transaction details.scr'. This binary has a VirusTotal detection rate of just 1/55*. The Hybrid Analysis report** shows network traffic consistent with Upatre download the Dyre banking trojan. One key IP address in 197.149.90.166 (Cobranet, Nigeria) which is well worth blocking."
* https://www.virustotal.com/en/file/6193e4256d68b6f21dd3cd165cc25b9d1502dbff5c8613fd0b63584cc3301fd3/analysis/1447260291/

** https://www.hybrid-analysis.com/sample/6193e4256d68b6f21dd3cd165cc25b9d1502dbff5c8613fd0b63584cc3301fd3?environmentId=1

- http://myonlinesecurity.co.uk/refund-from-agco-corporation-paypal-fake-pdf-malware/
11 Nov 2015 - "An email that looks like it comes from -PayPal- with the subject of 'Refund from AGCO Corporation' pretending to come from service@ paypal .co.uk with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/11/Refund-from-AGCO-Corporation-1024x544.png

11 November 2015: transaction details.zip: Extracts to: transaction details.scr
Current Virus total detections 1/53* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/6193e4256d68b6f21dd3cd165cc25b9d1502dbff5c8613fd0b63584cc3301fd3/analysis/1447256652/
___

Fake 'Invoice' SPAM - malicious attachment
- http://blog.dynamoo.com/2015/11/malware-spam-invoice-si823610-from.html
11 Nov 2015 - "This -fake- invoice does not come from OfficeFurnitureOnline .co.uk but is instead a simple -forgery- with a malicious attachment.
From accounts [accounts@ equip4work .co.uk]
Date Wed, 11 Nov 2015 14:54:33 +0400
Subject Invoice SI823610 from OfficeFurnitureOnline .co.uk Order Ref 4016584
Please find attached a sales invoice from OfficeFurnitureOnline .co.uk.
This email address is only for account enquiries, please check your confirmation
for any information regarding the order details or delivery lead times.
Thank you for your order.

Attached is a file SI823610.XLS which I have seen only one version of in several samples of the email. Usually there are different variants. In this case, the spreadsheet contains this malicious macro... and has a VirusTotal score of 4/54*. According to this Hybrid Analysis report** it then downloads a malicious binary from:
kdojinyhb .wz.cz/87yte55/6t45eyv.exe
In turn, this binary has a detection rate of zero***. Those two reports plus this Malwr report[4] show between them malicious traffic to the following IPs:
95.154.203.249 (Iomart / Rapidswitch, UK)
182.93.220.146 (Ministry Of Education, Thailand)
89.32.145.12 (Elvsoft SRL / Coreix , Romania / UK)
The payload is the Dridex banking trojan.
Recommended blocklist:
95.154.203.249
182.93.220.146
89.32.145.12
wz.cz "
* https://www.virustotal.com/en/file/173189a2f4247f80faf91e160294099f12fa8718659a2633e662fbd9d03280c6/analysis/1447239924/

** https://www.hybrid-analysis.com/sample/173189a2f4247f80faf91e160294099f12fa8718659a2633e662fbd9d03280c6?environmentId=1

*** https://www.virustotal.com/en/file/a0ba8ae36f33597858d12db1ed576d1b9278d41b58d29d984b4b753d6570e5e9/analysis/1447240051/
TCP connections
95.154.203.249: https://www.virustotal.com/en/ip-address/95.154.203.249/information/
8.253.82.142: https://www.virustotal.com/en/ip-address/8.253.82.142/information/

4] https://malwr.com/analysis/YjVhM2M1MmQ1NzQ5NGM2Yzk4MGEzY2NkNzk3MTQ5ZDI/
___

Anti-Virus alone is not enough ...
- https://blog.malwarebytes.org/security-threat/2015/11/three-reasons-why-anti-virus-alone-is-no-longer-enough/
Nov 11, 2015 - "... The malware ecosystem has changed drastically in the past 10 years, to the point that the old precautions are just no longer enough. Here are the three top reasons for this:
• You don’t have to click to get hit. In the past, it was sufficient to simply avoid clicking on suspect links or visiting bad sites. This is no longer the case because of new attack vectors like malvertising. In a malvertising attack, a legitimate site unknowingly pulls malicious content from a bad site, and the malicious content seeks ways (often exploits) to install itself on your computer. You may have heard these attacks called “drive by downloads.” Just by visiting a good site on the wrong day, you get infected...
• Traditional AV response times to new threats are too slow. According to data compiled by Panda Research, traditional AV only stops 30-50 percent of new zero-hour malware when it’s first seen. A few take up to eight hours to reach even the 90 percent level, with the majority needing a full 24 hours. And it takes them a full seven days to get to the high 90’s. That’s a whole lot of time to be missing protection. A recent study by the Enterprise Strategy Group showed that almost -half- of the enterprises polled had suffered a successful malware attack even though they were running anti-virus.
• Exploits are everywhere. Many software products, notably including Java and Flash, were designed in an era when computer security was a much less serious concern. And the worst part of exploit based malware is that the time from the initial exploit to detection and remediation – is on average almost a year...
... we believe in what’s called a layered approach to security.
• The layered approach is just like using a seat belt and an airbag – they both help keep you safe, but they work in different ways. In layered security, you don’t put all your eggs in the AV basket – you use multiple types of defense, each of which has its own strengths, and does different things. An anti-malware program is a zero-day focused, lightweight product that works with your traditional anti-virus product to block threats that AV misses. An anti-exploit program takes a different – yet still complimentary – approach. While anti-malware concerns itself with the what – files, URLs, domains, and so forth, anti-exploit worries about the how. How is a particular application behaving, and is it only performing actions which are expected? Using advanced behavior analysis, anti-exploit can stop a compromise at the beginning of the attack chain, rather than waiting until malware is already installed. And of course, you can augment your vendor provided protection by simply maintaining your computer according to the Three Basic Rules of Online Security, written by expert Brian Krebs:
• Don’t install software you didn’t explicitly request
• Keep your installed software up to date
• If you no longer need a piece of software, uninstall it..."

:fear::fear: :mad:

FYI...

Fake 'Invoice' SPAM - xls malware
- http://myonlinesecurity.co.uk/debbie-haydon-mvmilk-co-uk-invoice-excel-xls-spreadsheet-malware/
12 Nov 2015 - "An email with the subject of 'Invoice' pretending to come from Debbie Haydon <debbie@ mvmilk .co.uk> with a malicious Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
Thank you for your order. Your Invoice – V414980 – is attached.
As agreed this invoice will NOT be sent via post.
If you have any questions regarding the attached invoice please telephone our office on 01708 688422.
kind regards

12 November 2015: V414980.XLS - Current Virus total detections 3/54*
... Downloads Dridex banking malware from:
http ://aniretak .wz.cz/5t546523/lhf3f334f.exe -or-
http ://sanoko .jp/5t546523/lhf3f334f.exe (VirusTotal **)... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents appear to be blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/protected-view-macros_21-1024x412.png
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/b4afaeb8c54b24c0d3de694407ddab56ba68bdd625410a72e6f918a73bf3a41d/analysis/1447326664/

** https://www.virustotal.com/en/file/77eb7b7e4593cffacf7a4f30590f3235bbc00c95e1c99726383c8910eef2dc39/analysis/
TCP connections
95.154.203.249: https://www.virustotal.com/en/ip-address/95.154.203.249/information/
191.234.4.50: https://www.virustotal.com/en/ip-address/191.234.4.50/information/
___

Fake 'Remittance Advice' SPAM - malicious attachment
- http://blog.dynamoo.com/2015/11/malware-spam-remittance-advice.html
12 Nov 2015 - "This fake financial spam does -not- come from Norfolk County Council but is instead a simple -forgery- with a malicious attachment:
From AccountsPayable@ Norfolk .gov.uk
Date Thu, 12 Nov 2015 14:09:46 +0430
Subject Remittance Advice
Dear Sir/Madam,
Please find attached your remittance advice.
Regards,
NCC ...

Attached is a file 6134443_101115_141851.xls which apparently comes in two or three versions, although I have only seen one with a VirusTotal detection rate of 3/54* and containing this malicious macro... These documents then download a malicious binary from:
aniretak .wz.cz/5t546523/lhf3f334f.exe
sanoko .jp/5t546523/lhf3f334f.exe
www .delianfoods .com/5t546523/lhf3f334f.exe
This binary has a VirusTotal detection rate of 3/54**, and that report plus this Hybrid Analysis report*** show malicious traffic to:
95.154.203.249 (Iomart Hosting / Rapidswitch, UK)
182.93.220.146 (Ministry of Education, Thailand)
The payload is the Dridex banking trojan.
Recommended blocklist:
95.154.203.249
182.93.220.146 "
* https://www.virustotal.com/en/file/b4afaeb8c54b24c0d3de694407ddab56ba68bdd625410a72e6f918a73bf3a41d/analysis/1447326664/

** https://www.virustotal.com/en/file/1abf731b8d681d0beccd2eb390be8a61a01bb706a6a625a6d55b5f78a31cb50b/analysis/1447326681/

*** https://www.hybrid-analysis.com/sample/77eb7b7e4593cffacf7a4f30590f3235bbc00c95e1c99726383c8910eef2dc39?environmentId=1
___

Fake 'e-Transfer' SPAM - Dyre banking trojan
- http://blog.dynamoo.com/2015/11/malware-spam-fyi-interac-e-transfer-to.html
12 Nov 2015 - "This -fake- financial spam leads to malware:
From: Bank of Montreal [notify@ payments .interac.ca]
Date: 30 September 2015 at 13:34
Subject: FYI: INTERAC e-Transfer to Guillaume Davis accepted
Dear Customer
The INTERAC e-Transfer for $2997.60 (CAD) you sent to Guillaume Davis was accepted. The transfer is now complete.
Recipient's message: A message was not provided
Thank you for using Bank of Montreal INTERAC e-Transfer Service.
Please follow the link below to download the transaction details ...

The -link- in the email downloads a file INTERAC e-Transfer transaction details.doc which has a VirusTotal detection rate of just 1/53*. Analysis of the malicious code within the downloaded document is pending, however the use of sharefile .com is consistent with the delivery of the Dyre banking trojan."
* https://www.virustotal.com/en/file/fbcd41ac2b4da177e97eb2696703b64c53512ec6aaa7743e4b1feb0c23bfd2ba/analysis/1447342765/

- http://myonlinesecurity.co.uk/fyi-interac-e-transfer-to-rafael-rubery-accepted-royal-bank-of-canada-word-doc-malware/
12 Nov 2015 - "... These are spoofing loads of different Canadian Banks. So far I have also seen Canadian Imperial Bank of Commerce, Royal Bank of Canada, Bank of Montreal all with random names for the recipients of the -fake- INTERAC 'e-Transfer' Service...

12 November 2015: INTERAC e-Transfer transaction details.doc - Current Virus total detections 1/53*
MALWR** which contains an embedded rtf file(VirusTotal 2/54***) , which in turn has an embedded dyre / dyreza banking malware (VirusTotal[4])... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/fbcd41ac2b4da177e97eb2696703b64c53512ec6aaa7743e4b1feb0c23bfd2ba/analysis/1447344188/

** https://malwr.com/analysis/OGUxMTUyM2FlOTQ3NDFmNjk2MTMwNzYzNTQ4NDFkNjI/

*** https://www.virustotal.com/en/file/a4ebe247830b8d831d2bd6a3b5a87686ee1c9cc59077dbcfa71b763b46a6cd01/analysis/1447345292/

4] https://www.virustotal.com/en/file/8ad398c290ca18eed2deab055073f3053fa67d4845736c7be9d1e58e94600632/analysis/1447345341/
___

Buhtrap gang distributed malware thru Ammyy’s remote desktop software
- http://net-security.org/malware_news.php?id=3154
12.11.2015 - "... Researchers noticed in late October that, for about a week, visitors to ammyy .com were downloading an installer that contained malware along with the Ammyy product. While Ammyy Admin is legitimate software, it has a long history of being used by fraudsters, and several security products detect it as a Potentially Unsafe Application. Similarly, Download .com, a major download site, doesn’t provide a direct-download link to Ammyy software to users, instead listing the Ammyy Admin page for information purposes only. However, Ammyy Admin is still widely used: Ammyy’s website lists clients that include TOP500 Fortune companies as well as Russian banks. According to the investigation, -five- different malware families were distributed through Ammyy’s website during the recent incident. The first malware, the Lurk downloader, was distributed on October 26. Next was Corebot on October 29, then Buhtrap on October 30, and finally Ranbyus and Netwire RAT on November 2.
Although these families are not linked, the droppers that could potentially have been downloaded from Ammyy’s website were the same in every case. Thus it is quite possible that the cybercriminals responsible for the website hack sold the access to different groups. Of the malware distributed via Ammyy’s website, of particular interest is the install package used in Operation Buhtrap. “The fact that cybercriminals now use strategic web compromises is another sign of the gap closing between techniques used by cybercriminals and by actors behind so called Advanced Persistent Threats,” said Jean-Ian Boutin, Malware Researcher at ESET."
- http://www.welivesecurity.com/2015/11/11/operation-buhtrap-malware-distributed-via-ammyy-com/

:fear::fear: :mad:

FYI...

'Magnitude EK' activity increases via Malvertising attacks
- https://blog.malwarebytes.org/exploits-2/2015/11/magnitude-exploit-kit-activity-increases-via-malvertising-attacks/
Nov 13, 2015 - "During the past few days we have noticed a higher than usual number of 'malvertising attacks' pushing the Magnitude exploit kit – which had been relatively quiet – to drop ransomware. Magnitude EK is one of those exploit kits we don’t hear about as much in comparison to others such as Angler EK or Nuclear EK. Its unique URL pattern makes it easy to spot from the clutter of network traffic captures because it uses chained subdomains typically ending in a shady Top Level Domain like -pw- (Palau Pacific island)... Perhaps this increased activity is due to the fact that Magnitude EK is the third exploit kit to leverage the latest Flash Player vulnerability (CVE-2015-7645*) recently patched by Adobe... CryptoWall was dropped via two separate malware binaries..."

* Latest Flash version is -19.0.0.245- check yours to avoid trouble:
> https://www.adobe.com/software/flash/about/
___

Fake 'Telstra bill' SPAM - xls malware
- http://myonlinesecurity.co.uk/our-new-telstra-bill-for-account-2000514059862-is-attached-excel-xls-spreadsheet-malware/
13 Nov 2015 - "An email with the subject of 'our new Telstra bill for account 2000514059862 is attached' pretending to come from telstraemailbill_noreply8@ online .telstra .com with a malicious Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/11/Your-new-Telstra-bill-for-account-2000514059862-is-attached-1024x580.png

13 November 2015: TRPB_1_1107991874.pxls - Current Virus total detections 3/54*
... some of these emails have a plxs attachment which I never heard of. It is either a mistake by the malware bot sender or it is a new excel extension that needs a new version of excel to open it. My gut feel is that it was a mistake and the P added in error. Renaming the file to a simple xls makes it work as normal and shows a download of Dridex banking malware from
http ://rgr-sa .ch/~testing/345u754/433fd.exe (VirusTotal 3/53**). Many other copies of the email had a -normal- xls extension... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents appear to be blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/protected-view-macros_21.png
...The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/9ce4022b73e9c9f656de082d6ae6374d1aa4e391ac06597c218a32255b0a4ef4/analysis/1447408547/

** https://www.virustotal.com/en/file/0173188d48bbc9dc5cefb6adb8fd0cd12e546b5c9e87c296fecf7bc102f65293/analysis/1447409290/
TCP connections
78.47.66.169: https://www.virustotal.com/en/ip-address/78.47.66.169/information/
88.221.14.122: https://www.virustotal.com/en/ip-address/88.221.14.122/information/
___

Fake 'Invoice' SPAM - xls malware
- http://myonlinesecurity.co.uk/november-invoice-inv-9771-from-eye-on-books-excel-xls-spreadsheet-malware/
13 Nov 2015 - "An email with the subject of 'November Invoice INV-9771' from 'Eye on Books' pretending to come from Charles Klvana <message-service@ post .xero .com> with a malicious Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
Hi,
Please find attached this months invoice for Xero & Receiptbank software. You’ve completed a direct debit form, so this will have been paid from your nominated account, so please don’t send through payment separately.
Thanks again for your business, it’s greatly appreciated.
Kind regards,
Charles Klvana
EYE ON BOOKS

13 November 2015 : Invoice INV-9771.xls - Current Virus total detections 3/52* ... the same malware downloading the same Dridex banking malware as described in this post**..."
* https://www.virustotal.com/en/file/ceaec1cb1c1b6856cf1f2b607bc1eae7e350ddecd25b7232ff496a34aa688eb2/analysis/1447409851/

** http://myonlinesecurity.co.uk/our-new-telstra-bill-for-account-2000514059862-is-attached-excel-xls-spreadsheet-malware/
___

Fake 'Statements' SPAM - xls malware
- http://myonlinesecurity.co.uk/statements-and-related-documents-for-october-david-bartels-miriam-benda-professionals-ashgrove-excel-xls-spreadsheet-malware/
13 Nov 2015 - "The -third- version of a Dridex dropper today so far is an email with the subject of 'Statement(s) and related document(s) for October' pretending to come from David Bartels <davebartels228@ gmail .com> with a malicious Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
Dear Sir/Madam
Please find attached:
Your Statement(s) and related document(s) for October.
Regards,
Miriam Benda
Professionals Ashgrove

13 November 2015: Mai49621.xls Same malware although -renamed- that downloads the same Dridex banking malware from the same locations as described in today’s earlier malspam runs [1] [2]...
1] http://myonlinesecurity.co.uk/november-invoice-inv-9771-from-eye-on-books-excel-xls-spreadsheet-malware/

2] http://myonlinesecurity.co.uk/our-new-telstra-bill-for-account-2000514059862-is-attached-excel-xls-spreadsheet-malware/
___

Fake 'Invoice' SPAM - doc malware
- http://myonlinesecurity.co.uk/november-invoice-78909675-wahl-canada-word-doc-malware/
13 Nov 2015 - "An email with the subject of 'November Invoice #78909675' pretending to come from Logan Courtney <CourtneyLogan8935@ olivainsurance .com> (probably random, -faked- headers) with a malicious word doc attachment is another one from the current bot runs... The email looks like:
Hello ,
Please review the attached copy of your Electronic document.
A paper copy of this document is being mailed, but this email is being sent in addition for your convenience.
Thank you for your business,
Wahl Canada Inc.
NOTICE OF CONFIDENTIALITY. This communication, including any information transmitted with it, is intended only for the use of the individual(s) to which it is addressed and is confidential. If you are not an intended recipient...

13 November 2015: INVOICE-78909675.doc - Current Virus total detections 0/54*
This has an embedded ole object in base 64 format that I couldn’t manually decode however MALWR** showed it connecting to http ://109.234.37.214 /alikaps/terminator.php where it downloaded ulysse.exe (VirusTotal 1/51***)... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents appear to be blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/protected-view-macros_21-1024x412.png
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/87aa26f16d507f66386c2f1d60f00499aab7aaeeea723d5bb848abbc9f2f4055/analysis/1447416661/

** https://malwr.com/analysis/NWYyMzAwNGM5OTFiNGNmZWI0MTU4MDc2MjFiZjIzMTg/

*** https://www.virustotal.com/en/file/7ce325939050960112a5c038734e6db2ea0789fdacdfa1110b276e78dd192c25/analysis/1447417050/
TCP connections
85.214.152.31: https://www.virustotal.com/en/ip-address/85.214.152.31/information/
191.234.4.50: https://www.virustotal.com/en/ip-address/191.234.4.50/information/

109.234.37.214: https://www.virustotal.com/en/ip-address/109.234.37.214/information/
> https://www.virustotal.com/en/file/e3ea28357fafb0bb70de56983bac7f780c8a5cfd3c784e0965331dd7af3933d2/analysis/
ulysse.exe 0/54
___

Fake 'Payment Confirmation' SPAM - doc malware
- http://myonlinesecurity.co.uk/transaction-and-payment-confirmation-from-spilo-worldwide-word-doc-malware/
13 Nov 2015 - "An email with the subject of 'Transaction and Payment Confirmation' from Spilo Worldwide pretending to come from random names, companies and email addresses with a malicious word doc attachment is another one from the current bot runs... The email looks like:

Transaction and Payment Confirmation from Spilo Worldwide

13 November 2015: Spilo_Worldwide_payment_17650687.doc - Current Virus total detections 0/54*
This is another one of the -new- type macro downloaders that I first saw earlier today that have an embedded base 64 file inside the word doc that uses a post command to a php file on a remote server instead of the more usual -get- to download malware. MALWR analysis shows that this one contacts http ://91.223.88.54 /alikaps/terminator.php to download a different Dridex version by the same file name ulysse.exe from today’s earlier one (VirusTotal 0/54**)... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents appear to be blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/protected-view-macros_21-1024x412.png
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/4e56c84d20accba4f66496221a0d192cd5e7760690f6a9e71fcb3f973b095566/analysis/1447423504/

** https://www.virustotal.com/en/file/e3ea28357fafb0bb70de56983bac7f780c8a5cfd3c784e0965331dd7af3933d2/analysis/1447425228/

91.223.88.54: https://www.virustotal.com/en/ip-address/91.223.88.54/information/
> https://www.virustotal.com/en/file/e3ea28357fafb0bb70de56983bac7f780c8a5cfd3c784e0965331dd7af3933d2/analysis/
ulysse.exe 0/54
... Behavioural information
TCP connections
85.214.152.31: https://www.virustotal.com/en/ip-address/85.214.152.31/information/
> https://www.virustotal.com/en/file/e3ea28357fafb0bb70de56983bac7f780c8a5cfd3c784e0965331dd7af3933d2/analysis/
191.234.4.50: https://www.virustotal.com/en/ip-address/191.234.4.50/information/

:fear::fear: :mad:

FYI...

Fake 'DHL' SPAM - PDF malware
- http://myonlinesecurity.co.uk/dhl-express-credit-card-billing-adjustment-ref-3383095-fake-pdf-malware/
16 Nov 2015 - "... An email with the subject of 'DHL Express – Credit Card Billing Adjustment. Ref# 3383095' pretending to come from eInvoicing <groupadminstubbinsDONOTREPLY@ tnt .com> with a zip attachment is another one from the current bot runs... The content of the email says :
DHL Express Customer:
The attached file details adjustments that have been made to shipping charges originally billed to your credit card. These adjustments are for charges or credits that have occurred after the initial processing of your shipment(s). These adjustments have been applied to your credit card and will appear on your next credit card statement.
All shipments are subject to the terms and conditions contained in the DHL Express Tariff and the DHL Express Terms and Conditions of Service...

16 November 2015: dhl16112015_6987878544212.zip: Extracts to: dhl16112015_6987878544212exe
Current Virus total detections 2/54* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/9eadcc852b87429dfb8c7e61da7951a8fb8c28eb88ec91d90eea290248747dff/analysis/1447663550/
___

Fake 'Toll' SPAM - xls malware
- http://myonlinesecurity.co.uk/toll-ipec-invoicestatement-80458249-excel-xls-spreadsheet-malware/
16 Nov 2015 - "An email with the subject of 'Toll IPEC invoice/statement (80458249)' pretending to come from ipecar@ tollgroup .com with a malicious Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
Please find attached your current Toll IPEC invoice/statement..
Should you have a query with your account, please contact the telephone number detailed on your invoice/statement or email your enquiry to ipecar@ tollgroup .com

16 November 2015 : 80458249_1519.pxls - Current Virus total detections 3/55*
... Downloads Dridex banking malware from http ://gospi .eu/~gospi/45yfqfwg/6ugesgsg.exe (VirusTotal 1/55**)... the xls spreadsheet has been accidentally renamed to pxls, so windows doesn’t know what to do with it. Some versions then were PXLS and some proper XLS... Other download locations include www .kolumbus .fi/~kf0963/45yfqfwg/6ugesgsg.exe and piotrektest .cba .pl/45yfqfwg/6ugesgsg.exe ... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents appear to be blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/protected-view-macros_21-1024x412.png
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/cefc0857a0dda3991bdad3aa3800b1175c96c7acb8feaa6cffed0b79ce649a13/analysis/1447675709/

** https://www.virustotal.com/en/file/46aeb8a5464513ae306610154e55fdcd8646f5d79904d40bc729cf0de7c3e100/analysis/1447675703/
TCP connections
182.93.220.146: https://www.virustotal.com/en/ip-address/182.93.220.146/information/
191.234.4.50: https://www.virustotal.com/en/ip-address/191.234.4.50/information/
___

Fake 'Invoices' SPAM - doc malware
- http://myonlinesecurity.co.uk/accounting-specialist-metropolitan-an-rr-donnelley-company-2-invoices-attached-word-doc-malware/
16 Nov 2015 - "An email with the subject of '2 Invoices Attached' pretending to come from random names, companies and email addresses with a malicious word doc attachment is another one from the current bot runs... The email looks like:
Good morning,
Please see the attached invoices and remit payment according to the terms listed at the bottom of the invoice. If you have any questions please let us know.
Thank you!
Loris Lecomte
Accounting Specialist| Metropolitan, An RR Donnelley Company

16 November 2015 : invoices_59830277.doc - Current Virus total detections 2/55*
... Downloads Dridex banking malware from http ://185.80.53.15 /bermuda/triangle.php and other locations (VirusTotal 2/54**)... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents appear to be blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/protected-view-macros_21-1024x412.png
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/f00bc4f8f7d88fb8866aa98d0eebebca0f2f1210745c33495f4caaf860dfe116/analysis/1447685993/

** https://www.virustotal.com/en/file/2e8a7fe250d97d0157a4ae4c4a675ccf5693db2d5cf2f0409c72e8df835bf94f/analysis/1447692609/
TCP connections
85.214.152.31: https://www.virustotal.com/en/ip-address/85.214.152.31/information/
88.221.14.130: https://www.virustotal.com/en/ip-address/88.221.14.130/information/

185.80.53.15: https://www.virustotal.com/en/ip-address/185.80.53.15/information/
___

Fake 'Remittance' SPAM - doc malware
- http://myonlinesecurity.co.uk/cook-medical-cook-remittance-advice-ach-word-doc-malware/
16 Nov 2015 - "An email with the subject of 'COOK Remittance Advice-ACH' pretending to come from random companies, names and email addresses with a malicious word doc or attachment is another one from the current bot runs... The email looks like:
Please find attached your Remittance Details for the funds that will be deposited to your bank account, PLEASE ALLOW 1-2 BUSINESS DAYS.
Cook Medical is now sending through the bank the addenda information including your remit information.
If you are not seeing your addenda information in your bank reporting you may have to contact your local bank representative.
Accounts Payable

16 November 2015: invoice_details_59282006.doc - Current Virus total detections 3/54*
... Downloads the same Dridex banking malware from the same locations as described in this earlier post**..."
* https://www.virustotal.com/en/file/b284caf6cf031ed3ac01a7149a6779f34be62cce8be132418f83a548603f4b58/analysis/1447694373/

** http://myonlinesecurity.co.uk/accounting-specialist-metropolitan-an-rr-donnelley-company-2-invoices-attached-word-doc-malware/
___

Fake 'DoT' SPAM - xls malware
- http://myonlinesecurity.co.uk/dot-payment-receipt-excel-xls-spreadsheet-malware/
16 Nov 2015 - "An email with the subject of 'DoT Payment Receipt' pretending to come from donotreply@ transport .gov .uk with a malicious Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
[Automated message. Do not reply]
Thank you for your payment. It is important that you print this receipt and record the receipt number as proof of your payment. You may be asked to provide your receipt details should you have an enquiry regarding this payment.
DISCLAIMER
This email and any attachments are confidential and may contain legally privileged
and/or copyright material. You should not read, copy, use or disclose any of the
information contained in this email without authorisation. If you have received it in
error please contact us at once by return email and then delete both emails. There is
no warranty that this email is error or virus free.

16 November 2015: PaymentReceipt.xls - Current Virus total detections 3/53*
... Same downloader that downloads the same Dridex banking malware from different locations as described in today’s other malspam run** ..."
* https://www.virustotal.com/en/file/ae7841ed3c8a41e19ed7c21b3b698cc2a287feadd0f7239057ce9aa4b5f6fd3e/analysis/1447676687/

** http://myonlinesecurity.co.uk/toll-ipec-invoicestatement-80458249-excel-xls-spreadsheet-malware/

- http://blog.dynamoo.com/2015/11/malware-spam-dot-payment-receipt.html
16 Nov 2015 - "... This binary has a detection rate of 3/53* and that VirusTotal report and this Malwr report** indicates malicious traffic to:
182.93.220.146 (Ministry Of Education, Thailand)
78.47.66.169 (Hetzner, Germany)
89.108.71.148 (Agava, Ltd)
221.132.35.56 (Post And Telecom Company, Vietnam)
The payload is the Dridex banking trojan...
Recommended blocklist:
cba.pl
182.93.220.146
78.47.66.169
89.108.71.148
221.132.35.56 "
* https://www.virustotal.com/en/file/e3ac1aa13026feb600371d2ae37a55b682d3efb857dd6573da7987f7c01f52de/analysis/1447681458/

** https://malwr.com/analysis/NDU0ZGQxZjBhOWNkNDZlZGI3Y2FkMjliYTllNzFlMDc/
___

Google ID: Profile Inaccurate – Phish...
- http://myonlinesecurity.co.uk/google-id-profile-inaccurate-phishing/
15 Nov 2015 - "An email saying 'Google ID: Profile Inaccurate' pretending to come from Google Support [secure@ googleaccountaudit .com] is a phishing attempt. One of the major common subjects in this sort of phishing attempt is 'Your password will expire soon' or 'update your email' or 'your profile is inaccurate' or 'needs updating' or something very similar. This one wants your Google Account log in details, name, credit/debit card, birthdate, address, telephone etc. In fact just about everything that will identify you & take over your accounts and identity... The original email looks like:
From: Google Support [mailto: secure@ googleaccountaudit .com]
Sent: 15 November 2015 13:30 To: [REDACTED]
Subject: Google ID: Profile Inaccurate
[redacted] Account Notice
Please confirm your Google Account [redacted]
We have attempted to get in touch with you on three previous occasions with reference to the European Commissions eID service Regulation (EU) N°910/2014 that requires us ‘Google Inc’ to check the authenticity of Google users in Europe. Because your Google account [redacted] has now passed the deadline it’s at risk of termination within 48 hours unless you review your details... We apologize for any inconivnece this may cause but unless this is addressed your Google account [redacted] will be suspended pending deletion from all Google services.
Confirm Google Account
Forgot your password? Reset it now
Sincerely, Google Support Team
© 2015 Google Inc. 3488 Amphitheatre Drive, Mountain View, CA 41845 You [redacted] have received this mandatory email service announcement to update you about important changes to your Google product or account .

... [DO NOT] follow the link, you see a webpage looking like:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/11/Google-ID-Profile-Inaccurate_1-1024x550.png
... If you do fill in the details you get sent on to the next page:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/11/Google-ID-Profile-Inaccurate_2-1024x561.png
All of these emails use Social engineering tricks to persuade you to follow the links or open the attachments that come with the email... make sure you have “show known file extensions enabled“..."
___

MS 'Outlook Web Access' – Phish ...
15 Oct 2015 - "... a lot of phishing attempts against Microsoft Outlook Web Access (Microsoft Outlook Web App (formerly known as Outlook on the Web or Outlook Web Access) is a browser-based email client. Outlook Web App lets you access your Microsoft Exchange Server mailbox from almost any web browser.) These sort of phishing attempts are much harder to protect against, because the OWA web address will -not- be a Microsoft website or any common site name but is normally a subdomain or part of your own company web domain. To make it harder, many companies do have numerous different email domains, so email messages might come from any of the company domains. To make it even more plausible, many companies have policies that insist on a user updating and changing their passwords every 30 or 60 or 90 days... One of the major common subjects in this sort of phishing attempt is Your password will expire soon or update your email or something very similar. This one wants only wants your email log in details...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/11/Your-password-will-expire-soon_email-1024x420.png

... The from address is -spoofed- to read from Administrator <s.moran@ whitgift .co.uk> whereas a very high proportion of them will be spoofed to appear to come from Administrator @ your own email domain. If you are unwise enough to follow the link you see a webpage looking like:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/11/Your-password-will-expire-soon-1024x514.png
... If you do fill in the details you get sent on to the next page saying :
Your information was successfully submitted, please ensure that you entered your email details correctly; to enable us complete your security updates. If you have entered your details wrongly kindly click back and refill in details correctly.
N.B Please be informed that filling in the wrong details will be resulting to the deactivation of your email address.
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/11/Your-password-will-expire-soon2-1024x355.png
All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... Or whether it is a straight forward attempt, like this one, to steal your personal, bank, credit card or email and social networking log in details..."

:fear::fear: :mad:

FYI...

Britain to build cyber attack forces to tackle IS, hackers
- http://www.reuters.com/article/2015/11/17/us-britain-security-cybersecurity-idUSKCN0T604K20151117
Nov 17, 2015 - "British spies are building elite cyber offensive forces to strike at Islamic State fighters, hackers and hostile powers, finance minister George Osborne said on Tuesday after warning militants wanted to launch deadly digital attacks. Islamic State was trying to develop the capability to attack British infrastructure such as hospitals, power networks and air traffic control systems with potentially lethal consequences, Osborne said. In response, Britain will bolster spending on cyber defenses, simplify its state cyber structures and build its own offensive cyber capability to attack adversaries... Britain's new cyber attack forces will be run jointly between GCHQ and the Defence Ministry and will target individual hackers, criminal gangs, militant groups and hostile powers, using a "full spectrum" of actions, Osborne said..."
___

Casino Malvertising Campaign
- https://blog.malwarebytes.org/malvertising-2/2015/11/the-casino-malvertising-campaign/
Nov 17, 2015 - "We identified one of the largest malvertising campaigns in recent months going through -10- different ad domains receiving massive volumes of Internet traffic. Although we only recently uncovered and reported this campaign, telemetry data indicates that it actually started on October 21, making this at least a three-week operation. This malvertising attack preyed on visitors to sketchy websites offering anything from torrents of copyrighted movies, live streams of the latest flicks, or pirated software. The malicious ads would automatically (no click required) redirect users to a casino website used as decoy to silently load malicious iframes from disposable domains which ultimately lead to the Angler exploit kit. In one case, the casino website was a direct gateway to Angler EK. The ad networks were almost all registered via Domains By Proxy LLC, meaning -no- information was available about the registrant but they were all through GoDaddy and on the same ASN: AS15169. This made us believe that they were actually all related to one another. Moreover, one of them, AdCash, did have a point of contact and this is how we were able to report the incidents. A look at some of the stats behind those ad domains shows some staggering numbers. According to SimilarWeb a service that estimates website traffic and provides various analytics, these ad networks generated over 2 -billion- visits in October. To be clear, this is -not- how many people were exposed to malvertising since this only affected a few particular rogue campaigns, and not all campaigns running on these networks... before September, the traffic on those three domains was quasi nonexistent but all of the sudden spiked through the roof for a combined total of over 1 million visits:
> https://blog.malwarebytes.org/wp-content/uploads/2015/11/similarweb.png
... a very large number of people were exposed to malware because of this campaign. Over the three-week course, several different payloads were dropped by Angler EK. We found the infamous CryptoWall ransomware as well as the Bunitu Trojan... We contacted AdCash on November 10th and the following day the malvertising attacks appeared to have stopped. However, on November 14th we observed -another- incident again also using one of the casino websites but with a .space domain now to redirect to Angler EK... We will continue to monitor and report future incidents we encounter via this ad network and take necessary actions to protect our users from malware.
Highlights:
• Torrent, crack, video sites targeted
• Malvertising via AdCash and related networks (> 2 billion traffic)
• Casino websites used a decoy/redirectors ( > 1 million traffic)
• Angler exploit kit
• Over 30 different malware payloads
• Three-week campaign ..."
> https://blog.malwarebytes.org/wp-content/uploads/2015/11/Casino_Flow.png
___

Blackhole EK resurfaces...
- https://blog.malwarebytes.org/exploits-2/2015/11/blast-from-the-past-blackhole-exploit-kit-resurfaces-in-live-attacks/
Nov 17, 2015 - "... a threat actor is using the defunct Blackhole exploit kit in active drive-by download campaigns via -compromised- websites. We noticed Java and PDF exploits collected by our honeypot which we haven’t seen in ages. Looking closer at the structure of this attack, we were surprised when we realized this was the infamous Blackhole. Blackhole’s author, Paunch, was arrested in October 2013 and while criminals kept using the kit for the next few months, the exploits slowly deprecated and lost value because of lack of development. The new drive-by download attacks we caught over the weekend rely on the same structure as the original Blackhole, even reusing the old PDF and Java exploits. The only difference is the malware payload being dropped, which is current and had very -low- detection on VirusTotal... Although the exploits are old, there are probably still vulnerable computers out there who could get compromised. We also noticed that the author behind this Blackhole edition was working on new landing pages, so it is possible there might be additional changes in the future... Indicators of compromise: Server IP: 88.208.0.217 ..."

:fear::fear: :mad:

FYI...

Fake 'Statement' SPAM - xls malware
- http://myonlinesecurity.co.uk/paul-barnett-copy-statement-bausch-lomb-excel-xls-spreadsheet-malware/
18 Nov 2015 - "An email with the subject of 'Copy Statement' pretending to come from Barnett, Paul <Paul.Barnett@ bausch .com> with a malicious Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/11/Copy-Statement-Paul-Barnett-1024x509.png

18 November 2015 : Statement client 0091293(1).xls - Current Virus total detections 4/54*
... Downloads Dridex banking malware from one of these locations http ://www.samsoncontrols .co.uk/h64gf3/89j6cx.exe -or-
http ://iraqiairways .co.uk/h64gf3/89j6cx.exe (VirusTotal 2/39**)
... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents appear to be blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/protected-view-macros_21-1024x412.png
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/e7038a8bf45436ae129f5ca49870675404a1d3af6987e47b6dd8f1b337c11097/analysis/1447836428/

** https://www.virustotal.com/en/file/6c02eed279f26a69678edc7b254316173c79f04a36c6f9fb61701478d318ed40/analysis/1447837417/
TCP connections
182.93.220.146: https://www.virustotal.com/en/ip-address/182.93.220.146/information/
191.234.4.50: https://www.virustotal.com/en/ip-address/191.234.4.50/information/
___

Fake 'Invoices' SPAM – PDF malware
- http://myonlinesecurity.co.uk/cic-invoices-fake-pdf-malware/
18 Nov 2015 - "An email about CIC Group Invoices with the subject of 'Invoices' pretending to come from CIC Group <admin@ cic .fr> with a zip attachment is another one from the current bot runs... The content of the email says:
... Please review the attached invoices and pay them at your earliest convenience. Feel free to contact us if you have any questions.
Thank you.

18 November 2015: facture_37854634_181115.zip: Extracts to: facture_37854634_181115.exe
Current Virus total detections 3/54*
This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/24692e4c3f215a41f6b514efc21549a4fc60b2587c5d79f6954a369b5fed401e/analysis/1447850791/
___

Fake 'invoice' SPAM - doc malware
- http://myonlinesecurity.co.uk/invoice-or-payment-word-doc-malware/
18 Nov 2015 - "An email with random subjects that are 2 or 3 letters and then the word invoice or payment, like 'ZV Payment' or 'MU Invoice' or 'SBN Payment' pretending to come from random names, companies and email addresses with a random named malicious word doc attachment is another one from the current bot runs... The email looks like:
Processing Number: M19Q0R5VG842B
A new Status: Error
Total Amount: 20741.84 Great Britain Pounds
Please click the document attached with this email to see more info.
-Or-
Payment: L6174S1E
Status: Authorised
Transaction Total: 23018.32 GBP
Please click the document attached with this email to get more information.
-Or-
Transaction: S1970110
A new State: Voided
Total Amount: 35079.44 Great Britain Pounds
Please check the file attached with this email to have more info.

18 November 2015: VTJ0W7M7VX5.doc - Current Virus total detections 4/55*
MALWR analysis** shows a connection to http ://classic-eng .com/ge.jpg?7538 and a download AhkD7UHKJjGS08990.exe (VirusTotal 4/55**). Full analysis of this download is pending but is very likely to be Dridex banking malware... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents appear to be blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/protected-view-macros_21-1024x412.png
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/eeb99c54a862b88ab73e5e0369f5c61ca20293f903f08a8d88c562307fc193de/analysis/1447830052/

** https://malwr.com/analysis/OTY2Y2QwMTA0Y2QwNDhhZmJlNmQxMTQxMmU1NWUzMjQ/

*** https://www.virustotal.com/en/file/9c9763f22d9764adcc427fc3d916874de298899a010ed8746745c136149e7834/analysis/1447831128/
TCP connections
78.129.133.249: https://www.virustotal.com/en/ip-address/78.129.133.249/information/
191.234.4.50: https://www.virustotal.com/en/ip-address/191.234.4.50/information/
___

Fake 'Receipt' SPAM - xls malware
- http://myonlinesecurity.co.uk/here-is-your-credit-card-receipt-attached-xls-spreadsheet-malware/
18 Nov 2015 - "An email saying 'Here is your credit card receipt attached' with the subject of 'Receipt' pretending to come from Mike <mike@xencourier .co .uk> with a malicious Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
Hi
Here is your credit card receipt attached. VAT invoice to follw in due course.
Best regards
Mike
This email is free from viruses and malware ...

18 November 2015: scan0001.xls - Current Virus total detections 6/55*
MALWR analysis** shows me that this is the -same- malware dropper attempting to download an updated version of the Dridex banking malware as described in today’s earlier malspam run***
http ://www .samsoncontrols .co .uk/h64gf3/89j6cx.exe (the company has removed the malware and hopefully cleaned and fixed the vulnerabilities that allowed them to be used as a conduit for malware distribution). Warning: there were other locations mentioned earlier that might still be live. The http ://iraqiairways .co.uk/h64gf3/89j6cx.exe is still -live- and giving an updated version (virustotal[4])... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents appear to be blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/protected-view-macros_21-1024x412.png
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/26506a03b76c6244df28db631f94dfd145753431adff482083223146ecb1f91b/analysis/1447851533/

** https://malwr.com/analysis/N2JiNDk1ZjRmZmNkNDE0Nzg3ZjdiZTcwZjE3Zjg4MTM/

*** http://myonlinesecurity.co.uk/paul-barnett-copy-statement-bausch-lomb-excel-xls-spreadsheet-malware/

4] https://www.virustotal.com/en/file/5c71fa337a8d536de1c35b793a52fa88ee2302bfae8a16dd39c40d4115b4e65e/analysis/1447851743/
TCP connections
203.172.180.195: https://www.virustotal.com/en/ip-address/203.172.180.195/information/
8.253.82.62: https://www.virustotal.com/en/ip-address/8.253.82.62/information/

- http://blog.dynamoo.com/2015/11/malware-spam-receipt-mike.html
18 Nov 2015 - "... it has a malicious attachment scan0001.xls which appears to come in at least -three- different versions... These contain a malicious macro... they attempt to download a malicious binary from the following locations:
www .eurocontainers .it/h64gf3/89j6cx.exe
www .asnp .it/h64gf3/89j6cx.exe
www .samsoncontrols .co.uk/h64gf3/89j6cx.exe [file not found]
This binary has a detection rate of 7/54* and that VirusTotal report and this Malwr report** both indicate malicious network traffic to:
203.172.180.195 (Ministry Of Education, Thailand)..."
* https://www.virustotal.com/en/file/5c71fa337a8d536de1c35b793a52fa88ee2302bfae8a16dd39c40d4115b4e65e/analysis/1447858997/
TCP connections
203.172.180.195: https://www.virustotal.com/en/ip-address/203.172.180.195/information/
8.253.82.62: https://www.virustotal.com/en/ip-address/8.253.82.62/information/

** https://malwr.com/analysis/MTU2YTZiMGU3MTc0NGQzODk4MTU1OTNlOTYyMzljZDY/
___

Fake 'InTuIT' SPAM - malware
- http://myonlinesecurity.co.uk/quickbooks-intuit-important-notification-malware/
Nov 18, 2015 - "An email saying you need to update your InTuIT QuickBooks with the subject of 'INTUIT Important Notification' pretending to come from INTUIT QB <qbsupport@ services .intuit .com> with a zip attachment is another one from the current bot runs... Other subjects in this malspam series include:
• INTUIT QB
• INTUIT Please Notify!
• INTUIT QB
• INTUIT QuickBooks
• INTUIT QB Security Warning
• INTUIT Attention
• Intuit QuickBooks Online: Browser Update
• Intuit QuickBooks Online: Supported Browsers
• INTUIT Supported Browsers Update
• INTUIT Security Warning
Other alleged senders include:
• INTUIT QB <services@ quickbooks .intuit .com>
• quickbooks <qbsecuritycenter@ intuit .com>
• INTUIT QB <services@ quickbooks .intuit .com>
• QuickBooks Online <security@ services .qb .intuit .com> ...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/11/INTUIT-Important-Notification-1024x662.png

18 November 2015: INTUIT-Browser-up1247.zip: Extracts to: up1247.exe
Current Virus total detections 2/55*
This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like an icon of an excel file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/48d7e9385ba7708019e1817c6fe76f706bb36dd1433b017b9b6330436efe0606/analysis/1447857402/
TCP connections
89.163.249.75: https://www.virustotal.com/en/ip-address/89.163.249.75/information/
188.247.102.215: https://www.virustotal.com/en/ip-address/188.247.102.215/information/
UDP communications
8.8.8.8: https://www.virustotal.com/en/ip-address/8.8.8.8/information/

- http://blog.dynamoo.com/2015/11/mystery-intuit-quickbooks-spam-leads-to.html
18 Nov 2015 - "... Screenshot:
> https://1.bp.blogspot.com/-jqzrc2_aW3Y/Vkyln1SIkyI/AAAAAAAAHYk/zEfd1xsli1c/s400/intuit.png
The -link- in the email goes to:
kompuser .com/system/logs/update/doc.php?r=download&id=INTUIT-Browser-up1247.zip
This downloads a file INTUIT-Browser-up1247.zip which in turn contains a malicious executable up1247.exe ... which has a VirusTotal detection rate of 2/54*. That VirusTotal report and this Hybrid Analysis report** show that the malware POSTs data to:
onbrk .in/p7yqpgzemv/index.php
The payload is unknown... the same nameservers and have also been used for malicious activity going back to August... Recommended blocklist:
31.210.116.68
188.247.102.215
89.163.249.75
95.173.164.212
kompuser .com
onbrk .in ..."
(More at the dynamoo URL above.)
* https://www.virustotal.com/en/file/48d7e9385ba7708019e1817c6fe76f706bb36dd1433b017b9b6330436efe0606/analysis/1447863072/
TCP connections
89.163.249.75: https://www.virustotal.com/en/ip-address/89.163.249.75/information/
188.247.102.215: https://www.virustotal.com/en/ip-address/188.247.102.215/information/
UDP communications
8.8.8.8: https://www.virustotal.com/en/ip-address/8.8.8.8/information/

** https://www.hybrid-analysis.com/sample/48d7e9385ba7708019e1817c6fe76f706bb36dd1433b017b9b6330436efe0606?environmentId=1

- https://security.intuit.com/alert.php?a=271
11/18/15
- https://security.intuit.com/alert.php?a=270
11/18/15
___

Infoblox - DNS Threat report
- http://net-security.org/malware_news.php?id=3155
18.11.2015 - "The creation of DNS infrastructure by cybercriminals to unleash exploit kits increased 75 percent in the third quarter of 2015 from the same period in 2014, according to Infoblox:
> http://www.net-security.org/images/articles/infoblox-112015.jpg
... Highly skilled attackers can create exploit kits, which are packages for delivering a malware payload, and then sell or rent these toolkits to those with little technical experience - vastly increasing the ranks of malicious attackers capable of going after individuals, businesses, schools, and government agencies. -Four- exploit kits - Angler, Magnitude, Neutrino, and Nuclear - accounted for -96- percent of total activity in the category for the third quarter. Most exploit kit attacks are distributed through spam emails or compromised web sites, or are embedded in online ads. When users click a link in the emails or ads, the exploit kit takes advantage of vulnerabilities in popular software to deliver a malware payload that can perform actions such as planting ransomware, capturing passwords for bank accounts, or stealing an organization’s data. Cybercriminals need the DNS to register domains for building the “drive-by” locations where exploit kits lie in wait for users, and for communicating with command-and-control servers that send instructions to infected devices and extract information..."

> https://www.infoblox.com/dns-threat-index
Video: 2:49

:fear::fear: :mad:

FYI...

Fake 'Shipping notification' SPAM - malicious attachment
- http://blog.dynamoo.com/2015/11/malware-spam-shipping-notification.html
19 Nov 2015 - "This rather terse spam does -not- come from Ceva Logistics but is instead a simple -forgery- with a malicious attachment.
From: noreply@ cevalogistics .com
Date: 19 November 2015 at 10:27
Subject: [Shipping notification] N3043597 (PB UK)

There is -no- body text and the "N" number is randomly generated. All samples I have seen contain a file called shipping-notification.xls which is in the same in all cases, containing this malicious macro... it has a VirusTotal detection rate of 2/54*. The comments on that VirusTotal report plus this Hybrid Analysis report** indicate a malicious binary is downloaded from:
iwcleaner .co.uk/8i65h4g53/o97i76u54.exe
This has an MD5 of e0d24cac5fb16c737f5f016e54292388 and a detection rate of 2/54*** and this Hybrid Analysis report[4] shows malicious traffic to the following IP (which I recommend you block):
182.93.220.146 (Ministry of Education, Thailand)
The payload is almost definitely the Dridex banking trojan."
* https://www.virustotal.com/en/file/f8f6572a592f40a0b1a0c126fc2d4cb45b9cafaf0ccda76b0dfe940e7355531b/analysis/1447929870/

** https://www.hybrid-analysis.com/sample/f8f6572a592f40a0b1a0c126fc2d4cb45b9cafaf0ccda76b0dfe940e7355531b?environmentId=1

*** https://www.virustotal.com/en/file/477887b3807dbeff838f81ef7ad24ab27402dd2835e945bead4379b99b9cf892/analysis/1447930055/
TCP connections
182.93.220.146: https://www.virustotal.com/en/ip-address/182.93.220.146/information/
191.234.4.50: https://www.virustotal.com/en/ip-address/191.234.4.50/information/

4] https://www.hybrid-analysis.com/sample/477887b3807dbeff838f81ef7ad24ab27402dd2835e945bead4379b99b9cf892?environmentId=2
___

Fake 'Google invoice' SPAM - malicious attachment
- http://blog.dynamoo.com/2015/11/malware-spam-your-google-invoice-is.html
19 Nov 2015 - "This -fake- invoice does not come from Google, but is instead a simple -forgery- with a malicious attachment:
From: billing-noreply@ google .com
Date: 19 November 2015 at 12:40
Subject: Your Google invoice is ready
Attached to this email, please find the following invoice:
Invoice number: 1630884720
Due date: 19-Nov-2015
Billing ID: 34979743806
Please follow instructions on the invoice for remitting payment. If you have questions, please contact collections-uk@ google .com.
Yours Sincerely,
The Google Billing Team
Billing ID: 0349-7974-3806

The attachment is named 1630884720.doc which comes in at least two versions (VirusTotal analysis [1] [2]) and which contains a malicious macro... Analysis of the documents is still pending (please check back), although the payload is almost definitely the Dridex banking trojan."
1] https://www.virustotal.com/en/file/bdc8d17deb40bc0f43f2bdc7e4f79941c710db6655604e713b827d8a6406f553/analysis/1447936837/

2] https://www.virustotal.com/en/file/09d966d562b3933398df19c9d153adfa8c72e5040dcb5e9a0366daba2b68aca2/analysis/1447937222/

- http://myonlinesecurity.co.uk/your-google-invoice-is-ready-word-doc-malware/
19 Nov 2015
"19 November 2015: 1630884720.doc - Current Virus total detections 3/54*
... Downloads Dridex banking malware from bhoomiconsultants .com/8i65h4g53/o97i76u54.exe (VirusTotal 1/54**)..."
* https://www.virustotal.com/en/file/bdc8d17deb40bc0f43f2bdc7e4f79941c710db6655604e713b827d8a6406f553/analysis/1447942173/

** https://www.virustotal.com/en/file/5ab7b06d5d7a043726e9b4a23419fec293cea016d2efb1f263b03fb2be3cb03a/analysis/1447944295/
TCP connections
182.93.220.146: https://www.virustotal.com/en/ip-address/182.93.220.146/information/
8.254.218.142: https://www.virustotal.com/en/ip-address/8.254.218.142/information/
___

Fake 'Invoice and VAT Receipt' SPAM - xls malware
- http://myonlinesecurity.co.uk/invoice-and-vat-receipt-edmun11118_181859-accountedmun11118-postcode-anywhere-excel-xls-spreadsheet-malware/
19 Nov 2015 - "An email with the subject of 'Invoice and VAT Receipt EDMUN11118_181859 [Account:EDMUN11118]' pretending to come from support@ postcodeanywhere .com with a malicious Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/11/Invoice-and-VAT-Receipt-EDMUN11118_181859-Account-EDMUN11118-1024x559.png

19 November 2015: EDMUN11118_181859.xls - Current Virus total detections 5/54*
... tries to download Dridex banking malware from http ://lapelsbadges .com/8i65h4g53/o97i76u54.exe which at the present time is not resolving for me. Usually there are several download locations all delivering the same dridex malware... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents appear to be blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/protected-view-macros_21-1024x412.png
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/3e8698c52b6469a78b34a45d504e75beb866c2ccd3a273eb116a0bd342ecc5cb/analysis/1447943292/

- http://blog.dynamoo.com/2015/11/malware-spam-invoice-and-vat-receipt.html
19 Nov 2015 - "... The attachment is EDMUN11118_181859.xls... download(s) a file... has a VirusTotal detection rate of 1/54* and that VirusTotal report indicates it phoning home to:
182.93.220.146 (Ministry Of Education, Thailand)
I strongly recommend that you -block- that IP address. The payload is the Dridex banking trojan..."
* https://www.virustotal.com/en/file/5ab7b06d5d7a043726e9b4a23419fec293cea016d2efb1f263b03fb2be3cb03a/analysis/1447949778/
TCP connections
182.93.220.146: https://www.virustotal.com/en/ip-address/182.93.220.146/information/
8.254.218.142: https://www.virustotal.com/en/ip-address/8.254.218.142/information/
___

Exploit kits... change tactics
- https://isc.sans.edu/diary.html?storyid=20391
Last Updated: 2015-11-19 - "... computers directed to an EK? It often happens through compromised websites. Threat actors compromise legitimate websites, and pages from these compromised servers have injected script that connects the user's computer to an EK server. This happens behind the scenes, and the user is unaware... Threat actors often use another server as a gate between the compromised website and the EK server. I often call it a "redirect" because it redirects traffic from a compromised website to the EK... The gate is most often another compromised website. Less often, the gate is a dedicated server established by the threat actor. At times, threat actors have used Pastebin or a URL shortner like goo.gl as the gate. In some cases, you might find a second or -third- gate before you get to the EK... All of this is transparent to the unsuspecting user. Fortunately, many security professionals study EK traffic. Specific trends are quickly identified, security professionals share the data, and automated detection is usually available within a day or two. Threat actors know this. Criminals occasionally change tactics in how they direct traffic from compromised websites to their EK servers. For example, earlier this week I noticed a change by an actor using Rig EK. On Monday 2015-11-16, this threat actor was using a distinct gate path. By Wednesday 2015-11-18, the gate patterns had distinctly changed... On Monday 2015-11-16, this actor was using a two gates between the compromised website and Rig EK...
> https://isc.sans.edu/diaryimages/images/2015-11-19-ISC-diary-image-01.jpg
On Wednesday 2015-11-18, the same actor had switched to a single gate. These single gates appeared to be hosted on -other- compromised websites...
> https://isc.sans.edu/diaryimages/images/2015-11-19-ISC-diary-image-02.jpg
... The first group of Rig EK intercept came from Monday 2015-11-16. The second group came from Wednesday 2015-11-18. Although I could not identify this actor, the traffic represents the -same- criminal group. I'm basing my assessment on the malware payload. Each payload exhibited the -same- behavior on both occasions... I saw Rig EK and the same post-infection traffic after viewing -more- compromised websites on Wednesday 2015-11-18. You'll find the compromised legitimate website, followed by a single gate. Rig EK was on 46.40.46.146 using the domains ftg .askgreatquestions .com, ghf .askmoregetmore .com -or- erf .closelikeapro .com. Post-infection traffic was seen on 62.76.42.21 using the domain alohajotracks .com, just like we saw before on Monday... I've seen a wide variety of paths from compromised websites to an EK server, so this isn't a comprehensive review on the topic. This is just one example. Don't get me started on -malvertizing- which is a much more complicated chain of events..."
(More detail at the isc URL at the top.)

46.40.46.146: https://www.virustotal.com/en/ip-address/46.40.46.146/information/

62.76.42.21: https://www.virustotal.com/en/ip-address/62.76.42.21/information/

:fear::fear: :mad:

FYI...

Fake 'transfer' SPAM - malicious attachment
- http://blog.dynamoo.com/2015/11/malware-spam-jean-pierre-kibung.html
20 Nov 2015 - "This spam looks like an advanced free fraud, but instead it comes with a malicious attachment. The email appears to originate from within the victim's own domain, but this is a simple -forgery- and does -not- mean that you have been hacked.
From: Jean Pierre Kibungu [jpie.kibungu@ victimdomain]
Date: 20 November 2015 at 09:56
Subject: 0150363108788101_02416060_1.xls
Please find attached the swift of the transfer of $30000.
Kind regards
Jean Pierre Kibungu
INCAT
JEAN PIERRE KIBUNGU AVAR-DA-VISI
GENERAL MANAGER
INCAT OILFIELD LOGISTICS (DRC) LTD
Site:
Mob: + 243 998 01 95 01
Headoffice:
Tel. +44(0) 1534 758859
Fax: +44(0) 1534 758834

The telephone number does match that of a genuine company in Jersey, but they are -not- sending this spam. The attachment is named 0150363108788101_02416060_1.xls and so far I have seen just one version of this with a VirusTotal detection rate of 4/53*. It contains this malicious macro...
UPDATE: Sources tell me there are at least two variants with download locations of:
betterimpressions .com/~impressions/65y3fd23d/87i4g3d2d2.exe
192.186.227.64 /~irma1026/65y3fd23d/87i4g3d2d2.exe
This has an MD5 of d410a45dc4710ea0d383dee81fbbcb6f and a VirusTotal detection rate of 4/52**. According to that VirusTotal report and this Malwr report***, it makes a network connection to:
157.252.245.32 (Trinity College, US)
I strongly recommend that you -block- traffic to that IP."
* https://www.virustotal.com/en/file/5198124f754f016e89dc12f104dc1a0b5a831dc36b469e53f8df2cf86bff4f6b/analysis/1448014325/

** https://www.virustotal.com/en/file/7bbd0d18ce7e8c3388794f5f2a24ff4c6f63a1ce935d3a1f8bf9312480523e32/analysis/1448014994/
TCP connections
157.252.245.32: https://www.virustotal.com/en/ip-address/157.252.245.32/information/
88.221.14.145: https://www.virustotal.com/en/ip-address/88.221.14.145/information/

*** https://malwr.com/analysis/Y2FhM2MzZDE1YjQxNDAzODk5MjE3ZDQ2ODJjZDY2MGM/

- http://myonlinesecurity.co.uk/jean-pierre-kibungu-0150363108788101_02416060_1-xls-excel-xls-spreadsheet-malware/
20 Nov 2015 - "... The email looks like:
Please find attached the swift of the transfer of $30000.
Kind regards
Jean Pierre Kibungu ...

20 November 2015 : 0150363108788101_02416060_1.xls - Current Virus total detections 4/53*
... Analysis of this is pending but is almost certain to be a Dridex banking malware downloader... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents appear to be blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/protected-view-macros_21-1024x412.png
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/e9d4132e9e99e946d8805a824a61f9a624aa0ffc26c2aa5b5a7383edee0a2043/analysis/1448011659/
___

Fake 'Reprint Document' SPAM - doc malware
- http://myonlinesecurity.co.uk/reprint-document-archive-eurocarparts-com-word-doc-malware/
20 Nov 2015 - "A concurrent malspam run involving malicious word docs is an email with the subject of 'Reprint Document archive' pretending to come from tracey.beedles@ eurocarparts .com with a malicious word doc attachment is another one from the current bot runs... The email simply says:
Attached is a Print Manager form.
Format = Word Document Format File (DOC)

20 November 2015 : pmB3A6.doc - Current Virus total detections 4/53*
This also downloads the same Dridex malware from a -different- location irisbordados .com/65y3fd23d/87i4g3d2d2.exe than I saw in the other malspam run**... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents appear to be blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/protected-view-macros_21-1024x412.png
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/8cc83aed3a3080d0b0e699dbfeb1a6d24e59575c1ed5de418967696591d2aa80/analysis/1448020152/

** http://myonlinesecurity.co.uk/jean-pierre-kibungu-0150363108788101_02416060_1-xls-excel-xls-spreadsheet-malware/

- http://blog.dynamoo.com/2015/11/malware-spam-reprint-document-archive.html
20 Nov 2015 - "... if you look at the Hybrid Analysis report* and others, the executable masquerades as mbar.exe / Malwarebytes Anti-Rootkit. The payload is most likely to be the Dridex banking trojan.
Screenshot: https://4.bp.blogspot.com/-VtkH94G_sZM/Vk8dqyZt79I/AAAAAAAAHY8/XE1KJvXAdZ8/s1600/fake-mbar.png
... Recommended blocklist:
157.252.245.32
89.32.145.12 "
* https://www.hybrid-analysis.com/sample/8c4586a133d6631144a0ea720f1bab03c78b2ac677e90a46af14aac0194b92c3?environmentId=1

:fear::fear: :mad:

FYI...

relode .com - SPAM...
- http://blog.dynamoo.com/2015/11/spam-relodecom-and-matt-tant-part-ii.html
21 Nov 2015 - "Matt Tant and the moron spammers from relode .com are at it again.
From: Matt Tant [matthew@ relode .com]
To: "donotemail@ wearespammers .com" [donotemail@ wearespammers .com]
Date: 21 November 2015 at 22:40
Subject: Snagajob integration added
This just in! In addition to our Craigslist and Indeed integrations, we have just pushed an integration with Snagajob! Do you post only on Craigslist, or do you post on multiple job posting sites?...

I've covered these CAN-SPAM busting idiots before*..."
* http://blog.dynamoo.com/2015/11/spam-relodecom-and-matt-tant.html
17 Nov 2015
___

- http://centralops.net/co/DomainDossier.aspx
relode .com
aliases
addresses
198.185.159.144: https://www.virustotal.com/en/ip-address/198.185.159.144/information/
198.185.159.145: https://www.virustotal.com/en/ip-address/198.185.159.145/information/
198.49.23.144: https://www.virustotal.com/en/ip-address/198.49.23.144/information/
198.49.23.145: https://www.virustotal.com/en/ip-address/198.49.23.145/information/

:fear::fear: :mad:

FYI...

WordPress + Angler EK = compromise for some...
- https://blog.malwarebytes.org/hacking-2/2015/11/catching-up-with-the-eitest-compromise-a-year-later/
Nov 23, 2015 - "We are seeing -dozens- of WordPress sites compromised recently with the same malicious code -redirecting- to the Angler exploit kit. The attack involves conditionally embedded large snippets of code at the bottom of the sites’ source page. It is important to stress this is a conditional injection because webmasters trying to identify the issue may -not- see it unless they browse from a fresh IP address and a particular user-agent (Internet Explorer being the most likely to get hit)... The -rogue- code loads a Flash video file from a -suspicious- top-level domain name such as .ga, .tk or .ml which is used to -redirect- visitors to the Angler exploit kit. This is the same attack pattern we documented over a year ago (Exposing the Flash ‘EITest’ malware campaign*)... The latest WordPress version is 4.3.1. This particular ‘EITest campaign’ never actually stopped and saw an increase in the last few months which has been sustained up until now... Angler EK exploits Flash Player... If your WordPress site has been affected, keep in mind that the malicious injected code is just part of the symptoms from having your site hacked. It’s important to identify backdoors, .htaccess modifications as well as the original entry point, by looking at your access and error logs..."
* https://blog.malwarebytes.org/exploits-2/2014/10/exposing-the-flash-eitest-malware-campaign/

Latest Wordpress: https://wordpress.org/news/2015/09/wordpress-4-3-1/

Latest Flash: https://helpx.adobe.com/security/products/flash-player/apsb15-28.html
___

Fake 'Employee Documents' SPAM - xls malware
- http://myonlinesecurity.co.uk/employee-documents-internal-use-pretending-to-come-from-hr-at-your-own-email-domain-excel-xls-spreadsheet-malware/
23 Nov 2015 - "An email with the subject of 'Employee Documents Internal Use' pretending to come from HR at your own email domain or company with a malicious Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
DOCUMENT NOTIFICATION, Powered by NetDocuments
DOCUMENT NAME: Employee Documents
DOCUMENT LINK: [Link removed]
This message may contain information that is privileged and confidential. If you received this transmission in error, please notify the sender by reply email and delete the message and any attachments.

23 November 2015: Employee Documents(1928).xls - Current Virus total detections 4/54*
... Connects to and downloads kunie .it/u654g/76j5h4g.exe. It is very likely that the downloaded malware will be Dridex banking malware, although some antiviruses are indicating a -cryptowall- ransomware (VirusTotal 6/54**)... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents appear to be blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/protected-view-macros_21-1024x412.png
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/3665b64b8d6e58c03be3d19afda66fd778ca3c9794eaecf06a9b882f60967102/analysis/1448270398/

** https://www.virustotal.com/en/file/e55f89332662a8139c37a381fc7d13e660db3b0a34f62a0b2b44be4055686bfb/analysis/1448270247/
TCP connections
89.108.71.148: https://www.virustotal.com/en/ip-address/89.108.71.148/information/
90.84.59.51: https://www.virustotal.com/en/ip-address/90.84.59.51/information/

- http://blog.dynamoo.com/2015/11/malware-spam-employee-documents.html
23 Nov 2014 - "... Attached is a file Employee Documents(1928).xls ... sources tell me that there are -three- different versions downloading from the following locations:
kunie .it/u654g/76j5h4g.exe
oraveo .com/u654g/76j5h4g.exe
www .t-tosen .com/u654g/76j5h4g.exe
The downloaded binary has a detection rate of just 1/54*. That VirusTotal report and this Hybrid Analysis report** show network connections to the following IPs:
89.108.71.148 (Agava Ltd, Russia)
89.32.145.12 (Elvsoft SRV, Romania / Coreix, UK)
157.252.245.32 (Trinity College Hartford, US)
The payload is probably the Dridex banking trojan...
Recommended blocklist:
89.108.71.148
89.32.145.12
157.252.245.32 "
* https://www.virustotal.com/en/file/4e5fa43aa2f95edc99656d9187946e5cf5874b3b4a63b895a0de1f5e61272560/analysis/1448276542/
TCP connections
89.108.71.148: https://www.virustotal.com/en/ip-address/89.108.71.148/information/
8.254.218.126: https://www.virustotal.com/en/ip-address/8.254.218.126/information/

** https://www.hybrid-analysis.com/sample/4e5fa43aa2f95edc99656d9187946e5cf5874b3b4a63b895a0de1f5e61272560?environmentId=1
___

Fake 'UKMail tracking' SPAM - doc malware
- http://myonlinesecurity.co.uk/ukmail-988271023-tracking-information-word-doc-malware/
23 Nov 2015 - "An email with the subject of 'UKMail 988271023 tracking information' pretending to come from no-reply@ ukmail .com with a malicious word doc attachment is another one from the current bot runs... The email looks like:
UKMail Info!
Your parcel has not been delivered to your address November 23, 2015, because nobody was at home.
Please view the information about your parcel, print it and go to the post office to receive your package.
Warranties
UKMail expressly disclaims all conditions, guarantees and warranties, express or implied, in respect of the Service...

23 November 2015: 988271023-PRCL.doc - Current Virus total detections 4/54*
... Connects to & downloads an updated Dridex banking malware from
xsnoiseccs .bigpondhosting .com/u654g/76j5h4g.exe (VirusTotal 3/56**)... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents appear to be blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/protected-view-macros_21-1024x412.png
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/8e2d48a763b0fdfa61a2af12b69a6babe859c4c6347211c6e43f52b5236a914e/analysis/1448280511/

** https://www.virustotal.com/en/file/98700dbf8aab16f57032eb5b49c8c0443d31d6f74eba0bcfcf7b458a740dc03c/analysis/1448282238/
TCP connections
89.108.71.148: https://www.virustotal.com/en/ip-address/89.108.71.148/information/
23.62.99.136: https://www.virustotal.com/en/ip-address/23.62.99.136/information/

- http://blog.dynamoo.com/2015/11/malware-spam-ukmail-988271023-tracking.html
23 Nov 2015 - "... The attachment is named 988271023-PRCL.doc ... This binary has a VirusTotal detection rate of 5/54*. That VirusTotal report plus this Hybrid Analysis report** and Malwr report*** indicate malicious traffic... The payload is likely to be the Dridex banking trojan...
Recommended blocklist:
157.252.245.32
89.32.145.12
89.108.71.148
91.212.89.239
89.189.174.19
122.151.73.216
37.128.132.96
195.187.111.11
37.99.146.27
77.221.140.99
195.251.145.79 "
* https://www.virustotal.com/en/file/98700dbf8aab16f57032eb5b49c8c0443d31d6f74eba0bcfcf7b458a740dc03c/analysis/1448285502/

** https://www.hybrid-analysis.com/sample/98700dbf8aab16f57032eb5b49c8c0443d31d6f74eba0bcfcf7b458a740dc03c?environmentId=1

*** https://malwr.com/analysis/ODJhYmE3NGY1ZDI4NDg3NzlmZjQ1NjM0ZDM2NmFhM2I/
___

Dyreza trojan evolves for Win10
- http://www.itnews.com.au/news/dyreza-trojan-evolves-for-windows-10-412101
Nov 23 2015 - "Notorious banking trojan Dyreza has evolved to target the Windows 10 operating system, according to cyber-security firm Heimdal*. The new feature of this pernicious strain of malware includes support for Windows 10, so cyber-criminals can stay up to date with the developments of their prey as well as the ability to latch on to Microsoft Edge, Window's 10's replacement for the much-maligned internet explorer. Heimdall also noted that this new version of Dyreza “kills a series of processes linked to endpoint security software, in order to make its infiltration in the system faster and more effective”. Nearly 100,000 machines have apparently infected by Dyreza worldwide and Dyreza strains have been developed for just about every kind of Windows operating system in recent memory including Windows 7 through 10 as well as Winserver 2003 and Vista... Occasionally known as -Dyre- this particular trojan digs itself right into a users' browser. From there, it directs users to modified versions of otherwise legitimate webpages. If Dyreza is installed on a computer, it might steal online banking details as a user logs into what they think is a normal online -banking- webpage. It commonly spreads itself in large swathes of phishing emails in a tactic is known as 'spray and pray'. But once Dyreza does hits a target, it collects users data and becomes part of a botnet, allowing the attacker to receive the critical information from many users... The research also notes that this new strain arrives just in time for the holidays, with Christmas, Thanksgiving and more importantly, Black Friday, the US's post-thanksgiving shopping event, just around the corner..."
* https://heimdalsecurity.com/blog/security-alert-new-dyreza-variant-supports-windows-10-edge/
___

Cybercriminal Underground - 2015
- https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/prototype-nation-the-chinese-cybercriminal-underground-in-2015/
Nov 23, 2015 - "... Data leaked in the underground allows cybercriminals to commit various crimes like financial fraud, identity and intellectual property theft, espionage, and extortion. Chinese cybercriminals have managed to enhance the way they share data as seen in the case of SheYun, a search engine created specifically to make leaked data to users available. Over the last few years, we have been keeping track of the shift of prices of goods and services traded in the Chinese underground. Previously, we saw compromised hosts, DDoS attack tools services, and remote access Trojans (RATs) being sold. Today, social engineering tools have been added to the market.
Carding devices: Cash transactions are slowly becoming a thing of the past, as evidenced by the adoption of electronic and mobile payment means.
• PoS skimmers - Tampered PoS devices are sold to resellers who may or may not know that these devices are rigged. Some PoS skimmers come with an SMS-notification feature that allows the cybercriminal to access the stolen data remotely every time the device is used.
• ATM skimmers – Commonly sold on B2B websites, these fraud-enabling devices allowed fraudsters to carry out bank fraud and actual theft. The devices have keypad overlays that are used to steal victims’ PINs.
• Pocket skimmers – These small, unnoticeable magnetic card readers can store track data of up to 2,048 payment cards. They do not need to be physically connected to a computer or a power supply to work. All captured data can be downloaded onto a connected computer..."
___

21% of Brits have been hit by cyber gits
- http://www.theinquirer.net/inquirer/news/2436052/21-percent-of-brits-have-been-hit-by-cyber-gits
Nov 23 2015 - "ACCORDING TO A REPORT from Deloitte*, one in five British people has been the victim of a security breach... The report says that the ongoing explosion in business and consumer data presents an increasingly tempting target for those with evil intent. It warns companies that most consumers expect them to take responsibility for protecting their data. However, it adds that most consumers do not have a clue what that means... 'Our 2015 report found that 84 percent of consumers expect companies to be held responsible for ensuring the security of user data and personal information online'... Deloitte found that two-thirds of punters would pull their personal data out of firms if they could do so easily, while 52 percent are -not- happy with the way their data is used. Only about a third said that they are aware of the fact that their data is taken and used. Thirteen percent were completely clueless on collection. These people are reading the wrong websites..."
* http://www2.deloitte.com/uk/en/pages/consumer-business/articles/consumer-data-under-attack.html

:fear::fear: :mad: