PDA

View Full Version : SPAM frauds, fakes, and other MALWARE deliveries...



Pages : 1 2 3 4 [5] 6

AplusWebMaster
2016-07-04, 15:23
FYI...

Fake 'Scanned image' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/scanned-image-pretending-to-come-from-your-own-email-domain-delivers-locky-2/
4 July 2016 - "An email with the subject of 'Scanned image' pretending to come from random names at your own email domain or company with a malicious word doc macro attachment delivers Locky Ransomware... The email looks like:
From: Random names at your own email domain
Date: Mon 04/07/2016 11:33
Subject: Scanned image
Attachment: 04-07-2016_rndnum(4,9)}}.docm
Image data has been attached to this email.

4 July 2016: 04-07-2016_rndnum(4,9)}}.docm - Current Virus total detections 6/54*
.. MALWR** shows a download from http ://clear-sky .tk/nb4vervge which is Locky Ransomware although not showing in the sandbox analysis. This means that once again the Locky gang have upped the stakes and changed their anti-analysis/ anti-sandbox protections to make it more difficult to detect and protect against (VirusTotal 3/53***).. DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/9b194174fcf4cde35aa6315c7723898602a82e4a114b5e39459b16027aa01eaf/analysis/1467628388/

** https://malwr.com/analysis/ZTJmMTIwODc4NTNlNDA3Y2IyNTAwZGI0NmRlNjAxOTY/
Hosts
213.239.227.58: https://www.virustotal.com/en/ip-address/213.239.227.58/information/
>> https://www.virustotal.com/en/url/252f6babf6a2d0d6cd0658d794021716d56ceaddaf0ea532f7663cf825781d09/analysis/

*** https://www.virustotal.com/en/file/0f3f32f5e9ef01c95c1e7c459fb1ddbaec9fe64382bab16893196e156ea8afad/analysis/1467627485/

:fear::fear: :mad:

AplusWebMaster
2016-07-05, 15:00
FYI...

Fake 'Rechnung' SPAM - downloads Locky
- https://myonlinesecurity.co.uk/rechnung-2016-93910-mpsmobile-gmbh-malspam-delivers-locky-ransomware/
5 July 2016 - "An email partly in German and partly in English pretending to be a-mobile-phone-bill with the subject of 'Rechnung 2016-93910' [random numbered] pretending to come from mpsmobile GmbH <info@ mpsmobile .de> with a zip attachment which downloads Locky ransomware... One of the emails looks like:
From: mpsmobile GmbH <info@mpsmobile .de>
Date: Tue 05/07/2016 10:45
Subject: Rechnung 2016-93910
Attachment: 52751_Rechnung_2016-93910_20160705.zip
Sehr geehrte Damen und Herren, anbei erhalten Sie das Dokument ‘Rechnung 2016-93910′ im PDF-Format. Um es betrachten und ausdrucken zu können, ist der PDF Reader erforderlich. Diesen können Sie sich kostenlos in der aktuellen Version aus dem Internet installieren. Mit freundlichen Grüssen mpsmobile Team ...
Dear Ladies and Gentlemen, please find attached document ”Rechnung 2016-93910’ im PDF-Format. To view and print these forms, you need the PDF Reader, which can be downloaded on the Internet free of charge. Best regards mpsmobile GmbH ...

5 July 2016: 52751_Rechnung_2016-93910_20160705.zip: Extracts to: 63227_2016-53001_20160705.js
Current Virus total detections 23/56*. Payload Security** | MALWR*** was unable to find anything but manual analysis shows a download from http ://brewinbooks .com/98uhnvcx4x (VirusTotal 3/53[4]) which looks like Locky Ransomware but MALWR[5] doesn’t show any activity which is probably due to anti-sandbox protection in the file. Other download locations so far found include:
http ://brazilmart .com/98uhnvcx4x
http ://brewinbooks .com/98uhnvcx4x
http ://thecorporate .gift/98uhnvcx4x
http ://lojaeberlin .com/98uhnvcx4x
http ://topbag .com.au/98uhnvcx4x
http ://hangusaxachtay .com/98uhnvcx4x
http ://flyingcarts .com/98uhnvcx4x
http ://imbagscanta .com/98uhnvcx4x
http ://foxprint .ro/98uhnvcx4x
This is another one of the files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/15c7846d81bfb2b62431d57ee39e12e0cc30ba907d7281a162181c8b430078d1/analysis/1441173827/

** https://www.hybrid-analysis.com/sample/40f5f1188b4f02ec51c5556fd5dd765333daa74cf758dc5dde9a9c6f96dd831c?environmentId=100
Contacted Hosts
79.170.44.88
185.106.122.46
185.106.122.38
192.42.116.41
5.196.70.240

*** https://malwr.com/analysis/MTViYTEyZGNmMTBkNDVmOWFiM2E2ZjE3N2I4MTczNjQ/

4] https://www.virustotal.com/en/file/f7b000420530107cf5c7b82dd5df93345ee8d0e1bb82d73c250be250a2f994e6/analysis/1467711259/

5] https://malwr.com/analysis/MTczYmY2MjM0YTQ5NDA4N2E0MDBmZWMyZGZkNjkyYmI/
___

Fake 'Scanned image' SPAM - leads to Locky
- http://blog.dynamoo.com/2016/07/malware-spam-scanned-image-leads-to.html
5 July 2016 - "This -fake- document scan appears to come from within the victim's own domain but has a malicious attachment.
From: administrator8991@ victimdomain .com
Date: 5 July 2016 at 12:47
Subject: Scanned image
Image data has been attached to this email.

Possibly due to an error in setting up the spam run, there is an attachment named 05-07-2016_rndnum(4,9)}}.docm which contains a malicious macro. We haven't seen much in the way of Word-based malware recently. The two samples I received have VirusTotal detection rates of 5/52* and 6/52**. The Malwr analysis for those samples [1] [2] shows the macro downloading a binary from:
leafyrushy .com/98uhnvcx4x
sgi-shipping .com/98uhnvcx4x
There will be a lot more locations too. This drops a binary with a detection rate of 5/55[3] which appears to be Locky ransomware. Hybrid Analysis[4] shows it phoning home to:
185.106.122.38 (Host Sailor, Romania / UAE)
185.106.122.46 (Host Sailor, Romania / UAE)
185.129.148.6 (MWTV, Latvia)
Host Sailor is a notoriously Black Hat web host, MWTV has is problems too. The payload appears to be Locky ransomware.
Recommended blocklist:
185.106.122.0/24
185.129.148.0/24 "
* https://virustotal.com/en/file/26202e93dc56ac9b3d76cc68c787ad70099aa1ee6b5610277feed23501d8f5ee/analysis/1467721871/

** https://virustotal.com/en/file/34c92160a7456b52d393750f42140070dcc2bc5b61322121d57af1f39507c85c/analysis/1467721877/

1] https://malwr.com/analysis/ZTNkYzVmMGI4MDc2NDM2NWI4ZWIzZDNkZWYzZDliYTM/
Hosts
209.222.76.2

2] https://malwr.com/analysis/Y2RlMTJlYTIyNmNjNDRhOGIyMjc1MjlmMWMwZGJjYjk/
Hosts
160.153.74.199

3] https://virustotal.com/en/file/2a92ef3dd016c5577788ee15a5247368d478fa1128916fd5bae6e194d13634f0/analysis/

4] https://www.hybrid-analysis.com/sample/2a92ef3dd016c5577788ee15a5247368d478fa1128916fd5bae6e194d13634f0?environmentId=100
Contacted Hosts
185.106.122.38
185.106.122.46
185.129.148.6
___

Fake 'Quick cash' fraud SCAM/PHISH
- https://myonlinesecurity.co.uk/fake-invoices-quick-cash-systems-binary-options-fraud-scams/
5 July 2016 - "... Instead of the usual spam emails, we are seeing loads of -fake- invoices, all with links to various companies that pass through or redirect the user to
http ://www.quickcashsystem .biz/?offerID=1062&p=10274a38b6a0b47645075132d8d48c (They are probably affiliate references so the scummy scammers can pay the evil fraudsters who send victims to them). The reference number is different, depending on the “victim’s IP number”. I visited via different proxies and got a different reference number each visit... This all starts off with an email like one of these:
This first one pretends to be an Account Balance Warning from an unnamed bank. All the links go to
http ://beckham7 .com/lists/link.php?M=28914&N=33&L=18&F=H where you are -redirected- (eventually) to
http ://www.quickcashsystem .biz/?offerID=1062&p=102798821e1ff5eaafa8251b9ba26e where a video immediately starts playing offering you, showing you a big mansion, expensive cars and the chance to make $$$$$.

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2016/07/account_balance_beckham7-1024x733.png

This one pretends to be an electronics invoice and at a first quick glance, you could quite easily mistake it for an Ebay invoice and follow the links to see what on earth has happened, because you don’t remember ordering anything. This one leads to http ://a2cd .com/lists/link.php?M=29114&N=33&L=18&F=H which -redirects- to
http ://www.quickcashsystem .biz/?offerID=1062&p=102798821e1ff5eaafa8251b9ba26e :
> https://myonlinesecurity.co.uk/wp-content/uploads/2016/07/fake_invoice_a2cd-1-1024x608.png
This 3rd example is so generic that almost anyone receiving it would click through to see what or how this mistake could have been made. This goes to
http ://steps123 .com/lists/link.php?M=29215&N=41&L=20&F=H and -redirects- to
http ://www.quickcashsystem .biz/?offerID=1062&p=102798821e1ff5eaafa8251b9ba26e :
> https://myonlinesecurity.co.uk/wp-content/uploads/2016/07/fake_invoice_steps123-1024x580.png
You eventually end up on this page, whichever link you follow to start with:
> https://myonlinesecurity.co.uk/wp-content/uploads/2016/07/quick_cash-1024x644.png
If you look at the small print at the very bottom of the page, you just see in very light type a link to disclaimer and privacy:
> https://myonlinesecurity.co.uk/wp-content/uploads/2016/07/QC_disclaimer_link.png
Following the disclaimer link, you get a page that does warn you “The www .quickcashsystem .biz sales video is fictitious and was produced to portray the potential of the www .quickcashsystem .biz 3rd party signals software. Actors have been used to present this opportunity and it should be viewed for entertainment purposes. We do not guarantee income or success, and example results in the video and anywhere else on this website do not represent an indication of future success or earnings.”

quickcashsystem .biz: 5.189.129.65: https://www.virustotal.com/en/ip-address/5.189.129.65/information/
>> https://www.virustotal.com/en/url/67b03071c9f91e74b936f02462d5cf0b15e4d63a5637bdbd26b1db0699660189/analysis/

:fear::fear: :mad:

AplusWebMaster
2016-07-06, 16:30
FYI...

Fake 'random hex numbers' SPAM - Locky ransomware
- http://blog.dynamoo.com/2016/07/malware-spam-with-random-hexadecimal.html
6 July 2016 - "I only have a couple of samples of this very minimalist spam, consisting of just a "Subject" with a random hex number (e.g. 90027696CCCC611D) and a matching .DOCM attachment (e.g. 90027696CCCC611D.docm).
My trusted analysis source (thank you) says that these DOCM files contain a macro (no surprises there) that downloads a binary from the following locations:
blingberry24 .com/90ujn3b8c3
danseduchat .com/90ujn3b8c3
harveyventuresltd .com/90ujn3b8c3
noveltybella .com/90ujn3b8c3
www .proxiassistant-ao .com/90ujn3b8c3
www .sacandolalengua .com/90ujn3b8c3
The payload is Locky ransomware with a detection rate of 3/52*. The same source says that C2 locations are:
89.108.84.42 (Agava JSC, Russia)
148.163.73.29 (GreencloudVPS JSC, Vietnam)
Agava in particular is a regular source of badness, and I would suggest that you consider blocking the entire 89.108.80.0/20 range, or at least this minimum recommended blocklist:
89.108.84.42
148.163.73.29 "
* https://www.virustotal.com/en/file/62224461417f991f95d5ea08ebb19e15434cf0c3d28ae15450c1e4910ea3a2b6/analysis/
___

CryptXXX ransomware updated
- https://isc.sans.edu/diary.html?storyid=21229
2016-07-06 - "When generating exploit kit (EK) traffic earlier today, I noticed a change in post-infection activity on a Windows host infected with CryptXXX ransomware. This happened after an infection caused by Neutrino EK triggered from the pseudoDarkleech campaign:
Flow chart for Neutrino EK/CryptXXX caused by pseudoDarkleech
> https://isc.sans.edu/diaryimages/images/2016-07-06-ISC-diary-image-01.jpg
This morning, the decryption instructions for CryptXXX ransomware looked different. A closer examination indicates CryptXXX has been updated. As I write this, I haven't found anything online yet describing these recent changes, so this diary takes a quick look at the traffic:
An infected Windows desktop from earlier today
> https://isc.sans.edu/diaryimages/images/2016-07-06-ISC-diary-image-02a.jpg
Details: Today's EK traffic was on 198.71.54.211 using the same domain shadowing technique we've seen before from various campaigns using Neutrino EK... Post-infection traffic was over 91.220.131.147 on TCP port 443 using custom encoding, a method CryptXXX has used since it first appeared earlier this year..."
(More detail at the isc URL above.)

198.71.54.211: https://www.virustotal.com/en/ip-address/198.71.54.211/information/
>> https://www.virustotal.com/en/url/f29312944c35b22047bb0a09dc36facaccb5194eb9f0b6f8948dd1f5959dea55/analysis/

91.220.131.147: https://www.virustotal.com/en/ip-address/91.220.131.147/information/
>> https://www.virustotal.com/en/url/049cfa34fa0f42b57ed302ad0bdd43f18bb1e470bf4d24ae22990ff0166a0571/analysis/

:fear::fear: :mad:

AplusWebMaster
2016-07-08, 12:46
FYI...

Fake 'AU Fedcourts' SPAM - Malware
- https://isc.sans.edu/diary.html?storyid=21241
2016-07-08 - "Earlier today people have started reporting that they have received a subpoena email from the Australian Federal courts:
> https://isc.sans.edu/diaryimages/images/Capture.PNG
The email links through to a various compromised sites which -redirect- the user to a federalcircuitcourt .net web server. Once on the web server you are expected to enter a number and the captcha shown before a case.js file is downloaded:
> https://isc.sans.edu/diaryimages/images/fedc-captcha.png
... feel free to -block- the domain federalcircuitcourt .net in your web proxies. This is -not- a legitimate domain. The federal circuit court has issued a media release:
> http://www.federalcircuitcourt.gov.au/wps/wcm/connect/fccweb/about/news/mr080716
'Media Release - Spam Warning...
If you receive one of these emails:
Do not click on any of the links as they may contain viruses or malware
Delete the item from your inbox and Deleted folder...'"

federalcircuitcourt .net: 192.3.21.105: https://www.virustotal.com/en/ip-address/192.3.21.105/information/
>> https://www.virustotal.com/en/url/437315d5d3eb8ca86b5d325d6102eed35c98b653e9eaefeaea99b13046959082/analysis/
104.223.53.210: https://www.virustotal.com/en/ip-address/104.223.53.210/information/
>> https://www.virustotal.com/en/url/1d531d0b87e06a2afb0162cfbc24bb89b6608c6c14a2d8ffb0dea9d95f6badf1/analysis/
___

Malware masquerades as Firefox update
- https://www.helpnetsecurity.com/2016/07/08/kovter-malware-masquerades-firefox/
July 8, 2016 - "Click-ad-fraud Kovter malware, packaged as a legitimate Firefox browser update, is being delivered to unsuspecting victims via drive-by-download attacks. Kovter, which also occasionally installs other malware, has been around for a few years now, and has gone through many changes that keep it a current threat:
> https://www.virustotal.com/en/file/41315d87daabe6080db34b0d2f5d097f2513710c6b1247beee455699b44d827a/analysis/
'firefox-patch.exe
Detection ratio: 27/53 ...'
Users are advised always to be wary of random pop-ups telling them some software needs an update. Most software by now – and popular browsers especially – have in-software mechanisms for downloading and implementing updates. If, for whatever reason, they don’t want to use it, updates should be picked up directly from the vendors’ official websites or from well-reputed download sites..."
___

Crimeware Shake-up ...
- http://blog.talosintel.com/2016/07/lurk-crimeware-connections.html
July 7, 2016 - "For a couple of weeks in June the threat landscape was changed. Several high profile threats fell off the scene, causing a shake-up that hadn't been seen before. For a period of three weeks the internet was safer, if only for a short time. Still to date the Angler exploit kit has not returned and the threat outlook appears to be forever changed... Earlier this month a group of individuals were arrested in Russia. The arrest was linked to a Russian-specific piece of malware named Lurk, a banking trojan that was specifically targeting Russian banks. Due to the malware being restricted to Russia there wasn't a lot of public information regarding the threat itself... The Necurs botnet is back online and delivering both Locky & Dridex. It was down for approximately three weeks, but it's resurgence shows that again these threats are making far too much money to -not- be resilient. In time it's likely all of the major threats that we've seen be hindered or disappear will return:
> https://3.bp.blogspot.com/-bEajbYmyIZE/V31VStnOH4I/AAAAAAAABAw/uJfXE5QrohsFtemH9ZG1LJe4Jwttg_bXwCKgB/s400/CrimewareTimeline_blog.png
... There is no way to say for certain that all of these threats are connected, but there is one single registrant account that owned domains attached to all of them. If this one group was running all of these activities this will likely go down as one of the most significant arrests in the history of cybercrime with a criminal organization that was easily earning hundreds of millions of dollars. However, the celebration will be short lived as we've seen in the past, when a group this size is taken down a vacuum is created. All of these threats will come back, in some form or another, and will have learned from the mistakes of their predecessors. The best evidence of this was the author of Blackhole exploit kit being arrested, for a time there was an arms race between exploit kits to see who would take the top spot. That eventually gave rise to Angler, which took the sophistication of exploit kits and drive-by-downloads to a level not seen with Blackhole. We expect the same thing to occur now as Angler and possibly Nuclear leave the threat landscape. Other lesser known kits will likely try to fill the void, which we have already seen with Rig and Neutrino, as well as the new kits that are likely already under development... despite all the variety and different actors making use of these technologies there potentially was a much smaller group responsible for a far larger chunk of the crimeware space than previously estimated..."
___

Cybercrime surpasses traditional crime in UK
- http://www.darkreading.com/threat-intelligence/cybercrime-now-surpasses-traditional-crime-in-uk/d/d-id/1326208
July 8, 2016 - "Cybercrime is currently outpacing traditional crime in the United Kingdom in terms of impact spurred on by the rapid pace of technology and criminal cyber-capability, according to the UK’s National Crime Agency. The trend suggests the need for a more collective response from government, law enforcement, and industry to reduce vulnerabilities and prevent crime, the NCA report says:
> http://www.nationalcrimeagency.gov.uk/publications/709-cyber-crime-assessment-2016/file
... The UK’s Office of National Statistics included cybercrime for the first time in its 2015 annual Crime Survey of England and Wales. The survey estimated that there are 2.46 million cyber incidents and 2.11 million victims of cybercrime in the UK last year... The assessment shows that cybercrime activity is growing fast and evolving, with the threats from Distributed Denial of Service (DDoS) and ransomware attacks increasing significantly in 2015. The threats from DDoS and ransomware attacks have increased, driven by ready access to easy to-use tools and by wider criminal understanding of its potential for profit through extortion. Ransomware attacks have also increased in frequency and complexity, and now include threats to publish victim data online, as well as the permanent encryption of valuable data, the assessment states. The most advanced and serious cybercrime threat to the UK is the direct or indirect result of a few hundred international cybercriminals who target UK businesses to commit highly profitable, malware-facilitated fraud... Under-reporting continues to obscure the full impact of cybercrime in the UK. This shortfall in reporting hampers the ability of law enforcement to understand the operating methods of cyber criminals and most effectively respond to the threat. As a result, the NCA is urging businesses to view cybercrime not only as a technical issue but as a board-level responsibility, and to make use of the reporting paths available to them, sharing intelligence with law enforcement and each other... most security tools have been reversed-engineered and bypassed by cybercriminal crews. So the emphasis should be on intrusion suppression, where security professionals decrease the dwell time the adversaries have to freely roam their organizations networks..."

Fraud News:
- http://www.actionfraud.police.uk/news

:fear::fear: :mad:

AplusWebMaster
2016-07-12, 15:28
FYI...

Fake 'bill enclosed' SPAM - malspam word doc
- https://myonlinesecurity.co.uk/please-find-the-bill-enclosed-with-this-msg-malspam-word-docs-delivers-unknown-malware/
12 July 2016 - "An email with the subject of 'Re: senders name' pretending to come from random senders with a malicious word doc attachment is another one from the current bot runs... There are a multitude of single line body content with this malspam run. Some of the ones I have seen so far include:
Please find the bill enclosed with this msg. The Payment will be posted in 1 hours.
Please check the IOU attached to this email. The Transfer should appear in 40 minutes.
Check the report enclosed with this msg. The Transaction will be posted in 15 minutes
Find the voucher enclosed with this msg. The Funds will be posted in 5 days
Find the voucher enclosed with this email. The Transfer should appear within 6 hours
Find the invoice attached to this message. The Funds will be posted in 4 days
Please check the report attached to this msg. The Funds will be posted in 5 days
Check the check attached to this email. The Transaction should appear in 3 days
Find the bill enclosed with this msg. The Payment will be posted in 5 days
One of the emails looks like:
From: Lacey Jefferson <kithuat4@ centec .vn>
Date: Tue 12/07/2016 06:34
Subject: Re:Lacey Jefferson
Attachment: MF1H6N-Lacey Jefferson.dotm
Please find the bill enclosed with this msg. The Payment will be posted in 1 hours.

12 July 2016: MF1H6N-Lacey Jefferson.dotm - Current Virus total detections 3/55*
.. MALWR** crashes every time. Hybrid Analysis*** also doesn’t show or give any download or dropped files.
Manual attempts using Libre office also crash LIbre office, so it is possible that either the macro is malformed and not running properly or a new anti-analysis protection or a 0 day is being used
- Update: Manual analysis by one of the analysts on Twitter[4] (thanks) has discovered this download
bring-me .in/su.jpg which is a jpg containing Steganographically embedded malware. We are still waiting for fuller analysis to extract the malware from the jpg file. This is normally done by the macro inside the word doc.
- Further Update: to decode jpg & get the Dridex banking Trojan use offset 0x13CC XOR: 0x68
The jpg looks like this screenshot:
> https://myonlinesecurity.co.uk/wp-content/uploads/2016/07/bring_me_in_su.png
... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/3b1334a3ae259d7becebfbe2d90487df940c04861849559e06bdd8d3d64e214a/analysis/1468303224/

** https://malwr.com/analysis/YTRhZWQ1YzM1NDc1NDQ0ODgyMGRjYzk3Yjk1ZWZmMTg/

*** https://www.hybrid-analysis.com/sample/3b1334a3ae259d7becebfbe2d90487df940c04861849559e06bdd8d3d64e214a?environmentId=100

4] https://twitter.com/malwrhunterteam/status/752757247642566656

bring-me .in: 213.186.33.18: https://www.virustotal.com/en/ip-address/213.186.33.18/information/
>> https://www.virustotal.com/en/url/a81f315f6a16401422308f032d80dd50bea1a1684cac191705da166a3379fdaa/analysis/
___

Fake 'excel file' SPAM - leads to Locky
- http://blog.dynamoo.com/2016/07/malware-spam-heres-that-excel-file.html
12 July 2016 - "This -fake- financial spam leads to Locky ransomware:
From: Benita Clayton
Date: 12 July 2016 at 15:04
Subject: Fw:
hi [redacted],
Here's that excel file (latest invoices) that you wanted.
Best regards,
Benita Clayton
Vice President US Risk Management

Sender details vary from message to message. Attached is a ZIP file containing part of the recipient's email address plus some other elements, within which is a malicious. js script beginning with -SWIFT-. Trusted external analysis (thank you again) shows the scripts download an obfuscated binary... Locky then phones home to one of the following locations:
5.196.189.37 (Just Hosting, Russia / OVH, Ireland)
77.222.54.202 (SpaceWeb CJSC, Russia)
109.234.34.146 (McHost.Ru, Russia)
192.71.249.220 (EDIS, Sweden)
Recommended blocklist:
5.196.189.37
77.222.54.202
109.234.34.0/24
192.71.249.220 "
___

Google notifies users of 4,000 state-sponsored cyber attacks per month ...
- http://www.reuters.com/article/us-google-cyberattack-idUSKCN0ZR2IU
Jul 12, 2016 - "A senior executive of Alphabet Inc's Google unit said on Monday that the company was notifying customers of 4,000 state-sponsored cyber attacks per month... Google senior vice president and Alphabet board member Diane Greene mentioned the figure... The internet search leader, which develops the Android mobile system and also offers email and a range of other applications for consumers, has led the way in notifying users of government spying. Others, including Microsoft Corp, have since followed suit. Google had previously said that it had been issuing tens of thousands of warnings every few months and that customers often upgraded their security in response."
___

Using Process Explorer to detect malware
- https://isc.sans.edu/forums/diary/Process+Explorer+and+VirusTotal/19931
"Did you know you can have all EXEs of running processes scanned with VirusTotal?...
Enable VirusTotal checks... And accept the VirusTotal terms...
(... by default Process Explorer only submits hashes to VirusTotal, not files, unless you explicitly instruct it to submit a file)
... now you can see the VirusTotal scores..."
(More detail at the isc URL above.)
___

Akamai - Network Traffic Overview
> https://www.akamai.com/us/en/solutions/intelligent-platform/visualizing-akamai/real-time-web-monitor.jsp
July 12, 2016 09:10:28 PM GMT - "44% above normal..."

:fear::fear: :mad:

AplusWebMaster
2016-07-13, 19:18
FYI...

Fake ransomware SCAM, malware just deletes victims’ files
Tagged as 'Ranscam', Powershell and script-based malware is a botched smash-and-grab
- http://arstechnica.com/security/2016/07/posing-as-ransomware-windows-malware-just-deletes-victims-files/
Jul 12, 2016 - "... 'Ranscam' is a purely amateur attempt to cash in on the cryptoransomware trend that demands payment for 'encrypted' files that were actually just plain -deleted- by a batch command. 'Once it executes it, it pops up a ransom message looking like any other ransomware', Earl Carter, security research engineer at Cisco Talos, told Ars. 'But then what happens is it forces a reboot, and it just deletes-all-the-files. It doesn't try to encrypt anything — it just -deletes- them all'. Talos discovered* the file on the systems of a small number of customers. In every case, the malware presented exactly the same message, including the same Bitcoin wallet address..."
* http://blog.talosintel.com/2016/07/ranscam.html
July 11, 2016 - "... The unfortunate reality is, all of the user’s files have already been deleted and are unrecoverable by the ransomware author as there is no capability built into Ranscam that actually provides recovery functionality. The author is simply relying on 'smoke and mirrors'. in an attempt to convince victims that their files can be recovered in hopes that they will choose to pay the ransom..."

:fear::fear: :mad:

AplusWebMaster
2016-07-14, 23:37
FYI...

Kovter’s persistence methods
- https://blog.malwarebytes.com/threat-analysis/2016/07/untangling-kovter/
July 14, 2016 - "Kovter is a click-fraud malware famous from the unconventional tricks used for persistence. It hides malicious modules in PowerShell scripts as well as in registry keys to make detection and analysis difficult... Authors of Kovter put a lot of effort in making their malware stealth and hard to detect. During the initial assessment of some of the Kovter samples we could notice that it is signed by valid Comodo certificate (it was stolen, got revoked later)... After the sample gets deployed, Kovter runs PowerShell and installs itself in the system... Observing it via Process Explorer we can find the command passed to PowerShell. It’s purpose is to execute a code stored in an environment variable (names are random, new on each run)... Conclusion: Thanks to the techniques employed by Kovter, no executable needs to be dropped on the disk – that’s why is known as “fileless”. Even the file to which the initial link leaded does not contain any code to be executed. Instead, it is used just for the flow obfuscation. Running it, in reality leads to running the code stored in the registry, that is sufficient to unpack and re-run the real payload. Persistence used by this malware is creatively designed and exceptional in comparison to most of the malware. Not only it is scattered into several layers, but also obfuscated at every stage and containing tricks that slow down the analysis process..."
(More detail at the malwarebytes URL above.)
___

Exploit kits - cyber-crime marketplace
- http://www.theregister.co.uk/2016/07/13/sundown_exploit_kit_updates/
13 Jul 2016 - "Cybercrooks behind the Sundown Exploit Kit are rapidly updating the hacking tool in a bid to exploit a gap in the market created by the demise of the Angler and Nuclear exploit kits. While RIG and Neutrino have been the primary protagonists in the void left by Angler and Nuclear, Sundown is also vying for an increased share in the exploit kit marketplace. Security researchers at Zscaler ThreatLabZ* reckon the miscreants behind Sundown have accelerated the evolution of what started out as a fairly rudimentary exploit kit since the beginning of 2016. The crooks behind Sundown used stolen code from the rival RIG exploit kit for a short time before subsequently knitting together their own code, security researchers at cloud security firm Zscaler ThreatLabZ report. Elements of the latest version of the cybercrime toolkit include an image referencing the self-styled Yugoslavian Business Network – likely a reference to the infamous Russian Business Network cybercrime group... Exploit kits in general are used to booby-trap websites in order to sling malware at visiting surfers through drive-by-download attacks. The tactic relies on exploiting security holes in typically Windows PCs, browser vulnerabilities and (increasingly) Flash flaws."
* https://www.zscaler.com/blogs/research/sundown-chronicles-observations-exploit-kits-evolution

:fear::fear: :mad:

AplusWebMaster
2016-07-16, 15:45
FYI...

Ransomware - Threat Activity Review
- https://atlas.arbor.net/briefs/index#-811293044
July 14, 2016 - "... Analysis: Locky ransomware has seen unprecedented distribution attempts over the last week and coupled with the new ability to encrypt systems -without- an internet connection, will likely see successes not previously seen... While casting a wide distribution net and having a well-coded product make for a great potential return on investment, creating less expensive variants can be profitable too. Stampado*, with its low price, could lead to even more individuals attempting to make money with ransomware. While the overall quality of Stampado has yet to be determined, the price tag will potentially lead to substantial purchases and usage. Understanding these new threats in a timely fashion can allow researchers to create mitigations before these new variants see widespread distribution... Currently, there is no magic one stop fix for ransomware threats. However, companies and individuals can thwart ransomware operations by applying system updates in an expedient manner, avoiding macro-enabled documents, avoiding attachments containing JavaScript and by performing routine backups that are maintained offline."
Source: http://www.inforisktoday.com/researchers-unleash-ransomware-annihilation-a-9255

* https://heimdalsecurity.com/blog/security-alert-stampado-ransomware-on-sale/
___

Neutrino EK adopts IE flaw
- https://www.fireeye.com/blog/threat-research/2016/07/exploit_kits_quickly.html
July 14, 2016 - "A security researcher recently published source code for a working exploit for CVE-2016-0189* and the Neutrino Exploit Kit (EK) quickly adopted it. CVE-2016-0189 was originally exploited as a zero-day vulnerability in targeted attacks in Asia. The vulnerability resides within scripting engines in Microsoft’s Internet Explorer (IE) browser, and is exploited to achieve Remote Code Execution (RCE). According to the researcher’s repository, the open source exploit affects IE on at least Windows 10. It is possible that attackers could use or repurpose the attack for earlier versions of Windows. Microsoft patched CVE-2016-0189 in May on Patch Tuesday**. Applying this patch will protect a system from this exploit...."
* https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0189
Last revised: 05/11/2016

MS16-051: Cumulative Security update for Internet Explorer: May 10, 2016
** https://support.microsoft.com/en-us/kb/3155533
Last Review: 05/10/2016 17:12:00 - Rev: 1.0

:fear::fear: :mad:

AplusWebMaster
2016-07-18, 14:40
FYI...

Fake 'bank account report' SPAM - leads to Locky
- http://blog.dynamoo.com/2016/07/malware-spam-bank-account-report-leads.html
18 July 2016 - "This -fake- financial spam has a malicious attachment:
From "Boyd Dennis"
Date Mon, 18 Jul 2016 11:34:11 +0200
Subject bank account report
How is it going?
Thank you very much for responding my email in a very short time. Attached is the
bank account report. Please look at it again and see if you have any disapproval.
--Yours faithfully,Boyd DennisHSBC HLDGSPhone: +1 (593) 085-57-81, Fax: +1 (593)
085-57-41

The sender name and details vary, although it all follows the same pattern. Attached is a ZIP file containing elements of the recipients email address and some random digits. Contained within is a .wsf script that downloads a file... I don't have a copy of the payload at present, but it does phone home to:
77.222.54.202 (SpaceWeb CJSC, Russia)
91.240.86.221 (JSC Server, Russia)
176.111.63.51 (United Networks Of Ukraine Ltd , Ukraine)
209.126.112.14 (MegaHosterNetwork, Ukraine)
The payload appears to be Locky ransomware.
Recommended blocklist:
77.222.54.202
91.240.86.221
176.111.63.51
209.126.112.14 "

- https://myonlinesecurity.co.uk/bank-account-report-malspam-leads-to-locky-ransomware/
18 July 2016 - "... an email with the subject of 'bank account report' pretending to come from random senders with a zip attachment containing a WSF file which downloads Locky Ransomware... One of the emails looks like:
From: Greta Lowe <Lowe.14640@ swimthebridge .com>
Date: Mon 18/07/2016 09:58
Subject: bank account report
Attachment: rob_22285.zip
Hi
Thank you very much for responding my email in a very short time. Attached is the bank account report. Please look at it again and see if you have any disapproval.

Yours truly,
Greta Lowe
BT GROUP
Phone: +1 (371) 956-22-56, Fax: +1 (371) 956-22-38

18 July 2016: rob_22285.zip: Extracts to: account_report 883.wsf - Current Virus total detections 3/55*
.. MALWR** as usual cannot decode or run these Js or WSF files without crashing due to the protections inside them. Payload Security*** shows a download of an encrypted file from my-result .ru/0j1nlpj8 which has to be decrypted by the WSF file to give ypnI2jnqVVbmiz.exe (VirusTotal 3/54[4])... This is another one of the files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/ee133dcafb4aae3f29d0d636848d21734980566140a62f7e2ee7c651ad6de0e2/analysis/1468832454/

** https://malwr.com/analysis/MzcwMTAyMTM4ZWYzNDZiOWJjYjMxYTQ2Nzc2Y2IwNjM/

*** https://www.hybrid-analysis.com/sample/aafdcd25b0a51d42be128000b0272cba9611d54f2f30aa42179344fc217e5086?environmentId=100
Contacted Hosts
95.163.18.88

4] https://www.virustotal.com/en/file/1c819a611418f8f0b1b7b8bf55a98e57627b7e3da4658c59c75158edb198a49f/analysis/1468832994/

my-result .ru: 95.163.18.88: https://www.virustotal.com/en/ip-address/95.163.18.88/information/
>> https://www.virustotal.com/en/url/05804ee0c5ab3a9316d33972658ddc280ef34b7fc370f4c08d670b3817e1fa7b/analysis/
___

Fake 'Scan**' SPAM - word macro delivers Locky
- https://myonlinesecurity.co.uk/sent-from-my-samsung-device-malspam-word-macro-delivers-locky/
18 July 2016 - "... from THIS earlier Malspam[1] delivering Locky ransomware via WSF files inside a zip we are also seeing a concurrent malspam run using Word Docs with macros. They are very terse and simple emails with a subject of 'Scan******' (random numbers) pretending to come from random senders with a malicious word docm attachment where the attachment name -matches- the subject...
1] https://myonlinesecurity.co.uk/bank-account-report-malspam-leads-to-locky-ransomware/
The email looks like:
From: Lynnette <clearke0303@ vinyl-lps .com>
Date: Mon 18/07/2016 11:28
Subject: SCAN0000467
Attachment: SCAN0000467.docm
Sent from my Samsung device

18 July 2016: SCAN0000467.docm - Current Virus total detections 8/52* - Payload Security** shows a download from yifruit .com/54ghnnuo (VirusTotal 3/55***)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/5f28c7d2d97120d8b403981714f28c064655b33ca06901481e25fba19bd2c7dc/analysis/1468837749/

** https://www.hybrid-analysis.com/sample/5f28c7d2d97120d8b403981714f28c064655b33ca06901481e25fba19bd2c7dc?environmentId=100
Contacted Hosts
211.149.194.192

*** https://www.virustotal.com/en/file/65161b6e1d0da3e51e231eff2dd6ac2b3a7beb3c228c454b65d15a2d8eecc5b3/analysis/1468836377/

yifruit .com: 211.149.194.192: https://www.virustotal.com/en/ip-address/211.149.194.192/information/
>> https://www.virustotal.com/en/url/810282edf4a2621046ea1d5a13233bf6b1c771f2c21a455d06d21bba1b1ecaea/analysis/

- http://blog.dynamoo.com/2016/07/malware-spam-sent-from-my-samsung.html
18 JUuly 2016 - "This rather terse spam has a malicious attachment:
From: Ila
Date: 18 July 2016 at 13:01
Subject: scan0000511
Sent from my Samsung device

The sender and subject vary, but the subject seems to be in a format similar to the following:
scan0000511
SCAN000044
COPY00002802
Attached is a .DOCM file with the -same- name as the subject. Analysis by another party (thank you!) shows the macros in the document downloading... The payload is Locky with a detection rate of 4/53*. It phones home to:
77.222.54.202 (SpaceWeb CJSC, Russia)
91.240.86.221 (JSC Server, Russia)
That's a subset of the IPs found here**, so I recommend you block the following IPs:
77.222.54.202
91.240.86.221
176.111.63.51
209.126.112.14 "
* https://www.virustotal.com/en/file/65161b6e1d0da3e51e231eff2dd6ac2b3a7beb3c228c454b65d15a2d8eecc5b3/analysis/

** http://blog.dynamoo.com/2016/07/malware-spam-bank-account-report-leads.html
___

Compromised Joomla sites are foisting ransomware on visitors
- https://www.helpnetsecurity.com/2016/07/18/compromised-joomla-sites-ransomware/
July 18, 2016 - "Administrators of WP and Joomla sites would do well to check for specific -fake- analytics code injected into their properties, as a ransomware delivery campaign taking advantage of vulnerable sites has been going strong for over a month now... Sucuri CTO Daniel Cid noted*: '... We recommend checking your logs for requests from 46 .183 .219 .91 – if you find requests similar to the ones in this post, consider your website compromised. At this point you should take steps to remove the malware immediately and prevent reinfection.'"
* https://blog.sucuri.net/2016/07/new-realstatistics-attack-vector-compromising-joomla-sites.html

46.183.219.91: https://www.virustotal.com/en/ip-address/46.183.219.91/information/

> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8562
Last revised: 06/28/2016 - "Joomla! 1.5.x, 2.x, and 3.x before 3.4.6... as exploited in the wild in December 2015."
___

'Delilah' – first 'Insider Threat' Trojan
- http://blogs.gartner.com/avivah-litan/2016/07/14/meet-delilah-the-first-insider-threat-trojan/
July 14, 2016 - "Criminal recruitment of insiders is becoming an industry now with the release of a new Trojan called “Delilah”. Delilah recruits targeted insiders via social engineering and/or extortion, sometimes using ransomware techniques... Diskin Advanced Technologies (DAT) reports that the bot is delivered to victims via downloads from multiple popular adult and gaming sites... instructions to victims usually involve usage of VPN services, TOR and comprehensive deletion of browser history (probably to remove audit trails). These -bots- still require a high level of human involvement to identify and prioritize individuals who can be -extorted- into operating as insiders at desirable target organizations. Criminals who want to use the bot can also acquire managed social engineering and fraudster services to help them out, in case they lack those specific skills... Organizations should also seek to prevent endpoints from getting infected in the first place by preventing employees from visiting high risk adult and gaming sites using organizational systems... Conclusion: Insider threats are continuing to increase with active recruitment of insiders from organized criminals operating on the dark web. With Trojans like Delilah, organizations should expect insider recruitment to escalate further and more rapidly. This will only add to the volume of insider threats caused by disgruntled employees selling their services on the Dark Web in order to harm their employers."

:fear::fear: :mad:

AplusWebMaster
2016-07-19, 14:04
FYI...

Fake 'business analysis' SPAM - .wsf script / ransomware
- http://blog.dynamoo.com/2016/07/malware-spam-i-attached-detailed.html
19 July 2016 - "This spam has a malicious attachment. And also mismatched (brackets}.
From "Lynnette Slater"
Date Tue, 19 Jul 2016 10:47:09 +0200
Subject Business Analysis
Message text
I attached the detailed business analysis (updated}
King regards,
Lynnette Slater
Briglin Pottery ...

The message will appear to be "from" different individuals, varying from message to message. However, the main part of the body text is always the same. Attached is a ZIP file containing elements of the recipients email address and some random letters and numbers. I have been unable to obtain a copy of the attachment at the moment, but it is likely to be Locky ransomware and if I get further details I will post them here.
UPDATE: My usual trusted source for analysis (thank you) reports that these ZIP files contain a malicious .wsf script which downloads a component... I don't have a decrypted sample of the binary at present, although the C2 locations are reported as:
77.222.54.202/upload/_dispatch.php (SpaceWeb CJSC, Russia)
194.1.236.126/upload/_dispatch.php (Internet Hosting Ltd, Russia)
185.117.153.176/upload/_dispatch.php (MAROSNET Telecommunication Company, Russia)
176.111.63.51/upload/_dispatch.php (United Networks of Ukraine, Ltd, Ukraine)
Recommended blocklist:
77.222.54.202
194.1.236.126
185.117.153.176
176.111.63.51 "
___

Fake 'documents attached' SPAM - malicious attachment
- http://blog.dynamoo.com/2016/07/malware-spam-documents-natalie-pywell.html
19 July 2016 - "This spam does not come from Abbey Glass UK, but is instead a simple forgery with a malicious attachment:
From Natalie Pywell [Natalie.Pywell6@ abbeyglassuk .com]
Date Tue, 19 Jul 2016 15:27:20 +0530
Subject Documents
Dear Customer
Please find your documents attached.
If you have any questions please reply by email or contact me on 01443 238787.
Kind regards
Natalie Pywell
**This email has generated from an automated system**
This email has been sent via the Fusemail mail filtering service provided by Pro-Copy
Limited

The sender's email address varies somewhat. Attached is a randomly named ZIP file which contains a malicious .js script. Analysis is pending, but it looks like Locky ransomware and is probably similar to the one found in this spam run*."
* http://blog.dynamoo.com/2016/07/malware-spam-i-attached-detailed.html
19 July 2016
___

Fake 'Documents from work' SPAM - leads to Locky
- http://blog.dynamoo.com/2016/07/malware-spam-documents-from-work.html
19 July 2016 - "This rather terse spam appears to come from the victim themselves (but doesn't). It has a malicious attachment.
From: recipient@ victim .tld
To: recipient@victim.tld
Subject: Documents from work.
Date: 19 July 2016 at 12:20

There is -no- body text, however there is an attachment named Untitled(1).docm. Analysis by a trusted source (thank you) indicates that the various versions of this attachment download a component... The dropped payload has a detection rate of 3/54* and it phones home to the following locations:
77.222.54.202/upload/_dispatch.php (SpaceWeb CJSC, Russia)
194.1.236.126/upload/_dispatch.php (Internet Hosting Ltd, Russia)
185.117.153.176/upload/_dispatch.php (MAROSNET Telecommunication Company, Russia)
That's a subset of the locations found here**. The payload is Locky ransomware.
Recommended blocklist:
77.222.54.202
194.1.236.126
185.117.153.176
176.111.63.51 "
* https://www.virustotal.com/en/file/0598ee89f5e6296cb18040e2c62c750a6f74b397742ff58356db99832f17b0db/analysis/

** http://blog.dynamoo.com/2016/07/malware-spam-i-attached-detailed.html
19 July 2016

77.222.54.202: https://www.virustotal.com/en/ip-address/77.222.54.202/information/
>> https://www.virustotal.com/en/url/8d7d192facdb2e47ee213fed5c05498cd0ba802b08464292391da4bd77ccfca9/analysis/
194.1.236.126: https://www.virustotal.com/en/ip-address/194.1.236.126/information/
>> https://www.virustotal.com/en/url/d9f587a2e9b96e23801c339a7c90686db37cabaa19365db157a79cc7f915138c/analysis/
185.117.153.176: https://www.virustotal.com/en/ip-address/185.117.153.176/information/
>> https://www.virustotal.com/en/url/2a4e7a9659f7a07f8626502696eff689e19b4f037673c5e3ef2166601a4d49bd/analysis/
176.111.63.51: https://www.virustotal.com/en/ip-address/176.111.63.51/information/
>> https://www.virustotal.com/en/url/ccd30ca465f6528a2bfeb745d97c5be5fd9f384a065c5255f5b9055fd569b353/analysis/
___

Magnitude EK malvertising not affected by slowdown in EK activity
- https://blog.malwarebytes.com/cybercrime/exploits/2016/07/long-lasting-magnitude-ek-malvertising-campaign-not-affected-by-slowdown-in-ek-activity/
July 19, 2016 - "We have been tracking a malvertising campaign distributing the Cerber ransomware linked to the actor behind the Magnitude exploit kit for months. It will pop on one ad network, then onto another and come back again... Despite a global slowdown in exploit kit activity, this particular distribution channel has remained active and strong... One of this attackers’ favourite spot has been on torrent or streaming sites but also via monetized URL shorteners that use a pay-per-view/click model when people open up a shortened URL and have to wait for an advert to load before getting to their destination. It is no surprise that more ads – and low quality ones especially – means chances of drive-by downloads are dramatically increased... For ad networks to stop this continuing onslaught for good would require no longer accepting risky customers and closing up their platform for arbitrage with unknown buyers. Playing whack-a-mole with crooks wearing many different hats is simply an ineffective solution where malicious ads always end up making it through..."
(Long list of IOC's at the malwarebytes URL above.)

:fear::fear: :mad:

AplusWebMaster
2016-07-20, 15:01
FYI...

Fake 'transaction' SPAM - Java Adwind Trojan
- https://myonlinesecurity.co.uk/java-adwind-trojans-via-fake-transaction-malspam-emails/
20 July 2016 - "Overnight we received 2 separate sets of malspam emails both eventually leading to the same Java Adwind Trojan...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2016/07/Pending-Sendout-Transaction-1024x568.png

Update: I am also getting some of these 'Pending Sendout Transaction' emails coming through pretending to come from amirmuhammed @almuzaniexchange .ae "
Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2016/07/Confirm-To-Release-email-1024x617.png

20 July 2016: Sendout-Copy.zip: Extracts to: Sendout_copy..js - Current Virus total detections 1/54*
.. Payload Security**. This is a JavaScript file that automatically downloads and runs
http ://ebhar .net/css/new_file_jacob.jar Which is the -same- Java Adwind Trojan as the Java.jar file in the second email.

20 July 2016: Sendout-Report.rar: Extracts to: Sendout-Copy.jar - Current Virus total detections 18/55[3]
.. Payload Security [4].
This is another one of the files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/bd16eccb8be7219998fadcc24c64cb67969b88fe69861fe4c83982cb77137624/analysis/1468989481/

** https://www.hybrid-analysis.com/sample/bd16eccb8be7219998fadcc24c64cb67969b88fe69861fe4c83982cb77137624?environmentId=100
Contacted Hosts
216.194.169.160

3] https://www.virustotal.com/en/file/d5fe856f35866dfb0901caf892bc848dd077bf519c413231277d4547ef386201/analysis/1468989622/

4] https://www.hybrid-analysis.com/sample/d5fe856f35866dfb0901caf892bc848dd077bf519c413231277d4547ef386201?environmentId=100

ebhar .net: 216.194.169.160: https://www.virustotal.com/en/ip-address/216.194.169.160/information/
>> https://www.virustotal.com/en/url/5c9f8554fc6204f0a20dd375cba3e3bb5a0d3f57fb088bb48df8d6f9a8459851/analysis/
___

CrypMIC ransomware follows CryptXXX ...
- http://blog.trendmicro.com/trendlabs-security-intelligence/crypmic-ransomware-wants-to-follow-cryptxxx/
July 20, 2016 - "... a new ransomware family that mimics CryptXXX in terms of entry point, ransom notes and payment site UIs. CrypMIC’s perpetrators are possibly looking for a quick buck owing to the recent success of CryptXXX...
Comparison of CrypMIC (left) and CryptXXX (right) ransom notes and user interfaces of their payment sites
> https://blog.trendmicro.com/trendlabs-security-intelligence/files/2016/07/20160718crypmiccryptxxx08.png
CrypMIC and CryptXXX share many similarities; both are spread by the Neutrino Exploit Kit and use the same format for sub-versionID/botID (U[6digits]/UXXXXXX]) and export function name (MS1, MS2). Both threats also employed a custom protocol via TCP Port 443 to communicate with their command-and-control (C&C) servers... The demise of the Angler exploit kit from crypto-ransomware activity has made CryptXXX migrate to Neutrino exploit kit, which have been recently reported to be delivering -other- ransomware families such as CryptoWall, TeslaCrypt, CryptoLocker and Cerber. We have observed that CrypMIC and CryptXXX were distributed by Neutrino interchangeably over the course of a week. CrypMIC was first pushed by Neutrino on July 6th before switching back to delivering CryptXXX 4.001 on July 8th. It started redistributing CrypMIC on July 12th before reverting to CryptXXX the next day. On the same week, Neutrino also distributed Cerber via -malvertising- as well as -other- malware from other cybercriminal groups. By July 14th, Neutrino has started to distribute an apparently newer version of CryptXXX (5.001)... CryptXXX automatically scans the machine for network-drives then proceeds to encrypt files stored on them. CryptXXX 4.001 also downloads and executes an information-stealing module on its process memory — named fx100.dll ... the decryptor created by CrypMIC’s developers has been reported to be not functioning properly. Additionally, paying the ransom only makes businesses and users susceptible to more ransomware attacks. Besides regularly backing up files, keeping systems updated with the latest patches is another means of mitigating the risks of ransomware. A multilayered defense that can secure systems, servers and networks is also recommended..."

> https://www.proofpoint.com/us/threat-insight/post/spam-now-with-side-of-cryptxxx-ransomware
July 14, 2016 - "... detected an email campaign with document attachments containing malicious macros. If opened, these attachments download and install CryptXXX ransomware..."
___

Business sites hijacked to deliver ransomware ...
- http://arstechnica.com/information-technology/2016/07/wave-of-business-websites-hijacked-to-deliver-crypto-ransomware/
7/19/2016, 5:56 PM - "If you've visited the do-it-yourself project site of Dunlop Adhesives, the official tourism site for Guatemala, or a number of other legitimate (or in some cases, marginally legitimate) websites, you may have gotten more than the information you were looking for*. These sites are -redirecting- visitors to a -malicious- website that attempts to install CryptXXX — a strain of cryptographic ransomware first discovered in April. The sites were most likely exploited by a botnet called SoakSoak* or a similar automated attack looking for vulnerable WordPress plugins and other unpatched content management tools, according to a report from researchers at the endpoint security software vendor Invincea**. SoakSoak, named for the Russian domain it originally launched from, has been around for some time and has exploited thousands of websites. In December of 2014, Google was forced to blacklist over 11,000 domains in a single day after the botnet compromised their associated websites by going after the WordPress RevSlider plugin. In this recent wave of compromises, SoakSoak planted code that -redirects- visitors to a website hosting the Neutrino Exploit Kit... Even as those organizations try to regain control of their websites, others are likely to be rapidly compromised because of the vast number of sites that are behind on patching site add-ons like WordPress plugins."
* https://storify.com/BelchSpeak/soaksoak-web-compromises-lead-to-cryptxxx-ransomwa

** https://www.invincea.com/2016/07/major-websites-getting-soaksoakd-delivering-cryptxxx-ransomware/

:fear::fear: :mad:

AplusWebMaster
2016-07-22, 00:34
FYI...

'Authorize your Twitter account' - phishing scam
- https://blog.malwarebytes.com/cybercrime/2016/07/avoid-this-authorize-your-twitter-account-phishing-scam/
July 21, 2016 - "... a phish targeting people who desire Twitter verification. The fake site, located at
twitterverifiy(dot)verifiy(dot)ml
... poses as an app to be authorised, but is simply out to -steal- login credentials. Take note of the rather unique spelling of “verify” in the URL, too:
> https://blog.malwarebytes.com/wp-content/uploads/2016/07/wiki-twitter-phish.jpg
After hitting the “Authorize app” button, the victim is redirected off to the real Twitter website. At this point, the scammers are free to do what they like with the stolen account. One assumes the scammers behind this one aren’t really paying attention to who they send their messages to (and the screenshot cuts off the username of the spam account, so we can’t see what else they’re up to). Suffice to say, if you have your Direct Messages open to all then potentially you could receive a missive such as the one above. Verification has a specific process attached to it, and although it’s currently changing, you definitely won’t get a blue tick next to your Username by giving permission to phish pages posing as non-existent apps. No matter who you are, now matter how involved in issues of privacy and / or security you may be, there’s always the possibility you could get caught out by a clever scam. Keep your wits about you, and steer clear of “too good to be true” offers..."

:fear::fear: :mad:

AplusWebMaster
2016-07-22, 18:28
FYI...

Fake 'sorry' SPAM - malicious attachment
- http://blog.dynamoo.com/2016/07/malware-spam-i-am-truly-sorry-that-i.html
22 July 2016 - "This spam has a malicious attachment:
From: "Lizzie Carpenter"
Subject: sales report
Date: Fri, 22 Jul 2016 21:38:25 +0800
I am truly sorry that I was not available at the time you called me yesterday.
I attached the report with details on sales figures.
Best of luck,
Lizzie Carpenter
SCHRODER GLOBAL REAL ESTATE SEC LTD ...

The sender is randomly generated. Attached is a ZIP file combining elements of the recipients email address and a random number, which in turn contains a malicious .wsf script beginning with "sales report". In a change from recent malware runs, the script does -not- directly download a binary from a remote location but instead has the entire binary executable Base64 encoded in the script. This executable has a detection rate of 4/54* and trusted analysis says that it is Locky ransomware, phoning home to:
77.222.54.202/upload/_dispatch.php (SpaceWeb CJSC, Russia)
194.1.236.126/upload/_dispatch.php (Internet Hosting Ltd, Russia)
185.117.153.176/upload/_dispatch.php (Marosnet, Russia)
176.111.63.51/upload/_dispatch.php (United Networks of Ukraine Ltd, Ukraine)
Recommended blocklist:
77.222.54.202
194.1.236.126
185.117.153.176
176.111.63.51 "
* https://virustotal.com/en/file/c501131d7255725e26cf6351d21261a5bde58e9a996930f435d1008dc26a388c/analysis/1469197692/
___

Fake 'Fedex label' SPAM - .docm leads to Locky
- https://myonlinesecurity.co.uk/please-see-fedex-label-as-attached-mary-leons-airmenzies-com-malspam-leads-to-locky-ransomware/
22 July 2016 - "An email with the subject of 'PO5' pretending to come from Mary Leons <mary.leons@ airmenzies .com> with a malicious word doc attachment which downloads Locky ransomware... The email looks like:
From: Mary Leons <mary.leons@ airmenzies .com>
Date: Fri 22/07/2016 10:04
Subject: PO5
Attachment: 906569711935.docm
Hi
Please see Fedex label as attached
Kindest Regards
Mary Leons
Customer Service Supervisor | Air Menzies International ...

22 July 2016: 906569711935.docm - Current Virus total detections 10/55*
.. MALWR** shows a download from http ://dillerator.chat .ru/09yhbvt4 (VirusTotal 6/53***).
Other download locations for today’s Locky version include [duplicate's removed]:
http ://allmusic .c0.pl/09yhbvt4
allmusic .c0.pl: 95.211.144.65: https://www.virustotal.com/en/ip-address/95.211.144.65/information/
http ://delta5.homepage.t-online .de/09yhbvt4
t-online .de:
2003:2:4:164:217:6:164:162
2003:2:2:40:62:153:159:92
217.6.164.162: https://www.virustotal.com/en/ip-address/217.6.164.162/information/
62.153.159.92: https://www.virustotal.com/en/ip-address/62.153.159.92/information/
http ://dillerator.chat .ru/09yhbvt4
chat .ru: 195.161.119.85: https://www.virustotal.com/en/ip-address/195.161.119.85/information/
http ://files.igamingbusiness .co.uk/09yhbvt4
igamingbusiness .co.uk: 109.108.132.162: https://www.virustotal.com/en/ip-address/109.108.132.162/information/
http ://fotouniek.grafi-offshore .com/09yhbvt4
grafi-offshore .com: 85.214.152.145: https://www.virustotal.com/en/ip-address/85.214.152.145/information/
http ://hxt.50webs .com/09yhbvt4
50webs .com: 198.23.53.64: https://www.virustotal.com/en/ip-address/198.23.53.64/information/
http ://mizosiri3.web.fc2 .com/09yhbvt4
fc2 .com: 52.41.146.181: https://www.virustotal.com/en/ip-address/52.41.146.181/information/
54.187.26.65: https://www.virustotal.com/en/ip-address/54.187.26.65/information/
http ://okumachiryouin.yu-yake .com/09yhbvt4
yu-yake .com: 112.140.42.29: https://www.virustotal.com/en/ip-address/112.140.42.29/information/
http ://pamm-invest .ru/09yhbvt4
pamm-invest .ru: 81.177.135.251: https://www.virustotal.com/en/ip-address/81.177.135.251/information/
http ://tattoo-studio .nl/09yhbvt4
tattoo-studio .nl: 80.69.86.210: https://www.virustotal.com/en/ip-address/80.69.86.210/information/
http ://www.gerichtszeichnungen .de/09yhbvt4
gerichtszeichnungen .de: 2a01:238:20a:202:1148::
81.169.145.148: https://www.virustotal.com/en/ip-address/81.169.145.148/information/
http ://www.moran10.karoo .net/09yhbvt4
karoo .net: Could not find an IP address for this domain name.
http ://www.silvotecna .co.cl/09yhbvt4
silvotecna .co.cl: Could not find an IP address for this domain name.
http ://www.sirigor.republika .pl/09yhbvt4
republika .pl: 213.180.150.17: https://www.virustotal.com/en/ip-address/213.180.150.17/information/

... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/b1f3d540f279d132c4d2f8e25e8bd66a8e76051acad51e071460ff83800bf9d3/analysis/1469178299/

** https://malwr.com/analysis/MjI2YWM0Y2FiZmYzNGYyMDkyZGQ4NDdjODViYmNiOGU/
Hosts
195.161.119.85

*** https://www.virustotal.com/en/file/148aa4934663f9c6581cd65f0d955bd1e635cce4425c853e250b21e3d139e0f8/analysis/1469188310/

dillerator.chat .ru: 195.161.119.85: https://www.virustotal.com/en/ip-address/195.161.119.85/information/
>> https://www.virustotal.com/en/url/b59c269c612e1f898c5f50a723967b6b85208fd6beb71c17e9aa5d878626bb6c/analysis/
___

Fake 'Invoice/Credit/Statement' SPAM - leads to Locky
- https://myonlinesecurity.co.uk/vp-invoicecreditstatement-h10040-malspam-leads-to-locky/
22 July 2016 - "... an email with the subject of 'VP Invoice/Credit/Statement – H10040' pretending to come from Prism Server Account <accounts@ vpplc .com> with a malicious word doc attachment which downloads Locky ransomware...
The email looks like:
From: Prism Server Account <accounts@ vpplc .com>
Date: Fri 22/07/2016 10:27
Subject: VP Invoice/Credit/Statement – H10040
Attachment: INVOICE.DOCM
Please find document(s) attached.
The attached file(s) are in Adobe PDF format. Use Adobe Acrobat Reader or equivalent to view the file(s)...

This attachment downloads the same Locky ransomware as described in this post* from the same locations... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://myonlinesecurity.co.uk/please-see-fedex-label-as-attached-mary-leons-airmenzies-com-malspam-leads-to-locky-ransomware/
___

HelpDesk Upgrade Outlook Web - PHISH
- https://myonlinesecurity.co.uk/ict-helpdesk-upgrade-outlook-web-app-phishing/
22 July 2016 - "... many small companies and even ISPs do outsource IT support and email to 3rd parties and an end user never really is sure who the email provider actually is... slightly more believable than many others and it is quite easy to fall for it...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2016/07/ICT-HelpDesk-Upgrade_email-1024x676.png

The -link- in the email goes to:
http ://xprs.imcreator .com/free/icthelpdesk/password
... which looks like this:
> https://myonlinesecurity.co.uk/wp-content/uploads/2016/07/icthelpdesk_site-1024x535.png "

imcreator .com: 97.74.141.1: https://www.virustotal.com/en/ip-address/97.74.141.1/information/

:fear::fear: :mad:

AplusWebMaster
2016-07-25, 16:12
FYI...

Fake 'Emailing: Photo - Document' SPAM - malicious attachment
- http://blog.dynamoo.com/2016/07/malware-spam-emailing-photo-25-07-2016.html
25 July 2016 - "This spam appears to come from various senders within the victim's own domain, but this is a simple forgery. It has a malicious attachment:
From: Rebeca [Rebeca3@ victimdomain .tld]
Date: 25 July 2016 at 10:16
Subject: Emailing: Photo 25-07-2016, 34 80 10
Your message is ready to be sent with the following file or link
attachments:
Photo 25-07-2016, 34 80 10 ...

Attached is a .rar archive with a name matching the subject. Inside is a malicious .js script beginning with "Photo 25-07-2016".
An alternative -variant- comes with a malicious -Word- document:
From: Alan [Alan306@ victimdomain .tld]
Date: 25 July 2016 at 12:40
Subject: Emailing: Document 25-07-2016, 72 35 48
Your message is ready to be sent with the following file or link
attachments:
Document 25-07-2016, 72 35 48 ...

The attachment is this case is a .DOCM filed named in a similar way as before. This analysis is done by my usual trusted source (thank you). These scripts and macros download a component... The payload here is Locky ransomware, and it phones home to the following addresses:
77.222.54.202/upload/_dispatch.php (SpaceWeb CJSC, Russia)
194.1.236.126/upload/_dispatch.php (Internet Hosting Ltd, Russia)
185.117.153.176/upload/_dispatch.php (Marosnet, Russia)
Recommended blocklist:
77.222.54.202
194.1.236.126
185.117.153.176 "

77.222.54.202: https://www.virustotal.com/en/ip-address/77.222.54.202/information/
>> https://www.virustotal.com/en/url/8d7d192facdb2e47ee213fed5c05498cd0ba802b08464292391da4bd77ccfca9/analysis/
194.1.236.126: https://www.virustotal.com/en/ip-address/194.1.236.126/information/
>> https://www.virustotal.com/en/url/d9f587a2e9b96e23801c339a7c90686db37cabaa19365db157a79cc7f915138c/analysis/
185.117.153.176: https://www.virustotal.com/en/ip-address/185.117.153.176/information/
>> https://www.virustotal.com/en/url/2a4e7a9659f7a07f8626502696eff689e19b4f037673c5e3ef2166601a4d49bd/analysis/

:fear::fear: :mad:

AplusWebMaster
2016-07-26, 15:03
FYI...

Fake 'Attached Image' SPAM - leads to Locky
- http://blog.dynamoo.com/2016/07/malware-spam-attached-image-leads-to.html
26 July 2016 - "This spam appears to come from the user's own email address, but this is just a simple forgery. It has a malicious attachment.
From: victim@ victimdomain .tld
To: victim@ victimdomain .tld
Date: 26 July 2016 at 10:27
Subject: Attached Image ...

Attached is a ZIP file with a name apparently made up of random numbers, containing a malicious .js script with another random number... In this example* the script downloads a malicious binary from:
www .isleofwightcomputerrepairs .talktalk .net/okp987g7v
There will be -many- other scripts with different download locations and perhaps other binaries. The file downloaded is Locky ransomware with a detection rate of 4/54**. The Hybrid Analysis*** for the dropped file shows it phoning home to:
31.41.47.41/upload/_dispatch.php (Relink Ltd, Russia)
91.234.35.216/upload/_dispatch.php (FOP Sedinkin Olexandr Valeriyovuch aka thehost.ua, Ukraine)
Recommended blocklist:
31.41.47.41
91.234.35.216 "
* https://malwr.com/analysis/MWYxYjBhOWQzM2U2NDZkMmJmY2JhNWY0ZmFhZjEzZWY/
Hosts
62.24.202.31

** https://virustotal.com/en/file/96bc546e4128fa043e6abac3c063a8b446de37eeb78cf6bf199bb961204daf25/analysis/

*** https://www.hybrid-analysis.com/sample/96bc546e4128fa043e6abac3c063a8b446de37eeb78cf6bf199bb961204daf25?environmentId=100
Contacted Hosts
91.234.35.216
31.41.47.41

- https://myonlinesecurity.co.uk/yet-another-attached-image-locky-malspam-pretending-to-come-from-your-own-email-address/
26 July 2016 - "An email with the subject of 'Attached Image' pretending to come from your own email address with a zip attachment which downloads Locky Ransomware... One of the emails looks like:
From: your own email address
Date: Tue 26/07/2016 10:22
Subject: Attached Image
Attachment: 0324923_02.zip ...

26 July 2016: 0324923_02.zip: Extracts to: 753707_02.js - Current Virus total detections 8/54*
.. MALWR** shows a download of xxxx from
http ://exploromania4x4club .ro/okp987g7v?tKLWyjuj=PrkWVPasbrS which gave me lnHLopubGiz.exe (VirusTotal 5/54***).
Hybrid Analysis[4] . This is another one of the files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/dc92662faee479d876c0d47b892aa62e910188ba51b9180d36c4fe287836d9af/analysis/1469524580/

** https://malwr.com/analysis/YjY2ZmQyMzhlNjBkNDY4MThjOTJiODdkMTNhNGY2OWM/
Hosts
89.42.216.118
*** https://www.virustotal.com/en/file/96bc546e4128fa043e6abac3c063a8b446de37eeb78cf6bf199bb961204daf25/analysis/1469524971/

4] https://www.hybrid-analysis.com/sample/dc92662faee479d876c0d47b892aa62e910188ba51b9180d36c4fe287836d9af?environmentId=100
Contacted Hosts
89.42.216.118: https://www.virustotal.com/en/ip-address/89.42.216.118/information/
>> https://www.virustotal.com/en/url/d0e667287599e5f3ec1d3d2ad70905411e7979059e28154964b5df790adac66e/analysis/
31.41.47.41: https://www.virustotal.com/en/ip-address/31.41.47.41/information/
91.234.35.216: https://www.virustotal.com/en/ip-address/91.234.35.216/information/
___

Fake 'list of activities' SPAM - leads to Locky
- http://blog.dynamoo.com/2016/07/malware-spam-list-of-activities-leads.html
26 July 2016 - "This -fake- business spam has a malicious attachment:
From "Penelope Phelps"
Date Tue, 26 Jul 2016 23:02:43 +1100
Subject list of activities
Hello,
Attached is the list of activities to help you arrange for the coming presentation.
Please read it carefully and write to me if you have any concern.
Warm regards,
Penelope Phelps
ALLIED MINDS LTD
Security-ID ...

The sender's name, company and 'Security-ID' vary. Attached is a ZIP file with elements of the recipient's email address in, containing a malicious .wsf script... This Malwr report* and this Hybrid Analysis** show this particular sample downloading from:
akva-sarat.nichost .ru/bokkdolx
There will be -many- other download locations in addition to this. The downloaded file is Locky ransomware with a detection rate of 8/55***. Further analysis is pending, however it is quite likely that this sample uses the -same- C2 servers as seen earlier today[4]."
* https://malwr.com/analysis/ZTA1ZmZmOGViOWVkNDIwZDgyMzU2ZTdiYzRjMmY0NjQ/
Hosts
195.208.0.150

** https://www.hybrid-analysis.com/sample/d47a2ea5c02430bf90e4850391c9223586c02f0a3d226e021097855658ea67a3?environmentId=100
Contacted Hosts
195.208.0.150: https://www.virustotal.com/en/ip-address/195.208.0.150/information/
>> https://www.virustotal.com/en/url/97b212d5a71e9e943e1e0f9c7126dae3816ea1a37c4aa20afce4d425bdf0300d/analysis/

*** https://virustotal.com/en/file/6cd6cc39546fe0146b5aae93f43231d7c2f07d58fcac3619b546749a71c429e2/analysis/

4] http://blog.dynamoo.com/2016/07/malware-spam-attached-image-leads-to.html
___

Ransomware 2.0 ...
- http://www.techrepublic.com/article/ransomware-2-0-is-around-the-corner-and-its-a-massive-threat-to-the-enterprise/
July 26, 2016 - ... profits from ransomware are making it one of the fastest growing types of malware and new versions could negatively impact entire industries, according to a Cisco report
"... Cisco used data from its customers to create the report, since there are more than 16 billion web requests that go through the Cisco system daily, with nearly 20 billion threats blocked -daily- and with more than 1.5 million unique malware samples daily, which works out to 17 new pieces of malware every second..."

:fear::fear: :mad:

AplusWebMaster
2016-07-27, 13:45
FYI...

Fake 'Sent from my Samsung' SPAM - leads to Locky
- http://blog.dynamoo.com/2016/07/malware-spam-sent-from-my-samsung_27.html
27 July 2016 - "This spam comes in a few different variations:
From: Lottie
Date: 27 July 2016 at 10:38
Subject: scan0000510
Sent from my Samsung device

The subject can be "SCAN", "scan" or "COPY" with a random number. Attached is a .DOCM file with a name that matches the subject. This file contains a malicious macro which downloads a component... The dropped file is Locky ransomware and it has a detection rate of 2/52*. It phones home to the following locations:
5.9.253.173/upload/_dispatch.php (Dmitry Zheltov, Russia / Hetzner, Germany)
178.62.232.244/upload/_dispatch.php (Digital Ocean, Netherlands)
(Thank you to my usual source for this data) There is nothing of value in the 5.9.253.160/27 range, and several IPs appear to have been hosting malware in the past.
Recommended blocklist:
5.9.253.160/27
178.62.232.244 "
* https://www.virustotal.com/en/file/9c905f11e7dd24f6074128ce8bbe53b266e9682da8d6a0359895e3f86f47dfda/analysis/

5.9.253.173: https://www.virustotal.com/en/ip-address/5.9.253.173/information/
>> https://www.virustotal.com/en/url/594e3e801da1c1fa8d7f9c845bc0ed5117fa4f682e93b9c8fa939e1fa615d145/analysis/
178.62.232.244: https://www.virustotal.com/en/ip-address/178.62.232.244/information/
>> https://www.virustotal.com/en/url/207c8d10cda5f4adad62f5b857738bdaa0364dfef0a905f4d88bfab0360e9b6e/analysis/
___

Fake 'updated details' SPAM - malicious attachment
- http://blog.dynamoo.com/2016/07/malware-spam-attached-is-updated.html
27 July 2016 - "This spam has a malicious attachment:
Subject: updated details
From: Faith Davidson (Davidson.43198@ optimaestate .com)
Date: Wednesday, 27 July 2016, 11:13
Attached is the updated details about the company account you needed
King regards
Faith Davidson ...

The spam comes from different senders with a different hexadecimal number in it. Attached is a ZIP file with a random name, containing a malicious .wsf script. Analysis of a sample* shows the script download from:
beauty-jasmine .ru/6dc2y
There will be -many- more download locations in addition to that. It drops an executable which appears to be Locky ransomware with a detection rate of 7/55**. Analysis of this payload is pending, however the C2 servers may well be the same as found here***."
* https://www.hybrid-analysis.com/sample/292933de76f351ac1271bb284194f58bc0c1b97a29d73c6756d30c1ffb53b7da?environmentId=100
Contacted Hosts
195.208.1.120: https://www.virustotal.com/en/ip-address/195.208.1.120/information/
>> https://www.virustotal.com/en/url/478e2468eea19981532de7824b645caf7519c13f639f73fe3786690c7e50ed8c/analysis/

** https://virustotal.com/en/file/085d8b809a452e9604607509d88224fb99767fbe1f1e1b5ec022c1121c8a5de3/analysis/

*** http://blog.dynamoo.com/2016/07/malware-spam-sent-from-my-samsung_27.html

:fear::fear: :mad:

AplusWebMaster
2016-07-28, 14:11
FYI...

Fake 'invoice' SPAM - leads to Locky
- http://blog.dynamoo.com/2016/07/malware-spam-please-check-attached.html
28 July 2016 - "This -fake- financial spam leads to malware:
Subject: Invoice
From: Kendall Harrison (Harrison.59349@ chazsmedley .com)
Date: Thursday, 28 July 2016, 10:33
Hello,
Please check the attached invoice and confirm me if I sent the right data
Yours sincerely,
Kendall Harrison
320907cb16fbe856062a081d4f925b39cb3f007b8818d40dd3

The name of the sender and the hexadecimal number at the bottom varies. Attached is a randomly-named ZIP file which in the sample I analysed contains a malicious .wsf script beginning with the word "redacted". The Malwr analysis* for the partially deobfuscated script and this Hybrid Analysis** show this particular sample downloading from:
83.235.64.44/~typecent/xvsb58
This drops a malicious Locky ransomware binary with a detection rate of 7/55***. Analysis of this binary is pending.
UPDATE: Thank you to my usual source for this analysis... C2 locations:
178.62.232.244/upload/_dispatch.php (Digital Ocean, Netherlands)
193.124.180.6/upload/_dispatch.php (Marosnet, Russia)
139.59.147.0/upload/_dispatch.php (Digital Ocean, Germany)
Recommended blocklist:
178.62.232.244
193.124.180.6
139.59.147.0 "
* https://malwr.com/analysis/Nzg5YzJmZjNlYTk3NDU4M2I5YjgzNmM5Y2Q3NGQwNmM/
Hosts
83.235.64.44

** https://www.hybrid-analysis.com/sample/f7f07a45c8d9fbe1cc46224ec802876b0604de20308a54380b1d5fd0f87f4229?environmentId=100
Contacted Hosts
83.235.64.44: https://www.virustotal.com/en/ip-address/83.235.64.44/information/
>> https://www.virustotal.com/en/url/7e85bf3eca9f7edfc6f7d4c9f42789de9b4a6de1e65040b4627d593ff2dfe541/analysis/

*** https://virustotal.com/en/file/1da2be79c9ffd1edfcfce054f1913bc59c6337ca62370f095172768c07c23f9e/analysis/
___

Fake 'Self Billing Statement' SPAM - leads to Locky
- http://blog.dynamoo.com/2016/07/malware-spam-self-billing-statement.html
28 July 2016 - "This -fake- financial spam comes with a malicious attachment:
From Kathryn Smith [kathryn@ powersolutions .com]
Date Thu, 28 Jul 2016 16:21:41 +0530
Subject Self Billing Statement

I do not know if there is any body text at present. Attached is a file with a name similar to 'Self Billing Statement_431.zip' which contains a similarly named malicious script (e.g. Self Billing Statement_4424.js).
Analysis by a trusted party shows that these scripts download a component...
This originally dropped this payload* since updated to this payload**, both of which are Locky ransomware.
The C2 servers to -block- are exactly the -same- as found in this earlier spam run***."
* https://www.virustotal.com/en/file/601a63f9233e8920e08680702f370fa3b7c4282e097cc95b2fdc999e45a95000/analysis/

** https://www.virustotal.com/en/file/a7704087cfb711f2542cf7493f496d7b6719d0333db9e5bf5d716bec9531f36d/analysis/

*** http://blog.dynamoo.com/2016/07/malware-spam-please-check-attached.html

:fear::fear: :mad:

AplusWebMaster
2016-07-29, 14:39
FYI...

Fake 'Bank account record' SPAM - leads to Locky
- http://blog.dynamoo.com/2016/07/malware-spam-bank-account-record-leads.html
29 July 2016 - "This -fake- financial spam leads to malware:
Subject: Bank account record
From: Stephen Ford (Ford.24850@ aworkofartcontracting .com)
Date: Friday, 29 July 2016, 10:56
Good morning,
Did you forget to finish the Bank account record?
Read the attachment and let me know if there is anything I didn't make clear.
Yours sincerely,
Stephen Ford
57ad5eceb5e68fe97525ff408e9da2ecda5a97be6743bbe0fe

The sender will vary from email to email, but the "From" name is always consistent with the one in the email. Attached is a ZIP file with a random hexadecimal number which in the sample I am looking at contains a malicious .wsf script starting with the words "account record"...
According to the Hybrid Analysis* on that script and Malwr report** on a partly deobfuscated version the script downloads a binary from:
oleanderhome .com/q59ldt5r
This dropped binary has a detection rate of 5/55*** and is presumably Locky ransomware, but automated analysis is inconclusive [1] [2]. The is also traffic to kassa.p0 .ru which is more of a puzzle and doesn't look particularly malicious****. I don't know if that is common to all scripts, but it might be worth looking out for in your traffic logs. If I get more information on this I will post it here."
* https://www.hybrid-analysis.com/sample/e7087a6c75789184fafb3fd3725048c3d5c26bb0482d2daea608d445434ff4bb?environmentId=100
Contacted Hosts
195.216.243.102
107.180.50.233

** https://malwr.com/analysis/OGYzZWU1YjVlNmU1NDE2M2I2M2IwMDY4MzFlMTJhNGE/
Hosts
195.216.243.102: https://www.virustotal.com/en/ip-address/195.216.243.102/information/
107.180.50.233: https://www.virustotal.com/en/ip-address/107.180.50.233/information/
>> https://www.virustotal.com/en/url/d27d7e80f4ff338afe4b32a8e0bca44f6f3b09e05f00e0515a5341e7cc9c0e6e/analysis/

*** https://virustotal.com/en/file/00f8dcdfb84fa06e4ccc370113500499d3cc840f6c05c6cbf54d1ded756b0c13/analysis/

**** https://urlquery.net/report.php?id=1469786112022

1] https://www.hybrid-analysis.com/sample/00f8dcdfb84fa06e4ccc370113500499d3cc840f6c05c6cbf54d1ded756b0c13?environmentId=100

2] https://malwr.com/analysis/Njk0YmQ0ZjEyMWRiNGI5MmE2NTkwYzVmOTE5MjZjMzA/

UPDATE: My trusted source (thank you) gives the following... C2 servers are the same as found here*.
178.62.232.244/upload/_dispatch.php (Digital Ocean, Netherlands) [hostname:vps-110775.freedomain .in.ua]
91.195.12.143/upload/_dispatch.php (PE Astakhov Pavel Viktorovich, aka host4 .biz, Ukraine)
91.230.211.139/upload/_dispatch.php (Optizon Ltd, Russia) [hostname:evradikfreeopti .ru]
Recommended blocklist:
178.62.232.244
91.195.12.143
91.230.211.139 "
* http://blog.dynamoo.com/2016/07/malware-spam-voicemail-from-anonymous.html
29 July 2016
___

Fake 'Voicemail' SPAM - leads to Locky
- http://blog.dynamoo.com/2016/07/malware-spam-voicemail-from-anonymous.html
29 July 2016 - "This -fake- voicemail spam has a malicious attachment:
From SureVoIP [voicemailandfax@ surevoip .co.uk]
Date Fri, 29 Jul 2016 17:47:41 +0700
Subject Voicemail from Anonymous <Anonymous> 00:02:15
Message From "Anonymous" AnonymousCreated: Fri, 29 Jul 2016 19:45:15 +0900Duration:
00:02:37Account: victimdomain .tld

The attachment is in the format msg_7b40ef3f-90a3-c2c7-2858-f9041f1023de.zip containing a malicious .wsf script with a name similar to account record =B5D=.wsf...
The downloaded binary is Locky ransomware, phoning home to:
178.62.232.244/upload/_dispatch.php (Digital Ocean, Netherlands) [hostname:vps-110775.freedomain .in.ua]
91.195.12.143/upload/_dispatch.php (PE Astakhov Pavel Viktorovich, aka host4 .biz, Ukraine)
91.230.211.139/upload/_dispatch.php (Optizon Ltd, Russia) [hostname:evradikfreeopti .ru]
Recommended blocklist:
178.62.232.244
91.195.12.143
91.230.211.139 "

178.62.232.244: https://www.virustotal.com/en/ip-address/178.62.232.244/information/
>> https://www.virustotal.com/en/url/207c8d10cda5f4adad62f5b857738bdaa0364dfef0a905f4d88bfab0360e9b6e/analysis/
91.195.12.143: https://www.virustotal.com/en/ip-address/91.195.12.143/information/
>> https://www.virustotal.com/en/url/fcf5a854f1e393e14fab34d6b79c0b2e28b33199a8e3ef02a7bf51e742a257dd/analysis/
91.230.211.139: https://www.virustotal.com/en/ip-address/91.230.211.139/information/
>> https://www.virustotal.com/en/url/3b17f3fdd19e9defaf585de5bb27548b3f6ec32ea0e86b79d01150fd78dd29a4/analysis/
___

Recent Activity - RIG Exploit Kit
- https://atlas.arbor.net/briefs/index#233459834
July 28, 2016 - "... Analysis: In the wake of the disappearance of the previously successful Angler exploit kit and Nuclear Exploit Kit, cybercrime continues through other kits such as Neutrino, RIG, Sundown and others although campaign activity as recently as June has been lower volume compared to the time period when Angler and Nuclear were active... It is likely that this exploit kit traffic will increase over time, as prior users of other exploit kits migrate."
> https://blog.malwarebytes.com/threat-analysis/exploits-threat-analysis/2016/07/a-look-into-some-rig-exploit-kit-campaigns/

:fear::fear: :mad:

AplusWebMaster
2016-08-01, 16:41
FYI...

Fake 'Corrected report' SPAM - leads to Locky
- http://blog.dynamoo.com/2016/08/malware-spam-please-review-attached.html
1 Aug 2016 - "This spam comes with a malicious attachment:
Subject: Corrected report
From: Joey Cox (Cox.48@ sodetel .net.lb)
Date: Monday, 1 August 2016, 13:37
Dear webmaster,
Please review the attached corrected annual report.
Yours faithfully
Joey Cox

The name of the sender will vary. Attached is a ZIP file with a random name, containing a malicious .WSF script beginning with "annual report". This attempts to download Locky ransomware (MANY locations listed)...
The dropped binary then attempts to phone home to:
91.230.211.139/upload/_dispatch.php (Optizon Ltd, Russia) [hostname evradikfreeopti.ru]
37.139.30.95/upload/_dispatch.php (Digital Ocean, Netherlands) [hostname belyi.myeasy.ru]
91.219.29.48/upload/_dispatch.php (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine)
The host for that last one comes up over and over again, it's time to -block- that /22.."
Recommended blocklist:
91.230.211.139
37.139.30.95
91.219.28.0/22 "

91.230.211.139: https://www.virustotal.com/en/ip-address/91.230.211.139/information/
>> https://www.virustotal.com/en/url/3b17f3fdd19e9defaf585de5bb27548b3f6ec32ea0e86b79d01150fd78dd29a4/analysis/
37.139.30.95: https://www.virustotal.com/en/ip-address/37.139.30.95/information/
>> https://www.virustotal.com/en/url/16bb8bff3d0c74fa7aeda374258a8a73d004bedad71f277118095988b32d5508/analysis/
91.219.29.48: https://www.virustotal.com/en/ip-address/91.219.29.48/information/
>> https://www.virustotal.com/en/url/e3112b50b8cfde397ad6f6adb83ddd52eede7d87da38a3598e2f7c725d4c8257/analysis/
___

Google featured snippets abused by SEO scammers
- https://blog.malwarebytes.com/cybercrime/hacking/2016/08/googles-featured-snippets-abused-by-seo-scammers/
Aug 1, 2016 - "... online crooks are abusing Google’s featured snippets via compromised-websites that -redirect- to -bogus- online stores. A featured snippet is triggered when a user types in a question via a standard search. Google will display a block with a summary of the answer and a link to the site, on top of the regular search results. Because of this prominent placement, Blackhat SEO miscreants are extremely interested in featured snippets as they can capture a large amount of traffic and redirect it to any site of their choosing. In this particular case, a hacked Hungarian sports site (which has nothing to do with software or license keys) is used to game Google’s algorithm which programmatically determines that a page contains a likely answer to the user’s question. People who click-on-the-link will be -redirected- to cheapmicrosoftkey[.]com a site that offers various license keys for Microsoft products at ‘discounted’ prices. Buying from such dubious online shops is -never- a good idea as you might actually purchase stolen merchandise, or worse, get completely scammed:
> https://blog.malwarebytes.com/wp-content/uploads/2016/07/flow_snippet.png
... In an added twist, if you visited the Hungarian website directly, you would be -redirected- to the Neutrino exploit kit and get infected with the CrypMIC ransomware. This is a good example of the multiple ways criminals can monetize a -hacked- site. It is quite likely in this case that the site was hacked several different times in unrelated automated attacks, perhaps even via the same vulnerability... As an end user, beware of online deals that sound too good to be true. This example is particularly tricky as people would be inclined to trust their search engine for showing them the answer to their question. We have reported this particular abuse to the Google team."
IOC:
IP: 185.139.238.210: https://www.virustotal.com/en/ip-address/185.139.238.210/information/

cheapmicrosoftkey[.]com: 185.139.238.210

:fear::fear: :mad:

AplusWebMaster
2016-08-02, 15:51
FYI...

Fake 'Paid bills' SPAM - leads to Locky
- http://blog.dynamoo.com/2016/08/malware-spam-please-see-attached-last.html
2 Aug 2016 - "This -fake- financial spam has a malicious attachment:
From: Nathanial Lane
Date: 2 August 2016 at 12:05
Subject: Paid bills
Hello [redacted],
Please see the attached last month’s paid bills for the company
Best regards
Nathanial Lane

The name of the sender varies. It appears that these are being sent out in very-high-volumes. Attached to the email message is a randomly-named ZIP file which contains a malicious .js script beginning with "sales charts".
Thank you to my usual source for this analysis: the script downloads... (from MANY locations)...
The payload is Locky ransomware, phoning home to:
37.139.30.95/upload/_dispatch.php (Digital Ocean, Netherlands) [hostname belyi.myeasy .ru]
93.170.128.249/upload/_dispatch.php (Krek Ltd, Russia)
Recommended blocklist:
37.139.30.95
93.170.128.249 "

37.139.30.95: https://www.virustotal.com/en/ip-address/37.139.30.95/information/
>> https://www.virustotal.com/en/url/16bb8bff3d0c74fa7aeda374258a8a73d004bedad71f277118095988b32d5508/analysis/
93.170.128.249: https://www.virustotal.com/en/ip-address/93.170.128.249/information/
Country: RU
___

Fake 'Unable to deliver' SPAM - leads to ransomware
- http://blog.dynamoo.com/2016/08/malware-spam-unable-to-deliver-your.html
2 Aug 2016 - "This -fake- FedEx email has a malicious attachment.
From: FedEx International Ground [terry.mcnamara@ luxmap .com]
Date: 2 August 2016 at 18:53
Subject: [REDACTED], Unable to deliver your item, #000179376
Dear [Redacted],
This is to confirm that one or more of your parcels has been shipped.
Please, open email attachment to print shipment label.
Thanks and best regards,
Terry Mcnamara,
Support Manager.

Attached is a ZIP file FedEx_ID_000179376.zip which contains a malicious script FedEx_ID_000179376.doc.js which is highly obfuscated but which becomes clearer when deobfuscated. This Hybrid Analysis* on the sample shows that the script downloads -ransomware- from opros.mskobr .ru but a quick examination of the code reveals several download locations:
opros.mskobr .ru
alacahukuk .com
www .ortoservis .ru
aksoypansiyon .com
samurkasgrup .com
Three of those domains are on the same IP (77.245.148.51), so we can assume that the server is completely compromised. If we extend that principle to the other servers then you might want to block traffic to:
195.208.64.20 (ROSNIIROS, Russia)
77.245.148.51 (Bilisim Teknolojileri Yazilim San. Tic. Ltd. Sti., Turkey)
5.101.153.32 (Beget Ltd, Russia)
A couple of binaries are dropped onto the system, a.exe (detection rate 2/53)** [may not be malicious] and a2.exe (detection rate 7/53)***.
The payload seems to be Nemucod/Crypted or some related ransomware.
Recommended blocklist:
195.208.64.20
77.245.148.51
5.101.153.32 "
* https://www.hybrid-analysis.com/sample/dca75e5fa81d128665a13e846c16fe53493b45bccc9db6b3fafdbbdfa6a6a02e?environmentId=100
Contacted Hosts
195.208.64.20

** https://www.virustotal.com/en/file/4ed142ac450d0ea86e0e31c46b1ca928bde991a7432dd6a0c2c3d79833ccac95/analysis/1470163333/

*** https://www.virustotal.com/en/file/416e93a8b6bd7f06e724607fbc6da9ef1acb55759c7b088bf432af15f1439dbf/analysis/1470163336/
___

Tech Support Scams - two for one ...
- https://blog.malwarebytes.com/cybercrime/malware/2016/08/tech-support-scams-two-for-the-price-of-one/
Aug 2, 2016 - "... Running an executable file posing as an installer for “VMC Media Player”, we were greeted by these prompts telling us we were going to be logged off:
> https://blog.malwarebytes.com/wp-content/uploads/2016/07/warning1-1.png
..
> https://blog.malwarebytes.com/wp-content/uploads/2016/07/warning3.png
— and this site opening in our default browser:
> https://blog.malwarebytes.com/wp-content/uploads/2016/07/warning2-1.png
Since yolasite .com offers users the option to track visitors to their sub-domain, we suspect this site to be built to keep track of the people that installed the “software”. We have reported this site to Yola and are awaiting a reply. This sequence of events is programmed in a simple batch file that opens the site and commands the computer to shut down in 5 minutes... Once the victims log back on, they will be confronted with this -fake- BSOD screen:
> https://blog.malwarebytes.com/wp-content/uploads/2016/07/main-2.png
The screen’s text rambles a lot about errors and Trojans and displays the phone-number they would like you to call. It also shows a seemingly unrelated prompt to “get the product key”, which we will discuss later on, and a button labeled “Microsoft Help” that opens the site www[dot]microsoft[dot]aios[dot]us:
> https://blog.malwarebytes.com/wp-content/uploads/2016/07/site.png
Here you can download remote administration tools to get ”support” for a great variety of products. We have seen complaints about the people running this site and its predecessors for at least two years. The site shows a prompt that is a bit unclear about your options:
> https://blog.malwarebytes.com/wp-content/uploads/2016/07/choices.png
The listed options are YES to “Start Support Session” or NO to “Browse Support Site”, but the buttons are labeled OK and Cancel. I tested for you, and Cancel gets rid of the pop-up. And if you allow more pop-ups and click OK a few times, you will eventually get the option to download the legitimate remote administration tool TeamViewer.
And the second Tech Support Scam? Ah yes, let’s circle back to the prompt that promised us a product key:
> https://blog.malwarebytes.com/wp-content/uploads/2016/07/getthenext.png
Click OK on that one, and you will see a download prompt for a file called license_key.exe:
> https://blog.malwarebytes.com/wp-content/uploads/2016/07/downloadfromrun.png
This file has been reported to Mediafire. If you run this file, you may get some déjà vu feelings as you will see the “Thank you” prompt to notify that you will be logged off and visit another Yola site, this time it’s thankyou1234[dot]yolasite[dot]com using the URL shortener lnk.direct. Statistics of the URL shortener showed it was created 06/29/2016 and had 1143 visitors over the past month... The relatively good news about this repetition is that it will get rid of the fake BSOD for you because it alters the Winlogon Shell registry value yet again, only to replace it with -another- Tech Support Scammers -lock-screen- however. This time one that looks a lot like some of the earlier ones. A phone number and a form requesting “a product key”:
> https://blog.malwarebytes.com/wp-content/uploads/2016/07/main-3.png
Only this time it looks like you are completely -stuck- without any option. The part of the form that you would expect to fill out and the “Cancel” button are both unresponsive, so most people will end up having to use Ctrl-Alt-Del to get out of this. The name of the running processes for both rounds is fatalerror(.exe). We have dubbed the second one “Product Key” as that is the name of the folder it creates in Program Files (x86). But for the benefit of the Tech Support Scammers there is an “Easter egg” hidden in this screen. If you click -anywhere- in the 5th line (the one starting with the words “PRODUCT KEY”) you will go to this screen:
> https://blog.malwarebytes.com/wp-content/uploads/2016/07/theretheyare.png
... Summary: In what must be an attempt to drive victims crazy enough to call one of their numbers, Tech Support Scammers replace one logon lock-screen with another... save yourself the hassle and get protected."

yolasite[dot]com: 2400:cb00:2048:1::6810:69f9
2400:cb00:2048:1::6810:68f9
2400:cb00:2048:1::6810:67f9
2400:cb00:2048:1::6810:6af9
2400:cb00:2048:1::6810:6bf9
104.16.105.249: https://www.virustotal.com/en/ip-address/104.16.105.249/information/
104.16.106.249: https://www.virustotal.com/en/ip-address/104.16.106.249/information/
104.16.103.249: https://www.virustotal.com/en/ip-address/104.16.103.249/information/
104.16.107.249: https://www.virustotal.com/en/ip-address/104.16.107.249/information/
104.16.104.249: https://www.virustotal.com/en/ip-address/104.16.104.249/information/

aios[dot]us: 107.180.21.20: https://www.virustotal.com/en/ip-address/107.180.21.20/information/
>> https://www.virustotal.com/en/url/7ee3f8e8a6bbd54082fa2b1a62daaabe5abd3614ab6d2ea1c79c91093f4a8b79/analysis/

:fear::fear: :mad:

AplusWebMaster
2016-08-03, 12:46
FYI...

Fake 'project status report' SPAM - leads to Locky
- http://blog.dynamoo.com/2016/08/malware-spam-i-attached-project-status.html
3 Aug 2016 - "This spam leads to Locky ransomware:
From: Keri Jarvis [Jarvis.64030@ bac.globalnet .co.uk]
Date: 2 August 2016 at 22:13
Subject: report
Hi,
I attached the project status report in order to update you about the last meeting
Best regards,
Keri Jarvis

Attached is a randomly named ZIP file containing a malicious .js script beginning with the word "report". This downloads an evil binary... (MANY locations listed)...
(Thank you to my usual source for this data). The malware phones home to:
37.139.30.95/php/upload.php (Digital Ocean, Netherlands) [hostname: belyi.myeasy .ru]
93.170.128.249/php/upload.php (Krek Ltd, Russia)
93.170.104.20/php/upload.php (Breezle LLC, Netherlands) [hostname: pundik.rus.1vm .in]
Recommended blocklist:
37.139.30.95
93.170.128.249
93.170.104.20 "

37.139.30.95: https://www.virustotal.com/en/ip-address/37.139.30.95/information/
>> https://www.virustotal.com/en/url/a647806abc245c4db1f60a23a1512b46c88e76252a9fef73aa8b7425886210fa/analysis/
93.170.128.249: https://www.virustotal.com/en/ip-address/93.170.128.249/information/
>> https://www.virustotal.com/en/url/de35f0c83a674c515b23075128a243cd86c5ced781715adeb473a77c4eb1a6b6/analysis/
93.170.104.20: https://www.virustotal.com/en/ip-address/93.170.104.20/information/
>> https://www.virustotal.com/en/url/8aa4b30fcb71c0f4c72b1c6b19fde60a11de217c6379f9f6cb2f5962bcd6537f/analysis/
___

Fake 'New invoices' SPAM - leads to Locky
- http://blog.dynamoo.com/2016/08/malware-spam-as-you-directed-i-send.html
3 Aug 2016 - "Another day, another Locky ransomware run:
From: Marian Mcgowan
Date: 3 August 2016 at 11:15
Subject: Fw: New invoices
As you directed, I send the attachment containing the data about the new invoices

Attached is a randomly-named ZIP file which contains a highly obfuscated .js script which according to this Malwr analysis downloads a binary from..
blog-aida .cba .pl/2zensi7t
..when decrypted it creates a binary with a detection rate of 4/54*. That same Malwr analysis shows it phoning home to:
93.170.104.20/php/upload.php (Breezle LLC, Netherlands) [hostname: pundik.rus.1vm .in]
This IP was seen last night** and it seems that there is a concurrent Locky spam run phoning home to:
185.129.148.19/php/upload.php (MWTV, Latvia)
89.108.127.160/php/upload.php (Agava, Russia) [hostname: srv1129.commingserv .com]
Both those IPs are in known-bad-blocks.
Recommended blocklist:
93.170.104.20
185.129.148.0/24
89.108.127.0/24 "
* https://virustotal.com/en/file/dd8d6aaa43f007c8be8b90af3469eedeeba95ff5a6b8814314a366a46758816b/analysis/1470220208/

** http://blog.dynamoo.com/2016/08/malware-spam-i-attached-project-status.html

93.170.104.20: https://www.virustotal.com/en/ip-address/95.211.144.65/information/
>> https://www.virustotal.com/en/url/8aa4b30fcb71c0f4c72b1c6b19fde60a11de217c6379f9f6cb2f5962bcd6537f/analysis/

185.129.148.19: https://www.virustotal.com/en/ip-address/185.129.148.19/information/
89.108.127.160: https://www.virustotal.com/en/ip-address/89.108.127.160/information/
___

Fake 'Confirmation letter' SPAM - leads to Locky
- http://blog.dynamoo.com/2016/08/malware-spam-confirmation-letter-leads.html
3 Aug 2016 - "Another -spam- run leading to Locky ransomware..
From: Mavis Howe [Howe.4267@ croestate .com]
Date: 3 August 2016 at 13:32
Subject: Confirmation letter
Hi [redacted],
I attached the employment confirmation letter I prepared.
Please check it before you send it out.
Best regards
Mavis Howe

The name of the sender varies from email to email. The malicious attachment and payload seem very close to the one described here*."
* http://blog.dynamoo.com/2016/08/malware-spam-as-you-directed-i-send.html

:fear::fear: :mad:

AplusWebMaster
2016-08-04, 13:45
FYI...

Fake 'business card' SPAM - leads to Locky
- http://blog.dynamoo.com/2016/08/malware-spam-business-card-i-have.html
4 Aug 2016 - "This spam email has a malicious attachment:
From: Glenna Johnson
Date: 4 August 2016 at 10:18
Subject: Business card
Hello [redacted],
I have attached the new business card design.
Please let me know if you need a change
King regards,
Glenna Johnson
c75b53fd1ea488ebe8eaf068fd5c9dd13f1848f4d3a7

Sender names and that long hexadecimal number with vary. Attached is a randomly-named ZIP file containing a malicious .js script beginning with "business card"... The payload appears to be Locky ransomware. This Hybrid Analysis* of the script gives plenty of detail as to what is going on. My trusted sources tell me that the list of download locations is quite short:
escapegasmech .com/048220y5
goldjinoz .com/0a3tg
platimunjinoz .ws/13fo8lnl
regeneratewert .ws/1qvvu9lu
traveltotre .in/2c4ykij7
This drops a binary with a detection rate of 8/54**. The earlier Hybrid Analysis report shows it phoning home to:
31.41.46.29/php/upload.php (Relink Ltd, Russia) [hostname: ip.cishost .ru]
185.129.148.19/php/upload.php (MWTV, Latvia)
91.219.29.35/php/upload.php (FLP Kochenov Aleksej Vladislavovich aka uadomen .com, Ukraine) [hostname: 35.29.219.91.colo.ukrservers .com]
All of those network blocks have a pretty poor reputation and I recommend that you block their entire ranges.
Recommended blocklist:
31.41.40.0/21
185.129.148.0/24
91.219.28.0/22 "
* https://www.hybrid-analysis.com/sample/369b373aff8c222e69bec418a5819d7e93b79f1d987f994fae4960c36516a947?environmentId=100

** https://virustotal.com/en/file/2fea3c0bb9976a4658388b99ed3df1883f0848ed8d122fa2db00dbba620b6910/analysis/1470304914/
___

Fake 'Sheet/Document/Invoice' SPAM - .docm leads to Locky
- http://blog.dynamoo.com/2016/08/malware-spam-emailing-sheet-document.html
4 Aug 2016 - "This malware-laden spam comes with a variety of subjects, for example:
Emailing: Invoice (79).xls
Emailing: Sheet (189).doc
Emailing: Sheet (3352).tiff
Emailing: Document (79).doc
Emailing: Invoice (443).doc
Emailing: Sheet (679).xls
Emailing: Document (291).pdf
There is -no- body text. Attached is a .docm file with the same prefix as the subject (e.g. Document (291).pdf.docm) which contains a macro that downloads a malicious component... (Thank you to my usual source for this). The payload is Locky ransomware and the C2 servers are those found here*."
* http://blog.dynamoo.com/2016/08/malware-spam-business-card-i-have.html
___

Fake 'Please sign' SPAM - leads to Locky
- http://blog.dynamoo.com/2016/08/malware-spam-please-sign-receipt.html
4 Aug 2016 - "Yet another Locky campaign today..
From: Erica Hutchinson
Date: 4 August 2016 at 12:34
Subject: please sign
Dear [redacted]
Please sign the receipt attached for the arrival of new office facilities.
Best regards,
Erica Hutchinson

This drops Locky ransomware through a malicious attachment. It appears to be largely the same as found in this earlier spam run*."
* http://blog.dynamoo.com/2016/08/malware-spam-business-card-i-have.html

:fear::fear: :mad:

AplusWebMaster
2016-08-05, 14:13
FYI...

Zeus Panda variant targets Brazil - wants to steal everything
- https://www.helpnetsecurity.com/2016/08/05/zeus-panda-steals-everything/
Aug 5, 2016 - "A new Zeus Trojan variant dubbed Panda Banker has been specially crafted to target users of 10 major Brazilian banks, but also other locally popular services. 'Zeus Panda’s Brazilian configuration file has a notable local hue. Aside from including the URLs of major banks in the country, Panda’s operators are also interested in infecting users who access delivery services for a Brazilian supermarket chain, local law enforcement websites, local network security hardware vendors, Boleto payments and a loyalty program specific to Brazil-based commerce', IBM researchers* have found..."
* https://securityintelligence.com/panda-is-one-hungry-bear-a-heavyweight-banking-trojan-rolls-into-brazil/
Aug 4, 2016

Top Financial Malware per Attack Volume (Source: IBM Trusteer)
> https://static.securityintelligence.com/uploads/2016/08/1h2016_families.png
___

Fake Apple ‘Thank You For Your Order’ Phish
- http://www.hoax-slayer.net/apple-store-thank-you-for-your-order-scam-email/
Aug 5, 2016 - "Email purporting to be from the Apple Store thanks you for your order of an iPhone and notes that you can click a cancel link if you did not make the order... The email is -not- from Apple and it does not reference a real Apple Store order. Instead, it is a phishing scam designed to steal your Apple ID and password, your credit card details, and other personal information:
> https://i0.wp.com/www.hoax-slayer.net/wp-content/uploads/2016/08/apple-thank-you-for-order-scam-2.jpg
According to this email, which purports to be from the Apple Store, your order of an Apple iPhone 5c is about to be dispatched. The email does not contain your shipping and billing address but rather those of a person you do not know. It also includes a ‘cancel order’ link’ . The email features the Apple logo and is quite professionally presented. However, the email is not from Apple. Instead, it is a phishing scam designed to steal your personal and financial information. When you receive the email, you may mistakenly believe that the person named as the recipient of the iPhone has hijacked your Apple Account and made purchases in your name. Therefore, your first reaction might be to click the ‘cancel’ link in the hope of dealing with the issue. If you do click-the-link, you will be taken to a fraudulent website designed to emulate the genuine Apple website. Once on the -fake- site, you will be asked to ‘login’ with your Apple ID and password. Next, you will be taken to a -bogus- ‘Cancel Order’ form that asks you to provide your credit card details and other personal and financial information. After submitting the requested information, you may be told that you have successfully cancelled the order. But, now, the criminals can steal the information that you supplied and use it to -hijack- your Apple account, commit credit card fraud in your name, and attempt to steal your identity..."
___

Walmart phish ...
- https://bgr.com/2016/08/05/walmart-phishing-hack-account-recovery-email-scam/
Aug 5, 2016 - "Over the past couple of days*, Walmart users have been seeing unsolicited password recovery emails pop up in their inboxes. There’s clearly something 'phishy' going on, but it doesn’t seem to be a simple hack: it’s likely the precursor to an ambitious phishing attack on Walmart .com users... a Walmart spokesperson confirmed that there’s an increase in password recovery emails, but doesn’t think that any accounts have been compromised — yet. Instead, Walmart thinks that a hacker is using Walmart’s password recovery system to prepare for a -future- phishing attack. Walmart’s password recovery system is like most others: input an email address, and it sends a recovery code to that email address. But unlike some others, Walmart’s system confirms or denies whether there’s a Walmart .com account associated with that email... Seeing the groundwork for a phishing attack being laid is worrying, but the steps for customers to remain safe are simple... Walmart’s spokesperson also emphasized that it’s 'very unlikely' that any user accounts have been breached so far, and all customers need to do in the future is remain vigilant. If you’re particularly concerned, you can change the email address and password associated with your Walmart account."
* https://bgr.com/2016/08/04/walmart-email-hack-phishing-password-reset/
Aug 4, 2016

:fear::fear: :mad:

AplusWebMaster
2016-08-08, 14:21
FYI...

Fake 'Fraud Policy, Exceeded send Limit' SPAM - lead to Java Adwind Trojan
- https://myonlinesecurity.co.uk/the-plague-of-java-adwind-trojans-continue-via-fake-financial-themed-malspam-emails/
8 Aug 2016 - "We continue to be plagued daily by fake financial themed emails containing java adwind attachments. I mentioned these HERE*. We have been seeing those emails almost every day and there was nothing to update. Today’s have stepped up a notch with multiple emails, subjects and slightly different subjects and email content to previous ones. There are 2 different Java Adwind versions in these emails...
* https://myonlinesecurity.co.uk/java-adwind-trojans-via-fake-transaction-malspam-emails/
The first one of the emails looks like:
From: admin@moneygram .ae
Date: Mon 08/08/2016 06:20
Subject: Attention To All Agents (Fraud Policy)
Attachment: Antifraud-policy.zip ( extracts to 2 identical files Antifraud-Agent-User-manual.jar and Antifraud-policy..jar )
Dear Agent,
Please find attached a self-explanatory letter and the Dodd-Frank Compliance,
Fraud Policy and Procedures which will be in effect from 20th January, 2016.
Please do not hesitate to revert to us should you require any further information.
Regards,
Senzo Dlamini
Regional Operations Executive
MoneyGram International ...

The next example looks like:
From: XM Accounts & Finance <xm.accounts@ xpressmoney .com>
Date: Mon 08/08/2016 07:58
Subject: Exceeded send Limit
Attachment: Settlement Sheet – Exceeded send Limit.zip ( extracts to Sendout Limit Exceded.jar and index.jpg ( which is a logo image for xpressmoney .com )
Dear Sir/ Madam,
It came to our notice that your agent terminal exceeded it’s send limit.
As a result of this, We want you to verify your transaction report as attached.
Respond urgently if you feel there is an error during our server computation.
XM Accounts & Finance
Xpress Money Services Ltd. | 8th Floor, Al Ameri Building TECOM
P.O. Box 643996, Sheikh Zayed Road, Dubai, UAE ...

8 August 2016: Payment_Details_00H675B0017485.jar (119kb) - Current Virus total detections 30/55* Payload Security**

8 August 2016: Antifraud-Agent-User-manual.jar (235kb) - Current Virus total detections 12/55*** Payload Security[4]

This is another one of the files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/a4ad50c2afabee18c6df2b5791148fa9eabb255e55a702a37b7aae6004fd9cfd/analysis/1470633115/

** https://www.hybrid-analysis.com/sample/a4ad50c2afabee18c6df2b5791148fa9eabb255e55a702a37b7aae6004fd9cfd?environmentId=100
Contacted Hosts
23.231.23.176: https://www.virustotal.com/en/ip-address/23.231.23.176/information/

*** https://www.virustotal.com/en/file/84847f08bc147ecf7e940da9f7ec845f16dd0d2be2455fe75a2ff33e3cc31699/analysis/1470633100/

4] https://www.hybrid-analysis.com/sample/84847f08bc147ecf7e940da9f7ec845f16dd0d2be2455fe75a2ff33e3cc31699?environmentId=100

:fear::fear: :mad:

AplusWebMaster
2016-08-09, 16:06
FYI...

Fake 'Documents Requested' SPAM - leads to Locky
- https://myonlinesecurity.co.uk/another-malspam-word-doc-pretending-to-come-from-your-own-email-address-delivers-locky-zepto-ransomware/
9 Aug 2016 - "An email with the subject of 'FW: Documents Requested' pretending to come from a random name at your own email domain with a malicious word doc attachment is another Locky/zepto ransomware dropper...
The email looks like:
From: random name at-your-own-domain
Date: Tue 09/08/2016 09:50
Subject: FW: Documents Requested
Attachment: Untitled(1).docm
Dear [ your name ] ,
Please find attached documents as requested.
Best Regards,
Lizzie

9 August 2016: Untitled(1).docm - Current Virus total detections 5/55*.. Payload security** shows a download of the encrypted Locky/zepto binary from www .fliegendergaertner .at/09uh8ny which gets converted to a working .exe file by the malicious macro in the original word doc. to give zorgins .exe
(VirusTotal 4/55***)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/42cb802393eef9141fbfbc828a840f66b9c0941c8633eabb229c436b3355472f/analysis/1470732585/

** https://www.reverse.it/sample/42cb802393eef9141fbfbc828a840f66b9c0941c8633eabb229c436b3355472f?environmentId=100
Contacted Hosts
81.19.145.43: https://www.virustotal.com/en/ip-address/81.19.145.43/information/
>> https://www.virustotal.com/en/url/991a0c51bebbaebe3b072012885b108166ef0001e0a3e94298cc61889b6a2078/analysis/
159.203.182.129: https://www.virustotal.com/en/ip-address/159.203.182.129/information/
>> https://www.virustotal.com/en/url/3fae446c56b67b2d1711523e4d0915ba208c12feac1a4e5620910f06b64e23e6/analysis/
185.129.148.19: https://www.virustotal.com/en/ip-address/185.129.148.19/information/
>> https://www.virustotal.com/en/url/98716c6d591e02c64c662a238e4ce3976256f10bace6b66dc40d6921cce760ca/analysis/
188.166.150.176: https://www.virustotal.com/en/ip-address/188.166.150.176/information/
>> https://www.virustotal.com/en/url/e232bb5f69a8080407463dfdeb1591c7336fd048c76310270f542cbc34826e20/analysis/

*** https://www.virustotal.com/en/file/8d231166fb6638156b906709cc27887ff696f7f873316e6bd5ce157d92dd9b72/analysis/1470733027/
___

Facebook Scams ...
- https://blog.malwarebytes.com/cybercrime/2016/08/new-celebrity-death-hoax-hits-facebook/
Aug 9, 2016 - "... yet another celebrity death hoax. This time, the personality in question is Will Smith’s son, Jaden. Using one of our test accounts, below is a captured screenshot of what this Facebook post would look like if a user sees it in their feed:
> https://blog.malwarebytes.com/wp-content/uploads/2016/08/fb-hoax-post.png
... (and) iwilltryeverything[DOT]site (pictured below), and clicking any of the five boxes claiming to contain the same news:
> https://blog.malwarebytes.com/wp-content/uploads/2016/08/realwheel-600x396.png
Also, clicking anywhere on the page redirects users to ads, which may not be ideal if you’re worried about malvertising. Users are then directed to a goaheadnow[DOT]press page. From here, two things can happen: one, the user may choose to scroll down and check out the video on that page or, two, the user can choose to -share- the -false- news straight away... Choosing to share the news straight away directs users to Facebook’s login page for them to enter their credentials, if they’re not logged in it already. And then, the site asks for the user permission to post on their wall:
> https://blog.malwarebytes.com/wp-content/uploads/2016/08/005.png
... As more people share and spread such false news, the likelihood of others falling for online threats like scams and malware, or signing up for something they’d regret in the end also increases.If you see the Jaden Smith death “news” in your feed, inform the sharer that it’s a -hoax- and avoid sharing it further."

iwilltryeverything[DOT]site: 192.138.19.74: https://www.virustotal.com/en/ip-address/192.138.19.74/information/
>> https://www.virustotal.com/en/url/34b6b54c76610feb7f63854c7cb27cdb8750711b32ce976c045330ea4e943b86/analysis/

goaheadnow[DOT]press: 192.138.19.74

“Five Free Tickets” Facebook Scam
- http://www.hoax-slayer.net/vue-cinemas-five-free-tickets-facebook-scam/
Aug 8, 2016 - "Post being shared on Facebook claims that you can click to get 5 free tickets from UK based cinema chain Vue Cinemas. The post is fraudulent. It is not associated with Vue Cinemas and participants will never receive the promised movie tickets. The post is a -scam- designed to trick people into divulging their personal information on suspect survey websites:
> https://i2.wp.com/www.hoax-slayer.net/wp-content/uploads/2016/08/vue-cinemas-free-tickets-facebook-scam-1.jpg
... the post has no connection to the UK based cinema chain and those who participate will never receive the promised tickets. The post is designed to trick you into firstly spamming your friends with the same fraudulent giveaway and then submitting your personal information via decidedly dodgy “survey” websites..."
> https://i1.wp.com/www.hoax-slayer.net/wp-content/uploads/2016/08/vue-cinemas-free-tickets-facebook-scam-2.jpg

:fear::fear: :mad:

AplusWebMaster
2016-08-11, 16:13
FYI...

Fake 'Scanned' SPAM - leads to Locky
- http://blog.dynamoo.com/2016/08/malware-spam-new-doc-scanned-by.html
11 Aug 2016 - "This spam has a malicious attachment:
From: Ashley [Ashley747@ victimdomail .tld]
Date: 11 August 2016 at 11:13
Subject: New Doc 6-6
Scanned by CamScanner
Sent from Yahoo Mail on Android

The sender name and numbers in the subject vary, and it appears to come from within the sender's own domain (this is just a simple forgery). Attached is a malicious Word document with a name similar to New Doc 666-9.docm. A Hybrid Analysis* of one sample shows a download location of fcm-makler .de/4GBrdf6 and my sources (thank you) tell me that there are -many- others, giving the following list:
151 .ru/4GBrdf6
antonello.messina .it/4GBrdf6
fcm-makler .de/4GBrdf6
iceninegr.web.fc2 .com/4GBrdf6
mccrarys .us/4GBrdf6
momoselok .ru/4GBrdf6
sando.oboroduki .com/4GBrdf6
www .EastsideAutoSalvage .com/4GBrdf6
www .fasulo .org/4GBrdf6
www .halloweenparty.go .ro/4GBrdf6
www .tommasobovone .com/4GBrdf6
The malware is Locky ransomware, and it phones home to the following locations:
185.129.148.19/php/upload.php (MWTV, Latvia)
195.16.90.23/php/upload.php (WIBO International s.r.o., Ukraine) [hostname: vz1.hostlife .net]
136.243.237.197/php/upload.php (Hetzner, Germany)
Recommended blocklist:
185.129.148.0/24
195.16.90.23
136.243.237.197 "
* https://www.hybrid-analysis.com/sample/842d6a410b2f494ff8ba88302d28c45eb619dcc8f2f70ee6ca4fc49a03ce4114?environmentId=100
Contacted Hosts
217.119.54.192: https://www.virustotal.com/en/ip-address/217.119.54.192/information/
>> https://www.virustotal.com/en/url/14db1b379967b7ae5ffb03b11bee1e521cf7732a5a57da48459a7a6a9bd5da1f/analysis/
185.129.148.19: https://www.virustotal.com/en/ip-address/185.129.148.19/information/
>> https://www.virustotal.com/en/url/8587e23fa327426fe64719a714d6bfcbf0016bf04c76c1357ce755e945a16e32/analysis/
195.16.90.23: https://www.virustotal.com/en/ip-address/195.16.90.23/information/
>>> https://www.virustotal.com/en/url/34c2f0ff448d327dfb7018b469ded9dc743ecf6b7f83ba882475f16393969bf5/analysis/
136.243.237.197: https://www.virustotal.com/en/ip-address/136.243.237.197/information/
>> https://www.virustotal.com/en/url/b442fc4dd8d6d7257a2aeee040a7c8bdb3c342c0952504f358c72d084fca2e73/analysis/
___

Fake 'Dear client' SPAM - malicious link
- https://myonlinesecurity.co.uk/dear-client-we-have-detected-the-attempt-of-transaction-from-your-bank-word-malspam/
11 Aug 2016 - "A series of emails saying 'Dear client! We have detected the attempt of transaction from your bank account', coming from random senders with a -link- to a malicious word doc is another one from the current bot runs... Some of the subjects seen include:
Detected suspicious transaction on your account
Locked transaction
Online Banking informs
Barclays Personal Banking
Incomplete transaction
One of the emails looks like:
From: yvvelez@ gracehill .org
Date:
Subject: Detected suspicious transaction on your account
Attachment ( link ): payment.doc
Hello!
Dear client! We have detected the attempt of transaction from your bank
account. You may find details of the transaction in the
http ://vividlightingandliving .com.au/bank-info/payment.doc
Please download this document. If this transaction was yours, please,
contact us via contacts in the loaded file. If this transaction was not
yours, notify our safety service shortly. Contacts of the safety service
may be found in the loaded file. Also, you can contact us through the
Personal Account of your bank.
Attention: if you ignore our request, your account will be blocked on
20.08.2016.

Alternative download locations from other emails include:
http ://guestlistalamode .com/bank/payment.doc: 192.185.75.239: https://www.virustotal.com/en/ip-address/192.185.75.239/information/
>> https://www.virustotal.com/en/url/06306c7c751a017681c50652ee5226a5138866da0a8f62d91c53ecddd51efe50/analysis/
http ://www.1800cloud .com/infos/report.doc: 65.49.52.99: https://www.virustotal.com/en/ip-address/65.49.52.99/information/
>> https://www.virustotal.com/en/url/d50901400110501a8c17ec272b69fc1fa58925b3df9490498c498bc029551a04/analysis/
http ://www.monparfum .it/payments/info.doc: 80.88.88.149: https://www.virustotal.com/en/ip-address/80.88.88.149/information/
>> https://www.virustotal.com/en/url/140b0bea5c7bd5346dc1d1843d21dc9c3c2580c454e96a07ca1262f29f67c39a/analysis/

11 August 2016: payment.doc - Current Virus total detections 2/53*. MALWR** shows a download from
http ://88.119.179.160 /1biycuhoqetzowaawneab.exe (VirusTotal 7/53***) MALWR[4]..
Update: I am informed that it appears to be 'Panda Banker' which is a banking password/credential stealer.
See Proofpoint[5] and Arbor[6] for more details of this new threat..."
5] https://www.proofpoint.com/us/threat-insight/post/panda-banker-new-banking-trojan-hits-the-market
"... Some of the Panda Banker C&C servers use Fast flux DNS, and have numerous IP addresses associated with a single malicious domain, making the malware more resistant to counter-measures..."

6] https://www.arbornetworks.com/blog/asert/let-pandas-zeus-zeus-zeus-zeus/
"... Not only is it built on a proven banking malware platform (Zeus), there are already a number of samples and botnets in the wild. In addition, Panda Banker is actively being developed with 9 distinct versions known..."

* https://www.virustotal.com/en/file/422c061cb2c8d8dddb9c15f760b2e169400b975a751e0cc3fd1ab0eabce0e02b/analysis/1470917056/

** https://malwr.com/analysis/YWJhYTUxNDFmYzNlNGE1MWFlZjI0ZWM4NGYzZGJiNDU/
Hosts
88.119.179.160: https://www.virustotal.com/en/ip-address/88.119.179.160/information/
>> https://www.virustotal.com/en/url/6ae0a97eeb7dcd4277d197d3cdb449e63c255cf47854e4a4217547193d8ecf53/analysis/

*** https://www.virustotal.com/en/file/b78afdedb28db1f5d7d9364f2a78e84a3d140dbc90dddd9cba461b41ba864578/analysis/1470916592/

4] https://malwr.com/analysis/NmRlNzAyNTY2NWIzNDIwOWJmZjk3NzYzOTgwNGE0YzU/
Hosts
No hosts contacted.

vividlightingandliving .com.au: 192.185.37.232: https://www.virustotal.com/en/ip-address/192.185.37.232/information/
>> https://www.virustotal.com/en/url/cb3089a300ef55dd851ff6ddec3165148d4e9aa503bae7e7628e1da22e083754/analysis/

:fear::fear: :mad:

AplusWebMaster
2016-08-12, 14:52
FYI...

Fake 'Xpress Money Certificate' SPAM - leads to JAVA Jacksbot
- https://myonlinesecurity.co.uk/new-xpress-money-certificate/
12 Aug 2016 - "An email with the subject of 'New Xpress Money Certificate' pretending to come from akash.kushwah@xpressmoney .com <xm.ca@ xpressmoney .com> with a zip attachment which downloads a JAVA Jacksbot... This is a slight change to the usual java.jar files that are normally attached to these emails. Today’s version has a .exe file which is actually a SFX (self extracting RAR file) which extracts to an identically named .exe file which in turn when run drops the java files and runs them. AV detections call this one a Java Jacksbot rather than the “normal” Java Adwind we have been seeing in this sort of financial malspam.
One of the emails looks like:
From: akash.kushwah@ xpressmoney .com <xm.ca@ xpressmoney .com>
Date: Thu 16/06/2016 11:09
Subject: New Xpress Money Certificate
Attachment: New Xpress Money Certificate Signed And Sealed.exe
Dear Agent,
We have attached the New Certificate with installation details , Sign the branch seal on the attach authorization for security updates.
Best regards,
AKASH KUSHWAH | Xpress Money Operations
Xpress money services Ltd| P.O. Box 170,
Tel: +971 2 6580989 |Ex: 371 | Fax: +971 2 989564 ...

12 August 2016: New Xpress Money Certificate Signed And Sealed.exe - Extracts to: New Xpress Money Certificate Signed And Sealed..exe - Current Virus total detections 29/55*. MALWR**
This is another one of the files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/e580ccd34d64e88ad00f59457e0e03c414615da50d7652c935518eb31d03b60b/analysis/1470995213/

** https://malwr.com/analysis/MGYzMDc3YWUzODViNGM1YjliNTc5OTdmMWFkZWViYjc/
___

Fake 'scanner' SPAM - leads to Locky
- http://blog.dynamoo.com/2016/08/malware-spam-this-e-mail-was-sent-from.html
12 Aug 2016 - "This spam comes with a malicious attachment:
Subject: Message from "CUKPR0317276"
From: scanner@ victimdomain .tld (scanner@ victimdomain .tld)
To: webmaster@ victimdomain .tld
Date: Friday, 12 August 2016, 14:00
This E-mail was sent from "CUKPR0329001" (Aficio MP C305).
Scan Date: 17.11.2015 09:08:40 (+0000)
Queries to: <scanner@ victimdomain .tld

The email appears to come from within the victim's own domain (but this is just a simple forgery). Attached is a ZIP file with a name similar to 201608120908.zip which contains a malicious .WSF script with a name similar to
doc(171)-12082016.wsf . This Hybrid Analysis* shows the script downloading a file from www .hi-segno .com/02bjJBHDs?WUubFbrItd=ratyCr (and also the same location on bonmoment.web.fc2 .com and www .homesplus .nf.net) but a trusted source tells me that the following download locations appear in different scripts... (see URL above for long list).
The malware phones home to:
185.129.148.19/php/upload.php (MWTV, Latvia)
138.201.56.190/php/upload.php (Hetzner, Germany)
That Latvian network range is -all- bad, I recommend that you -block- the lot. The payload is Locky ransomware.
Recommended blocklist:
185.129.148.0/24
138.201.56.190 "
* https://www.hybrid-analysis.com/sample/0c1ab8586840a04106f2decf67606c1881d0ff703459a133aa7fda1cc3bfd2e6?environmentId=100
Contacted Hosts
213.205.40.169
138.201.56.190
185.129.148.19
208.71.106.49
216.251.43.11
___

ITunes, Netflix phishing
- https://myonlinesecurity.co.uk/apple-itunes-netflix-phishing/
12 Aug 2016 - "The latest Apple/ITunes phish pretends to be confirmation of an ITunes order for Netflix.

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2016/08/Order-Receipt-NetFlix-06285490.png

The links go to
http ://hiperkarma .hu/download/g.html where you are -redirected- to
http ://margotbai .com/UnitedKingdom/Itunes/apple/ and see a page looking like this, where if you fill in the ID and password then asks for all other financial information:
> https://myonlinesecurity.co.uk/wp-content/uploads/2016/06/flyinmgstart_apple_phish.png "

hiperkarma .hu: 87.229.45.133: https://www.virustotal.com/en/ip-address/87.229.45.133/information/
>> https://www.virustotal.com/en/url/715ef9acc1b581f2284c9e3c12dc23c68cff88efab5a333aad7b836477f6835f/analysis/
margotbai .com: 67.212.91.221: https://www.virustotal.com/en/ip-address/67.212.91.221/information/
>> https://www.virustotal.com/en/url/da2c8d7fc79dcecc7efd325e23571b2c004ed7228e98f83ba9cf8f7ff6db4543/analysis/

:fear::fear: :mad:

AplusWebMaster
2016-08-13, 17:51
FYI...

Beware of browser hijacker - comes bundled with legitimate software
- https://www.helpnetsecurity.com/2016/08/12/browser-hijacker-bing-vc/
Aug 12, 2016 - "Lavians, a 'small software vendor team' is packaging its offerings with a variant of browser-hijacking malware Bing .vc. The company sells and offers for free different types of software (drivers and other kinds of utilities) on their own website*, but also on popular download sites. Unfortunately, most of them come bundled with the aforementioned malware, which installs itself into Internet Explorer, Firefox, and Chrome -without- the user’s consent..."
* http:// www. lavians .com/product/

lavians .com: 45.79.77.19: https://www.virustotal.com/en/ip-address/45.79.77.19/information/
>> https://www.virustotal.com/en/url/7c439eaba3967f4ee2e19a23bb37e3de9a53b23c774f2a6ac6892b4756032bc3/analysis/
bing .vc: 65.75.147.228: https://www.virustotal.com/en/ip-address/65.75.147.228/information/
>> https://www.virustotal.com/en/url/587c4d4e354626a1a6c7c009f3aac03d77287da9dfae0b1e36339b92697b46ed/analysis/
2016-08-13
___

Visa Alert - Oracle POS Breach
- http://krebsonsecurity.com/2016/08/visa-alert-and-update-on-the-oracle-breach/
Aug 13, 2016 - "Credit card industry giant Visa on Friday issued a security alert warning companies using point-of-sale devices made by Oracle‘s MICROS retail unit to double-check the machines for malicious software or unusual network activity, and to change passwords on the devices. Visa also published a list of Internet addresses that may have been involved in the Oracle breach and are thought to be closely tied to an Eastern European organized cybercrime gang:
> http://krebsonsecurity.com/wp-content/uploads/2016/08/VSA-oracle.png
The Visa alert is the first substantive document that tries to help explain what malware and which malefactors might have hit Oracle — and by extension many of Oracle’s customers... MICROS is among the top three point-of-sale vendors globally. Oracle’s MICROS division sells point-of-sale systems used at more than 330,000 cash registers worldwide. When Oracle bought MICROS in 2014, the company said MICROS’s systems were deployed at some 200,000+ food and beverage outlets, 100,000+ retail sites, and more than 30,000 hotels. In short, tens of millions of credit cards are swiped at MICROS terminals monthly, and a breach involving the theft of credentials that might have granted remote access to even just a small percentage of those systems is potentially a big and costly problem for all involved:
> http://krebsonsecurity.com/wp-content/uploads/2016/08/oraclehosp-580x476.png "

:fear::fear: :mad:

AplusWebMaster
2016-08-15, 14:19
FYI...

Fake 'Order Confirmation' SPAM - leads to Locky
- http://blog.dynamoo.com/2016/08/malware-spam-orderconfirmationesabcouk.html
15 Aug 2016 - "This -fake- financial spam does -not- come from ESAB but is instead a simple -forgery- with a malicious attachment.
From: orderconfirmation@ esab .co.uk
Date: 15 August 2016 at 10:37
Subject: Order Confirmation-7069-2714739-20160815-292650 ...

Attached is a file with a name similar to Order_Confirmation-7069-2714739-20160815-292650.docm which contains a malicious macro. There are various versions, which according to my source (thank you) download a component...
The payload is Locky ransomware with a very low detection rate* at present. It phones home to:
185.129.148.19/php/upload.php (MWTV, Latvia)
138.201.56.190/php/upload.php (Hetzner, Germany)
46.148.26.77/php/upload.php (Infium UAB, Ukraine)
The MWTV block is -all- bad. Recommended blocklist:
185.129.148.0/24
138.201.56.190
46.148.26.77 "
* https://www.virustotal.com/en/file/02469222c9895fcbdcbe8264fadfbd8150d649a08e42ea2c476b6a33203e21c5/analysis/
File name: ferdoxs.exe
Detection ratio: 1/55

138.201.56.190: https://www.virustotal.com/en/ip-address/138.201.56.190/information/
>> https://www.virustotal.com/en/url/4a7ea40698992e4a79dcdc1e57d756c3bf9065c33b535268848b4c76d130c05b/analysis/
46.148.26.77: https://www.virustotal.com/en/ip-address/46.148.26.77/information/
>> https://www.virustotal.com/en/url/be685d17cdf8fd558c56994e0dafcd29d64a12460cf05f11465947525f0cd79a/analysis/

- https://myonlinesecurity.co.uk/order-confirmation-9355-8379094-20160815-474623-esab-co-uk-leads-to-locky-ransomware/
15 Aug 2016 - "An email with the subject of 'Order Confirmation-9355-8379094-20160815-474623' pretending to come from orderconfirmation@ esab .co.uk with a malicious word doc attachment downloads Locky ransomware...
The email looks like:
From: orderconfirmation@ esab .co.uk
Date: Mon 15/08/2016 10:33
Subject: Order Confirmation-9355-8379094-20160815-474623
Attachment: Order Confirmation-9355-8379094-20160815-474623.docm ...

15 August 2016: Order Confirmation-9355-8379094-20160815-474623.docm - Current Virus total detections 7/56*
There are several different versions of this Locky downloader which all download an encrypted data file that is transformed by the macro to the same Locky Ransomware (virustotal 4/54*)..."
* https://www.virustotal.com/en/file/a2342bbc53db362c99dabd0dd15f623d2d27b7bce693df051d5b16c69c97f197/analysis/1471258818/

** https://www.virustotal.com/en/file/02469222c9895fcbdcbe8264fadfbd8150d649a08e42ea2c476b6a33203e21c5/analysis/
___

Fake from 'Emma Critchley' SPAM - leads to Locky
- http://blog.dynamoo.com/2016/08/malware-spam-emma-critchley.html
15 Aug 2016 - "This -fake- financial spam has a malicious attachment. It does -not- come from Advantage Finance but is instead a simple forgery.
Subject: Emailing - 9104896607509
From: Emma Critchley (emmacritchley@ advantage-finance .co.uk)
Date: Monday, 15 August 2016, 13:28
Hi
Vicky has asked me to forward you the finance documents (Please see attached)
Many Thanks

Attached is a DOCM file with a name that matches the subject. There are various versions, all of which download Locky ransomware... This phones home to the same servers as mentioned in this post*."
* http://blog.dynamoo.com/2016/08/malware-spam-orderconfirmationesabcouk.html
___

Fake 'Documents' SPAM - leads to Locky
- http://blog.dynamoo.com/2016/08/malware-spam-jen-jenpurple-officecom.html
15 Aug 2016 - "These -fake- financial documents have a malicious attachment:
From: Jen [Jen@ purple-office .com]
Date: 15 August 2016 at 14:10
Subject: Documents from Purple Office - IN00003993
Please find attached invoice/credit from Purple Office.
Best regards,
Purple Office

Attached is a randomly-named DOCM file which is almost definitely a variant of Locky ransomware as seen here[1] and here[2]."
1] http://blog.dynamoo.com/2016/08/malware-spam-emma-critchley.html

2] http://blog.dynamoo.com/2016/08/malware-spam-orderconfirmationesabcouk.html

- https://myonlinesecurity.co.uk/documents-from-purple-office-malspam-delivers-locky-ransomware/
15 Aug 2016
> https://malwr.com/analysis/M2RhNDAxZGI1ZTNhNDNkMmIxMTRhZGFiOGMwNWViNzI/
Hosts
80.150.6.138: https://www.virustotal.com/en/ip-address/80.150.6.138/information/
>> https://www.virustotal.com/en/url/2fcd3fb0ce9bf81daf3213d9ce1dae51992f4a6f67bd8e466e1b3916d65d79d7/analysis/

:fear::fear: :mad:

AplusWebMaster
2016-08-16, 13:53
FYI...

Fake 'Scan/Document/Receipt' SPAM - leads to Locky
- https://myonlinesecurity.co.uk/generic-emailing-file-document-receipt-pretending-to-come-from-your-own-email-address-delivers-locky-ransomware/
16 Aug 2016 - "Today’s first Locky ransomware example is a blank/empty email with the subject saying something like 'File: Scan(86)' or 'Emailing: Document(2)' or 'Emailing: Receipt(8)' [random numbered] or other similar generic subjects pretending to come from random names at your own email domain with a zip attachment containing a random numbered WSF (script file) which downloads an encrypted Locky ransomware version that gets converted by the script file to a fully working .exe... One of the emails looks like:
From: Random names at your own email domain or company
Date: Tue 16/08/2016 10:11
Subject: File: Scan(86)
Attachment: Scan(86).zip

Body content: Totally blank/empty

16 August 2016: Scan(86): Extracts to: 572310451803.wsf - Current Virus total detections 3/56*
.. MALWR** shows a download of an encrypted file from one of these 3 locations (there will be multiple others) that is transformed by the script to eaoJlwhPcR.exe (random depending on the version you get) (VirusTotal 3/56***)
http ://zarexbytonia.cba .pl/nJHbj0266b?coHDErXiOn=ldRhoj
http ://fereastrazmeilor .go.ro/nJHbj0266b?coHDErXiOn=ldRhoj
http ://www .lefaos.50webs .com/nJHbj0266b?coHDErXiOn=ldRhoj
... This is another one of the files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/0aedd9aa32d9521686fecfe9da6eccb657963d31228469bac592314937550274/analysis/1471338738/

** https://malwr.com/analysis/ODAyODBjM2YxMzYxNGQ3MGJhMGIyZWFmYjJhYmJiNTA/
Hosts
192.151.153.26
81.196.20.134
95.211.144.65

*** https://www.virustotal.com/en/file/73e6aa1f6f62fa8b28f8bf2f55fb94983edad0968b6b4e5775e4aa2e21e7aafb/analysis/1471340178/
___

ITunes Phish
- https://myonlinesecurity.co.uk/apple-itunes-phishing-copilot-premium-hd/
16 Aug 2016 - "The latest Apple/ITunes phish pretends to be confirmation of an ITunes order for CoPilot premium HD.

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2016/08/Apple_phish_copilot-1024x654.png

The links go to
http ://monthlyincomeformula .com/.GB/db/ where you are -redirected- to
http ://missclaudia .net/.GB/apple-store-refund/appsrefund/ and see a page looking like this, where -if- you fill in the ID and password then asks for all other financial information:
> https://myonlinesecurity.co.uk/wp-content/uploads/2016/08/App_store_refund_request-1024x555.png "

monthlyincomeformula .com: 162.144.84.124: https://www.virustotal.com/en/ip-address/162.144.84.124/information/

missclaudia .net: 174.136.50.43: https://www.virustotal.com/en/ip-address/174.136.50.43/information/

:fear::fear: :mad:

AplusWebMaster
2016-08-17, 14:58
FYI...

Cerber ransomware ...
- https://www.helpnetsecurity.com/2016/08/17/inner-workings-cerber-ransomware-campaign/
Aug 17, 2016 - "Check Point’s research team has analysed the inner workings of Cerber, the world’s biggest ransomware-as-a-service scheme:
> https://www.helpnetsecurity.com/images/posts/checkpoint-cerber2.jpg
... Cerber is set up to enable non-technical criminals to take part in the highly profitable business and run independent campaigns, using a set of command and control servers and an easy-to-use control interface available in 12 different languages... The Bitcoin is transferred to the malware developer and affiliates by flowing through thousands of Bitcoin wallets, making it almost impossible to trace individual payments... The overall profit made by Cerber in July was $195,000. The malware developer received approximately $78,000 and the rest was split between the affiliates, based on successful infections and ransom payments for each campaign. On a yearly basis, the estimated monthly profit for the ransomware author would be $946,000. 'This research provides a rare look at the nature and global targets of the growing ransomware-as-a-service industry' said Maya Horowitz, group manager, Research & Development, Check Point*. 'Cyber-attacks are no longer the sole essence of nation-state actors and of those with the technical ability to author their own tools; nowadays, they are offered to anyone and can be operated fairly easily. As a result, this industry is growing extensively, and we should all take the proper precautions and deploy relevant protections'.”
* http://blog.checkpoint.com/2016/08/16/cerberring/
"... researchers have managed to break the encryption of Cerber and provide a free decryption tool**..."
** https://www.cerberdecrypt.com/RansomwareDecryptionTool/

Exploit Kit Country Distribution Map: https://blog.checkpoint.com/wp-content/uploads/2016/08/Figure9.jpg
___

'Bogus blue verified checkmark' SCAM - on Twitter
- https://www.hotforsecurity.com/blog/beware-bogus-blue-verified-checkmark-scams-on-twitter-16373.html
Aug 17, 2016 - "... Take, for instance, this -scam- which was being played out on Twitter last week:
> https://www.hotforsecurity.com/wp-content/uploads/2016/08/twitter-verification-scam-tweet.jpeg
If you saw it in your Twitter timeline, you might very well click on the link without thinking – imagining that the account is run by Twitter. After all, it is displaying the same avatar as the one used by the legitimate @verified account. And clicking on the link *does* take you to a website which – at first glance – might look like a genuine Twitter property to those -lacking- in caution:
> https://www.hotforsecurity.com/wp-content/uploads/2016/08/twitter-verified-scam-site.jpeg
Clicking further, however, takes you to a form which should instantly set your alarm bells ringing. It asks you to enter information such as your email address and your number of followers (both pieces of information that Twitter should -already- know) as well as your username and password:
> https://www.hotforsecurity.com/wp-content/uploads/2016/08/twitter-verified-scam-site-2.jpeg
Once you fill your details in this form, they are instantly transmitted to the hackers – who can then use your credentials to hijack your account for the purposes of spam or spreading malicious links. Furthermore, if you have made the mistake of reusing your Twitter password elsewhere on the net there is a good chance that you may have other online accounts compromised by the hackers in follow-up attacks. I reported the phishing URL to Google, and I’m pleased to report that it is now being blocked by most browsers:
> https://www.hotforsecurity.com/wp-content/uploads/2016/08/chrome-block.jpeg
The offending Twitter account has also been suspended. There are a few lessons here...
Firstly, always be careful about where you enter your login credentials. Make sure that you are on the proper website by examining-the-URL-closely, and consider that one of the benefits of running a good password manager is that it will not let you easily fill in your password unless it recognises it.
Secondly, never-reuse-passwords on multiple websites. If one site gets hacked, online criminals will often try to use the same credentials to unlock your other online accounts.
Thirdly, harden your defences. Where available (as it is on Twitter) enable two-step verification or two-factor authentication to provide an additional layer of defence for your accounts. With 2SV or 2FA in place, hackers will need more than your password to break into your accounts making it – in most cases – something that they’ll simply not bother with, as they move to find softer targets."

:fear::fear: :mad:

AplusWebMaster
2016-08-18, 17:55
FYI...

Fake 'UPS' SPAM - leads to Locky
- http://blog.dynamoo.com/2016/08/malware-spam-office-printer-is-having.html
18 Aug 2016 - "This -fake- UPS email has a malicious attachment. It appears to come from various countries UPS domains (e.g. ups.de, ups.co.uk), and from various senders.
From "Laurence lumb" [Laurence.lumb25@ ups .de]
Date Thu, 18 Aug 2016 17:35:21 +0530
Subject Emailing: Label
Good afternoon
The office printer is having problems so I've had to email the UPS label,
sorry for the inconvenience.
Cheers
Laurence lumb

Attached is a ZIP file with a name beginning "Label" plus a random number. This contains a malicious .WSF script file that downloads Locky ransomware... (according to my trusted source)... This dropped binary has a detection rate of 6/54*. It phones home to the following locations:
185.129.148.19/php/upload.php (MWTV, Latvia)
51.255.107.8/php/upload.php (Webhost LLC Dmitrii Podelko, Russia / OVH, France)
194.67.210.183/php/upload.php (Marosnet, Russia)
Recommended blocklist:
185.129.148.0/24
51.255.107.8
194.67.210.183 "
* https://www.virustotal.com/en/file/d1ac3b6f9019bc2d1f25eec8abced027a78692c7ebbeea56337d529165f7e84e/analysis/
___

Locky Ransomware via DOCM attachments - latest Email campaigns
- https://www.fireeye.com/blog/threat-research/2016/08/locky_ransomwaredis.html
Aug 17, 2016 - "Throughout August, FireEye Labs has observed a few massive email campaigns distributing Locky ransomware. The campaigns have affected various industries, with the healthcare industry being hit the hardest based on our telemetry:
Top 10 affected industries
> https://www.fireeye.com/content/dam/fireeye-www/blog/images/Locky%20ransomware%20Rongwhachong/Fig1.png
Numerous countries are affected, with the United States, Japan, and Republic of Korea topping the list:
Top affected countries
> https://www.fireeye.com/content/dam/fireeye-www/blog/images/Locky%20ransomware%20Rongwhachong/Fig2.png
... Locky ransomware started being delivered via DOCM format email attachments more extensively beginning in August. This marks a change from the large campaigns we observed in March, where a JavaScript based downloader was generally being used to infect systems. These detection spikes and change in tactics suggest that the cybercriminals are investing more to infect systems and maximize their profits. Additionally, we have observed that the delivery of Dridex via this distribution channel seems to have stopped, or nearly so, which could explain why we are seeing the Locky uptick:
Massive DOCM related campaigns on Aug. 9, Aug. 11 and Aug. 15, 2016
> https://www.fireeye.com/content/dam/fireeye-www/blog/images/Locky%20ransomware%20Rongwhachong/Fig3.png
Our analysis showed high similarity in the macro code that was used in the Aug. 9, Aug. 11 and Aug. 15 campaigns... The volume of Locky ransomware downloaders is increasing and the tools and techniques being used in campaigns are constantly changing. In this instance, we are seeing a shift from using a JavaScript based downloader to infect victims to using the DOCM format. On top of that, cybercrime trends have shown that attackers are distributing more ransomware these days than banking trojans, as the former appears to be more lucrative. These latest campaigns are a reminder that users must be cautious when it comes to opening attachments in emails or they run the risk of becoming infected and possibly disrupting business operations."

:fear::fear: :mad:

AplusWebMaster
2016-08-19, 13:01
FYI...

Fake 'Payment Receipt' SPAM - leads to locky
- https://myonlinesecurity.co.uk/attached-is-the-copy-of-your-payment-receipt-leads-to-locky-ransomware/
19 Aug 2016 - "... a long line of generic emails delivering Locky ransomware is an email with the subject of 'Payment Receipt' pretending to come from random companies and email addresses with a malicious word doc attachment... One of the emails looks like:
From: Payment Receipt
Date: Fri 19/08/2016 10:43
Subject: Payment Receipt
Attachment: PaymentReceipt.docm
Attached is the copy of your payment receipt.

19 August 2016: PaymentReceipt.docm - Current Virus total detections 7/55*.. MALWR shows a download of an encrypted file from http ://wzukoees.homepage.t-online .de/897fyDnv which is converted by the malicious macro in the word doc to C:\DOCUME~1\User\LOCALS~1\Temp\sys48.tmp (VirusTotal 4/56**)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/af3e4798677e18672a503d6dfc9b3aa1b3994ee5b3f35df65fb4d43d0e347d8b/analysis/1471600737/

** https://www.virustotal.com/en/file/23f3af553ed69694de70a82ec31d2e95ed9cea106319781622c2c80196afba6b/analysis/1471600926/

t-online .de: 2003:2:4:164:217:6:164:162
2003:2:2:40:62:153:159:92
217.6.164.162: https://www.virustotal.com/en/ip-address/217.6.164.162/information/
62.153.159.92: https://www.virustotal.com/en/ip-address/62.153.159.92/information/
___

Fake 'Report' SPAM - leads to Java Adwind Trojan
- https://myonlinesecurity.co.uk/unclaimed-commission-report-wubs-malspam-delivers-java-adwind/
19 Aug 2016 - "We continue to see Java Adwind Trojans daily. Today’s example is a slight change to the delivery method from previous Malspam emails that have been using Moneyexpress .com or MoneyGram or other middle eastern money exchange bodies. This one is an email with the subject of 'Unclaimed Commission Report-WUBS' pretending to come from Shiella F. Doria <shiella.doria@ westernunion .com> with a zip attachment which contains a Java.jar file & an image to make it look “respectable” and genuine. We have seen various -spoofed- Western Union malspam...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2016/08/Unclaimed-Commission-Report-WUBS-1024x646.png

The image from inside the zip is:
- https://myonlinesecurity.co.uk/wp-content/uploads/2016/08/Amendment-Sheet.jpeg

19 August 2016: Unclaimed Commission Report.zip - Extracts to: UN-PROCESSED COMMISSION.jar
Current Virus total detections 30/56*. This is another one of the files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/cc5ae08b50bd64e66d33812bff7ad27d390e9f0250f1b67ff086ecce861ab36e/analysis/1471508188/
___

Ransomware round up
- https://atlas.arbor.net/briefs/index#-198932443
Aug 18, 2016 - "... Analysis: ... ransomware developers and infrastructure providers who deliver the packages are continuing to refine their crafts. The addition of a RAT used to target potential banking elements instead of going forward with ransomware -extortion- is a smart addition. Most threat actors behind ransomware tend to utilize one flat ransom across their victim pool. However, some, notably those behind Locky, have paid attention to some of their victims and were able to extort larger sums than the original request once they identified the overall value of the victimized systems. A RAT could allow a smart threat actor to better access their target and move forward with requesting larger sums of money. However, it could simply allow threat actors to leverage more traditional capabilities by capturing banking credentials which in turn could allow them to perform fraudulent withdrawals with potentially larger payouts than had they attempted simple extortion efforts. Nemucod and Locky continue to change their overall operating procedures. The addition of ad-click and backdoor functionality to a ransomware operation can lead to additional revenue streams for threat actors, especially if the ransomware does not impact the -additional- malicious packages, allowing for them to operate unencumbered while the victim decides what course of action to take in response to the ransomware. Most ransomware is best defended against by -never- enabling-macros unless you implicitly trust the source... and maintaining up-to-date backups that are stored offline..."

:fear::fear: :mad:

AplusWebMaster
2016-08-22, 16:14
FYI...

Fake 'fax' SPAM - leads to Locky
- https://myonlinesecurity.co.uk/todays-fax-malspam-word-macros-leads-to-locky-ransomware/
22 Aug 2016 - "... first example of malspam word docs with macros delivering Locky ransomware is an email with the subject of 'Today’s fax' pretending to come from random names at your own email domain... The email looks like:
From: name/number at your own email domain
Date: Mon 22/08/2016 10:37
Subject: Today’s fax
Attachment: FAX_5542.DOCM

Body content: Totally blank/empty

22 August 2016: FAX_5542.DOCM - Current Virus total detections 4/55*.. MALWR** shows a download of an encrypted file from http ://seiwa1202.web. fc2.com/HfgfvhTR5 that is converted by the malicious macro in the word doc to axilans.exe (VirusTotal 4/55***). Payload Security[4] shows this has anti-analysis protection... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/3f555eb38f2a9345a770c0e0a453f6896bf67946d9c3ed07477843cda37d038c/analysis/1471858624/

** https://malwr.com/analysis/MGQ0YjVmOGMzNDdlNGJiNTlmMDcxODRjMTY1N2ZlOGQ/
Hosts
208.71.106.61: https://www.virustotal.com/en/ip-address/208.71.106.61/information/
>> https://www.virustotal.com/en/url/0519ea7ff8e05d019795615baecc989ee81af1c16ae7ad10c745d2cd25932839/analysis/

*** https://www.virustotal.com/en/file/6c9d67aba3f51df325b653bec8e019acf3fd0410517543c9458aeeadad527891/analysis/1471859596/

4] https://www.hybrid-analysis.com/sample/6c9d67aba3f51df325b653bec8e019acf3fd0410517543c9458aeeadad527891?environmentId=100
___

Fake 'Hello' SPAM - leads to Locky
- https://myonlinesecurity.co.uk/hi-hi-there-hello-malspam-delivers-locky-ransomware/
22 Aug 2016 - "... next batch of malspam emails delivering locky ransomware is a series of emails with subjects like “Hi”, “Hi There” or “Hello” coming from random names, companies and email addresses with a zip attachment containing a WSF (Windows Scripting File)... The body has various generic phrases as the contents along the lines of:
“Please see the attached report about the monthly progress of our department”
“I am sending you the bills of the goods we delivered to you in the attachment"

22 August 2016: 5772ac1553.zip: Extracts to: export_pdf_ 2c23a43a~.js - Current Virus total detections 2/56*
.. MALWR was unable to get any content from the heavily encoded WSF file (waiting for other analysis but almost certain to be the same locations as Today’s Word version Malware delivery[1]). Payload Security** shows a load of connections to various sites... This is another one of the files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/ac3df2cd1f41bfd32fb325590a811261ebb9aaec32b86612b115f29dd3565796/analysis/1471860907/

** https://www.hybrid-analysis.com/sample/ac3df2cd1f41bfd32fb325590a811261ebb9aaec32b86612b115f29dd3565796?environmentId=100
Contacted Hosts
213.217.149.4
213.229.74.92
185.129.148.19
185.51.247.211
194.67.210.183
51.254.55.171
91.201.202.125

1] https://myonlinesecurity.co.uk/todays-fax-malspam-word-macros-leads-to-locky-ransomware/

:fear::fear: :mad:

AplusWebMaster
2016-08-23, 16:18
FYI...

Fake 'Voice Message Notifications' deliver Ransomware
- https://isc.sans.edu/diary.html?storyid=21397
2016-08-23 - "... a phone number and with modern communication channels ("Unified Communications") like Microsoft Lync or Cisco, everybody can receive a mail with a 'voice mail notification'. Even residential systems can deliver voice message notifications. Here is an example displayed in Microsoft Outlook:
> https://isc.sans.edu/diaryimages/images/microsoft-voice-msg.gif
Today, I received a wave of emails like the following:
From: voicemail@ rootshell .be
To: [redacted]
Subject: [Vigor2820 Series] New voice mail message from 01422520472 on 2016/08/23 15:55:25
Dear [redacted]:
There is a message for you from 01422520472, on 2016/08/23 15:55:25 .
You might want to check it when you get a chance. Thanks!

The sender is spoofed with the victim domain name.... file was attached to the message... '.wav.zip' extension to lure the user. As usual, the payload is heavily obfuscated and the AV detection ratio is still very low (6/55 at 11:55:00 UTC)[1]. Vigor is UK company building ADSL residential modems[2]. This tends to think that the new wave is targeting residential customers. Here are the C2 servers (for your IDS):
89.42.39.81
213.205.40.169
51.254.55.171
194.67.210.183
185.51.247.211
185.129.148.19
91.201.202.125 "

[1] https://www.virustotal.com/en/file/97be73cf491cf8e4d30e0e6d9b73e95151f77b3e52813e06b2ef391fa6f26b2a/analysis/1471949327/
File name: 614007286106.wsf
Detection ratio: 6/55

[2] http://www.draytek.co.uk/products/legacy/vigor-2820
___

More Fake 'voice mail messages' SPAM - delivers Locky/Zepto
- https://myonlinesecurity.co.uk/vigor2820-series-new-voice-mail-message-from-random-telephone-number-on-20160823-210159-delivers-locky-zepto-ransomware/
23 Aug 2016 - "Today’s Locky/Zepto ransomware malspam emails have come steadily in waves all day long. There have been 2 distinct different subjects and themes, one pretending to be a voice message from your own email domain or company, with the second pretending to be an audit report from a random company. The first is an email with the subject of '[Vigor2820 Series] New voice mail message' from 01443281097 on 2016/08/23 21:01:59 [random telephone number and date/time] pretending to come from voicemail @ your own email address with a zip attachment named something like 'Message_from_01443281097.wav.zip' where the attachment number matches the telephone number in the subject line. The Vigor 2820 Series is an older ADSL Router Firewall aimed at small business users, so we can quite easily see that this campaign of malware spreading is directly aimed at the small business user...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2016/08/Vigor2820-Series-New-voice-mail-message-from-01443281097-1024x426.png

The second campaign has a subject of 'Audit Report' coming from random senders with a content looking like the below. The name in the body of the email matches the spoofed sender. One of the emails looks like:
From: Omer Scott <Scott.58115@ bambit .de>
Date: Tue 23/08/2016 15:3
Subject: Audit Report
Attachment: 83543cd11db.zip
Dear lie
The audit report you inquired is attached in the mail. Please review and transfer it to the related department.
King regards,
Omer Scott

23 August 2016: Message_from_01443281097.wav.zip: Extracts to: 44077640409.wsf
Current Virus total detections 23/56*.. MALWR** shows a download of an encrypted file from either
http ://danzig.vtrbandaancha .net/HJghjb54?PqzwogvtP=xYWWDkr -or-
http ://backyard004.web. fc2.com/HJghjb54?PqzwogvtP=xYWWDkr (in this example) which gets converted by the script to wKoYWwOtQ.exe (VirusTotal 6/56***)

23 August 2016: 83543cd11db.zip: Extracts to: audit report 316dd5a1.js
Current Virus total detections 23/56[4].. MALWR[5] shows a download of an encrypted file from either
http ://sb-11856.fastdl-server .biz/688dak3, http ://newt150.tripod .com/idyeb9 -or-
http ://dl.sevenseals .ru/ehaq1zw (in this example) which gets converted by the script to NCPcpOkuUfr5AA0.dll (VirusTotal 18/56[6])... This is another one of the files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/15c7846d81bfb2b62431d57ee39e12e0cc30ba907d7281a162181c8b430078d1/analysis/1441173827/

** https://malwr.com/analysis/NjhlMjZkY2ZmNGUwNDE4MDg4N2YwMDVhZmE2NTcxZGM/
Hosts
200.83.4.62
185.129.148.19
208.71.106.40

*** https://www.virustotal.com/en/file/ec64616f8f1e46d35c7d760566b2324112aeb93964adbd4face3efa3e1260a0a/analysis/1471961322/

4] https://www.virustotal.com/en/file/15c7846d81bfb2b62431d57ee39e12e0cc30ba907d7281a162181c8b430078d1/analysis/1441173827/

5] https://malwr.com/analysis/YjFiYzVkM2E0MjI5NDcwMWE5YzQ4MmNkNzA3MjA4NzM/
Hosts
109.230.252.172
52.52.39.236
77.221.140.226

6] https://www.virustotal.com/en/file/bb52a69eb29a53d46c46f555bac76a140136ad0ecdcb73d3c004094cc47cd2c2/analysis/1471962605/
___

Fake 'Cancellation' SPAM - leads to Locky
- https://myonlinesecurity.co.uk/attached-is-the-paper-concerning-with-the-cancellation-of-your-current-credit-card-malspam-delivering-locky-ransomware/
23 Aug 2016 - "The next in the series of today’s Locky downloaders is an email with the subject of 'Cancellation' pretending to come from random senders with a zip attachment containing a JavaScript file that pretends to be a pdf... One of the emails looks like:
From: Zachary Flynn <Flynn.94@ football-stats .org>
Date: Tue 23/08/2016 19:00
Subject: Cancellation
Attachment: 2c122b8fa354.zip
Dear rob,
Attached is the paper concerning with the cancellation of your current credit card.
Confirm to us for receiving.
King regards,
Zachary Flynn
Account Manager ...

23 August 2016: 2c122b8fa354.zip: Extracts to: card_cancellation_pdf 5a59aad3.js
Current Virus total detections 4/56*.. MALWR** shows a download of an encrypted file from one of these locations
http ://sopranolady7 .wang/1cntwk5 | http ://www.leuchten-modelle .de/ink36
http ://download.apf .asso .fr/87aktsv | http ://gromasgboleslawiec .cba .pl/09n7n
... that is decrypted and transformed into P6dtp6pov8qB.dll (VirusTotal 6/56***)... This is another one of the files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/1efa8fd737b091c0bc6fc6502a672c7000b997cc46037261683a49b485f8004a/analysis/1471975535/

** https://malwr.com/analysis/NDkyZGYyNTllNTY5NGFkN2E3YTM3MzU0YTkzZTYyMTU/
Hosts
95.211.144.65
212.18.0.4
91.223.89.200
195.154.81.86

*** https://www.virustotal.com/en/file/1fd155286d3da5b44adab040368608f9adc3547760c221eb0a45ed5d1f6cf94f/analysis/1471977294/
___

File-in-the-middle Browser hijackers
- https://blog.malwarebytes.com/cybercrime/2016/08/file-in-the-middle-hijackers/
Aug 23, 2016 - "We are not sure if this is going to be a new trend among browser-hijackers, but it seems more than a coincidence that we found -two- browser hijackers using a very similar approach to reach their goal of taking victims to the sites of their choice. Both are using one of their own files to act as a file-in-the-middle between the user and the browser... Dotdo Audio: Dotdo is a strain of hijackers that we have discussed before for using different and more “out of bounds” methods to get the job done. I named this variant “audio” because it uses audio advertisements. But that is not our focus here. It’s the replacement of browser executables with their own that raised our interest. The installer -renames- the files firefox.exe and chrome.exe, if present, and adds a number to the filename. It then hides these renamed files and replaces them with its own files:
> https://blog.malwarebytes.com/wp-content/uploads/2016/08/hiddenexe.png
The screenshot above shows you the hidden and renamed Chrome file, in the same folder as the replacement. I changed the settings for hidden files so that we can see them. In a similar screenshot below we can see that the same was done for Firefox:
> https://blog.malwarebytes.com/wp-content/uploads/2016/08/hiddenexe2.png
The browsers are -hijacked- to open with traffic-media[dot]co by altering the browser shortcuts for:
Chrome
Firefox
Internet Explorer
Opera
Yandex
... Summary: We discussed two hijackers from very different families and using different methods, but they also had a few things in common. They want the victims to hear/see their advertisements and they used a file-in-the-middle between the browser shortcuts and the actual browser in order to alter the browsers behavior to meet their goals..."

traffic-media[dot]co: 195.154.46.150: https://www.virustotal.com/en/ip-address/195.154.46.150/information/
>> https://www.virustotal.com/en/url/dc0778c0691294cadf826493f2d59c201e4bfe331a452973c1cc448c3d928854/analysis/
___

Email - Security battleground
- http://blog.trendmicro.com/trendlabs-security-intelligence/ransomware-and-business-email-compromise-bec-lead-year-of-online-extortion/
Aug 23, 2016 - "Emails have become the battleground for the first half of the year in terms of security. It is the number one infection vector that have ushered in 2016’s biggest threats so far — ransomware and business email compromise (BEC). Ransomware infections normally start via email. Based on our findings, -71%- of the known ransomware families’ delivery method is through spam. Looking at the threat trends so far, both ransomware and BEC have proved profitable across the world:
Regional breakdown by volume of ransomware threats:
> https://blog.trendmicro.com/trendlabs-security-intelligence/files/2016/08/figure01a-20161h-roundup.jpg
Regional breakdown by volume of organizations affected by BEC scams:
> https://blog.trendmicro.com/trendlabs-security-intelligence/files/2016/08/figure02a-20161h-roundup.jpg
Our telemetry shows that ransomware’s scope is more widespread than BEC as it targets countries in Europe, Middle East, and Africa. The prevalence of BEC scams are higher in the North American region, with fewer countries but more targeted — attackers behind BEC scams most often impersonate and target C-level executives... 58% of the nearly 80 million ransomware threats Trend Micro blocked from January to June 2016 are email-borne ransomware. BEC scams, on the other hand, -all- arrive via email. These factors make the two threats quite formidable, as email remains a firm staple in everyday business. They both also utilize social engineering. In ransomware’s case, it’s for the user to click and run the ransomware attached to their opening email. For BECs, it’s to trick the targeted officer into thinking that their request for a money transfer is legitimate, without the usual malware payload... Knowing that these threats use email as an attack vector, companies should strengthen employee education and invest smartly in email protection. With these, the threat of ransomware and BEC attacks can be greatly reduced..."

:fear::fear: :mad:

AplusWebMaster
2016-08-24, 13:57
FYI...

Fake 'Statement' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/the-monthly-financial-statement-is-attached-within-the-email-malspam-delivering-locky-ransomware/
24 Aug 2016 - "This morning’s first Locky ransomware delivering malspam is an email with the subject of 'Statement' coming from random senders, companies and email addresses with a random named zip attachment containing a JavaScript file that pretends to be a financial statement... One of the emails looks like:
From: Ella Gonzales <Gonzales.169@ airtelbroadband .in>
Date: Wed 24/08/2016 10:34
Subject: Statement
Attachment: 25b8ae3a4d.zip
Hi,
The monthly financial statement is attached within the email.
Please review it before processing.
King regards,
Ella Gonzales ...

24 August 2016: 25b8ae3a4d.zip: Extracts to: monthly_financial_scan aa9140e0.js
Current Virus total detections 2/56*.. MALWR** shows a download of an encrypted file from one of these locations:
http ://rejoincomp2 .in/117uuf5h | http ://dokcool.atspace .org/jltqouz
http ://smilehomeutsumi504.web. fc2.com/by11k6r ... that is converted by the JavaScript to o2OoILn8OHU.dll and autorun (VirusTotal 6/56***)... This is another one of the files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/e881fd2a16a3e42ac23612b802089441dcf256663ecdf24163fe53aed6da913d/analysis/1472031010/

** https://malwr.com/analysis/YmNjYjUxNWNjZTE4NGI0ZTk5MGYzNWFkNDQxNDgwYmE/
Hosts
82.197.131.109
208.71.106.49
213.229.74.92

*** https://www.virustotal.com/en/file/89e3826910ce80cc51d60e76285b94e49a237f8646b22f5b89b9da6ab38a4721/analysis/1472033919/
___

Fake 'Emailing: Image' SPAM - leads to Locky
- https://myonlinesecurity.co.uk/emailing-image15-jpg-malspam-using-hta-files-delivers-locky-ransomware/
24 Aug 2016 - "A blank email with the subject of 'Emailing: Image15.jpg' [random numbered] pretending to come from random senders at your own email domain or company with a zip attachment containing an encrypted HTA file... This set of emails has a zip attachment that extracts to a HTA file... One of the emails looks like:
From: Raymon <Raymon237@ Your email domain >
Date: Wed 24/08/2016 12:04
Subject: Emailing: Image15.jpg
Attachment: Image15.zip

Body content: Totally blank/Empty

24 August 2016: Image15.zip: Extracts to: 100966743304.hta - Current Virus total detections 2/56*
.. Payload Security** shows a download of the usual Locky encrypted file from a list of embedded URLs in the decrypted HTA/JavaScript file which is converted to xUztoLUte.exe by the instructions inside the HTA/JavaScript (VirusTotal 2/56***)... This is another one of the files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/9582e4b08753bd0478c0ebf4dd688614b32823491fa62056e3941117c48fb727/analysis/1472036751/

** https://www.hybrid-analysis.com/sample/9582e4b08753bd0478c0ebf4dd688614b32823491fa62056e3941117c48fb727?environmentId=100
Contacted Hosts
112.140.42.29
213.205.40.169
200.83.4.62
185.129.148.19
51.254.55.171
185.51.247.211
194.67.210.183
91.226.92.208

*** https://www.virustotal.com/en/file/f20a5ed36937d554eef5ce589472ed18934f7db257fba332a17cebc775678f1b/analysis/1472037488/

:fear::fear: :mad:

AplusWebMaster
2016-08-25, 12:53
FYI...

Fake 'Fraud Notice' SPAM - Java Adwind Trojans
- https://myonlinesecurity.co.uk/java-adwind-embedded-in-word-doc-xpress-money/
25 Aug 2016 - "... Java Adwind Trojans being delivered by various financial themed emails, we are seeing a new method of distribution of the Java Adwind Trojan using these financial themed emails with the subject of 'Request for Amendment'-XPIN- 2401200221508974 & 2401240241500561 (11) pretending to come from xm.support@ xpressmoney .com <XM SUPPORT> with a word doc attachment that contains the Java Adwind Trojan as an embedded OLE object... One of the emails looks like:
From: xm.support@ xpressmoney .com <XM SUPPORT>
Date: Request for Amendment-XPIN- 2401200221508974 & 2401240241500561 (11)
Subject: Request for Amendment-XPIN- 2401200221508974 & 2401240241500561 (11)
Attachment: Fraud Notice XM.doc
Dear Sir/Madam,
We would like to inform you that the transaction mentioned have been flagged from our system although the Xpress Money account is still under review. Please cancel and amend these transactions from your system at the earliest. Details of Transactions is been attached
Thanks & Warm Regards,
Prasanth Vasanth Pai
Specialist Customer Support
Xpress Money Services Ltd.
PO Box 170, Abu Dhabi, UAE ...

Screenshot of attached word doc: https://myonlinesecurity.co.uk/wp-content/uploads/2016/08/Fraud-Notice-XM_doc-1024x419.png

25 August 2016: Fraud Notice XM.doc - Current Virus total detections 23/56*. MALWR**
If you are unwise enough to double click the alleged pdf files that are -embedded- inside the word doc, then a JAVA.jar – Jacob.jar file will open & run (VirusTotal 23/56***)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/2975d89e92fa95a101ea87bb40109981751026c730da048762670c74809e38ad/analysis/1472103111/

** https://malwr.com/analysis/ODIwOWYzYzQ3ZWEzNGFhZDgyMDYxYzVkMjc1YzJlYTQ/

*** https://www.virustotal.com/en/file/63ce0cb3f81bb54b30f287e8a28b0df9a1835aee4430ef8492a748e327d07ccc/analysis/1472103307/

Earlier 'Java Adwind' posts: https://myonlinesecurity.co.uk/?s=Java+Adwind
___

BEC scams and ransomware
- https://www.helpnetsecurity.com/2016/08/25/evolution-ransomware-bec-scams/
Aug 25, 2016 - "Trend Micro analyzed the trends in attacks and vulnerabilities seen throughout the first half of this year*, and found a rise and impact of attacks, such as a -172- percent increase in ransomware and $3 billion in losses due to business email compromise (BEC) scams so far in 2016..."
(More detail at the URL above.)
Charted: https://www.helpnetsecurity.com/images/posts/trendmicro-08-ransomware1.jpg
* http://blog.trendmicro.com/trendlabs-security-intelligence/ransomware-and-business-email-compromise-bec-lead-year-of-online-extortion/
Aug 23, 2016 - "... Based on our findings, 71% of the known ransomware families’ delivery method is through spam..."
* https://www.trendmicro.com/vinfo/us/security/research-and-analysis/threat-reports/roundup
Aug 23, 2016 - "... The number of new ransomware families we saw in the first half of 2016 alone has already eclipsed the total 2015 volume by 172%. With ransomware attacks becoming more and more sophisticated and prevalent, we believe that the threat will potentially cause more damage going into the second half of the year..."
___

Tech support scams and Google Chrome tricks
- https://blog.malwarebytes.com/cybercrime/social-engineering-cybercrime/2016/08/tech-support-scams-and-google-chrome-tricks/
Aug 25, 2016 - "Tech support scams coming as phishing pages that contain -fake- alerts urging you to call for immediate assistance are common place these days. We collect -hundreds- of such URLs each day and have observed countless tricks to fool users... for years we have been telling people to double check the URL in the address bar to know if a website is really what it claims to be. When this scam page loads it runs in full-screen mode and prevents the user from easily closing it with an infinite loop of alerts.
Now take a look at the address bar. For all intents and purposes it does look like the legitimate Microsoft website, although the ‘ru-ru’ (Russia) portion of the URL is a fail in an otherwise clever design. (There are other bits of Russian here and there in the source code, which perhaps link to the original author?):
> https://blog.malwarebytes.com/wp-content/uploads/2016/08/scam.png
... Tech support -scams- have similar alert windows except we found some that are completely made up. Putting a checkmark and clicking OK actually produces the opposite result of what you’d expect, to keep you more frustrated and ready to throw your computer out the window... It’s safe to say that browser-based tech support scams are not going anywhere any time soon. Sadly, most browsers are brought to their knees with simple bits of JavaScript and non savvy users will simply give up and call the toll free number for assistance (we forgot to mention that all this while a very annoying audio track plays in the background). Call centres located in India (for the most part) are receiving thousands of calls each day from desperate victims prime to be -defrauded- of hundreds of dollars by rogue operators playing the Microsoft technician game. Spotting those scams isn’t always easy though and that is why it’s important to expose them to show their inner workings. To learn more about tech support scams and consult our blacklist of known offenders, please check out our resource page here*."
* https://blog.malwarebytes.com/threats/tech-support-scams/

:fear::fear: :mad:

AplusWebMaster
2016-08-26, 19:01
FYI...

Fake 'Voice Message' SPAM - delivers Locky/Zepto
- https://myonlinesecurity.co.uk/voice-message-from-outside-caller-3m-54s-peach-telecom-delivers-locky-zepto/
26 Aug 2016 - "An email with the subject of 'Voice Message from Outside Caller (3m 54s) [random length]' pretending to come from Peach Telecom <peach_necsv06@ hotmail .com> (random number after peach_necsv) with a zip attachment which downloads Locky/Zepto ransomware... One of the emails looks like:
From: Peach Telecom <peach_necsv06@ hotmail .com>
Date: Fri 26/08/2016 12:21
Subject: Voice Message from Outside Caller (3m 54s)
Attachment: Outside Caller 08-26-2016 9aaf18b.zip
Voice Message Arrived on Friday, Aug 26 @ 6:26 AM
Name: Outside Caller
Number: Unavailable
Duration: 3m 54s ...

26 August 2016: Outside Caller 08-26-2016 9aaf18b.zip: Extracts to: 08-26-2016 36ptor06.wsf
Current Virus total detections 9/56*.. MALWR** shows a download of an encrypted file from one of these locations:
http ://sewarte.homepage. t-online .de/nb20gjBV?xJNXYWEr=xnGdqHz |
http ://theramom.web. fc2 .com/nb20gjBV?xJNXYWEr=xnGdqHz |
http ://seishinkaikenpo .com/nb20gjBV?xJNXYWEr=xnGdqHz
which is transformed by the script to LHOyUOaiiss1.dll (VirusTotal ***). All versions send info back to the control centre at http ://51.254.55.171/data/info.php ...
This is another one of the files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/034fb3635b53341c4f51f79ab6cbd7beb4781c7c58899a30d9f6c5083e273ae0/analysis/1472210401/

** https://malwr.com/analysis/OTY5MGRiM2UxN2QwNGIwMGFlOTllY2QwYjdlOGNhMTI/
Hosts
210.157.30.70
208.71.106.46
80.150.6.138
51.254.55.171

*** https://www.virustotal.com/en/file/b985b35319e03b0df7a7b12423b82fef770e35ebdbab22e7f1810bc0bd0f9b7a/analysis/1472214673/
___

Fake 'P.O.' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/please-sign-the-attached-purchase-of-the-office-equipment-malspam-delivers-locky-ransomware/
26 Aug 2016 - "The second batch of today’s Locky ransomware malspam emails is an email with the subject of
'office equipment' coming from random senders with a zip attachment... One of the emails looks like:
From: Jillian Kirby <Kirby.84@ phantomes .com>
Date: Fri 26/08/2016 11:41
Subject: office equipment
Attachment: 609c171b94a.zip
Dear wh,
Please sign the attached purchase of the office equipment. We will send you back the receipt afterward.
Best regards,
Jillian Kirby
Sales Manager

26 August 2016: 609c171b94a.zip: Extracts to: office_equipment ~bced3628.js
Current Virus total detections 4/56*.. MALWR** shows a download of an encrypted file from one of these locations,
http ://onlybest76 .xyz/1rkyye | http ://all-rides .com/i0gih |
http :// provincialpw .com/crgrapy | http ://www.mediawareonline .it/yvg6cw |
http ://www.jansen-consultancy-machines .be/nvbd7rme that is transformed by the script to deliver AzWzM3LegeEcV6.dll (VirusTotal 14/58***). Payload Security[4].. This is another one of the files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/b0f6b873b31775de65850e2cea3322aa2c8eec0d2d2933766c9aa02814f9b10b/analysis/1472209948/

** https://malwr.com/analysis/NmUwMTAxYjIxYmE2NDczY2JkMWEwOWE3MDhiYmZjODA/
Hosts
195.130.132.84
104.232.35.136
160.153.54.35
173.255.129.128
212.104.43.3

*** https://www.virustotal.com/en/file/29fd0e815d6fecee1b27cb60916350d74ea2bfef0ad8cd3e7b7dfb3564ad47eb/analysis/1472217004/

4] https://www.hybrid-analysis.com/sample/b0f6b873b31775de65850e2cea3322aa2c8eec0d2d2933766c9aa02814f9b10b?environmentId=100
Contacted Hosts
160.153.54.35
212.104.43.3
188.127.249.203
138.201.191.196
51.254.55.171
91.226.92.208
___

Fake 'monthly report' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/there-were-some-errors-in-the-monthly-report-you-submitted-last-week-malspam-delivering-locky-ransomware/
26 Aug 2016 - "The third of today’s Locky ransomware malspam deliveries is an email with the subject of 'monthly report' coming from random senders, companies and email addresses with a zip attachment... One of the emails looks like:
From: Tasha Ray <Ray.05187@ flamingjewellery .co.uk>
Date: Fri 26/08/2016 18:16
Subject: monthly report
Attachment: c1195a3663e.zip
Good evening hyperbolasmappera,
There were some errors in the monthly report you submitted last week.
See the highlights in the attachment and please fix as soon as possible.
Best regards,
Tasha Ray
Account Manager ...

28 August 2016: c1195a3663e.zip: Extracts to: monthly_report_pdf (~41e8df8a).js
Current Virus total detections 6/56*.. MALWR** shows a download of an encrypted file from one of these locations:
http ://berndburgdorf .de/5x6vdaw | http ://www.valmon .it/ndxec | http ://rejoincomp2 .in/3dv7n |
http ://abufarha .net/80d4a1j which is transformed by the script to lh7pIFrXtoRVDe.dll (VirusTotal 19/58***)...
This is another one of the files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/b42d7d29c2c3c24b59a2dac998dac152f0be8d03d9bad758d716d01f67696881/analysis/1472235308/

** https://malwr.com/analysis/OGQ2NmJmMGI2ZGE1NDI5ZWE0MGYyYTg2NmJjMGE0ZmU/
Hosts
212.40.179.94
104.232.35.136
213.205.40.169
66.147.240.193

*** https://www.virustotal.com/en/file/bb40584cae7a53682d52dc912258852367eec8bf91a76d825e6608649ddbcf46/analysis/1472237184/

:fear::fear: :mad:

AplusWebMaster
2016-08-29, 15:06
FYI...

Fake 'Commission' SPAM - leads to Locky
- https://myonlinesecurity.co.uk/here-is-the-excel-file-of-the-commission-you-earned-last-month-malspam-delivers-locky/
29 Aug 2016 - ".. the -Locky- onslaught continues its daily attacks with an email with the subject of 'Commission' coming from random companies and senders with a zip attachment that despite the message in the email body saying it is an Excel file actually contains a JavaScript file, although they have half tried to disguise it as an excel file commission_xls (~2a4bfa91).js ... One of the emails looks like:
From: Minerva Bridges <Bridges.033@ aprilwilkins .com>
Date: Mon 29/08/2016 10:20
Subject: Commission
Attachment: 9dc078a8d54e.zip
Good morning rob,
Here is the excel file of the commission you earned last month. Please analyze
the attachment to confirm the amount.
Regards,
Minerva Bridges

29 August 2016: 9dc078a8d54e.zip: Extracts to: commission_xls (~2a4bfa91).js - Current Virus total detections 4/56*
.. MALWR** shows a download of an encrypted file from one of these locations:
http ://xelagon.50webs .org/8rxv3 | http ://209.237.142.197/~p27j55uk/von90s
http ://ach-dziennik.cba .pl/kag7pe6 | http ://wangmewang .name/5tr5xeey which is transformed into a working Locky Ransomware file by the JavaScript file yzASo9ubY.dll (VirusTotal 9/58***)... This is another one of the files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/65e94e738b1203f82036982fb93c00bde6fc4d536a63215fec7b6f851a8d506f/analysis/1472462471/

** https://malwr.com/analysis/YjBiMWMwMzA3ZTRlNGNhMmFhMTI2ZjMwMzNlMTk3OWI/
Hosts
192.151.153.26
213.229.74.92
95.211.144.65
209.237.142.197

*** https://www.virustotal.com/en/file/969278e2a68efd9973d2882984403fa9a1dd61f3c75633eae399c38b337d5c38/analysis/1472464805/
___

Fake 'invoice' SPAM - leads to ransomware
- https://myonlinesecurity.co.uk/please-find-attached-invoice-no-9087773449-pretending-to-come-from-your-own-email-domain-delivers-locky-zepto-ransomware/
39 Aug 2016 - "... series of Locky/Zepto ransomware malspams... an email with the subject of 'Please find attached invoice no: 9087773449' [random numbered] pretending to come from document@ your own email domain with a zip attachment containing a WSF file... One of the emails looks like:
From: document@ your own email domain
Date: Mon 29/08/2016 10:21
Subject: Please find attached invoice no: 9087773449
Attachment: 03A137a21.zip
Attached is a Print Manager form.
Format = Portable Document Format File (PDF) ...

29 August 2016: 03A137a21.zip: Extracts to: sedFki.wsf - Current Virus total detections 7/56*
.. MALWR** shows a download of an encrypted file from one of these locations
http ://www.imaginarium .home.ro/78yhuinFYs?AUURTj=HtKvHtW
http ://abcbureautique.abc.perso. neuf .fr/78yhuinFYs?AUURTj=HtKvHtW
http ://dussartconsulting .com/78yhuinFYs?AUURTj=HtKvHtW ... which is transformed by the script file to atuBFcBCz1.dll and automatically run (VirusTotal 4/58***). All the versions post home to the control centre at http ://51.255.107.30 /data/info.php to get & store the encryption key used to encrypt your files... This is another one of the files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/be926a8be225dbda3534e34373a74acecfc46d31633be724fdc3f2854a195bad/analysis/1472462824/

** https://malwr.com/analysis/YzE2ZGI0Mjg3ZmI3NGEzYmFiMTc0MzUzZGRkYWIwYmE/
Hosts
86.65.123.70
81.196.20.133
91.216.107.228
51.255.107.30

*** https://www.virustotal.com/en/file/b58a4beff3b39066626e0d8af3dc23ac65b59849ccacd0c012174604b946819b/analysis/1472465136/
___

Fake 'mortgage documents' SPAM - lead to Locky
- https://myonlinesecurity.co.uk/i-am-attaching-the-mortgage-documents-relating-to-your-department-malspam-delivers-locky/
29 Aug 2016 - "... Locky ransomware malspams... email with the subject of 'mortgage documents' with a zip attachment containing a WSF file... One of the emails looks like:
From: Edison Montgomery <Montgomery.25@ cable .net .co>
Date: Mon 29/08/2016 20:16
Subject: mortgage documents
Attachment:
Dear cazzo, I am attaching the mortgage documents relating to your department.
They need to be signed in urgent manner.
Regards,
Edison Montgomery

29 August 2016: 9aaea06c022a.zip: Extracts to: mortgage_documents.c40bf5a3.wsf
Current Virus total detections 5/56*.. MALWR** seems unable to analyse these and Payload Security has 150+ files in the queue...
Edit: Payload security*** eventually gave me www .qualityacoustic.comcastbiz .net/53ky07h2 which is an encrypted flle which gets transformed by the script to a Locky/Zepto file. Unfortunately Payload security does not give me that file... This is another one of the files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/563c868355a3292501ee5f85ded24ade343a45b73a6ade4d12e720a40716bb00/analysis/1472498468/

** https://malwr.com/analysis/YWQ5NGUzMjI1MzFkNDc2MWIxZjcyM2JhNjMxOGY2ODQ/

*** https://www.hybrid-analysis.com/sample/563c868355a3292501ee5f85ded24ade343a45b73a6ade4d12e720a40716bb00?environmentId=100
Contacted Hosts
216.87.186.101
51.255.107.30
188.127.249.203
195.64.154.114
138.201.191.196
69.195.129.70
91.226.92.208
___

Locky downloaded as encrypted DLLs
- http://blog.trendmicro.com/trendlabs-security-intelligence/locky-ransomware-now-downloaded-encrypted-dlls/
Aug 29, 2016 - "... Locky has, over time, become known for using a wide variety of tactics to spread – including macros, VBScript, WSF files, and now DLLs... we encountered a new Locky variant (detected as RANSOM_LOCKY.F116HM) that used old tactics on the surface, but with some key technical changes. The emails that were used to distribute it were fairly pedestrian as far as these messages go, although it was part of a large-scale spam campaign:
> https://blog.trendmicro.com/trendlabs-security-intelligence/files/2016/08/locky-dll-1.png
... Using a DLL file in this way represents an attempt to try and -evade- behavior monitoring features that are now part of modern endpoint security products. Running as a DLL prevents a new process from being started, making it harder to detect. Other ransomware families (like CrypMIC/CryptXXX) have used this tactic as well, although for Locky this is new. The use of encryption is also meant to strengthen this malware’s ability to hide itself. Without receiving the right parameters from the downloader, no actual malicious file is actually decrypted (and theoretically, detected)..."

:fear::fear: :mad:

AplusWebMaster
2016-08-30, 17:10
FYI...

Fake 'Body content Blank/empty' SPAM - leads to Locky
- https://myonlinesecurity.co.uk/blank-email-pretending-to-come-from-your-own-email-address-delivers-locky-zepto/
30 Aug 2016 - "The latest of Today’s Locky/Zepto malspams is a -blank- empty email pretending to come from random names at your own email domain with the -subject- similar to 'document, File, Picture, Photo, Image' etc. with a zip attachment containing a WSF file... One of the emails looks like:
From: random name @ your own email domain
Date:
Subject: Photo
Attachment: PC_20160830_05_84_67_Pro.zip

Body content: Blank/empty

11 May 2016: PC_20160830_05_84_67_Pro.zip: Extracts to: XfTxmMOc.wsf - Current Virus total detections 8/56*
.. MALWR** shows a download of an encrypted file from
http ://gerochan.web. fc2 .com/987nkjh8?RlUTbYrVI=TMGiBgFtfwB amongst others which eventually gets transformed by the script file to XWYLtzfQg1.dll (VirusTotal 5/58***). C2 control which determines the encryption key is
http ://188.127.249.32 /data/info.php ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/9df925d482775dd51ead795c97be4faa7cd4a0ec5e5398b4e577f49ec036e1df/analysis/1472566396/

** https://malwr.com/analysis/YTE0NDY2OGVhODE1NGM5ZTkwYmI5ZGRlZTk2MTcwYjU/
Hosts
85.12.197.61
208.71.106.49
208.71.106.45
51.255.107.30
188.127.249.32

*** https://www.virustotal.com/en/file/2d2616b7b36b5f368d25d7c3f91bee9d73a391a4ea63ed607017127f4a785756/analysis/1472562174/
___

Fake 'Final payment' SPAM - leads to malware
- https://myonlinesecurity.co.uk/final-payment-request-fake-hmrc-demand-leads-to-malware/
30 Aug 2016 - "An email with the subject of 'Final payment request' pretending to come from angela.fynan@ hmrc.gsi .gov.uk <info@ hmrcgovuk121 .pw> with a malicious word doc attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking Trojans like Dridex or Dyreza and ransomware like Locky or numerous Cryptolocker versions... The email looks like:
From: angela.fynan@ hmrc.gsi .gov.uk <info@ hmrcgovuk121 .pw>
Date: Tue 30/08/2016 15:08
Subject: Final payment request
Attachment: hmrc_doc_083016_848347734.docm
Date of issue 30 august 2016
Reference K 2058964946
Sir/Madam
Final payment request GBP 5,961.34.
Don’t ignore this letter – you need to pay us now if you want to stop us taking enforcement action against you.
We contacted you previously asking you to pay the above amount but you still haven’t done so. The attached statement of liability gives a breakdown of what you owe.
As you’re in the very small minority of people who haven’t paid. We’re treating your case as a priority. If you don’t pay now, we’ll take action to make you pay. The law allows us to enforce debts by seizing your goods and selling them by public auction A regional sheriff officer acting on a summary warrant will do this for us. We can charge fees for this so if you don’t act now it could cost you more money.
For more information and how to pay us please see attached statement.
We’ll continue to add interest to the original debt until you pay in full.
Debt Management
G McLean
HMRC ...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2016/08/hmrc_final-payment-request-1024x562.png

30 August 2016: hmrc_doc_083016_848347734.docm - Current Virus total detections 4/55*
.. MALWR** shows a download from http ://ivanovimportexportltd. co.uk/4.exe (VirusTotal 4/57***) MALWR[4]
... likely to be a password stealer of some sort. Payload Security[5]... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/fabf49d526a6dbe77515c4e02f057c00a6b93a4d0c39175c4faac128dd9fa712/analysis/1472565604/

** https://malwr.com/analysis/ZmE3YWRkYjg2NGQyNDQzNjkwMjkxZjJjMzNlYzBhMGM/
Hosts
137.74.172.30

*** https://www.virustotal.com/en/file/1850db439087d14d3f33a77b68e4f47071018a12ed49231c09c210e240520abd/analysis/1472566995/

4] https://malwr.com/analysis/NjhkNTkxMDBmZGQ3NDU2Zjg2NmQ4Y2Y3NWRlNTk5NGE/

5] https://www.reverse.it/sample/fabf49d526a6dbe77515c4e02f057c00a6b93a4d0c39175c4faac128dd9fa712?environmentId=100
Contacted Hosts
137.74.172.30
___

Fake 'paycheck' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/attached-is-the-paycheck-for-your-next-months-salary-in-advance-malspam-delivers-locky/
30 Aug 2016 - "... series of Malspam delivering -Locky- ransomware is an email with the subject of 'paycheck' coming from random senders, companies and email addresses with a zip attachment... One of the emails looks like:
From: Isabella Holman <Holman.114@ profilerhs .com>
Date: Tue 30/08/2016 18:38
Subject: paycheck
Attachment:
Hey gold, as you requested, attached is the paycheck for your next month�s salary in advance.
Sincerely yours,
Isabella Holman

30 August 2016: e3fa12b0575f.zip: Extracts to: paycheck_pdf_de64ad80.js - Current Virus total detections 6/54*
.. MALWR** shows a download of an encrypted file from one of these locations:
http ://malwinstall .wang/1xiolv6 | http ://specialist.homepage. t-online .de/pgtv2
http ://kikital.web. fc2 .com/amqq7aq6 | http ://solesdearequito. tripod .com/f1bii
http ://vinciunion. co.th/gfp87 that is converted by the script to a working Locky ransomware 6e8kHAmEE5.dll
that gets run automatically (VirusTotal 9/58***)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/ebe37927fa4c338eed299fc378aec62e532a1ea30127128ea144fec2ac6de15f/analysis/1472578893/

** https://malwr.com/analysis/NmY4ZTFmYjBlNDg1NDJjYWJiYzhiZjRjZGVjNzMyZjA/
Hosts
80.150.6.138
52.52.40.206
208.71.106.48
45.59.114.100
103.246.18.22

*** https://www.virustotal.com/en/file/04e2bf142b02ea2db585a233ee763162ea0ea55acaea29cfc0e3edf326ced5f9/analysis/1472579254/
___

Fake 'Server Update' SPAM - drops Java Adwind or Jacksbot
- https://myonlinesecurity.co.uk/unity-link-new-server-update-drops-java-jar-files-drops-java-adwind-or-jacksbot/
30 Aug 2016 - "An email with the subject of 'Unity Link New Server Update' pretending to come from xm.nl@ unitylink .com <abelen@ unitylink .com> with a zip attachment which contains an executable file 'Updated Unityink Server..exe' and an image, which drop/create various Java.jar files. This is likely to be a Java Adwind or Java Jacksbot version... One of the emails looks like:
From: xm.nl@ unitylink .com <abelen@ unitylink .com>
Date: Tue 30/08/2016 07:13
Subject: Unity Link New Server Update
Attachment: Unity Link New Server Update.zip
Dear Agent,
Find attach New update details with password, kindly sign and branch seal on the attach authorization for security updates.
Best regards,
ALAA ELDIN BEBARS
| Unity Link Operations
Unity Link services Ltd| P.O. Box 170 ...

Screenshot of image file inside zip: https://myonlinesecurity.co.uk/wp-content/uploads/2016/08/Unity-Link-New-Server-Update.png

30 August 2016: Unity Link New Server Update.zip: Extracts to: Updated Unityink Server..exe
Current Virus total detections 15/58*. MALWR**... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/b995d52f0432d50b9d1f6cae9b95c328a9454cdf90ba2212f99e22dc73cd6792/analysis/1472556607/

** https://malwr.com/analysis/NmQ0YTIwOTExNDBmNDE5MjgxZTBmNmI1NzYwNjI3OGI/
___

Opera server breach ...
> https://www.opera.com/blogs/security/2016/08/opera-server-breach-incident/
Aug 26, 2016 - "Earlier this week, we detected signs of an attack where access was gained to the Opera sync system. This attack was quickly blocked. Our investigations are ongoing, but we believe some data, including some of our sync users’ passwords and account information, such as login names, may have been compromised. Although we only store encrypted (for synchronized passwords) or hashed and salted (for authentication) passwords in this system, we have reset all the Opera sync account passwords as a precaution. We have also sent emails to all Opera sync users to inform them about the incident and ask them to change-the-password for their Opera-sync-accounts. In an abundance of caution, we have encouraged users to also reset-any-passwords to third-party-sites they may have synchronized with the service. To obtain a new password for Opera sync, use the password resetting page:
- https://auth.opera.com/account/lost-password "

:fear::fear: :mad:

AplusWebMaster
2016-08-31, 12:32
FYI...

Fake 'Scan' SPAM - leads to Locky
- https://myonlinesecurity.co.uk/sent-with-genius-scan-for-ios-pretending-to-come-from-your-own-email-address-leads-to-locky-ransomware/
31 Aug 2016 - "... received a massive malspam run of an email with the subject of 'FW: [Scan] 2016-08-13 15:49:12' [random numbered] pretending to come from random senders at your own email domain or company with a zip attachment containing an encrypted HTA file... One of the emails looks like:
From: Bertha <Bertha34@ your own email domain>
Date: Wed 31/08/2016 06:14
Subject: FW: [Scan] 2016-08-13 15:49:12
Attachment: 2016-08-30 436 663 415.zip
From: “Bertha” <Bertha34@[REDACTED]>
Sent: 2016-08-13 15:49:12
To: [REDACTED]
Subject: [Scan] 2016-08-13 15:49:12
Sent with Genius Scan for iOS ...

31 August 2016: 2016-08-30 436 663 415.zip: Extracts to: Yd95ozed8.hta - Current Virus total detections 9/56*
.. Payload Security** shows a download of the usual Locky encrypted file from a list of embedded URLs in the decrypted HTA/JavaScript file which is converted to QXkcpj1.dll by the instructions inside the HTA/JavaScript (VirusTotal 19/56***)... This is another one of the files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/15cf2275f21fa97f5b462fccd1f038ccce6e13e596d8f3248e8d5533732af3d7/analysis/1472620428/

** https://www.reverse.it/sample/15cf2275f21fa97f5b462fccd1f038ccce6e13e596d8f3248e8d5533732af3d7?environmentId=100
Contacted Hosts
210.157.28.18
80.150.6.138
195.208.0.137
95.85.19.195
188.127.249.32
58.158.177.102

*** https://www.virustotal.com/en/file/db74ae79244ee9c1db11c1d107a95d59258091c1239a318586a56e10b7a89571/analysis/1472623964/
___

Fake 'bank transactions' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/attached-is-the-bank-transactions-made-from-the-company-during-last-month-malspam-delivers-locky/
31 Aug 2016 - "... Locky continues with an email with the subject of 'bank transactions' coming from random senders, companies and email addresses with a random named zip attachment containing a JS file... One of the emails looks like:
From: Marlene Carrillo <Carrillo.170@ veloxzone. com.br>
Date: Wed 31/08/2016 07:35
Subject: bank transactions
Attachment: b231f370cf0.zip
Good morning gold.
Attached is the bank transactions made from the company during last month.
Please file these transactions into financial record.
Yours truly,
Marlene Carrillo

31 August 2016: b231f370cf0.zip: Extracts to: CC1BB558_bank_transactions.js - Current Virus total detections 3/56*
.. MALWR** shows a download of an encrypted file from one of these locations:
http ://www.instalacionesjosearteaga .com/s7yy5 | http ://enigmes4saisons.perso. sfr .fr/dilveh
http ://mambarambaro .ws/1m202 | http ://www.meta. metro .ru/uumr65 which gets transformed into the Locky ransomware by the script KzgOzqkkKOZ.dll (VirusTotal 7/57***). Payload Security[4]... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/940e5c9f4fba2f0b16cfef4f2af563e431addac03bcd59c1ccc5cac41c2d3086/analysis/1472629007/

** https://malwr.com/analysis/ZDI1NjIzZDZjODUxNDRkY2E2ZDMwZjc4OGI3NTk5MzU/
Hosts
62.42.230.17
86.65.123.70
195.91.160.34
45.59.114.100
158.69.147.88

*** https://www.virustotal.com/en/file/e3aecae4c86e7a992e0d37d73891a2dd4d4b2897e0a60ed44c3fbc2d90287be9/analysis/1472629326/

4] https://www.hybrid-analysis.com/sample/940e5c9f4fba2f0b16cfef4f2af563e431addac03bcd59c1ccc5cac41c2d3086?environmentId=100
Contacted Hosts
62.42.230.17
86.65.123.70
95.85.19.195
188.127.249.203
138.201.191.196
188.127.249.32
91.223.180.66

- http://blog.dynamoo.com/2016/08/malware-spam-bank-transactions.html
31 Aug 2016 - "This -fake- financial spam comes with a malicious attachment:
From: Rueben Vazquez
Date: 31 August 2016 at 10:06
Subject: bank transactions
Good morning petrol.
Attached is the bank transactions made from the company during last month.
Please file these transactions into financial record.
Yours truly,
Rueben Vazquez

The name of the sender will vary. Attached is a randomly-named ZIP file containing a malicious .js script with a name consisting of a random hexadecimal number plus _bank_transactions.js ... According to the Malwr report of these three samples [1] [2] [3] the scripts download... Each one of those samples drops a -different- DLL... these phone home to:
95.85.19.195/data/info.php [hostname: vps-110831.freedomain .in .ua] (Digital Ocean, Netherlands)
138.201.191.196/data/info.php [hostname: u138985v67.ds-servers .com] (Hetzner, Germany)
188.127.249.203/data/info.php [hostname: it.ivanovoobl .ru] (SmartApe, Russia)
188.127.249.32/data/info.php (SmartApe, Russia)
cufrmjsomasgdciq .pw/data/info.php [91.223.180.66] (FOP Sedinkin Olexandr Valeriyovuch aka thehost.ua, Ukraine)
The payload is probably the Locky ransomware.
Recommended blocklist:
95.85.19.195
138.201.191.196
188.127.249.0/24
91.223.180.0/24 "
1] https://malwr.com/analysis/YzQyYzA2NDRlMTU4NDU0Mzg4ZTZkODk0ZmVmZjE5Mzg/

2] https://malwr.com/analysis/YTVhMjg2NGZhMGEyNDIzZDk0YTUyM2RmNWEwZDFjY2E/

3] https://malwr.com/analysis/ZjM5YTNhOTZmMGQ3NGViZTlkODdjMDViOWM4YTNmOTQ/
___

Fake 'flight tickets' SPAM - delievers Locky
- https://myonlinesecurity.co.uk/i-am-sending-you-the-flight-tickets-for-your-business-conference-abroad-next-month-malspam-delivers-locky/
31 Aug 2016 - "This latest Locky ransomware malspam is a little bit more believable than some recent attempts and might actually fool a few recipients. An email with the subject of 'flight tickets' pretending to come from random companies, senders and email addresses with a random name zip attachment containing a JavaScript file... One of the emails looks like:
From: Wallace Hampton <Hampton.7365@writers-india.com>
Date: Wed 31/08/2016 18:37
Subject: flight tickets
Attachment: 4e0302044044.zip
Good evening admin.
I am sending you the flight tickets for your business conference abroad next month.
Please see the attached and note the date and time.
Respectfully,
Wallace Hampton

31 August 2016: 4e0302044044.zip: Extracts to: CE14A812_flight_tickets.js - Current Virus total detections 3/56*
.. MALWR** shows a download of an encrypted file from one of these locations:
http ://roger.pierrieau.perso. sfr .fr/68d8ti | http ://virmalw .name/31fwt4cs
http ://simo62.web. fc2 .com/yywcdpbu | http ://www.francogatta .it/npoa0lzw which is converted to a working Locky ransomware file & autorun by the script 20mrgwO23alMfJvj.dll (VirusTotal 8/58***). Payload Security[4]...
This is another one of the files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/68985ff631669092f8ce799a34035b1d18666a6edddcfcc94ee6aa42c1c6ee77/analysis/1472665164/

** https://malwr.com/analysis/Y2U2MmYxOTY0ZWUxNGFjYmE4NWM3M2Q2OWU2N2VmOGQ/
Hosts
158.69.147.88
208.71.106.61
195.78.215.76
86.65.123.70

*** https://www.virustotal.com/en/file/5d711d05521568d0e0fa887e5bd348c728197559dd36d5e6e27dcfdfab049233/analysis/1472665518/

4] https://www.hybrid-analysis.com/sample/68985ff631669092f8ce799a34035b1d18666a6edddcfcc94ee6aa42c1c6ee77?environmentId=100
Contacted Hosts
192.99.111.28
208.71.106.61
95.85.19.195
138.201.191.196
188.127.249.203
188.127.249.32
91.223.180.66
69.195.129.70
___

SWIFT discloses more cyber thefts, pressures banks on security
- http://www.reuters.com/article/us-cyber-heist-swift-idUSKCN11600C
Aug 31, 2016 - "SWIFT, the global financial messaging system, on Tuesday disclosed new hacking attacks on its member banks as it pressured them to comply with security procedures instituted after February's high-profile $81 million heist at Bangladesh Bank. In a private letter to clients, SWIFT said that new cyber-theft attempts - some of them successful - have surfaced since June, when it last updated customers on a string of attacks discovered after the attack on the Bangladesh central bank... The disclosure suggests that cyber thieves may have ramped up their efforts following the Bangladesh Bank heist, and that they specifically targeted banks with lax security procedures for SWIFT-enabled transfers... A SWIFT spokeswoman declined to elaborate on the recently uncovered incidents or the security issues detailed in the letter, saying the firm does not discuss affairs of specific customers. All the victims shared one thing in common: Weaknesses in local security that attackers exploited to compromise local networks and send fraudulent messages requesting money transfers, according to the letter. Accounts of the attack on Bangladesh Bank suggest that weak security procedures there made it easier to hack into computers used to send SWIFT messages requesting large money transfers. The bank lacked a firewall and used second-hand, $10 electronic switches to network those computers, according to the Bangladesh police..."
___

Hacks steal account details for 60M Dropbox Users
- https://it.slashdot.org/story/16/08/31/1529229/hackers-stole-account-details-for-over-60-million-dropbox-users
Aug 31, 2016 - "Hackers have stolen over 60 million account details for online cloud storage platform Dropbox. Although the accounts were stolen during a previously disclosed breach, and Dropbox says it has already forced password resets, it was not known how many users had been affected, and only now is the true extent of the hack coming to light. Motherboard* obtained a selection of files containing email addresses and hashed passwords for the Dropbox users through sources in the database trading community. In all, the four files total in at around 5GB, and contain details on 68,680,741 accounts..."
* https://motherboard.vice.com/read/hackers-stole-over-60-million-dropbox-accounts

:fear::fear: :mad:

AplusWebMaster
2016-09-01, 14:31
FYI...

Fake 'Shipping info' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/our-shipping-service-is-sending-the-order-form-due-to-the-request-from-your-company-malspam-delivers-locky/
1 Sep 2016 - "... the Locky onslaught continues with ever increasing frequency and complexity. The first of today’s Malspam is an email with the subject of 'Shipping information' coming from random names, companies and email addresses with a random named zip attachment containing a heavily obfuscated/encrypted JavaScript file... One of the emails looks like:
From: Celina Mccarty <Mccarty.8737@ spebs .com>
Date: Thu 01/09/2016 09:12
Subject: Shipping information
Attachment: 2020f266fc.zip
Dear customer,
Our shipping service is sending the order form due to the request from your company.
Please fill the attached form with precise information.
Very truly yours,
Celina Mccarty

1 September 2016: 2020f266fc.zip: Extracts to: 91CF4D63_shipping_service.js - Current Virus total detections 4/56*
.. MALWR* shows a download of an encrypted file from one of these locations:
http ://www.oltransservice .org/wxyig4v | http ://kreativmanagement.homepage. t-online .de/anlaok1d
http ://mambarambaro .ws/1zvqoqf which is transformed by the script to naXFQvt9.dll (VirusTotal 11/58***)
Payload Security[4]... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/0280fbac3b1f390d8fdc95c757da4cffb7c0b6f489925a68a41d17ec1e11003a/analysis/1472717463/

** https://malwr.com/analysis/Mjg1YzAyNmM2YmM0NDZiMjg3Zjc2YmQwY2JmNWIwOGM/
Hosts
213.205.40.169
192.99.111.28
80.150.6.138

*** https://www.virustotal.com/en/file/3799c9106ddfd7f6dec6c9ee6fdcf0ed00d489bcc7d425e44b79a7f877e191e2/analysis/1472718234/

4] https://www.hybrid-analysis.com/sample/0280fbac3b1f390d8fdc95c757da4cffb7c0b6f489925a68a41d17ec1e11003a?environmentId=100
Contacted Hosts
213.205.40.169
95.85.19.195
212.109.192.235
5.34.183.211
188.127.249.32
188.127.249.203
91.223.180.66

- http://blog.dynamoo.com/2016/09/malware-spam-our-shipping-service-is.html
1 Sep 2016 - "This -fake- shipping email comes with a malicious attachment:
Subject: Shipping information
From: Charles Burgess
Date: Thursday, 1 September 2016, 9:30
Dear customer,
Our shipping service is sending the order form due to the request from your company.
Please fill the attached form with precise information.
Very truly yours,
Charles Burgess

The sender's name will vary. Attached is a ZIP file with a random hexadecimal name, containing a malicious .js file beginning with a random sequence and endng with _shipping_service.js. Automated analysis [1] [2] [3] [4] of two samples sees the script downloading from the following locations (there are probably more than this):
joeybecker.gmxhome .de/430j1t
ngenge.web. fc2 .com/vs1qc0
mambarambaro .ws/1zvqoqf
timetobuymlw .in/2dlqalg0
peetersrobin.atspace .com/t2heyor1
www .bioinfotst. cba .pl/u89o4
Between those four reports, there are three -different- DLLs dropped (VirusTotal [5] [6] [7]). This Hybrid Analysis* shows the malware phoning home to:
5.34.183.211/data/info.php [hostname: take.cli] (ITL, Ukraine)
212.109.192.235/data/info.php [hostname: take.ru.com] (JSC Server, Russia)
188.127.249.203/data/info.php [hostname: it.ivanovoobl.ru] (SmartApe, Russia)
xattllfuayehhmpnx .pw/data/info.php [91.223.180.66] (FOP Sedinkin Olexandr Valeriyovuch aka thehost.ua, Ukraine)
The payload is probably Locky ransomware.
Recommended blocklist:
5.34.183.211
212.109.192.235
188.127.249.0/24
91.223.180.0/24 "
1] https://malwr.com/analysis/MzA5NTllNzkwZTE5NGUwMzg3NThjNjlhYjlhNDQ0YjA/
Hosts
82.165.58.83
192.99.111.28
208.71.106.37

2] https://malwr.com/analysis/Nzg4YTM0OWU1YmRiNGE4Yzg1MTliYzNhZDJjMTUxNTE/
Hosts
82.197.131.109
158.69.147.88
95.211.144.65

3] https://www.hybrid-analysis.com/sample/5f7631bd4ad26f9db3496a4d3924a0da5a7c18142a0ca8179908f7a430d35f93?environmentId=100
Contacted Hosts
82.165.58.83

4] https://www.hybrid-analysis.com/sample/5e7224f3889ed3e5e5db11f2ccc4e911c2598bd211eb1c80bcff9b787d583248?environmentId=100
Contacted Hosts
82.197.131.109
95.85.19.195
5.34.183.211
212.109.192.235
188.127.249.203
188.127.249.32
91.223.180.66

5] https://virustotal.com/en/file/59bd78a266ac1ef4f83a55a223995a15aa7c6943e04f7bed4b048270eea3da05/analysis/1472720135/

6] https://virustotal.com/en/file/03f50d6804c2a86fbdef01e95913694546c5a594139418c8763c192ef1dabd6e/analysis/1472720153/

7] https://virustotal.com/en/file/cd8a22f6cbcb8d33b3665c3d7db097f04084a0b760b1b93260de0ff980108380/analysis/

* https://www.hybrid-analysis.com/sample/5e7224f3889ed3e5e5db11f2ccc4e911c2598bd211eb1c80bcff9b787d583248?environmentId=100
Contacted Hosts
82.197.131.109
95.85.19.195
5.34.183.211
212.109.192.235
188.127.249.203
188.127.249.32
91.223.180.66
___

Fake 'invoice' SPAM - leads to Locky
- http://blog.dynamoo.com/2016/09/malware-spam-please-find-attached.html
1 Sep 2016 - "This spam has a malicious attachment. It appears to come from the sender themselves, but this is just a trivial forgery.
Subject: Please find attached invoice no: 329218
From: victim@ victimdomain .tld
To: victim@ victimdomain .tld
Date: Thursday, 1 September 2016, 12:42
Attached is a Print Manager form.
Format = Portable Document Format File (PDF)
Disclaimer ...

Attached is a ZIP file containing a malicious .wsf script. According to my usual source (thank you!) the scripts download... The payload appears to be Locky ransomware... This is similar to the list here*.
Recommended blocklist:
5.34.183.211
212.109.192.235
95.85.19.195
188.127.249.0/24
91.223.180.0/24 "
* http://blog.dynamoo.com/2016/09/malware-spam-our-shipping-service-is.html
1 Sep 2016
___

Fake 'Travel expense sheet' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/travel-expense-sheet-malspam-delivers-locky/
1 Sep 2016 - "... never ending series of Locky downloaders is an email with the subject of 'Travel expense sheet' coming as usual from random companies, names and email addresses with a random named zip attachment containing 2 identical .JS files... One of the emails looks like:
From: Hilario Walton <Walton.571@ afirstclassmove .com>
Date: Thu 01/09/2016 19:22
Subject: Travel expense sheet
Attachment: ea00ba32a5.zip
Dear karen,
Here is the travel expense sheet for your upcoming company field trip. Please write down the approximate costs in the attachment.
Warm wishes,
Hilario Walton

1September 2016: ea00ba32a5.zip: Extracts to: Travel_expense_sheet_E492D6CB.js - Current Virus total detections 6/56*
.. MALWR shows a download of an encrypted file from one of these locations:
http ://www .cortesidesign .com/v1vmxyj | http ://www .aktion-zukunft-gestalten .info/hfgo3x
http ://portadeenrolar .ind.br/rbfr26 | http ://timetobuymlw .in/57h8t6it which is transformed by the script to rg4V0yhh8iC.dll (VirusTotal 21/56***)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/56110904a2c19eda496676fb108db7fe911c7824a47ecf601db53e1ade7c0cc8/analysis/1472753839/

** https://malwr.com/analysis/YTU5OWRkMGIzN2JlNGMwNmI5MTIzYWZkYjY3MTE0MDI/
Hosts
213.205.40.169
186.202.126.199
81.169.145.224
158.69.147.88
66.85.27.250

*** https://www.virustotal.com/en/file/15cc57f80acf43c7bb44ca02317dbcbf32436ce05ea1d67854d76e964aa95154/analysis/1472755942/
___

Cerber dropped via Malvertising
- http://blog.trendmicro.com/trendlabs-security-intelligence/new-version-cerber-ransomware-distributed-via-malvertising/
Aug 31, 2016 - "... The latest version of Cerber had functions found in earlier versions like the use of voice mechanism as part of its social engineering tactics. Similar to previous variants, Cerber 3.0 is dropped by the Magnitude and Rig exploit kits. Users are typically -redirected- to these exploit kit servers via ads appearing in a pop-up window after clicking a video to play. This ultimately leads to the download of Cerber. While this malvertisment campaign has affected several countries already, the attack is heavily concentrated in Taiwan. And although this malvertising campaign has been running for months, it was only now that it dropped Cerber 3.0 as its payload. In the case of Magnitude, a simple redirect script was used. Rig, on the other hand, opened a website in the background that contained a screenshot of legitimate US clothing shopping sites, perhaps to make the ad look less suspicious... Cerber demands 1.24 BTC (~US$523, as of March 4, 2016) and gave affected entities seven days. Cerber 3.0 asks for 1 BTC right away, but if the user waits more than five days the ransom doubles to 2 BTC:
> https://blog.trendmicro.com/trendlabs-security-intelligence/files/2016/08/cerber-v3-3.png
... The most fundamental defense against ransomware is still backing up. With proper backups in place, organizations need not worry about any data loss that may be incurred. At the very least, important files should be backed up on a regular basis. Practice the 3-2-1 rule wherein 3 copies are stored in two different devices, and another one to a safe location. A good defense against malvertising (and exploit kits in general) is to keep the software in use up-to-date with all security patches. This will reduce the risk against a wide variety of attacks, not just ransomware. This includes both the operating system and any applications in use. A security solution that can proactively provide defense against attacks targeting vulnerabilities in the system’s software is also recommended..."

:fear::fear: :mad:

AplusWebMaster
2016-09-02, 14:21
FYI...

Fake 'old office facilities' SPAM - leads to Locky
- http://blog.dynamoo.com/2016/09/malware-spam-old-office-facilities.html
2 Sep 2016 - "This spam has a malicious attachment:
Subject: old office facilities
From: Kimberly Snow (Snow.741@ niqueladosbestreu .com)
Date: Friday, 2 September 2016, 8:55
Hi Corina,
Attached is the list of old office facilities that need to be replaced. Please copy the list into the purchase order form.
Best wishes,
Kimberly Snow

The name of the sender will vary. Attached is a ZIP file with a random hexadecimal number, containing a malicious .js script beginning with office_facilities_ plus another random hexadecimal number. Analysis is pending, but this Malwr report* indicates attempted communications to:
malwinstall .wang
sopranolady7 .wang
..both apparently hosted on 66.85.27.250 (Crowncloud, US). Those domain names are consistent with this being Locky ransomware.
UPDATE 1: According to this Malwr report** it drops a DLL with a detection rate of 10/58***. Also those mysterious .wang domains appear to be multihomed on the following IPs:
23.95.106.195 (New Wave NetConnect, US)
45.59.114.100 [hostname: support01.cf] (Servercrate aka CubeMotion LLC, US)
66.85.27.250 (Crowncloud, US)
104.36.80.104 ("Kevin Kevin" / Servercrate aka CubeMotion LLC, US)
107.161.158.122 (Net3, US)
158.69.147.88 (OVH, Canada)
192.99.111.28 (OVH, Canada)
Recommended blocklist:
23.95.106.195
45.59.114.100
66.85.27.250
104.36.80.104
107.161.158.122
158.69.147.88
192.99.111.28 "
* https://malwr.com/analysis/OGI2NWI3ZjY5OTA0NGJlN2I0MGYzYzA3YWRkMzZmNGE/
Hosts
66.85.27.250
23.95.106.195

** https://malwr.com/analysis/OTA3MDk3ZGFlNzU4NDFkYjkxMTYwYjBhM2I4MTE0OTE/
Hosts
66.85.27.250
23.95.106.195

*** https://virustotal.com/en/file/9dc5ad10ec45f77056d5fb611d1ead1e788a3930893f376d6a668eb9af20c5c7/analysis/
VQpnPCqe.dll

- https://myonlinesecurity.co.uk/old-office-facilities-malspam-delivers-locky/
2 Sep 2016 - "... series of Locky downloaders is an email with the subject of 'old office facilities' coming as usual from random companies, names and email addresses with a random named zip attachment containing 2 identical .JS files... One of the emails looks like:
From: Angelina Nielsen <Nielsen.83382@ parklawnsprinklers .com>
Date: Fri 02/09/2016 08:27
Subject: old office facilities
Attachment: 1fade4423b3a.zip
Hi Chasity,
Attached is the list of old office facilities that need to be replaced. Please copy the list into the purchase order form.
Best wishes,
Angelina Nielsen

2 September 2016: 1fade4423b3a.zip: Extracts to: office_facilities_059AB2E9.js - Current Virus total detections 8/56*
.. MALWR** shows a download of an encrypted file from http ://malwinstall .wang/ezr08tjd which is transformed by the script to VQpnPCqe.dll (VirusTotal 10/58***)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/e8645ac68bdbf32ddbfcb9f112ced5cd924125e1894ebbef17cb5aefc582d906/analysis/1472801143/

** https://malwr.com/analysis/MzJkY2EzNGEwMWZiNDM1Mjk0YTIxMjg4OGVhMzAyMDQ/
Hosts
23.95.106.195
66.85.27.250

*** https://www.virustotal.com/en/file/9dc5ad10ec45f77056d5fb611d1ead1e788a3930893f376d6a668eb9af20c5c7/analysis/1472801991/
___

Fake 'Scanned image' SPAM - leads to Locky
- http://blog.dynamoo.com/2016/09/malware-spam-scanned-image-from.html
2 Sep 2016 - "This -fake- document scan appears to come from within the victim's own domain, but this is just a simple forgery. Attached is a malicious Word document.
Subject: Scanned image from MX2310U@ victimdomain .tld
From: office@victimdomain.tld (office@ victimdomain .tld)
To: webmaster@victimdomain.tld;
Date: Friday, 2 September 2016, 2:29
Reply to: office@ victimdomain .tld [office@ victimdomain .tld]
Device Name: MX2310U@victimdomain.tld
Device Model: MX-2310U
Location: Reception
File Format: PDF MMR(G4)
Resolution: 200dpi x 200dpi
Attached file is scanned image in PDF format.
Use Acrobat(R)Reader(R) ...

Attached is a .DOCM file with a filename consisting of the recipients's email address, date and a random element. There are various different scripts which according to my source (thank you!) download a component... The payload is Locky ransomware, phoning home to:
212.109.192.235/data/info.php [hostname: take. ru .com] (JSC Server, Russia)
149.154.152.108/data/info.php [hostname: 407.AT.multiservers .xyz] (EDIS, Austria)
Recommended blocklist:
212.109.192.235
149.154.152.108 "
___

Fake 'Body content empty/blank' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/blank-email-from-random-names-icloud-com-with-numbered-zip-delivers-locky-zepto/
2 Sep 2016 - "... Locky/Zepto downloaders... empty/blank email with the subject random numbers and either .jpg, gif, pdf, img, docx, tif, png etc. coming as usual from random names @ icloud .com with a random named zip attachment that is named the -same- as the numbers in the subject line containing a wsf file... One of the emails looks like:
From: Alejandra_6526@ icloud .com
Date: Fri 02/09/2016 12:27
Subject: 26889jpg
Attachment: 26889.zip

Body content: Empty/blank

2 September 2016: 26889.zip: Extracts to: W64pP.wsf - Current Virus total detections 8/56*
.. MALWR** shows a download of an encrypted file from one of these locations:
http ://maxshoppppsr .biz/js/y54g3tr?NxMSERb=asaGYkQ | http ://illaghettodelcircoletto .it/flkekqs?NxMSERb=asaGYkQ
http ://vimp.hi2 .ro/xqbqjyn?NxMSERb=asaGYkQ which is transformed by the script to vTFEncqFbOk1.dll (VirusTotal 5/58***)
All of them contact the C2 centre http ://149.154.152.108 /data/info.php to get & store the encryption key that is used to encrypt your files... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/be9344adf677782d84efa9b415850b66537f1f692a0d7b0b62a318b4420608eb/analysis/1472815578/

** https://malwr.com/analysis/YzJkMzM2MWFlYjMzNGNhZDk3MTA2MTljNjI1ODBjNTY/
Hosts
89.42.39.81
195.110.124.188
66.85.27.252
149.154.152.108

*** https://www.virustotal.com/en/file/852c79d430e401f6b57946718ca6555c328dd503b13b9cda22e481903ebe8575/analysis/1472817060/
___

Bogus Windows error site - for iPad
- https://blog.malwarebytes.com/cybercrime/2016/09/ipad-error-windows-fakeout/
2 Sep 2016 - "... The bogus error site is located at:
ipad-error-9023(dot)com
Given the URL, you’d expect to see some sort of iPad related shenanigans taking place – an interesting twist on the well worn theme of tech-support-scams. Who needs Windows desktops when you can go after the tablet market, right? Unfortunately for our scammers, it all goes a bit wrong in terms of being convincing with that whole iPad URL thing. Let me count the ways... text reads as follows:
Windows Security Error !
Your Hard drive will be DELETED if you close this page
You have a ZEUS virus! Please call Support Now!
Call Now to Report This Threat.
Do not Click ‘OK’ button below, doing so will start the hacking process.
... 'didn’t put much thought into this whole iPad thing, did they?...
> https://blog.malwarebytes.com/wp-content/uploads/2016/08/additional-dialogs.jpg
... a “prevent additional dialog” message from the browser? I’m guessing my PC hasn’t exploded yet. Maybe if I close the box and then hit the OK button:
> https://blog.malwarebytes.com/wp-content/uploads/2016/08/page-locked.jpg
... While the attempted fakeout up above isn’t one of the best ones we’ve seen, there are plenty out there which succeed in their attempts at convincing device owners that they have a problem. From there, phone calls to “tech support” and payments to have the non-existent virus cleaned up are only a hop, step and jump away. If you think you may have been targeted by such scams – or just want to avoid such antics in the future – feel free to give our guide to Tech Support Scams* a read. It could well save you time and money – and a lot of increasingly infuriating phone calls..."
* https://blog.malwarebytes.com/tech-support-scams/

ipad-error-9023(dot)com: 107.180.21.58: https://www.virustotal.com/en/ip-address/107.180.21.58/information/
>> https://www.virustotal.com/en/url/1567efd8bac53668df403ae26982c2239c496ce00321f19a80fa20a1cf255616/analysis/

:fear::fear: :mad:

AplusWebMaster
2016-09-05, 14:25
FYI...

Fake 'Credit card receipt' SPAM - leads tp Locky
- https://myonlinesecurity.co.uk/we-are-sending-you-the-credit-card-receipt-from-yesterday-malspam-delivers-locky-also-drops-genuine-microsoft-netmsg-dll/
5 Sep 2016 - "... series of Locky downloaders is an email with the subject of 'Credit card receipt' coming as usual from random companies, names and email addresses with a random named zip attachment containing a .JS file... One of the emails looks like:
From: Wilda Hayden <Hayden.80411@ monicamatthews .com>
Date: Mon 05/09/2016 08:29
Subject: Credit card receipt
Attachment: 6aec8732b803.zip
Dear mrilw,
We are sending you the credit card receipt from yesterday. Please match the card number and amount.
Sincerely yours,
Wilda Hayden
Account manager

5 September 2016: 6aec8732b803.zip: Extracts to: credit_card_receipt_9F44E80E.js - Current Virus total detections 6/56*
.. MALWR** shows a download of an encrypted file from one of these locations:
http ://darkestzone2 .wang/1i0i75gq | http ://canonsupervideo4k .ws/1bcpr7xx
.. which is transformed by the script to aXZnmnI3ES.dll (VirusTotal 9/57***). This is also downloading the genuine Microsoft netmsg.dll in an attempt to confuse antiviruses and researchers... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/3f7f8e7d4d1e5420d2efc6b1a0173056f24c03d26734d9a14744cba5fda8945f/analysis/1473060526/

** https://malwr.com/analysis/YTU5OWRkMGIzN2JlNGMwNmI5MTIzYWZkYjY3MTE0MDI/
Hosts
213.205.40.169
186.202.126.199
81.169.145.224
158.69.147.88
66.85.27.250

*** https://www.virustotal.com/en/file/3068bc8e4253635a9caa1556441c0f3615d147add63fb2e709a0ae7f17b7c2f6/analysis/1473062169/

- http://blog.dynamoo.com/2016/09/malware-spam-we-are-sending-you-credit.html
5 Sep 2016 - "This -fake- financial spam has a malicious attachment:
From: Tamika Good
Date: 5 September 2016 at 08:43
Subject: Credit card receipt
Dear [redacted],
We are sending you the credit card receipt from yesterday. Please match the card number and amount.
Sincerely yours,
Tamika Good
Account manager

The spam will appear to come from different senders. Attached is a ZIP file with a random hexadecimal name, in turn containing a malicious .js script starting with the string credit_card_receipt_
A Malwr analysis of three samples [1] [2] [3] shows each one downloading a component from:
canonsupervideo4k .ws/1bcpr7xx
This appears to be multihomed on the following IP addresses:
23.95.106.206 (New Wave NetConnect, US)
107.173.176.4 (Virtual Machine Solutions LLC, US)
192.3.7.198 [hostname: ns2.3arab.net] (Hudson Valley Host, US)
217.13.103.48 (1B Holding ZRT, Hungary) ...
Those reports indicate that a malicious DLL is dropped with a detection rate of 9/57*. These Hybrid Analysis reports [4] [5] [6] show the malware phoning home to:
91.211.119.71/data/info.php [hostname: data .ru .com] (Zharkov Mukola Mukolayovuch aka 0x2a, Ukraine)
158.255.6.109/data/info.php (Mir Telematiki, Russia)
185.154.15.150/data/info.php (Denis Leonidovich Dunaevskiy, Ukraine)
185.162.8.101/data/info.php (Eurohoster, Netherlands)
uxfpwxxoyxt .pw/data/info.php [188.120.232.55] (TheFirst-RU, Russia)
The payload is probably Locky ransomware.
Recommended blocklist:
23.95.106.206
107.173.176.4
192.3.7.198
217.13.103.48
91.211.119.71
158.255.6.109
185.154.15.150
185.162.8.101
188.120.232.55 "
1] https://malwr.com/analysis/MjA4OWI5OGJkNDY4NDI4NmJmMGRiZTlhYzZlNGExZjg/
Hosts
107.173.176.4

2] https://malwr.com/analysis/NjNjMTIyNmUyNmZkNGY1ZDgzOGVkZGIyOTk2MDcyNTk/
Hosts
23.95.106.206
107.173.176.4

3] https://malwr.com/analysis/MTZmNjgyMGNhMmUzNGE3Nzk5NzMwMGM1NjY0MGNlYWE/
Hosts
107.173.176.4

* https://virustotal.com/en/file/3068bc8e4253635a9caa1556441c0f3615d147add63fb2e709a0ae7f17b7c2f6/analysis/

4] https://www.hybrid-analysis.com/sample/c671d5f15bc1ea62c42ff815a871f4da5a26275ac10d202722f2dab2a79fc760?environmentId=100
Contacted Hosts
23.95.106.206
107.173.176.4
91.211.119.71
158.255.6.109
185.154.15.150
185.162.8.101
188.120.232.55

5] https://www.hybrid-analysis.com/sample/97df98463fedd3b76c1567bea330a9420e4745f1e0153cbf3aab39ae47de00bf?environmentId=100
Contacted Hosts
23.95.106.206
107.173.176.4
91.211.119.71
185.162.8.101
158.255.6.109
185.154.15.150
188.120.232.55

6] https://www.hybrid-analysis.com/sample/6eebc1b387869143ac7c8f5da7f1f78f00eb26b14a310c34f73fe4e55a6fedd2?environmentId=100
Contacted Hosts
23.95.106.206
107.173.176.4
158.255.6.109
185.154.15.150
185.162.8.101
91.211.119.71
___

Malware in '.pub files' SPAM
- https://isc.sans.edu/diary.html?storyid=21443
2016-09-05 - "While searching for new scenarios to deliver their malwares[1][2], attackers launched a campaign to deliver malicious code embedded in Microsoft Publisher[3] (.pub) files. The tool Publisher is less known than Word or Excel. This desktop publishing tool was released in 1991 (version 1.0) but it is still alive and included in the newest Office suite. It is not surprising that it also supports macros. By using .pub files, attackers make one step forward because potential victims don't know the extension ".pub" (which can be interpreted as "public" or "publicity" and make the document less suspicious), Spam filters do -not- block this type of file extension. Finally, researchers are also impacted because their sandbox environments do not have Publisher installed by default, making the sample impossible to analyze! A sample of a malicious .pub file is already available on VT[4] with a low detection score (5/55). Stay safe!"
[1] https://isc.sans.edu/forums/diary/Voice+Message+Notifications+Deliver+Ransomware/21397/
[2] https://isc.sans.edu/forums/diary/Todays+Locky+Variant+Arrives+as+a+Windows+Script+File/21423/
[3] https://products.office.com/en/publisher
[4] https://www.virustotal.com/en/file/24441d0573c255852f28e558001883a00bc2f18816f48653d63429065d1f37fd/analysis/

:fear::fear: :mad:

AplusWebMaster
2016-09-06, 14:56
FYI...

Fake 'Invoice' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/invoice-inv0000385774-malspam-delivers-locky/
6 Sep 2016 - "... series of Locky downloaders... an email with the subject of 'Invoice INV0000385774' (random numbers) coming as usual from random companies, names and email addresses with a random named zip attachment containing a WSF file... One of the emails looks like:
From: Earlene conyers <Earlene859@ pickledlizards .com>
Date: Tue 06/09/2016 10:27
Subject: INV0000385774
Attachment: ea00ba32a5.zip
Please find our invoice attached.

6 September 2016: Invoice_INV0000385774.zip: Extracts to: 14Tf5zYWx67.wsf - Current Virus total detections 6/56*
.. MALWR** shows a download of an encrypted file from one of these locations:
http ://around4percent.web .fc2 .com/j8fn3rg3?jXRJazVGV=TBojQIxnjJC
http ://zse2 .pl/j8fn3rg3?jXRJazVGV=TBojQIxnjJC | http ://marcotormento .de/j8fn3rg3?jXRJazVGV=TBojQIxnjJC
which is transformed by the script to pfRMaJgsGEL1.exe (VirusTotal 4/58***) which according to MALWR[4] creates/downloads/ drops another encrypted file... Payload Security reports [5] [6]... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/56110904a2c19eda496676fb108db7fe911c7824a47ecf601db53e1ade7c0cc8/analysis/1472753839/

** https://malwr.com/analysis/MjI1MzM4YjkzYjJmNGY3Njg1ZTBlNTBkNzFhOTgyNWM/
14Tf5zYWx67.wsf
Hosts
208.71.106.48
66.85.27.108
13.107.4.50
216.126.225.149
93.157.100.25
81.169.145.157

*** https://www.virustotal.com/en/file/adc7cc912bd255e17431ead2dfa592f3176ddfa72cdc84cd3b78ab87f5a3f12d/analysis/1473154258/

4] https://malwr.com/analysis/OTNjNjQ1OTM1NzgxNDkzNDljZTE1MTBiZDk3MWJlMmI/
pfRMaJgsGEL1.exe
Hosts
66.85.27.108
13.107.4.50
216.126.225.149

5] https://www.reverse.it/sample/e586ae3f2cb1dd76e39004bd60bafa9395c864967c64d6614ebeab8ebdd58aa4?environmentId=100
14Tf5zYWx67.wsf
Contacted Hosts
216.239.120.224
208.71.106.48
66.85.27.108
216.126.225.149

6] https://www.reverse.it/sample/adc7cc912bd255e17431ead2dfa592f3176ddfa72cdc84cd3b78ab87f5a3f12d?environmentId=100
pfRMaJgsGEL1.exe
Contacted Hosts
66.85.27.108
___

Fake 'August invoice' SPAM - Locky
- https://myonlinesecurity.co.uk/xxxx-asked-me-to-send-you-invoice-for-august-malspam-tries-to-deliver-locky-but-appears-to-fail/
6 Sep 2016 - "... next in the never ending series of Locky downloaders is an email with the subject of 'August invoice' coming as usual from random companies, names and email addresses with a random named zip attachment containing 2 identical .JS files... One of the emails looks like:
From: Douglas Holmes <Holmes.850@ redbridgeconcern .org>
Date: Tue 06/09/2016 09:50
Subject: August invoice
Attachment: fe1afed4aa6f.zip
Hello montag, Brigitte asked me to send you invoice for August. Please look over the attachment and make a payment ASAP.
Best Regards,
Douglas Holmes

6 September 2016: fe1afed4aa6f.zip: Extracts to: August_invoice 2AAB15F0. pdf~.js - Current Virus total detections 4/56*
..Update: it looks like Payload security** have tweaked their system and managed to bypass the protection elements in today’s Locky and are now finding & getting the payloads... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/0789099409292a97ad8668950e329bd1550e93209a379ce0eb10f191850ba0d4/analysis/1473151857/

** https://www.reverse.it/sample/0789099409292a97ad8668950e329bd1550e93209a379ce0eb10f191850ba0d4?environmentId=100
Contacted Hosts
107.173.176.4
23.95.106.220
192.3.150.178
91.211.119.71
158.255.6.109
185.162.8.101
185.154.15.150
188.120.232.55
___

Fake 'Message.. scanner' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/message-from-cukpr0959703-pretending-to-come-from-scanner-your-own-email-domain-malspam-delivers-locky/
6 Sep 2016 - "... Locky downloaders.. email with the subject of 'Message from “CUKPR0959703' pretending to come from scanner @ your own email domain with a random named zip attachment based on todays date containing a WSF file... One of the emails looks like:
From: scanner@ ...
Date: Tue 06/09/2016 16:11
Subject: Message from “CUKPR0959703”
Attachment: 20160906221127.zip
This E-mail was sent from “CUKPR0959703” (Aficio MP C305).
Scan Date: Tue, 06 Sep 2016 22:11:27 +0700
Queries to: <scanner@ ...

6 September 2016: 20160906221127.zip: Extracts to: 18YrNk1xk28.wsf - Current Virus total detections 16/55*
.. MALWR** shows a download of an encrypted file from one of these locations:
http ://www.alpstaxi .co .jp/j8fn3rg3?IxurVQb=sHiOGcukdY
http ://zui9reica.web .fc2 .com/j8fn3rg3?IxurVQb=sHiOGcukdY
which is transformed by the script to mUExMjQPwmL1.exe ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/b2b817672d9b7b7bb50335105c8d5813265cfac90ed3bf4044c24846aa88a45e/analysis/1473175613/

** https://malwr.com/analysis/Njk1YjRlNGI4NjVkNGQ3MGE1ZTgwZWIzYjFkNGJiOTI/
Hosts
208.71.106.45
216.126.225.149
8.254.207.14
211.134.181.38
___

Fake 'Suspected Purchases' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/suspected-purchases-malspam-delivers-locky/
6 Sep 2016 - "... Locky downloaders... email with the subject of 'Suspected Purchases' coming as usual from random companies, names and email addresses with a random named zip attachment containing 2 identical .JS files starting with random characters and then Suspected_Purchases_PDF.js ... One of the emails looks like:
From: Alyssa English <English.55@ heritagehomebuyers .net>
Date: Thu 01/09/2016 19:22
Subject: Suspected Purchases
Attachment: 3adec1d16a7e.zip
Dear enrico,
We have suspected irregular purchases from the company’s account.
Please take a look at the attached account balance to see the purchase history.
Best Regards,
Alyssa English
Support Manager

6 September 2016: 3adec1d16a7e.zip: Extracts to: FAAD4310 Suspected_Purchases_PDF.js
Current Virus total detections 3/55*. MALWR** shows a download of an encrypted file from one of these locations:
http ://canonsupervideo4k .ws/2sye3alf
http ://virmalw .name/uw2vyhpd
http ://tradesmartcoin .xyz/rwevvv3a
which is transformed by the script to 4fWrgKKcG.dll (VirusTotal 9/58***). This also downloads the genuine Microsoft netmsg.dll... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/ce6c72f4a2ff5066fa25d16bf924c520ea8de1845ba974c491b7eae61a4d7d2e/analysis/1473179859/

** https://malwr.com/analysis/YWRjYjM0ODBjNTBmNDY4ZDgxZDE4YTYzMTFiMWFiNjU/
Hosts
51.255.227.230
185.101.218.49
107.173.176.24

*** https://www.virustotal.com/en/file/0b5ddf402ab38cc539c25e4ef06196c7f38dca756b16c96dfa2934b11a96f8ef/analysis/1473180787/
___

Paypal - PHISH
- https://myonlinesecurity.co.uk/your-paypal-access-bloqued-phishing/
6 Sep 2016 - "... daily -phishing- emails trying to steal your PayPal account. This one is worth mentioning because of the bad spelling and grammar that proves this does not come from an English speaking criminal. The original email looks like this:

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2016/09/Your-PayPal-access-bloqued-1024x563.png

From: no-reply@ paypal .com
Date: Tue 06/09/2016 14:59
Subject: Your PayPal access bloqued

Dear Customer,
Your account is temporarily suspended.
We are working to protect our users against fraud!
Your account has been selected for verification, we need to confirm that you are the real owner of this account
To conclude the recovery of his account and service interruption card with number 4*** **** **** ****..
Please consider that if you do not confirm your data now, we are forced to lock this account for your protection
Must follow two steps, in case you have any questions during the execution of this process can be supported support team .
Confirm account NAW
Regards,
Eduard Swards

The link behind 'confirm account NAW' goes to a well known-phishing-site, which has been reported so many times..
http ://paypal-securidad .com/informations/l/l/Index/
This one wants your personal details, your Paypal account log in details and your credit card and bank details..."

paypal-securidad .com: 192.185.128.24: https://www.virustotal.com/en/ip-address/192.185.128.24/information/
>> https://www.virustotal.com/en/url/9bd0bb11cf254e0f07d94abaaeb6cd3a69f972407b5cd5d1a799740c5baa59e6/analysis/

:fear::fear: :mad:

AplusWebMaster
2016-09-07, 14:08
FYI...

Fake 'Agreement form' SPAM - leads to Locky
- https://myonlinesecurity.co.uk/agreement-form-malspam-leads-to-locky/
7 Sep 2016 - "... series of Locky downloaders... email with the subject of 'Agreement form' coming as usual from random companies, names and email addresses with a random named zip attachment containing 2 identical .JS files... One of the emails looks like:
From: Staci Cruz <Cruz.5000@ stluc-esa-bxl .org>
Date: Wed 07/09/2016 09:06
Subject: Agreement form
Attachment: 23ad34e21057.zip
Hi there,
[ random name] assigned you to make the payment agreement for the new coming employees.
Here is the agreement form. Please finish it urgently.
Best Regards,
Staci Cruz
Support Manager

7 September 2016: 23ad34e21057.zip: Extracts to: C3AB68A4 agreement_form_doc.js - Current Virus total detections 3/56*
.. MALWR** was unable to get any downloads but shows connections to
tradesmartcoin .xyz 216.244.68.195
virmalw .name 51.255.227.230
listofbuyersus .co .in
brothermalw .ws
Payload Security analysis*** which took an extremely long time (unusually) also doesn’t show any direct downloads or files. This is likely to mean that the Locky gang are using an ever more restrictive anti-analysis protection. Payload did detect some more unusually Apt named domains. Contacted Domains: tradesmartcoin .xyz, listofbuyersus .co.in, malwinstall .wang, brothermalw .ws, virmalw .name
Contacted Hosts: 216.244.68.195, 51.255.227.230 ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/e3f5bcb0d1f177d991170c11c190bef26663e4aa7fa2829be7afa7edb9c0d5c8/analysis/1473235341/

** https://malwr.com/analysis/M2QzMjJiNDA4OGMwNGE3NWJmODFhYTY0ZDQ5MWUzZjk/
Hosts
51.255.227.230
216.244.68.195

*** https://www.hybrid-analysis.com/sample/e3f5bcb0d1f177d991170c11c190bef26663e4aa7fa2829be7afa7edb9c0d5c8?environmentId=100
Contacted Hosts
216.244.68.195
51.255.227.230

- http://blog.dynamoo.com/2016/09/malware-spam-agreement-form-probably.html
7 Sep 2016 - "This -fake- financial spam leads to malware:
Subject: Agreement form
From: Marlin Gibson
Date: Wednesday, 7 September 2016, 9:35
Hi there,
Roberta assigned you to make the payment agreement for the new coming employees.
Here is the agreement form. Please finish it urgently.
Best Regards,
Marlin Gibson
Support Manager

The name of the sender will vary. Attached is a ZIP file named with a random hexadecimal sequence, containing a malicious .JS script ending with agreement_form_doc.js and in the sample I saw there was also a duplicate..
308F92BC agreement_form_doc - 1.js
308F92BC agreement_form_doc.js
Automated analysis [1] [2] shows that the scripts... attempt to download a binary from one of the following locations:
donttouchmybaseline .ws/ecf2k1o
canonsupervideo4k .ws/afeb6
malwinstall .wang/fsdglygf
listofbuyersus .co .in/epzugs
Of those locations, only the first three resolve, as follows:
donttouchmybaseline .ws 216.244.68.195 (Wowrack, US)
canonsupervideo4k .ws 51.255.227.230 (OVH, France / Kitdos)
malwinstall .wang 51.255.227.230 (OVH, France / Kitdos) ...
The following also presumably evil sites are also hosted on those IPs:
bookinghotworld .ws
clubofmalw .ws
darkestzone2 .wang
donttouchmybaseline .ws
canonsupervideo4k .ws
malwinstall .wang
wangmewang .name
tradesmartcoin .xyz
virmalw .name
Currently I am unable to work out the C2 locations for the malware, which is probably Locky ransomware. In the meantime, I recommend you block:
51.255.227.228/30
23.95.106.206
107.173.176.4
192.3.7.198
216.244.68.195
217.13.103.48
bookinghotworld .ws
clubofmalw .ws
darkestzone2 .wang
donttouchmybaseline .ws
canonsupervideo4k .ws
malwinstall .wang
wangmewang .name
tradesmartcoin .xyz
virmalw .name "
1] https://malwr.com/analysis/MjE5MmNhYzlmZTE3NDYxMGExNjA5ZGZlMTc5Yzk0NTE/
Hosts
216.244.68.195
51.255.227.230

2] https://www.hybrid-analysis.com/sample/3da882c76d8fc435145a71d7f672324be277bd993e40c85f2a476126a97c40d2?environmentId=100
Contacted Hosts
51.255.227.230
216.244.68.195

'UPDATE: My trusted source (thank you) says that it phones home to the following IPs and URLs:
91.211.119.71/data/info.php (Zharkov Mukola Mukolayovuch aka 0x2a, Ukraine)
185.162.8.101/data/info.php (Eurohoster, Netherlands)
158.255.6.109/data/info.php (Mir Telematiki, Russia)
185.154.15.150/data/info.php (Dunaevskiy Denis Leonidovich aka Zomro, Ukraine)
gsejeeshdkraota .org/data/info.php [188.120.232.55] (TheFirst-RU, Russia)
sraqpmg .work/data/info.php
balichpjuamrd .work/data/info.php
mvvdhnix .biz/data/info.php [69.195.129.70] (Joes Datacenter, US)
kifksti .work/data/info.php
iruglwxkasnrcq .pl/data/info.php
xketxpqxj .work/data/info.php
qkmecehteogblx .su/data/info.php
bbskrcwndcyow .su/data/info.php
nqjacfrdpkiyuen .ru/data/info.php
ucjpevjjl .work/data/info.php
nyxgjdcm .info/data/info.php
In -addition- to the IPs listed above, I also recommend blocking:
69.195.129.70
91.211.119.71
158.255.6.109
185.154.15.150
185.162.8.101
188.120.232.55 '
___

Fake 'Invoice' SPAM - JS malware attachment
- https://myonlinesecurity.co.uk/invoice-00014904-from-chalice-gold-mines-limited-delivers-digitally-signed-malware/
7 Sep 2016 - "An email with the subject of 'Invoice 00014904; From CHALICE GOLD MINES LIMITED' [random numbered] pretending to come from CHALICE GOLD MINES LIMITED <AccountRight@ appsmyob .com> with a link in the email body to download a zip file containing a .JS file. The .js file downloads a digitally signed .exe file...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2016/09/Invoice-00014904-From-CHALICE-GOLD-MINES-LIMITED-1024x647.png

7 September 2016: 00014904.zip: Extracts to: 00014904.js - Current Virus total detections 2/55*
.. Payload Security** shows a download from
littlelionstudio .com/images/LLS-Landing-Image2.jpg which is actually a -renamed- .exe file which gets copied to
2 other file names and locations on the victim computer (VirusTotal 6/57***) | Payload Security[4]
This file is digitally signed with a valid signature so Windows will allow it to run without alerts from smart screen or other security software:
> https://myonlinesecurity.co.uk/wp-content/uploads/2016/09/llls-landing-image-digital-sig-1-1024x713.png
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/d30d18d1b16c966d3fd4fb03e277c34431b2e2d2ec2d03c6ad16ba8857d8dfcc/analysis/1473221665/

** https://www.hybrid-analysis.com/sample/d30d18d1b16c966d3fd4fb03e277c34431b2e2d2ec2d03c6ad16ba8857d8dfcc?environmentId=100
Contacted Hosts
209.51.136.27
62.75.195.103
178.255.83.2
91.213.126.113
62.75.195.118
91.213.126.113

*** https://www.virustotal.com/en/file/0832321389279e48f73521f8688ec41d77e5ab7600893715a6d7486e6c50724b/analysis/1473215063/

4] https://www.hybrid-analysis.com/sample/0832321389279e48f73521f8688ec41d77e5ab7600893715a6d7486e6c50724b?environmentId=100
Contacted Hosts
62.75.195.103
178.255.83.2
91.213.126.113
62.75.195.118
91.213.126.113
___

Fake 'Free sports player' SPAM - delivers malware via hta files
- https://myonlinesecurity.co.uk/free-sports-player-splayer-malspam-delivers-malware-via-hta-files/
7 Sep 2016 - "... I have seen 3 distinct subject lines:
****Dont’t miss this fantastic free sport media player****
**** You wished you had this sport media player sooner****
Amazing**** Free “Sport media Player”**
All the emails come from Splayer XXXXX where XXXX can be team, company, player, command, online or any other similar word. The rest of the email address is -spoofed- and random...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2016/09/Amazing-Free-Sport-media-Player.-1024x556.png

... I have only found 3 base domains that contain the downloads, with hundreds of different random named folders and player versions. Each version appears to have a slightly different .hta file inside the zip and a strong warning should be given that they are using an unusual method of zipping the hta file so it extracts to computer-root and possibly/probably -autoruns- when you double click the zip:
http ://splayering .pw/download/ziefmz8dgi7/splayer-rc10.zip
http ://softship .online/download/6243onsblfasbatsr/splayer-rc21.zip
http ://itgnome .online/download/bm437mgs37khxmfzdivv/splayer-rc1.zip
> https://myonlinesecurity.co.uk/wp-content/uploads/2016/09/splayer_winzip_warning.png

... analysed 1 version of the .hta file so far but I am sure all the others will give similar results.
7 September 2016: splayer-rc10.zip: Extracts to: splayer.hta - Current Virus total detections 2/56*
.. Payload Security** shows a download from splayeracy .online/50d5fdc6-7ed5-4272-b148-fcade183219e/splayer.bin
(VirusTotal 16/58***). Payload Security[4] which shows this is using the same file, file names & behaviour that was described in THIS post[5] which look like some sort of password stealer and backdoor trojan... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/00ed1e7a7474c00740fe04740765a058eef5a58fad2a283c1da6648b04362c8e/analysis/1473198884/

** https://www.hybrid-analysis.com/sample/00ed1e7a7474c00740fe04740765a058eef5a58fad2a283c1da6648b04362c8e?environmentId=100
Contacted Hosts
192.3.150.197

*** https://www.virustotal.com/en/file/d9c8dab2efb3cf1f19a02d2b4d4bac49885cc3e213d35738baff12d10ab62d11/analysis/1473199782/

4] https://www.hybrid-analysis.com/sample/d9c8dab2efb3cf1f19a02d2b4d4bac49885cc3e213d35738baff12d10ab62d11?environmentId=100

5] https://myonlinesecurity.co.uk/invoice-00014904-from-chalice-gold-mines-limited-delivers-digitally-signed-malware/

splayering .pw: 192.3.150.197: https://www.virustotal.com/en/ip-address/192.3.150.197/information/
>> https://www.virustotal.com/en/url/bb9e1b1f1c8dfc4f7e3a4c035682a9f62f58dd3dd7419b6144523135f0b6761e/analysis/

softship .online: 192.3.150.197: https://www.virustotal.com/en/ip-address/192.3.150.197/information/
>> https://www.virustotal.com/en/url/e2bf071d5ec340615a921dc9f5c4bca6c8a9a0d4e6b4ef6965d83067533e44b3/analysis/

itgnome .online: 192.3.150.197: https://www.virustotal.com/en/ip-address/192.3.150.197/information/
>> https://www.virustotal.com/en/url/e2bf071d5ec340615a921dc9f5c4bca6c8a9a0d4e6b4ef6965d83067533e44b3/analysis/

// … as of 9/8/2016.

:fear::fear: :mad:

AplusWebMaster
2016-09-08, 16:49
FYI...

Fake 'voice mail' SPAM - Locky
- http://blog.dynamoo.com/2016/09/malware-spam-vigor2820-series-new-voice.html
8 Sep 2016 - "This spam appears to come from within the victim's own domain, it has a malicious attachment. The telephone number referred to will vary.
Subject: [Vigor2820 Series] New voice mail message from 01427087154 on 2016/09/08 15:14:54
From: voicemail@ victimdomain .tld (voicemail@ victimdomain .tld)
To: webmaster@ victimdomain .tld
Date: Thursday, 8 September 2016, 13:15
Dear webmaster :
There is a message for you from 01427087154, on 2016/09/08 15:14:54 .
You might want to check it when you get a chance.Thanks!

Attached is a ZIP file with a name in the format Message_from_01427087154.wav.zip which contains a randomly-named and malicious .wsf script. My trusted source (thank you) says that the various versions of the script download from one of the following locations:
158.195.68.10/g76gyui
209.41.183.242/g76gyui
dashman .web .fc2.com/g76gyui
dcqoutlet .es/g76gyui
dpskaunas .puslapiai .lt/g76gyui
fidelitas .heimat .eu/g76gyui
gam-e20 .it/g76gyui
ghost-tony .com.es/g76gyui
josemedina .com/g76gyui
kreativmanagement.homepage. t-online .de/g76gyui
olivier.coroenne.perso .sfr .fr/g76gyui
portadeenrolar .ind .br/g76gyui
sitio655.vtrbandaancha .net/g76gyui
sp-moto .ru/g76gyui
srxrun.nobody .jp/g76gyui
thb-berlin.homepage .t-online .de/g76gyui
tst-technik .de/g76gyui
unimet.tmhandel.com/g76gyui
www .agridiving .net/g76gyui
www .alanmorgan .plus.com/g76gyui
www .aldesco .it/g76gyui
www .alpstaxi .co.jp/g76gyui
www .association-julescatoire .fr/g76gyui
www .bytove.jadro .szm .com/g76gyui
www .ccnprodusenaturiste .home .ro/g76gyui
www .gebrvanorsouw .nl/g76gyui
www .gengokk .co .jp/g76gyui
www .hung-guan .com .tw/g76gyui
www .idiomestarradellas .com/g76gyui
www .laribalta.org/g76gyui
www .mikeg7hen.talktalk .net/g76gyui
www .one-clap .jp/g76gyui
www .radicegioielli .com/g76gyui
www .rioual .com/g76gyui
www .spiritueelcentrumaum .net/g76gyui
www .texelvakantiehuisje .nl/g76gyui
www .threshold-online .co .uk/g76gyui
www .whitakerpd .co.uk/g76gyui
www .xolod-teplo .ru/g76gyui
Each URL has a random query string appended (e.g. ?abcdEfgh=ZYXwvu). Unusually, this version of -Locky- does not seem to have C2 servers so blocking it will involve blocking all the URLs listed above -or- you could monitor for the string g76gyui in your logs.
UPDATE: the Hybrid Analysis of the script can be found here[1]."
1] https://www.hybrid-analysis.com/sample/d3886d2ebc84190e5eb48970e6cc4b9a9c2aeead5f321e6454b1b3011e721015?environmentId=100
Contacted Hosts
211.134.181.38
81.24.34.9
62.24.202.31
93.184.220.29
54.192.203.242
___

Fake 'Lloyds Banking' SPAM - .doc malware
- https://myonlinesecurity.co.uk/lloyds-banking-group-encrypted-email-malspam-delivers-malware/
8 Sep 2016 - "An email with the subject of 'Lloyds Banking Group encrypted email pretending to come from GRP Lloydsbank Tech <info@ lloydsbanking52 .us> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... A little bit of digging around tells us that lloydsbanking52 .us was registered about 2 weeks ago...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2016/09/Lloyds-Banking-Group-encrypted-email-1024x775.png

8 September 2016: PGPMessage04834838.doc - Current Virus total detections 4/56*
.. Payload Security didn’t find any sites to download the malware.. a manual analysis & de-obfuscation of the macro you can see here original on Pastebin** shows a download from http ://aclawgroup .com .au/2.zip which gives 2.exe (VirusTotal 1/54***)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it...
Update: I am being told it is a smoke loader AKA Dofoil[1] which will eventually download another banking Trojan."
1] https://blog.malwarebytes.com/threat-analysis/2016/08/smoke-loader-downloader-with-a-smokescreen-still-alive/

* https://www.virustotal.com/en/file/5812d3933ee62d52d3cf540b00751bec5d54182b5a4e9231b60b3f469451f8c9/analysis/1473344346/

** http://pastebin.com/ZuRM9iaN

*** https://www.virustotal.com/en/file/fe35c7884a5e8bb14218d93283dbf38392a2cc35358f13c6dbc7d4808cc5b73a/analysis/1473344266/

aclawgroup .com .au: 50.87.145.150: https://www.virustotal.com/en/ip-address/50.87.145.150/information/
>> https://www.virustotal.com/en/url/4e99813e8d7b4be8230993f29de2c2e5543dde6d975550d6c2667ce4e4ac5872/analysis/
___

Quick look at recent malvertising exploit chains
- https://www.zscaler.com/blogs/research/quick-look-recent-malvertising-exploit-chains
Sep 7, 2016 - "... during our daily exploit kit (EK) tracking, have been seeing some changes in both RIG and Sundown EKs. We recently encountered a malvertising chain serving both EKs on subsequent visits, and decided to compile a quick look at the these cases:
Graph showing the malvertising chains
> https://cdn-3.zscaler.com/cdn/farfuture/3p9AynzuU1qBMMvdvxOIofI8sfYA-4aVw1SMumR0htg/mtime:1473280846/sites/default/files/images/blogs/2kits1net/malvertising-graph.PNG
... they quickly integrated the exploit into the more typical Sundown landing page format. In a more recent episode, Trustwave's Spiderlabs spotted the addition of a fingerprinting code*, however we have not seen this feature in our captured cycles, so the operators may have opted for the simpler, non-fingerprinted landing page since then...
* https://www.trustwave.com/Resources/SpiderLabs-Blog/Sundown-EK-%E2%80%93-Stealing-Its-Way-to-the-Top/
... In the wake of both Angler and Nuclear disappearing, RIG has taken a dominant position in the EK landscape. The RIG operators appear content, however, to iterate more slowly, with changes to the EK itself happening less frequently. That said, RIG EK authors have now made noticable changes to the landing page structure... At this point, it's clear that the exploit kit landscape has been thoroughly shaken up since the disappearance of Angler and Nuclear (as we have covered in our round-ups and other EK-related blogs). This small update is meant to give a quick look at the latest techniques and trends used by RIG and Sundown. We will continue to monitor the situation, and provide updates to the community as usual."
{More detail at the zscaler blogs URL at the top.)

:fear::fear: :mad:

AplusWebMaster
2016-09-09, 13:44
FYI...

Fake 'Order Confirmation' SPAM - leads to Locky
- https://myonlinesecurity.co.uk/order-confirmation-nnnnnn-malspam-with-a-dzip-attachment-delivers-locky/
9 Sep 2016 - "... Locky downloaders... an email with the subject of 'Order Confirmation 9226435' [random number] coming as usual from random companies, names and email addresses with a random named zip attachment containing an HTA file... One of the emails looks like:
From: Meagan carnochan <Meagan4@ insightsundertwo .com>
Date: Fri 09/09/2016 09:01
Subject: Order Confirmation 9226435
Attachment: Ord9226435.dzip extracts to 2015jozE.hta
This message is intended only for the individual or entity to which it is
addressed and may contain information that is private and confidential. If
you are not the intended recipient, you are hereby notified that any
dissemination, distribution or copying of this communication and its
attachments is strictly prohibited.

9 September 2016: Ord9226435.dzip: Extracts to: 2015jozE.hta - Current Virus total detections 5/55*
.. Payload Security** shows a download of an encrypted file from walkerandhall .co .uk/7832ghd?TtrISozIzi=CemUQBnTyeQ
which is transformed by the script to a working locky version. Unfortunately Payload security isn’t showing the converted /decrypted file amongst the downloads although the screenshots definitely show locky... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/7a8ff284c55132b5fe89289dc2c8915e358a47ec44ae3164094fca880a9a514e/analysis/1473408597/

** https://www.hybrid-analysis.com/sample/7a8ff284c55132b5fe89289dc2c8915e358a47ec44ae3164094fca880a9a514e?environmentId=100
Contacted Hosts
5.10.105.44
52.32.150.180
93.184.220.29
54.192.203.56

- http://blog.dynamoo.com/2016/09/malware-spam-order-confirmation-xxxxx.html
9 Sep 2016 - "This -fake- financial spam leads to malware:
From: Ignacio le neve
Date: 9 September 2016 at 10:31
Subject: Order Confirmation 355050211
--
This message is intended only for the individual or entity to which it is
addressed and may contain information that is private and confidential. If
you are not the intended recipient, you are hereby notified that any
dissemination, distribution or copying of this communication and its
attachments is strictly prohibited.

The name of the sender and the reference number will vary. Attached is a file named consistently with the reference (e.g. Ord355050211.zip) but an error in the MIME formatting means that this may save with a .dzip ending instead of .zip. Contained within the ZIP file is a malicious .HTA script with a random name... This simply appears to be an encapsulated Javascript... my trusted source (thank you) says that the various scripts download from...
(many random URLs listed at the dynamoo URL above)...
The URL is appended with a randomised query string (e.g. ?abcdEfgh=ZYXwvu). The payload Locky ransomware has an MD5 of 5db5fc57ee4ad0e603f96cd9b7ef048a ...
This version of Locky does not use C2s, so if you want to block traffic then I recommend using the list above -or- monitoring/blocking access attempts with 7832ghd in the string.
UPDATE: The Hybrid Analysis* of one of the scripts does not add much except to confirm that this is ransomware."
* https://www.hybrid-analysis.com/sample/a7f6e4561fe94dbeaaba1a9820b2d6327d729dbc918b4f01f0b50dc02151723d?environmentId=100
Contacted Hosts
192.185.196.41
93.114.64.41
50.112.202.19
72.21.91.29
54.192.203.144
___

Fake 'MS account - Unusual sign-in activity' malspam using JSE - delivers Locky
- https://myonlinesecurity.co.uk/microsoft-account-unusual-sign-in-activity-malspam-using-jse-files-delivers-locky/
9 Sep 2016 - "... this being used to spread Locky ransomware is a step in the wrong direction. This sort of email ALWAYS catches out the unwary. To make it even worse a JSE file is an encoded/encrypted jscript file that runs in the computer properly but is unreadable to humans (looks like garbled text) and because of the garbled txt the majority of antiviruses do -not- see it as a threat. Jscript is a Microsoft specific interpretation of JavaScript. They use email addresses and subjects that will entice a user to read the email and open the attachment. Locky tries new techniques on a small scale to “test the waters” - we have seen several similar small scale attacks this week. They will use the results & returns from them to tweak and refine the techniques before mass malspamming them...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2016/09/Microsoft-account-Unusual-sign-in-activity-1024x414.png

9 September 2016: 24549.zip: Extracts to: 24549.jse - Current Virus total detections 3/56*
.. Payload Security** shows a download from sonysoftn .top/log.php?f=3.bin which gave me log.exe (VirusTotal 20/57***).
Payload Security[4]. Many antiviruses are only detecting this malware heuristically (generic detections based on the NSIS packer used to create it). All indications suggest that it is a new variant of Locky ransomware. The IP numbers and sites it contacts have been used this week in other Locky ransomware versions. The problems are coming in the anti-analysis protections that Locky appear to have built-in to the new version of their horrifically proliferate ransomware. Although Payload security does show screenshots of a Locky ransomware file. NOTE: For some weird reason screenshots and images on payload security are -not- showing up in Internet explorer, although they do in Chrome and Firefox... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/0adc7a9b3173d6db061d1c354864cecd9e43bd2b8cc25f977783921448349e95/analysis/1473349038/

** https://www.reverse.it/sample/0adc7a9b3173d6db061d1c354864cecd9e43bd2b8cc25f977783921448349e95?environmentId=100
Contacted Hosts
155.94.209.82
91.211.119.71
158.255.6.109
185.162.8.101
52.32.150.180
93.184.220.29
54.192.203.50

*** https://www.virustotal.com/en/file/66f1d845bda3b8281c341efc712cce1ecf79fa690bf8b394841eb647173f45bc/analysis/1473398861/

4] https://www.hybrid-analysis.com/sample/66f1d845bda3b8281c341efc712cce1ecf79fa690bf8b394841eb647173f45bc?environmentId=100
Contacted Hosts
185.162.8.101
158.255.6.109
91.211.119.71
52.34.245.108
93.184.220.29
54.192.203.209
52.33.248.56
___

Fake 'Documents Requested' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/please-find-attached-documents-as-requested-malspam-pretending-to-come-from-your-own-email-address-delivers-locky/
9 Sep 2016 - "... Locky downloaders... an email with the subject of 'Documents Requested' or 'FW: Documents Requested' pretending to come from a random name at your own email domain or company with a zip file named either Untitled(6).zip or newdoc(1).zip containing a HTA file (random numbers)... One of the emails looks like:
From: random name at your own email domain or company
Date: Fri 09/09/2016 14:03
Subject: FW:Documents Requested
Attachment: Untitled(6).zip
Dear addy,
Please find attached documents as requested.
Best Regards,
Gilbert

9 September 2016: Untitled(6).zip: Extracts to: 2809tib.hta - Current Virus total detections 6/58*
.. Payload Security** shows a download of an encrypted file from stylecode .co .in/7832ghd?KQWbOiH=QuwOGqnGpyL
which is transformed by the script to UcyxmkpQ1.dll (VirusTotal 21/58***)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/572eae88f5dc67d61d892d02f10cf997d131863cb915c7c5bebd8e86f3433dbe/analysis/1473420208/

** https://www.hybrid-analysis.com/sample/b4544c8dc3b42366124d940cd895bbdfa03df044151ddec10d0f67484790340c?environmentId=100
Contacted Hosts
43.242.215.197
50.112.202.19
93.184.220.29
54.192.13.29

*** https://www.virustotal.com/en/file/15cc57f80acf43c7bb44ca02317dbcbf32436ce05ea1d67854d76e964aa95154/analysis/1472755942/

:fear::fear: :mad:

AplusWebMaster
2016-09-12, 19:15
FYI...

Fake 'Budget report' SPAM - leads to Locky
- http://blog.dynamoo.com/2016/09/malware-spam-budget-report-leads-to.html
12 Sep 2016 - "This -fake- financial spam leads to Locky ransomware:
From: Lauri Gibbs
Date: 12 September 2016 at 15:11
Subject: Budget report
Hi [redacted],
I have partially finished the last month's budget report you asked me to do. Please add miscellaneous expenses in the budget.
With many thanks,
Lauri Gibbs

Attached is a randomly-named ZIP file which in sample I saw contained two identical malicious scripts:
921FA0B8 Budget_report_xls - 1.js
921FA0B8 Budget_report_xls.js
The scripts are highly obfuscated however the Hybrid Analysis* and Malwr report** show that it downloads a component from:
lookbookinghotels .ws/a9sgrrak
trybttr .ws/h71qizc
These are hosted on a New Wave Netconnect IP at 23.95.106.223. This forms part of a block 23.95.106.128/25 which also contained Locky download locations at two other locations [1] [2] which rather makes me think that the whole range should be blocked. A DLL is dropped with a detection rate of about 8/57*** [3] [4] which appears to phone home to:
51.255.105.2/data/info.php (New wind Stanislav, Montenegro / OVH / France)
185.154.15.150/data/info.php [hostname: tyte .ru] (Dunaevskiy Denis Leonidovich, Russia / Zomro, Netherlands)
95.85.29.208/data/info.php [hostname: ilia909.myeasy .ru] (Digital Ocean, Netherlands)
46.173.214.95/data/info.php (Garant-Park-Internet Ltd, Russia)
91.214.71.101/data/info.php (ArtPlanet LLC, Russia) ...
Recommended minimum blocklist:
23.95.106.128/25
51.255.105.2
185.154.15.150
95.85.29.208
46.173.214.95
91.214.71.101 "
* https://www.hybrid-analysis.com/sample/8dd3ca4774f0498bdf42c5ea17390507db1aed26b63335cd9d9d1fbdb38a11fd?environmentId=100
Contacted Hosts
23.95.106.223
95.85.29.208
46.173.214.95
91.214.71.101
51.255.105.2
185.154.15.150

** https://malwr.com/analysis/M2M4NzY4MWZmNTdjNDY2NTlkZDJiMTYzZTFkODlmODM/
Hosts
23.95.106.223

1] http://blog.dynamoo.com/2016/09/malware-spam-we-are-sending-you-credit.html

2] http://blog.dynamoo.com/2016/09/malware-spam-old-office-facilities.html

*** https://virustotal.com/en/file/76438fc9c86c57bf0fb8028a3a6290cfce8b305e21fca5ae15feaf2e73681a27/analysis/1473694538/

3] https://virustotal.com/en/file/76438fc9c86c57bf0fb8028a3a6290cfce8b305e21fca5ae15feaf2e73681a27/analysis/1473694538/

4] https://virustotal.com/en/file/a7c5d185235e8515e546d720e565a3efbc4e1b169852453726d5673dca0ed2d4/analysis/1473694540/
___

Avoid: BofA, Wells Fargo - SMS Phishing
- https://blog.malwarebytes.com/cybercrime/2016/09/avoid-bofa-wells-fargo-sms-phishing/
Sep 12, 2016 - "It always pays to be cautious where -unsolicited- text messages are concerned, as conniving phishers don’t always stick to the tried and tested route of email scams. For example, here’s two random texts sent out to one of our burner phones:
> https://blog.malwarebytes.com/wp-content/uploads/2016/09/bofa-phish.jpg
...
> https://blog.malwarebytes.com/wp-content/uploads/2016/09/wells-phish.jpg
The targets here are customers of Bank of America and Wells Fargo. The messages read as follows:
BofA customer your account has been disabled!!!
Please read this readmybank0famerica.cipmsg-importantnewalertt(dot)com

I think I’d probably be faintly worried if my otherwise sober and business-like bank started sending out messages with more than two exclamation marks in a sentence, but even without that, observant recipients would notice they also added an extra “t” onto the end of “alert”. The other message reads as follows:
The other message reads as follows:
(wells fargo) important message from security department! Login
vigourinfo(dot)com/secure.well5farg0card(dot)html
The above URL -redirects- clickers to the below website:
denibrancheau(dot)com/drt/w311sfg0/
> https://blog.malwarebytes.com/wp-content/uploads/2016/09/wells-phish-2.jpg
The phishers want a big slice of personal information, including name, DOB, driving license, social security number, mother’s maiden name, address, city, zipcode, card information, ATM PIN number, and even an email address.
All this, from a simple text... SMS phishing is not new, but it does snag a lot of victims. Random messages from your “bank” asking you to visit a link should be treated with suspicion, especially if those links ask you to login. Banks are certainly not the only target of SMS phishers, but they’re one of the more valuable bullseye for scammers to sink their teeth into. Whether receiving messages by email, text, or phone, your logins are only as safe as you make them – don’t make it easy for bank phishers and delete that spam."

readmybank0famerica.cipmsg-importantnewalertt(dot)com: A temporary error occurred during the lookup...

vigourinfo(dot)com/secure.well5farg0card(dot)html: 166.62.26.11: https://www.virustotal.com/en/ip-address/166.62.26.11/information/

denibrancheau(dot)com/drt/w311sfg0/ : 173.236.178.135: https://www.virustotal.com/en/ip-address/173.236.178.135/information/

:fear::fear: :mad:

AplusWebMaster
2016-09-13, 13:16
FYI...

Fake 'Tax invoice' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/tax-invoice-malspam-delivers-locky/
13 Sep 2016 - "... Locky downloaders... an email with the subject of 'Tax invoice' coming as usual from random companies, names and email addresses with a random named/numbered zip attachment containing 2 identical .WSF files. Payload Security* shows an error in the downloaded file so it might not actually deliver the Locky ransomware or it might be that it will not run on a sandbox or VM... One of the emails looks like:
From: Anne Fernandez <Fernandez.8581@ starfamilymedicine .com>
Date: Tue 13/09/2016 10:12
Subject: Tax invoice
Attachment: 1a45b45d76ed.zip
Dear Client,
Attached is the tax invoice of your company. Please do the payment in an urgent manner.
Best regards,
Anne Fernandez

13 September 2016: 1a45b45d76ed.zip: Extracts to: tax_invoice_scan PDF.316AA.wsf
Current Virus total detections 5/56**.. Payload Security shows a download of an encrypted file from smilehymy .com/f72gngb which is transformed by the script to c2BwHrtql2.dll (VirusTotal 9/58***)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.hybrid-analysis.com/sample/34c33f097beba1e4275153a40dc8c092f8d8b8cb5c8fe516fd0f432661d5b28f?environmentId=100
Contacted Hosts
23.249.164.116
95.85.29.208
91.214.71.101
51.255.105.2
185.154.15.150
46.173.214.95
217.187.13.71

** https://www.virustotal.com/en/file/34c33f097beba1e4275153a40dc8c092f8d8b8cb5c8fe516fd0f432661d5b28f/analysis/1473758776/

*** https://www.virustotal.com/en/file/1a907a140f7d7140ef203671f50d9ae37bce2d654d2df03f335ba6e973219dae/analysis/1473759502/

- http://blog.dynamoo.com/2016/09/malware-spam-attached-is-tax-invoice-of.html
13 Sep 2016 - "This -fake- financial spam leads to Locky ransomware:
Subject: Tax invoice
From: Kris Allison (Allison.5326@ resorts .com.mx)
Date: Tuesday, 13 September 2016, 11:22
Dear Client,
Attached is the tax invoice of your company. Please do the payment in an urgent manner.
Best regards,
Kris Allison

The name of the sender will vary. Attached is a randomly-named ZIP file containing a malicious .wsf with a name beginning with "tax_invoice_scan PDF". According to my trusted source (thank you!) the various scripts download a component from one of the following locations:
adzebur .com/dsd7gk [37.200.70.6] (Selectel Ltd, Russia)
duelrid .com/b9m1t [not resolving]
madaen .net/e3ib4f [143.95.252.28] (Athenix Inc, US)
morningaamu .com/6wdivzv [not resolving]
smilehm .com/f72gngb [not resolving]
The payload then phones home... Recommended blocklist:
37.200.70.6
91.214.71.101
51.255.105.0/28
185.154.15.150
46.173.214.95
95.85.29.208
217.187.13.71 "
___

Fake 'Accounts Documentation' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/accounts-documentation-invoices-malspam-pretending-to-come-from-creditcontrol-your-own-email-domain-delivers-locky/
13 Sep 2016 - "... Locky downloaders... an email with the subject of 'Accounts Documentation – Invoices' pretending to come from CreditControl @ your own email domain with a random named zip attachment containing an .HTA file... One of the emails looks like:
From: CreditControl@...
Date: Tue 13/09/2016 10:22
Subject: Accounts Documentation – Invoices
Attachment: ~0166.zip
Please find attached the invoice(s) raised on your account today. If you have more than one invoice they will all be in the single attachment above.
If you have any queries please do not hesitate to contact the Credit Controller who deals with your account.
Alternatively if you do not know the name of the Credit Controller you can contact us at:
CreditControl@...
Please do not reply to this E-mail as this is a forwarding address only.

13 September 2016: ~0166.zip: Extracts to: 22FrDra16.hta - Current Virus total detections 6/56*
.. Payload Security** shows a download of an encrypted file from
goldenladywedding .com/vdG76VUY76rjnu?CHhjpz=zhXHhhwS which is transformed by the script to a working Locky ransomware (unfortunately Payload Security does not show or allow us to download the actual file)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/56110904a2c19eda496676fb108db7fe911c7824a47ecf601db53e1ade7c0cc8/analysis/1472753839/

** https://www.hybrid-analysis.com/sample/3d91a6ffed8b038363a0ead0f8985d1bdf88ba543aff0bcab048819d70455073?environmentId=100
Contacted Hosts
192.185.94.100
93.184.220.29
54.192.203.254
___

Fake 'Equipment receipts' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/equipment-receipts-malspam-delivers-locky/
13 Sep 2016 - "... Locky downloaders.. an email with the subject of 'Equipment receipts' coming as usual from random companies, names and email addresses with a random named zip attachment containing 2 identical .WSF files... One of the emails looks like:
From: Stacey Aguirre <Aguirre.535@ coopenet .com.ar>
Date: Tue 13/09/2016 17:36
Subject: Equipment receipts
Attachment: 5926f98c2d8d.zip
Good day hyperbolasmappera, Molly asked you to file the office equipment receipts.
Here is the photocopying equipment receipts purchased last week.
Please send him the complete file as soon as you finish.
Best regards,
Stacey Aguirre

13 September 2016: 5926f98c2d8d.zip: Extracts to: Equipment receipts 66BF9A.wsf - Current Virus total detections 5/55*
.. Payload Security** shows a download of an encrypted file from latexuchee .net/c4i03t which is transformed by the script to B6fKnUsSQfkrS.dll (VirusTotal 10/58***)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/f19e99b6cf11c943f728e7f4e050e36aa2ce20372e9112aea85eea471f89dd42/analysis/1473785537/

** https://www.hybrid-analysis.com/sample/f19e99b6cf11c943f728e7f4e050e36aa2ce20372e9112aea85eea471f89dd42?environmentId=100
Contacted Hosts
31.210.120.153
51.255.105.2
95.85.29.208
217.187.13.71

*** https://www.virustotal.com/en/file/a523f7064ebcccc3fe0e74e3f920bdd862e8d678bfba3a442e21a22e15b104e9/analysis/1473786095/

:fear::fear: :mad:

AplusWebMaster
2016-09-14, 12:59
FYI...

Fake 'Account report' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/account-report-malspam-we-have-detected-the-cash-over-and-short-in-your-account-delivers-locky/
14 Sep 2016 - "... Locky downloaders... an email with the subject of 'Account report' coming as usual from random companies, names and email addresses with a random named zip attachment containing 2 identical .WSF files... Payload Security[1] shows an error in running the dll file... One of the emails looks like:
From: Kimberley Witt <Witt.0236@ shopscissors .com>
Date: Wed 14/09/2016 08:31
Subject: Travel expense sheet
Attachment: 667b8951c871.zip
Dear nohdys, we have detected the cash over and short in your account.
Please see the attached copy of the report.
Best regards,
Kimberley Witt
e-Bank Manager

14 September 2016: 667b8951c871.zip: Extracts to: Account report 2311EEF4.wsf - Current Virus total detections 5/55**
.. MALWR*** unable to get any content. Payload security[1] shows a download of an encrypted file from
maydayen .net/l835ztl which is transformed by the script to RjN1UKDIQLzodBg.dll (VirusTotal 21/58[4])... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
1] https://www.hybrid-analysis.com/sample/e1f615ce1f91b41c11b3cccae9b5a42c4501375a261972bc47c3b08e5a793d07?environmentId=100
Contacted Hosts
178.212.131.10

** https://www.virustotal.com/en/file/e1f615ce1f91b41c11b3cccae9b5a42c4501375a261972bc47c3b08e5a793d07/analysis/1473838191/

*** https://malwr.com/analysis/YTRlNjk0YzllYzkzNGYxY2FkM2JhODJlYTkxNTFlYWI/

4] https://www.virustotal.com/en/file/15cc57f80acf43c7bb44ca02317dbcbf32436ce05ea1d67854d76e964aa95154/analysis/1472755942/
___

Fake 'Delivery Confirmation' SPAM - delivers Locky/Zepto
- https://myonlinesecurity.co.uk/delivery-confirmation-00336499-malspam-coming-from-ship-confirm-random-companies-delivers-lockyzepto/
14 Sep 2016 - "... Locky downloaders... an email with the subject of 'Delivery Confirmation: 00336499' [random numbers] coming as usual from ship-confirm@ random companies, names and email addresses with a random named zip attachment containing a .JS file. These are slightly better done than some recent ones. The attachment number Shipping Notification matches the subject Delivery Confirmation number... One of the emails looks like:
From: ship-confirm@ laughlinandbowen .com
Date: Wed 14/09/2016 10:55
Subject: Delivery Confirmation: 00336499
Attachment: Shipping Notification 00336499.zip
PLEASE DO NOT REPLY TO THIS E-MAIL. IT IS A SYSTEM GENERATED MESSAGE.
Attached is a pdf file containing items that have shipped
Please contact us if there are any questions or further assistance we can provide

14 September 2016: Shipping Notification 00336499.zip: Extracts to: WOIMKE51915.js
Current Virus total detections 7/55*. MALWR** shows a download of an encrypted file from one of these locations:
http ://adventurevista .com/hjy93JNBasdas?TVwzUk=tqFSMMU | http ://morerevista .com/hjy93JNBasdas?TVwzUk=tqFSMMU
which is transformed by the script to TKuAgcqe3.dll (VirusTotal 6/57***)... There are frequently 5 or 6 and even up to 150 download locations on some days, sometimes delivering the exactly same malware from all locations and sometimes slightly different malware versions... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/ac5d658850d941ef82b979ad4ed6ab23adfbaeddf8980d98768dbda86543078f/analysis/1473847035/

** https://malwr.com/analysis/MWE1OWVkZDRjOTQyNGYyNGFiNTdjYTljOTFmNjkxYTk/
Hosts
204.93.163.87
23.236.238.227

*** https://www.virustotal.com/en/file/d14cb7ec9e4d68ef38f92b227c1f2af2352504ee8dc582a466911601b77f5267/analysis/1473848281/
___

Fake 'Renewed License' SPAM - more Locky
- https://myonlinesecurity.co.uk/renewed-license-here-is-the-companys-renewed-business-license-malspam-delivers-locky/
14 Sep 2016 - "... Locky downloaders... an email with the subject of 'Renewed License' coming as usual from random companies, names and email addresses with a random named zip attachment containing 2 identical .WSF files... One of the emails looks like:
From: Stella Henderson <Henderson.70579@ siamesegear .com>
Date: Wed 14/09/2016 17:58
Subject: Renewed License
Attachment: 4614d82776.zip
Here is the company’s renewed business license.
Please see the attached license and send it to the head office.
Best regards,
Stella Henderson
License Manager

14 September 2016: 4614d82776.zip: Extracts to: renewed business license 3D956A.wsf
Current Virus total detections 2/55*. MALWR** seems unable to cope with WSF files like this. Payload Security*** shows a download of an encrypted file from moismdheri .net/jqpxub which is transformed by the script to a working locky file, which unfortunately isn’t being shown or made available... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/6e02c709fac13e3812a49306a065e067ef884231245120b079575ec696772fde/analysis/1473872609/

** https://malwr.com/analysis/MmFlNDUzMjZlOWI2NGRjNWI2ODhmYzM1MzE3ZjhlNzY/

*** https://www.hybrid-analysis.com/sample/6e02c709fac13e3812a49306a065e067ef884231245120b079575ec696772fde?environmentId=100
Contacted Hosts
37.200.70.6
52.32.150.180
93.184.220.29
54.192.203.123
___

Fake 'payment copy' SPAM - delivers Locky/Zepto
- https://myonlinesecurity.co.uk/payment-copy-malspam-delivers-locky-zepto/
13 Sep 2016 - "... Locky downloaders.. an email with the subject of 'payment copy' coming as usual from random companies, names and email addresses with a random named zip attachment containing a WSF file. The email body has -no- content except 'Best Regards' and the alleged senders name... One of the emails looks like:
From: Eddie screen <Eddie450@ hidrolats .lv>
Date: Tue 13/09/2016 22:02
Subject: payment copy
Attachment: PID6650.zip

Best Regards, _________
Eddie screen

13 September 2016: PID6650.zip: Extracts to: OCRXIB2826.wsf - Current Virus total detections 7/56*
.. MALWR** shows a download of an encrypted file from one of these locations:
http ://allchannel .net/jpqhvig?eGkOBjIQFz=dEVDXjWYjjH | http ://feechka .ru/wdxwxoa?eGkOBjIQFz=dEVDXjWYjjH
http ://jonathankimsey .com/rptyswr?eGkOBjIQFz=dEVDXjWYjjH
which is transformed by the script to yvXjbqxs1.dll (VirusTotal 7/58***). Payload security[4] is showing a different dll downloaded & converted... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/1a0ad6066fa57934cd92a75b9fcff94bd290d3471b96e55d7a23570701a83bd9/analysis/1473800782/

** https://malwr.com/analysis/MzNiNjBmYTBiYjRkNDg4YzhhZTc1MjIzMjQyNDJmNjk/
Hosts
94.73.146.80
5.61.32.143
143.95.41.185

*** https://www.virustotal.com/en/file/78b222082576d201d81511631a4533ad02314956aeb7001afc0cd9440cdfa188/analysis/1473801197/

4] https://www.hybrid-analysis.com/sample/e39dc03b2e5cd930ec1f26843117c675060fee062c927a4a1f01dac7c1b3ecdc?environmentId=100
Contacted Hosts
94.73.146.80
5.61.32.143
143.95.41.185
52.24.123.95
93.184.220.29
54.192.203.254
91.198.174.192
91.198.174.208
52.33.248.56

:fear::fear: :mad:

AplusWebMaster
2016-09-15, 12:44
FYI...

Fake 'financial report' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/financial-report-somebody-is-urging-you-to-get-the-financial-report-done-within-this-week-malspam-delivers-locky/
15 Sep 2016 - "... Locky downloaders... an email with the subject of 'financial report' coming as usual from random companies, names and email addresses with a random named zip attachment containing a .JS file... One of the emails looks like:
From: Lenora Preston <Preston.03846@ tarquinm .com>
Date: Thu 15/09/2016 09:13
Subject: financial report
Attachment: b3fe1958be4e.zip
Annabelle is urging you to get the financial report done within this week.
Here are some accounting data I have collected. Please merge it into your report.
Best regards,
Lenora Preston

15 September 2016: b3fe1958be4e.zip: Extracts to: financial report 6AD1543.js - Current Virus total detections 3/55*
.. MALWR** shows a download of an encrypted file from http ://wyvesnarl .info/1gtqiyj which is transformed by the script to bNvbVc5R8fy.dll (VirusTotal 15/57***)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/003b47b93828312677c7e58dc33dad924dd03eeb6b0bcea70488e3e2ccec7a2d/analysis/1473927705/

** https://malwr.com/analysis/ZDkyZTdmMTY1OTk4NDBmMmIzMTk4NzJlMWZlMTZhNjM/
Hosts
37.200.70.6

*** https://www.virustotal.com/en/file/9b385ad138021c598dc960d5e7f26e349ea46bb16057f0bc6f100278ef0a2b53/analysis/1473928074/
___

Fake 'SCAN' SPAM - delivers Locky/Zepto
- https://myonlinesecurity.co.uk/scan-algrafika-sh-p-k-coming-from-logistics-random-companies-malspam-delivers-locky-zepto/
15 Sep 2016 - "... Locky downloaders... an email with the subject of 'SCAN' coming from logistics@ random companies, names and email addresses with a random named zip attachment starting with SCAN _ todays date containing a WSF file... One of the emails looks like:
From: Elaine woolley <logistics@ kemindo-international .com>
Date: Thu 15/09/2016 10:37
Subject: Scan
Attachment: SCAN_20160915_8952113428.zip
Elaine woolley
Logistics Department
ALGRAFIKA SH.P.K ...

15 September 2016: SCAN_20160915_8952113428.zip: Extracts to: QATZEQE1822.wsf - Current Virus total detections 6/55*
.. MALWR** shows a download of an encrypted file from one of these locations:
http ://lullaby-babies .co.uk/afdIJGY8766gyu?EAiVvPQk=DvRgYPfvxC
http ://iassess .net/afdIJGY8766gyu?EAiVvPQk=DvRgYPfvxC
http ://techboss .net/afdIJGY8766gyu?EAiVvPQk=DvRgYPfvxC which is transformed by the script to
UloAJcCuAfq1.dll (VirusTotal 6/57***)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/69a0f91da3c0031c836a9538aaefa5520c577f3289da4172415990189c5770a6/analysis/1473932344/

** https://malwr.com/analysis/YTU5OWRkMGIzN2JlNGMwNmI5MTIzYWZkYjY3MTE0MDI/
Hosts
213.205.40.169
186.202.126.199
81.169.145.224
158.69.147.88
66.85.27.250

*** https://www.virustotal.com/en/file/f68a383f7f27a8ac1f1cc9040bcbb11747412d2193d6eaa508d010eef3d59d76/analysis/1473932910/
___

Bitcoin Phishing
- https://blog.opendns.com/2016/09/15/bitcoin-phishing-next-wave/
Sep 15, 2016 - "... Through this investigation, we found more than 280 Bitcoin phishing domains, so it is clear here that your Bitcoins are under attack. Additionally, criminals are using different methods and tricks to stay under the radar, such as using reverse proxy services to hide the IPs serving the illegal content..."
(More at the opendns URL above.)

:fear::fear: :mad:

AplusWebMaster
2016-09-16, 12:39
FYI...

Fake 'request' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/here-is-the-invoice-from-september-2016-malspam-delivers-locky/
16 Sep 2016 - "... Locky downloaders... an email with the subject of 'Re: request' coming as usual from random companies, names and email addresses with a random named zip attachment containing 2 identical .JS files... One of the emails looks like:
From: Leroy Dillard <Dillard.65@ airtelbroadband .in>
Date: Fri 16/09/2016 08:15
Subject: Re: request
Attachment: 819533a5b1ac.zip
Dear adkins, as you inquired, here is the invoice from September 2016.
Let me know whether it is the correct invoice number you needed or not.

16 September 2016: 819533a5b1ac.zip: Extracts to: september_2016_details_~2CB6B4~.js
Current Virus total detections 1/55*. Payload Security** shows a download of an encrypted file from
satyrwelf .net/27d4l09which is transformed by the script to a working locky ransomware file. Unfortunately Payload security does not show or download the file... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/0f59966b4d36cd4e8127143d8022e48e1e858bdcb3ae7147d22c772a60b6ffc4/analysis/1474009965/

** https://www.hybrid-analysis.com/sample/bdd56b075b7b18221e1598e3e5f15d13089c9514a9828825f83d5f87f65c31f6?environmentId=100
Contacted Hosts
178.212.131.10
52.32.150.180
93.184.220.29
54.192.203.192
52.33.248.56
___

Fake 'Booking confirmation' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/booking-confirmation-malspam-delivers-locky/
15 Sep 2016 8:39 pm - "... Locky downloaders... an email with the subject of 'Booking confirmation' coming as usual from random companies, names and email addresses with a random named zip attachment containing 2 files. 1 is a .JS file. The other is a 4kb file with a single character name that is full of 0 byte padding... One of the emails looks like:
From: Avery Moses <Moses.17671@ domainedelunard .com>
Date: Thu 15/09/2016 19:58
Subject: Booking confirmation
Attachment: 426c7ce21e1.zip
Hi there allan.dickie, it’s Avery. I booked the ticket for you yesterday.
See the attachment to confirm the booking.
King regards,
Avery Moses

15 September 2016: 426c7ce21e1.zip: Extracts to: Booking confirmation ~0D68BA0~.js
Current Virus total detections 1/54*. Payload Security** shows a download of an encrypted file from
satyrwelf .net/27d4l09 which is transformed by the script to a working locky ransomware file. Unfortunately Payload security does not show or download the file... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/bdd56b075b7b18221e1598e3e5f15d13089c9514a9828825f83d5f87f65c31f6/analysis/1473966399/

** https://www.hybrid-analysis.com/sample/bdd56b075b7b18221e1598e3e5f15d13089c9514a9828825f83d5f87f65c31f6?environmentId=100
Contacted Hosts
178.212.131.10
52.32.150.180
93.184.220.29
54.192.203.192
52.33.248.56
___

Locky download locations 2016-09-16
- http://blog.dynamoo.com/2016/09/locky-download-locations-2016-09-16.html
16 Sep 2016 - "I haven't had a chance to look at Locky today, but here are the current campaign download locations (thanks to my usual source)..
(Many domain-names shown at the dynamoo URL above.)
The first two lists are legitimate hacked sites, the last list are hosted on the following two IPs which are -definitely- worth blocking:
178.212.131.10 (21 Century Telecom Ltd, Russia)
37.200.70.6 (Selectel Ltd, Russia) "

178.212.131.10: https://www.virustotal.com/en/ip-address/178.212.131.10/information/
>> https://www.virustotal.com/en/url/e312b0bbb2fa95c8240ed64fc63c342a6b3e3f5cb874951096bbe40314394461/analysis/
37.200.70.6: https://www.virustotal.com/en/ip-address/37.200.70.6/information/
>> https://www.virustotal.com/en/url/7192fbb20c6fb638d5c27e82c549e60fa5a28bc38e35aa39562f6ff4e95f8c1a/analysis/
___

Email tips - from Malwarebytes ...
- https://blog.malwarebytes.com/101/2016/08/10-easy-ways-to-prevent-malware-infection/
"... Read emails with an-eagle-eye. Check the sender’s address. Is it from the actual company he or she claims? Hover over links provided in the body of the email. Is the URL legit? Read the language of the email carefully. Are there weird line breaks? Awkwardly constructed sentences that sound foreign? And finally, know the typical methods of communication for important organizations. For example, the IRS will never contact you via email. When in doubt, call your healthcare, bank, or other potentially-spoofed organization directly.
> Bonus mobile phone tip: Cybercriminals love spoofing banks via SMS/text message or -fake- bank apps. Do not confirm personal data via text, especially social security numbers. Again, when in doubt, contact your bank directly..."
___

Amex users hit with phish offering anti-phish
- https://www.helpnetsecurity.com/2016/09/15/amex-phishing-anti-phishing-protection/
Sep 15, 2016 - "American Express users are being actively targeted with phishing emails impersonating the company and advising users to create an 'American Express Personal Safe Key' to improve the security of their accounts:
> https://www.helpnetsecurity.com/images/posts/fake-amex-safekey-email.jpg
Users who fall for the scheme are directed to a -bogus- Amex login page (at http ://amexcloudcervice .com/login/). Once they enter their user ID and password, they are taken to a bogus page that ostensibly leads them trough the SafeKey setup process. The victims are asked to input their Social Security number, date of birth, mother’s maiden name, mother’s date of birth, their email address, the Amex card info and identification number, and the card’s expiration date and 3-digit code on the back of the card:
> https://www.helpnetsecurity.com/images/posts/amex-bogus-setup.jpg
The victims will be taken through the setup process even if they enter incorrect login credentials. And, after they finish entering all the information asked of them, they are redirected to the legitimate Amex website, making them believe they were using it the whole time..."

amexcloudcervice .com: 104.255.97.117: https://www.virustotal.com/en/ip-address/104.255.97.117/information/
104.36.80.16: https://www.virustotal.com/en/ip-address/104.36.80.16/information/
___

Ransomware Trends
- https://atlas.arbor.net/briefs/index#337041686
Sep 15, 2016 - "... Analysis: Money is seemingly easy to make with ransomware and more variants continue to appear. $121 million in six months is no longer out of the realm of possibility with larger variants possibly making more and in less time. Developers are keen to exploit large-scale business and hospital networks, in hopes of taking advantage of deeper pockets. As they move forward, more traditional malware spreading methods will likely be employed, including web app vulnerability scanning and SQL database vulnerability scans. Ransomware-as-a-Service is quickly becoming popular. These service offerings significantly lower the barrier of entry so that almost anyone can now take advantage of this criminal activity. Unlike other malware-as-a-service offerings that usually charge fees upfront for access, most ransomware services are simply affiliate based, aiming to gain as many customers as possible in hopes of compromising more victims. These ransomware services have no monetary barrier to entry, only that most of the customers distribute their packages themselves. Ransomware may be growing leaps and bounds but the same basic mitigation principles exist. Users are encouraged to avoid unsolicited emails and attachments, -never- enable macros in documents unless you have a legitimate reason to, maintain up-to-date system backups that are stored offline, and update systems with the latest patches and security elements as quickly as possible..."
___

Azure outage...
- https://azure.microsoft.com/en-us/status/history/
9/15 ...

:fear::fear: :mad:

AplusWebMaster
2016-09-19, 12:19
FYI...

Fake 'Express Parcel service' SPAM - leads to Locky
- http://blog.dynamoo.com/2016/09/malware-spam-express-parcel-service.html
19 Sep 2016 - "This spam has a malicious attachment:
From: Marla Campbell
Date: 19 September 2016 at 09:09
Subject: Express Parcel service
Dear [redacted], we have sent your parcel by Express Parcel service.
The attachment includes the date and time of the arrival and the lists of the items you ordered. Please check them.
Thank you.

Attached is a randomly named ZIP file containing a malicious .js script in the format Express Parcel service ~0A1B2C~.js with a junk w file that seems to contain nothing. The Hybrid Analysis* for one sample shows a download location of:
178.212.131.10/z3zeg (21 Century Telecom Ltd, Russia)
There are probably others (I'll post them if I get them). The payload appears to be Locky ransomware, phoning home to:
195.64.154.202/data/info.php (Ukrainian Internet Names Center LTD, Ukraine)
46.38.52.225/data/info.php (TCTEL, Russia)
ajsrbomqrrlra .pw/info.php [91.223.88.209] (Private Person Anton Malyi aka conturov.net, Ukraine)
It drops a DLL with a detection rate of 8/54*.

UPDATE: These Hybrid Analysis reports of other samples [1] [2]... show -other- download locations... All of these domains are hosted on evil IPs:
178.212.131.10 (21 Century Telecom Ltd, Russia)
91.194.250.131 (Evgeniy Zbarazhskiy aka TOV 'Dream Line Holding', Ukraine)...

Recommended blocklist:
195.64.154.202
46.38.52.225
91.223.88.209
178.212.131.10
91.194.250.131 "
The last one listed in italics is part of the update.

* https://www.hybrid-analysis.com/sample/b8f601fbaca128e30fa04954f12bfba8ac113b22abd305c2a70e44e39e0013c1?environmentId=100
Contacted Hosts
91.194.250.131
46.38.52.225
195.64.154.202
91.223.88.209

** https://virustotal.com/en/file/498811496cb62280f8eabe9fb345b2edc41d99886a4af319f2585fa8ebdc932b/analysis/1474275264/

1] https://www.hybrid-analysis.com/sample/43be4b89f50998b438d939d6d89e740b833b7c7c9b1e510e05b501498169b4a5?environmentId=100

2] https://www.hybrid-analysis.com/sample/7f2cfe7f92c6ab46158b96165809e6e077c5e08bf5799f02bfddeafa4dac9676?environmentId=100
___

Fake 'Order' SPAM - leads to Locky
- https://myonlinesecurity.co.uk/tvh-uk-ltd-random-order-number-malspam-leads-to-locky/
19 Sep 2016 - "... Locky downloaders... an email with the subject of 'Order: 19487600/00 – Your ref.:11893 [random order number, random reference number] coming as usual from random companies, names and email addresses with a macro enabled word doc attachment...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2016/09/Order-1948760000-Your-ref-11893-1024x624.png

19 September 2016: OffOrd_19487600-00-35879-972570.docm - Current Virus total detections 11/55*
.. MALWR** shows a download of an encrypted file from http ://sarayutechnologies .com/67SELbosjc358
which is transformed by the macro to chrendokss.dll and autorun (VirusTotal 8/57***)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/147c0d531075d917644266dc80a19884fcba9b968f633c6c499bf5d2b0bfe2c4/analysis/1474284844/

** https://malwr.com/analysis/YjA5Zjc0NjUxMjZiNDNjZThkYmIxMTY3ZDExNTExM2Q/
Hosts
89.163.249.205

*** https://www.virustotal.com/en/file/f6a9b32f8a9481b4b03563f0820aaf0532a7f272e0a5a7fd981ec9fb2db2e3ed/analysis/1474288204/

- http://blog.dynamoo.com/2016/09/malware-spam-order-2811261000-your-ref.html
19 Sep 2016 - "This -fake- financial spam has a malicious attachment that leads to Locky ransomware.
Subject: Order: 28112610/00 - Your ref.: 89403
From: Melba lochhead (SALES1@ krheadshots .com)
Date: Monday, 19 September 2016, 16:05
Dear customer,
Thank you for your order.
Please find attached our order confirmation.
Should you be unable to open the links in the document, you can download the latest version of Adobe Acrobat Reader for free...
Should you have any further questions, do not hesitate to contact me.
Kind Regards,
Melba lochhead
Internal Sales Advisor - Material Handling Equipment Parts & Accessories...

I have only seen a single sample so far, but I understand that reference numbers and names vary. Attached is a malicious .DOCM file with a name in the format OffOrd_87654321-00-1234567-654321.docm, my trusted source says that the various versions download a component...
(Many domain-names listed at the dynamoo URL above.)
It drops a DLL which had a moderate detection rate earlier[8/57]*. This version of Locky does -not- communicate with C2 servers, so if you want to block or monitor traffic perhaps you should use the string 67SELbosjc358."
* https://www.virustotal.com/en/file/153fa3e3faee5aac9ef6c2145cb4efe51d24fbdf7ab8f44cb6551496a68f0417/analysis/
chrendokss.dll.3860.dr

:fear::fear: :mad:

AplusWebMaster
2016-09-20, 12:28
FYI...

Fake 'Tracking data' SPAM - leads to Locky
- http://blog.dynamoo.com/2016/09/malware-spam-tracking-data-leads-to.html
20 Sep 2016 - "This spam has a malicious attachment leading to Locky ransomware:
From: Loretta Gilmore
Date: 20 September 2016 at 08:31
Subject: Tracking data
Good afternoon [redacted],
Your item #9122164-201609 has been sent to you by carrier.
He will arrive to you on 23th of September, 2016 at noon.
The tracking data (4fec25a8429fd7485c56c9211151eb42d59b57abf402cc363bc635) is attached.

The sender's name and reference numbers vary. Attached is a randomly named .ZIP file containing a malicious .js script named in the format tracking data ~C503090F~.js (the hexadecimal number is random) plus a junk file with a single-letter name...
UPDATE: Hybrid Analysis of various samples [1] [2].. shows the script downloading from various locations... All of these are hosted on:
178.212.131.10 (21 Century Telecom Ltd, Russia)
95.173.164.205 (Netinternet Bilisim Teknolojileri AS, Turkey)
The malware then phones home to the following locations:
91.223.88.205/data/info.php (Anton Malyi aka conturov.net, Ukraine)
176.103.56.105/data/info.php (Ivanov Vitaliy Sergeevich aka xserver.ua, Ukraine)
46.38.52.225/data/info.php (TCTEL, Russia)
195.64.154.202/data/info.php (Ukrainian Internet Names Center, Ukraine)
kixxutnpikppnslx .xyz/data/info.php [91.223.88.209] (Anton Malyi aka conturov.net, Ukraine)
A DLL is dropped with a detection rate of 13/57*.
Recommended blocklist:
178.212.131.10
95.173.164.205
91.223.88.0/24
46.38.52.225
195.64.154.202 "
1] https://www.hybrid-analysis.com/sample/1e5d5fd8bbfc519d42723cc7c7192edea98f6c9a9aed76176ff247d17641a49b?environmentId=100
Contacted Hosts
178.212.131.10
91.223.88.205
176.103.56.105
46.38.52.225
195.64.154.202
91.223.88.209

2] https://www.hybrid-analysis.com/sample/25e060b0f4acdf28a3c77070009188d0052a0ef3181d0f1928097ebf5bb8c164?environmentId=100
Contacted Hosts
178.212.131.10
46.38.52.225
91.223.88.205
176.103.56.105
195.64.154.202
91.223.88.209

* https://virustotal.com/en/file/e5bea6e469ea2eb935799f2eaf92c637f609ae57030bf7c8f9f32a070316e7e2/analysis/
RwjjKUw5U4bU.dll
___

Fake 'documents' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/documents-malspam-pretending-to-come-from-random-names-cableone-net-delivers-locky-zepto/
20 Sep 2016 - "... Locky downloaders... an email with the subject of 'documents' pretending to come from random names @ cableone .net with a random named zip attachment containing a WSF file... One of the emails looks like:
From: Brandi theakston <Brandi.theakston@ cableone .net>
Date: Tue 20/09/2016 14:27
Subject: documents
Attachment: 5040_98991330.zip

Brandi theakston
Office Manager
Box Rentals LLC
Sanibel Executive Suites
Crestwood Apts.
Cleveland Apts...

20 September 2016: 5040_98991330.zip: Extracts to: YPBUJSS17703.wsf - Current Virus total detections 5/55*
.. MALWR** shows a download of an encrypted file from one of these locations:
http ://steyjixie .net/yCTb6zqTQ?bJiuYAR=nFrDER | http ://writewile .su/CTb6zqTQ?bJiuYAR=nFrDER
http ://wellyzimme .com/CTb6zqTQ?bJiuYAR=nFrDER which is transformed by the script to NTlCmBVJkD1.dll
(VirusTotal 9/57***)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/04abd050050baec63b89de7d11d87a76c1611ef129705c4ef1ff9ff5e20166f0/analysis/1474375101/

** https://malwr.com/analysis/YTU5OWRkMGIzN2JlNGMwNmI5MTIzYWZkYjY3MTE0MDI/
Hosts
213.205.40.169
186.202.126.199
81.169.145.224
158.69.147.88
66.85.27.250

*** https://www.virustotal.com/en/file/25221d8a576e3e6708de55b48821276659e7da98a2e7cae90172f2f9810782f6/analysis/1474383107/
___

Evil network: 178.33.217.64/28 ... exploit kit
- http://blog.dynamoo.com/2016/09/evil-network-178332176428-et-al.html
20 Sep 2016 - "This customer of OVH appears to be registered with -fake- details, and are distributing-malware via a block at 178.33.217.64/28. Currently, the following IPs are distributing some sort of unidentified exploit kit:
178.33.217.64
178.33.217.70
178.33.217.71
178.33.217.78
178.33.217.79
A list of the domains associated with those IPs can be found here [pastebin*]... Checking the evolution-host .com... an invalid address with a different street number from before and an Irish telephone number... The Evolution Host website appears to have no contact details at all. RIPE associates the tag ORG-JR46-RIPE with the following IP ranges, all rented from OVH. I suggest you block -all- of them:
91.134.220.108/30
92.222.208.240/28
149.202.98.244/30
176.31.223.164/30
178.33.217.64/28 "
* http://pastebin.com/9QGvmRVt
___

Fake 'Out of stock' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/we-are-very-sorry-to-inform-you-that-the-item-you-requested-is-out-of-stock-malspam-delivers-locky/
20 Sep 2016 - "... Locky downloaders.. an email with the subject of 'Out of stock' coming as usual from random companies, names and email addresses with a random named zip attachment containing a.JS file... One of the emails looks like:
From: Steven Goodman <Goodman.55291@ 70-static.tedata .net>
Date: Tue 20/09/2016 20:25
Subject: Out of stock
Attachment: 050f0ba31ac.zip
Dear [REDACTED], we are very sorry to inform you that the item you requested is out of stock.
Here is the list of items similar to the ones you requested.
Please take a look and let us know if you would like to substitute with any of them.

20 September 2016: 050f0ba31ac.zip: Extracts to: updated order ~3F369A12~ pdf.js - Current Virus total detections 4/55*
.. MALWR** shows a download of an encrypted file from one of these locations:
http ://vumdaze .com/pknjo995 | http ://youthmaida .net/7ewhtm6 which is transformed by the script to rg4V0yhh8iC.dll (VirusTotal 8/57***)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/b6b60d2743977b82ac040b5e7d49548b3d1bf9853f012060d46fc8e6e9148d16/analysis/1474400445/

** https://malwr.com/analysis/MjEyODUzMjJkOTQ1NGNkZTk5ZWExMmRlOGY5N2JhODk/
Hosts
95.173.164.205
178.212.131.10

*** https://www.virustotal.com/en/file/57c32cd917006a947502464fb2ca5203c44acecb97456f9d2f3b44735c7e3b7b/analysis/1474398913/
___

'Just For Men' website - serves malware
- https://blog.malwarebytes.com/cybercrime/2016/09/just-for-men-website-serves-malware/
Sep 20, 2016 - "The website for Just For Men, a company that sells various products for men as its name implies, was serving malware to its visitors. Our automated systems detected the drive-by download attack pushing the RIG exploit kit, eventually distributing a password stealing Trojan. In this particular attack chain we can see that the homepage of justformen[.]com has been injected with obfuscated code. It belongs to the EITest campaign* and this gate is used to perform the -redirection- to the exploit kit. EITest is easy to recognize (although it has changed URL patterns) for its use of a Flash file in its redirection mechanism.
* https://blog.malwarebytes.com/threat-analysis/2014/10/exposing-the-flash-eitest-malware-campaign/
RIG EK has now taken over Neutrino EK as the most commonly used and seen toolkit in the wild... We replayed the attack in our lab as shown in the video below:
> https://youtu.be/F5uRosn8E58
... We reported this incident to Combe, the parent company for Just For Men. Between the time we collected our traffic capture and writing of this blog, we noticed the site had changed. As of now, the site is running the latest version of WordPress according to this scan from Sucuri** and does not appear to be compromised any more..."
** https://sitecheck.sucuri.net/results/justformen.com
... C2 callbacks:
217.70.184.38: https://www.virustotal.com/en/ip-address/217.70.184.38/information/
Country: FR / Autonomous System: 29169 (Gandi SAS)
173.239.23.228: https://www.virustotal.com/en/ip-address/173.239.23.228/information/
Country: US / Autonomous System: 27257 (Webair Internet Development Company Inc.)

... see "Latest detected URLs" shown in the virustotal links.
___

Fake AV on Google Play ...
- https://blog.malwarebytes.com/cybercrime/2016/09/mobile-menace-monday-fake-av-makes-it-onto-google-play/
Sep 19, 2016 - "Every once in a while, a -fake- antivirus pops up on the Google Play store. Most of the time, it’s just a fake scanner that doesn’t detect anything because it doesn’t actually look for anything to detect. Show a scan that simply lists all the apps on your device and it’s pretty easy to look legit. They serve up some -ads- for revenue, and you are given the false sense your phone isn’t infected — kind of a win-win unless you actually want malicious apps to be detected/removed. These apps are often ignored by real AV scanners because, technically, they aren’t doing anything malicious. It’s only when malicious intent is found that these apps are classified as bad. With a clean design and look, Antivirus Free 2016 could very easily be confused for a legitimate AV scanner:
> https://blog.malwarebytes.com/wp-content/uploads/2016/09/Screenshot1.png
...
> https://blog.malwarebytes.com/wp-content/uploads/2016/09/Screenshot4.png
Looking deeper though, one would see its true intent. To start, Antivirus Free 2016 is given permission to read, write, send, and receive SMS messages. It isn’t usual for an AV scanner to have receive SMS permission; but to read, write, or send SMS is another story. Unfortunately, any code that deals with SMS has been obfuscated/removed from being seen. The app’s receiver and service names, such as com.xxx.message.service.receiver.SmsReceiver, com.xxx.message.service.receiver.MmsReceiver, and com.xxx.message.service.RespondService, containing these codes raises enough suspicion on their own. What isn’t hidden in the code is the use of a complex decryption algorithm used to -hide- a URL and a string named “remotePackageName”. This could possibly be used to download and install -other- apps onto the device. According to our records, 'Antivirus Free 2016' is seen in the Google Play Store between August 14th to the 31st of this year, but has been removed since. Because of its extensive malicious intent, we have classified it as Android/Trojan.FakeAV. The act of using a -fake- Antivirus product to infect customers is far from a new trick. Still, it’s scary to think that a product that is meant to protect you can be the one doing the most damage. Make sure to do your research while picking a good AV product..."

:fear::fear: :mad:

AplusWebMaster
2016-09-21, 16:37
FYI...

Fake 'Receipt' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/receipt-40247-from-the-music-zoo-malspam-delivers-locky/
21 Sep 2016 - "... Locky downloaders.. an email with the subject of 'Receipt 40247' from The Music Zoo pretending to come from The Music Zoo <shipping3363@ themusiczoo .com> with a random numbered zip attachment (that matches the subject number) containing a .WSF file... One of the emails looks like:
From: The Music Zoo <shipping3363@ themusiczoo .com>
Date: Wed 21/09/2016 03:54
Subject: Receipt 40247 from The Music Zoo
Attachment: Receipt 40247.zip
Thank you for your order! Please find your final sales receipt attached to
this email.
Your USPS Tracking Number is: 1634888147633172932951
This order will ship tomorrow and you should be able to begin tracking
tomorrow evening after it is picked up. If you have any questions or
experience any problems, please let us know so we can assist you. Thanks
again and enjoy!
Thanks,
The Music Zoo ...

21 September 2016: Receipt 40247.zip: Extracts to: IOABB32501.wsf - Current Virus total detections 17/54*
.. MALWR** shows a download of an encrypted file from one of these locations:
http ://awaftaxled .com/JHG67g32udi?DnzmQJqbM=ncEcxrIem | http ://uphershoji .net/JHG67g32udi?DnzmQJqbM=ncEcxrIem
which is transformed by the script to rg4V0yhh8iC.dll (VirusTotal 8/57***)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/b95596b8318faf30e46a39cde991f71917d51faae7736fe109f237dc45410a7c/analysis/1474436523/

** https://malwr.com/analysis/MzY1MjIyMzI2YWVmNGI3MGE0ODliN2IxNjUxMGI2ZmY/
Hosts
62.84.69.75: https://www.virustotal.com/en/ip-address/62.84.69.75/information/
Domains
awaftaxled .com: 193.150.247.12: https://www.virustotal.com/en/ip-address/193.150.247.12/information/
uphershoji .net: 62.84.69.75

*** https://www.virustotal.com/en/file/e8b73e99c22d18d2208e659c9eb9937e1e9bdaf7b4bc9d48985e05559d9669d5/analysis/1474435608/
___

Those never-ending waves of Locky malspam
- https://isc.sans.edu/diary.html?storyid=21505
2016-09-21 - "Malicious spam (malspam) campaigns sending Locky ransomware are nothing new. We see reports of it on a near daily basis [1, 2]. But last month, Locky ransomware changed. It used to be downloaded as an executable file, but now it's being implemented as a DLL [3].... The malspam all contained zip archives as file attachments. Those zip archives contained either a .js file or a .wsf file. The .js files contain JavaScript and can be run with Windows Script Host by double-clicking the file. The .wsf file extension is used for a Windows Script File. These .wsf files can also be run by double-clicking on them in a Windows environment... some of these emails make it through, and people still get infected. All it takes is one message, one Windows host without enough protective measures, and one person willing to start clicking away. A solid strategy for any sort of ransomware is to make-regular-backups of any important files. Remember to test those backups, so you're certain to recover your data. These .js and .wsf files are -designed- to download Locky and run the ransomware as a DLL..."
1] http://blog.dynamoo.com/search/label/Locky

2] https://myonlinesecurity.co.uk/tag/locky/

3] http://www.bleepingcomputer.com/news/security/locky-zepto-ransomware-now-being-installed-from-a-dll/

:fear::fear: :mad:

AplusWebMaster
2016-09-22, 12:59
FYI...

Fake 'Receipt of payment' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/receipt-of-payment-malspam-delivers-locky/
22 Sep 2016 - "... Locky downloaders.. an email with the subject of 'Receipt of payment' coming as usual from random companies, names and email addresses with a random numbered zip attachment containing a HTA file...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2016/09/Receipt-of-payment-1024x636.png

22 September 2016: (#721632093) Receipt.zip: Extracts to: A2LOCTI1203.hta - Current Virus total detections 7/54*
.. MALWR** is unable to analyse HTA files. Payload Security*** shows a download of an encrypted file from
ringspo .com/746t3fg3 which is transformed by the script to a working locky file. Unfortunately Payload security free version does not show us or allow download of the locky ransomware itself... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/a5e671cc4beec75d35a724946565503f179e0575b23e3ea09fde0ab7616d51e4/analysis/1474506588/

** https://malwr.com/analysis/ODJkM2M0MjMzMzE2NDUwYjk2NTU4MjBhZmU3NzExMWI/

*** https://www.hybrid-analysis.com/sample/a5e671cc4beec75d35a724946565503f179e0575b23e3ea09fde0ab7616d51e4?environmentId=100
Contacted Hosts
67.205.36.188
52.24.123.95
93.184.220.29
52.85.173.119
___

Fake 'Package #..' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/package-dh4946376-pretending-to-be-a-dhl-unable-to-deliver-message-delivers-locky/
22 Sep 2016 - "... Locky downloaders.. an email with the subject of 'Package #DH4946376' [random numbers] pretending to come from DHL but actually coming as usual from random email addresses with a random named zip attachment containing a .JS file... One of the emails looks like:
From: DHL Express <Murray.64@ yj .By>
Date: Thu 22/09/2016 12:03
Subject: Package #DH4946376
Attachment: 4023cd96fe5.zip
Dear helloitmenice,
The package #DH4946376 you ordered has arrived today. There is some confusion in the address you provided.
Please review the address in the attached order form and confirm to us. We will deliver as soon as we receive your reply.
—–
Beulah Murray
DHL Express Support

22 September 2016: 4023cd96fe5.zip: Extracts to: package dhl express ~0EAD6~.js - Current Virus total detections 6/55*
.. MALWR** shows a download of an encrypted file from:
http ://affordabledentaltours .com/g8xa1lt which is transformed by the script to UNDLiWCqgT.dll (VirusTotal 8/57***)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/fa1043788961c4bacea94de799b6cc840abe5a874034ee69f0c92bf749eb6d0b/analysis/1474542522/

** https://malwr.com/analysis/OWUxOWViMzExZTRjNDRlOThkNDBmMjgwN2YwMWYwOTM/
Hosts
69.162.148.70: https://www.virustotal.com/en/ip-address/69.162.148.70/information/

*** https://www.virustotal.com/en/file/55ae3b73ad8e8b60f3afc50bf12449efbf90b0ddb27d0ce8392edfa3760b25b1/analysis/1474544725/
___

RAR to JavaScript: Ransomware - Email attachments
- http://blog.trendmicro.com/trendlabs-security-intelligence/rar-javascript-ransomware-figures-fluctuations-email-attachments/
Sep 22, 2016 - "... Based on our analysis, 71% of known ransomware families arrive via email... Over the first half of the year, we observed how cybercriminals leveraged file types like JavaScript, VBScript, and Office files with macros to evade traditional security solutions... Trend Micro has already blocked and detected 80-million-ransomware-threats during the first half of the year; 58% of which came from email attachments. Throughout this year, we followed Locky’s spam campaign and how its ever changing email file attachments contributed to its prevalence. Based on our monitoring, the rising number of certain file types in email attachments is due to Locky. The first two months of the year, we spotted a spike in the use of .DOC files in spam emails. DRIDEX, an online banking threat notable for using macros, was, at one point, reported to be distributing Locky ransomware. From March to April, we saw a spike in the use of .RAR attachments, which is also attributed to Locky:
> https://blog.trendmicro.com/trendlabs-security-intelligence/files/2016/09/Months-01.jpg
In June and August, it appears Locky’s operators switched to using JavaScript attachments. However, this type of attachment is also known to download -other- ransomware families such as CryptoWall 3.0 and TeslaCrypt 4.0. We also noticed Locky employing VBScript attachments, likely because this can be easily obfuscated to evade scanners. Around mid-July to August, we started seeing Locky’s spam campaign using Windows Scripting file (WSF) attachments — which could explain how WSF became the second file type attachment most used by threats. With WSF, two different scripting languages can be combined. The tactic makes it difficult to detect since it’s not a file type that endpoint solutions normally monitor and flag as malicious. Cerber was also spotted using this tactic in May 2016:
> https://blog.trendmicro.com/trendlabs-security-intelligence/files/2016/09/Bar-Graph-01.jpg
The latest strains of Locky were seen using DLLs and .HTA file attachments for distribution purposes. We surmise that malware authors abuse the .HTA file extension as it can bypass filters, given that it is not commonly known to be abused by cybercriminals:
> https://blog.trendmicro.com/trendlabs-security-intelligence/files/2016/09/spam_copy_locky.jpg
Due to the continuous changes in the use of various file attachments, we suspect that the perpetrators behind Locky will use other executable files such as .COM, .BIN, and .CPL to distribute this threat... One critical aspect of a ransomware attack is its delivery mechanism. Once ransomware-laced emails enter the network and execute on the system, they can encrypt important files..."

"The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
___

Rising Tides of SPAM
> http://blog.talosintel.com/2016/09/the-rising-tides-of-spam.html
Sep 21, 2016 - "... According to CBL*, the last time spam volumes were this high was back in mid-2010:
* http://www.abuseat.org/totalflow.html
... An internal graph generated by SpamCop which illustrates the overall size of the SpamCop Block List (SCBL) over the past year. Notice how the SCBL size hovers somewhere under 200K IP addresses pre-2016, and more recently averages closer to 400K IP addresses, spiking to over 450K IPs in August:
> https://1.bp.blogspot.com/-F_KsOhc5lR8/V-K5XqlX3zI/AAAAAAAAAW4/g5lVadyda1Q9r9grlsCCCVJMnUuwE-R5QCLcB/s640/image01.png
... We cannot predict the future and stop spam attacks before they start. Therefore, in any reasonably well-designed spam campaign there will always exist a very narrow window of time between when that spam campaign begins, and when anti-spam coverage is deployed to counter that campaign. In most anti-spam systems, this "window of opportunity" for spammers may be on the order of seconds or even minutes. Rather than make their email lists more targeted, or deploying snowshoe style techniques to decrease volume and stay under the radar, for these spammers it has become a race. They transmit as much email as cyberly possible, and for a short time they may successfully land malicious email into their victims' inboxes. For evidence of this, we need not look very far. Analyzing email telemetry data from the past week, we can readily see the influence of these high-volume spam campaigns:
> https://4.bp.blogspot.com/-irvFPvK7ISA/V-K5mRS774I/AAAAAAAAAW8/Lr15oNK0X2UUdvtM_3ehr77fWFoXHpbUACLcB/s640/image00.jpg
... Conclusion: Email threats, like any other, constantly evolve. As we grow our techniques to detect and block threats, attackers are simultaneously working towards evading detection technology. Unfortunately there is no silver bullet to defending against a spam campaign. Organizations are encouraged to build a layered set of defenses to maximize the chances of detecting and blocking such an attack. Of course, whenever ransomware is involved, offline backups can be -critical- to an organization's survival. Restoration plans need to be regularly reviewed -and- tested to ensure no mistakes have been made and that items have not been overlooked. Lastly, reach out to your users and be sure they understand that strange attachments are -never- to be trusted!"

:fear::fear: :mad:

AplusWebMaster
2016-09-23, 13:24
FYI...

Fake 'Transactions' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/transactions-details-malspam-delivers-locky/
23 Sep 2016 - "... Locky downloaders... an email with the subject of 'Transactions details' coming as usual from random companies, names and email addresses with a random named zip attachment containing a .JS file named Transactions details scan {random characters}.js... One of the emails looks like:
From: Lora Mooney <Mooney.771@ gallerystock .com>
Date: Fri 23/09/2016 06:35
Subject: Transactions details
Attachment: 9fc2fd82d4e.zip
Dear xerox.774, this is from the bank with reference to your email yesterday.
As you requested, attached is the scan of all the transactions your account made in September 2016.
Please let us know if you need further assistance.

Lora Mooney
Credit Controller ...

23 September 2016: 9fc2fd82d4e.zip: Extracts to: Transactions details scan 358AD50.js
Current Virus total detections 6/55*. MALWR** shows a download of an encrypted file from
http ://prospower .com/kqp479c7 which is transformed by the script to L12I1sh9pd9X2.dll (VirusTotal 11/57***)...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/7f9e4bcf79f6c8c66bb4ac460ed9ac58da3741d514e5d677adeae996bc0f12be/analysis/1474609615/

** https://malwr.com/analysis/MTU3YWFiN2YyMjE5NDAwNThkNDYyNWM3YWJjODM0OWQ/
Hosts
207.7.95.142

*** https://www.virustotal.com/en/file/b5e226a6424eabab9c12ef093ddc4317ba74af87c0241c957c7615bcc5a57130/analysis/1474609924/
___

Fake 'Photo' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/blank-email-photo-from-xxxxxxx-malspam-delivers-locky-zepto/
23 Sep 2016 - "... Locky downloader with a blank/empty email with the subject of 'Photo from Ryan (random name)' coming as usual from random companies, names and email addresses with a random named zip attachment named along the lines of IMG- today’s/yesterday’s date - 2 characters and several numbers .zip containing a WSF file. The “photo from” name in the subject matches the alleged senders name... One of the emails looks like:
From: Ryan nock <Ryan9244@ gmail .com>
Date: Fri 23/09/2016 00:51
Subject: Photo from Ryan
Attachment: IMG-20160922-WA000752.zip

Body content: Totally blank/empty

23 September 2016: IMG-20160922-WA000752.zip: Extracts to: AGRN0718.wsf - Current Virus total detections 9/55*
.. MALWR** shows a download of an encrypted file from one of these locations:
http ://allcateringservices .in/8rcybi43?rRffpf=NrdcbOsmH | http ://klop .my/8rcybi43?rRffpf=NrdcbOsmH
http ://williamstarnetsys .org/8rcybi43?rRffpf=NrdcbOsmH which is transformed by the script to
raDSyGb1.dll (VirusTotal 8/57***). These WSF files post back to C&C http ://94.242.57.152 /data/info.php
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/42a964bbcc138f2375ff96c2f03f04fb1b774b698fdf7b12f81e39f3146a2648/analysis/1474598473/

** https://malwr.com/analysis/ZmMwYzRjNWFiMTNjNDIxZThhY2RlYzkzZDNlZDA2OTk/
Hosts
103.231.41.127
103.8.25.156
142.4.4.160
94.242.57.152

*** https://www.virustotal.com/en/file/90bc55226146cd669a3b8afdb3ab9880ccbfd646543968c15febadaee546d680/analysis/1474605834/
___

Fake 'Document' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/blank-email-document-from-xxxxxx-malspam-pretending-to-come-from-gmail-delivers-locky-zepto/
23 Sep 2016 - "... another set of blank/empty emails with the subject of 'Document from Horacio (random name)' pretending to come from random names @ gmail .com with a malicious word doc attachment delivers Locky ransomware... These are NOT coming from Gmail... One of the email looks like:
From: Horacio minto <Horacio92942@ gmail .com>
Date: Fri 23/09/2016 11:06
Subject: Document from Horacio
Attachment:DOC-20160923-WA0008360.docm

Body content: Totally empty/blank

23 September 2016: DOC-20160923-WA0008360.docm - Current Virus total detections 8/55*. Malwr** shows a download of an encrypted file from http ://rutlandhall .com/bdb37 which is transformed by the macro to hupoas.dll
(VirusTotal 10/57***) posts back to C&C at http ://158.255.6.129 /data/info.php ... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://virustotal.com/en/file/d9f73a4d39205954203c38dd7329703b4f83037785749d561eccb10655b0a421/analysis/

** https://malwr.com/analysis/ZWI2YTQzMGIyMzA2NDM0OGFhZDMwNzE5ZDdjOGUyMzU/
Hosts
217.160.5.7
94.242.57.152
158.255.6.129

*** https://www.virustotal.com/en/file/914a3f5c518087e4e49509610ea4367a9e9f3301b3a42682606616ace56215ab/analysis/1474629008/

:fear::fear: :mad:

AplusWebMaster
2016-09-27, 03:28
FYI...

Locky changed - now an .odin extension
- https://myonlinesecurity.co.uk/locky-ransomware-changed-now-a-odin-extension/
26 Sep 2016 - "... the file extension to the encrypted files which is now .odin . They are still using .wsf files inside zips today... first series pretends to come from your-own-domain with a subject of:
Re: Documents Requested and the body saying:
Dear [redacted],
Please find attached documents as requested.
Best Regards,
[redacted]

The second series comes from random senders with a subject of 'Updated invoice #[random number]' and random names, job positions and companies in the body with a body content:
Our sincere apology for the incorrect invoice we sent to you yesterday.
Please check the new updated invoice #3195705 attached.
We apologize for any inconvenience.
——-
Socorro Bishop
Executive Director Marketing PPS ...

See MALWR* which does show the encrypted files and Payload Security** which does not but shows the downloads...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://malwr.com/analysis/OWEzOWI5ZDgzMjUzNGIwOTk3YTE0NzY4YmNiZmNmNmI/
Hosts
94.23.97.227
62.173.154.240

** https://www.hybrid-analysis.com/sample/22ad72331096a72cc5265a2397dcf51e5e6e018a4c8aed4f1137590db976e574?environmentId=100
Contacted Hosts
94.23.97.227
62.173.154.240
5.196.200.247
86.110.118.114
52.34.245.108

- https://blog.opendns.com/2016/09/26/odin-lockys-latest-persona/
Sep 26, 2016

:fear::fear: :mad:

AplusWebMaster
2016-09-27, 13:06
FYI...

Locky malware office rtf files - new delivery method
- https://myonlinesecurity.co.uk/new-malware-delivery-method-fast-spreading-probably-locky-with-office-rtf-files-with-individual-passwords/
27 Sep 2016 - "... a major change this morning in what I assume is a Locky or Dridex delivery system. The files come as RTF files but each rtf file has an individual password. None of the online automatic analysers or Virus Total, see any malicious content, because they cannot get past the password. Once you insert the password, you can then get to the macro, but I haven’t managed to decode it..
Update: I am being told it is Dridex, but am waiting on confirmation via analysis by several other researchers.
Once you insert the password you see a file looking like this. (This was opened in LIbre Office and not Microsoft word for safety reasons, where there is no enable content button):
> https://myonlinesecurity.co.uk/wp-content/uploads/2016/09/final_notice-1024x590.png
... Individual passwords for the file names inside the zips are:
Final Notice#i4qb43c.rtf tRgHs8UOo
Invoice-a00h.rtf TVOS3v8
Statementj34f-69g_%l13te91u.rtf xpaGK1x0r
We are seeing various subjects on these emails all using random names in subject line that matches the name of the alleged sender, including:
Fwd:Invoice from Driscoll Welch
Fw:Final Notice from Zane Reyes
Marvin Yates Statement
Re:Bill from Richard Contreras
Statement from Lionel Roth
Howard Cantrell Notice
They are using email addresses and subjects that will scare or entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers. One of the emails looks like:
From: Driscoll Welch <emma.qe@ ntlworld .com>
Date: Tue 27/09/2016 08:47
Subject: Fwd:Invoice from Driscoll Welch
Attachment: Invoice-a00h.rtf
The Transfer should appear within 2 days. Please check the document attached.
You may also need Document Pwd: TVOS3v8
Driscoll Welch

DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
___

Fake 'Post For Amendment' SPAM - Java Adwind Trojan
- https://myonlinesecurity.co.uk/post-for-amendment-pretending-to-come-from-danny-chunnwesternunion-com-malspam-delivers-java-adwind/
27 Sep 2016 - "We continue to see Java Adwind Trojans daily.. This one is an email with the subject of
'Post For Amendment' pretending to come from danny.chunn@ westernunion .com <accounts@ petnet .com.ph> with a genuine PDF attachment which contains a link, that when clicked downloads a rar file containing a Java.jar file... The particular difference is the PDF attachment is a genuine PDF which pretends to be a notice from Google Drive to download another PDF. The actual link-behind-the-download is -not- to Google drive but to a hacked/compromised WordPress site
https ://www.makgrills .com/wp-content/Transaction-Ref0624193.rar
which downloads the rar file containing the Java Adwind Trojan. Note the HTTPS: The RAR file extracts to Agent Sendout Report.PDF.Doc.XLS.TXT.jar and if you have the windows default setting of “don’t show file extensions” set, you will think it is either a plain text file. The malspammer has added belts & braces though by naming it as report.PDF.Doc.XLS.TXT ... WARNING: Java Adwind is a very dangerous remote access backdoor Trojan, that has cross OS capabilities and can potentially run and infect any computer or operating system including windows, Apple Mac, Android and Linux. It however can only be active or infect you if you have Sun/Oracle Java installed*...
* https://www.theguardian.com/technology/askjack/2013/feb/08/java-remove-ask-jack-technology
... One of the emails looks like:
From: danny.chunn@ westernunion .com <accounts@ petnet .com.ph>
Date: Mon 26/09/2016 09:41
Subject: Post For Amendment
Attachment: Transaction-Ref06214193.pdf
Agent,
View and post request for amendment. The Western union transaction is returned from a recieving agent. Details of the transaction has been attached
Thanks & Regards,
Danny Chunn
Asst Mgr|Operations
Branch Operations,
Western Union Money Transfer
Door – 26,Street- 920,Roudat Al Khail
P O Box ? 5600,Doha,State of Qatar ...

The PDF when opened looks like this image which pretends to say that you need to click the link to download the PDF from Goggle Drive:
[ spoof_google_drive ]
> https://myonlinesecurity.co.uk/wp-content/uploads/2016/09/spoof_google_drive.png

27 September 2016: Transaction-Ref06214193.pdf: downloads: Transaction-Ref0624193.rar which extracts to
Agent Sendout Report.PDF.Doc.XLS.TXT.jar - Current Virus total detections 16/55* for .jar file...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/5b0bc44dbb7ae452a76cfe0c85e14ca732ea4d74b72da44888b71a96218a1076/analysis/1474955483/
___

Fake 'Attached:Scan' SPAM - leads to Locky
- http://blog.dynamoo.com/2016/09/malware-spam-attachedscan70-and-others.html
27 Sep 2016 - "This -fake- scanned document leads to Locky ransomware:
Subject: Attached:Scan(70)
From: Zelma (Zelma937@ victimdomain .tld)
To: victim@ victimdomain .tld;
Date: Tuesday, 27 September 2016, 14:15

There does not appear to be any body text. My trusted source tells me that the subject is a combination of the words Attached/Copy/File/Emailing and Document/Receipt/Scan plus a random two-digit number. Attached is a ZIP file with a name similar to the subject, containing a malicious .wsf script. This script then downloads components...
(Long list at the dynamoo URL above.)
The payload is Locky ransomware, phoning home to:
5.196.200.247/apache_handler.php (OVH, Ireland / Just Hosting, Russia)
62.173.154.240/apache_handler.php (JSC Internet-Cosmos, Russia)
uiwaupjktqbiwcxr .xyz/apache_handler.php [86.110.118.114] (Takewyn.com, Russia)
rflqjuckvwsvsxx .click/apache_handler.php [86.110.118.114] (Takewyn.com, Russia)
dypvxigdwyf .org/apache_handler.php [69.195.129.70] (Joe's Datacenter, US)
ntqgcmkmnratfnwk .org/apache_handler.php
wababxgqgiyfrho .su/apache_handler.php
ytqeycxnbpuygc .ru/apache_handler.php
ocuhfpcgyg .pl/apache_handler.php
cifkvluxh .su/apache_handler.php
sqiwysgobx .click/apache_handler.php
yxmagrdetpr .biz/apache_handler.php
xnoxodgsqiv .org/apache_handler.php
vmibkkdrlnircablv .org/apache_handler.php
Recommended blocklist:
5.196.200.0/24
62.173.154.240
86.110.118.114 "
___

RIG EK on large malvertising campaign
- https://blog.malwarebytes.com/cybercrime/exploits/2016/09/rig-exploit-kit-takes-on-large-malvertising-campaign/
Sep 27, 2016 - "... spotted a malvertising attack on popular website answers .com (2 million visits daily) via the same pattern that was used by Angler EK and subsequently Neutrino EK via the ‘domain shadowing‘ practice and the use of the HTTPS open redirector from Rocket Fuel (rfihub .com). Some visitors that browsed the knowledge-based website were exposed to the fraudulent and malicious advert and could have been infected -without- even having to click on it:
> https://blog.malwarebytes.com/wp-content/uploads/2016/09/flow2.png
... In early September we noticed a change in how RIG drops its malware payload. Rather than using the iexplore.exe process, we spotted instances where wscript.exe was the parent process of the dropped binary... domain shadowing in the malvertising space is still an effective means of duping ad agencies via social engineering. While this practice is well known, it also remains a powerful method to -bypass- traditional defences at the gateway by wrapping the ad traffic (and malicious code) in an encrypted tunnel. Since malvertising does not require any user interaction to infect your system, you should keep your computer fully up to date and uninstall unnecessary programs... Indicators of compromise:

ads.retradio .com: 184.168.165.1: https://www.virustotal.com/en/ip-address/184.168.165.1/information/
63.141.242.35: https://www.virustotal.com/en/ip-address/63.141.242.35/information/

RIG Exploit Kit Distributing CrypMIC Ransomware
- https://atlas.arbor.net/briefs/index#1789371819
Sep 22, 2016

:fear::fear: :mad:

AplusWebMaster
2016-09-28, 12:16
FYI...

Fake 'Document' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/document-no-25845584-pretending-to-come-from-random-names-at-accounts-your-own-email-domain-delivers-locky/
28 Sep 2016 - "... Locky downloaders.. an email with the subject of 'Document No 25845584' (random numbers) pretending to come from random names at accounts@ your-own-email-domain or company with a random named zip attachment containing an hta file... One of the emails looks like:
From: random names at accounts@your own email domain or company
Date: Wed 28/09/2016 01:38
Subject: Document No 25845584
Attachment: Document No 25845584.zip
Thanks for using electronic billing
Please find your document attached
Regards
MAVIS CAWLEY

28 September 2016: Document No 25845584.zip: Extracts to: GVJL2720.hta - Current Virus total detections 16/55*
MALWR** was unable to get any payload or find any download sites. Payload Security*** shows a download of an encrypted filedatalinks .ir/g76vub8 which is transformed by the script to a working Locky binary. (Unfortunately Payload Security does not show the actual file or allow it to be downloaded in the free web version)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/8ab6baad0f126d46ddfd76c8c993cf55ea8390f45b45cc66ab881f9148c5f75d/analysis/1475037203/

** https://malwr.com/analysis/Yzk5OTE2NmIxMDlmNDIzYmE2ZjRmYWI5MjI0NmZiZTg/

*** https://www.hybrid-analysis.com/sample/8ab6baad0f126d46ddfd76c8c993cf55ea8390f45b45cc66ab881f9148c5f75d?environmentId=100
Contacted Hosts
144.76.172.200
52.24.123.95
52.85.209.134
52.33.248.56
128.241.90.219
___

Locky download and C2 locations ...
- http://blog.dynamoo.com/2016/09/locky-download-and-c2-locations-2016-09.html
28 Sep 2016 - "It's one of those day where I haven't been able to look at Lock much, but here is some analysis of download locations from my usual trusted source.
Binary download locations:
(Long list of domain names at the dynamoo URL above.)...
C2s:
176.103.56.98/apache_handler.php (PE Ivanov Vitaliy Sergeevich aka xserver.ua, Ukraine)
194.67.208.69/apache_handler.php [hostname: billy676.myihor.ru] (Marosnet, Russia)
46.8.45.169/apache_handler.php [hostname: grant.zomro.com] (Zomro, Russia)
kgijxdracnyjxh .biz/apache_handler.php [69.195.129.70] (Joe's Datacenter, US)
rluqypf .pw/apache_handler.php [86.110.118.114] (Takewyn.com, Russia)
ehkhxyvvcpk .biz/apache_handler.php [45.63.98.158] (Vultr Holdings, UK)
ufyjlxiscap .info/apache_handler.php
kdbbpmrdfnlno .pl/apache_handler.php
jlhxyspgvwcnjb .work/apache_handler.php
dceaordeoe .ru/apache_handler.php
gisydkcsxosyokkuv .work/apache_handler.php
mqlrmom .work/apache_handler.php
wfgtoxqbf .biz/apache_handler.php
ndyevynuwqe .su/apache_handler.php
vgcfwrnfrkkarc .work/apache_handler.php
Recommended blocklist:
176.103.56.98
194.67.208.69
46.8.45.169
86.110.118.114
45.63.98.158 "
___

Fake 'Neopost documents' SPAM - Locky – Odin version
- https://myonlinesecurity.co.uk/neopost-documents-0000888121970-malspam-leads-to-locky-odin-version/
28 Sep 2016 - "... Locky downloaders.. an email with the subject of 'Neopost documents' 0000888121970 coming as usual from random companies, names and email addresses with a random named zip attachment containing a WSF file...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2016/09/neopost-1024x730.png

28 September 2016: 0000888121970_statement_000088812197051.zip: Extracts to: ZQSA4705.wsf
Current Virus total detections 9/54*. MALWR** shows a download of an encrypted file from one of these locations:
http ://bigballsincowtown .com/67fgbcni?gjGmIb=KpIHjmIwkWU
http ://lucianasaliani .com/67fgbcni?gjGmIb=KpIHjmIwkWU
which is transformed by the script to aCOldXqKQqm2.dll (VirusTotal 6/57***) posts back to C&C
http ://194.67.208.69 /apache_handler.php - Payload Security[4] shows a lot more C2 connections... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/2f3768de758b536ad1e20f8f0722cf94001190c0a222bd24af2cb6e696dcfaa7/analysis/1475081527/

** https://malwr.com/analysis/Yjg1Yzg5MzQyMDEwNDIwMWE3NjM1ZWY5NTJjMzA0NGE/
Hosts
69.89.27.246
174.127.104.173
70.40.220.107
176.103.56.98
194.67.208.69

*** https://www.virustotal.com/en/file/3de5def1abc38e0f94eab65caaad1ec031b0d90fde638ea5b5572ee7f7a02d50/analysis/1475077530/

4] https://www.hybrid-analysis.com/sample/2f3768de758b536ad1e20f8f0722cf94001190c0a222bd24af2cb6e696dcfaa7?environmentId=100
Contacted Hosts
69.89.27.246
174.127.104.173
176.103.56.98
194.67.208.69
45.63.98.158
86.110.118.114
___

Something evil on 69.64.63.77
- http://blog.dynamoo.com/2016/09/something-evil-on-69646377.html
28 Sep 2016 - "This appears to be some sort of exploit kit leveraging hacked sites, for example:
[donotclick]franchidiscarpa[.]com/index.php
--> [donotclick]j8le7s5q745e[.]org/files/vip.php?id=4
You can see this EK infecting a legitimate site in this URLquery report*. The IP address appears to be a customer of ServerYou... Country: UA ...
These other domains are hosted on the same IP:
[donotclick]j8le7s5q745e .org
[donotclick]3wdev4pqfw1u .org
[donotclick]fg1238tq38le .net
All of those domains are registered to:
.. Registrant Country: RU ...
It looks like there might be a fair amount of activity to the IP at the moment, judging by the number of URLquery reports, so it might well be worth blocking."
* http://urlquery.net/report.php?id=1475082161540
77.81.224.215: https://www.virustotal.com/en/ip-address/77.81.224.215/information/

69.64.63.77: https://www.virustotal.com/en/ip-address/69.64.63.77/information/
>> https://www.virustotal.com/en/url/f146215e56a28967f291e4336031589ceba6bf5a63e77d0973816f3f44ca9a84/analysis/
___

Fake 'Clients accounts' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/clients-accounts-malspam-delivers-locky/
27 Sep 2016 - "... Locky downloaders.. an email with the subject of 'Clients accounts' coming as usual from random companies, names and email addresses with a random named zip attachment containing a wsf file... One of the emails looks like:
From: Lon Kane <Kane.84@ fixed-189-180-187-189-180-32.iusacell .net>
Date: Thu 01/09/2016 19:22
Subject:Clients accounts
Attachment: a966ea5acc18.zip
Dear monika.griffithe,
I attached the clients’ accounts for your next operation.
Please look through them and collect their data. I expect to hear from you soon.
Lon Kane
VP Finance & Controller ...

27 September 2016: a966ea5acc18.zip: Extracts to: Clients accounts 32C58E xls.wsf
Current Virus total detections 8/55*. MALWR**... Payload Security*** shows a download of an encrypted file from
techskillscenter .net/zenl0z which is transformed by the script to 2Ez76BlaytMAH.dll (VirusTotal 6/57[4]) Unusually, Payload Security describes this dll file as informative, rather than malicious, which would normally mean it has some sort of anti-analysis/sandbox protection to it... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/28b1148b3744a91bc2a0b7b611b81f440a161d419b4a815dbebc0b67f4199394/analysis/1474996887/

** https://malwr.com/analysis/YTU5OWRkMGIzN2JlNGMwNmI5MTIzYWZkYjY3MTE0MDI/
Hosts
213.205.40.169
186.202.126.199
81.169.145.224
158.69.147.88
66.85.27.250

*** https://www.hybrid-analysis.com/sample/28b1148b3744a91bc2a0b7b611b81f440a161d419b4a815dbebc0b67f4199394?environmentId=100
Contacted Hosts
173.247.251.145
5.196.200.247
94.242.55.225
86.110.118.114
69.195.129.70

4] https://www.virustotal.com/en/file/e82f509ebf314ef36d39227012e70f8e2e56015b02d84f5350bc2ae6e40418b6/analysis/1474997682/

:fear::fear: :mad:

AplusWebMaster
2016-09-29, 14:05
FYI...

Fake 'Bill' SPAM - leads to Locky
- http://blog.dynamoo.com/2016/09/malware-spam-bill-for-documents-bill.html
29 Sep 2016 - "This spam leads to Locky ransomware. The sample I have seen have no body text, but have subjects in the format:
Bill for documents 31564-29-09-2016
Bill for parcel 08388-28-09-2016
Bill for papers 657-29-09-2016

Each subject has a random number appended by the date. Attached is a RAR archive file with a name similar to Bill 657-29-09-2016.rar containing a malicious .js script which downloads...
(Many domain-names listed at the dynamoo URL above.)
The malware then phones home to the following servers:
194.67.208.69/apache_handler.php (Marosnet, Russia)
89.108.83.45/apache_handler.php (Agava, Russia)
Payload detection for the version analysed was 16/56* but there could be an updated payload by now.
Recommended blocklist:
194.67.208.69
89.108.83.45 "
* https://www.virustotal.com/en/file/b7a32686fc6560314f211388e118294ee182384b02bb723ad0cd5322e4044a00/analysis/

- https://myonlinesecurity.co.uk/bill-for-documents-57608-28-09-2016-malspam-delivers-locky-odin/
29 Sep 2016 - "... Locky downloaders with a series of blank/empty emails with the basic subject of 'Bill for documents' 57608-28-09-2016 pretending to come from no reply @ random companies, with a semi- random named .rar attachment containing a .JS file. These are using the new .Odin file extension on the encrypted files.. The MALWR report* shows contact with an attempted download of Net framework and some sort of mapping... The subjects vary with each email. They all start with 'bill' for and either documents, paper or parcel the a series of random numbers and the date, looking something like:
Bill for documents 57608-28-09-2016
Bill for papers 9341672-28-09-2016
Bill for parcel 422-29-09-2016

... One of the emails looks like:
From: no-reply@ simplyorganic .com
Date: Thu 29/09/2016 00:44
Subject: Bill for documents 57608-28-09-2016
Attachment: Bill 57608-28-09-2016.rar

Body content: totally blank

29 September 2016: Bill 57608-28-09-2016.rar: Extracts to: Bill 5100-4868433109.js
Current Virus total detections 8/53**. MALWR* shows a download of an encrypted file from one of these locations:
http ://g2cteknoloji .com/8g74crec?rnhaXNpMuW=MWIKgpzUlE which is transformed by the script to ErUxQjD1.dll
(VirusTotal 9/57***) shows C2 on http ://89.108.83.45 /apache_handler.php and also shows various other script files. Payload Security[4] shows a few other C2 servers... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://malwr.com/analysis/YmI0YzExZGVjZTcxNGJmOTllMzAxMzQ1ZWMyYWMyNWQ/
Hosts
185.26.144.135
194.67.208.69
89.108.83.45

** https://www.virustotal.com/en/file/4436ae4a8c584b3eac79cfbde57fa3ce039e111873546aa764018af430ee2097/analysis/1475114609/

*** https://www.virustotal.com/en/file/b7a32686fc6560314f211388e118294ee182384b02bb723ad0cd5322e4044a00/analysis/1475120852/

4] https://www.hybrid-analysis.com/sample/4436ae4a8c584b3eac79cfbde57fa3ce039e111873546aa764018af430ee2097?environmentId=100
Contacted Hosts
185.26.144.135
89.108.83.45
194.67.208.69
45.63.98.158
69.195.129.70
52.42.26.69
52.84.40.221
___

Fake 'Debit Card blocked' SPAM - leads to Locky
- http://blog.dynamoo.com/2016/09/malware-spam-temporarily-blocked-leads.html
29 Sep 2016 - "The attachment on this spam email leads to Locky ransomware:
From: "Ambrose Clements"
Subject: Temporarily blocked
Date: Thu, 29 Sep 2016 13:37:53 +0400
Dear [redacted]
this is to inform you that your Debit Card is temporarily blocked as there were unknown transactions made today.
We attached the scan of transactions. Please confirm whether you made these transactions.

Attached is a ZIP file with a name similar to debit_card_93765d0d7.zip containing a malicious .WSF script with a random name. These scripts (according to my source) download...
(Many domain names listed at the dynamoo URL above.)
The decoded malware then phones home to:
195.123.210.11/apache_handler.php [hostname: by-f.org] (Mobicom Ltd, Latvia)
91.200.14.93/apache_handler.php [hostname: ef4bykov.example.com] (SKS-LUGAN, Ukraine)
185.117.155.20/apache_handler.php [hostname: v-jc.pro] (Marosnet, Russia)
xpcwwlauo .pw/apache_handler.php [hostname: vjc.kz] [91.234.33.132] (FOP Sedinkin Olexandr Valeriyovuch aka thehost .ua, Ukraine)
gqackht .biz/apache_handler.php [hostname: vjc.kz] [91.234.33.132] (FOP Sedinkin Olexandr Valeriyovuch aka thehost .ua, Ukraine)
bgldptjuwwq .org/apache_handler.php
cxnlxkdkxxxt .xyz/apache_handler.php
rcahcieii .work/apache_handler.php
uxaoooxqqyuslylw .click/apache_handler.php
vwktvjgpmpntoso .su/apache_handler.php
upsoxhfqut .work/apache_handler.php
nqchuuvgldmxifjg .click/apache_handler.php
ofoclobdcpeeqw .biz/apache_handler.php
kfvigurtippypgw .pl/apache_handler.php
toescilgrgvtjcac .work/apache_handler.php
Recommended blocklist:
195.123.210.11
91.200.14.93
185.117.155.20
91.234.33.132 "

- https://myonlinesecurity.co.uk/your-debit-card-is-temporarily-blocked-malspam-delivers-locky/
29 Sep 2016 - "... Locky downloaders.. an email with the subject of 'Temporarily blocked' coming as usual from random companies, names and email addresses with a random named zip attachment containing a .WSF file... One of the emails looks like:
From: Jarvis Mason <Mason.2892@ paneltek .ca>
Date: Thu 01/09/2016 19:22
Subject: Temporarily blocked
Attachment: debit_card_4b69ba102.zip
Dear [redacted],
this is to inform you that your Debit Card is temporarily blocked as there were unknown transactions made today.
We attached the scan of transactions. Please confirm whether you made these transactions.
King regards,
Jarvis Mason
Technical Manager – Online Banking ...

1 September 2016: ea00debit_card_4b69ba102.zip: Extracts to: debit card details 92CF6066.wsf
Current Virus total detections 6/54*. Payload Security** shows a download of an encrypted file from
fhgmediaent .com/66aslu which is transformed by the script to 1lenb5SzGBo0mpu.dll (VirusTotal 10/57***)...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/115bac93955f4e84cacf6cc58cedcc01718e1c5482b162ab20766f0b2aa0e62a/analysis/1475140581/

** https://www.hybrid-analysis.com/sample/115bac93955f4e84cacf6cc58cedcc01718e1c5482b162ab20766f0b2aa0e62a?environmentId=100
Contacted Hosts
23.227.132.66
91.200.14.93
195.123.210.11
185.117.155.20
91.234.33.132

*** https://www.virustotal.com/en/file/21b075bcbd44fd4d9776d7a1d62300cab6a15ecab493f48ed843c0ee10bd4122/analysis/1475141313/
___

Fake 'Receipt' xls SPAM - Locky
- http://blog.dynamoo.com/2016/09/malware-spam-receipt-103-526-receiptxls.html
29 Sep 2016 - "This spam leads to Locky ransomware:
From rosalyn.gregory@ gmail .com
Date Thu, 29 Sep 2016 21:07:46 +0800
Subject Receipt 103-526

I cannot tell if there is any body text, however there is an -attachment- Receipt.xls which contains malicious code... that in the case of the sample I analysed downloads a binary from:
opmsk .ru/g76ub76
There will be -many- other download locations too. Automated analysis [1] [2] shows that this is Locky ransomware phoning home to:
89.108.83.45/apache_handler.php (Agava, Russia)
91.200.14.93/apache_handler.php [hostname: ef4bykov .example .com] (SKS-LUGAN, Ukraine)
xpcwwlauo .pw/apache_handler.php [hostname: vjc .kz] [91.234.33.132] (FOP Sedinkin Olexandr Valeriyovuch aka thehost .ua, Ukraine)
A malicious DLL is dropped with a detection rate of 6/57*. Malicious IPs and domains overlap quite a bit with this earlier attack**. This version of Locky encrypts files with a .odin extension...
Recommended blocklist:
89.108.83.45
91.200.14.93
91.234.33.132 "
1] https://malwr.com/analysis/ZGRhZWJjNDY0MjI3NGRjYmJmNTFlNjJjYmZhNTUyN2I/
Hosts
85.17.31.113
89.108.83.45

2] https://www.hybrid-analysis.com/sample/c2e69534f5d8f44fdd2a57eb2f881fcfa9a6f5bd043c6ee9439fd947c10cc2d8?environmentId=100
Contacted Hosts
85.17.31.113
91.200.14.93
89.108.83.45
195.123.210.11
91.234.33.132

* https://www.virustotal.com/en/file/7dcb938abd8ede86ea09f5eb36c27d10c9baf26f4ca008b1a29cfbf631f19135/analysis/1475156266/

** http://blog.dynamoo.com/2016/09/malware-spam-temporarily-blocked-leads.html
___

Fake 'New Order' SPAM - delivers Java Adwind
- https://myonlinesecurity.co.uk/new-order-claudia-schmiesing-delivers-java-adwind/
29 Sep 2016 - "We continue to see Java Adwind Trojans daily... This one is an email with the subject of 'New Order' pretending to come from Claudia Schmiesing <claudia.schmiesing@ gmx .net> with a fuzzy unclear embedded image, that has a link hidden behind it, that when-clicked downloads a zip file containing a Java.jar file. This particular version is very badly detected. Java Adwind is normally quite well detected on Virus Total...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2016/09/new-order-Claudia-Schmiesing-1024x695.png

29 September 2016: flwfbq.zip: Extracts to: ORDER.jar - Current Virus total detections 4/55*. MALWR**

This is another one of the files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/89b7c74cdcb5c2cef4d6a96995efaa8dfc5c6b38317bf7def048819f4798f814/analysis/1475172675/

** https://malwr.com/analysis/MWNkNzg3YzQ4MDQ5NDViNDkzMjUzNjZkODJlNWI3Mzg/
Hosts
23.105.131.212

:fear::fear: :mad:

AplusWebMaster
2016-09-30, 13:16
FYI...

Fake 'Receipt' SPAM - delivers Locky – Odin
- https://myonlinesecurity.co.uk/random-receipt-pretending-to-come-from-gmail-addresses-delivers-locky-odin/
30 Sep 2016 - "The Locky ransomware malware gang appear to be copying Dridex this week and going back to using word docs with embedded macros to deliver the ransomware... Locky downloaders.. a blank/empty email with the subject of 'Receipt' 45019-0740 (random numbers) pretending to come from random names at gmail .com with a random named word doc. The doc attachment name matches the subject line... One of the emails looks like:
From: chandra.har?@ gmail .com
Date: Fri 30/09/2016 10:12
Subject: Receipt 45019-0740
Attachment: Receipt 45019-0740.doc

Body content: Totally Blank/Empty

30 September 2016: Receipt 45019-0740.doc - Current Virus total detections 9/55*
.. MALWR** shows a download of an encrypted file from http ://travelinsider .com.au/021ygs7
which is transformed by the script to hupoas.dll (VirusTotal 8/57***). C2 is
http ://149.202.52.215 /apache_handler.php . Payload Security[4] shows the multiple additional C2 sites. Neither online sandbox actually show any Locky screenshots today, but Malwr clearly shows odin files in the lists... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/34fc30a2186fcdab2701153db4bc36c20d3e8cf99f18e9cad7b454cbcfa142ff/analysis/1475226679/

** https://malwr.com/analysis/ZTNmNmYwNWIxZDE2NDFiZTk0NzhkMzRjNjkxNjdmNWE/
Hosts
203.98.84.123
89.108.83.45
149.202.52.215

*** https://www.virustotal.com/en/file/74d0cc4d5412b7147256791f2d8ec00f26a109f59e802828a19c787bb3f53bda/analysis/1475227548/

4] https://www.hybrid-analysis.com/sample/34fc30a2186fcdab2701153db4bc36c20d3e8cf99f18e9cad7b454cbcfa142ff?environmentId=100
Contacted Hosts
203.98.84.123
89.108.83.45
91.200.14.93
149.202.52.215
185.43.4.143
___

Fake 'Parcel details' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/another-dhl-cannot-deliver-your-parcel-malspam-delivers-locky/
30 Sep 2016 - "... Locky downloaders.. an email pretending to be a DHL cannot deliver message with the subject of 'Parcel details' coming as usual from random companies, names and email addresses with a semi-random named zip attachment starting with DHL_parcel containing a WSF file... fake/spoofed DHL (and other delivery companies) malspam emails... One of the emails looks like:
From: DHL <Phelps.0827@ parket-ekonom .ru>
Date: Fri 30/09/2016 10:48
Subject: Parcel details
Attachment: DHL_parcel_06cda564b.zip
Dear berkeley,
We couldn’t deliver your parcel on September 30th because we couldn’t verify the given address.
Attached is the shipment label. Please print it out to take the parcel from our office.
Label-ID: acd8e33709cb62ea9825f9de779d1dfb8f6b566af6779b11928a9e053f
Best Wishes,
Reyes Phelps
DHL Express Service

30 September 2016: DHL_parcel: Extracts to: DHL parcel 25514DCA.wsf - Current Virus total detections 7/55*
.. MALWR** seems unable to decode/decrypt these very heavily obfuscated scripting files. Payload Security*** shows a download of an encrypted file from fernandoarias .org/tmlvg7el which is transformed by the script to
a working Locky file... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/5a7ce310ba4edebb31382d3d05230363867737ccd3bec5bebe27343a97689e61/analysis/1475228984/

** https://malwr.com/analysis/NTQzM2YzMmI1YTdiNDc3YzkyZDVlYzZkODA4ZmU2YjE/

*** https://www.hybrid-analysis.com/sample/5a7ce310ba4edebb31382d3d05230363867737ccd3bec5bebe27343a97689e61?environmentId=100
Contacted Hosts
91.186.0.7
52.34.245.108
52.222.157.47
52.41.235.21

:fear::fear: :mad:

AplusWebMaster
2016-10-03, 13:40
FYI...

Fake 'Scan' SPAM - leads to Locky
- http://blog.dynamoo.com/2016/10/malware-spam-scan-2016-1003-152626-sent.html
3 Oct 2016 - "This -fake- document scan leads to Locky ransomware:
From: DAMON ASHBROOK
Date: 3 October 2016 at 10:56
Subject: [Scan] 2016-1003 15:26:26
--
Sent with Genius Scan for iOS.

The name of the sender, the subject and the attachment name (in this case 2016-1003 15-26-26.xls) will vary somewhat. This Malwr analysis* shows some of the infection in action. Overall my sources tell me that the various malicious macros download...
(Long list of domain-names listed at the dynamoo URL above.)
C2 locations are:
149.202.52.215/apache_handler.php (OVH, France)
217.12.199.244/apache_handler.php (ITL, Ukraine)
logwudorlghdou .info/apache_handler.php
krmwgapkey .work/apache_handler.php
hruicryqytbmc .xyz/apache_handler.php
vswaagv .org/apache_handler.php
smskymrtssawsjb .org/apache_handler.php
wvandssbv .org/apache_handler.php
ytxsbkfjmyxglvt .click/apache_handler.php
rqybmggvssutf .xyz/apache_handler.php
qaemlwlsvqvgcmbke .click/apache_handler.php
btlyarobjohheg .ru/apache_handler.php
civjvjrjjlv .pw/apache_handler.php
xlarkvixnlelbsvxl .xyz/apache_handler.php
A DLL is dropped with a detection rate of 19/57**.
Recommended blocklist:
149.202.52.215
217.12.199.244 "
* https://malwr.com/analysis/MzdlZjhkOGE3Njk3NDRjNjhkNjFiN2I1YzIyZWZkNGI/
Hosts
69.89.29.98
149.202.52.215

** https://www.virustotal.com/en/file/8a8296877ee7c8df755204f98c5be0dad849ca74abe1b282f26314c769c1f68e/analysis/1475489696/
___

Fake 'please sign' SPAM - leads to Locky
- http://blog.dynamoo.com/2016/10/malware-spam-please-sign-leads-to-locky.html
3 Oct 2016 - "This -fake- financial spam leads to Locky ransomware:
Subject: please sign
From: Ricardo Buchanan
Date: Monday, 3 October 2016, 10:27
Hi [redacted],
I have made the paperwork you asked me to prepare two days ago.
Please check the attachment. It just needs your signature.
Best Wishes,
Ricardo Buchanan
CEO

In the only sample I have seen so far, the attachment name is paperwork_scan_7069f18e6.zip containing a malicious script paperwork scan ~1EB91.wsf plus a junk file with a single letter name... obfuscated script... appears to download Locky ransomware. Analysis is pending.
UPDATE: This Hybrid Analysis* clearly shows Locky in action. According to my sources there are no C2s..."
(Long list of domain-names at the dynamoo URL above.)
* https://www.hybrid-analysis.com/sample/2b3bfd64d9cba71141dbc927d68196252c338a5c061ae66a0536ede587633b61?environmentId=100
Contacted Hosts
65.49.80.83
165.246.165.245
52.34.245.108
52.85.184.19
63.245.215.95

- https://myonlinesecurity.co.uk/lots-and-lots-of-locky-this-monday-morning/
3 Oct 2016 - "... loads of Locky today. We are seeing multiple subjects, emails and attachments. We are seeing XLS files and the typical .wsf files inside zips... email looks like:
From: KIETH WOOLDRIDGE <kieth.wooldridge.61@ kimiabiosciences .com> (random senders)
Date: Mon 03/10/2016 08:45
Subject: [Scan] 2016-1003 12:14:45
Attachment: 2016-1003 12-14-45.xls

Sent with Genius Scan for iOS.

... (another) version is:
From: Anita Ramsey <Ramsey.663@ equestrianarts .org> (random senders)
Date: Mon 03/10/2016 09:51
Subject: please sign
Attachment: paperwork_scan_35886e2.zip extracts to paperwork scan ~D45D50C5.wsf
Hi [redacted],
I have made the paperwork you asked me to prepare two days ago.
Please check the attachment. It just needs your signature.
Best Wishes,
Anita Ramsey
Head of Corporate Relations

MALWR [1] [2] [3] | VirusTotal [4][5][6] downloads from
http ://mmm2.aaomg .com/jhg45s and http ://crossroadspd .com/jhg45s which will be converted to siluans.dll
(Virustotal 14/57*) or from ossiatzki .com/dyke9 which is converted to MMCnbLicrHhc.dll (virusTotal 14/57**)..
Payload Security***... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
1] https://malwr.com/analysis/YzBlYzNkMWU1MDU3NDEzMzhhYzJiYjZmYTI0ZWJlYmM/
Hosts
96.0.130.2
217.12.199.244

2] https://malwr.com/analysis/OWMwZTM2N2I5MzRlNDZjOGIyNTZmMTNmNmU4ZWRjZmY/
Hosts
208.71.139.66
217.12.199.244

3] https://malwr.com/analysis/NDJlYjI0Yjc4MTRjNGIxYjgzNGI5ZWVjOGJlMWJkMzE/

4] https://www.virustotal.com/en/file/656a21fecd45381a611ab2ccefaeb1e30fa0e591314bb84028659e1e6e76deb0/analysis/1475484796/

5] https://www.virustotal.com/en/file/2103272020aacf5de2d7f86c95e47f8f53db6d6529ba5327b8e003d54c1f0120/analysis/1475484485/

6] https://www.virustotal.com/en/file/75c64e65071345abd00bdad287d5d791526fc10ad0b56176617e0622afb76724/analysis/1475484779/

* https://www.virustotal.com/en/file/8a8296877ee7c8df755204f98c5be0dad849ca74abe1b282f26314c769c1f68e/analysis/1475479730/

** https://www.virustotal.com/en/file/8a8296877ee7c8df755204f98c5be0dad849ca74abe1b282f26314c769c1f68e/analysis/1475479730/

*** https://www.hybrid-analysis.com/sample/75c64e65071345abd00bdad287d5d791526fc10ad0b56176617e0622afb76724?environmentId=100
Contacted Hosts
111.221.40.34
54.218.66.17
52.85.184.121

:fear::fear: :mad:

AplusWebMaster
2016-10-04, 13:33
FYI...

Fake 'Refund' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/refund-pretending-to-come-from-random-delivery-parcel-or-postal-companies-malspam-delivers-locky/
4 Oct 2016 - "... Locky downloaders.. an email with the subject of 'Refund' pretending to come from various randomly chosen delivery, parcel or postal companies with a semi random named zip attachment starting with refund containing a WSF file... a very small portion of the several hundred received in the last few minutes, so -Any- delivery company is likely to be spoofed.
Royal Mail
PostNL
Schenker AG
Japan Post Group
FedEx
DHL
DHL Express

One of the emails looks like:
From: Royal Mail <Reynolds.21@ usacabs .com>
Date: Thu 01/09/2016 19:22
Subject: Refund
Attachment: refund_scan_a2e0a7b.zip
Dear [redacted], please submit the return form to receive the refund.
The parcel must have its original packaging. The return form is attached in this mail.
Best regards,
Elsa Reynolds
Royal Mail

4 October 2016: refund_scan_a2e0a7b.zip: Extracts to: refund scan 392CDC4.wsf
Current Virus total detections 8/54*. Payload Security** shows a download of an encrypted file from
motos13 .com/w0bmffo which is transformed by the script to a working Locky file. Unfortunately Payload Security does not show or allow download of the file in the free web version. This looks like the version with no C2 ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/1a7c6c4ffe12b91b6e7862f997ac3effd81d3287f9ce014827ca2817a80d04a5/analysis/1475567273/

** https://www.hybrid-analysis.com/sample/1a7c6c4ffe12b91b6e7862f997ac3effd81d3287f9ce014827ca2817a80d04a5?environmentId=100
Contacted Hosts
81.93.240.134
52.85.184.21
52.41.235.21
___

Fake 'Bill for parcel' SPAM - delivers Locky – Odin
- https://myonlinesecurity.co.uk/bill-for-parcel-064983-04-10-2016-malspam-delivers-locky-odin/
4 Oct 2016 - "... Locky downloaders.. a -blank- email with the subject of 'Bill for parcel' 064983-04-10-2016 pretending to come from no-reply @ random email addresses with a random named zip attachment containing a WSF file. This version of Locky with an Odin-extension is using DLL files, whereas last night’s version* used .exe files.
* https://myonlinesecurity.co.uk/surevoip-malspam-pretending-to-come-from-voicemailandfax-random-domains-delivers-locky/
The subject line will always start with 'Bill' for then it will be either 'Parcel, Document, Documents, Papers' or other similar words then a random number then today’s date... One of the emails looks like:
From: no-reply@ speroresources .com
Date: Tue 04/10/2016 08:04
Subject: Bill for parcel 064983-04-10-2016
Attachment: Bill 772-04-10-2016.zip

Body content: totally blank/empty

4 October 2016: Bill 772-04-10-2016.zip: Extracts to: Bill 3609756-04-10-2016.wsf
Current Virus total detections 6/54*. MALWR** shows a download of an encrypted file from
http ://aluvista .com/erg7cbr?QJWtIXrQ=oUDSEKIWsF which is transformed by the script to WkOUeAz1.dll
(VirusTotal 7/56***). C2 is http ://158.255.6.115 /apache_handler.php - other C2 locations are shown in the Payload Security report[4]... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/a88047c3dd88619759257367793bd518a50ad6db498d17d7678128e00800ce58/analysis/1475561395/

** https://malwr.com/analysis/ZTRlYTJiZGNiODRkNDQyMWJkMjRlZWIzNmQyM2ViMzk/
Hosts
78.46.34.83
158.255.6.115

*** https://www.virustotal.com/en/file/75ba07a1a0b915bb0f17fc5690bcf036623d3b8465c445a650589ae01db6fa9d/analysis/1475567524/

4] https://www.hybrid-analysis.com/sample/a88047c3dd88619759257367793bd518a50ad6db498d17d7678128e00800ce58?environmentId=100
Contacted Hosts
78.46.34.83
158.255.6.115
81.177.26.201
52.85.184.9
___

Fake 'Voicemail' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/surevoip-malspam-pretending-to-come-from-voicemailandfax-random-domains-delivers-locky/
3 Oct 2016 - "... Locky downloaders.. an email with the subject of 'Voicemail' from [random name] [random number] <[random number]> [random time] pretending to come from voicemailandfax@ random email addresses with a semi-random named zip attachment containing a HTA file... One of the emails looks like:
From: SureVoIP <voicemailandfax@ nexgtech .com>
Date: Mon 03/10/2016 22:22
Subject: Voicemail from Sherri metcalf 00780261644 <00780261644> 00:01:40
Attachment: msg_dbf6-d46d-0134-fb2b-92a8c040c64d.zip
Message From “Sherri metcalf 00780261644” 00780261644
Created: 2016.10.03 16:23:42
Duration: 00:01:40 ...

3 October 2016: msg_dbf6-d46d-0134-fb2b-92a8c040c64d.zip: Extracts to: 0332451600272.hta
Current Virus total detections 7/54*. Payload Security** shows a download of an encrypted file from
acaciainvest .ro/98h86f?HmaeXAiu=CQDbSkNs which is transformed by the script to xsyMCaVC1.exe
(VirusTotal 5/56***)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/9abbebeff1ca1b7b82fec591ba32ad34a3f1ef71ec4461ecfdaf4954bf3a9d9d/analysis/1475531086/

** https://www.hybrid-analysis.com/sample/9abbebeff1ca1b7b82fec591ba32ad34a3f1ef71ec4461ecfdaf4954bf3a9d9d?environmentId=100
Contacted Hosts
188.240.2.32
149.202.52.215
81.177.26.201
52.85.184.21

*** https://www.virustotal.com/en/file/baa0febcc3562a4dd5e4d7967a6296b7057a40533a0a890a4fb96e7297ef370f/analysis/1475531106/
___

Fake 'Travel Itinerary' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/travel-itinerary-from-random-airlines-delivers-locky/
3 Oct 2016 - "... Locky downloaders.. an email with the subject of 'Travel Itinerary' pretending to come from random airline companies with a semi-random named zip attachment starting with 'Travel_Itinerary' containing a WSF file... I have seen these pretend to come from just about every airline in existence. Some received include:
Asiana Airlines <Flynn.92@ dsldevice .lan>
Swiss Air Lines <Hamilton.560@ dsldevice .lan>
Lufthansa <Cardenas.4568@ sewerlinereplacementrichmond .com>
Thai Airways <Mercer.030@ airtelbroadband .in>
Singapore Airlines <Burt.5051@ nbftv .no>
Cathay Pacific <Pacheco.074@ telecomitalia .it>
Turkish Airlines <Barker.585 @sabanet .ir>
Emirates <Flores.935@ deborahkellymft .com>
Virgin Australia <Terry.46@ philipskillman .com>
Qantas Airways <Weiss.213@ ceas .com.ve>

One of the emails looks like:
From: Asiana Airlines <Flynn.92@ dsldevice .lan>
Date: Mon 03/10/2016 19:09
Subject: Travel Itinerary
Attachment: Travel_Itinerary-a884558.zip
Dear [redacted]
Thank you for flying with us! We attached the Travel Itinerary for Your booking number #3FD6F18.
See the paid amount and flight information.
Best regards,
Stephan Flynn
Asiana Airlines

3 October 2016: Travel_Itinerary-a884558.zip: Extracts to: Travel_Itinerary-4F2AD50.wsf
Current Virus total detections 5/54*. MALWR is unable to fully analyse these and get any download links or payload. Payload Security** shows a download of an encrypted file from
onlinesigortam .net/njahqfis which is transformed by the script to a working Locky file...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/30554d3f44ed96bb38ce2787b4896bb6b9103d0559446543282d29d866b228d5/analysis/1475518144/

** https://www.hybrid-analysis.com/sample/30554d3f44ed96bb38ce2787b4896bb6b9103d0559446543282d29d866b228d5?environmentId=100
Contacted Hosts
159.253.36.221
185.135.80.235
91.219.31.49
178.63.238.182
69.195.129.70
50.112.202.19
52.85.184.9

:fear::fear: :mad:

AplusWebMaster
2016-10-05, 13:11
FYI...

Fake 'Document' SPAM - leads to Locky
- http://blog.dynamoo.com/2016/10/malware-spam-document-from-leads-to.html
5 Oct 2016 - "I have only received a single sample of this spam, presumably it comes from random senders. There is no-body-text in my sample.
Subject: Document from Paige
From: Paige cuddie (Paige592035@ gmail .com)
Date: Wednesday, 5 October 2016, 9:37

In this case there was an attached file DOC-20161005-WA0002793.zip containing a malicious script... DOC-20161005-WA0002715.wsf. Automated analysis [1] [2] shows this sample downloads from:
euple .com/65rfgb?EfTazSrkG=eLKWKtL
There will be many other locations besides this. Those same reports show the malware (in this case Locky ransomware) phoning home to:
88.214.236.36 /apache_handler.php (Overoptic Systems, UK / Russia)
109.248.59.100 /apache_handler.php (Ildar Gilmutdinov aka argotel.ru, Russia)
The sample I found downloaded a legitimate binary from ciscobinary.openh264 .org/openh264-win32-v1.3.zip presumably as an anti-analysis technique.
Recommended blocklist:
88.214.236.0/23
109.248.59.0/24 "
1] https://malwr.com/analysis/MDdlZDI1NTkxZDllNDFkY2I5NDNhYmZkYjY3YzEyMWU/
Hosts
23.88.37.83
88.214.236.36

2] https://www.hybrid-analysis.com/sample/55db7c90aa39935e68f8cf3b704863e35d36cc6f9020a96d9eeaad9786382bb1?environmentId=100
Contacted Hosts
23.88.37.83
88.214.236.36
109.248.59.100
52.32.150.180
52.85.184.129
52.41.235.21
___

Fake 'complaint letter' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/complaint-letter-malspam-delivers-locky/
5 Oct 2016 - "... Locky downloaders.. an email with the subject of 'complaint letter' coming as usual from random companies, names and email addresses with a semi-random named zip attachment starting with complaint_letter_ containing a WSF file... note the misspelled/typo error in the email body, 'King regards'. We have seen that quite frequently... One of the emails looks like:
From: Roxie Davis <Davis.863@ adsl.viettel .vn>
Date: Wed 05/10/2016 10:20
Subject: complaint letter
Attachment: complaint_letter_cb9d039ea.zip
Dear [redacted], client sent a complaint letter regarding the data file you provided.
The letter is attached. Please review his concerns carefully and reply him as soon as possible.
King regards,
Roxie Davis

5 October 2016: complaint_letter_cb9d039ea.zip: complaint letter 4A683AD.wsf
Current Virus total detections 8/53*... Payload Security** shows a download of an encrypted file from
upper-classmen .com/k1hd6 which is transformed by the script to RpKwxNZ92.dll (VirusTotal 8/56***)... The basic rule is NEVER open any attachment to an email, unless you are expecting it...."
* https://www.virustotal.com/en/file/2bde1d10e7e95afda85ca2d8add32869a617cc35a0897f99ba421e80e2fa4cad/analysis/1475660416/

** https://www.hybrid-analysis.com/sample/2bde1d10e7e95afda85ca2d8add32869a617cc35a0897f99ba421e80e2fa4cad?environmentId=100
Contacted Hosts
192.138.189.69
109.248.59.100
88.214.236.36
217.12.223.78
109.248.59.164
91.219.31.49

*** https://www.virustotal.com/en/file/a04edaf748d2ee104b77d2fa397e25de733fd61a805fa1a727d49115e98e8efc/analysis/1475661773/
___

Fake 'Cancellation request' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/cancellation-request-malspam-delivers-locky/
5 Oct 2016 - "... Locky downloaders.. an email with the subject of 'Cancellation request' coming as usual from random companies, names and email addresses with a semi-random named zip attachment starting with Cancellation_Form_ containing a .JS file... One of the emails looks like:
From: Katharine Clayton <Clayton.892@ myfghinc .com>
Date: Wed 05/10/2016 19:40
Subject: Cancellation request
Attachment: Cancellation_Form_3805419.zip
Dear [redacted], to cancel the request you made on October 4th, you need to fill out the cancellation form attached in this email.
Contact us if you need further assistance.
Best regards,
Katharine Clayton
Clients Support

5 October 2016: Cancellation_Form_3805419.zip: Extracts to: Cancellation Form 4FDE6.js
Current Virus total detections 9/54*. MALWR** shows a download of an encrypted file from
http ://noisecontrols .com/dctpl4c which is transformed by the script to CSWzQT0oHGGp27m.dll
(VirusTotal 11/56***)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/e89b3ba98162dab52901cd32a9c09eed497c29cfe63a5d3bffe22bb4916105b7/analysis/1475693156/

** https://malwr.com/analysis/MGQwNDU3ZjU3YjYxNDNjYmFiNzkyY2FkODY5MWI3MjQ/
Hosts
101.100.175.250

*** https://www.virustotal.com/en/file/08ea7f6edd43aafd9bbcba6fe39b3276003b661c4d3e20ef0616909f4ac8bbcc/analysis/1475694004/

:fear::fear: :mad:

AplusWebMaster
2016-10-06, 12:35
FYI...

Fake 'Your Order' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/your-order-malspam-delivers-locky/
6 Oct 2016 - "... Locky downloader.. an email with the subject of 'Your Order' coming as usual from random companies, names and email addresses with a semi-random named zip attachment starting order_details_ containing a .JS file... One of the emails looks like:
From: Hilario Walton <Walton.571@ afirstclassmove .com>
Date: Thu 01/09/2016 19:22
Subject: Travel expense sheet
Attachment: order_details_bfa256b5.zip
Your order has been proceeded. Attached is the invoice for your order A-1376657.
Kindly keep the slip in case you would like to return or state your product’s warranty.

6 October 2016: order_details_bfa256b5.zip: Extracts to: Cancellation Form 0D582E2.js
Current Virus total detections 7/54*. MALWR** shows a download of an encrypted file from
http ://pioneerschina .com/xwks4 which is transformed by the script to Prxa55gCpc.dll (VirusTotal 12/56***)
C2 http ://217.12.223.78 /apache_handler.php... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/8e340b1b9f0244c4d4641cc0fd38b1a77e8b82fa408b86c7868bd9d44d470f41/analysis/1475741537/

** https://malwr.com/analysis/N2JhMWQ4NTYxZTA4NDRjOGJkNTMwYzQ5ZTE0NzdkOWI/share/42698fd693c448d5bb86ec016cdab8ad
Hosts
69.195.71.128
217.12.223.78

*** https://www.virustotal.com/en/file/b8a533ffb930227bbdda57b77eb1e7b4397fb98e62b2b5f418cef59809f6f404/analysis/1475742167/

- http://blog.dynamoo.com/2016/10/malware-spam-your-order-and-inevitable.html
6 Oct 2016 - "This -fake- financial spam leads to Locky ransomware:
From: Adrian Salinas
Date: 6 October 2016 at 10:13
Subject: Your Order
Your order has been proceeded. Attached is the invoice for your order A-6166964.
Kindly keep the slip in case you would like to return or state your product's warranty.

Details will change from email to email. Attached is a ZIP file with a name similar to order_details_cb9782b.zip containing a malicious obfuscated javascript file named similarly to Cancellation Form 6328B32E.js
According to my source, these various scripts then download a component...
(Many domain-names listed at the dynamoo URL above.)
The malware then phones home to the following IPs (belonging pretty much to the usual suspects):
46.8.44.105 /apache_handler.php (Netart Group / Zomro, Ukraine)
91.219.28.76 /apache_handler.php (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine)
188.120.236.21 /apache_handler.php (TheFirst-RU, Russia)
217.12.223.78 /apache_handler.php (ITL, Ukraine)
46.183.221.134 /apache_handler.php (Dataclub, Latvia) ...
Recommended blocklist:
46.8.44.105
46.183.221.128/25
91.219.28.76
188.120.236.21
217.12.223.78 "
___

Fake 'Invoice' SPAM - .doc attachment leads to Locky
- http://blog.dynamoo.com/2016/10/malware-spam-invoice-123456-12345678.html
6 Oct 2016 - "This -fake- financial spam leads to malware:
From: invoices@ [redacted] .com
Date: 6 October 2016 at 07:16
Subject: Invoice-365961-42888419-888-DE0628DA
Dear Customer,
Please find attached Invoice 42888419 for your attention.
Should you have any Invoice related queries please do not hesitate to contact either your designated Credit Controller or the Main Credit Dept. on 01635 279370.
For Pricing or other general enquiries please contact your local Sales Team.
Yours Faithfully,
Credit Dept'
### This mail has been sent from an un-monitored mailbox ###

The name of the sender and reference numbers will change from email to email. Attached is a Word document with a name in a format similar to 20161006_42888419_Invoice.doc... The sample I sent for automated analysis [1] [2] downloads some data from:
eaglemouth .org/d5436gh
... my sources (thank you, you know who you are) that there are additional download locations at:
dabihfluky .com/d5436gh
fauseandre .net/d5436gh
This particular variant of Locky ransomware uses black hat hosting for this download location rather than a -hacked- legitimate site. All these domains are hosted on the following IPs:
62.84.69.75 (FiberLink Networks, Lebanon)
85.118.45.12 (Andrexen, France) ...
(Many domain-names listed at the dynamoo URL above.) ...
A DLL is dropped with a detection rate of 13/56*.
UPDATE: I completely forgot to include the C2. D'oh.
109.248.59.164 /apache_handler.php (Netart, Russia)
Recommended blocklist:
62.84.69.75
85.118.45.12
109.248.59.164 "
1] https://malwr.com/analysis/ODUxOTJmODJiOGFiNDQyMmE1YTEyMDcwN2E5ODBmMjU/
Hosts
85.118.45.12

2] https://www.hybrid-analysis.com/sample/3d408b187f4447f10ed230d85ee772aacf9268017f756508c752f41e7456db35?environmentId=100
Contacted Hosts
62.84.69.75
109.248.59.164
52.32.150.180
54.192.203.206

* https://virustotal.com/en/file/9a443a11fa29e83884cbd38ec265fb12e134eecfac3bfa92f0a46066ce680d76/analysis/1475744035/

:fear::fear: :mad:

AplusWebMaster
2016-10-07, 12:44
FYI...

Fake 'wrong paychecks' SPAM - delivers Locky/Odin
- https://myonlinesecurity.co.uk/wrong-paychecks-malspam-delivers-locky-odin/
7 Oct 2016 - "... Locky downloader.. an email with the subject of 'wrong paychecks' coming as usual from random companies, names and email addresses with a semi-random named zip attachment starting with paychecks_ containing a .JS file... One of the emails looks like:
From: Guy Bennett <Bennett.75@ janicerich .com>
Date: Thu 06/10/2016 22:17
Subject: wrong paychecks
Attachment: paychecks_43b3b18.zip
Hey [redacted]. They send us the wrong paychecks. Attached is your paycheck arrived to my email by mistake.
Please send mine back too.
Best regards,
Guy Bennett

7 October 2016: ea00paychecks_43b3b18.zip: Extracts to: paychecks exported 5648A20E.js
Current Virus total detections 11/54*. MALWR** shows a download of an encrypted file from
http ://bdfxb .com/jp0zuso which is transformed by the script to YXljL8XPAjn.dll (VirusTotal 10/56***). Payload Security[4] shows multiple C2 and additional download locations... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/6e7156d0edea9f639e9cab9a3a3b9e6d68aa2d03c04cb71ec791b782751d43bb/analysis/1475801339/

** https://malwr.com/analysis/OTNiMTUxMTE2MDk0NDg1MGE4MGE4Nzg0OTJjN2NhMjU/
Hosts
182.92.220.92

*** https://www.virustotal.com/en/file/ad6304a559bbbed68f00bb5226a6c83802a65562ea35245f6719cce82b23966d/analysis/1475820102/

4] https://www.hybrid-analysis.com/sample/6e7156d0edea9f639e9cab9a3a3b9e6d68aa2d03c04cb71ec791b782751d43bb?environmentId=100
Contacted Hosts
31.210.120.156
185.82.217.98
185.75.46.122
185.154.13.182
95.213.179.232
69.195.129.70

:fear::fear: :mad:

AplusWebMaster
2016-10-11, 13:06
FYI...

Dridex - random subjects with cab files - SPAM
- https://myonlinesecurity.co.uk/dridex-delivered-via-random-subjects-with-cab-files/
11 Oct 2016 - "... an email with a variety of subjects along the lines of 'Form Sydnee I. Hahn' (initial word is either Form/Token/License/Certificate or other similar word followed by a name that matches the name in the body of the email, coming as usual from random companies, names and email addresses with a semi-random named cab file attachment (that matches the subject word) containing a .JS file (cab files are Microsoft specific archives (zip files) that are normally used for windows updates. Almost any unzipping tool will extract them, however windows explorer will natively extract and -autorun- any content inside a cab file if double clicked to open them. This looks like Dridex today, rather than the Locky ransomware...
Update 09.30 UTC: A second run starting with a mix of .cab files and .zip files, possibly because many mail filtering systems including Mail Scanner used on a high proportion of Linux mail servers detects and warns about .cab files by default. Some servers are set to block them automatically. This server is set to warn about potentially dangerous file extensions but not block them (to certain domains only) so I can obtain malware samples to warn/alert and submit to anti-virus companies and help protect everybody. For every cab file that I have received so far, I also got a warning message to my postmaster/admin email address. The sort of subjects we are seeing include:
Form Sydnee I. Hahn
Token Jolie T. Barrett
License Armando H. Bates
Certificate Brittany T. Beach
Archive Linda K. McLaughlin
Papers Sylvia C. Price
Agreement Dieter U. Vinson
Report David W. Rogers
Document Isaac Q. Lucas

One of the emails looks like:
From: HilariSydnee I. Hahn <rtep.springvale@ ljh .com.au>
Date: Tue 11/10/2016 08:03
Subject: Form Sydnee I. Hahn
Attachment: Form.cab
Good morning
Please review your Form.
I’m waiting for your reply
Kindest regards
Sydnee I. Hahn

An alternative body content:
Hi
Here is your Token.
Pls inform me the answer as soon as posible
Regards
Jolie T. Barrett

An alternative body content:
Greetings
Here is your License.
I’m still waiting for your answer
Cain M. Rogers

11 October 2016: Form.cab: Extracts to: 20792.tmp - Current Virus total detections 0/55*
.. MALWR** shows a download from http ://www .mobilemanager .fr/log.khp which gave me 20792.tmp (VirusTotal 6/56***)
Detections are inconclusive but Payload Security[4] indicates that this is most probably Dridex banking Trojan, However that also shows an error in running the file with an unsupported system message. That might mean that there is a fault with the Dridex binary or more likely that the Dridex malware gang have added even more protections to their malware and stopping it running when a sandbox or VM is detected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/27d11690658375556a1ac420e5dec40c1b33f58adb45019e901131826d214e0e/analysis/1476169831/

** https://malwr.com/analysis/YTFmNTQ5MmZhMGI5NDNkNTliNzYwNjdlOTYxZDc3YmE/
Hosts
217.76.132.43

*** https://www.virustotal.com/en/file/e1181a711a7771ed3f8a44537c2a0d6e161039fd4f152b43b25fd4e8f7f3389c/analysis/1476170061/

4] https://www.hybrid-analysis.com/sample/27d11690658375556a1ac420e5dec40c1b33f58adb45019e901131826d214e0e?environmentId=100
Contacted Hosts
217.76.132.43
195.154.163.166
88.213.204.147

:fear::fear: :mad:

AplusWebMaster
2016-10-12, 12:15
FYI...

Fake 'Payment - wire transfer' SPAM - delivers Java Adwind
- https://myonlinesecurity.co.uk/did-you-authorize-any-wire-transfer-to-our-account-malspam-delivers-java-adwind/
12 Oct 2016 - "... daily.. -fake- financial themed emails containing java adwind attachments...
This article[1] from a couple of years ago explains why you should remove it.
If you cannot remove it then it -must- be kept up-to-date[2] .. be extremely careful with what you download or open...
1] https://www.theguardian.com/technology/askjack/2013/feb/08/java-remove-ask-jack-technology
2] https://java.com/en/download/
... The email looks like:
From: Account <order@ coreadmin .eficaz .cl>
Date: Wed 12/10/2016 04:56
Subject: RE: Payment
Attachment: Details.zip
Hi,
Did you authorize any wire transfer to our account?
We have received an amount of USD79,948.12 from your account and we do not know what this fund is for.
We do not have any transaction with your company that we know about. So why making payment to us.
Please see the attached remittance documents and double-check with your bank.
We wait for your comment.
Best Regards,
Leo Lee,
Navkar Corporation Ltd
215 Lumpoo Road, Wadsampraya, Pranakorn
Bangkok, 10200 Thialand ...

12 October 2016: details.jar (119kb) - Current Virus total detections 5/55*. Payload Security**
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/830aaeccfa79f9cee2eded1c6d7bfb987d936776cf28f511c33086d008a419f7/analysis/1476250143/

** https://www.hybrid-analysis.com/sample/830aaeccfa79f9cee2eded1c6d7bfb987d936776cf28f511c33086d008a419f7?environmentId=100

:fear::fear: :mad:

AplusWebMaster
2016-10-13, 14:46
FYI...

WSF email attachments - latest malware delivery vehicle
- https://www.helpnetsecurity.com/2016/10/13/wsf-attachments-malware-delivery/
Oct 13, 2016 - "Most users have by now learned not to open executable (.EXE), various MS Office, RTF and PDF files delivered via -unsolicited- emails, but malware peddlers are always trying out new ways to trick users, email filters and AV software... According to Symantec*, Windows Script Files (WSFs) are the latest file types to be exploited to deliver malware via email...
> https://www.helpnetsecurity.com/images/posts/WSF_attachments.jpg
Number of blocked emails containing malicious WSF attachments by month "

Surge of email attacks using malicious WSF attachments
* https://www.symantec.com/connect/fr/blogs/surge-email-attacks-using-malicious-wsf-attachments
12 Oct. 2016 - "Symantec has seen a major increase in the number of email-based attacks using malicious Windows Script File (WSF) attachments over the past three months. Ransomware groups in particular have been employing this new tactic. In the past two weeks, Symantec has blocked a number of major campaigns distributing Locky (Ransom.Locky) which involved malicious WSF files...
Malicious WSF files have been used in a number of recent major spam campaigns spreading Locky. For example, between October 3 and 4, Symantec blocked more than 1.3 million emails bearing the subject line "Travel Itinerary." The emails purported to come from a major airline and came with an attachment that consisted of a WSF file within a .zip archive. If the WSF file was allowed to run, Locky was installed on the victim's computer...
> Tips on protecting yourself from ransomware
Regularly back up any files stored on your computer. If your computer does become infected with ransomware, your files can be restored once the malware has been removed.
Always keep your security software up to date to protect yourself against any new variants of malware.
Keep your operating system and other software updated. Software updates will frequently include patches for newly discovered security vulnerabilities that could be exploited by attackers.
Delete any suspicious-looking emails you receive, especially if they contain links or attachments.
Be extremely wary of any Microsoft Office email attachment that advises you to enable macros to view its content. Unless you are absolutely sure that this is a genuine email from a trusted source, do not enable macros and instead immediately delete the email."

:fear::fear: :mad:

AplusWebMaster
2016-10-18, 12:56
FYI...

Fake 'Final payment' SPAM - delivers malware
- https://myonlinesecurity.co.uk/final-payment-request-pretending-to-come-from-hmrc-delivers-malware/
17 Oct 2016 - "An email with the subject of 'Final payment request' pretending to come from angela.fynan@ hmrc.gsi .gov.uk <info@ websitesage60 .us> with a malicious word doc attachment is another one from the current bot runs... I do not know exactly what malware this downloads... The website that the macro inside the malicious word doc connects to is not owned or controlled by HMRC or any other part of the UK government and has been registered to be used as a malware/fraud site http ://hmrc.gsigov .co.uk using false details:
- http://whois.domaintools.com/gsigov.co.uk .. on IP 185.81.113.102 ...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2016/10/Final-payment-request_hmrc-1024x771.png

The word doc, which falsely states it was created in an earlier version of word and you 'should enable editing to view it', when opened safely pretends to be a VAT notice and surcharge liability and you need to pay £29,678:
> https://myonlinesecurity.co.uk/wp-content/uploads/2016/10/hmrc_17_oct_2017-1024x800.png

17 October 2016: 18066000010075130101.doc - Current Virus total detections 4/54*. MALWR** shows a download from
http ://hmrc.gsigov .co.uk/vat.exe (VirusTotal 4/56***). Payload Security [1] [2] ... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/17e9c084a4ded4553efca2a6eb68f483cfc2b880cd94e7f0d54c87a6d01ec574/analysis/1476717095/

** https://malwr.com/analysis/NmViZmE4MTQ0NjU0NGQ5YjgxYjJkNDUzNDBiZGU2MTg/
Hosts
185.81.113.102: https://www.virustotal.com/en/ip-address/185.81.113.102/information/
> https://www.virustotal.com/en/url/82f096cd17a5af664277503e81861d262112aa88280086f712ce25bf1ebb33a8/analysis/

*** https://www.virustotal.com/en/file/81d7053fa58811477d3c032976c95cef41721a3b9508d52fa0f87a853079d687/analysis/1476724305/

1] https://www.hybrid-analysis.com/sample/17e9c084a4ded4553efca2a6eb68f483cfc2b880cd94e7f0d54c87a6d01ec574?environmentId=100
Contacted Hosts
185.81.113.102

2] https://www.hybrid-analysis.com/sample/81d7053fa58811477d3c032976c95cef41721a3b9508d52fa0f87a853079d687?environmentId=100

:fear::fear: :mad:

AplusWebMaster
2016-10-19, 12:11
FYI...

Fake 'RE: P/O' SPAM - delivers java adwind
- https://myonlinesecurity.co.uk/re-po-malspam-delivers-java-adwind/
19 Oct 2016 - "We continue to be plagued daily by -fake- financial themed emails containing java adwind attachments... The email looks like:
From: Sales <order@ ncima-holding .ci>
Date: Tue 18/10/2016 18:28
Subject: RE: P/O
Attachment: NEW P.O.zip
Attached is the Purchase order list
please confirm so we can proceed.
Thank you.
——————————-
sent from my iPad ...

19 October 2016: New P.O.jar (273kb) - Current Virus total detections 9/56*. Payload Security**...
This is another one of the files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/cfeaaece9afcf59a87bcf8485bbd08df01085528544a258f48ba66316c0613a7/analysis/1476831444/

** https://www.hybrid-analysis.com/sample/cfeaaece9afcf59a87bcf8485bbd08df01085528544a258f48ba66316c0613a7?environmentId=100

:fear::fear: :mad:

AplusWebMaster
2016-10-20, 13:31
FYI...

Fake 'Credit Note' SPAM - delivers trickbot/dyre banking Trojan
- https://myonlinesecurity.co.uk/credit-note-cn-81553-from-nordstrom-inc-7907-malspam-delivers-trickbot-dyre-banking-trojan/
20 Oct 2016 - "... an email with the subject of 'Credit Note CN-81553 from Nordstrom Inc (7907)' pretending to come from Accounts <message-service@ post. xero .com> with a random named/numbered zip attachment containing an .scr file. The icon on this SCR file looks like an adobe PDF icon... One of the emails looks like:
From: Accounts <message-service@ post. xero .com>
Date: Thu 20/10/2016 01:21
Subject: Credit Note CN-81553 from Nordstrom Inc (7907)
Attachment:CN_81274.zip
Hi Orlando,
Attached document is your credit note CN-81553 for 508.18 AUD.
This has been allocated against invoice number.
If you have any questions, please let us know.
Thanks,
Staff Leasing Inc.

20 October 2016: CN_81274.zip: Extracts to: CN-81274.scr - Current Virus total detections 17/57*
.. Payload Security** shows a download/drop of another file RXGp0aqU55eY5AnMxB.exe.exe (VirusTotal 8/57***)
Payload Security[4] .. appears to be dyre/trickloader banking Trojan ... This is another one of the files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/a1332c9c788d29a2486e953a3f648a049b780e1398fe1f3ffc88968c7fd2a19a/analysis/1476937031/

** https://www.hybrid-analysis.com/sample/a1332c9c788d29a2486e953a3f648a049b780e1398fe1f3ffc88968c7fd2a19a?environmentId=100
Contacted Hosts
185.14.29.13
78.47.139.102
91.219.28.77

*** https://www.virustotal.com/en/file/352e9b44f3badb36770369e3b73f1787545767938db5134a297e6558281f862d/analysis/1476932944/

4] https://www.hybrid-analysis.com/sample/352e9b44f3badb36770369e3b73f1787545767938db5134a297e6558281f862d?environmentId=100
Contacted Hosts
78.47.139.102
91.219.28.77
80.79.114.179
___

Fake 'FedEx' SPAM - delivers ransomware
- https://myonlinesecurity.co.uk/fake-spoofed-fedex-unable-to-deliver-malspam-emails-continue-to-deliver-ransomware/
20 Oct 2016 - "We are seeing an uptick in the 'FedEx - unable to deliver' malspam emails this week... they are so common and I always get 1 or 2 every day.. today I am receiving quite an increase in numbers over the usual amount... With the holiday season quickly approaching and many more people shopping online, we will see a dramatic increase in these over the next few weeks and months as more people wait for their deliveries... The sort of subjects that you see with this malspam nemucod ransomware campaign which will always have random numbers include:
Delivery Notification, ID 00898050
Shipment delivery problem #0000613766
Problem with parcel shipping, ID:0000857607
Problems with item delivery, n.00000693983
Unable to deliver your item, #0000274397

One of the emails looks like:
From: FedEx Ground <wade.barry@ hosteriasanpatricio .com .ar> or FedEx 2Day A.M. <ruben.morris@ hosteriasanpatricio .com .ar>
Date: Thu 01/09/2016 19:22
Subject: Shipment delivery problem #0000613766 or Delivery Notification, ID 00898050
Attachment: FedEx_ID_0000613766.zip
Dear Customer,
We could not deliver your item.
Please, open email attachment to print shipment label.
Sincerely,
Wade Barry,
Sr. Support Agent.
Or
Dear Customer,
We could not deliver your item.
Shipment Label is attached to email.
Warm regards,
Ruben Morris,
Sr. Operation Manager.

20 October 2016: FedEx_ID_0000613766.zip: Extracts to: FedEx_ID_0000613766.doc.wsf
Current Virus total detections 25/55*: Payload Security** shows downloads of the usual multiple files from
www .industrial-automation .at/counter/?ad=17MGS22ZVQcqSyHw4VU2NvC5SL4eCPhCJb&id=LZUB9RUv-KCRW63gDdZ5mD075Y_vJ1F6feiXr_Sv5Nbbhxr8QKIPLwoOhYdjCOIqaWV65TnMZepmeok-Renqlmw1ioeBLbM8&rnd=01
(with a range from 01–04 that delivers different parts of the malware package)...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/3cb101c4aa29180cb4132c88d8764073214e7595264fb5cbe552a48b141e16f6/analysis/1476944618/

** https://www.hybrid-analysis.com/sample/3cb101c4aa29180cb4132c88d8764073214e7595264fb5cbe552a48b141e16f6?environmentId=100
Contacted Hosts
212.152.181.199
___

Fake 'ACH Payment' SPAM - delivers trickbot/dyre banking Trojan
- https://myonlinesecurity.co.uk/ach-payment-notification-malspam-delivers-trickbot-dyre-banking-trojan/
20 Oct 2016 - "... an email with the subject of 'ACH Payment Notification' pretending to come from ap_vendor_pay2@ bankofamerica .com with a random named/numbered zip attachment containing an .scr file. The icon on this SCR file looks like an adobe PDF icon... One of the emails looks like:
From: ap_vendor_pay2@ bankofamerica .com
Date: Thu 01/09/2016 19:22
Subject: ACH Payment Notification
Attachment: payment002828870.zip
LOGICEASE SOLUTIONS INC Vendor:10288253 Pay Dt: 20150903
Pay Ref Num: 2000548044
Please download and view payment document attached.
Your invoice has been processed for payment by Bank of America Corporate Accounts Payable. The following items are included in this payment:
The net amount deposited to account number ending XXXX3195
designated by you is $1019.93
IMPORTANT: AVAILABILITY OF FUNDS FOR WITHDRAWAL IS SUBJECT TO POSTING BY RECEIVING BANK (USUALLY WITHIN THREE BUSINESS DAYS)
Please do not respond to this e-mail. Should you have questions, please contact the Purchasing, Payment & Reimbursement helpline at 888.550.7486.
This message, and any attachments, is for the intended recipient’s only, may contain information that is privileged, confidential and/or proprietary and subject to important termsr. If you are not the intended recipient, please delete this message.

20 October 2016: payment002828870.zip: Extracts to: paymen1189d2028.scr . Current Virus total detections 8/56*
.. Payload Security** shows this is likely to be Trickbot/Dyre banking Trojan... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/d66ccf3ba28b5016d0683854acfefcea9330d7a92da9c001307cf11a49fb9672/analysis/1476964410/

** https://www.hybrid-analysis.com/sample/d66ccf3ba28b5016d0683854acfefcea9330d7a92da9c001307cf11a49fb9672?environmentId=100
Contacted Hosts
78.47.139.102
91.219.28.77

:fear::fear: :mad:

AplusWebMaster
2016-10-24, 15:15
FYI...

Fake 'Receipt' SPAM - leads to Locky
- http://blog.dynamoo.com/2016/10/malware-spam-fake-receipt-leads-to.html
24 Oct 2016 - "Locky ransomware activity has been quite minimal recently, but it seems to be back today. For example, spam with a format similar to the following is currently being sent out:
Date: Mon, 24 Oct 2016 16:03:30 +0530
From: christa.hazelgreave@ gmail .com
Subject: Receipt 68-508

Sender name is a randomly-generated Gmail address. Attached is a ZIP file starting with the words "Receipt" matching the subject of the email contained within is a malicious HTA file with a name similar to Receipt 90592-310743.hta. You can see some of the malicious activity in this Hybrid Analysis*...
(List of domain-names at the dynamoo URL above.)
The malware is Locky ransomware phoning home to:
109.234.35.215/linuxsucks .php (McHost.ru, Russia)
91.200.14.124/linuxsucks .php [hostname: artem.kotyuzhanskiy .example .com] [91.200.14.124] (SKS-Lugan / Vhoster, Ukraine)
185.102.136.77/linuxsucks .php [hostname: artkoty.mgn-host.ru] [185.102.136.77] (MGNHOST, Russia)
bwcfinnt .work/linuxsucks .php [208.100.26.234] (Steadfast, US) ...
Recommended blocklist:
109.234.35.0/24
91.200.14.124
185.102.136.77
208.100.26.234 "
* https://www.hybrid-analysis.com/sample/d8bbd5091053a2b9c68dda3ad3d31af3cca83b15270f3bf4a5448d56b07acc03?environmentId=100
Contacted Hosts
96.0.115.240
107.180.23.49
216.239.139.112
120.117.3.119

- https://myonlinesecurity.co.uk/blank-receipt-malspam-email-pretending-to-come-from-random-names-at-gmail-com-delivers-locky-with-a-shit-extension/
24 Oct 2016 - "... Locky downloader.. a blank/empty email with the subject of 'Receipt 00180-6477' (random numbers) pretending to come from random names at gmail .com with a semi-random named zip attachment starting with 'receipt' that matches the subject containing a random numbered wsf file starting with 'receipt'... One of the emails looks like:
From: jennie.winzer@ gmail .com
Date: Mon 24/10/2016 15:05
Subject: Receipt 00180-6477
Attachment: Receipt 00180-6477.zip

Body content: Totally blank/empty

24 October 2016: Receipt 00180-6477.zip: Extracts to: Receipt 83357-830129.wsf
Current Virus total detections 11/55*.. MALWR** shows a download of an encrypted file from
http ://beyondhorizon .net/076wc?EVgYCyg=JQHYinB which is transformed by the script to uYYRbVgee1.dll
(VirusTotal 6/57***). Payload Security[4]... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/1c2c1bd9e9d4583823f27ba8a02723903db13adf8fdd142c912c14737ce04467/analysis/1477318650/

** https://malwr.com/analysis/ZGI2ODk1MjYyNjQ4NDNlZGJkYzE4ZmZlNDhkNzA4Yzc/
Hosts
192.185.96.52

*** https://www.virustotal.com/en/file/d0c87e2b1b3e35d9e8de022213168e24484c6c911a42314d6f8c945e86ac5705/analysis/1477325610/

4] https://www.hybrid-analysis.com/sample/1c2c1bd9e9d4583823f27ba8a02723903db13adf8fdd142c912c14737ce04467?environmentId=100
Contacted Hosts
192.185.96.52
185.102.136.77
91.200.14.124
109.234.35.215
69.195.129.70
208.100.26.234
___

Fake 'Complaint letter' SPAM - leads to Locky
- http://blog.dynamoo.com/2016/10/malware-spam-complaint-letter-leads-to.html
24 Oct 2016 - "This spam leads to Locky ransomware:
From "Justine Hodge"
Date Mon, 24 Oct 2016 19:27:53 +0600
Subject Complaint letter
Dear [redacted],
Client sent a complaint letter regarding the data file you provided.
The letter is attached.
Please review his concerns carefully and reply him as soon as possible.
Best regards,
Justine Hodge

The name of the sender varies. Attached is a ZIP file with a name similar to saved_letter_e154ddcc.zip containing a malicious .JS script with a name starting with "saved letter"... scripts download...
(Long list of domain-names at the dynamoo URL above.)
The malware phones home to the following URLs:
109.234.35.215/linuxsucks .php (McHost .ru, Russia)
91.200.14.124/linuxsucks .php [hostname: artem.kotyuzhanskiy.example .com] [91.200.14.124] (SKS-Lugan / Vhoster, Ukraine)
185.102.136.77/linuxsucks .php [hostname: artkoty.mgn-host .ru] [185.102.136.77] (MGNHOST, Russia)
81.177.22.221/linuxsucks.php (Netplace, Russia)...
... Recommended blocklist:
109.234.35.0/24
91.200.14.124
185.102.136.77
81.177.22.221 "

- https://myonlinesecurity.co.uk/complaint-letter-malspam-delivers-locky-using-a-shit-extension/
24 Oct 2016 - "... Locky downloader.. an email with the subject of 'Complaint letter' coming as usual from random companies, names and email addresses with a semi-random named zip attachment starting with saved_letter containing a js file... One of the emails looks like:
From: Mia Dickerson <Dickerson.0865@ pipelinemedia .com.au>
Date: Mon 24/10/2016 12:58
Subject: Complaint letter
Attachment: saved_letter_9ff72a60.zip
Dear [redacted], Client sent a complaint letter regarding the data file you provided. The letter is attached. Please review his concerns carefully and reply him as soon as possible. Best regards, Mia Dickerson

24 October 2016: saved_letter_9ff72a60.zip: Extracts to: saved letter 9A2B8.js
Current Virus total detections 11/55*.. MALWR* shows a download of an encrypted file from
http ://gruffcrimp .com/352gr0 which is transformed by the script to RuBjy2wiCxyLGr.dll (VirusTotal 9/57***).
Payload security[4] shows the download from
adultmagstore .com/itc0h81 and the c2 from load of different servers -all- using /linuxsucks .php...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/7802a12b287a074749375dadf37a0ad8b0cdd1523a2a56648c98da97e9b6e1aa/analysis/1477310600/

** https://malwr.com/analysis/NTZkNDY3NGEzYjJhNDMzN2EyZmEyYzRiM2U1NTNiNmU/
Hosts
67.171.65.64

*** https://www.virustotal.com/en/file/ce71a69c33ab210fc4ff083539f03e38b54562249a2acda71a1faa931bf16283/analysis/1477329868/

4] https://www.hybrid-analysis.com/sample/7802a12b287a074749375dadf37a0ad8b0cdd1523a2a56648c98da97e9b6e1aa?environmentId=100
Contacted Hosts
66.154.71.36
81.177.22.221
185.102.136.77
91.200.14.124
109.234.35.215
69.195.129.70
___

Trick Bot – spread via malvertising ...
- https://blog.malwarebytes.com/threat-analysis/2016/10/trick-bot-dyrezas-successor/
Oct 24, 2016 - "... payload was spread via a malvertising campaign, involving Rig Exploit Kit:
> https://blog.malwarebytes.com/wp-content/uploads/2016/10/malvertising_chain.png
... After being deployed, Trick Bot copy itself into %APPDATA% and deletes the original sample... Trick Bot is composed of several layers. As usually, the first layer is used for the protection – it carries the encrypted payload and tries to hide it from AV software:
> https://blog.malwarebytes.com/wp-content/uploads/2016/10/schema-1.png
... Below we can see it’s decrypted form revealing the attacked online-banking systems:
> https://gist.githubusercontent.com/hasherezade/0c464f970018f509444243b67a0c5447/raw/ff782ca8fc4df7edb464d2fa5e3f9d4e665cb1de/dinj.xml
Conclusion: Trick Bot have many similarities with Dyreza, that are visible at the code design level as well as the communication protocol level. However, comparing the code of both, shows, that it has been rewritten from scratch. So far, Trick Bot does not have as many features as Dyreza bot. It may be possible, that the authors intentionally decided to make the main executable lightweight, and focus on making it dynamically expendable using downloaded modules. Another option is that it still not the final version. One thigh is sure – it is an interesting piece of work, written by professionals. Probability is very high, that it will become as popular as its predecessor."
Appendix: http://www.threatgeek.com/2016/10/trickbot-the-dyre-connection.html – analysis of the TrickBot at Threat Geek Blog
'Trickbot C2s:
188.138.1.53 :8082
27.208.131.97 :443
37.109.52.75 :443
91.219.28.77 :443
193.9.28.24 :443
37.1.209.51 :443
138.201.44.28 :443
188.116.23.98 :443
104.250.138.194 :443
46.22.211.34 :443
68.179.234.69 :443
5.12.28.0 :443
36.37.176.6 :443'
(More detail at the malwarebytes URL at the top of this post.)

:fear::fear: :mad:

AplusWebMaster
2016-10-25, 12:36
FYI...

Fake 'Budget forecast' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/budget-forecast-malspam-delivers-locky-with-a-shit-extension/
25 Oct 2016 - "... Locky downloader.. an email with the subject of 'Budget forecast' coming as usual from random companies, names and email addresses with a semi-random named zip attachment starting with 'budget' containing a vbs file that pretends to be an Excel .XLS file... One of the emails looks like:
From: Alejandra Rojas <Rojas.2910@ dsldevice .lan>
Date: Mon 24/10/2016 22:38
Subject: Budget forecast
Attachment: budget_xls_b71db945.zip
[redacted] asked me to send you the Budget forecast for next project. Please check and ask him if you are not clear with the task.

25 October 2016: budget_xls_b71db945.zip: Extracts to: budget 34A81F8A xls.vbs
Current Virus total detections 2/55*.. MALWR** shows a download of an encrypted file from
http ://fannyfuff .com/7qx9pmdt which is transformed by the script to QoTcrNU2qu051Uv0.dll (VirusTotal 21/57***).
Neither MALWR nor Payload Security[4] are showing the encrypted files... That might be due to a sandbox/ VM protection in the malware or it might not have run properly. Earlier versions yesterday [1] [2] using WSF, JS or HTA delivery methods did run fully in the online sandboxes. The vbs versions might not... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/4591f9bf7ef46157de42bbb91c6e448ae34b1ac7f5e88b40f71e2994c05508ce/analysis/1477345935/

** https://malwr.com/analysis/MjY2NmFhM2NlNDMwNDYxNDhhMWZjNmJkM2YxNGYyYzk/
Hosts
67.171.65.64
77.123.137.221
91.200.14.124
91.226.92.225
185.102.136.77
69.195.129.70

*** https://www.virustotal.com/en/file/c61172e5915cc5e6f51efff25f98f8a705acfac2a4124c159efbd508218441bb/analysis/1477378265/

4] https://www.hybrid-analysis.com/sample/4591f9bf7ef46157de42bbb91c6e448ae34b1ac7f5e88b40f71e2994c05508ce?environmentId=100
Contacted Hosts
201.238.211.140
91.226.92.225
185.102.136.77
77.123.137.221
91.200.14.124
69.195.129.70

1] https://myonlinesecurity.co.uk/complaint-letter-malspam-delivers-locky-using-a-shit-extension/

2] https://myonlinesecurity.co.uk/blank-receipt-malspam-email-pretending-to-come-from-random-names-at-gmail-com-delivers-locky-with-a-shit-extension/
___

Fake 'Scan Data' SPAM - leads to Locky
- http://blog.dynamoo.com/2016/10/malware-spam-blank-document-file-image.html
25 Oct 2016 - "Perhaps minimalist spam works better - there is currently a Locky spam run with on of the subjects 'Blank / Document / File / Image / img / IMG / Pic / Picture / Scan Data' plus a number (e.g. "Picture 4") with a ZIP file attached matching the subject (e.g. Picture 4.zip) which in turn contains a malicious Javascript... There is no body text... These automated analyses [1] [2]... show that it is Locky...
(Long list of domain-names at the dynamoo URL above.)
... The URL is appended with a random query string, e.g. ?EsIemTBBP=LHvybwFTeh
A malicious DLL is dropped with an MD5 of 7a131fff8eaf144312494988300d7dc1 and a detection rate of 4/56*. The malware then phones home to one of the following locations:
185.127.27.100/linuxsucks .php [hostname: artem.kotyuzhanskiy.example.com] (JSC "Informtehtrans", Russia)
91.200.14.124/linuxsucks .php [hostname: artem.kotyuzhanskiy.example.com] (SKS-Lugan / VHoster, Ukraine)
77.123.137.221/linuxsucks .php (Volia DataCentre, Ukraine)
... Recommended blocklist:
185.127.27.100
91.200.14.124
77.123.137.221 "
1] https://www.hybrid-analysis.com/sample/1d45cbeea0024291526b5f992de3d56f98654cc6e5e3fa13701fa36d4eb47a6b?environmentId=100
Contacted Hosts
103.247.11.115
46.105.246.22
91.200.14.124
185.127.27.100
77.123.137.221

2] https://www.hybrid-analysis.com/sample/4485e022714503f0c8e88fb6265dd32597c7acdedff614c63243ddc33a2bbf80?environmentId=100
Contacted Hosts
203.190.54.3
91.200.14.124
77.123.137.221
185.127.27.100

* https://virustotal.com/en/file/5948ceff8012d80f9b2dcef7316aa94d3a171d309c78e6b021b6af6928f16a0d/analysis/1477405965/

- https://myonlinesecurity.co.uk/blank-image-picture-doc-malspam-delivers-locky/
25 Oct 2016 - "... Locky downloader... a blank empty email with a variety of subjects like scan, image, pic, doc etc. pretending to come form random names at Gmail .com with a zip attachment that matches the subject containing a js file... Some of the subjects seen include:
Image 249
Blank 962
Document 7
Pic 3
Scan Data 405
Picture 125
File 11
Doc 74
img 7

One of the emails looks like:
From: HUGH HALVERSON <hughhalverson94@ gmail .com>
Date: Tue 25/10/2016 14:47
Subject: Image 249
Attachment: Image 249.zip

Body content: totally empty/blank

25 October 2016: Image 249.zip: Extracts to: Pic 767.js - Current Virus total detections 9/54*
.. MALWR** shows a download of an encrypted file from
http ://rajashekharkubasad .com/g76dbf?ettSsUhngke=NlfFMTpqoQa which is transformed by the script to WgNUiSSFP1.dll (VirusTotal 3/56***). Payload Security[4] shows this version is using .thor extension for the encrypted files... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/6018c7425c70fc746f2170b989846eeb7f0839f7d5363393cca623288c099616/analysis/1477403985/

** https://malwr.com/analysis/NDRiZTdiZmRhMjBjNGYzZmIzN2QzNzk3N2U0YzEyMjc/
Hosts
43.225.54.151

*** https://www.virustotal.com/en/file/5948ceff8012d80f9b2dcef7316aa94d3a171d309c78e6b021b6af6928f16a0d/analysis/1477405261/

4] https://www.hybrid-analysis.com/sample/6018c7425c70fc746f2170b989846eeb7f0839f7d5363393cca623288c099616?environmentId=100
Contacted Hosts
43.225.54.151
185.127.27.100
77.123.137.221
91.200.14.124
___

Fake 'Wrong model' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/wrong-model-malspam-delivers-locky/
25 Oct 2016 - "... Locky downloader... an email with the subject of 'Wrong model' coming as usual from random companies, names and email addresses with a semi random named zip attachment starting with fixed_invoice containing a vbs file... One of the emails looks like:
From: Randal Burks <Burks.3744@ pocketgreens .com>
Date: Tue 25/10/2016 19:45
Subject: Wrong model
Attachment: fixed_invoice_74957728.zip
We apologize for sending the wrong model of the product yesterday. Attached is the new invoice for your product No. 31066460.

25 October 2016: fixed_invoice_74957728.zip: Extracts to: fixed invoice 8A3254C.vbs
Current Virus total detections 6/54*. MALWR** shows a download of an encrypted file from
http ://idesjot .net/3ab4af which is transformed by the script to B0HRoIuyMVXc7V.dll (VirusTotal 13/57***)...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/5d4638e8fe72d9aa0cd9de9de2dec621ff8036632085383f06216bbf86144a43/analysis/1477421251/

** https://malwr.com/analysis/YjQyNWRmYTEyMWE2NGRjYzkzYjY4ZTc2YjI5MzgxMzA/
Hosts
67.171.65.64

*** https://www.virustotal.com/en/file/92288d1b91f442f24e2c7ac83944c5a76f980f6441f443818c51cbc250350fd6/analysis/1477421558/
___

Another Day, Another Spam...
- https://isc.sans.edu/diary.html?storyid=21635
2016-10-25 - "... attackers have always new ideas to deliver their malicious content to us... Attached to this mail, a malicious ZIP file with a .pif file inside. The file is in fact a PE file (MD5: 2aa0d2ae9f8492e2b4acda1270616393). The hash was unknown to VT but once uploaded, it was reported as a very old worm, nothing very malicious... The second example was received by one of our readers is a -fake- SharePoint notification:
> https://isc.sans.edu/diaryimages/images/sharepoint-spam.png
The link points to hxxp ://thekchencholing .org/.https/www/sharepoint.com/sites/shareddocument/SitePages/Home.aspx/index.php?wreply=YW5keS5nZXJhZXJ0c0BjZWdla2EuYmUN (the site has been cleaned up in the meantime). SharePoint is a common Microsoft tool used in big organizations and people could be lured by this kind of message. Most spam campaigns are easy to detect but some messages, when properly redacted, may lure the victim easily. We are never far from an unfortunate click. Stay safe!.."

thekchencholing .org: 180.210.205.66: https://www.virustotal.com/en/ip-address/180.210.205.66/information/
>> https://www.virustotal.com/en/url/c18105e1416e2551a8d2fba08858afaaff7dda425e1c8c5b4053a16d7e89b208/analysis/

:fear::fear: :mad:

AplusWebMaster
2016-10-26, 15:51
FYI...

Fake 'Help Desk' SPAM - leads to Adwind
- http://blog.dynamoo.com/2016/10/malware-spam-western-union-help-desk.html
26 Oct 2016 - "Just by way of a change, here's some -malspam- that doesn't lead to Locky:

Screenshot: https://3.bp.blogspot.com/-dlvhqYrMCTU/WBCRzjJrt_I/AAAAAAAAI-A/2MJ_OrwDeXYquGIY5GqH5FqLaQEkRlp7wCLcB/s1600/wu.png

In this case, the link in the email goes to:
linamhost .com/host/Western_Union_Agent_Statement_and_summary_pdf.jar
This is a Java file - if you don't have Java installed on your PC (and why would you want this 1990s relic anyway?) then it -won't- run. VirusTotal* identifies it as the Adwind Backdoor**. The Malwr report[3] shows it attempting to contact:
boscpakloka .myvnc .com [158.69.56.128] (OVH, US)
A whole bunch of components are downloaded and frankly I haven't had time to look, but it shares characteristics with the one reported at Malware-Traffic-Analysis[4]. Check the Dropped Files section of the Malwr Report[3] for more. Personally, I recommend blocking -all- dynamic DNS domains such as myvnc .com in corporate environments. At the very least I recommend blocking 158.69.56.128."
* https://virustotal.com/en/file/51d0f63e2d215ab1e4240468b8a518412472dc90ed24fffb8e5cf1e7aa75ede2/analysis/1477480451/

** https://www.f-secure.com/v-descs/backdoor_java_adwind.shtml

3] https://malwr.com/analysis/ZGJmZTZmODg1Y2IxNGY1ODlkZmUxNmYzMTdmNjg2MDE/
Hosts
158.69.56.128: https://www.virustotal.com/en/ip-address/158.69.56.128/information/
>> https://www.virustotal.com/en/url/5fd78ba19e032c82c193f7dfb6214a7f9d3a6638febb06463f2dc498fd20e69c/analysis/

4] http://www.malware-traffic-analysis.net/2016/10/23/index2.html

myvnc .com: 8.23.224.108: https://www.virustotal.com/en/ip-address/8.23.224.108/information/
>> https://www.virustotal.com/en/url/a555b9bd84b98c57685e74ee539c510ac06174239692add1fce57478f4e01802/analysis/
___

Fake 'Your order' SPAM - leads to Locky
- http://blog.dynamoo.com/2016/10/malware-spam-your-order-has-been.html
26 Oct 2016 - "This curiously worded spam email leads to Locky ransomware:
Subject: Your order has been proceeded
From: Elijah Farrell
Date: Wednesday, 26 October 2016, 12:41
Your order has been proceeded.
Attached is the invoice for your order 2026326638.
Kindly keep the slip in case you would like to return or state your product's warranty.

The name of the sender is randomly generated, as is the reference number. Attached is a ZIP file beginning with "order_details_" plus a random sequence, containing a malicious .VBS script with a similar name. The various scripts download a component... (thank you to my usual source for this)
(Long list of domain-names at the dynamoo URL above.)
The downloaded binary then phones home to:
78.46.170.94/linuxsucks .php [hostname: k-42 .ru] (Corem, Russia / Hetzner, Germany)
95.46.98.25/linuxsucks .php [hostname: 97623-vds-artem.kotyuzhanskiy.gmhost .hosting] (Mulgin Alexander Sergeevich aka GMHost, Ukraine)
91.226.92.225/linuxsucks .php [hostname: weblinks-3424 .ru] (Sobis, Russia)
It also tries to phone home...
Recommended blocklist:
78.46.170.64/27
95.46.98.0/23
91.226.92.225 "

- https://myonlinesecurity.co.uk/your-order-has-been-proceeded-malspam-delivers-locky/
26 Oct 2016 - "... Locky downloader.. which is running concurrently with THIS[1] is an email with the subject of 'Your order has been proceeded' coming as usual from random companies, names and email addresses with a semi-random named zip attachment starting with order_details containing a vbs file... typical subject line is 'Your order has been processed' -not- 'Your order has been proceeded'...
1] https://myonlinesecurity.co.uk/invoice-350797-93872806-090-9b5248a-malspam-delivers-locky/
... One of the emails looks like:
From: Alex Gonzalez <Gonzalez.46337@ solardelaluna .com>
Date: Wed 26/10/2016 12:35
Subject: Your order has been proceeded
Attachment: order_details_56f220432.zip
Your order has been proceeded. Attached is the invoice for your order 9563076204. Kindly keep the slip in case you would like to return or state your product’s warranty.

26 October 2016: order_details_56f220432.zip: Extracts to: order details 144BAA.vbs
Current Virus total detections 6/54*. MALWR** shows a download of an encrypted file from
http ://hankookm.com/lun77kyf which is transformed by the script to q3SAQ4aZNZ0p.dll ...
C2 are http ://95.46.98.25 /linuxsucks.php and http ://umjjvccteg .biz/linuxsucks.php
Payload Security[3] shows several others as well... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/7ac05a684a3ea68c5b27164609e41d093e5a46447d26a96347223f43ab2f1ab4/analysis/1477482479/

** https://malwr.com/analysis/NzE2YWY2YTkyNDczNDNhMmE3NmE3ZWRjYjkyMTBlNzE/
Hosts
101.79.129.33
95.46.98.25
78.46.170.94
91.226.92.225
69.195.129.70

3] https://www.hybrid-analysis.com/sample/7ac05a684a3ea68c5b27164609e41d093e5a46447d26a96347223f43ab2f1ab4?environmentId=100
Contacted Hosts
173.254.70.156
95.46.98.25
91.226.92.225
78.46.170.94
___

Fake 'Invoice' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/invoice-350797-93872806-090-9b5248a-malspam-delivers-locky/
26 Oct 2016 - "... Locky downloader.. an email with the subject of 'Invoice-350797-93872806-090-9B5248A' (random numbers) pretending to come from invoice@ random companies and email addresses with a random numbered invoice zip attachment containing a jse file... One of the emails looks like:
From: invoices@ greyport .net
Date: Wed 26/10/2016 12:35
Subject: Invoice-350797-93872806-090-9B5248A
Attachment: 20161026_93872806_Invoice.zip
Dear Customer,
Please find attached Invoice 93872806 for your attention.
Should you have any Invoice related queries please do not hesitate to contact either your designated Credit Controller or the Main Credit Dept. on 01635 279370.
For Pricing or other general enquiries please contact your local Sales Team.
Yours Faithfully,
Credit Dept’ ...

26 October 2016: 20161026_93872806_Invoice.zip: Extracts to: 167402123_Invoice.jse
Current Virus total detections 7/55*. MALWR was unable to show any connections or downloads. Payload Security** shows a download of an encrypted file from
glyderm .com.ph/t76f3g?awKAvfeuvvV=PyooUmcME but doesn’t show or allow download of the actual Locky binary... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/a7aae98937f75698b4b0183a57c152034a085c383fa75460d8322abaae14e889/analysis/1477481832/

** https://www.hybrid-analysis.com/sample/a7aae98937f75698b4b0183a57c152034a085c383fa75460d8322abaae14e889?environmentId=100
Contacted Hosts
162.214.20.198
91.200.14.124
144.76.177.194
185.127.27.100
69.195.129.70
52.32.150.180
54.230.197.227
___

WhatsApp in-the-wild scams
- https://blog.malwarebytes.com/cybercrime/2016/10/uk-whatsapp-users-warned-of-latest-in-the-wild-scam/
Oct 26, 2916

Other related post(s):
WhatsApp Elegant Gold Hits the Digital Catwalk
> https://blog.malwarebytes.com/cybercrime/2015/07/whatsapp-elegant-gold-hits-the-digital-catwalk/
Don’t Get Stuck on WhatsApp Stickers…
> https://blog.malwarebytes.com/cybercrime/2015/09/dont-get-stuck-on-whatsapp-stickers/
Scams, PUPs Target Would-be WhatsApp Voice Users
> https://blog.malwarebytes.com/cybercrime/2015/03/scams-pups-target-would-be-whatsapp-voice-users/
WhatsApp Hack Promises Messages, Delivers PUPs
> https://blog.malwarebytes.com/cybercrime/2014/02/whatsapp-hack-promises-messages-delivers-pups/
WhatsApp Spam Campaign Leads to Malware
> https://blog.malwarebytes.com/cybercrime/2014/02/whatsapp-spam-campaign-leads-to-malware/

:fear::fear: :mad:

AplusWebMaster
2016-10-27, 12:37
FYI...

Fake 'Bill overdue' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/bill-overdue-fake-telephone-bill-malspam-delivers-locky-thor-version/
27 Oct 2016 - "... Locky downloader... an email with the subject of 'Bill overdue' coming as usual from random companies, names and email addresses with a semi-random named zip attachment starting with detailed_bill containing a vbs file... One of the emails looks like:
From: Edmund Parks <Parks.390@ airtelbroadband .in>
Date: Thu 27/10/2016 09:11
Subject: Bill overdue
Attachment: detailed_bill_251752d.zip
This is from the Telephone Company to remind you that your bill is overdue. Please see the attached bill for the fine charge.

27 October 2016: detailed_bill_251752d.zip: Extracts to: detailed bill 1C938E2.vbs
Current Virus total detections 7/55*. MALWR** shows a download of an encrypted file from
http ://tahradeep .com/1tuqd which is transformed by the script to yNBjdb1LZklImF.dll (VirusTotal 11/57***).
C2 are http ://83.217.11.193 /linuxsucks.php | http ://91.201.42.24 /linuxsucks.php
Payload Security[4] shows a few different download locations for the encrypted files but no C2... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/d34506c4df6e8e6d832cf02f13a75e4e7c777b54e7d14a6157592ce2ecee7002/analysis/1477556155/

** https://malwr.com/analysis/ZTE3YTBhYzBhN2M4NDI5NmI2MjVhZTE0YWZiMmM2ODU/
Hosts
67.171.65.64
91.201.42.24
83.217.11.193

*** https://www.virustotal.com/en/file/b15c8626ac50030a3bf9899fa293d49bd20d270f55db9d23ce3ec6a5c8d4f6a5/analysis/1477557085/

4] https://www.hybrid-analysis.com/sample/d34506c4df6e8e6d832cf02f13a75e4e7c777b54e7d14a6157592ce2ecee7002?environmentId=100
Contacted Hosts
67.171.65.64
119.29.37.110
122.114.89.157

- http://blog.dynamoo.com/2016/10/malware-spam-this-is-from-telephone.html
27 Oct 2016 - "This -fake- financial spam leads to Locky ransomware:
Subject: Bill overdue
From: Alexandria Maxwell
Date: Thursday, 27 October 2016, 9:35
This is from the Telephone Company to remind you that your bill is overdue.
Please see the attached bill for the fine charge.

The sender name varies. Attached is a ZIP file which in the sample I saw was named detailed_bill_a9ec14342.zip containing a malicious script... detailed bill C43A9.vbs. The Malwr Report* and Hybrid Analysis** for that script shows behaviour consistent with Locky ransomware, and my sources (thank you) tell me that the various scripts download...
(Long list of domain-names at the dynamoo URL above.)
... A DLL is dropped with a detection rate of 11/56***, and the malware then phones home to:
91.201.42.24/linuxsucks.php (RuWeb LLC, Russia)
83.217.11.193/linuxsucks.php [hostname: artkoty.fortest .website] (Park-Web Ltd, Russia)
91.230.211.150/linuxsucks.php [hostname: tarasik.freeopti .ru] (Optibit LLC, Russia)
Recommended blocklist:
91.201.42.24
83.217.11.193
91.230.211.150 "

* https://malwr.com/analysis/OWUyNjBhNjhjMDk1NGZlNzg3OGJlMWZkNDI0YTNmMDM/
Hosts
92.53.96.20
91.201.42.24
83.217.11.193

** https://www.hybrid-analysis.com/sample/a1e351acf6d8d5e8c6c77056db06a3390dcc38ac5e980bfc8763f9bf270c6eaf?environmentId=100
Contacted Hosts
67.171.65.64
83.217.11.193
91.230.211.150
91.201.42.24

*** https://virustotal.com/en/file/f81df93d41b76ab8ab7a8ffc3d7d82401ff16a838265c78c1b7f5972a74e5e9e/analysis/1477560896/
___

Fake 'Account Reactivation' SPAM - delivers java adwind
- https://myonlinesecurity.co.uk/account-reactivation-western-union-malspam-delivers-java-adwind/
27 Oct 2016 - "... -fake- financial themed emails containing java adwind attachments... The email looks like:
From: Npc@ westernunion .com <accounts@ petnet .com .ph>
Date: Thu 27/10/2016 04:56
Subject: Account Reactivation
Attachment: Account Reactivation.zip
Dear Agent,
Our security team has detected a hacking attempt on your account /Terminal . Luckily, the attempt has been blocked and the account/ terminal has been suspended with no financial loss.
Now in order to reactivate the account and avoid the recurrence of such incident, we strongly recommend that you follow the reactivation process attached and share the outcome with our security team copied.
Let us know if you have any questions.
Kind regards,
Zineb Abdouss
Sr. Regional Operations Specialist, North, and Western Asia
Western Union
7th floor, shore 13
1100 Boulevard Al Qods-Quartier Sidi Maarouf
20270 Casablanca – Morocco ...

27 October 2016: Account Reactivation manual.jar (119kb) - Current Virus total detections 22/56*. MALWR**...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/dd77c71029f128b2af21de543aa88580e80f0416a10aeddf707c92ea4e949fa5/analysis/1477547372/

** https://malwr.com/analysis/ZjI2YTVjODZlMzc2NDU4Y2IxOGZkZDNlMjZmZGM3MzM/
Hosts
216.107.152.224
___

Fake 'Order Details' SPAM - delivers malware
- https://myonlinesecurity.co.uk/james-correy-re-order-details-delivers-malware-via-malicious-office-docs/
27 Oct 2016 - "An email with the subject of 'Re: Order Details' pretending to come from James Correy <jamescorrey@ gmail .com> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...
Update: I am reliably informed it is a pony dropper with the pony binary embedded inside the word doc using
http ://www .octpendant .org.in/chixthree-18oct-18nov/gate.php

27 October 2016: BL-06038711.DOC - Current Virus total detections 11/54*... a manual analysis of the macro enabled doc shows a connection to http ://travelinsider .com.au/021ygs7 which currently gives a php error... opens in Microsoft word with a message to 'enable editing to see content'... Payload Security** does show an informative download of an .exe file JF.cm d which VirusTotal 15/56*** detects...
> https://myonlinesecurity.co.uk/wp-content/uploads/2016/10/media-dynamic-content-plugin-missing-1-1024x306.png

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2016/10/james-correy-order-detail-1024x621.png

... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/a94b7a584177c0ecb52fdbf6c88ec0cc7db68f6d30c2388a0e3315cfa75bbeaf/analysis/1477547380/

** https://www.hybrid-analysis.com/sample/a94b7a584177c0ecb52fdbf6c88ec0cc7db68f6d30c2388a0e3315cfa75bbeaf?environmentId=100

*** https://www.virustotal.com/en/file/baa3db070e5159a667142ab3455804c3d2cabfda09dbbb350a9d9dcb89315c00/analysis/1477548223/
___

Fake 'E-TICKET' SPAM - leads to Locky
- http://blog.dynamoo.com/2016/10/malware-spam-e-ticket-41648-leads-to.html
27 Oct 2016 - "More Locky ransomware today..
From "Matthew standaloft"
Date Thu, 27 Oct 2016 15:20:27 +0530
Subject E-TICKET 41648
Dear Sir ,
Please find the attached E-ticket as per your requested.
Thanks & Regards ,
Matthew standaloft

Attached is a ZIP file containing a randonly-named .WSF script, downloading more evil... (according to my usual source):
(Long list of domain-names at the dynamoo URL above.)
... This drops a malicious DLL with a detection rate of 9/56*. The following C2 servers are contacts:
83.217.11.193/linuxsucks .php [hostname: artkoty.fortest .website] (Park-Web Ltd, Russia)
91.201.202.12/linuxsucks .php (FLP Anoprienko Artem Arkadevich aka host-ua .com, Ukraine)
213.159.214.86/linuxsucks .php (JSC Server, Russia)
Recommeded blocklist (also see this other spam run** today):
83.217.11.193
91.201.202.12
213.159.214.86 "
* https://www.virustotal.com/en/file/f195f0da0a35eaffac0eb1865f455b3c05dcc06ed07b7dc47b57068798328277/analysis/

** http://blog.dynamoo.com/2016/10/malware-spam-this-is-from-telephone.html

- https://myonlinesecurity.co.uk/e-ticket-malspam-delivers-locky-thor-version/
27 Oct 2016 - "... Locky downloader... an email with the subject of 'E-TICKET 0385' (random numbers) coming as usual from random companies, names and email addresses with a semi-random numbered zip attachment that matches the subject number containing a random numbered wsf file... One of the emails looks like:
From: Jacqueline lewis <Jacqueline.lewis022@ pro-youthrodeo .org>
Date: Thu 01/09/2016 19:22
Subject: E-TICKET 0385
Attachment: 0385.zip
Dear Sir ,
Please find the attached E-ticket as per your requested.
Thanks & Regards ,
Jacqueline lewis

27 October 2016: 0385.zip: Extracts to: 8910682.wsf - Current Virus total detections 9/55*
MALWR** shows a download of an encrypted file from http ://139.162.29.193 /g67eihnrv?mieVBwvCQ=ExHBtOmHHgv
which is transformed by the script to mujVqbry1.dll (VirusTotal 9/56***). C2 is:
http ://83.217.11.193 /linuxsucks.php
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/a29904be0bf177371a833326ff90c16a571e0abcba0748655f8bc38aa223b021/analysis/1477560672/

** https://malwr.com/analysis/NGVmYjM5ZjlhOWJhNGVlMzhhNDg3MjQyZTI2YWRlM2U/
Hosts
139.162.29.193
83.217.11.193

*** https://www.virustotal.com/en/file/f195f0da0a35eaffac0eb1865f455b3c05dcc06ed07b7dc47b57068798328277/analysis/1477559703/
___

Fake 'Receipt' SPAM - delivers locky
- https://myonlinesecurity.co.uk/blank-email-receipt-malspam-delivers-locky-thor-version/
27 Oct 2016 - "... Locky downloader... a -blank- email with the subject of 'Receipt' 1578-92517 (random numbers) once again pretending to come from random names at Gmail .com with a semi-random named/numbered zip attachment matching the subject line containing a WSF file... One of the emails looks like:
From: ashley.baring@ gmail .com
Date: Thu 27/10/2016 15:15
Subject: Receipt 1578-92517
Attachment: Receipt 1578-92517.zip

Body content: completely blank/empty

27 October 2016: Receipt 1578-92517.zip: Extracts to: Receipt 89598-1810311.wsf
Current Virus total detections 13/55*. MALWR** shows a download of an encrypted file from
http ://www .acclaimenvironmental .co.uk/g67eihnrv?TCwKroMse=uwIrKcwhz which is transformed by the script to TQTOMcCTi1.dll (VirusTotal 7/57***). C2 http ://83.217.11.193 /linuxsucks.php. Payload Security[4] shows additional C2 locations... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/660a7cb74634e747b90f7f0b9577419b5d6b7d9f4a6abfc60db7b2239e5119eb/analysis/1477578664/

** https://malwr.com/analysis/ODdmMTZjNzk5OWM1NDRjMWFlNjViMjNmM2YwNTlhZWY/
Hosts
89.145.76.9
83.217.11.193

*** https://www.virustotal.com/en/file/021765c87962d63139b33213a72051b44c6b0b7223da76b97ce9cb22c50f63bc/analysis/1477579336/

4] https://www.hybrid-analysis.com/sample/660a7cb74634e747b90f7f0b9577419b5d6b7d9f4a6abfc60db7b2239e5119eb?environmentId=100
Contacted Hosts
89.145.76.9
213.159.214.86
83.217.11.193
91.201.202.12
192.42.116.41
52.32.150.180
54.192.11.30

:fear::fear: :mad:

AplusWebMaster
2016-10-28, 14:29
FYI...

Fake 'New fax received' SPAM - delivers Trickbot banking trojan
- https://myonlinesecurity.co.uk/important-new-fax-received-malspam-delivers-trickbot-banking-trojan/
28 Oct 2016 - "... unusual email with the subject of 'Important – New fax received' pretending to come from Administrator <Administrator@ internalfax .net> or Administrator <Administrator@ internalfax .com> with either a malicious word doc attachment or a zip file containing a .js file which downloads Trickbot banking Trojan...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2016/10/Important-New-fax-received-1024x545.png

Both emails pass all validation checks, SPF & DKIM so blow past spam filters and -both- domains are newly registered -today- with the sole aim of spreading malware. Domains are both registered by and hosted by Godaddy..

28 October 2016: InternalFax.js - Current Virus total detections 3/55*. MALWR** shows a download from
http ://www .tessaban .com/admin/images/jsjsjsihfsdkq.png which of course is -not- a png but a renamed .exe file. The JavaScript -renames- it to vQjiLVqR.exe and autoruns it. (VirusTotal 26/56***). Payload Security[4] was unable to contact any download sites or download the malware...

28 October 2016: InternalFax.doc - VirusTotal 2/52[5] | Payload Security[6] shows a download from
futuras.comdodocdoddus .exe which is -renamed- to 10575.exe and autorun by the macro in the word doc
(VirusTotal 8/56[7]) MALWR[8] shows the downloads from either
http ://futuras .com/dodocdoddus.exe or http ://fax-download .com/lindoc1.exe
(fax-download .com registered -yesterday- 27 October 2016 and hosted on 23.95.37.89 host.colocrossing .com)...
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."

futuras .com: 203.199.134.21: https://www.virustotal.com/en/ip-address/203.199.134.21/information/
>> https://www.virustotal.com/en/url/e313f9947829a98e1effa6b72a32750ffa9b18d905940887243514a5c72471fe/analysis/

23.95.37.89: https://www.virustotal.com/en/ip-address/23.95.37.89/information/
>> https://www.virustotal.com/en/url/9bc3e88dd692047bedf0394b318cc9e83e891319d1ca3c32c203c7117ad0d8cd/analysis/

* https://www.virustotal.com/en/file/549ff50ccc5636d99059651ddd5f3b61d397993a0edf30f06e6d70af6016788a/analysis/1477673159/

** https://malwr.com/analysis/Y2FhZTg2YWU3OTBkNGVjYmE5NzJjYzIyYjM1NmUxNzQ/
Hosts
61.19.247.54
78.47.139.102
91.219.28.77
8.254.207.62
193.9.28.24
37.1.209.51
138.201.44.28
188.116.23.98
104.250.138.194
80.79.114.179

*** https://www.virustotal.com/en/file/7affc9ec43629fe57f1d1fd3b3c59429c785e73b0519973b0bfa1b4fb260a96d/analysis/1477671917/

4] https://www.hybrid-analysis.com/sample/549ff50ccc5636d99059651ddd5f3b61d397993a0edf30f06e6d70af6016788a?environmentId=100
Contacted Hosts
61.19.247.54
78.47.139.102
91.219.28.77
80.79.114.179
193.124.177.117

5] https://www.virustotal.com/en/file/f1be2922e7c17559d76410022ba6c1af3b2bc3750e9026fbbbfe7fcaa2f65ff1/analysis/1477672660/

6] https://www.hybrid-analysis.com/sample/f1be2922e7c17559d76410022ba6c1af3b2bc3750e9026fbbbfe7fcaa2f65ff1?environmentId=100
Contacted Hosts
23.95.37.89
78.47.139.102
91.219.28.77
80.79.114.179
193.124.177.117

7] https://www.virustotal.com/en/file/005b4ed1a002fd9f05154721eebe8859d0813687db30cc64be14e18c23e5b444/analysis/1477674272/

8] https://malwr.com/analysis/YjUwYzA0OGEyMmU0NGMzMDhmNzM5NzE0ZmVhODZhNmI/
Hosts
210.16.101.168
203.199.134.21
78.47.139.102
54.243.70.107
64.182.208.184
64.182.208.182
64.182.208.181
64.182.208.183
66.171.248.178
188.40.53.51
91.219.28.77
193.9.28.24
___

Fake 'Payment history' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/payment-history-malspam-delivers-locky-thor-version/
28 Oct 2016 - "... Locky downloader... an email with the subject of 'Payment history' coming as usual from random companies, names and email addresses with a semi-random named zip attachment starting with payment_history containing a VBS file... This is very similar to last night’s Locky malspam[1] where the download is an actual executable file, not an encrypted file needing decoding, although called a txt file. The VBS just renames it to the dll name...
1] https://myonlinesecurity.co.uk/please-review-malspam-delivers-locky-thor-version/
One of the emails looks like:
From: Lionel Hall <Hall.748@ nrjleman .com>
Date: Fri 28/10/2016 09:58
Subject: Payment history
Attachment: payment_history_64b96be.zip
The payment history for the first week of October 2016 is attached as you requested. Please review it and let us know if you have any question.

28 October 2016: payment_history_64b96be.zip: Extracts to: payment history EE5B8 PDF.vbs
Current Virus total detections 8/54*. MALWR** shows a download of a file from
http ://92hanju .com /utl41nrt which is renamed by the script to r7vl3GrYKGPE0uLB0.dll (VirusTotal 12/56***).
C2 is http ://83.217.11.193 /linuxsucks.php . Payload Security[4] shows alternative download locations & C2 but for some strange reason isn’t showing the downloaded Locky binary as malicious... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/8cd5ebd6f4789fd83fb694b05f2d80882145a2f3781717de7033ea5f9422560c/analysis/1477646733/

** https://malwr.com/analysis/M2IyNmIwYTBkZjdjNDViMWEyZDJkNjYwNTc0OTEzNjc/
Hosts
133.130.109.98
185.154.13.79
83.217.11.193

*** https://www.virustotal.com/en/file/a2fd8099409d19ca43a86e0580f2ac19e178b1032696ac259c0e72874aa2fed9/analysis/1477647176/

4] https://www.hybrid-analysis.com/sample/8cd5ebd6f4789fd83fb694b05f2d80882145a2f3781717de7033ea5f9422560c?environmentId=100
Contacted Hosts
213.176.241.230
185.154.13.79
83.217.11.193
46.148.26.99
194.1.239.152
91.230.211.150

- http://blog.dynamoo.com/2016/10/malware-spam-payment-history-leads-to.html
28 Oct 2016 - "... another spam run pushing Locky ransomware:
Subject: Payment history
From: Theodore Wilkins
Date: Friday, 28 October 2016, 10:09
The payment history for the first week of October 2016 is attached as you requested.
Please review it and let us know if you have any question.

The sender name varies from message to message. Attached is a ZIP file named in a similar way to payment_history_aecca55b.zip containing a malicious VBS script... (e.g. payment history 6848D10A PDF.vbs). You can see some of the activities of these script in these automated analyses [1] [2].
There are many different variants of the script, downloading components...
(Many domain-names listed at the dynamoo URL above.)
... (Thank you to my usual source for this data). The malware phones home to:
83.217.11.193/linuxsucks .php [hostname: artkoty.fortest .website] (Park-web Ltd, Russia)
46.148.26.99/linuxsucks .php [hostname: tarasik1.infium .net] (Infium, UAB, Ukraine)
194.1.239.152/linuxsucks .php (Internet Hosting Ltd, Russia)
91.230.211.150/linuxsucks .php [hostname: tarasik.freeopti .ru] (Optibit LLC, Russia)
185.154.13.79/linuxsucks .php (Dunaevskiy Denis Leonidovich, Ukraine) ...
A DLL is dropped with a detection rate of 12/57*.
Recommended blocklist:
83.217.11.193
46.148.26.99
194.1.239.152
91.230.211.150
185.154.13.79 "
1] https://malwr.com/analysis/ZGFmYzVlM2YxYzQyNDM5YWFiNjNjNTNjZjRjNWQ4MmU/
Hosts
185.2.128.114
46.148.26.99

2] https://www.hybrid-analysis.com/sample/e36ec20bac9e7489d25f369ceddcd28cf5016564c4221898fc69e5dc621ce10e?environmentId=100
Contacted Hosts
185.2.128.114
185.154.13.79
83.217.11.193
194.1.239.152
91.230.211.150
46.148.26.99

* https://virustotal.com/en/file/7f18dddbc1732112c95e212c69b49e15bad15df7c33c7d40ca243a6dcce904b6/analysis/
___

Fake 'Document' SPAM - delivers trickbot banking Trojan
- https://myonlinesecurity.co.uk/document-from-random-name-at-your-own-email-domain-malspam-delivers-trickbot-banking-trojan/
28 Oct 2016 - "An email with the subject of 'Document' from random names pretending to come from random name <random.name@ victim domain .tld> with a malicious word doc attachment delivers a trickbot banking Trojan... This uses a somewhat complicated method of delivery to try to bypass antivirus and content protection, but basically the macro inside the word doc creates a lnk file, calls on powershell to run the lnk file which connects to the web server to download a file, which is in turn renamed, moved & autorun by the powershell instruction inside the macro. The alleged senders name matches the subject line, the name in the body of the email and the document name... The email looks like:
From: Tommy Griggs <Tommy.Griggs@ oneknight .co.uk>
Date: Fri 28/10/2016 02:37
Subject: Document from Griggs
Attachment: Griggs-2810-824.doc
My company sent you a document. Check it attached.
Regards,
Tommy Griggs
Challenger Limited

28 October 2016: Griggs-2810-824.doc - Current Virus total detections 3/53*
Payload Security** shows a download from futuras .com/ksdjgdfhmsc.exe (VirusTotal 12/57***)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/615e955e5a20f64604d73ec268bde17a8eeca9935e2ac74d4c3aa12d300ecf9b/analysis/1477637824/

** https://www.hybrid-analysis.com/sample/615e955e5a20f64604d73ec268bde17a8eeca9935e2ac74d4c3aa12d300ecf9b?environmentId=100
Contacted Hosts
203.199.134.21
78.47.139.102
91.219.28.77
80.79.114.179
193.124.177.117

*** https://www.virustotal.com/en/file/42033709c722815b5b4fdc222fc3d56be9be9b217084ab878a144ed5550d4e79/analysis/1477629101/
___

Dridex - new "0-Day-Distribution" method
- https://payload-security.blogspot.co.uk/2016/10/on-dridex-and-new-zero-day-distribution_27.html
Oct 27, 2016 - "The banking trojan Dridex (also known as Cridex, Feodo, Geodo, etc.) has been distributed in the past via malicious documents containing macros sent by E-Mail. Just yesterday we discovered a new distribution method that is undetected by the various Sandbox solutions we have access to and all AV engines. We were able to happily share and send those infected files via Skype, Gmail and other platforms. So while Dridex itself isn't new, the distribution method definitely is - and it will be very successful looking at current 0% detection ratio. In a sense, it is a "zero-day-distribution" method so we decided to use that term...
> https://3.bp.blogspot.com/-DTnOJp68-VQ/WBGhmW3uTNI/AAAAAAAAUEk/Aup-F3edw1EP95-wy2o9EP18HBsCse5LACLcB/s1600/vt.png
As has been a recent trend we see for targetted attacks (more on that later), this malicious Office file does not contain any macros (or exploits, actually) to execute the payload... Instead, the document contains an embedded file, which can be extracted from the "oleObject1.bin" file in the "embeddings" folder. In this case, as it is a Word file, the relative pathway would be word/embeddings/oleObject1.bin... Simply opening the document will cause nothing to happen initially. Instead, the embedded file has to be double-clicked. This is the first "hurdle" that most Sandbox systems will have difficulties with:
> https://3.bp.blogspot.com/-4gHVNlGDmuI/WBDs9trd_WI/AAAAAAAAJUA/5SCDDgqpb_gIOCRLfa-XZ9tJh_KcOHVKACLcB/s1600/Captura%2Bde%2Bpantalla%2B2016-10-26%2Ba%2Blas%2B19.50.17.png
After double-clicking the file - on a default configured system - an additional prompt will have to be passed:
> https://2.bp.blogspot.com/-sjrRV6nAjwo/WBD1pWjzLFI/AAAAAAAAJUs/e2MiS7caqAoE9MJmaf6jaibzlN_3LWzTQCLcB/s1600/Captura%2Bde%2Bpantalla%2B2016-10-26%2Ba%2Blas%2B20.26.36.png
... only if we -click- "Open" on that prompt, the actual LNK file and consequently the Command Prompt -> Powershell execution chain will trigger and download Dridex..."
(More detail at the payload-security URL above.)

>> https://myonlinesecurity.co.uk/malformed-infected-word-docs-embedded-macro-viruses/
___

'Your Bill' is -Not- Overdue ... Locky
- https://isc.sans.edu/diary.html?storyid=21647
2016-10-27 - "... It looks like today's ransomware subject is 'Your Bill is Overdue'. But then again, don't bother blocking it. Block ZIP'ed visual basic scripts. This round of Locky makes blocking a tad harder by using 'application/octet-stream' as a Content-Type instead of 'application/zip'... I received just about 1,000 attachments like that, and about 4000 total..."

:fear::fear: :mad:

AplusWebMaster
2016-10-31, 14:40
FYI...

Fake 'Wrong tracking number' SPAM - leads to Locky
- http://blog.dynamoo.com/2016/10/malware-spam-wrong-tracking-number.html
31 Oct 2016 - "This spam email leads to Locky ransomware:
From "Samuel Rodgers"
Date Mon, 31 Oct 2016 15:21:22 +0530
Subject Wrong tracking number
It looks like the delivery company gave us the wrong tracking number.
Please contact them as soon as possible and ask them regarding the shipment number 302856 information attached.

The name of the sender varies. Attached is a ZIP file named in a format similar to tracking_number_8b5b0ab.zip which in turn contains a malicious VBS script... named something like tracking number A99DB PDF.vbs... full list of download locations...
(Long list of domain-names at the dynamoo URL above.)
The malware phones home to:
91.107.107.241/linuxsucks .php [hostname: cfaer12.example .com] (Cloudpro LLC, Russia)
95.163.107.41/linuxsucks .php [hostname: shifu05 .ru] (JSC Digital Network, Russia)
146.120.89.98/linuxsucks .php (Ukrainian Internet Names Center aka ukrnames .com, Ukraine)
194.1.239.152/linuxsucks .php (Internet Hosting Ltd aka majorhost .net, Russia)
5.187.7.111/linuxsucks. php (Fornet Hosting, Spain)
Recommended blocklist:
5.187.7.111
91.107.107.241
95.163.107.41
146.120.89.98
194.1.239.152 "

- https://myonlinesecurity.co.uk/malspam-email-wrong-tracking-number-delivers-locky/
31 Oct 2016 - "... Locky downloader... an email with the subject of 'Wrong tracking number' coming as usual from random companies, names and email addresses with a semi-random named zip attachment starting with tracking_number_ containing a VBS file that pretends to be a PDF... similar to recent Locky malspam[1] where the download is an actual executable file, not an encrypted file needing decoding, although called a txt file. The VBS just renames it to the dll name...
1] https://myonlinesecurity.co.uk/please-review-malspam-delivers-locky-thor-version/

31 October 2016: tracking_number_aa587827b.zip: Extracts to: tracking number A1964B3 PDF.vbs
Current Virus total detections 6/55*. Payload Security** seems unable to get any payload from this vbs although manual analysis easily revealed the download locations:
http ://business-cambodia .com/he8wtc | http ://archilog .at/imwjmt | http ://badznaptak .pl/inlgm49
http ://aconetrick .com/6yoajl7 | http ://ficussalm .com/8pmjmwp
All these files are executable files and the VBS just renames them to a DLL and autoruns it VirusTotal 14/57[3]...
One of the emails looks like:
From: Eldridge Beard <Beard.69896@ srimina .com>
Date: Mon 31/10/2016 09:05
Subject: Wrong tracking number
Attachment: tracking_number_aa587827b.zip
It looks like the delivery company gave us the wrong tracking number. Please contact them as soon as possible and ask them regarding the shipment number 302856 information attached.

The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/371466f64c559e9b65742d9d186308191f6559966e3ec12577eac9d6922ec06d/analysis/1477906017/

** https://www.hybrid-analysis.com/sample/371466f64c559e9b65742d9d186308191f6559966e3ec12577eac9d6922ec06d?environmentId=100

3] https://www.virustotal.com/en/file/5609291ff37549dc4bd735eb50134e869d1c9804bf56cd07de8ba42410c22940/analysis/1477908982/
___

Fake 'SureVoIP' SPAM - leads to Locky
- http://blog.dynamoo.com/2016/10/malware-spam-surevoip-voicemail-from.html
31 Oct 2016 - "This -fake- voicemail message leads to Locky ransomware:
Subject: Voicemail from Catalina rigby 02355270166 <02355270166> 00:01:22
From: SureVoIP (voicemailandfax@[redacted])
Date: Monday, 31 October 2016, 11:17
Message From "Catalina rigby 02355270166" 02355270166
Created: 2016.10.31 14:46:53 PM
Duration: 00:01:22
Account: voicemailandfax@ [redacted]

Details will vary from message to message. Attached is a ZIP file with a name similar to msg_252f-477a-6bd9-371f-330671579edb.zip which contains a malicious WSF script. My source tells me that the various scripts the download a component...
(Long list of domain-names at the dynamoo URL above.)
The C2 servers overlap with the ones found here.
91.107.107.241/linuxsucks .php [hostname: cfaer12.example .com] (Cloudpro LLC, Russia)
95.163.107.41/linuxsucks .php [hostname: shifu05 .ru] (JSC Digital Network, Russia)
146.120.89.98/linuxsucks .php (Ukrainian Internet Names Center aka ukrnames .com, Ukraine)
Recommended blocklist:
5.187.7.111
91.107.107.241
95.163.107.41
146.120.89.98
194.1.239.152 "
___

Fake 'electronic billing' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/malspam-email-thanks-for-using-electronic-billing-delivers-locky/
31 Oct 2016 - "... Locky downloader... an email with the subject of 'Document No 50319282' (random numbers) pretending to come from accounts @ your own email address with a semi-random named zip attachment starting with file containing a WSF file... One of the emails looks like:
From: NANNIE DONNELLY <accounts@ [redacted] .co.uk>
Date: Thu 01/09/2016 19:22
Subject: Document No 50319282
Attachment: File 50319282.zip
Thanks for using electronic billing
Please find your document attached
Regards
NANNIE DONNELLY

31 October 2016: File 50319282.zip: Extracts to: XY4918-1310.wsf - Current Virus total detections 10/55*
MALWR** shows a download of a file from
http ://www .shavash .ir/g7cberv?LoeMqQM=BQqhBkykpgn which is renamed by the script to hndYhViGx1.dll
(VirusTotal 8/56***). C2 are http ://95.163.107.41 /linuxsucks.php and http ://tdhyjfxltpj .pw/linuxsucks.php
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/e1823d871472e75be73c4bc2a0a74f4e32b2cbee5a23990639c6b90858adcc5c/analysis/1477916645/

** https://malwr.com/analysis/M2JiZTcwOWI2MjFlNDQ1NGEyYjUxODc2ZTdkYzEyMWU/
Hosts
136.243.80.209
146.120.89.98
91.107.107.241
95.163.107.41
192.42.116.41

*** https://www.virustotal.com/en/file/90dbb959c99f85a72dbdf815c6a58c178fc792c557be1e0bbd169e04419c2326/analysis/1477926737/
___

Fake 'BANK SLIP' SPAM - delivers Tesla keylogger
- https://myonlinesecurity.co.uk/malspam-email-bank-slip-delivers-unknown-malware/
31 Oct 2016 - "... malware delivery email... an email with the subject of 'BANK SLIP' coming as usual from what looks like random companies, names and email addresses with a zip attachment that contains some unknown malware. VirusTotal only shows generic detections...
Update: I am being reliably informed that it is Agent Tesla keylogger* that sends info home to aqeel@ ubsrwp .pk . A recent similar attack but using malicious word docs with macros to deliver the payload is described HERE** with screenshots and a good description of the information...
* https://twitter.com/malwrhunterteam/status/793018062953938944

** https://www.zscaler.com/blogs/research/agent-tesla-keylogger-delivered-using-cybersquatting

31 October 2016: Bank Slip.zip: Extracts to: Bank Slip.exe - Current Virus total detections 9/57[3]
MALWR doesn’t show much [4]. | Payload Security[5]...
3] https://www.virustotal.com/en/file/fa35daba4d0a9241648b3705686bd27c21248c8bb185e0fce4f219286e1ef690/analysis/1477892702/

4] https://malwr.com/analysis/YzNhYzBhYmNkY2Q2NGQ3MDkzY2UyYzM5YTkxZDIxZGM/

5] https://www.hybrid-analysis.com/sample/fa35daba4d0a9241648b3705686bd27c21248c8bb185e0fce4f219286e1ef690?environmentId=100

One of the emails looks like:
From: wagagrove@ otbsporti.com
Date: Thu 01/09/2016 19:22
Subject: BANK SLIP
Attachment: Bank Slip.zip
Dear Sir,
Pleased be informed payment done as attached.
Regards,
Waga
Sales/Account Department
MOTOTECHNICA SOLUTION LTD.
GST NO : 0018898212965 ...

The basic rule is NEVER open any attachment to an email, unless you are expecting it..."

ubsrwp .pk: 198.24.190.35: https://www.virustotal.com/en/ip-address/198.24.190.35/information/

:fear::fear: :mad:

AplusWebMaster
2016-11-01, 14:21
FYI...

Fake 'Transaction declined' SPAM - leads to Locky
- https://myonlinesecurity.co.uk/malspam-email-transaction-declined-delivers-locky/
1 Nov 2016 - "... Locky downloader... an email with the subject of 'Transaction declined' coming as usual from random companies, names and email addresses with a semi-random named zip attachment starting with transaction-details_ containing a VBS file that pretends to be a PDF... One of the emails looks like:
From: Elena Cooper <Cooper52780@ centraldetraducao .com>
Date: Thu 01/09/2016 19:22
Subject: Transaction declined
Attachment: transaction-details_e78be58f7.zip
Dear [redacted],
This is to inform that the transaction you made yesterday is declined.
Please look through the attachment for the verification of the card details.
Best Regards,
Elena Cooper

Manual decoding of this slightly obfuscated vbs script shows Download locations are:
http ://17173wang .com/f6w0p
http ://cdxybg .com/iribzm
http ://51qudu .com/mqy2pj4
http ://sonsytaint .com/4mgxlrf
http ://koranjebus .net/4rwg5
1 November 2016: paytransaction-details_e78be58f7.zip: Extracts to: transaction_details_39B163E4_PDF.vbs
delivers [VirusTotal 8/55*].. f6w0p [VirusTotal 7/55**]. Neither MALWR nor Payload Security[3] seem able to actually get the download locations or any payload in these VBS files... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/354a08f1e154aad7c44b99faf632a59f6424f93dc99b1da567baaa3d6db6bbe1/analysis/1477997125/

** https://www.virustotal.com/en/file/af4139e2c91341c2cade54b6adf67ddcfc41805103d4fb59419ec9973ee12a66/analysis/1477997325/

3] https://www.hybrid-analysis.com/sample/354a08f1e154aad7c44b99faf632a59f6424f93dc99b1da567baaa3d6db6bbe1?environmentId=100

17173wang .com: 120.27.107.115: https://www.virustotal.com/en/ip-address/120.27.107.115/information/
cdxybg .com: 125.88.190.31: https://www.virustotal.com/en/ip-address/125.88.190.31/information/
51qudu .com: 118.123.18.92: https://www.virustotal.com/en/ip-address/118.123.18.92/information/
sonsytaint .com: 67.171.65.64: https://www.virustotal.com/en/ip-address/67.171.65.64/information/
138.201.244.4: https://www.virustotal.com/en/ip-address/138.201.244.4/information/
koranjebus .net: 67.171.65.64: https://www.virustotal.com/en/ip-address/67.171.65.64/information/
138.201.244.4: https://www.virustotal.com/en/ip-address/138.201.244.4/information/

- http://blog.dynamoo.com/2016/11/malware-spam-this-is-to-inform-that.html
1 Nov 2016 - "This -fake- financial spam leads to Locky ransomware:
Subject: Transaction declined
From: Chandra Frye
Date: Tuesday, 1 November 2016, 10:48
Dear [redacted],
This is to inform that the transaction you made yesterday is declined.
Please look through the attachment for the verification of the card details.
Best Regards,
Chandra Frye

The name of the sender will vary. Attached is a ZIP file (e.g. transaction-details_4688d047f.zip) containing a malicious VBS script (e.g. transaction_details_63EC6F26_PDF.vbs)... communicates with the URLs below, but you can be sure that there are many more examples:
51qudu .com/mqy2pj4
bjzst .cn/qgq4dx
danapardaz .net/zrr8rtz
litchloper .com/66qpos7m
creaciones-alraune .es/dx8a5
adasia .my/f5qyi10
alecrim50 .pt/g28w495t
zizzhaida .com/a0s9b
silscrub .net/07ifycb
Hybrid Analysis is inconclusive*.
If I get hold of the C2s or other download locations then I will post them here."
* https://www.hybrid-analysis.com/sample/184d976d078561186aa0f5e9ee7b5df42f296ba02a4233ccae7a0b4ac05b0b8e?environmentId=100
UPDATE: My usual reliable source tells me that these are all the download locations...
(Long list of domain-names at the dynamoo URL above.)
... These are the C2s:
91.234.32.202/linuxsucks .php (FOP Sedinkin Olexandr Valeriyovuch aka thehost .ua, Ukraine)
81.177.22.164/linuxsucks .php (NETPLACE, Russia)
Recommended blocklist:
91.234.32.202
81.177.22.164 "
___

Fake 'New Fax' SPAM - leads to TrickBot
- http://blog.dynamoo.com/2016/11/malware-spam-new-fax-message.html
1 Nov 2016 - "This -fake- fax leads to TrickBot which appears to be similar to the Dyre banking trojan that we saw a lot of last year..

Screenshot: https://3.bp.blogspot.com/-DtzfLWMDTaA/WBiswJBCfII/AAAAAAAAJBY/O8YEZCu1_-YIieL2OLxGQlp8rT8kGq23QCLcB/s1600/confidential-fax.png

Attached is a Word document (in this case Internal_Fax.doc) which has a pretty low detection rate at VirusTotal of 5/54*. Both the Malwr report** and Hybrid Analysis*** give some clues as to what is going on, but in fact the Malwr report comes out with a binary download location of:
www .tessaban .com/img/safafaasfasdddd.exe
This is a -hacked- legitimate website. Downloading that file manually and resubmitting it gives two rather more interesting Malwr[4] and Hybrid Analysis reports[5] give the following suspect traffic:
91.219.28.77 (FLP Kochenov Aleksej Vladislavovich aka uadomen .com, Ukraine)
193.9.28.24 (FLP Kochenov Aleksej Vladislavovich aka uadomen .com, Ukraine)
37.1.209.51 (3NT Solutions LLP, UK)
138.201.44.28 (Philip Diver, Australia / Hetzner, Germany)
23.23.107.79 (Amazon EC2, US)
... 3NT Solutions (aka Inferno Solutions/inferno .name) are very, very bad news and I would recommend blocking any IPs you can find for this outfit... If we excise the domestic IPs and blackhole the 3NT/Inferno/uadomen .com ranges we get a recommended blocklist of:
37.1.208.0/21
46.22.211.0/24
91.219.28.0/22
104.250.138.192/27
138.201.44.28
188.116.23.98
188.138.1.53
193.9.28.0/24
However, there's more to this... The original email message is actually signed by local-fax .com and it turns out that this domain was created just -today- with anonymous registration details. The sending IP was 104.130.246.8 (Rackspace, US) and it also turns out that this is widely blacklisted and is probably worth blocking. All the samples I have seen show a consistent MD5 of e6d2863e97523d2f0e398545989666e4 for the attachment, and all the recipients I have seen begin with the letter "a" curiously..."
* https://virustotal.com/en/file/8e36513dd7f611f25af2f7d6987dd92944fd0898eb3924df07c8b8aad4c38347/analysis/

** https://malwr.com/analysis/NjliZDdmZmZiNzc5NGNjM2IyMDBjNTdlMjk1NGEzZjQ/
Hosts
61.19.247.54
78.47.139.102
54.197.246.207
64.182.208.181
66.171.248.178
188.40.53.51
91.219.28.77
193.9.28.24

*** https://www.hybrid-analysis.com/sample/8e36513dd7f611f25af2f7d6987dd92944fd0898eb3924df07c8b8aad4c38347?environmentId=100

4] https://malwr.com/analysis/MWQxYWFiMjg1NzhkNGIxYjhmMWUwYTRjODQ1YjRjMzU/
Hosts
78.47.139.102
23.23.107.79
64.182.208.182
64.182.208.184
64.182.208.183
64.182.208.181
66.171.248.178
188.40.53.51
91.219.28.77
193.9.28.24
37.1.209.51

5] https://www.hybrid-analysis.com/sample/069ac0b81c552fba6ab768759249691d407ad8b67a98bf82548a951f468f629b?environmentId=100
Contacted Hosts
91.219.28.77
193.9.28.24
37.1.209.51
138.201.44.28

- https://myonlinesecurity.co.uk/malspam-email-gds-new-fax-message-delivers-malware/
1 Nov 2016 - "An email with the subject of 'GDS – New Fax Message' pretending to come from GDS Fax <service@ gov-fax. co .uk> with a malicious word doc containing macros which downloads what looks like Trickbot banking Trojan...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2016/11/gds-new-fax-message-1024x555.png

1 November 2016: gvt_uk_01112016.doc - Current Virus total detections 3/54*
MALWR** shows a download from http ://www .tessaban .com/img/safafaasfasdddd.exe (VirusTotal 10/56***)
Payload Security [1] [2] Dynamoos blog[3] gives details of a slightly different email delivering the same word docs & malware payload... The basic rule is NEVER open any attachment to an email, unless you are expecting it...."
* https://www.virustotal.com/en/file/4c424fe45453840002ac944d167c45e1f77000485848dec65a46ca53a2b04ba3/analysis/1477997908/

** https://malwr.com/analysis/ZTI2ZjM1OWM1NjA3NDExZDk0ZTBjOTg4YWQxYzM2Mzc/
Hosts
61.19.247.54
78.47.139.102
54.243.164.241
64.182.208.182
66.171.248.178
188.40.53.51
91.219.28.77
193.9.28.24
37.1.209.51

*** https://www.virustotal.com/en/file/069ac0b81c552fba6ab768759249691d407ad8b67a98bf82548a951f468f629b/analysis/1478011826/

1] https://www.hybrid-analysis.com/sample/4c424fe45453840002ac944d167c45e1f77000485848dec65a46ca53a2b04ba3?environmentId=100

2] https://www.hybrid-analysis.com/sample/069ac0b81c552fba6ab768759249691d407ad8b67a98bf82548a951f468f629b?environmentId=100
Contacted Hosts
91.219.28.77
193.9.28.24
37.1.209.51
138.201.44.28

3] http://blog.dynamoo.com/2016/11/malware-spam-new-fax-message.html
___

Fake 'Your Invoice' SPAM - delivers yet more Locky
- https://myonlinesecurity.co.uk/malspam-email-your-invoice-sipus16-953639-delivers-yet-more-locky-ransomware-today/
1 Nov 2016 - "... Locky downloader... an email with the subject of 'Your Invoice: SIPUS16-953639' (random numbers) coming as usual from random companies, names and email addresses with a semi-random named zip attachment starting with SIPUS16 containing a wsf file... One of the emails looks like:
From: invoicing@ costruzionieimpianti .com
Date: Tue 01/11/2016 15:47
Subject: Your Invoice: SIPUS16-953639
Attachment: SIPUS16-953639.zip
Dear Sirs,
Please find your invoice enclosed. We kindly ask you to respect our payment terms.
For questions please contact our sales office.
Kind regards,
Dorema UK Ltd.

1 November 2016: SIPUS16-953639.zip: Extracts to: INV_NO_79980148.wsf - Current Virus total detections 11/55*
.. MALWR** shows a download of an encrypted file from
http ://bappeda .palangkaraya .go.id/87yfhc?xFqceIrSlI=MNKhDTrM
which is transformed by the script to GdxPTYAwwe1.dll (VirusTotal 12/56***). Same malware and delivery method as this earlier malspam run[4] using fake invoices... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/71133d3e55a03bc55c26da7f759671e522bfabcd88c4189f25fedf6c2244e16a/analysis/1478009132/

** https://malwr.com/analysis/YzFkZTIzNTdmZDhhNGZhZDllMDZkMzJkNTE5YjEzNWU/
Hosts
180.250.3.118
185.82.217.88
51.255.107.20

*** https://www.virustotal.com/en/file/a2fd8099409d19ca43a86e0580f2ac19e178b1032696ac259c0e72874aa2fed9/analysis/1477647176/

4] https://myonlinesecurity.co.uk/malspam-email-invoice-pretending-to-come-from-infoyour-own-domain-delivers-locky/
___

Windows 0-day vuln - CVE-2016-7855
- https://www.helpnetsecurity.com/2016/11/01/google-warns-actively-exploited-windows-zero-day/
Nov 1, 2016 - "Google has disclosed to the public the existence of a Windows zero-day vulnerability (CVE-2016-7855*) that is being actively exploited in the wild... The same vulnerability has been shared with both Microsoft and Adobe on October 21st, as it also affected Flash Player. But while Adobe has already pushed out an update with the patch[1], Microsoft has not been so quick.
1] https://helpx.adobe.com/security/products/flash-player/apsb16-36.html
... They have advised users to update Flash and implement the Microsoft patch as soon as it is made available..."
>> https://security.googleblog.com/2016/10/disclosing-vulnerabilities-to-protect.html

* https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7855
11/01/2016 - "... as exploited in the wild in October 2016.
___

HookAds malvertising ...
- https://blog.malwarebytes.com/cybercrime/exploits/2016/11/the-hookads-malvertising-campaign/
Nov 1, 2016 - "... we wrote about a new piece of malware called ‘Trick Bot‘ which we caught in a malvertising attack via a high trafficked adult website. In the meantime, we uncovered -another- malvertising campaign that started at least in mid August, and which leverages decoy adult portals to spread malware. Internally, we call it the 'HookAds campaign' based on a string found within the delivery URL... upstream traffic to those adult sites also shows a pattern of malvertising via the usual suspects... much of the traffic sent to HookAds comes from malvertising on top adult sites that generate millions of visits a month... We estimate that at least one million visitors to adult websites were exposed to this particular campaign. Adult traffic is funneled to one of several decoy adult websites where an -iframe- to adult banner is injected dynamically. The ad is served from a third-party server which performs -cloaking- in order to detect whether this is legitimate new traffic or not...
The fake ad server infrastructure grew during the past few months and our honeypots caught 3 sequential IP addresses that host over a hundred rogue ad domains. All of these domains have been registered with the intention of looking like advertising platforms. While some domains were used for long periods of time, most switched every day or so to let a new one in:
> https://blog.malwarebytes.com/wp-content/uploads/2016/10/206.png
185.51.244.206 / 185.51.244.207 / 185.51.244.208
... The Flash exploit RIG-v uses is protected by SWFLOCK, an online obfuscator/cryptor for Flash files (other EKs like Magnitude use DoSWF)...
Conclusion: The HookAds malvertising campaign is -still- running at the time of writing this post, with new rogue ad domains getting registered each day. We are blocking the malicious IP range to protect our customers and Malwarebytes Anti-Exploit users are also shielded against the RIG exploit kit..."
IOCs
IPs:
185.51.244.206
185.51.244.207
185.51.244.208 ..."
(More detail at the malwarebytes URL above.)

:fear::fear: :mad:

AplusWebMaster
2016-11-02, 13:34
FYI...

Fake 'Transactions' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/email-malspam-transactions-delivers-locky/
2 Nov 2016 - "... Locky downloader... an email with the subject of 'Transactions' coming as usual from random companies, names and email addresses with a semi-random named zip attachment starting with last_transactions_ containing a VBS file that pretends to be a PDF... One of the emails looks like:
From: Berry Rutledge <Rutledge35@ shakedownbarvail .com>
Date: Wed 02/11/2016 09:32
Subject: Transactions
Attachment: last_transactions_fb079ee.zip
Hi [redacted]
[random name]called me yesterday updating about the transactions on company’s account from last month.
Examine the attached transaction record. Please let me know if you need more help.
Best Regards,
Berry Rutledge

2 November 2016: last_transactions_fb079ee.zip: Extracts to: last_transactions_2EA31C0_PDF.vbs
Current Virus total detections 9/54*. Manual analysis of the vbs shows a download of a file from one of these locations:
http ://bddja .com/p0u44p8z | http ://akira-sushi34 .ru/przgzq | http ://3rock .ie/qdq1fv4c
http ://cokealong .com/0l609 | http ://fiveclean .com/14msj3
which is renamed by the script to a dll and autorun (VirusTotal 7/55**). Neither MALWR nor Payload Security*** ever seem able to display the download URLs or obtain any payload form these VBS scripts, although manual analysis shows it very easily with minimal de-obfuscation of the VBS code...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/9f27b89a91a82aa49d0c71d2e62684cd9c6aa8518b7b5dbd61a0f009cbac72d2/analysis/1478080807/

** https://www.virustotal.com/en/file/b0cd7938dbc7f7025ab2d17e7b52e12473d1c852adab230e0858a43cf95d57c9/analysis/1478083429/

*** https://www.hybrid-analysis.com/sample/9f27b89a91a82aa49d0c71d2e62684cd9c6aa8518b7b5dbd61a0f009cbac72d2?environmentId=100
___

Fake 'part 4' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/malspam-email-part-4-as-promised-delivers-locky/
2 Nov 2016 - "... Locky downloader... an email with the subject of 'part 4' (random numbers between 0 & 9) coming as usual from random companies, names and email addresses with a random named zip attachment containing a WSF file... One of the emails looks like:
From: TRACIE MACALLISTER <traciemacallister@ perceptualproductions .com>
Date: Thu 01/09/2016 19:22
Subject: part 4
Attachment: JLJEWM918399.zip
As promised
TRACIE

2 November 2016: JLJEWM918399.zip: Extracts to: PTKBJH1522.wsf - Current Virus total detections 12/54*
MALWR** shows a download of an encrypted file from
http ://aifgroup .jp/43ftybb8?eOcQFhG=ytopbCntxmF which is transformed by the script to BdJXwnO1.dll
(VirusTotal 12/56***). C2 are
http ://194.28.87.26 /linuxsucks.php | http ://51.255.107.20 /linuxsucks.php
http ://194.1.239.152 /linuxsucks.php
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/2f54be0dfff63089130ba18bb95d8ecfbf8ce637691ad5f3a041e3434db7aeb4/analysis/1478081153/

** https://malwr.com/analysis/ZDI2ZjEyYWQ5YTM4NDk3OTk4ODBlMDVlNmI3YmI3NjE/
Hosts
122.200.219.36
194.28.87.26
51.255.107.20
194.1.239.152

*** https://www.virustotal.com/en/file/610e1f5a9386b13cbaac217f05f8089270136ccab00922856fb992eb08a9d12f/analysis/1478084176/
___

Fake 'Companies House' SPAM - delivers Trickbot
- https://myonlinesecurity.co.uk/malspam-email-companies-house-new-company-complaint-delivers-trickbot-banking-trojan/
2 Nov 2016 - "An email with the subject of 'Companies House – new company complaint' pretending to come from Companies House <noreply@ companieshouses .co.uk> with a malicious word doc with macros delivers Trickbot banking Trojan...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2016/11/Companies-House-new-company-complaint-1024x553.png

2 September 2016: Complaint.doc - Current Virus total detections 4/54*
Payload security** shows a download of sweezy.exe from futuras .com/img/dododocdoc.exe (VirusTotal 6/57***)...
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/985e9f4c5a49e26782141c7cd8f4ce87b0e0a026d078b67b006e17e12f9eb407/analysis/1478089229/

** https://www.hybrid-analysis.com/sample/985e9f4c5a49e26782141c7cd8f4ce87b0e0a026d078b67b006e17e12f9eb407?environmentId=100
Contacted Hosts
203.199.134.21
78.47.139.102
193.107.111.164
91.219.28.58
193.124.177.117
91.219.28.77
193.9.28.24

*** https://www.virustotal.com/en/file/d4b1fd9f55c11a5d63d417e43fd1bd871c5be842ed3ea1888981536da8dd9c6d/analysis/1478089108/

- http://blog.dynamoo.com/2016/11/malware-spam-companies-house-new.html
2 Nov 2016 - "This fake Companies House spam leads to TrickBot malware... Unlike recent Locky spam runs, this TrickBot run has gone to a lot of effort to look authentic:

Screenshot: https://2.bp.blogspot.com/-wBSmA67_OZA/WBoNcqG5fDI/AAAAAAAAJCU/w4yr8II2mGkp1K2LjoOlncYom626O2NIACLcB/s1600/companies-house.png

The sender is either noreply@ companies-house .me.uk or noreply@ companieshouses .co.uk - both those domains have actually been registered by the spammers with -fake- WHOIS details... All the emails that I have seen have been sent via servers at 172.99.84.190 and 172.99.88.226 (a Rackspace customer apparently called OnMetal v2 IAD PROD). I recommend that you -block- email traffic from those IPs.
Attached is a Word document Complaint.doc (MD5 21AEA31907D50EE6F894B15A8939A48F) [VT 7/55[2]] which according to this Hybrid Analysis[1] downloads a binary from:
futuras .com/img/dododocdoc.exe
This is saved as sweezy.exe and has a detection rate of 7/57[3]. At present that download location is down, probably due to exceeding bandwidth quota. The Hybrid Analysis identifies several C2s which overlap with this TrickBot run from yesterday[4]:
78.47.139.102 (Unknown customer of Hetzner, Germany)
91.219.28.58 (FLP Kochenov Aleksej Vladislavovich aka uadomen .com, Ukraine)
91.219.28.77 (FLP Kochenov Aleksej Vladislavovich aka uadomen .com, Ukraine)
193.9.28.24 (FLP Kochenov Aleksej Vladislavovich aka uadomen .com, Ukraine)
193.107.111.164 (PP "Kremen Alliance", Ukraine)
193.124.177.117 (MAROSNET, Russia)
The uadomen .com IP ranges (as discussed yesterday) are a sea of badness and I recommend you block traffic to them.
Recommended blocklist:
78.47.139.96/28
91.219.28.0/22
193.9.28.0/24
193.107.111.164
193.124.177.117 "
1] https://www.hybrid-analysis.com/sample/985e9f4c5a49e26782141c7cd8f4ce87b0e0a026d078b67b006e17e12f9eb407?environmentId=100
Contacted Hosts
203.199.134.21
78.47.139.102
193.107.111.164
91.219.28.58
193.124.177.117
91.219.28.77
193.9.28.24

2] https://virustotal.com/en/file/985e9f4c5a49e26782141c7cd8f4ce87b0e0a026d078b67b006e17e12f9eb407/analysis/

3] https://www.virustotal.com/en/file/d4b1fd9f55c11a5d63d417e43fd1bd871c5be842ed3ea1888981536da8dd9c6d/analysis/

4] http://blog.dynamoo.com/2016/11/malware-spam-new-fax-message.html
___

Fake 'DSCF6693' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/blank-malspam-email-dscf6693-pdf-delivers-locky/
1 Nov 2016 - "... Locky downloader... a totally -blank- email with the subject of 'DSCF6693.pdf' (random numbers) coming as usual from random companies, names and email addresses with a semi-random named zip attachment starting with DSCF that matches the subject containing a wsf file... One of the emails looks like:
From: ROXIE LANGBAINE <roxie.3506@ madebuynana .nl>
Date: Tue 01/11/2016 19:51
Subject: DSCF6693.pdf
Attachment: DSCF6693.zip

Body content: totally blank/empty

1 November 2016: DSCF6693.zip: Extracts to: DSCF1121.wsf - Current Virus total detections 8/54*
MALWR** shows a download of a file from
http ://el-sklep .com/76vvyt?JazeMXLjl=JXhbIC which is transformed by the script to YHvwcTj1.dll
(VirusTotal 5/57***). C2 are
http ://194.28.87.26 /linuxsucks.php | http ://51.255.107.20 /linuxsucks.php
http ://qiklchkunuhhbrk .org/linuxsucks.php | http ://194.1.239.152 /linuxsucks.php ...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/8cd5ebd6f4789fd83fb694b05f2d80882145a2f3781717de7033ea5f9422560c/analysis/1477646733/

** https://malwr.com/analysis/NTQzZWMxMDNhNzA5NDdhZWIwNTM1MTdiMTdmZWI5ZDc/
Hosts
88.198.110.138
194.28.87.26
51.255.107.20
194.1.239.152
69.195.129.70

*** https://www.virustotal.com/en/file/3c8d8c395eb152000e12532a2eca700214f59cd56aa91403858d25805df98d93/analysis/1478031176/
___

Sundown EK ...
- http://blog.talosintel.com/2016/10/sundown-ek.html
Oct 31, 2016 - "... IOC - Subdomains not included due to usage of domain wildcarding during campaign
Conclusion: The last couple of months have lead to major shifts in the exploit kit landscape with major players disappearing rapidly. We are now in a place where only a handful of exploit kits remain active and kits that would have previously been part of a second tier of EKs have started to rise to prominence. Sundown is a far more widely distributed exploit kit than was initially thought. Even though it doesn't have a huge footprint from an infrastructure perspective, there are lots of users interacting with these kits."
- https://blogs.cisco.com/wp-content/uploads/sundown_ips.txt
109.236.87.40
109.236.92.187
217.23.7.27
93.190.139.250
217.23.7.26
212.92.127.207
185.106.120.86
185.104.8.168
185.104.8.167
185.104.8.166

:fear::fear: :mad:

AplusWebMaster
2016-11-03, 13:36
FYI...

Fake 'Urgent payment' SPAM - leads to Locky
- http://blog.dynamoo.com/2016/11/malware-spam-urgent-payment-request.html
3 Nov 2016 - "This spam comes from random senders, the name in the "From" field always matches the fake email signature. The number of exclamation marks varies, and the payload is Locky ransomware.
Subject: !!! Urgent payment request
From: erika.whitwell@ hillcrestlife .org (erika.whitwell@ hillcrestlife .org)
Date: Thursday, 3 November 2016, 10:01
ERIKA WHITWELL ...

Attached is a file with a long name made of random numbers (e.g. 5148202750-2115939053-201611153218-5476.zip) which contains a similarly-named malicious javascript file (e.g. 8357243996-7378883150-201611233647-0661.js)...
UPDATE: This Hybrid Analysis* shows the script downloading from:
dornovametoda .sk/jhb6576?jPUTusVX=GXNaiircxm
There will be lots of other download locations too. That same report shows the malware phoning come to the following C2 servers (that overlaps somewhat with those found here):
194.28.87.26/message.php (Hostpro Ltd, Ukraine)
93.170.123.119/message.php (PE Gornostay Mikhailo Ivanovich aka time-host.net, Ukraine)
109.234.34.227/message.php (McHost .Ru, Russia)
Recommended blocklist:
194.28.87.26
93.170.123.119
109.234.34.0/24 "
* https://www.hybrid-analysis.com/sample/66a636d24a61bcd808b1372820070a6b4281328db66377815743e9c7e9fbf4c1?environmentId=100
Contacted Hosts
81.0.217.3
194.28.87.26
93.170.123.119
109.234.34.227
54.192.185.153

- https://myonlinesecurity.co.uk/urgent-payment-request-malspam-email-delivers-even-more-locky/
3 Nov 2016 - "... Locky downloader... an email with the subject of '!! Urgent payment request' coming as usual from random companies, names and email addresses with a random named zip attachment containing a .js file... One of the emails looks like:
From: christi.hayton@ artemisridge .com
Date: Thu 01/09/2016 19:22
Subject: !! Urgent payment request
Attachment: ea05237624050-3072993672-201611145320-0296.zip
CHRISTI HAYTON Telefon: +49 1743 / 51-9283 Fax: +49 1743 / 5166-9283 ...

3 November 2016: 5237624050-3072993672-201611145320-0296.zip
Extracts to: 2119873724-8372344101-201611211525-3816.js - Current Virus total detections 8/55*
MALWR** shows a download of an encrypted file from
http ://centinel .ca/jhb6576?rigWApln=iwDykXRT which is converted by the script to lpFtmm1.dll (VirusTotal 9/56***)
C2 http ://194.28.87.26 /message.php . Payload Security[4] shows additional C2... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/4413867a650386f06547d3f257e401b023eed906be5fc22a2c3a5fd78a1d6e22/analysis/1478165027/

** https://malwr.com/analysis/ZmY0ZmM2YjY1NDcyNGI0NGJmMmQzMTc5NWI0MzI3Nzg/
Hosts
64.34.157.170
194.28.87.26

*** https://www.virustotal.com/en/file/0e6bd3de7ac49ff4438a592892e0bb8da9596be4ed8328459c239c6f3b4dec86/analysis/1478166325/

4] https://www.hybrid-analysis.com/sample/4413867a650386f06547d3f257e401b023eed906be5fc22a2c3a5fd78a1d6e22?environmentId=100
Contacted Hosts
64.34.157.170
109.234.34.227
93.170.123.119
194.28.87.26
54.192.48.225
___

More Locky ...
- http://blog.dynamoo.com/2016/11/moar-locky-2016-11-03.html
3 Nov 2016 - "... Locky runs overnight... here is a data dump of download locations and C2s (at the bottom) from my usual reliable source:
(Long list of domain-names at the dynamoo URL above.)
... C2s:
51.255.107.20 /message .php (Webhost LLC Dmitrii Podelko, Russia / OVH, Germany)
85.143.215.209 /message.php (PrdmService LLC / Comfortel Ltd / Trader soft LLC, Russia)
91.230.211.103 /message .php (Optibit LLC, Russia)
91.239.232.171 /message .php (Hostpro Ltd, Ukraine)
93.170.123.119 /message.php (PE Gornostay Mikhailo Ivanovich aka time-host.net, Ukraine)
194.28.87.26 /message.php (Hostpro Ltd, Ukraine)
51.255.107.20 /linuxsucks.php (Webhost LLC Dmitrii Podelko, Russia / OVH, Germany)
194.1.239.152 /linuxsucks.php (Internet Hosting Ltd aka majorhost.net, Russia)
194.28.87.26 /linuxsucks.php (Hostpro Ltd, Ukraine)
Recommended blocklist:
51.255.107.20
85.143.215.209
91.230.211.103
91.239.232.171
93.170.123.119
194.1.239.152
194.28.87.26 "
___

Fake 'Summons' SPAM - delivers malware
- https://myonlinesecurity.co.uk/spoofed-email-from-the-crown-prosecution-service-delivers-malware/
3 Nov 2016 - "... updated run of the old 'You’ve been witness summoned to court / You are hereby summoned to appear to court to give evidence' is spreading today... Once you insert the “captcha” numbers into the submit box and press submit, you get a random numbered zip file that extracts to a js.file...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2016/11/Your-queue-REF-number-18UP6M78-1024x781.png

3 November 2016: 66504.zip: Extracts to: Case Details.js - Current Virus total detections 3/55*
MALWR** shows a download of a file from
http ://rudarskiinstituttuzla .ba/modules/mod_stat/bidkemjarf/localbbrs.exe (VirusTotal 4/57***)
Payload Security[4]... earlier this week, this sort of -spoofed- UK Government emails were used to deliver Trickbot banking Trojan. This malware payload looks somewhat different to those: MALWR[5].. Payload Security[6] analysis of downloaded malware... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/1c667f888bc723636efc64171eed8f3d4e38bae37d35b5fa4bad63374de919ad/analysis/1478169130/

** https://malwr.com/analysis/N2U3Y2Q0MDczODc5NDI5ZTkxYWNiM2VmOTlmYzUzZWE/
Hosts
176.9.10.243

*** https://www.virustotal.com/en/file/b7da4b0dec3bb5b6d7c13f3a686cbaca77347edef93e8896f809e2ad44a36684/analysis/1478169467/

4] https://www.hybrid-analysis.com/sample/1c667f888bc723636efc64171eed8f3d4e38bae37d35b5fa4bad63374de919ad?environmentId=100
Contacted Hosts
176.9.10.243
208.118.235.148
148.163.112.203
148.163.112.203

5] https://malwr.com/analysis/NWYyZGU0ODZmZmI2NDgwY2FhYjAxMmEzZTg1NmM4NTU/

6] https://www.hybrid-analysis.com/sample/b7da4b0dec3bb5b6d7c13f3a686cbaca77347edef93e8896f809e2ad44a36684?environmentId=100
Contacted Hosts
208.118.235.148
148.163.112.203
___

Fake 'Bill' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/pay-your-maintenance-bill-malspam-delivers-locky/
3 Nov 2016 - "... Locky downloader... an email telling you to pay your maintenance bill with the subject of 'Bill' coming as usual from random companies, names and email addresses with a semi-random named zip attachment starting with november_bill_ containing a VBS file that pretends to be a PDF... One of the emails looks like:
From: Ericka Oneill <Oneill000@ soundsolutionsrecording .com>
Date: Thu 03/11/2016 13:40
Subject: Bill
Attachment: november_bill_450e7d7f0.zip
Dear [redacted]
To continue using our maintenance service, please pay for last month’s fee by 4th of November.
The bill is attached in the email.
Please keep it for later purposes.
King Regards,
Ericka Oneill

3 November 2016: november_bill_450e7d7f0.zip: Extracts to: TN E3E6314.vbs - Current Virus total detections 8/55*
Manual analysis shows a download of a file from one of these locations:
http ://aurora.cdl-sc .org.br/gj789z
http ://davidart .com.tw/haa4vt4u
http ://artlab .co.il/hgm0chod
http ://dingeabyss .com/1jawie
http ://sehyokette.net/1t6ywcjb
... which is renamed by the script to a DLL (VirusTotal 8/57**). Payload Security***... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/534be16bf3610f3ec6f2138537c09cfc9306883d3230a33039c7873d95c50ccb/analysis/1478181547/

** https://www.virustotal.com/en/file/5cb3150d153b7f080468e1d008e7eea67a9e149406345c2eacd3353bd224b27a/analysis/1478181696/

*** https://www.hybrid-analysis.com/sample/534be16bf3610f3ec6f2138537c09cfc9306883d3230a33039c7873d95c50ccb?environmentId=100
Contacted Hosts
220.229.238.7
130.208.19.136
188.127.237.66
195.123.211.65
___

Fake 'Order' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/order-903644-acknowledgement-malspam-delivers-locky/
3 Nov 2016 - "... Locky downloader... an email with the subject of 'Order 903644 (Acknowledgement)' [random numbers] coming as usual from random companies, names and email addresses with a zip attachment that starts with several random letters then a series of numbers that matches the subject order number containing a VBS file... One of the emails looks like:
From: CORA FRANZKE <eml@ durellaw .com>
Date: Thu 03/11/2016 14:50
Subject: Order 903644 (Acknowledgement)
Attachment: jf903644.zip
Please find document attached

3 November 2016: jf903644.zip: Extracts to: KUnyn699-32121.vbs - Current Virus total detections 5/55*
Payload Security**...Manual analysis shows a download of a file from one of these locations
albakrawe-uae .com/i9jnrc
cosywall .pl/i9jnrc
eldamennska .is/i9jnrc
irk.24abcd .ru/i9jnrc
schuhdowdy .net/i9jnrc
teriisawa .com/i9jnrc
(VirusTotal 11/56***). C2 are 109.234.35.230 | 176.103.56.119 /message.php. This also uses the Tor network... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/c7770c386ace2153ab7c4e843b703af43ca20d5907f691c952ff1e2bea232e68/analysis/1478185057/

** https://www.hybrid-analysis.com/sample/c7770c386ace2153ab7c4e843b703af43ca20d5907f691c952ff1e2bea232e68?environmentId=100
Contacted Hosts
192.186.246.98
109.234.35.230
176.103.56.119
54.240.184.221
80.239.137.72

*** https://www.virustotal.com/en/file/0e969221c2e8d9c76a5ad863a80be2486a867ad8358bffd3a56158fcf7e3997e/analysis/1478192229/

:fear::fear: :mad:

AplusWebMaster
2016-11-04, 13:45
FYI...

Fake 'Please verify' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/i-have-proofread-the-technical-document-you-sent-malspam-delivers-locky/
4 Nov 2016 - "... Locky downloader... an email that pretends to be about proofreading the technical document you sent with the subject of 'Please verify' coming as usual from random companies, names and email addresses with a semi-random named zip attachment starting with tech_doc_ containing a VBS file... very similar to recent Locky malspam[1] where the download is an actual executable file, not an encrypted file needing decoding, although called a txt file. The VBS just -renames- it to the -dll- name... Payload Security report[2]...
1] https://myonlinesecurity.co.uk/please-review-malspam-delivers-locky-thor-version/
One of the emails looks like:
From: Coleen Barr <Barr84@ homedesigners171 .com>
Date: Fri 04/11/2016 09:49
Subject: Please verify
Attachment: tech_doc_dc405d482.zip
Hey [redacted], as you requested, I have proofread the technical document you sent.
There are some confused parts in it.
Please verify the parts highlighted in the attached document.
Best Wishes,
Coleen Barr

4 November 2016: tech_doc_dc405d482.zip: Extracts to: NRV4MO04.vbs - Current Virus total detections 10/55*
Manual analysis shows a download of a file from one of these locations:
http ://good-gamess .ru/qz7at0 | http ://astrotranspersonal .com.ar/rhiup3j | http ://goldendogs .nl/s6ymz2k
http ://bahutnorma .net/2pceo6 | http ://rangyinby .com/3ixr99t (VirusTotal 7/57**)...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/27967fcab0325dde16477f2820c13d0b7791b570685e7fe8fd5f3761e84c130e/analysis/1478253546/

** https://www.virustotal.com/en/file/76326e00f5c73deb873315e927e96a57b5509e774957e16f4bd5d7a905b5def1/analysis/1478253708/

2] https://www.hybrid-analysis.com/sample/8a4886a90e0088eea4d676fa6d3fa73c187c100a0edfe5219d3383faef1a5587?environmentId=100
___

Fake 'Payroll Payslip' SPAM - delivers Java Adwind
- https://myonlinesecurity.co.uk/spoofed-western-union-payroll-payslip-no-reply-malspam-delivers-java-adwind-jacksbot/
4 Nov 2016 - "... fake financial themed emails containing java adwind/Java Jacksbot Trojan attachments... can only be active or infect you -if- you have Sun/Oracle Java installed... The email looks like:
From: wu.paymaster@ westernunion .com <postmaster@ fanavaelecomp .com>
Date: Fri 04/11/2016 06:37
Subject: Payroll Payslip (NO-REPLY)
Attachment: Details.zip
Dear agent,
Attached is your payslip for the payroll period of 01 October 2016 to 01 November 2016.To view your Payslip, simply type in your Personal Password when asked for a password. If you did not submit your personal password, just type in your last name followed by the birthday (Format: MMddyyyy) and the last four (4) digits of your employee id number when asked for a password (e.g., ocampo011320141234). Please make sure to use lowercase letters, no spaces and no special characters when typing your password, name suffix is also part of your lastname...
Sincerely,
Accounting Department

4 November 2016: Payrol Payslip.jar (323 kb) - Current Virus total detections 17/56* - Payload Security**...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/925bf7321cf679d72ecdd8a26e4c5c34a494ea35e4672b6cd5f5fc844d297b62/analysis/1478239741/

** https://www.hybrid-analysis.com/sample/925bf7321cf679d72ecdd8a26e4c5c34a494ea35e4672b6cd5f5fc844d297b62?environmentId=100
Contacted Hosts
216.107.152.224

:fear::fear: :mad:

AplusWebMaster
2016-11-07, 14:08
FYI...

Fake 'Financial documents' SPAM - leads to Locky
- http://blog.dynamoo.com/2016/11/malware-spam-financial-documents-leads.html
7 Nov 2016 - "The never-ending Locky ransomware onslaught continues. This -fake- financial spam has a malicious attachment:
Subject: Financial documents
From: Judy Herman
To: [redacted]
Date: Monday, 7 November 2016, 10:53
Hi [redacted],
These financial documents need to be uploaded on the system.
Please let me know if you experience any technical problems.
Best Wishes,
Judy Herman

Sender names will probably vary. In the sample I saw there was an attachment named fin_docs_f73856f4.zip containing a malicious script NRV_A194008F_.vbs ... This particular script (and there will be others like it) attempts to download from:
http ://coachatelier .nl/lg8s2
http ://bechsautomobiler .dk/m8idi9j
http ://desertkingwaterproofing .com/ma4562
http ://zapashydro .net/6sgto2bd
http ://owkcon .com/6xgohg6i
According to this Hybrid Analysis*, the malware then phones home to:
195.123.211.229 /message .php [hostname: panteleev.zomro .com] (Layer6 Networks, Bulgaria / ITLDC, Latvia)
185.67.0.102 /message .php [hostname: endgo .ru] (Hostpro Ltd. / hostpro .com.ua, Ukraine)
188.65.211.181 /message .php (Knopp, Russia)
Recommended blocklist:
195.123.211.229
185.67.0.102
188.65.211.181 "
* https://www.hybrid-analysis.com/sample/7e7b5f1d4a9122a769993f0e35620319e504ac15e82a71d88d4f4934c5a6d198?environmentId=100
Contacted Hosts
141.138.169.200
195.123.211.229
185.67.0.102
188.65.211.181

- https://myonlinesecurity.co.uk/financial-documents-malspam-delivers-locky/
7 Nov 2016 - "... Locky downloader... an email with the subject of 'Financial documents' coming as usual from random companies, names and email addresses with a semi-random named zip attachment starting with fin_docs_ containing a VBS file... One of the emails looks like:
From: Delbert Mckay <Mckay8375@ purrfectsports .com>
Date: Mon 07/11/2016 10:57
Subject: Financial documents
Attachment: fin_docs_c605c39a.zip
Hi [redacted]
These financial documents need to be uploaded on the system.
Please let me know if you experience any technical problems.
Best Wishes,
Delbert Mckay

7 November 2016: fin_docs_c605c39a.zip: Extracts to: NRV_3O63MI_.vbs - Current Virus total detections 5/54*
Payload Security** shows downloads of a file from the same locations which is renamed by the script to qltoUhLp0.dll (VirusTotal 9/57***). C2 are:
188.65.211.181 | 185.67.0.102 | 195.123.211.229 .. all use /message.php ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/01714bc90522b34266f3dbaf74f3e6f4a9f97d1a76761c2980f608981eeee280/analysis/1478516808/

** https://www.hybrid-analysis.com/sample/01714bc90522b34266f3dbaf74f3e6f4a9f97d1a76761c2980f608981eeee280?environmentId=100
Contacted Hosts
213.176.241.230
188.65.211.181
185.67.0.102
195.123.211.229

*** https://www.virustotal.com/en/file/692bf3cf0829c5717aafa65a3fc76a2c8be84529fbdbd6959da7083f9e1771d0/analysis/1478517111/
___

Fake 'Scanned image' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/spoofed-scanned-image-from-mx2310uyour-own-email-domain-malspam-delivers-locky/
7 Nov 2016 - "... Locky downloader... an email with the subject of 'Scanned image' from MX2310U@ your-own email domain pretending to come from office@ your-own email domain with a semi-random named zip attachment in the form of office@ your-own email domain _random numbers.zip containing a .JS file... One of the emails looks like:
From: office@ ...
Date: Mon 07/11/2016 14:16
Subject: Scanned image from MX2310U@ ...
Attachment: office@ ...zip
Reply to: office@ ... <office@ ...>
Device Name: MX2310U@ ...
Device Model: MX-2310U
Location: Reception
File Format: PDF MMR(G4)
Resolution: 200dpi x 200dpi
Attached file is scanned image in PDF format...

7 November 2016: office@ ...zip: Extracts to: JYF16212-1319.js - Current Virus total detections 8/53*
Payload Security** shows a download of an encrypted file from henrytye .com /hgf65g?ymWrOm=LeFqAxKmfIY
which is renamed by the script to bRewBexBO1.dll ...
C2: 81.177.180.53 /message.php and 176.103.56.120 /message.php. Unfortunately the free web version of Payload Security does not give the actual downloaded file... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/42463692f4dba0a50fb1e457632295b83f829b413aef68f7e4f8ba533aec6317/analysis/1478531957/

** https://www.hybrid-analysis.com/sample/42463692f4dba0a50fb1e457632295b83f829b413aef68f7e4f8ba533aec6317?environmentId=100
Contacted Hosts
103.6.196.80
81.177.27.222
176.103.56.120
81.177.180.53
52.34.245.108
52.222.171.240
___

Fake 'Scan' SPAM - more Locky
- https://myonlinesecurity.co.uk/sent-with-genius-scan-for-ios-malspam-delivers-even-more-locky/
7 Nov 2016 - "... Locky downloader... an email with the subject of '[Scan] 2016-1107 17:29:49' coming as usual from random companies, names and email addresses with a zip attachment named after todays date and a time containing a wsf file... One of the emails looks like:
From: MAURICIO BLUM <mauricio.blum.72@ tullochcapital .com>
Date: Mon 07/11/2016 22:30
Subject: [Scan] 2016-1107 17:29:49
Attachment: 2016-1107 17-29-49.zip
Sent with Genius Scan for iOS.

7 November 2016: 2016-1107 17-29-49.zip: Extracts to: UNA516807-3039.wsf - Current Virus total detections 8/55*
MALWR** and Payload Security*** both show a download of an encrypted file from
http ://futuregroup .cz/98ynhce?IspgpFMAU=eJftALCrAxBwhich is converted by the script to
cflaTvC1.dll (VirusTotal 11/56[4]). C2: http ://81.177.27.222 /message.php and 176.103.56.120 /message.php ...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/09340a9933b9d6080fd98f81214fb34cdae5d6b85c6f28ffe9a2dbab67d0aada/analysis/1478558924/

** https://malwr.com/analysis/YTBhZmU3ZjJhZTA4NDFlMDgwZGVmODMxMjBhZTU3OGU/
Hosts
85.207.99.25
81.177.27.222

*** https://www.reverse.it/sample/09340a9933b9d6080fd98f81214fb34cdae5d6b85c6f28ffe9a2dbab67d0aada?environmentId=100
Contacted Hosts
85.207.99.25
81.177.27.222
176.103.56.120
52.222.157.74

4] https://www.virustotal.com/en/file/94da93f36182f5d8da8cb3e9b45bbfe23ef5e0a21cef07a0d917bfae3be7324a/analysis/1478556970/
___

Fake 'American Express' phish
- https://myonlinesecurity.co.uk/important-notice-information-regarding-your-cardmembership-american-express-phishing/
7 Nov 2016 - "... American Express phishing email...

Screenshot: https://i1.wp.com/myonlinesecurity.co.uk/wp-content/uploads/2016/11/American-Express-Important-Notice-Information-Regarding-Your-CardMembership.png?fit=1223%2C1033&ssl=1

... shows a website that looks like this included in a frame so it is never actually on your computer at all.
(I had to split the screenshot into 2 parts to get all the information they want, Which is a lot more than normal.)
>> https://i0.wp.com/myonlinesecurity.co.uk/wp-content/uploads/2016/11/GENAU03002117.png?resize=1024%2C625&ssl=1

>>> https://i0.wp.com/myonlinesecurity.co.uk/wp-content/uploads/2016/11/GENAU03002117_part2.png?resize=1024%2C548&ssl=1

... It will NEVER be a genuine email from American Express or any other bank or credit card company so don’t ever follow the links or fill in the html (webpage) form that comes attached to the email... All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email or click-the-link in the email.."

:fear::fear: :mad:

AplusWebMaster
2016-11-08, 13:28
FYI...

Fake 'Parcel2Go' SPAM - delivers malware
- https://myonlinesecurity.co.uk/25024552-parcel2go-delivery-announce-delivers-malware/
8 Nov 2016 - "An email with the subject of '#25024552 Parcel2go delivery announce' (random numbers) pretending to come from random senders with a -link- to Google Drive that downloads a malicious word doc delivers malware... The link is still live at the time of posting despite being reported yesterday to Google...

Screenshot: https://i2.wp.com/myonlinesecurity.co.uk/wp-content/uploads/2016/11/25024552-Parcel2go-delivery-announce.png?resize=1024%2C743&ssl=1

8 November 2016: parchel2go567313.doc - Current Virus total detections 3/54*
Both MALWR** and Payload Security*** show a connection to & download from
http ://findserviceapp .com.br/mr6.exe but only Payload Security actually managed to retrieve the malware but doesn’t describe it as malicious, only describing it as informative... (VirusTotal 6/56[4])... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/874b5b645a4af4010e200ddcd28953777e3822f8012a377b48d01e2428e1a2e6/analysis/1478535435/

** https://malwr.com/analysis/ZDkxODRlYmM1MDQ1NDZjZDllZTc4NzE2ZGRlOWY5MTA/
Hosts
192.185.208.115

*** https://www.hybrid-analysis.com/sample/874b5b645a4af4010e200ddcd28953777e3822f8012a377b48d01e2428e1a2e6?environmentId=100
Contacted Hosts
192.185.208.115

4] https://www.virustotal.com/en/file/6e7785213d6af20f376a909c1ecb6c9bddec70049764f08e5054a52997241e3d/analysis/1478602406/
___

Fake 'Statement' SPAM - leads to Locky
- http://blog.dynamoo.com/2016/11/malware-spam-statement-leads-to-locky.html
8 Nov 2016 - "Another terse fake financial spam leading to Locky ransomware:
Subject: Statement
From: accounts@ somedomain .tld
Date: Tuesday, 8 November 2016, 10:59
For your Information.

The sender domain varies. Attached is a ZIP file with a name similar to Statement PDF - 56765041263.zip which in turn contains a malicious WSF script... named in a format similar to SLM245260-0214.wsf. Hybrid Analysis* of this one sample shows a download occurring from:
gpstrackerbali .com/67j5hg?LzQWruaaLHv=dIYfuCrkfcG
There will no doubt be many other locations, if I get more information then I will post it here. The script drops a DLL with a detection rate of 14/56** and the malware appears to phone home to:
185.118.66.90 /message.php (vpsville.ru, Russia)
158.69.223.5 /message.php (OVH, Canada)
Recommended blocklist:
185.118.66.90
158.69.223.5 "
* https://www.hybrid-analysis.com/sample/bd1186a197812bf4421e4d78fac1e6bba9bb48447552057820078616a0c867ac?environmentId=100
Contacted Hosts
219.83.68.90
185.118.66.90
158.69.223.5
52.34.245.108
52.85.209.44

** https://virustotal.com/en/file/7e6c08f576eeef7c44558fdfc8c6961de15d16d15ab5cf8615951084a5960007/analysis/1478605400/

- https://myonlinesecurity.co.uk/statement-malspam-pretending-to-come-from-accounts-random-senders-delivers-locky/
8 Nov 2016 - "... Locky downloader... an email with the subject of 'Statement' coming from accounts@ random companies, names and email addresses with a semi-random named zip attachment starting with Statement PDF containing a WSF file... One of the emails looks like:
From: accounts@ energycontrol .gr
Date: Tue 08/11/2016 10:58
Subject: Statement
Attachment: Statement PDF – 9022558992.zip
For your Information.

8 November 2016: Statement PDF – 9022558992.zip: Extracts to: SLM245260-0214.wsf - Current Virus total detections 9/55*
Payload Security** shows a download of an encrypted file from
http ://gpstrackerbali .com/67j5hg?LzQWruaaLHv=dIYfuCrkfcG which is converted by the script to
GMbsdHBsIX1.dll (VirusTotal 14/56***)... A list of alternative download sites so far discovered by another researcher[4] has been posted on pastebin[5]... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/bd1186a197812bf4421e4d78fac1e6bba9bb48447552057820078616a0c867ac/analysis/1478604149/

** https://www.hybrid-analysis.com/sample/bd1186a197812bf4421e4d78fac1e6bba9bb48447552057820078616a0c867ac?environmentId=100
Contacted Hosts
219.83.68.90
185.118.66.90
158.69.223.5
52.34.245.108
52.85.209.44

*** https://www.virustotal.com/en/file/7e6c08f576eeef7c44558fdfc8c6961de15d16d15ab5cf8615951084a5960007/analysis/1478604056/

4] https://twitter.com/Racco42/status/795949000352497664

5] http://pastebin.com/VGvZafjs
___

Fake 'Suspicious movements' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/suspicious-movements-malspam-referencing-u-s-office-of-personnel-management-delivers-locky/
8 Nov 2016 - "... Locky downloader... an email that pretends to be a notification from U.S. Office of Personnel Management with the subject of 'Suspicious movements' coming as usual from random companies, names and email addresses with a semi-random named zip attachment in the format of pdf_recipients name_random numbers.zip containing a .JS file... One of the emails looks like:
From: Cristobal Johns <Johns.Cristobal@ autoimmunkrankheit .de>
Date: Tue 08/11/2016 12:17
Subject: Suspicious movements
Attachment: pdf_forum_534e144e2.zip
Dear[redacted], Angel from the bank notified us about the suspicious movements on out account.
Examine the attached scanned record. If you need more information, feel free to contact me.

King regards,
Cristobal Johns
Account Manager ...
U.S. Office of Personnel Management
1265 E Street, NW
Washington, DC 20415-1000

8 November 2016: pdf_forum_534e144e2.zip: Extracts to: NRV_AM00I_.js - Current Virus total detections 6/55*
MALWR** shows a download of a file from http ://dowfrecap .net/3muv7 which is renamed by the script to a DLL and autorun (VirusTotal 9/57***)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/1f96de60845e00107df0dca41bbafc43f0de0d7ee877b7aa81d044ed07ff332b/analysis/1478607538/

** https://malwr.com/analysis/YmJmMjg2Y2E5NTc4NGFhMzk4MDgzNzhhMDYzN2Q0Nzk/
Hosts
67.171.65.64

*** https://www.virustotal.com/en/file/b4666da4baaa120e4995e5838c74f794a02bbdf813f1985ebb9a72114a1f0ba6/analysis/1478609031/

- http://blog.dynamoo.com/2016/11/malware-spam-suspicious-movements-leads.html
8 Nov 216 - "This fake financial spam leads to Locky ransomware:
Subject: Suspicious movements
From: Marlene Parrish
Date: Tuesday, 8 November 2016, 12:52
Dear [redacted], Leroy from the bank notified us about the suspicious movements on out account.
Examine the attached scanned record. If you need more information, feel free to contact me.
---
King regards,
Marlene Parrish
Account Manager...
U.S. Office of Personnel Management
1189 E Street, NW
Washington, DC 20415-1000

The names, addresses and telephone numbers will vary from message to message. Attached is a ZIP file (e.g. pdf_recipient_3608c4a.zip) which contains a malicious javascript (e.g. NRV_J51E8_.js)... That particular script downloads a malicious component from one of the following locations:
vexerrais .net/6sbdh
centinel .ca/wkr1j6n
3-50-90 .ru/u4y5t
alpermetalsanayi .com/vuvls
flurrbinh .net/6mz3c5q
There will probably be other download locations. This Hybrid Analysis* and this Malwr report** show the Locky ransomware in action. This version of Locky does not appear to use C2 servers, but instead drops a malicious DLL with an MD5 of 75e6faf192d00b296d89df2cd56c454a and a detection rate of 9/56***."
* https://www.hybrid-analysis.com/sample/abf1b500588148f48e628f8f941ce44fcbcd3457ceb045a51be40dba641cc169?environmentId=100
Contacted Hosts
67.171.65.64
52.34.245.108
52.85.184.253

** https://malwr.com/analysis/NGFjZjIxNDVkNmY2NDNiZWFlMDE4ZjI1YzEwMTZmNzc/
Hosts
213.176.241.230

*** https://virustotal.com/en/file/79d4121c1286129c193dce22c23fae9e44b6f06bc53ebe566345db044d9c6bc6/analysis/1478613989/
___

Fake 'Order' SPAM - more Locky
- https://myonlinesecurity.co.uk/order-88222889-malspam-delivers-even-more-locky/
8 Nov 2016 - "... Locky onslaught continues... an email with the extremely generic subject of 'Order 88222889 (random numbers)' coming as usual from random companies, names and email addresses with a random named zip attachment containing a WSF file... One of the emails looks like:
From: TUAN LILLIE <eml@ woolleymarket .com>
Date: Tue 08/11/2016 16:12
Subject: Order 88222889
Attachment: jAlR88222889.zip
Please find document attached

8 November 2016: jAlR88222889.zip: Extracts to: XWZ429433-2034.wsf - Current Virus total detections 10/55*
MALWR** shows a download of an encrypted file from
http ://inzt .net/67j5hg?nrxLhJ=HYkWYO -or- http ://all-kaigo .com/67j5hg?nrxLhJ=HYkWYO
which is converted by the script to woxUgKy2.dll (VirusTotal 12/56***). C2: http ://158.69.223.5 /message.php...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/eed1469d0ce13290f8151b3833de27c473cafeec97cf3aa9f7b060d1ba968613/analysis/1478621842/

** https://malwr.com/analysis/YTMzZjdhYmYyOWE0NDk3YTgwN2JkOWE2NjM2YmI5NTE/
Hosts
219.94.203.182
193.24.220.4
185.118.66.90
158.69.223.5

*** https://www.virustotal.com/en/file/a2fd8099409d19ca43a86e0580f2ac19e178b1032696ac259c0e72874aa2fed9/analysis/1477647176/

:fear::fear: :mad:

AplusWebMaster
2016-11-09, 13:09
FYI...

Fake 'Amazon order' SPAM - leads to Locky
- http://blog.dynamoo.com/2016/11/malware-spam-your-amazoncom-order-has.html
9 Nov 2016 - "Overnight there has been a massive -fake- Amazon spam run leading to Locky ransomware:
From: Amazon Inc [auto-shipping27@ amazon .com]
Date: 8 November 2016 at 23:10
Subject: Your Amazon .com order has dispatched (#021-3323415-8170076)
Dear Customer,
Greetings from Amazon.com,
We are writing to let you know that the following item has been sent using DHL Express.
For more information about delivery estimates and any open orders, please visit...
Your order #021-3323415-8170076 (received November 8, 2016)
Your right to cancel ...

All the versions I have seen contain those same formatting errors. Details vary from message to message (e.g. carrier, reference numbers). Attached is a malicious ZIP file (e.g. ORDER-608-0848796-6857907.zip) containing a malicious javascript file (e.g. F-9295287522-9444213500-201611165156-2601.js)... My usual source (thank you) tells me that the various scripts download a component...
(Long list of domain-names at the dynamoo URL above.)
... It appears to drop a malicious DLL with a detection rate of 32/56*. The following C2 servers have been identified:
85.143.212.23 /message.php (PrdmService LLC, Russia)
158.69.223.5 /message.php (OVH, Canada)
UPDATE: According to the Hybrid Analysis** the dropped Locky binary actually has an MD5 of ad6fb318002df4ffc80795cc31d529b4 and a detection rate of 28/56***.
Recommended blocklist:
85.143.212.23
158.69.223.5 "
* https://virustotal.com/en/file/7e6c08f576eeef7c44558fdfc8c6961de15d16d15ab5cf8615951084a5960007/analysis/

** https://www.hybrid-analysis.com/sample/f8c0330e2b6f001221bc59d6dd9a7b009c89e445d944423ce048ee9eb6f61ea9?environmentId=100
Contacted Hosts
5.9.189.68
85.143.212.23
158.69.223.5
52.34.245.108
52.222.157.37
61.213.151.43

*** https://virustotal.com/en/file/57a0f81246a70462028c1adf1b5d8f02580845084e12a5edf3652bb2d9b2077d/analysis/1478684633/

- https://myonlinesecurity.co.uk/your-amazon-com-order-has-dispatched-malspam-delivers-locky/
8 Nov 2016 - "... Locky downloader... an email with the subject of 'Your Amazon .com order has dispatched (#324-3101580-5413719) [random numbers]' pretending to come from Amazon .com <auto-shipping6@ amazon .com>... The js file inside the zip and the downloaded Locky file are identical to this slightly earlier malspam run[1]...
1] https://myonlinesecurity.co.uk/fax-transmission-malspam-delivers-locky/
One of the emails looks like:
From: Amazon .com <auto-shipping6@ amazon .com>
Date: Thu 01/09/2016 19:22
Subject: Your Amazon .com order has dispatched (#324-3101580-5413719)
Attachment: ORDER-324-3101580-5413719.zip
Dear Customer,
Greetings from Amazon .com,
We are writing to let you know that the following item has been sent using DHL Express.
For more information about delivery estimates and any open orders, please visit...
Your order #324-3101580-5413719 (received November 8, 2016)
Your right to cancel...

1] 8 November 2016: F-9456818814-1332384076-201611050929-1010.zip: Extracts to: F-8526972159-4046871521-201611111127-2039.js
Current Virus total detections 12/55*. MALWR** shows a download of an encrypted file from
http ://masiled .es/7845gf?ukORpqyil=ukORpqyil which is converted by the script to
ukORpqyil1.dll (VirusTotal 14/57***). C2 http ://158.69.223.5 /message.php... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/1d53eea74370ea0b1135a6191f3e6b10111fbba9acdedd8de81f1ac205b04de7/analysis/1478643166/

** https://malwr.com/analysis/MWMwYzNkNjI0NGMzNDhkYmE0MDhmOGM3YWVkZjJlNTQ/
Hosts
185.76.77.219
158.69.223.5

*** https://www.virustotal.com/en/file/57a0f81246a70462028c1adf1b5d8f02580845084e12a5edf3652bb2d9b2077d/analysis/1478643306/
___

Fake 'FedEx' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/fedex-we-could-not-deliver-your-parcel-malspam-now-delivering-locky-ransomware/
9 JNov 2016 - "... Locky downloader... an email with the subject of 'We could not deliver your parcel, #551196' (random numbers) pretending to come from -FedEx- Standard Overnight with a malicious word doc downloading Locky... The email looks like:
From: FedEx Standard Overnight <cbrecareers@ cbre .com>
Date: Wed 09/11/2016 07:50
Subject: We could not deliver your parcel, #551196
Attachment: FedEx.doc
Hello,
We could not deliver your item. Please, download Delivery Label attached to this email.
Kaja Helscher – Area Manager FedEx , CA
Regards

9 November 2016: FedEx.doc - Current Virus total detections 18/55*
Payload Security** shows a download from http ://perfectionbm .top/ll/ldd.php which is saved as 0.7055475 and autorun by the macro (VirusTotal 9/55***). Payload Security[4]. C2 are 51.255.107.6 /message.php and
81.177.27.222 /message.php... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/4665c9d5c277cacd3d02dbde9068383608010efaff0bb0651e6434c45e79c387/analysis/1478674872/

** https://www.hybrid-analysis.com/sample/4665c9d5c277cacd3d02dbde9068383608010efaff0bb0651e6434c45e79c387?environmentId=100
Contacted Hosts
46.22.220.32
51.255.107.6
81.177.27.222

*** https://www.virustotal.com/en/file/fff3094bafb300e7c3c589421da75d1db142ea8201ebd32071bb9af8e1b5bb55/analysis/1478676422/

4] https://www.hybrid-analysis.com/sample/fff3094bafb300e7c3c589421da75d1db142ea8201ebd32071bb9af8e1b5bb55?environmentId=100
Contacted Hosts
51.255.107.6
81.177.27.222
___

Fake 'Account temporarily suspended' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/account-temporarily-suspended-malspam-delivers-locky/
9 Nov 2016 - "... Locky downloader... an email with the subject of 'Account temporarily suspended' coming as usual from random companies, names and email addresses with a semi-random named zip attachment in the format of recipients name_random numbers.zip containing a .JS file... One of the emails looks like:
From: Ethan Talley <Talley.Ethan@ glycomicscenter .com>
Date: Wed 09/11/2016 09:43
Subject: Account temporarily suspended
Attachment: ea00ba32a5.zip
Dear Customer.
You have exceeded the limit of operations on your credit card.
Thus, we have temporarily blocked your account.
The full itemization of transactions and instructions are given in the document attached to this message.
Best regards.

9 November 2016: hp_printer_e1b837ff1.zip: Extracts to: 6011290KI.js - Current Virus total detections 8/55*
MALWR** shows a download of a file from http ://locook .com/n8kacjjc which is renamed by the script to hC0VoiB2fRYyoJt8.dll (VirusTotal 9/57***). Payload security[4] shows C2 81.177.26.136 | 185.118.164.125
95.46.8.109 /message.php... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/34e7db96d92427129ff291dc560eb4e493293934623c1488d877bcaa178b70e1/analysis/1478684678/

** https://malwr.com/analysis/YmE0OTAyYjU2NWRkNGY2ZmIzZDVkM2MwODRlODM5YTQ/
Hosts
123.57.33.148

*** https://www.virustotal.com/en/file/e6a049854bc79f2a622406532db3b574f4dc840cff3097b0f76435903965ed32/analysis/1478685279/

4] https://www.hybrid-analysis.com/sample/34e7db96d92427129ff291dc560eb4e493293934623c1488d877bcaa178b70e1?environmentId=100
Contacted Hosts
123.57.33.148
67.171.65.64
81.177.26.136
185.118.164.125
95.46.8.109

- http://blog.dynamoo.com/2016/11/malware-spam-account-temporarily.html
9 Nov 2016 - "This -fake- financial spam leads to Locky ransomware:
From: Nicole Roman
Date: 9 November 2016 at 10:44
Subject: Account temporarily suspended
Dear Customer.
You have exceeded the limit of operations on your credit card.
Thus, we have temporarily blocked your account.
The full itemization of transactions and instructions are given in the document attached to this message.
Best regards.

The name of the sender varies. In the sample I looked at, the attachment was named after the recipient plus a random number, containing a randomly-named malicious .js script... That particular script attempts to download a binary... This Hybrid Analysis* and this Malwr report** show a DLL being dropped with an MD5 of f86d98b1a67952f290c550db1c0bdcbc and a detection rate of 9/56***..."
* https://www.hybrid-analysis.com/sample/043c88441157aea9fc7e2937a72bb52ef0ac12f11a7ef368ef4b4b8995956973?environmentId=100
Contacted Hosts
67.171.65.64
52.32.150.180
54.230.197.17
63.245.215.95
52.35.54.251

** https://malwr.com/analysis/MWIzNjZiZjYyZWY2NGExZGI0YzU2ZTY3MDMzNzA4NGQ/
Hosts
67.171.65.64

*** https://virustotal.com/en/file/a5ec68acee9b36b677afe5234a4b0fed65dbbea193fae40963e8aa679c9108b7/analysis/1478689362/
___

Fake 'E-bill' SPAM - leads to Locky
- http://blog.dynamoo.com/2016/11/malware-spam-shell-fuel-card-e-bill.html
9 Nov 2016 - "This spam has an interestingly malformed subject, however the attachment leads to Locky ransomware:
Subject: Shell Fuel Card E-bill 8089620 for Account (rnd(B,S,F,H,A,D,C,N,M,L)}}776324 08/11/2016
From: KELLY MOORHOUSE (kelly.moorhouse@ edbn .org)
Date: Wednesday, 9 November 2016, 12:52
KELLY MOORHOUSE
Last & Tricker Partnership
3 Lower Brook Mews
Lower Brook Street
Ipswich Suffolk IP4 1RA
T: 01473 252961 F: 01473 233709 M: 07778464004 ...

Sender names vary, but the error in the subject persists in all versions. Attached is a ZIP file with a name beginning with "ebill" (e.g. ebill209962.zip) which contains a malicious .WSF script (e.g. 18EQ13378042.wsf)... For one sample script, the Hybrid Analysis* and Malwr report** indicate a binary is downloaded from one of the following locations:
alamanconsulting .at/0ftce4?aGiszrIV=gRLYYDHSna
naka-dent .mobi/0ftce4?aGiszrIV=gRLYYDHSna
This drops a malicious DLL with an MD5 of c1b0b1fb4aa56418ef48421c58ad1b58 and a detection rate of 13/56***.
85.143.212.23 /message.php (PrdmService LLC, Russia)
158.69.223.5 /message.php (OVH, Canada)
These are the same C2s as seen here[4]."
* https://www.hybrid-analysis.com/sample/56976392c070533cf79d0ed154557baaada34b5a00a42258512d3c8294f90743?environmentId=100
Contacted Hosts
185.98.7.100
120.136.10.80
85.143.212.23
158.69.223.5
52.32.150.180
52.85.184.199

** https://malwr.com/analysis/ZGI5ZGEyYTFiMTIyNDNjOTg4ZmZhNmNjMGM5YmRjMTU/
Hosts
185.98.7.100
120.136.10.80
85.143.212.23
158.69.223.5

*** https://virustotal.com/en/file/32a248553f993f13600a89700827eedf1a59b34b0da46cf4c22cc29e7f412141/analysis/1478698613/

4] http://blog.dynamoo.com/2016/11/malware-spam-your-amazoncom-order-has.html

:fear::fear: :mad:

AplusWebMaster
2016-11-10, 14:16
FYI...

Fake 'Receipt' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/locky-delivered-by-fake-receipt-attachment-in-blank-email-from-spoofed-gmail-addresses/
10 Nov 2016 - "... Locky downloader... a -Blank- email with the subject of 'Receipt 93-241363' (random numbers) pretending to come from random names @ Gmail.com with a zip attachment containing a WSF file... One of the emails looks like:
From: brianna.simister@ gmail .com
Date: Thu 10/11/2016 10:14
Subject: Receipt 93-241363
Attachment: Receipt 93-241363.zip

Body content: Totally empty/Blank

10 November 2016: Receipt 93-241363.zip: Extracts to: FGNTHQ253308.wsf - Current Virus total detections 8/55*
MALWR** shows a download of an encrypted file from http ://livinghealthyworld .com/845yfgh?nivGYcwhUYT=mCDCzF
which is converted by the script to idJsCdj1.dll (VirusTotal 8/55***). C2 http ://107.181.174.34 /message.php...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/a4e2b4dd079cded1657b799f6f65d461236fcd98e80dce6970869b8f129f5d19/analysis/1478772972/

** https://malwr.com/analysis/ZTRmMTQ2ZjZhMWM2NGUyNTkyNTNlZTE5MmU2ZGU0ZDE/
Hosts
104.37.35.78
107.181.174.34

*** https://www.virustotal.com/en/file/94318246828e60488656f0315bb6b9965be755d54e3564b70335a89fd51419b3/analysis/1478773545/
___

Fake 'Document' SPAM - more Locky
- https://myonlinesecurity.co.uk/locky-delivered-by-document-from-attachment-in-blank-email-from-spoofed-gmail-addresses/
10 Nov 2016 - "... Locky downloader... a -blank- email with the subject of 'Document from Amparo' (random names) pretending to come from random names @ Gmail .com with a zip attachment containing a WSF file... One of the emails looks like:
From: Amparo ormerod <Amparo734987@ gmail .com>
Date: Thu 10/11/2016 14:38
Subject: Document from Amparo
Attachment: DOC-20161110-WA000458.zip

Body content: Totally empty/blank

10 November 2016: DOC-20161110-WA000458.zip: Extracts to: RPPMS171825.wsf - Current Virus total detections 8/55*
Payload Security** shows a download of an encrypted file from
project-group .pro/845yfgh?eKSrkxbtC=rewwnkHmjMh which is converted by the script to idJsCdj1.dll
(VirusTotal 11/56***). C2 107.181.174.34 /message.php and others... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/faa5eb0b920e8af1baa804a80187831a4f224c9a48b0abeeb9613f1308c35b10/analysis/1478793348/

** https://www.hybrid-analysis.com/sample/faa5eb0b920e8af1baa804a80187831a4f224c9a48b0abeeb9613f1308c35b10?environmentId=100
Contacted Hosts
185.43.5.211
188.127.237.175
86.110.117.244
107.181.174.34
85.143.212.23
69.195.129.70
52.84.13.31
74.216.233.251
52.35.54.251
71.19.173.112
165.254.32.128
23.4.187.27

*** https://www.virustotal.com/en/file/d7f6d727a2ec4eab8a4aca816bbea770078f6f428f5c902e27ae36a00551ca2e/analysis/1478794808/
___

Ransomware doesn’t mean 'game over'
- https://blog.malwarebytes.com/101/2016/11/ransomware-doesnt-mean-game-over/
Nov 10, 2016 - "... Over the course of just a few years, this threat has evolved from an annoying pop-up to a screen freezer that utilizes disturbing imagery to a sophisticated malicious program that encrypts important files. New technologies are popping up all the time that combat the ransomware issue, however most (if not all) require active protection -before- you get infected. But what do you do if your company has already been infected?... at least in the criminal’s eyes, once a user gets infected, there is no recovery option other than paying the ransom. Also, victims actually pay-the-ransom directly to the criminal, cutting out any need for middlemen or having to sell piles of stolen credit card information on darknet forums... It’s likely that the future of ransomware will include things like blackmail (threats to post trade secrets or company intel online or releasing customer information), more aggressive infection and AV evasion techniques, and better target identification—all techniques that we know how to combat. However, while the news of how to stop the malware is spreading, millions of people are still going to get infected because they didn’t 'get the memo'...
> Option 1: Backups: ... make -sure- you keep some kind of file history enabled in your -backup- solution so you can revert to a previous backup if necessary. Also, utilize off-site and/or cloud backups[1] rather than storing everything on a network drive, since many ransomware families are capable of reaching through mapped connections and connected drives to encrypt files outside of the victim HD...
1] http://www.csoonline.com/article/3075385/backup-recovery/will-your-backups-protect-you-against-ransomware.html
> Option 2: Decryption: ... If you get hit once, your files are encrypted and there is nothing you can do about it — or so many people think. Thanks to the diligent efforts of our information security community, there are actually many decryptors available online[2]. This software, when matched with the correct ransomware family, can decrypt files for free...
2] https://www.nomoreransom.org/
> Option 3: Negotiate: ... At the end of the day, the bad guys just want to get paid, which means that historically they have been open to negotiating and returning a few files for a smaller amount of profit. To be absolutely clear, I do -not- endorse or support paying cybercriminals the ransom. However, it has to be understood that for some folks, the loss of files would be far more damaging than just paying the ransom fee...
> Conclusion: So there you have it, the three methods, outside of utilizing modern anti-ransomware security software to prevent infection, that can help you recover from a ransomware attack. They might not be absolute solutions, but anything is better than losing valuable data to cybercriminals. Maybe knowing how disappointing the recovery methods are for a ransomware attack will motivate some folks to actually use proactive protection and anti-ransomware technology, which remains the best option for fighting ransomware infection* -not- allowing the malware to encrypt your files in the first place."
* https://www.malwarebytes.com/pdf/infographics/ransomware-infographic.pdf?utm_source=blog&utm_medium=social

:fear::fear: :mad:

AplusWebMaster
2016-11-11, 15:07
FYI...

Fake 'Tech Support Order' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/locky-delivered-by-malspam-technical-support-order/
11 Nov 2016 - "... Locky downloader... an email with the subject of 'Order' pretending to come from Technical Support at random companies, and email addresses with zip attachment in the format of order_ < recipients name >.zip containing a .js file... One of the emails looks like:
From: Technical Support <Hogan.Terrance@ dl0349 .screaming .net>
Date: Fri 11/11/2016 11:42
Subject: Order
Attachment: order_scans.zip
Dear Customer
The item you’ve ordered is on delay due to the unknown problem regarding your bank account you paid from.
Please check you data in the attachment as soon as you can.
Best Wishes,
Terrance Hogan
Technical Support

11 November 2016: order_scans.zip: Extracts to: -91Q99QFW2H2-.js - Current Virus total detections 7/55*
Manual analysis shows a download of a file from one of these locations:
http ://g2el .com/grj2qqih | http ://gusi .biz/gu7h38t | http ://nsrcconsulting .com/dumu1sl
http ://thirlnak .net/5crdsr | http ://scupwail .com/5ghkmmf which is renamed by the script and autorun
(VirusTotal 10/57**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/f9c85ea854224c918d8e69f4f30e4cc662177da1777260ab1fc60e3e499f6b4f/analysis/1478866769/

** https://www.virustotal.com/en/file/9696edf496836fd7fc28fdc0d73acfceb7f2cf789ee11f9aec55e8b9c97f7be8/analysis/1478865179/

g2el .com: 167.88.3.113: https://www.virustotal.com/en/ip-address/167.88.3.113/information/
gusi .biz: 88.85.81.9: https://www.virustotal.com/en/ip-address/88.85.81.9/information/
nsrcconsulting .com: 113.197.39.189: https://www.virustotal.com/en/ip-address/113.197.39.189/information/
thirlnak .net: 67.171.65.64: https://www.virustotal.com/en/ip-address/67.171.65.64/information/
213.176.241.230: https://www.virustotal.com/en/ip-address/213.176.241.230/information/
scupwail .com: 213.176.241.230
67.171.65.64
___

Blank or NO subject SPAM - malformed/broken email delivers Locky
- https://myonlinesecurity.co.uk/locky-delivered-by-damaged-malformed-broken-malspam-with-no-subject/
11 Nov 2016 - "... Locky downloader... a damaged/malformed/broken email with either a -blank- subject line or the subject of <no subject> coming as usual from random companies, names and email addresses with a semi-random named zip attachment in the format of todays date and loads of random numbers containing a .JS file. Despite the delivered email being malformed or damaged, the actual attachment works fine and will encrypt your computer if you open or run the .js file inside the zip...

Screenshot: https://i1.wp.com/myonlinesecurity.co.uk/wp-content/uploads/2016/11/broken_locky_email.png?resize=1024%2C965&ssl=1

11 November 2016: 20161111174617885403.zip: Extracts to: 201611111333125461862851.js
Current Virus total detections 10/55*. MALWR** shows a download of an encrypted file from
http ://ibluegreen .com/487ygfh?hpuarlLJK=hpuarlLJK which is converted by the script to hpuarlLJK1.dll
(VirusTotal 9/57***). C2: http ://85.143.212.23 /message.php ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/bd7fb1c37ad757b3a6fd5b5b0bb2f8ea2c37677fd115477afca22ebd62ebbdab/analysis/1478868610/

** https://malwr.com/analysis/ODM5YmZkNDg4ODJhNGU4OWE4MmJjNDRlYjBjMDMzZGQ/
Hosts
222.231.31.195: https://www.virustotal.com/en/ip-address/222.231.31.195/information/
85.143.212.23: https://www.virustotal.com/en/ip-address/85.143.212.23/information/

*** https://www.virustotal.com/en/file/b37ad160678ea1e516a0b0d019ff065662509afcdcef7d84bfe102a428b14cea/analysis/1478867406/
___

Fake 'Virtual card' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/locky-delivered-by-virtual-card-malspam/
11 Nov 2016 - "... Locky downloader... an email with the subject of 'Virtual card' coming as usual from random companies, names and email addresses with a zip attachment in the format of virtualcard_recipient name.zip containing a .js file... One of the emails looks like:
From: Carmella Sandoval <Sandoval.Carmella@ usstidewater .org>
Date:Fri 11/11/2016 18:37
Subject: Virtual card
Attachment: virtualcard_wellsybolujou.zip
Dear Client! A virtual card you have ordered is now ready but not active.
In order to activate it, please open the attached document and specify your personal data when it’s possible.

11 November 2016: virtualcard_wellsybolujou.zip: Extracts to: 6KO1G7XU-3827P1594ZITKI6G51.js
Current Virus total detections 7/55*. Manual analysis shows a download of a file from one of these locations:
spoiltgirlsclub .com/x6usth1 | eddermiaul .net/2yr5egml | mangdesign .com/ud7gv4 | hzcysw .net/u1qmyaw
darbyreis .com/39hv30q9 which is renamed by the script (VirusTotal 11/57**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/a88b9cb8f791d2030d7e6e269fed97f4095b9b15f04bdbac325ad7a6d7e1401c/analysis/1478889495/

** https://www.virustotal.com/en/file/8c9abd6446f67381bb21c4062bee685ec4115ea8e7ae5bb3b9ee7ab038864476/analysis/1478889911/

spoiltgirlsclub .com: 64.69.219.91: https://www.virustotal.com/en/ip-address/64.69.219.91/information/
eddermiaul .net: 213.176.241.230: https://www.virustotal.com/en/ip-address/213.176.241.230/information/
67.171.65.64: https://www.virustotal.com/en/ip-address/67.171.65.64/information/
mangdesign .com: 121.40.24.159: https://www.virustotal.com/en/ip-address/121.40.24.159/information/
hzcysw .net: 116.255.152.112: https://www.virustotal.com/en/ip-address/116.255.152.112/information/
darbyreis .com: 213.176.241.230
67.171.65.64
___

Malicious SPAM volume hits two year high
- https://www.helpnetsecurity.com/2016/11/11/malicious-spam-volume/
Nov 11, 2016 - "According to the Kaspersky Lab Spam and Phishing in Q3 report*, the company’s products blocked 73,066,751 attempts to attack users with malicious attachments. This is the largest amount of malicious spam since the beginning of 2014 and is a 37 percent increase compared to the previous quarter. The majority of those attachments were ransomware Trojan downloaders:
> https://www.helpnetsecurity.com/images/posts/kaspersky-112016-spam.jpg
... the percentage of spam in global email traffic in September hit an all-time high for the year so far at 61.25 percent..."
* https://securelist.com/analysis/quarterly-spam-reports/76570/spam-and-phishing-in-q3-2016/
Proportion of spam in email traffic
> https://cdn.securelist.com/files/2016/11/spam_q3_2016_eng_11.png
Sources of spam by country
>> https://cdn.securelist.com/files/2016/11/spam_q3_2016_eng_12.png
Countries -targeted- by malicious mailshots
>>> https://cdn.securelist.com/files/2016/11/spam_q3_2016_eng_15.png
___

Ransomware doesn’t mean 'game over'
- https://blog.malwarebytes.com/101/2016/11/ransomware-doesnt-mean-game-over/
Nov 10, 2016 - "... Over the course of just a few years, this threat has evolved from an annoying pop-up to a screen freezer that utilizes disturbing imagery to a sophisticated malicious program that encrypts important files. New technologies are popping up all the time that combat the ransomware issue, however most (if not all) require active protection -before- you get infected. But what do you do if your company has already been infected?... at least in the criminal’s eyes, once a user gets infected, there is no recovery option other than paying the ransom. Also, victims actually pay-the-ransom directly to the criminal, cutting out any need for middlemen or having to sell piles of stolen credit card information on darknet forums... It’s likely that the future of ransomware will include things like blackmail (threats to post trade secrets or company intel online or releasing customer information), more aggressive infection and AV evasion techniques, and better target identification—all techniques that we know how to combat. However, while the news of how to stop the malware is spreading, millions of people are still going to get infected because they didn’t 'get the memo'...
> Option 1: Backups: ... make -sure- you keep some kind of file history enabled in your -backup- solution so you can revert to a previous backup if necessary. Also, utilize off-site and/or cloud backups[1] rather than storing everything on a network drive, since many ransomware families are capable of reaching through mapped connections and connected drives to encrypt files outside of the victim HD...
1] http://www.csoonline.com/article/3075385/backup-recovery/will-your-backups-protect-you-against-ransomware.html
> Option 2: Decryption: ... If you get hit once, your files are encrypted and there is nothing you can do about it — or so many people think. Thanks to the diligent efforts of our information security community, there are actually many decryptors available online[2]. This software, when matched with the correct ransomware family, can decrypt files for free...
2] https://www.nomoreransom.org/
> Option 3: Negotiate: ... At the end of the day, the bad guys just want to get paid, which means that historically they have been open to negotiating and returning a few files for a smaller amount of profit. To be absolutely clear, I do -not- endorse or support paying cybercriminals the ransom. However, it has to be understood that for some folks, the loss of files would be far more damaging than just paying the ransom fee...
> Conclusion: So there you have it, the three methods, outside of utilizing modern anti-ransomware security software to prevent infection, that can help you recover from a ransomware attack. They might not be absolute solutions, but anything is better than losing valuable data to cybercriminals. Maybe knowing how disappointing the recovery methods are for a ransomware attack will motivate some folks to actually use proactive protection and anti-ransomware technology, which remains the best option for fighting ransomware infection -not- allowing the malware to encrypt your files in the first place."

:fear::fear: :mad:

AplusWebMaster
2016-11-12, 18:33
FYI...

Fake -Blank- SPAM - delivers Locky
- https://myonlinesecurity.co.uk/locky-delivered-by-blank-email-with-double-zipped-attachment/
12 Nov 2016 - "... Locky downloader... a blank email with the subject of '18026 sandra' pretending to come from r.gaffney@ mmu. ac.uk with a zip attachment containing -another- zip that eventually extracts to a .JS file that delivers Locky... One of the emails looks like:
From: r.gaffney@ mmu. ac.uk
Date: Thu 01/09/2016 19:22
Subject: 18026 sandra
Attachment: MESSAGE_43437218629_sandra.zip

Body content: completely empty/blank

12 November 2016: MESSAGE_43437218629_sandra.zip: which extracts to ALERT_23367_ZIP.zip which in turn extracts to: ALERT_23367.js - Current Virus total detections 7/54*
Payload Security shows a download of a file from www .parametersnj .top/user.php?f=1.dat which gave user.exe
(VirusTotal 3/57**). Payload Security***. C2 107.181.174.34 | 85.143.212.23 | 185.82.217.29 | 107.181.174.34
all using /message.php... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/11ca353248442da2bdf025f30fddd9fdb767b943cba4c8d74b45bb8dd6df87b8/analysis/1478957028/

** https://www.virustotal.com/en/file/3daa6cad3276de7d48de3ec93c57dda2eb364306c3ee190d09f04bd92d82a08e/analysis/1478957725/

*** https://www.hybrid-analysis.com/sample/3daa6cad3276de7d48de3ec93c57dda2eb364306c3ee190d09f04bd92d82a08e?environmentId=100
Contacted Hosts
107.181.174.34
85.143.212.23
185.82.217.29
52.32.150.180
52.222.171.99
35.160.111.237
77.109.131.232

:fear::fear: :mad:

AplusWebMaster
2016-11-15, 13:54
FYI...

Fake 'EFax' SPAM - delivers Trickbot banking Trojan
- https://myonlinesecurity.co.uk/trickbot-banking-trojan-delivered-by-spoofed-efax-malspam-pretending-to-come-from-scanner-your-own-email-address/
15 Nov 2016 - "An email pretending to be an EFax delivery message with the subject of 'You have recevied a message' pretending to come from Fax Scanner <scanner@ victim domain .tld> with a malicious word doc delivers the latest Trickbot banking Trojan...

Screenshot: https://i1.wp.com/myonlinesecurity.co.uk/wp-content/uploads/2016/11/faxscanner-spoofed-efax.png?resize=1024%2C373&ssl=1

15 November 2016: Message efax system-1332.doc - Current Virus total detections 4/54*
Payload Security shows a download from ‘http :// www .tessaban .com/admin/images/ldjslfjsnot.png’ which is renamed by the macro script to wer5.exe and autorun (Payload Security **) (VirusTotal 9/56***)
tessaban .com 61.19.247.54 has been used for malware spreading for some time now and really needs blocking
[1] [2] [3] [4]... DO NOT follow the advice they give to enable macros or enable editing to see the content...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/e55787eaf33cf1c66ccf0fbcefb2e6100df7f8459b41f7dd83cad731d2917684/analysis/1479191384/

** https://www.hybrid-analysis.com/sample/0fbcf007f230bf0c3ab424c805312b1234c442336ab081af7d6b0ea072df717d?environmentId=100
Contacted Hosts
78.47.139.102
193.107.111.164
81.177.13.236
185.86.77.224

*** https://www.virustotal.com/en/file/0fbcf007f230bf0c3ab424c805312b1234c442336ab081af7d6b0ea072df717d/analysis/1479185920/

1] https://virustotal.com/en/url/d517f6363af4ae167dcb14a21611177c06f513e1d550fb954d274e0ca964077a/analysis/1479194525/

2] http://95.34.115.158/report.php?id=1478197500549
IP: 61.19.247.54

3] https://virustotal.com/en/url/3e835d9cb4aac1bfda3d6764458295e86c7db6831e373a864ccaffa27dfdefd0/analysis/1479194687/

4] http://95.34.115.158/report.php?id=1479194667714
IP: 61.19.247.54

:fear::fear: :mad:

AplusWebMaster
2016-11-16, 14:40
FYI...

Fake 'MoneyGram' SPAM - deliver java jacksbot
- https://myonlinesecurity.co.uk/java-jacksbot-delivered-by-spoofed-moneygram-international-malspam/
16 Nov 2016 - "... -fake- financial themed emails containing java adwind or Java Jacksbot attachments... The email looks like:
From: GGCC Payment Discrepancy <GGCCPaymentDiscrepancy@ gmail .com>
Date: Wed 16/11/2016 06:08
Subject: Second request of Confirmation of payment, ref 3748155
Attachment: REVIEW AND RELEASE TRANSACTION.zip (contains 2 identical java.jar files Branch Spreadsheet.jar and Cash Report.jar)
Good afternoon,
We need your assistance in obtaining documents for this transaction. The customer claims the funds were not received and we are conducting an investigation. Please provide the following documents:
Receive documents
Customers identification (if available)
Any other information the agent may have
Attached are the transaction details.
In order to satisfy the customers claim we must receive the documentation no later than 18th November 2016. Failure to do so may result in a debit to your account. Please notify us immediately should you encounter any delays.
*Also be sure to include the reference number in the subject field/body of email to avoid duplicate emails.*
Thank you,
Ilona Karamon
Resolution Assurance Analyst I
MoneyGram International
P: 18003285678 ext: 582134
MoneyGram International
KBC, Konstruktorska 13
Warsaw, 02-673 Poland ...

16 November 2016: Branch Spreadsheet.jar (323 kb) - Current Virus total detections 22/56*
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/660bbbecca7063a6d7ec8476ddb2a6572d67d4e60887724e8cdc743abd605efb/analysis/1479280071/
___

Fake 'QuickBooks' SPAM - delivers Dridex
- https://myonlinesecurity.co.uk/dridex-delivered-via-spoofed-quickbooks-invoice-00482-imitating-random-companies/
16 Nov 2016 - "... an email with the subject of 'Invoice 00482' from Orrell Filtration Ltd (random companies) with a -link- in the email body to download a zip file that downloads Dridex banking Trojan... which delivers Invoice 00482.zip which extracts to Invoice 00482.js...

Screenshot: https://i2.wp.com/myonlinesecurity.co.uk/wp-content/uploads/2016/11/Invoice-00482-from-Orrell-Filtration-Ltd.png?resize=1024%2C688&ssl=1

16 November 2016: Invoice 00482.zip: Extracts to: Invoice 00482.js - Current Virus total detections 2/54*
Payload Security** shows a download of a file from www .rtbh.bravepages .com/images/Manual.pdf which is -not- a pdf but a renamed .exe file which in turn is renamed by the script to GYGMgcC.exe (VirusTotal 10/56***). (Payload Security[4])... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/ba3c5b75998083faaeb3bb1d1a9cb9884047a180a4e70517981e91693b4f9cfd/analysis/1479298844/

** https://www.hybrid-analysis.com/sample/ba3c5b75998083faaeb3bb1d1a9cb9884047a180a4e70517981e91693b4f9cfd?environmentId=100
Contacted Hosts
69.27.174.10
45.124.64.220
110.138.108.142
72.249.45.71
216.234.115.137

*** https://www.virustotal.com/en/file/5da26d73d08903a72a372571e1d69441daca62b93b226a7ed01559860274233b/analysis/1479299700/

4] https://www.hybrid-analysis.com/sample/5da26d73d08903a72a372571e1d69441daca62b93b226a7ed01559860274233b?environmentId=100
Contacted Hosts
45.124.64.220
110.138.108.142
72.249.45.71
216.234.115.137
___

Fake 'Tax Refund' Phish
- http://blog.dynamoo.com/2016/11/phishing-office-365-tax-refund-service.html
16 Nov 2016 - "Microsoft Office 365 offering a tax refund service? Really? No, of course not, it's a phishing scam..

Screenshot: https://4.bp.blogspot.com/-pDmYR6qA9zw/WCw_ItN2_XI/AAAAAAAAJJM/99ICglTD0qYlrXfjIvauuYUy08vscKiWwCLcB/s1600/office-365-tax.png

The link in the email leads to updatemicrosoftonline .com on 89.248.168.13 (Quasi Networks LTD, Seychelles). Despite the email and the domain name it leads to an HMRC-themed phishing page:
> https://1.bp.blogspot.com/-TXxXnPQl6Dw/WCxCSXGYjjI/AAAAAAAAJJc/b3iew0KU3G0reIcHIW0mFXClfFSyOnk-wCLcB/s1600/hmrc-phish.png
This multi-phish page has -twelve- UK banks set up on it:
Barclays, Halifax, HSBC, Lloyds Bank, NatWest, Royal Bank of Scotland, Santander, TSB, Metro Bank, Clydesdale Bank, The Co-Operative Bank, Tesco Bank..
Clicking on any of the links goes to a pretty convincing looking phish page, personalised for each bank and carefully extracting all the information they need for account theft. The screenshots below are the sequence if you choose TSB bank:
> https://4.bp.blogspot.com/-iciyhkhyYlM/WCxFVqhqikI/AAAAAAAAJJo/EdWpGbGdWuAr29vhZfThPKHBwQ-dRkspgCLcB/s1600/tsb-phish-1.png
(More examples shown at the 1st dynamoo URL at the top.)
... Once you have entered all the information, the process appears to -fail- and you are directed to a genuine HMRC site instead. A list of sites found in 89.248.168.0/24 can be found... I suggest that the entire network range looks questionable and should be -blocked-."
___

'Mega' attacks on the Rise
- http://fortune.com/2016/11/15/akamai-ddos-report/
Nov 15, 2016 - "... hackers knocking websites offline with massive floods of Internet traffic is nothing new. But the pattern of these so-called DDoS attacks (for “distributed denial of service”) is changing, according to a new report* from internet provider Akamai...
* https://content.akamai.com/pg7426-pr-soti-report.html
... the overall number of DDoS attacks has not risen significantly in 2016, but that the force of these attacks is increasing. Akamai says it confronted 19 “mega attacks” in the third quarter of this year, including the two biggest it has ever encountered in history... The prime targets for the -19- “mega” attacks, which Akamai defines as those that reach over 100 Gbps, were media and entertainment companies, though gaming and software firms were also hit. The two record-breaking attacks, reaching 623 Gbps and 555 Gbps, were directed at security blogger Brian Krebs. The attacks succeeded in taking down Krebs’ website until Jigsaw, a unit of Google’s parent company Alphabet... deployed its Project Shield service to deflect the attack. The reason for this recent surge in mega attacks is tied to security defects in the 'Internet of things'. This involves hackers taking over millions of everyday devices connected to the Internet — especially DVRs, security cameras and home routers — and conscripting them to be part of a botnet army, known as Mirai. Mirai gained widespread notoriety in October, after hackers briefly used it to obstruct consumers’ access to popular sites like Amazon and Twitter, and many of the devices under its control are still compromised. As Akamai suggests, the 'Internet of Things' problem may just be beginning..."

:fear::fear: :mad:

AplusWebMaster
2016-11-17, 13:54
FYI...

Fake 'Sage Invoice' SPAM - delivers Trickbot
- https://myonlinesecurity.co.uk/trickbot-banking-trojan-delivered-by-spoofed-sage-outdated-invoice/
17 Nov 2016 - "An email with the subject of ' pretending to come from 'Sage Invoice' with a malicious word doc delivers Trickbot banking Trojan... sageinvoices .com / sage-invoice .com /sage-invoices .com are all newly created -yesterday- ... domains sending these emails include:
Sage Invoice <service@ sage-invoices .com>
Sage Invoice <service@ sage-invoice .com>
Sage Invoice <service@ sageinvoice .com> ...

Screenshot: https://i0.wp.com/myonlinesecurity.co.uk/wp-content/uploads/2016/11/outdated-sage-invoice.png?resize=1024%2C689&ssl=1

17 November 2016: SageInvoice.doc - Current Virus total detections 3/54*
Payload Security** shows a download from http ://delexdart .com/images/gfjfgklmslifdsfnln.png which is not a png file but a renamed .exe file which is renamed by the macro to scsadmin.exe and auto run using PowerShell (VirusTotal ***)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/6f5f73e8917c99da56ce48d7f9a0cecd969aee6023ce04841a623aaed4681da2/analysis/1479380615/

** https://www.hybrid-analysis.com/sample/6f5f73e8917c99da56ce48d7f9a0cecd969aee6023ce04841a623aaed4681da2?environmentId=100
Contacted Hosts
182.50.132.43
78.47.139.102
193.107.111.164
81.177.13.236
185.86.77.224

*** https://www.virustotal.com/en/file/528a19217a78adbea6b0caa72534dda0ec024d24943dcabcee364f627afb4f91/analysis/1479381072/

sage-invoices .com: 50.63.202.56: https://www.virustotal.com/en/ip-address/50.63.202.56/information/
sage-invoice .com: 184.168.221.34: https://www.virustotal.com/en/ip-address/184.168.221.34/information/
sageinvoice .com: 50.63.202.34: https://www.virustotal.com/en/ip-address/50.63.202.34/information/
//

- http://blog.dynamoo.com/2016/11/malware-spam-sage-invoice-servicesage.html
17 Nov 2016 - "This -fake- financial spam leads to Trickbot banking trojan...

Screenshot: https://3.bp.blogspot.com/-swzy7zLG5Yg/WC2YTD1Y_-I/AAAAAAAAJKw/MQbLx3R8vXMIOu-6MYUFix1yxQCQfiGUACLcB/s1600/sage-trickbot.png

Attached is a malicious Word document named SageInvoice.doc with a detection rate of 3/54*. Hybrid Analysis** shows malicious network traffic to:
substan.merahost .ru/petrov.bin [185.86.77.224] (Mulgin Alexander Sergeevich aka gmhost .com.ua, Ukraine)
A malicious file scsnsys.exe is dropped with a detection rate of 8/53***.
The domain sage-invoices .com has been registered by criminals for this action, presumably to allow encrypted end-to-end communication... I recommend that you -block- traffic from that domain or check your filters to see who may have it.
Recommended blocklist:
sage-invoices .com
185.86.77.0/24 "
* https://virustotal.com/en/file/79ff976c5ca6025f3bb90ddfa7298286217c21309c897e6b530603d48dea0369/analysis/

** https://www.hybrid-analysis.com/sample/79ff976c5ca6025f3bb90ddfa7298286217c21309c897e6b530603d48dea0369?environmentId=100
Contacted Hosts
61.19.247.54
78.47.139.102
193.107.111.164
81.177.13.236
185.86.77.224

*** https://virustotal.com/en/file/528a19217a78adbea6b0caa72534dda0ec024d24943dcabcee364f627afb4f91/analysis/
___

Fake 'Please check' SPAM - delivers Trickbot
- https://myonlinesecurity.co.uk/please-check-the-information-malspam-tries-to-deliver-trickbot-banking-trojan/
17 Nov 2016 - "... an email with the subject of 'Please check the information-3878358' (random numbers) pretending to come from random names at your-own-email-domain that tries to deliver Trickbot banking Trojan... tessaban .com 61.19.247.54 has been used for malware spreading for some time now and really needs blocking [1]...
1] https://virustotal.com/en/url/d517f6363af4ae167dcb14a21611177c06f513e1d550fb954d274e0ca964077a/analysis/1479194525/
One of the emails looks like:
From: Brigitte Guidry <Brigitte.Guidry@ victim domain .tld >
Date: Thu 17/11/2016 02:48
Subject: Please check the information-3878358
Attachment: invoice_2222.zip
Hi,
I have attached an invoice-4654 for you.
Regards,
Brigitte Guidry

17 November 2016: invoice_2222.zip: Extracts to: invoice_1711.js - Current Virus total detections 2/54*
MALWR** shows an attempted download of a file from http ://www .tessaban .com/admin/images/ospspps.png currently giving a 404 not found which should be renamed by the script to an .exe file... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/40679f44e4d62b42b621a3450f51b5fa5a706796cbe2d203e1dc128fa4d511e8/analysis/1479370770/

** https://malwr.com/analysis/YjU2ZGMzNTU3OWQzNDQ5ZmI0NTU5Njk0ZmZiNWQxYzI/
Hosts
61.19.247.54: https://www.virustotal.com/en/ip-address/61.19.247.54/information/
> https://virustotal.com/en/url/d517f6363af4ae167dcb14a21611177c06f513e1d550fb954d274e0ca964077a/analysis/
___

Fake AMEX Phish
- https://myonlinesecurity.co.uk/please-activate-your-personal-security-key-american-express-phishing/
17 Nov 2016 - "... The subject is 'Please activate your Personal Security Key' coming from American Express
<welcome@ amex-mails .com>. Additional sending addresses so far found include:
Amex-mails .com | amexmails .com | amex-emails .com | amexmails .com
were -all- registered -today- by surprise, surprise: Godaddy .com. They currently do not have an IP number associated with them. When they were received, the emails came from:
172.99.87.130 - San Antonio Texas US AS27357 Rackspace Hosting ...
The weird thing is the emails appear -blank- when opened in Outlook, but using view source I can see the email in its full glory, including the links-to-click to get to the-phishing-site... A screenshot of the html is:
> https://i1.wp.com/myonlinesecurity.co.uk/wp-content/uploads/2016/11/american_express_safe_key.png?fit=678%2C913&ssl=1
Alternative links in emails go to:
http :// amexsafekeys .com | http ://americanexpressafekey .com | http ://amex-mails .com
| http:// amexmails .com
aexpsafekeys .com was registered -yesterday- 16 November 2016 and hosted on these IP addresses:
95.163.127.249 | 188.227.18.142 which look like they belong to a -Russian- network.
http ://amexsafekeys .com was also registered -yesterday- by the same Russian name and hosted on same IP addresses: 188.227.18.142 | 95.163.127.249
http ://americanexpressafekey .com also registered -yesterday- same IP addresses. Following the link to aexpsafekeys .com, you get a typical phishing page like this, where they want all the usual information about you, your family and bank/credit cards etc.:
> https://i2.wp.com/myonlinesecurity.co.uk/wp-content/uploads/2016/11/amex_phishing_safe_key.png?resize=1024%2C603&ssl=1 "

95.163.127.249: https://www.virustotal.com/en/ip-address/95.163.127.249/information/
> https://www.virustotal.com/en/url/405d0ea0bdc36a69248d08b5adf16a73312feb311bfb81654e0d1023f21c2a5d/analysis/
188.227.18.142: https://www.virustotal.com/en/ip-address/188.227.18.142/information/
> https://www.virustotal.com/en/url/405d0ea0bdc36a69248d08b5adf16a73312feb311bfb81654e0d1023f21c2a5d/analysis/

104.168.87.178: https://www.virustotal.com/en/ip-address/104.168.87.178/information/
> https://www.virustotal.com/en/url/405d0ea0bdc36a69248d08b5adf16a73312feb311bfb81654e0d1023f21c2a5d/analysis/

:fear::fear: :mad:

AplusWebMaster
2016-11-18, 12:55
FYI...

Fake 'Western Union' SPAM - delivers jacksbot Trojan
- https://myonlinesecurity.co.uk/java-jacksbot-delivered-by-spoofed-western-union-malspam-final-warning-for-sending-limit-breach/
18 Nov 2016 - "... an email with the subject of 'FINAL WARNING FOR SENDING LIMIT BREACH' pretending to come from Western Union – Agent Support Team <emeagentsupports.westernunion@ gmail .com> delivers java Adwind / Java Jacksbot...

Screenshot: https://i0.wp.com/myonlinesecurity.co.uk/wp-content/uploads/2016/11/FINAL-WARNING-FOR-SENDING-LIMIT-BREACH..png?resize=1024%2C624&ssl=1

18 November 2016: Exceeded Limit Spreadsheet.exe - Current Virus total detections 15/57*
Payload Security** shows lots of files being dropped/extracted from this file which is renamed by itself to winlogin.exe and in turn drops a multitude of identical xml files and a java.jar file which is Java Jacksbot (VirusTotal 23/56***)... All 3 links (there is one behind the image) go to:
http ://webkamagi .com/admin/images/Send Limit Exceeded.html where you see this screenshot that starts off with a circle and the words scanning and ends up looking like this that auto-downloads a file from:
http ://gicfamily .org/admin/file/Exceeded%20Limit%20Spreadsheet.exe (if for some reason it doesn’t auto-download then the download button delivers the malware):
> https://i1.wp.com/myonlinesecurity.co.uk/wp-content/uploads/2016/11/nortonscan.png?w=863&ssl=1
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/a7d17122ff9a948d7b21464f75ce7644d44307c20c3536385ec0926e913d32d4/analysis/1479432563/

** https://www.hybrid-analysis.com/sample/a7d17122ff9a948d7b21464f75ce7644d44307c20c3536385ec0926e913d32d4?environmentId=100
Contacted Hosts
216.107.152.224

*** https://www.virustotal.com/en/file/ae1d631a0b15512070779c6ace1239eacbc695be20d558fc5c99b864ce7f7288/analysis/1479453441/
___

Ransomware hits record levels
- https://www.helpnetsecurity.com/2016/11/18/encryption-ransomware-hits-record-levels/
Nov 18, 2016 - "The amount of phishing emails containing a form of ransomware grew to 97.25 percent during the third quarter of 2016 up from 92 percent in Q1:
> https://www.helpnetsecurity.com/images/posts/phishme-112016-1.jpg
PhishMe’s Q3 2016 Malware Review identified three major trends previously recorded throughout 2016, but have come to full fruition in the last few months:
Locky continues to dominate: While numerous encryption ransomware varieties have been identified in 2016, Locky has demonstrated adaptability and longevity.
Ransomware encryption: The proportion of phishing emails analyzed that delivered some form of ransomware has grown to 97.25 percent, leaving only 2.75 percent of phishing emails to deliver all other forms of malware utilities. Increase in deployment of ‘quiet malware’: PhishMe identified an increase in the deployment of remote access Trojan malware like jRAT, suggesting that these threat actors intend to remain within their victims’ networks for a long time. During the third quarter of 2016, PhishMe Intelligence conducted 689 malware analyses, showing a significant increase over the 559 analyses conducted during Q2 2016. Research reveals that the increase is due, in large part, to the consistent deployment of the Locky encryption ransomware. Locky executables were the most commonly-identified file type during the third quarter, with threat actors constantly evolving the ransomware to focus on keeping this malware’s delivery process as effective as possible...
> https://www.helpnetsecurity.com/images/posts/phishme-112016-2.jpg
While ransomware dominates the headlines, PhishMe’s Q3 Malware Review reveals that other forms of malicious software delivered using remote access Trojans, keyloggers and botnets still represent a significant hazard in 2016. Unlike ransomware, so-called ‘quiet malware’ is designed to avoid detection while maintaining a presence within the affected organization for extended periods of time. While only 2.75 percent of phishing emails delivered non-ransomware malware, the diversity of unique malware samples delivered by these emails far exceeded that of the more numerous ransomware delivery campaigns..."
> http://phishme.com/2016-q3-malware-review/

:fear::fear: :mad:

AplusWebMaster
2016-11-21, 14:42
FYI...

Fake 'Spam mailout' SPAM - delievers Locky
- https://myonlinesecurity.co.uk/locky-delivered-by-spoofed-isp-you-have-been-sending-spam-notifications/
21 Nov 2016 - "... Locky downloader... an email pretending to come from an ISP, saying that you have been sending spam with the subject of 'Spam mailout' coming as usual from random companies, names and email addresses with a semi-random named zip attachment in the form of logs_recipients name.zip... Locky has changed the encrypted file extension to .aesir - See:
- https://myonlinesecurity.co.uk/locky-changed-to-use-aesir-file-extension-and-changed-c2-format/
"... Locky has changed the encrypted file extension to .aesir as well as the C2 to “/information.cgi”. I am also informed there is a slight change to the name of the ransomware notification file that they drop on your desktop. It appears to now be _[number]-INSTRUCTION.html "
One of the emails looks like:
From: Lula Mcmahon <Mcmahon.Lula@ mtsallstream .net>
Date:Mon 21/11/2016 07:37
Subject: Spam mailout
Attachment: logs_hajighasem1c.zip
Dear hajighasem1c
We’ve been receiving spam mailout from your address recently.
Contents and logging of such messages are in the attachment.
Please look into it and contact us.
Best Regards,
Lula Mcmahon
ISP Support ...

21 November 2016: logs_hajighasem1c.zip: Extracts to: M9JJW0NTAD20O3-D53D73LEXZG60.js
Current Virus total detections 6/55*. Payload Security** and MALWR*** shows a download of an encrypted file from:
iproaction .com/utg8md which is renamed by the script to 2INuijvClpaC.dll (VirusTotal 6/57[4]). C2 have changed in these & they now post to 46.8.29.175 /information.cgi. Other C2's in the Payload security report...
... difficult to see the changed extension to .aesir until you look at:
- https://www.hybrid-analysis.com/sample/7d8f69106ca48bd9c3946487e9c0bce95347a6705487b23bc2df7e3d51469ba0?environmentId=100
and scroll down to Installation/Persistance and then dropped files...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/8fc9010aed6eef1f19989975c768c0b2136d2e274015dca64c15a8c5f4dd045d/analysis/1479717501/

** https://www.hybrid-analysis.com/sample/8fc9010aed6eef1f19989975c768c0b2136d2e274015dca64c15a8c5f4dd045d?environmentId=100
Contacted Hosts
194.28.173.247
213.32.66.16
91.219.28.51
46.8.29.175
52.32.150.180
54.192.46.61
95.101.81.97

*** https://malwr.com/analysis/YzU5ODQxMzQyZTI3NDhkMzgzZTc0ZDE0ZTdkZmYyY2U/
Hosts
194.28.173.247

4] https://www.virustotal.com/en/file/d11a86c4a7fbcee8bbae385237b521bb141d5e3c4e70ca9082d61a54c7aec6f3/analysis/1479718456/
___

Fake 'Amazon' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/locky-delivered-by-spoofed-your-amazon-com-order-has-dispatched/
21 Nov 2016 - "... email with the subject of 'Your Amazon .com order has dispatched (#713-7377848-7745100)
(random numbers) pretending to come from Amazon Inc <auto-shipping4@ amazon .com> with a zip attachment matching the subject. It looks like -Locky has- changed the encrypted file extension to .aesir as well as the C2 to “/information.cgi”... One of the emails looks like:
From: Amazon Inc <auto-shipping4 @amazon .com>
Date: Mon 21/11/2016 09:40
Subject: Your Amazon .com order has dispatched (#713-7377848-7745100)
Attachment: ORDER-713-7377848-7745100.zip
Dear Customer,
Greetings from Amazon .com,
We are writing to let you know that the following item has been sent using Royal Mail.
For more information about delivery estimates and any open orders, please visit...
Your order #713-7377848-7745100 (received November 20, 2016)
Note: this e-mail was sent from a notification-only e-mail address that can=
not accept incoming e-mail. Please do not reply to this message.=20
Thank you for shopping at Amazon .com ...

21 November 2016: ORDER-713-7377848-7745100.zip: Extracts to: KBDGUB350132.js
Current Virus total detections 11/55*. MALWR** shows a download of an encrypted file from
http ://jmltda .cl/hfvg623?wCTlMeE=wCTlMeE which is renamed by the script to wCTlMeE1.dll
(VirusTotal 9/57***). C2 are http :// 89.108.73.124 /information.cgi | http :// 91.211.119.98 /information.cgi
http ://185.75.46.73 /information.cgi. Payload Security [4]shows the same... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/7d8f69106ca48bd9c3946487e9c0bce95347a6705487b23bc2df7e3d51469ba0/analysis/1479721475/

** https://malwr.com/analysis/YzI3OTk0NmJkZGRiNDlkY2EyZGQzMjdiMGRlMWMzZjY/
Hosts
186.103.213.249
91.211.119.98
185.75.46.73
89.108.73.124

*** https://www.virustotal.com/en/file/bf5f0715cf5d9c66cffff00811738fa50ade225a4eb26f828e160a5c977388b1/analysis/1479721490/

4] https://www.hybrid-analysis.com/sample/7d8f69106ca48bd9c3946487e9c0bce95347a6705487b23bc2df7e3d51469ba0?environmentId=100
Contacted Hosts
186.103.213.249
89.108.73.124
91.211.119.98
185.75.46.73
52.42.26.69
54.192.46.93
35.160.111.237
___

Fake 'LogMein' SPAM - leads to Hancitor/Vawtrak
- http://blog.dynamoo.com/2016/11/malware-spam-your-logmeincom.html
21 Nov 2016 - "This -fake- financial spam leads to malware:
From: billing@ secure-lgm .com
Date: 21 November 2016 at 18:35
Subject: Your LogMein.com subscription has expired!
Dear client,
You are receiving this message because your subscription for LogMeIn Central has expired.
We were not able to charge you with the due amount because your credit card was declined.
You can download the bill directly from the LogMeIn website ...
Please use another credit card or payment method in order to avoid complete service interruption.
Event type: Credit Card Declined
Account email: [redacted] .com
At: 21/11/2016...
© LogMeIn Inc

The link in the email actually goes to a page at reg .vn /en/view_bill.php?id=encoded-email-address (where the last part is the email address in Base 64 encoding). It downloads a malicious document lgm_bill69290.doc with a current detection rate of 8/55*. Automated analysis [1] [2] shows malicious network traffic... A malicious executable is dropped with a detection rate of 7/57**. The payload appears to be Hancitor/Vawtrak. The domain secure-lgm .com appears to have been created for the purposes of sending the email... probably fake WHOIS details...
Recommended blocklist:
95.215.111.222
newaronma .com
libinvestusa .com "
* https://www.virustotal.com/en/file/fc1f1845e47d4494a02407c524eb0e94b6484045adb783e90406367ae20a83ac/analysis/

1] https://malwr.com/analysis/NGZlMzFkMzYzZTZmNDcyNWE2ODM4ODNhNTQ1ZGM4YmQ/
Hosts
95.215.111.222
54.197.251.22
69.89.31.104

2] https://www.hybrid-analysis.com/sample/fc1f1845e47d4494a02407c524eb0e94b6484045adb783e90406367ae20a83ac?environmentId=100
Contacted Hosts
95.215.111.222
54.235.212.238
69.89.31.104

** https://www.virustotal.com/en/file/70dfe7e80ad1f4736e62a556085c9c31389be62b5187a72c1edac0df17447dbe/analysis/
inst.exe
___

Something evil on 64.20.51.16/29...
- http://blog.dynamoo.com/2016/11/something-evil-on-6420511629-customer.html
21 Nov 2016 - "I wrote about this evil network on 64.20.51.16/29 (a customer of Interserver, Inc) over a year ago*, identifying it as a hotbed of fraud. Usually these bad networks don't hang around for very long, but in this case it seems to be -very- persistent. This time it came to notice from a terse spam with a PDF attached:
From: Lisa Liang [ineedu98@ hanmail .net]
To: me@ yahoo .com
Date: 20 November 2016 at 23:23
Subject: 11/21/2016 Amended
FYI

Attached is a file Amended copy.pdf which when you open it (-not- recommended) looks blurry with "VIEW" in big red letters... The link-in-the-email goes to bit .ly/2fJbyol - if you put the "+" on the end of a Bitly link then you can see the number of -clickthroughs- and what the landing page is (www .serviceupgrade .tech/pdf.php in this case)... Clicking through gives you a login page for "Adobe PDF Online" which is of course a generic -phishing- page... Analysis of the 64.20.51.16/29 range finds -193- sites historically connected with it marked as being -phishing- or some other -malicious- activity. There are at least -284- sites currently within that range, of which the following are -both- hosted in that range currently and are malicious... 11% of the total sites in the range have been tagged by SURBL or Google as being -bad- and to be honest there are probably a LOT more but those services haven't caught up yet. In any case, there seems to be nothing of value in 64.20.51.16/29 and I strongly recommend that you -block- traffic to the entire range."
* http://blog.dynamoo.com/2015/09/evil-network-6420511629-interserver-inc.html

i.e.: serviceupgrade .tech: 64.20.51.22: https://www.virustotal.com/en/ip-address/64.20.51.22/information/
>> https://www.virustotal.com/en/url/7d2656f670e91593c788329a72959195bc3b1ad4fc79725760f6ee3c448e6402/analysis/

:fear::fear: :mad:

AplusWebMaster
2016-11-22, 12:59
FYI...

Fake 'Delivery status' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/locky-aesir-delivered-by-delivery-status-malspam/
22 Nov 2016 - "... Locky downloader... an email with the subject of 'Delivery status' coming as usual from random companies, names and email addresses with a semi-random named zip attachment in the format of document_recipients name .zip... One of the emails looks like:
From: Jocelyn Sears <Sears.Jocelyn@ teklinks .net>
Date: Tue 22/11/2016 07:20
Subject: Delivery status
Attachment: document_mrilw.zip
Dear Client! Our delivery department could not accept your operation due to a problem with your current account.
In order to avoid falling into arrears and getting charged, please fill out the document in the attachment as soon as possible and send it to us.

22 November 2016: document_mrilw.zip: Extracts to: R9SZO3SDB89J399GW52V80-N2AXBG71NVG2XT.js
Current Virus total detections 10/55*. MALWR** shows a download of a file from
http ://sadhekoala .com/lvqh1 which is converted by the script to 7wYxQEPdqwq.dll (VirusTotal 5/56***).
Payload Security [4]... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/3d0956e798b0763a612ff4deeeedda81ad79093ec73f46dc2cf391c67bf20737/analysis/1479802918/

** https://malwr.com/analysis/MTU1NGMyYWM3NWFmNGE1YjljN2U3MjAxOWVkMDMyNzk/
Hosts
67.171.65.64

*** https://www.virustotal.com/en/file/64f851d6e1c01fea1353c5fc5775cb1860529d4a13742652c656f9c4e461292c/analysis/1479803154/

4] https://www.hybrid-analysis.com/sample/3d0956e798b0763a612ff4deeeedda81ad79093ec73f46dc2cf391c67bf20737?environmentId=100
Contacted Hosts
67.171.65.64
188.120.250.138
213.32.66.16
91.201.202.130
95.213.186.93
52.32.150.180
52.85.184.60
35.160.111.237

- http://blog.dynamoo.com/2016/11/malware-spam-delivery-status-leads-to.html
22 Nov 2016 - "This -fake- financial spam leads to Locky ransomware:
Subject: Delivery status
From: Gilbert Hancock
Date: Tuesday, 22 November 2016, 8:51
Dear Client! Our delivery department could not accept your operation due to a problem with your current account.
In order to avoid falling into arrears and getting charged, please fill out the document in the attachment as soon as possible and send it to us.

In the sample I analysed there was an attachment named document_recipientname.zip (i.e. the first part of the recipient's email address was in the name), containing a malicious javascript with a random name. This particular script (and there are probably many others) attempts to download a component... According to this Malwr analysis*, a malicious DLL is dropped with an MD5 of ebf03567c2a907705a026ff0821d8e63 and a detection rate of 6/55**. The Hybrid Analysis*** reveals the following C2 locations:
91.201.202.130 /information.cgi [hostname: dominfo.dp .ua] (FLP Anoprienko Artem Arkadevich aka host-ua.com, Ukraine)
95.213.186.93 /information.cgi [hostname: djaksa.airplexalator .com] (Selectel, Russia)
188.120.250.138 /information.cgi [hostname: olezhkakovtonyuk.fvds .ru] (TheFirst-RU, Russia)
213.32.66.16 /information.cgi (OVH, France)
For those Russian and Ukranian networks I would be tempted to block the entire /24 at least, but this is my minimum recommended blocklist:
91.201.202.130
95.213.186.93
188.120.250.138
213.32.66.16 "
* https://malwr.com/analysis/ZWYyZWY1YTI2Zjk1NDgwYzk0ZGIwZTIzNTQ4NTgzZDA/
Hosts
187.45.240.4

** https://virustotal.com/en/file/22cfee1e5a8772878b5fe0aeec77eb83167fbe53777e8855474e9f40db1c4788/analysis/1479806600/

*** https://www.hybrid-analysis.com/sample/b62d39de287c82b340c7c3c9111093ffe4e0647fa8b79ce1d5d744059b400da2?environmentId=100
Contacted Hosts
187.45.240.4
188.120.250.138
91.201.202.130
213.32.66.16
95.213.186.93
52.32.150.180
52.85.184.195
___

Fake 'Invoice' SPAM - delivers Locky
- http://blog.dynamoo.com/2016/11/malware-spam-invoice-123456-from-random.html
22 Nov 2016 - "This -fake- financial spam appears to come from a random sender in the victim's-own-domain, but this is just a simple forgery. The payload is Locky ransomware.
Subject: Invoice 5639438
From: random sender (random.sender@ victimdomain .tld)
Date: Tuesday, 22 November 2016, 8:43
Attached is the document 'Invoice 5639438'.

The reference number varies from email to email, but is consistent in the subject, body and the name of the attachment (e.g. Invoice 5639438.zip). This ZIP file contains a malicious WSF script (e.g. Invoice 7868933153.wsf)... According the the Malwr analysis*, that script downloads from:
manage .parafx .com/98y4h?AdIXigNCmu=UdJVux
There are no doubt many other locations. That same analysis shows a DLL being dropped with an MD5 of de5d8250edf98262f335cd87fe6f6740 and a detection rate of 9/56**. The Hybrid Analysis*** of the same sample shows the malware contacting the following C2 locations:
89.108.73.124 /information.cgi (Agava, Russia)
91.211.119.98 /information.cgi (Zharkov Mukola Mukolayovuch aka 0x2a.com.ua, Ukraine)
94.242.55.81 /information.cgi (RNet, Russia)
Recommended blocklist:
89.108.73.0/24
91.211.119.98
94.242.55.81 "
* https://malwr.com/analysis/YTdlYzE1NWUzNWNiNGJkMGIxN2YwNzk5YmRkZTQ1YmE/
Hosts
69.57.3.3
91.211.119.98

** https://virustotal.com/en/file/1c31ff15331252edf5cd2ddf4372fe624cd66a0501225579f0b8f892210a1ba1/analysis/

*** https://www.hybrid-analysis.com/sample/14be2a1318cfc80e36206d26df409c5cbdbdb3397773cd980be0527e82e2f172?environmentId=100
Contacted Hosts
69.57.3.3
94.242.55.81
89.108.73.124
91.211.119.98
35.160.111.237
___

Fake 'Documents Requested' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/documents-requested-pretending-to-come-from-random-names-at-your-own-email-domain-delivers-locky/
22 Nov 2016 - "... Locky downloader... an email with the subject of 'Documents Requested' pretending to come from random names at your-own-email-domain... One of the emails looks like:
From: Darlene <Darlene2@ victim domain .uk>
Date: Tue 22/11/2016 11:26
Subject: Documents Requested
Attachment: doc(598).zip
Dear [redacted]
Please find attached documents as requested.
Best Regards,
Darlene

22 November 2016: doc(598).zip: Extracts to: 9932613_EUZCK_6312135.wsf - Current Virus total detections 12/53*
Payload Security**... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/b101a4cbf461f1e6aca2fc553b4d624e5594fd03850f9a878a8e3eb18e057cc4/analysis/1479814057/

** https://www.hybrid-analysis.com/sample/b101a4cbf461f1e6aca2fc553b4d624e5594fd03850f9a878a8e3eb18e057cc4?environmentId=100
Contacted Hosts
72.51.24.224
94.242.55.81
95.46.114.205
54.240.162.83
35.160.111.237
___

Fake 'tax bill' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/your-tax-bill-debt-due-date-is-today-malspam-delivers-locky-aesir/
22 Nov 2016 - "... Locky downloader... an email pretending to be a tax bill with the subject of 'Please note' coming as usual from random companies, names and email addresses with a semi-random named zip attachment in the format of tax_recipients name.zip... One of the emails looks like:
From: Lance Barron <Barron.Lance@ dramaticallybetterhealth .com>
Date: Tue 22/11/2016 17:41
Subject: Please note
Attachment: tax_goal.zip
Dear goal
Your tax bill debt due date is today . Please fulfill the debt.
All the information and payment instructions can be found in the attached document.
Best Wishes,
Lance Barron
Tax Collector ...

22 November 2016: tax_goal.zip: Extracts to: 6WMK287O33R4XN6.js - Current Virus total detections 6/55*
MALWR** shows a download of an encrypted file from:
http ://govorokhm .ru/huz9ex2sd8 which is converted by the script to xHVh9Aflvj4.dll (VirusTotal 9/57***)
Payload Security [4]... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/e680822da8be44d75e19ff21747a0c49008b934b6b3e3bc979deed9c94fac7ce/analysis/1479836521/

** https://malwr.com/analysis/MTU1NGMyYWM3NWFmNGE1YjljN2U3MjAxOWVkMDMyNzk/
Hosts
67.171.65.64

*** https://www.virustotal.com/en/file/9f49d837fcb163266e4254b57a493936f785bf0a124044eeb2a3ec69d16bb226/analysis/1479839432/

4] https://www.hybrid-analysis.com/sample/e680822da8be44d75e19ff21747a0c49008b934b6b3e3bc979deed9c94fac7ce?environmentId=100
Contacted Hosts
94.142.140.191
195.123.209.8
213.32.66.16
95.213.186.93
52.42.26.69
54.240.162.83
35.160.111.237
___

Fake 'DocuSign' SPAM - delivers ASN1 ransomware
- https://myonlinesecurity.co.uk/spoofed-docusign-you-have-a-new-encrypted-document-malspam-attempts-to-download-asn1-ransomware/
21 Nov 2016 - "An email with the subject of 'You have a new Encrypted Document' pretending to come from DocuSign <service@ docusigndocuments .com> with a malicious macro enabled word doc tries to download ASN1 ransomware... These do -not- come from the genuine DocuSign company. docusigndocuments .com and the other domains listed have been registered -today- and hosted at Godaddy .com with what are probably -fake- details...
The three domains and sending email addresses also used in this malspam ransomware attempt are:
DocuSign <service@ DOCUSIGN-DOCUMENT .COM>
DocuSign <service@ docusigndocument .com>
DocuSign <service@ docusigndocuments .com> ...

Screenshot: https://i0.wp.com/myonlinesecurity.co.uk/wp-content/uploads/2016/11/docusign_encrypted-_document.png?resize=1024%2C560&ssl=1

The enclosed word doc looks like:
> https://i0.wp.com/myonlinesecurity.co.uk/wp-content/uploads/2016/11/encrypted_document.png?resize=1024%2C911&ssl=1

21 November 2016: EncryptedDocument.doc - Current Virus total detections 18/54*
Both MALWR** & Payload Security*** show it tries to download
http ://majesticbrass .com/1061911a3e0a74827a76bbd7bfe16d20.exe which is currently giving a 404 not found. This site was used in an similar ransomware attack at the end of last week[4]... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/ec397faf8be5ad9e4ace5d7cb570d268f982a91cfb63ceb3b06338fd9ab17966/analysis/1479766715/

** https://malwr.com/analysis/Y2M1YWNlYjVlN2FmNGQ2Njg2OTg5MjMyNjFhYWFkN2I/
Hosts
64.176.31.64
184.51.0.241

*** https://www.hybrid-analysis.com/sample/ec397faf8be5ad9e4ace5d7cb570d268f982a91cfb63ceb3b06338fd9ab17966?environmentId=100
Contacted Hosts
64.176.31.64

4] https://myonlinesecurity.co.uk/unknown-ransomware-delivered-via-you-have-received-a-new-secure-document-malspam/

64.176.31.64: https://www.virustotal.com/en/ip-address/64.176.31.64/information/
> https://www.virustotal.com/en/url/6dd694efbda2f00f4fdf04dd90e4b7f4a3b6ae5f98ac8dd81c5915e15d645cb0/analysis/
2016-11-22

:fear::fear: :mad:

AplusWebMaster
2016-11-23, 13:29
FYI...

Fake 'Pay Attention' SPAM - leads to Locky
- http://blog.dynamoo.com/2016/11/malware-spam-please-pay-attention-leads.html
23 Nov 2016 - "This -fake- financial spam leads to Locky ransomware:
Subject: Please Pay Attention
From: Bill Rivera
Date: Wednesday, 23 November 2016, 9:45
Dear [redacted], we have received your payment but the amount was not full.
Probably, this occurred due to taxes we take from the amount.
All the details are in the attachment - please check it out.

The name of the sender will vary. In the sample I analysed, a ZIP file was attached with a filename beginning
lastpayment_ followed by the first part of the recipients email address. This archive contains a randomly-named malicious .JS script... According to this Malwr report* a malicious DLL is dropped with an MD5 of def0d0070d4aed411b84ebd713fd8b92 and a detection rate of 6/56**. The Hybrid Analysis*** clearly shows the ransomware in action and shows it communicating with the following URLs:
95.213.186.93 /information.cgi [hostname: djaksa.airplexalator .com] (Selectel, Russia)
195.123.209.8 /information.cgi [hostname: kostya234.itldc-customer .net] (Layer6, Latvia)
213.32.66.16 /information.cgi (OVH, France)
Recommended blocklist:
95.213.186.93
195.123.209.8
213.32.66.16 "
* https://malwr.com/analysis/MWY5ZDY1MDk2YjBmNDE1NmFkNzY0MWMwN2UyMTMzYWQ/
Hosts
31.204.153.171

** https://virustotal.com/en/file/8ccdf5e1e5a1fdeee1c64d57b1ed108ad115bfee725e1ac5bf6d2a73c2463eb2/analysis/1479896120/

*** https://www.hybrid-analysis.com/sample/757304112654f09f5913b7d4eb6de1d6fb983cd529cbe3151e3573840f581d09?environmentId=100
Contacted Hosts
31.204.153.171
213.32.66.16
195.123.209.8
95.213.186.93
52.34.245.108
54.240.162.85
92.122.214.10

- https://myonlinesecurity.co.uk/please-pay-attention-you-havent-paid-the-full-amount-malspam-delivers-locky/
23 Nov 2016 - "... Locky downloader... an email pretending to tell you that you haven’t paid the full amount, with the subject of 'Please Pay Attention' coming as usual from random companies, names and email addresses with a semi-random named zip attachment in the format of lastpayment_recipient name.zip... One of the emails looks like:
From: Gabriela Diaz <Diaz.Gabriela@ deepredmedia .com>
Date: Wed 23/11/2016 08:27
Subject: Please Pay Attention
Attachment: lastpayment_lickit.zip
Dear lickit, we have received your payment but the amount was not full.
Probably, this occurred due to taxes we take from the amount.
All the details are in the attachment – please check it out.

23 November 2016: payment_history_64b96be.zip: Extracts to: 2BE46B4PX7ZU28.js
Current Virus total detections 7/55*. MALWR** shows a download of an encrypted file from
http ://risewh .com/pg31nkp which is renamed by the script to
W0heF8ZofNrqpj9Z .dll (VirusTotal 5/56***). Payload Security[4]...
Other download sites include:
risewh .com/pg31nkp
jinxlaze .com/rysuuttn
naturalnepodlogi .cba .pl/utnnyduqa
offerrat .com/12mi44q
pineysprat .com/zqdjx ...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/f70ff5b1c8e04a3b73ff53b4784d8ec6a35195679f5b0eafec31f7af792fad2f/analysis/1479894064/

** https://malwr.com/analysis/ZGViZTZlNTFkMjY3NDE5ZWEwZTY3NTUyNTU3YTE3MzQ/
Hosts
202.103.25.79

*** https://www.virustotal.com/en/file/ba64a529e4ed9faea3f88e4d238d03a09549abdabcae34c6e07475667d8b6275/analysis/1479894314/

4] https://www.hybrid-analysis.com/sample/f70ff5b1c8e04a3b73ff53b4784d8ec6a35195679f5b0eafec31f7af792fad2f?environmentId=100
Contacted Hosts
202.103.25.79
213.32.66.16
95.213.186.93
195.123.209.8
52.42.26.69
54.240.162.221
___

Fake 'Bill' SPAM - delivers more Locky
- https://myonlinesecurity.co.uk/random-bills-coming-from-random-senders-at-your-own-email-domain-delivers-even-more-locky/
23 Nov 2016 - "... Locky downloader... a -blank/empty- email with the subject of 'Bill-85548' (random numbers) pretending to come from random names at your-own-email-address/company or domain with a totally random numbered zip attachment... One of the emails looks like:
From: paris hymer <paris.hymer@ victim domain .co .uk>
Date: Thu 01/09/2016 19:22
Subject: paris hymer ...
Attachment: 7c8b9b79dd4ef599dd5d0c6db9b2d530.zip

Body content: totally blank

23 November 2016: 7c8b9b79dd4ef599dd5d0c6db9b2d530.zip: Extracts to: qivrlftajqpvl4kfverdv6vu8ecbwdxe.js
Current Virus total detections 10/55*. MALWR** shows a download of an encrypted file from
http ://parenclub-devilsenangels .nl/08yhrf3?ELghUu=ELghUu which is converted by the script to
ELghUu1.dll (VirusTotal 8/55***). Payload Security[4]... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/7f219892244608787ea17b46ad7df45045541f45af47b5b0e9f85758a8ea59af/analysis/1479893531/

** https://malwr.com/analysis/MGM2OWFmMzU5YmE3NDM4YmE2YTBlNzFjMzYyZGI5YTI/
Hosts
195.211.74.100
94.242.55.81
80.87.202.49

*** https://www.virustotal.com/en/file/675c681f4c9684685dda43e5e96983c1688bef6d68583562d60fe673dafb3d0c/analysis/1479895272/

4] https://www.hybrid-analysis.com/sample/7f219892244608787ea17b46ad7df45045541f45af47b5b0e9f85758a8ea59af?environmentId=100
Contacted Hosts
195.211.74.100
80.87.202.49
94.242.55.81
95.46.114.205

- http://blog.dynamoo.com/2016/11/moar-locky-bill-12345-from-victims-own.html
23 Nov 2016 - "This spam has no-body-text and appears to come from within the sender's-own-domain. It leads to Locky ransomware. For example:
From: julia newenham [julia.newenham@ victimdomain .tld]
Date: 23 November 2016 at 10:44
Subject: Bill-76137

There is a randomly-named ZIP (e.g. 589af1aa1aaf4cb9ce571fced687b8ac.zip) containing a randomly-named malicious javascript... A malicious DLL is dropped with an MD5 of 4e207b30c5eae01fa136f3d89d59bbbe and
a detection rate of 9/56*. The malware then communicates with:
80.87.202.49 /information.cgi (JSC Server, Russia)
94.242.55.81 /information.cgi (RNet, Russia)
95.46.114.205 /information.cgi (PE Gornostay Mikhailo Ivanovich aka time-host .net, Ukraine)
Recommended blocklist:
80.87.202.49
94.242.55.81
95.46.114.205 "
* https://virustotal.com/en/file/675c681f4c9684685dda43e5e96983c1688bef6d68583562d60fe673dafb3d0c/analysis/
___

Fake 'Scanned Documents' SPAM - delivers Trickbot
- https://myonlinesecurity.co.uk/trickbot-banking-trojan-delivered-by-spoofed-hp_printer-at-your-own-email-address-malspam/
23 Nov 2016 - "An email with the subject of 'Scanned Documents' pretending to come from HP Digital Device <HP_Printer@ victim domain .tld> with a malicious macro enabled word doc delivers Trickbot banking Trojan...
The email looks like:
From: HP Digital Device <HP_Printer@ victim domain .tld>
Date: Wed 23/11/2016 04:27
Subject: Scanned Documents
Attachment: Scan552.doc
Please open the attached document.
This document was digitally sent to you using an HP Digital Sending device.
This email has been scanned for viruses and spam.

23 November 2016: Scan552.doc - Current Virus total detections 11/51*
Payload Security**.. shows downloads from http ://wingsbiotech .com/images/kjcoiejceiwejf.png
which is -not- an image file but a renamed .exe that the macro renames to newfle.exe and autoruns
(VirusTotal 12/56***)... DO NOT follow the advice they give to enable macros or enable editing to see the content...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/d692c5e5b0284352c42cf48c42f439f3b15c6c2f9d3726d7c5e1d89d0b070818/analysis/1479879729/

** https://www.hybrid-analysis.com/sample/d692c5e5b0284352c42cf48c42f439f3b15c6c2f9d3726d7c5e1d89d0b070818?environmentId=100
Contacted Hosts
69.89.31.134
78.47.139.102
193.107.111.164
37.1.213.189
185.86.77.224

*** https://www.virustotal.com/en/file/f30f4827c6ef9917fa3e19e8a33649181732f6a8d6c5974a7552675f6401c494/analysis/1479882669/
___

Fake 'LETTER' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/more-fake-spoofed-emails-from-your-own-email-address-delivering-locky-aesir/
23 Nov 2015 - "... Locky downloader... an email with the subject of 'Emailing: LETTER 5.pdf' (random numbers) pretending to come from random names at your-own-email-domain... One of the emails looks like:
From: queen <queen.gaffney@ victim domain .tld >
Date: Wed 23/11/2016 13:39
Subject: Emailing: LETTER 5.pdf
Attachment: LETTER 5.zip
Please find attachment.

This email has been checked for viruses by Avast antivirus software.

23 November 2016: LETTER 5.zip: Extracts to: fnpqatfwistcg4r3ccoanyajwkqjlgq7.js
Current Virus total detections 13/55*... Payload Security** shows a download of an encrypted file from
http ://paulking .it/08yhrf3?yRLXgsuxJ=yRLXgsuxJ which is converted by the script to yRLXgsuxJ1.dll
(VirusTotal 7/57***)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/e10ecc1cad2a5bd09a60c9ee9344099694cfd1e19b197346cfa5da863bfb46fc/analysis/1479908406/

** https://www.hybrid-analysis.com/sample/e10ecc1cad2a5bd09a60c9ee9344099694cfd1e19b197346cfa5da863bfb46fc?environmentId=100
Contacted Hosts
151.1.182.231
95.46.114.205
82.146.32.92
91.107.107.165
52.32.150.180
54.240.162.106

*** https://www.virustotal.com/en/file/d0f125574c97e5665a27588a359c5b36e56d1fa44a559b0f75339d9e5b78081c/analysis/1479909224/
___

Fake 'subpoena' SPAM - leads to malware
- http://blog.dynamoo.com/2016/11/malware-spam-financial-records-subpoena.html
23 Nov 2016 - "This spam purports to come from Michael T Diver who is a real Oklahoma attorney, but it doesn't really and is just a simple forgery:
From: MICHAEL T. DIVER [michael -at- lawfirmofoklahoma .com]
Date: 23 November 2016 at 15:24
Subject: RE:RE: financial records subpoena
See you in court !!!
Subpoena for server
Thank you,
MICHAEL T. DIVER ...

The telephone number and also potentially the email address are genuine, but they are certainly not being sent from this law firm. The link-in-the-email goes to a legitimate but -hacked- Vietnamese site at techsmart .vn/backup2/get.php?id= (the last bit is a Base 64 representation of the victim's email address). In testing the payload site was -down- but previous emails of this type have lead to the Vawtrak banking trojan."

techsmart .vn: 103.18.6.140: https://www.virustotal.com/en/ip-address/103.18.6.140/information/
___

[b]Fake 'Payment confirmation' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/spoofed-standard-bank-payment-confirmation-delivers-locky-aesir/
23 Nov 2016 - "... Locky downloader... an email with the subject of 'Payment confirmation 7477' (random numbers) pretending to come from Standard Bank <ibsupport@ standardbank .co .za>...

Screenshot: https://i1.wp.com/myonlinesecurity.co.uk/wp-content/uploads/2016/11/standard-bank-payment-confirmation.png?resize=1024%2C716&ssl=1

23 November 2016: PaymentConfirmation7477.zip: Extracts to: wbxz7lyfob8mwyygqstzfffj7aere8wz.js
Current Virus total detections 13/54*. MALWR** shows a download of an encrypted file from
http ://rdyy .cn/08yhrf3?OYxgQhzazR=OYxgQhzazR which is converted by the script to OYxgQhzazR1.dll
(VirusTotal 12/56***). Payload Security[4]... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/9c6a9138670c0c2a11b5e8f7eefc2ac194473ee01dfb85c38866b09e574eb366/analysis/1479919853/

** https://malwr.com/analysis/MzZmNWE5NWI0NzM1NDgyNGJiYjMxMTIxMTA5MzViNGQ/
Hosts
103.28.44.206
82.146.32.92
91.107.107.165
95.46.114.205

*** https://www.virustotal.com/en/file/d0f125574c97e5665a27588a359c5b36e56d1fa44a559b0f75339d9e5b78081c/analysis/1479919518/

4] https://www.hybrid-analysis.com/sample/9c6a9138670c0c2a11b5e8f7eefc2ac194473ee01dfb85c38866b09e574eb366?environmentId=100
Contacted Hosts
103.28.44.206
91.107.107.165
82.146.32.92
95.46.114.205
___

Fake 'Attention Required' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/attention-required-hr-department-havent-received-the-receipt-malspam-delivers-even-more-locky-today/
23 Nov 2016 - "... Locky malware... with the subject of 'Attention Required' coming as usual from random companies, names and email addresses with a semi-random named zip attachment in the format of receipt_recipient.name.zip... One of the emails looks like:
From: Angela Holmes <Holmes.Angela@ murilobertini .com>
Date: Wed 23/11/2016 16:14
Subject: Attention Required
Attachment: receipt_xerox.805.zip
Dear xerox.805, our HR Department told us they haven’t received the receipt you’d promised to send them.
Fines may apply from the third party. We are sending you the details in the attachment.
Please check it out when possible.

23 November 2016: receipt_xerox.805.zip: Extracts to: Z8B105E8IK89A9HX.js - Current Virus total detections 15/55*
MALWR** shows a download of a file from http ://orantpamir .net/el3w488r9 which is converted by the script to
fWk6epu1.dll (VirusTotal 9/57***). Payload Security[4]...
Manual analysis shows these download locations
orantpamir .net/el3w488r9
oimeferio .net/sl60vci
websdns .com/k0ais
gigabothosting .com/kiltoonxqa
gpsfiles .nl/lywk0py
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/1d69bb8fa98cdce5b8725b7c6ad08a1bcd3d55decbb78819612f0e8fe6505204/analysis/1479921317/

** https://malwr.com/analysis/ZGEyYjJkMWYyZWY2NDYzMTg1N2ZmNGQ1YTg0NTA1NjI/
Hosts
67.171.65.64

*** https://www.virustotal.com/en/file/6d74e553c3a6cc84589f01e4e35e6a3387093f35f2121f1f1979c076710d9de4/analysis/1479921871/

4] https://www.hybrid-analysis.com/sample/1d69bb8fa98cdce5b8725b7c6ad08a1bcd3d55decbb78819612f0e8fe6505204?environmentId=100
Contacted Hosts
67.171.65.64
95.46.8.175
46.8.29.176
52.32.150.180
54.240.162.221
52.35.54.251

:fear::fear: :mad:

AplusWebMaster
2016-11-25, 15:04
FYI...

Fake 'Important Info' SPAM - leads to Locky
- http://blog.dynamoo.com/2016/11/malware-spam-important-information.html
25 Nov 2016 - "This spam leads to Locky ransomware:
Subject: Important Information
From: Etta Figueroa
Date: Friday, 25 November 2016, 10:28
Dear [redacted], your payment was not processed due to the problem with credentials.
Payment details are in the attached document.
Please check it out as soon as possible.

The name of the sender varies. Attached is a ZIP file beginning with payment_ and then the first part of the victim's email address. This analysis comes from my trusted usual source (thank you!). It contains a randomly-named malicious javascript that downloads a component... The malware then phones home to:
213.32.66.16 /information.cgi (OVH, France)
89.108.118.180 /information.cgi (Datalogika / Agava, Russia)
91.201.42.83 /information.cgi [hostname: aportom .com] (RuWeb, Russia)
Recommended blocklist:
213.32.66.16
89.108.118.180
91.201.42.83 "

- https://myonlinesecurity.co.uk/important-information-your-payment-was-not-processed-malspam-delivers-more-locky-zzzzz/
25 Nov 2016 - "... Locky downloader... an email with the subject of 'Important Information' coming or pretending to come from random companies, names and email addresses with a semi-random named zip attachment in the format of payment_recipient’s name.zip... One of the emails looks like:
From: Clay Clarke <Clarke.Clay@ static .vnpt .vn>
Date: Thu 01/09/2016 19:22
Subject: Important Information
Attachment: payment_montag.zip
Dear montag, your payment was not processed due to the problem with credentials.
Payment details are in the attached document.
Please check it out as soon as possible.

25 November 2016: payment_montag.zip: Extracts to: HQ5q97uu9s2.js - Current Virus total detections 8/54*
Payload Security**. MALWR*** shows a download of an encrypted file from
http ://thinx .net/rkp2tpxlrg which is converted by the script to Oe3cTld33aTOQyLh.tdb (VirusTotal 15/56[4]). The tdb file is actually a dll file that is run by rundll32 but given a different extension to attempt to fool anyone having a quick look at it. We describe this here[5] and Bleeping computer[6] has a good write up about the use of non standard file extensions by Locky... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/8cd5ebd6f4789fd83fb694b05f2d80882145a2f3781717de7033ea5f9422560c/analysis/1477646733/

** https://www.hybrid-analysis.com/sample/fc33b7423af50cd10cf53d86f0adf8495a8ca02d6227d4f9f826c5c0d6256ebe?environmentId=100
Contacted Hosts
107.180.41.245
213.32.66.16
91.201.42.83
54.240.162.31
35.160.111.237

*** https://malwr.com/analysis/M2IyNmIwYTBkZjdjNDViMWEyZDJkNjYwNTc0OTEzNjc/
Hosts
133.130.109.98
185.154.13.79
83.217.11.193

4] https://www.virustotal.com/en/file/f7a9f479980d1f856dd85a1dfaa9c7e3184ada3e19ddd61cfaf799d00dd33efe/analysis/1480069873/

5] https://myonlinesecurity.co.uk/locky-changed-again-to-use-zzzzz-file-extensions/

6] http://www.bleepingcomputer.com/news/security/locky-ransomware-putting-us-to-sleep-with-the-zzzzz-extension/
___

Fake -blank/body- SPAM - more Locky
- https://myonlinesecurity.co.uk/blank-email-with-random-subjects-delivers-even-more-locky-zzzzz/
25 Nov 2016 - "... Locky downloader... a -blank- email with the subject of (random number recipient name) coming or pretending to come from recipient name_olive at random email addresses with a semi-random named zip attachment in the format of INFO_random number_recipients name.zip that contains another zip file... One of the emails looks like:
From: derekolive@ blueyonder .co.uk
Date: Fri 25/11/2016 08:10
Subject: 57051 derek
Attachment: INFO_052297_derek.zip

Body content: Totally Blank/empty

25 November 2016: INFO_052297_derek.zip: which extracts to MONEY_14189_ZIP.zip which in turn Extracts to:
MONEY_14189.js. Current Virus total detections 3/55*. MALWR** shows a download of a file from
http ://www .vollyuper .top/admin.php?f=2.dat which gave MALWR rad68D08.tmp (VirusTotal 4/57***)...
Update: the same series of emails with these .js files also have -other- links that are currently downloading Cerber ransomware. These sites include:
http ://otreytl .bid/search.php?f=x1.dat | http ://hqtrssx .top/search.php?f=x2.dat (VirusTotal 5/57[4])
(Payload Security [5]). (MALWR [6])... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/7fad0a74e5cc06505ccf5d88dab2a1db5fb18618618e117b9adeab44bb5fa2da/analysis/1480061873/

** https://malwr.com/analysis/M2IyNmIwYTBkZjdjNDViMWEyZDJkNjYwNTc0OTEzNjc/
Hosts
133.130.109.98
185.154.13.79
83.217.11.193

*** https://www.virustotal.com/en/file/ab8bea243f4e500a44a4aa0a3a4055fe71233ea0e0af82ae4de2e66578d761df/analysis/1480062381/

4] https://www.virustotal.com/en/file/ab8bea243f4e500a44a4aa0a3a4055fe71233ea0e0af82ae4de2e66578d761df/analysis/1480062381/

5] https://www.hybrid-analysis.com/sample/d949f0f2118dc1077d9aff0b90efb81c16c7e927e153dd7f30ce1dae16bca919?environmentId=100
Contacted Hosts
63.55.11.0-31
15.93.12.0-31
194.165.16.0-255
194.165.17.0-255
194.165.18.0-255
194.165.19.0-167

6] https://malwr.com/analysis/YTA1YmY2NWExOGRmNGQ4ZWEyZTk4ZjEyNzc5MjE2OTA/
Hosts
63.55.11.0-31
15.93.12.0-31
194.165.16.0-255
194.165.17.0-255
194.165.18.0-255
194.165.19.0-255
___

Moar Locky 2016-11-25
- http://blog.dynamoo.com/2016/11/moar-locky-2016-11-25.html
25 Nov 2016 - "This data comes from my trusted usual source, so far I have only seen a single example. This morning's spam run has a -subject- with one of the following words:
DOC, DOCUMENT, FAX, IMG, LABEL, ORD, PHOTO, PIC, SCAN, SHEET

..plus a four digit random number. Attached is a ZIP file with a name mating the subject, containing a randomly-named malicious javascript that attempts to download a component... The payload is Locky ransomware, phoning home to:
185.118.167.144 /information.cgi [hostname: bogdankarpenko1998.pserver .ru] (Chelyabinsk-Signal, Russia)
91.142.90.55 /information.cgi (Miran, Russia)
Recommended blocklist:
185.118.167.144
91.142.90.55 "
___

Fake 'New voice mail' SPAM - leads to Locky
- http://blog.dynamoo.com/2016/11/malware-spam-vigor2820-series-new-voice.html
25 Nov 2016 - "This -fake- voicemail spam leads to Locky ransomware and appears to come from within the victim's own domain, but this is just a simple forgery.
Subject: [Vigor2820 Series] New voice mail message from 01435773591 on 2016/11/25 18:29:39
From: voicemail@ victimdomain .tld
To: victim@ victimdomain .tld
Date: Friday, 25 November 2016, 12:58
Dear webmaster :
There is a message for you from 01435773591, on 2016/11/25 18:29:39 .
You might want to check it when you get a chance.Thanks!

The number in the message will vary, but is consistent throughout. Attached is a ZIP file referencing the same number, e.g. Message_from_01435773591.wav.zip which contains a malicious Javascript... This Malwr analysis* shows behaviour consistent with Locky ransomware... The C2s to block are the same as here**, namely:
185.118.167.144 /information.cgi [hostname: bogdankarpenko1998.pserver .ru] (Chelyabinsk-Signal, Russia)
91.142.90.55 /information.cgi (Miran, Russia)
Recommended blocklist:
185.118.167.144
91.142.90.55 "
* https://malwr.com/analysis/YWU1NzQ4MmJhNGRlNGJmNGFmMjBhZGVmNTdlMzQ4NWU/
Hosts
92.60.224.52
185.118.167.144
91.142.90.55
** http://blog.dynamoo.com/2016/11/moar-locky-2016-11-25.html
___

Locky hidden in image file hitting Facebook, LinkedIn
- https://www.helpnetsecurity.com/2016/11/25/locky-image-file-facebook-linkedin/
Nov 25, 2016 - "Malware masquerading as an image file is still spreading on Facebook, LinkedIn, and other social networks. Check Point researchers have apparently discovered how cyber crooks are embedding malware in graphic and image files, and how they are executing the malicious code within these images to infect social media users with Locky ransomware variants... As they are searching for a solution, the Check Point research team advises* users not-to-open-any-image they have received from another user and have downloaded on their machine... A video demonstration of the attack can be viewed below:
> https://youtu.be/sGlrLFo43pY "

* http://blog.checkpoint.com/2016/11/24/imagegate-check-point-uncovers-new-method-distributing-malware-images/
2016/11/24 - "... attackers have built a new capability to embed malicious code into an image file and successfully upload it to the social media website. The attackers exploit a misconfiguration on the social media infrastructure to deliberately force their victims to download the image file. This results in infection of the users’ device as soon as the end-user -clicks- on the downloaded file..."

:fear::fear: :mad:

AplusWebMaster
2016-11-28, 12:49
FYI...

Fake 'Purchase Order' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/spoofed-purchase-order-donotreplysouth-staffordshire-com-delivers-locky/
28 Nov 2016 - "... Locky downloader... an email with the subject of 'Purchase Order No. 90373' (random numbers) coming or pretending to come donotreply@ south-staffordshire .com with a semi-random named zip attachment that matches the subject line... One of the emails looks like:
From: donotreply@ south-staffordshire .com
Date: Mon 28/11/2016 09:45
Subject: Purchase Order No. 90373
Attachment: PO90373.zip
Please find attached Purchase Order No. 90373.
PLEASE DO NOT REPLY TO THIS ADDRESS.
If you have any queries in regards to your Purchase Order, please contact your requestor, Reinaldo horrocks on 01922 062460 ext 5580...

28 November 2016: payment_history_64b96be.zip: Extracts to: 93410605.wsf - Current Virus total detections 8/55*
MALWR* is not giving any payload or download sites. Payload Security*** shows a download of an encrypted file from
restauranttajmahal .ca/87nft3?iNKevOML=ChKIolivpc which is converted by the script to a dll and autorun.
Unfortunately Payload Security does not show or make the dll available for download in the free web version... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/f4bc93583d1a56568c2c20a313709cd61e433699aed650aa877d1c82ab2a6ceb/analysis/1480327255/

** https://malwr.com/analysis/M2U1OTFhODIxODhkNGY5NmIyYTVhZjQ5ZDI4MWEwMDY/

*** https://www.hybrid-analysis.com/sample/f4bc93583d1a56568c2c20a313709cd61e433699aed650aa877d1c82ab2a6ceb?environmentId=100
Contacted Hosts
76.74.128.120
185.115.140.210
185.118.67.162
213.32.90.193
52.34.245.108
54.240.162.88
___

Fake 'Urgent Alert' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/urgent-alert-we-have-detected-a-suspicious-money-atm-withdrawal-from-your-card-delivers-locky/
28 Nov 2016 - "... Locky downloader... an email with the subject of 'Urgent Alert' coming or pretending to come from random companies, names and email addresses with a semi-random named zip attachment in the format of ATM_recipients name.zip... One of the emails looks like:
From: Tami Soto <Soto.Tami@ lelycentereast .com>
Date: Mon 28/11/2016 09:22
Subject: Urgent Alert
Attachment: ATM_etgord34truew.zip
Dear etgord34truew, we have detected a suspicious money ATM withdrawal from your card.
For your security, we have temporarily blocked the card.
All the details are in the attachment. Please open it when possible.

28 November 2016: ATM_etgord34truew.zip: Extracts to: HQ6za5d7.js - Current Virus total detections 7/53*
MALWR** shows a download of an encrypted file from http ://dodowiz .com/ynux4ac
which is converted by the script to x3NzzWXgCcwO.tdb (VirusTotal 6/52***). The tdb file is actually a dll file that is run by rundll32 but given a different extension to attempt to fool anyone having a quick look at it. We describe this here[4] and Bleeping computer[5] has a good write up about the use of non standard file extensions by Locky
(Payload Security [6])... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/7fdc3a28aafd165fd28bfd379675453c8aa890cf43c3faaaf0d1f3b0b835f481/analysis/1480324767/

** https://malwr.com/analysis/ZDdlZTNiZWRmZTU4NDE5ZDk3MTFiODk1MzY1YTIyZDc/
Hosts
183.98.152.2

*** https://www.virustotal.com/en/file/f8481d025fc86efc197bb1e2c54b20c5e21f737bd37040615cccc851a8bc6ccf/analysis/1480329111/

4] https://myonlinesecurity.co.uk/locky-changed-again-to-use-zzzzz-file-extensions/

5] http://www.bleepingcomputer.com/news/security/locky-ransomware-putting-us-to-sleep-with-the-zzzzz-extension/

6] https://www.hybrid-analysis.com/sample/7fdc3a28aafd165fd28bfd379675453c8aa890cf43c3faaaf0d1f3b0b835f481?environmentId=100
Contacted Hosts
213.176.241.230
213.32.66.16
91.201.42.83
185.146.171.180
52.32.150.180
54.240.162.86
52.35.54.251
___

Fake 'Bill' SPAM - more Locky
- https://myonlinesecurity.co.uk/more-locky-delivered-by-bill-malspam-spoofed-to-come-from-your-own-email-address/
28 Nov 2016 - "... Locky downloader... another blank/empty malspam pretending to come from random names at your-own-email-address with the subject of 'Bill-4491989' (random numbers) with a random named zip attachment. All these emails have a To: line of resort@ doggiespalace .com with a hidden bcc: to your email address... One of the emails looks like:
From: earlene mitchel <earlene.mitchel@ your-own-email-domain .co.uk>
Date: Mon 28/11/2016 12:07
Subject: Bill-4491989
To: resort@ doggiespalace .com
Attachment: d58e224b0e2266fb80b74c3b46f03fd1.zip

Body content: totally blank/empty

28 November 2016: d58e224b0e2266fb80b74c3b46f03fd1.zip: Extracts to: 64621603.wsf
Current Virus total detections 8/50*. MALWR is unable to get any malware or download sites. Payload Security** shows a download of an encrypted file from sinmotor .com/87nft3?XztYNBph=nhYXdz which is converted by the script to MxoWCE1.dll (VirusTotal 9/56***)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/c247ccf81e4c83e930f9068c81d693bbbe26ebac32b36ce2a021ed58ba910cc7/analysis/1480329075/

** https://www.hybrid-analysis.com/sample/c247ccf81e4c83e930f9068c81d693bbbe26ebac32b36ce2a021ed58ba910cc7?environmentId=100
Contacted Hosts
61.7.236.41
213.32.90.193
185.115.140.210
185.118.67.162
2.16.4.42
52.32.150.180
54.240.162.245
35.160.111.237

*** https://www.virustotal.com/en/file/b68089962a9cbc7d9b67a5e32949430b80e2aaebfd165b315325fb8dc95bb90a/analysis/1480333048/
___

Fake 'Message' SPAM - more Locky
- https://myonlinesecurity.co.uk/even-more-locky-spoofed-to-come-from-your-own-email-address/
28 Nov 2016 - "... Locky downloader... another malspam pretending to come from donotreply at your-own-email-address that pretends to be an email from a scanner/printer with the subject of 'Message from RNP0024D5D73B3A' (random numbers) with a semi-random named zip attachment in the format of todays date random numbers_random numbers.zip... One of the emails looks like:
From: donotreply@ your-own-email-address .co.uk
Date: Mon 28/11/2016 11:30
Subject: Message from “RNP0024D5D73B3A”
Attachment: 201611281559326883_0033.zip
This E-mail was sent from “RNP0024D5D73B3A” (Aficio MP 2352).
Scan Date: Mon, 28 Nov 2016 15:59:32 +0430)
Queries to: {redacted}

28 November 2016: 201611281559326883_0033.zip: Extracts to: 95130643.wsf - Current Virus total detections 6/55*
Payload Security** shows a download of an encrypted file from somersetautotints .co.uk/87nft3?viqtJpG=zELkPdJaI which is converted by the script to lkVpqyuH1.dll which VirusTotal 9/56*** shows is the same file as this concurrent malspam run[4]... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/d941a5d08b5c5d5326a87ee5487e9545f4c8ab7dd2598cab10907290ae9363d0/analysis/1480336074/

** https://www.hybrid-analysis.com/sample/d941a5d08b5c5d5326a87ee5487e9545f4c8ab7dd2598cab10907290ae9363d0?environmentId=100
Contacted Hosts
5.133.180.146
213.32.90.193
54.240.162.123
91.198.174.192
91.198.174.208

*** https://www.virustotal.com/en/file/b68089962a9cbc7d9b67a5e32949430b80e2aaebfd165b315325fb8dc95bb90a/analysis/

4] https://myonlinesecurity.co.uk/more-locky-delivered-by-bill-malspam-spoofed-to-come-from-your-own-email-address/

:fear::fear: :mad:

AplusWebMaster
2016-11-29, 13:21
FYI...

Fake 'XLS Invoice' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/please-find-attached-a-xls-invoice-spoofing-ansell-lighting-delivers-locky/
29 Nov 2016 - "An email with the subject of 'Please find attached a XLS Invoice 293192' (random numbers) pretending to come from creditcontrol@ random companies with a malicious Excel XLS spreadsheet attachment delivers Locky... The email looks like:
From: creditcontrol@ riversideglass .com
Date: Tue 29/11/2016 08:01
Subject: Please find attached a XLS Invoice 293192
Attachment: INVOICE.TAM_293192_20161129_C415186AD.xls
Please find attached your Invoice for Goods/Services recently delivered. If you have any questions, then pleasedo not hesitate in contacting us.Karen Lightfoot -Credit Controller, Ansell Lighting ...

29 November 2016: INVOICE.TAM_293192_20161129_C415186AD.xls - Current Virus total detections 9/56*
Payload Security** shows a download from thegarageteam .gr/087gbdv4 which is an encrypted file that gets converted by the macro to luswiacs1.dll. Unfortunately Payload Security does not make this file available in the free web version. MALWR*** did give the dll (VirusTotal 9/57[4])... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/129ec23c0ba2f25c2d16979b5cba49bcede8dd1810be9ee7692ecd81928f984a/analysis/1480406523/

** https://www.hybrid-analysis.com/sample/129ec23c0ba2f25c2d16979b5cba49bcede8dd1810be9ee7692ecd81928f984a?environmentId=100
Contacted Hosts
178.32.154.18
95.213.195.123
213.32.90.193
185.115.140.210
52.34.245.108
54.240.162.84
35.160.111.237

*** https://malwr.com/analysis/NTMwNjg4YzY0ZmQ2NDIxZWE5OTg5ZTM5ZmJlYjc3ZTY/
Hosts
178.32.154.18
213.32.90.193
95.213.195.123
185.115.140.210

4] https://www.virustotal.com/en/file/82bada2b9dff8dda1af7ff24b3d7e1542f524efde9437fd5f609f0e1da87a797/analysis/1480407357/
___

Fake 'For Your Consideration' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/for-your-consideration-malspam-delivers-locky/
29 Nov 2016 - "... Locky downloader... an email with the subject of 'For Your Consideration' coming or pretending to come from random companies, names and email addresses with a semi-random named zip attachment in the format of unpaid_recipient’s name.zip... One of the emails looks like:
From: Elliott Osborn <Osborn.Elliott@ airtelbroadband .in>
Date: Tue 29/11/2016 11:22
Subject: For Your Consideration
Attachment: unpaid_evf.zip
Greetings! You paid for yesterday’s invoice – the total sum was $4636.
Unfortunately, you hadn’t included the item #47089-14743 of $688.
Please transfer the remainder as soon as possible.
All details are in the attachment. Please check it out to see whether we are right.

29 November 2016: unpaid_evf.zip: Extracts to: -snk-7030904.js - Current Virus total detections 12/55*
MALWR** shows a download of an encrypted file from one of these 2 locations
http ://tytswirl .com/u2asa61 and http ://kalbould .wa .gov.au/n9zz5r8 which is converted by the script to AddoClgYDJ4J3F.tdb (VirusTotal 6/57***). The tdb file is actually a dll file that is run by rundll32 but given a different extension... Payload Security[4]... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/c63301b2c4fd9c12a6448d8ed62b02233a82b955cf4a3a0f6cae8dc789510be5/analysis/1480418735/

** https://malwr.com/analysis/MmNjODJjOGM5NzViNDBkNmFiMTc5OWU3MzQ5NWJhM2Q/
Hosts
103.9.65.107
67.171.65.64

*** https://www.virustotal.com/en/file/23f17284a564f93446a539ddb6d585aa22ca80fc08e3285571bae75906255400/analysis/1480419080/

4] https://www.hybrid-analysis.com/sample/c63301b2c4fd9c12a6448d8ed62b02233a82b955cf4a3a0f6cae8dc789510be5?environmentId=100
Contacted Hosts
103.9.65.107
67.171.65.64
52.42.26.69
54.240.162.193
___

Fake 'File COPY' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/can-you-please-pass-this-invoice-for-payment-thank-you-malspam-delivers-locky/
29 Nov 2016 - "An email with the subject of 'File COPY.29112016.94400.XLS Sent 29/11/2016' (random numbers) pretending to come from random senders with a malicious Excel XLS spreadsheet attachment delivers Locky ransomware... The email looks like:
From: ALLGREEN-USSING, RODOLFO <RODOLFO.ALLGREEN-USSING@ PARFEMY-ELNINO .SK>
Date: Tue 29/11/2016 13:23
Subject: File COPY.29112016.94400.XLS Sent 29/11/2016
Attachment: COPY.29112016.94400.XLS
can you please pass this invoice for payment thank you...

29 November 2016: COPY.29112016.94400.XLS - Current Virus total detections 9/55*
Payload Security** shows a download of an encrypted file from steffweb .dk/087gbdv4 which is converted by the macro to luswiacs1.dll (VirusTotal 10/56***). Although the Locky dll file -name- is the same as today’s earlier XLS malspam[1] run the file itself is different...
1] https://myonlinesecurity.co.uk/please-find-attached-a-xls-invoice-spoofing-ansell-lighting-delivers-locky/
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/e1f9b6cb0d9011b43c0046d2af0cda6a712234924d0e7deaee7b203e597b4e84/analysis/1480430599/

** https://www.hybrid-analysis.com/sample/e1f9b6cb0d9011b43c0046d2af0cda6a712234924d0e7deaee7b203e597b4e84?environmentId=100
Contacted Hosts
94.231.108.252

*** https://www.virustotal.com/en/file/f9c5b8f5c1e82bbf6d78a15d3704eace908415ac92e7b094275df8da9a9d9124/analysis/
___

Fake 'eFax' SPAM - drops Nymaim variant
- http://blog.dynamoo.com/2016/11/fake-efax-spam-uses-hacked-sharepoint.html
29 Nov 2016 - "This -fake -fax leads to a malicious ZIP file:

Screenshot: https://4.bp.blogspot.com/-wZb3FWqAD5A/WD3TV0fBq3I/AAAAAAAAJRI/sFrEf53_CuYEpmz69Ih7AS90USWVFfU3gCLcB/s1600/efax.png

The link in the email goes to a -hacked- Sharepoint account, in this case:
https ://supremeselfstorage-my.sharepoint .com/personal/andrew_supremeselfstorage_com_au/_layouts/15/guestaccess.aspx?guestaccesstoken=GTQPc%2brKLAsKHba4nXtvl0hXrBsUmCUxoYGuu9msk0U%3d&docid=0c4b96dfd3319496a8feb1a56d88de679&rev=1
It seems to belong to a legitimate company, but maybe one that has suffered an Office 365 compromise[2]. The ZIP file it leads to is named Fax_11292016.zip (there may be other versions) containing two identical -scripts- named:
Fax_11292016_page1.js
Fax_11292016_page2.js
... Hybrid Analysis* of the script indicates this is Nymaim[3] downloading a component from:
siliguribarassociation .org/images/staffs/documetns.png
A malicious EXE is dropped with an MD5 of bdf952b2388bf429097b771746395a4c and a detection rate of 9/56**. The malware then phones home to:
stengeling .com/20aml/index.php
The domain stengeling .com appears to have been -created- for this malware and has -anonymous- registration details. It is apparently -multihomed- on the following IPs:
4.77.129.110, 18.17.224.92, 31.209.107.100, 37.15.90.12, 43.132.208.7, 45.249.111.213, 52.61.200.235
61.25.216.8, 67.25.164.206, 74.174.194.169, 88.214.198.162, 92.74.29.236, 111.241.115.90, 115.249.171.24
119.71.196.177, 135.55.94.211, 143.99.241.18, 147.89.60.135, 156.180.11.60, 162.74.9.51, 168.227.171.254
176.114.21.171, 184.131.179.44, 207.77.174.212
Each of those IPs appears to be a -hacked- legitimate host, with a high turnover of IPs. Those IPs appear to be associated with the following domains that may be worth blocking:
butestsis .com
sievecnda .com
specsotch .com
crileliste .com
stengeling .com "
* https://www.hybrid-analysis.com/sample/eb01f7d4eb17acc99795dac1fe11cff6897f9367f7c4cbd9192d464b68f8a382?environmentId=100
Contacted Hosts
216.158.76.73
115.249.171.24
45.249.111.213
168.227.171.254
31.209.107.100

** https://www.virustotal.com/en/file/e0f18540f8eff9f8f5a74d18ee9263979e16b1a3a7aa5480504c827e12756c60/analysis/

2] https://support.microsoft.com/en-us/kb/2551603

3] http://cyber.verint.com/nymaim-malware-variant/
___

Fake 'Insufficient funds' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/insufficient-funds-malspam-delivers-locky/
28 Nov 2016 - "... Locky.. an email with the subject of 'Insufficient funds' coming or pretending to come from random companies, names and email addresses with a semi-random named zip attachment in the format of payment-recipient name.zip... One of the emails looks like:
From: Ruby Quinn <Quinn.Ruby@ villatk .gr>
Date: Mon 28/11/2016 20:58
Subject: Travel expense sheet
Attachment: payment-gold.zip
Dear gold,
Your bill payment was rejected due to insufficient funds on your account.
Payment details are given in the attachment.

28 November 2016: payment-gold.zip: Extracts to: -snk-007064018.js - Current Virus total detections 14/55*
MALWR** shows a download of an encrypted file from http ://leyuego .com/ejxgf1iy which is converted by the script to Ddrh0VO4W20.tdb (VirusTotal 7/57***). The tdb file is actually a dll file that is run by rundll32 but given a different extension to attempt to fool anyone having a quick look at it. We describe this here[4] and Bleeping computer[5] has a good write up about the use of non standard file extensions by Locky (Payload Security [6])... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/7eca0c5aed0dbffbad69ef6a54c81897738c0ce3aa13b4add2d052c9f36bb475/analysis/1480370317/

** https://malwr.com/analysis/NWU1NTBkODBhNWE3NDY2ZTlhMWNkNjYxM2I0MjkyN2E/
Hosts
121.201.23.80

*** https://www.virustotal.com/en/file/800c7cc5396ea3a83eea8399c767071d1474c8c277f9b3f527d9c8344efd631e/analysis/1480371353/

4] https://myonlinesecurity.co.uk/locky-changed-again-to-use-zzzzz-file-extensions/

5] http://www.bleepingcomputer.com/news/security/locky-ransomware-putting-us-to-sleep-with-the-zzzzz-extension/

6] https://www.reverse.it/sample/7eca0c5aed0dbffbad69ef6a54c81897738c0ce3aa13b4add2d052c9f36bb475?environmentId=100
Contacted Hosts
121.201.23.80
185.12.95.92
213.32.66.16
85.143.214.58
52.34.245.108
54.240.162.4
35.160.111.237
___

Apple ID – Phish
- https://myonlinesecurity.co.uk/reset-your-password-or-unlock-your-apple-id-phishing/
29 Nov 2016 - "... mass Apple phish... received about 200 so far this morning. Many of which are getting past spam filters because they seem to have found some sending addresses that aren’t yet listed in spam databases and that don’t use SPF /DKIM /DMARC so authentication checks don’t fail. Most mail servers are set up to ignore lack of mail authentication, rather than automatically delete or quarantine...

Screenshot: https://i0.wp.com/myonlinesecurity.co.uk/wp-content/uploads/2016/11/29_11_2016_apple_phish.png?resize=1024%2C644&ssl=1

The links in the body go to
http ://k4dot .biz/admindb/gi.html which -redirects- to http ://tkmarketingsolutions .com/skynet/Itunes/apple/

k4dot .biz: 161.58.203.203: https://www.virustotal.com/en/ip-address/161.58.203.203/information/
tkmarketingsolutions .com: 67.212.91.221: https://www.virustotal.com/en/ip-address/67.212.91.221/information/

... follow the link you see a webpage looking like:
> https://i1.wp.com/myonlinesecurity.co.uk/wp-content/uploads/2016/11/29_11_2016_apple_phish_website.png?resize=1024%2C565&ssl=1
... All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email..."

:fear::fear: :mad:

AplusWebMaster
2016-11-30, 12:17
FYI...

Fake 'Urgent bill' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/urgent-bill-has-invalid-account-number-malspam-delivers-locky/
30 Nov 2016 - "... Locky downloader... an email with the subject of 'Urgent' coming or pretending to come from random companies, names and email addresses with a semi-random named zip attachment in the format of unpaid_recipient’s name.zip... One of the emails looks like:
From: Adolfo Alexander <Alexander.Adolfo@ escondidohistory .org>
Date: Wed 30/11/2016 09:06
Subject: Urgent
Attachment: unpaid_forum.zip
Dear forum, our accountant informed me that in the bill you processed, the invalid account number had been specified.
Please be guided by instructions in the attachment to fix it up.

30 November 2016: unpaid_forum.zip: Extracts to: -snk-284042943.js - Current Virus total detections 10/55*
MALWR** shows a download of an encrypted file from http ://revaitsolutions .com/ij1driqioc which is converted by the script to K3GepPJAfH.tdb (VirusTotal 5/57***). Payload Security[4]. The tdb file is actually a dll file that is run by rundll32 but given a different extension... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/7f4910729fb867976838d0f3bf255c543b9bc11b3ecfc1caeda3a35c37e76c7d/analysis/1480496588/

** https://malwr.com/analysis/MmFiNzdjMTcyZjhlNGQ1ZmJkNWE4YmE3ODJmZGYyMWI/
Hosts
166.62.28.127

*** https://www.virustotal.com/en/file/9c37090d0c05b0fbad89785d9aee3b67e5d1e18b4b9f9933ddc3a3fd3942cc9b/analysis/1480498073/

4] https://www.hybrid-analysis.com/sample/7f4910729fb867976838d0f3bf255c543b9bc11b3ecfc1caeda3a35c37e76c7d?environmentId=100
Contacted Hosts
166.62.28.127
185.75.46.138
91.201.41.145
91.142.90.46
52.42.26.69
54.240.162.193
52.35.54.251
___

Fake 'Attached Image' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/attached-image-in-blank-email-spoofed-to-come-from-canonyour-own-email-address-delivers-locky/
30 Nov 2016 - "A -blank- email with the subject of 'Attached Image' pretending to come from canon@ your-own-email-domain with a malicious word doc attachment delivers Locky... The email looks like:
From: canon@ thespykiller .co.uk
Date: Wed 30/11/2016 09:23
Subject: Attached Image
Attachment: 6479_005.docm

Body content: Totally blank/empty

30 November 2016: 6479_005.docm - Current Virus total detections 9/55*
Both MALWR** and Payload Security*** show a download from satherm .pt/873nf3g which is converted by the macro to ajufr51.dll (VirusTotal 5/57[4]). Manual analysis shows an attempt to download from
http ://travelinsider .com.au/021ygs7 which is currently giving me a 404. There are normally 5 or 6 download locations buried inside the macro or scrpt files with these Locky versions.
C2 http ://91.142.90.61 /information.cgi | 95.213.195.123 /information.cgi... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/92bad79438931ff897bc4bb6cc01b873cc79c4aa1418bd2ba2800dc495cdd55b/analysis/1480498411/

** https://malwr.com/analysis/MjEwOGQ3YTJhYWU3NGMwZWJmYTg2Mjg0NmRjZWQzNTQ/
Hosts
80.172.235.175
91.142.90.61

*** https://www.hybrid-analysis.com/sample/92bad79438931ff897bc4bb6cc01b873cc79c4aa1418bd2ba2800dc495cdd55b?environmentId=100
Contacted Hosts
80.172.235.175
95.213.195.123
91.142.90.61
2.16.4.33
52.42.26.69
54.240.162.55
52.35.54.251
91.198.174.192
91.198.174.208

4] https://www.virustotal.com/en/file/920940626c9c69c60b9c139ecd932bd11a5b50a562dd9a613e7a86ebc5d447b1/analysis/1480499902/
___

Forced install - Chrome extension...
- https://blog.malwarebytes.com/cybercrime/2016/11/forced-into-installing-a-chrome-extension/
Nov 29, 2016 - "We have found a number of websites whose sole purpose is to try and force an extension on anyone visiting that site with Chrome. Most often, you can likely land on one of these sites after a -redirect- from a crack, keygen, or adult entertainment site... site runs a JavaScript producing this dialog box, telling you you’ll have to 'Add Extension to Leave':
> https://blog.malwarebytes.com/wp-content/uploads/2016/11/prompt1.png
Clicking “Cancel” once changes it to add a tick box marked “Prevent this page from creating additional dialogs”:
> https://blog.malwarebytes.com/wp-content/uploads/2016/11/warning2w.png
Thinking that this is the ticket out of the page, you will tick that box and click “OK”. At this point, your tab will go into “Full Screen” mode, and you can see which extension they want you to install:
> https://blog.malwarebytes.com/wp-content/uploads/2016/11/warning3w.png
The app is called Veritasi and a big arrow pointing to the “Add extension” button is displayed on the site. Clicking the said button initiates the installation of the app:
> https://blog.malwarebytes.com/wp-content/uploads/2016/11/warning4.png
When I looked up Veritasi, we noticed it was added to the “Web Store” the same day we found it and it’s supposedly meant to improve your sound quality online:
> https://blog.malwarebytes.com/wp-content/uploads/2016/11/soundimprove.png
A similar extension was found and described by Botcrawl.com who classified it as adware. It has the permission “Read and change all your data on the websites you visit”, which is not unusual for a browser extension, but it’s all what -adware- needs to do its job:
> https://blog.malwarebytes.com/wp-content/uploads/2016/11/permissionsw.png
If your Windows machine gets stuck on a site like this, use the Ctrl-Alt-Del key combination to invoke the Task Manager. Use “End Process” on every active “chrome.exe” process until the browser shuts down. When you restart Chrome, it will ask if you want to “Restore” the open tabs. I would recommend -not- to, unless it’s really necessary. We have sent in an abuse report and blocked the sites involved to protect as many possible victims as we could..."
> https://blog.malwarebytes.com/wp-content/uploads/2016/11/abuse.png
... A full removal guide can be found on our forums*..."
* https://forums.malwarebytes.org/topic/191194-removal-instructions-for-veritasi/

:fear::fear: :mad:

AplusWebMaster
2016-12-01, 16:19
FYI...

Fake 'efax' SPAM - delivers Dridex
- https://myonlinesecurity.co.uk/efax-message-from-unknown-2-pages-delivers-an-unknown-malware/
1 Dec 2016 - "... an email with the subject of 'efax message from unknown – 2 page(s)' pretending to come from eFax <message@ inbound-efax-au .org> with a link-to-download-a-zip-file that extracts to 2 identical .js files named fax page 1 and fax page 2...

Screenshot: https://i2.wp.com/myonlinesecurity.co.uk/wp-content/uploads/2016/12/efax-message-from-unknown-2-pages.png?resize=1024%2C773&ssl=1

1 December 2016: Fax.zip: Extracts to: Fax_page1.js - Current Virus total detections 3/55*
MALWR** shows a download of a file from ‘http ://mohdsuhaimy .com/wp-content/uploads/2006/06/background.png’ which is -not- a png (image file) but a -renamed- .exe which is renamed back by the script to an .exe file (VirusTotal 15/57***). (Payload Security [4]). Previously this trick & delivery method has delivered Trickbot banking Trojan. However this binary looks different and gives some indication of ransomware behaviour...
Update: I am reliably informed that this is Dridex Banking Trojan... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/eab3ba338c11bb3b4d569845a3183b0f397d21cdffe116c7cd5797e1f525c570/analysis/1480579221/

** https://malwr.com/analysis/NDdiMjI1M2FhMGE3NGI1ZmIwZjc4ZDJhYmMwMWZjYWU/
Hosts
173.247.245.31

*** https://www.virustotal.com/en/file/e661113bc86740bd22871cc64c1d6b46a68c503b3ef1d96224dcdfd69a676a19/analysis/1480579728/

4] https://www.hybrid-analysis.com/sample/eab3ba338c11bb3b4d569845a3183b0f397d21cdffe116c7cd5797e1f525c570?environmentId=100
Contacted Hosts
173.247.245.31
111.69.33.166
104.236.219.229
185.8.165.33
___

Fake 'Invoices' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/more-spoofed-invoices-from-random-companies-with-a-zip-file-that-pretends-to-be-a-docm-delivers-locky/
1 Dec 2016 - "... Locky downloader... an email with the subject of 'E-Mailed Invoices Invoice_87313391' (random numbers) coming or pretending to come from random companies, names and email addresses with what appears to be a word docm attachment - In reality this attachment is a standard zip file that has been erroneously named as a word macro doc. It will not open in word or any other word processing program. This zip contains a VBS file. Trying to open the alleged word doc in Word gives this error message:
> https://i2.wp.com/myonlinesecurity.co.uk/wp-content/uploads/2016/12/word-cannot-open.png?w=524&ssl=1
... One of the emails looks like:
From: WAUGH, HORACIO <HORACIO.WAUGH@ originalyin .ca>
Date: Thu 01/12/2016 09:23
Subject: E-Mailed Invoices Invoice_87313391
Attachment: Invoice_87313391.docm
Please find attached your latest purchase invoice...
Any queries with either the quantity or price MUST be notified immediately to the department below.
Yours sincerely, Sales Ledger Department...
This email has been scanned by the Symantec Email Security.cloud service...

1 December 2016: Invoice_87313391.docm (actually a zip file): Extracts to: fGDpAMD-0438.vbs
Current Virus total detections on docm(zip) VirusTotal on VBS 20/55*. Payload Security** shows a download of an encrypted file from speckftp .de/978t6rve which is converted by the script to nhbzalOHj.343 (VirusTotal 37/56***)
Locky has recently started to use non standard file extensions on the binaries. Sometimes they are numbers like 342, 343, 552 etc or sometimes tdb or .zk. All of these are actually DLL files that rundll32.exe will run via the macro or VBS/JS/WSF scripting file telling it to... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/0aa96f85e76db5ece5c1e9f237f03f88d460d5e6d104709a1c3fcf7d29b838aa/analysis/1480587704/
fGDpAMD-0438.vbs

** https://www.hybrid-analysis.com/sample/a034291c6179b74fb1f95ccb2873f2e534b2de5416725259634261862283fe92?environmentId=100
Contacted Hosts
87.106.247.11
95.213.195.123
91.142.90.61
54.240.162.180

*** https://www.virustotal.com/en/file/83999bcca96a289e240d119ca15f1ac486104071f9fa656b551a03d73315c5fd/analysis/1480587701/
___

Fake 'Invoice' SPAM - links to Dridex
- https://myonlinesecurity.co.uk/invoices-from-random-companies-accounts-messaging-servicepost-xero-org-delivers-dridex-banking-trojan/
1 Dec 2016 - "... an email with the subject of 'Invoice INV-01823 (Amended)' from Fleurs (random numbers and random companies) coming from Accounts <messaging-service@ post-xero .org>. There is no zip attachment but a -link- in the email to download a zip... post-xero .org is a newly created domain that is registered to a Chinese entity with probably -fake- details. It appears to be hosted on OVH in France... One of the emails looks like:
From: Accounts <messaging-service@ post-xero .org>
Date: Thu 01/12/2016 08:02
Subject: Invoice INV-01823 (Amended) from Fleurs
Attachment: link-in-email to INV-01823.zip
Dear Customer, Please find attached invoice INV-01823 (Amended) for 421.59 GBP. This invoice was sent too early in error. The payment date should be 7th December 2016. Kindly accept our apologies for the oversight and for any inconvenience caused. The amount outstanding of 421.59 GBP is due on 07 Dec 2016. View and pay your bill:
https ://in.xero .com/vjNPxBRausdmfvsgnZKOMWvyHsISTwYm If you have any questions, please do not hesitate to contact us. Kind regards, Accounts Department ...

The link in the body does -not- go to xero .com which is a legitimate small business accounting software but to a criminal controlled site on SharePoint: ‘https :// ryandixon-my.sharepoint .com personal/judy_dixonconstructionwa_com_au/_layouts/15/guestaccess.aspx?guestaccesstoken=k9xc1qR8YuAKTF6D2%2bMExORcjRIY3nQj8RB7WhdXaSw%3d&docid=09d01294b7e434b2aad87127682150354&rev=1’

1 December 2016: INV-01823.zip: Extracts to: INV-01823.js - Current Virus total detections 6/54*
.. where comments show this downloads the same Dridex banking Trojan from the -same- locations as described in THIS earlier post:
> https://myonlinesecurity.co.uk/efax-message-from-unknown-2-pages-delivers-an-unknown-malware/
The basic rule is NEVER open any attachment to an email [OR click-on-links in the body] unless you are expecting it..."
* https://www.virustotal.com/en/file/eab3ba338c11bb3b4d569845a3183b0f397d21cdffe116c7cd5797e1f525c570/analysis/1480587854/
INV-01823.js

post-xero .org: 46.105.101.84: https://www.virustotal.com/en/ip-address/46.105.101.84/information/

ryandixon-my.sharepoint .com: 104.146.222.33: https://www.virustotal.com/en/ip-address/104.146.222.33/information/
>> https://www.virustotal.com/en/url/fb73140cb655194a60def83b4eddf8c55a73312c406e63d12061ea251aa7e61f/analysis/
1/68
___

Fake 'Payment Information' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/payment-information-you-have-forgotten-to-specify-insurance-payments-delivers-locky/
1 Dec 2016 - "... Locky downloader... an email with the subject of 'Payment Information' coming or pretending to come from random companies, names and email addresses with a semi-random named zip attachment in the format of P_recipient’s name.zip... One of the emails looks like:
From: Helga Hull <Hull.Helga@ dreamactunion .org>
Date: Thu 01/12/2016 18:23
Subject: Payment Information
Attachment: P_rek.zip
Good afternoon. Thank you for sending the bill.
Unfortunately, you have forgotten to specify insurance payments.
So, we cannot accept the payment without them.
All details are in the attachment.

1 December 2016: P_rek.zip: Extracts to: -6dt874p53077.js - Current Virus total detections 16/55*
MALWR** shows a download of an encrypted file from http ://trewincefarm .co.uk/xlyy7 which is converted by the script to 0UBE8YF7q1BcN.zk (VirusTotal 11/57***). Payload Security[4]. Locky has recently started to use non standard file extensions on the binaries. Sometimes they are numbers like 342, 343, 552 or sometimes tdb or .zk. All of these are actually DLL files that rundll32.exe will run via the macro or VBS/JS/WSF scripting file telling it to...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/794dcfdcc1362140eee6fcda11ddf239ab048a965bba634bb787321db9672cfa/analysis/1480616575/

** https://malwr.com/analysis/Njg0ZmViNDdjN2RlNGUxZTk1MDljMDc4MWI5ZWVmYjU/
Hosts
82.211.96.24

*** https://www.virustotal.com/en/file/14b933fc72e99e0002d6614ab869bd41d3b1ce28dc1f0817b33b9b70126ea45e/analysis/1480617465/

4] https://www.hybrid-analysis.com/sample/794dcfdcc1362140eee6fcda11ddf239ab048a965bba634bb787321db9672cfa?environmentId=100
Contacted Hosts
82.211.96.24
91.201.41.145
46.8.29.155
31.41.47.50
52.32.150.180
54.240.162.129
35.160.111.237
___

Worldwide cyber-crime network hit in coordinated raids
- http://www.reuters.com/article/us-germany-cyber-idUSKBN13Q4Z6
Dec 1, 2016 - "One of the world's biggest networks of hijacked computers, which is suspected of being used to attack online banking customers, has been taken down following police swoops in 10 countries, German police said on Thursday. In an internationally coordinated campaign, authorities carried out the raids on Wednesday, seized servers and website domains and arrested suspected leaders of a criminal organization, said police and prosecutors in northern Germany. Officials said they had seized 39 servers and several hundred thousand domains, depriving criminals of control of more than 50,000 computers in Germany alone. These hijacked computers were used to form a 'botnet' to knock out other websites. Two people who are believed to have been the administrators of the botnet infrastructure known as 'AVALANCHE' were arrested in Ukraine, investigators said. Another person was arrested in Berlin, officials added. The strike came in the same week that hackers tried to create the world's biggest botnet, or an army of zombie computers, by infecting the routers of 900,000 Deutsche Telekom (DTEGn.DE) with malicious software. The attack failed but froze the routers, causing outages in homes, businesses and government offices across Germany on Sunday and Monday, Deutsche Telekom executives said. Police said criminals had used the 'AVALANCHE' botnet targeted in Wednesday's international raids since 2009 to send phishing and spam emails. More than a million emails were sent per week with malicious attachments or links. When users opened the attachment or clicked on the link, their infected computers became part of the botnet. Investigators said the suspects had operated the commandeered network and made it available to other criminal groups, who had used it to send spam and phishing mails, defraud online banking user and to spread ransomware, a form of online extortion scheme. Officials estimated worldwide damages at upward of several hundred million euros. Authorities have identified 16 suspected leaders of the organization from 10 different countries. A court in Verden, northern Germany, has issued arrest warrants for seven people on suspicion of forming a criminal organization, commercial computer fraud and other criminal offences. The raids came after more than four years of intensive investigation by specialists in 41 countries."

:fear::fear: :mad:

AplusWebMaster
2016-12-02, 13:42
FYI...

Fake 'Pay Attention' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/please-pay-attention-the-contractor-requires-including-vat-in-the-service-receipt-malspam-delivers-locky/
2 Dec 2016 - "... Locky downloader... an email with the subject of 'Please Pay Attention' coming or pretending to come from random companies, names and email addresses with a semi-random named zip attachment in the format of SCAN_recipient’s name.zip... One of the emails looks like:
From: Claud Hopper <Hopper.Claud@ jvaclub .com>
Date: Fri 02/12/2016 09:35
Subject: Please Pay Attention
Attachment: SCAN_ard.zip
Greetings! Informing you that the contractor requires including VAT in the service receipt.
Sending the new invoice and payment details in the attached file.
Please open and study it as soon as possible – we need your decision.

2 December 2016: SCAN_ard.zip: Extracts to: -uvk3166985727v.js - Current Virus total detections 8/55*
MALWR** shows a download of an encrypted file from http ://supermarkety24 .pl/levsyp8vp which is converted by the script to 5viAGx9N.zk (VirusTotal 8/56***) | Payload Security[4] | Locky has recently started to use non standard file extensions on the binaries. Sometimes they are numbers like 342, 343, 552 or sometimes tdb or .zk. All of these are actually DLL files that rundll32.exe will run via the macro or VBS/JS/WSF scripting file telling it to...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/9df0d08438cce099ad9c81e5385ddb4c75cb9b02411a8f1316dddc49716f138f/analysis/1480674917/

** https://malwr.com/analysis/Njg0ZmViNDdjN2RlNGUxZTk1MDljMDc4MWI5ZWVmYjU/
Hosts
82.211.96.24

*** https://www.virustotal.com/en/file/6faddf7a86b558f4a80e12c1da51ce2e492d66c618b1d029abd6f45b1b8bf79b/analysis/1480676872/

4] https://www.hybrid-analysis.com/sample/9df0d08438cce099ad9c81e5385ddb4c75cb9b02411a8f1316dddc49716f138f?environmentId=100
Contacted Hosts
193.106.106.169
95.46.98.25
91.201.41.145
46.8.29.173
___

Fake 'Emailing..." SPAM - delivers Locky
- https://myonlinesecurity.co.uk/emailing-eps000007-spoofed-from-random-names-at-your-own-email-address-delivers-locky/
2 Dec 2016 - "An email with the subject of 'Emailing: EPS000007' (random numbers) pretending to come from random names at your-own-email-address with a malicious word doc attachment delivers Locky... The email looks like:
From: edmund <edmund.simister@ malware-research .co.uk>
Date: Fri 02/12/2016 12:39
Subject: Emailing: EPS000007
Attachment: EPS000007.docm
Please find attachment.

This email has been checked for viruses by Avast antivirus software...

2 December 2016: EPS000007.docm - Current Virus total detections 10/56*
MALWR** shows a download of an encrypted file from http ://solid-consulting .nl/74t3nf4gv4 which is converted by the macro to likyir1.exe (VirusTotal 8/57***). Payload security[4]. C2: http ://195.19.192.99 /information.cgi
Other download locations seen on manual analysis of the macro include:
solid-consulting .nl/74t3nf4gv4 | taikosushibar .com.br/74t3nf4gv4 | tatooshsfds .com/74t3nf4gv4
sudeepgurtu .com/74t3nf4gv4 ... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/800ad944808ea513b1a7964bb22d7f44a0d0b071404638878692794ceaec7b8c/analysis/1480682348/

** https://malwr.com/analysis/MWJmZDk3MjI4NmMxNDBlMGI2MzRjOTdlMzg0YjlmYjA/
Hosts
149.210.133.178
195.19.192.99

*** https://www.virustotal.com/en/file/6292c2b85b29c9dc019f731f7f2ab488876a15b49d71444f075f87712107a7fa/analysis/1480680017/

4] https://www.hybrid-analysis.com/sample/800ad944808ea513b1a7964bb22d7f44a0d0b071404638878692794ceaec7b8c?environmentId=100
Contacted Hosts
149.210.133.178
195.19.192.99
91.142.90.61
31.41.47.50
52.34.245.108
54.240.162.246
___

Fake 'Attached Document' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/attached-document-in-blank-email-spoofed-to-come-from-canonyour-own-email-address-delivers-locky/
2 Dec 2016 - "A -blank- email with the subject of 'Attached Document' pretending to come from canon@ your-own-email-domain with a malicious word doc attachment delivers Locky. This series of malspam emails contain the same macro downloaders and end up delivering the -same- Locky payload as described in THIS* earlier post where they used an Epson scanner/printer... The email looks like:
From: canon@ my onlinesecurity .co.uk
Date: Fri 02/12/2016 15:52
Subject: Attached Document
Attachment: 0160_004.docm

Body content: Totally blank/empty

* https://myonlinesecurity.co.uk/emailing-eps000007-spoofed-from-random-names-at-your-own-email-address-delivers-locky/
2 Dec 2016

:fear::fear: :mad:

AplusWebMaster
2016-12-05, 13:07
FYI...

Fake blank body SPAM - delivers Locky
- https://myonlinesecurity.co.uk/blank-email-from-random-senders-with-random-numbers-starting-051220160-or-041220161-malspam-delivers-locky/
5 Dec 2016 - "... Locky downloader... a completely -blank- email with the subject consisting of random numbers coming or pretending to come from random companies, names and email addresses with a zip attachment that matches the subject line numbers. I have received about 1500 copies of this malspam overnight. All the ones that I have seen start with either 051220160 or 041220161... One of the emails looks like:
From: Monica clare <Monica.clare85349@ fit4elegance .com>
Date: Mon 05/12/2016 00:47
Subject: 051220160746377790277
Attachment: 051220160746377790277.zip

Body content: totally blank/empty

5 December 2016: 051220160746377790277.zip: Extracts to: 201612031200123557933004.vbs
Current Virus total detections 14/55*. Payload Security** shows a download of an encrypted file from
http ://natashacollis .com/8765r which is converted by the script to yqUePnct.343 (VirusTotal 11/53***). Locky has recently started to use non standard file extensions on the binaries. Sometimes they are numbers like 342, 343, 552 or sometimes tdb or .zk. All of these are actually DLL files that rundll32.exe will run via the macro or VBS/JS/WSF scripting file telling it to... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/b2e7d2181bd70ff519676f25ae5d8a548969d58b3e702d22c7dc7248dff54499/analysis/1480911167/

** https://www.hybrid-analysis.com/sample/b2e7d2181bd70ff519676f25ae5d8a548969d58b3e702d22c7dc7248dff54499?environmentId=100
46.16.59.177
91.142.90.61

*** https://www.virustotal.com/en/file/17f455cc3d24b2333ef999b8ae61040fc459f6ad5798f33abbbbb5407a8174bf/analysis/1480922615/
___

Fake 'No subject' SPAM - leads to Locky
- http://blog.dynamoo.com/2016/12/malware-spam-emailing-9376924272-no.html
5 Dec 2016 - "This spam comes in a few different variants, and it leads to Locky ransomware encrypting files with an extension '.osiris'. The more word version comes from random senders with a subject like _9376_924272 or some other randomly-numbered sequence. Attached to that is an XLS file of the same name and it includes this body text:
Your message is ready to be sent with the following file or link
attachments:
_9376_924272
Note: To protect against computer viruses, e-mail programs may prevent
sending or receiving certain types of file attachments. Check your e-mail
security settings to determine how attachments are handled.

The second version has no body text and the subject No subject or (No subject). The XLS file is named in a format incorporating the date, e.g. 2016120517082126121298.xls . The macro in the malicious Excel file downloads a component...
(Long list of domain-names at the dynamoo URL above.)
... You can see some of the things done in these two Malwr reports [1] [2]. The Locky ransomware dropped then phones home to one of the following locations:
185.82.217.28 /checkupdate [hostname: olezhkakovtony11.example .com] (ITL, Bulgaria)
91.142.90.61 /checkupdate (Miran, Russia)
195.19.192.99 /checkupdate (OOO EkaComp, Russia)
Recommended blocklist:
185.82.217.28
91.142.90.61
195.19.192.99 "
1] https://malwr.com/analysis/YTQzZjMwNjI5NTI2NDNlNTg5OTA3YzlmYTg3YzBjZjA/
Hosts
66.96.147.105
91.142.90.61

2] https://malwr.com/analysis/ZWVhM2RjNWUxNjYyNGMzYjhjMjcwZjAyNDQ4N2IzNjU/
Hosts
94.152.38.41
185.82.217.28

- https://myonlinesecurity.co.uk/blank-email-with-no-subject-xls-attachment-delivers-locky/
5 Dec 2016 - "... Locky downloader... another -blank- email with no-subject coming or pretending to come from random companies, names and email addresses with an XLS spreadsheet attachment... One of the emails looks like:
From: Rolf titterington <Rolf.titterington91@ prestonlegacy .com>
Date: Mon 05/12/2016 09:44
Subject: no subject
Attachment: 2016120502434302394842.xls

Body content: empty

5 December 2016: 2016120502434302394842.xls - Current Virus total detections 16/55*
MALWR** shows a download of an encrypted file from http ://soulscooter .com/87t34f which is converted by the script to shtefans1.spe (VirusTotal 6/56***). Payload Security[4]. Locky has recently started to use non standard file extensions on the binaries. Sometimes they are numbers like 342, 343, 552 or sometimes tdb or .zk. All of these are actually DLL files that rundll32.exe will run via the macro or VBS/JS/WSF scripting file telling it to. I am informed that Locky is now using .Osiris file extensions on the encrypted files... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/794dcfdcc1362140eee6fcda11ddf239ab048a965bba634bb787321db9672cfa/analysis/1480616575/

** https://malwr.com/analysis/MzA4NDllNjZmYmFhNGU1MGFlMThhNGI1YWU5MDQ3NTk/
Hosts
212.97.132.199
195.19.192.99
91.142.90.61
185.82.217.28

*** https://www.virustotal.com/en/file/7acbf2edb7b7435e21cda70b6a0b7d3fdaed248b63d27208b3b1ca38a18c4a1d/analysis/1480932128/

4] https://www.hybrid-analysis.com/sample/f26bde59d716e3640febe42250016233db77eb263045114956fc2bd4befad404?environmentId=100
___

Fake 'Consider This' SPAM - leads to Locky
- http://blog.dynamoo.com/2016/12/malware-spam-please-consider-this-leads.html
5 Dec 2016 - "This -fake- financial spam leads to malware:
From: Aimee Guy
Date: 5 December 2016 at 13:32
Subject: Please Consider This
Dear [redacted],
Our accountants have noticed a mistake in the payment bill #DEC-5956047.
The full information regarding the mistake, and further recommendations are in the attached document.
Please confirm the amount and let us know if you have any questions.

Attached is a ZIP file with a name somewhat matching the reference in the email, containing a malicious VBS script with a filename made up in part of the date. The scripts download another component...
(Long list of domain-names at the dynamoo URL above.)
... It drops a payload with an MD5 of 529789f27eb971ff822989a5247474ce and a current detection rate of just 1/54*. The malware then phones home to the following locations:
91.142.90.61 /information.cgi [hostname: smtp-server1 .ru] (Miran, Russia)
195.19.192.99 /information.cgi (EkaComp, Russia)
These IPs were also used in this earlier attack**.
Recommended blocklist:
185.82.217.28
91.142.90.61
195.19.192.99 "
* https://virustotal.com/en/file/6a186b353bbd729a2cbaa42b0c78ee67cfe69d3b1e56e1a10f1d33afc5ac473e/analysis/

** http://blog.dynamoo.com/2016/12/malware-spam-emailing-9376924272-no.html
___

Fake 'Sage invoice' SPAM - delivers Dridex
- https://myonlinesecurity.co.uk/spoofed-sage-outdated-invoice-delivers-dridex-banking-trojan/
5 Dec 2016 - "... an email with the subject of 'Outdated invoice' coming or pretending to come from Sage invoice <no-reply@ sage-uk .org> . There is no zip attachment with this Dridex delivery today, but a-link-in-the-body to download an invoice.zip from a hacked/compromised/fraudulently set up sharepoint site... from a site set up by the criminals to malspam the Dridex banking Trojan. The site is registered to a Chinese entity and hosted on an OVH server in France (SAGE-UK .ORG 46.105.101.84 ns3060005.ip-188-165-252.eu). One of the emails looks like:
From: Sage invoice <no-reply@ sage-uk .org>
Date: Mon 05/12/2016 12:48
Subject: Outdated invoice
Attachment: link in email to download invoice.zip
Software for business
Sage Account & Payroll
You have an outdated invoice from Sage Accounting that is ready for payment. To find out more details on this invoice, please follow the link below to download your account invoice:
https ://invoice.sage .co.uk/Account?864394=xUzlmOHtPY
If we have any information about you which is incorrect or if there are any changes to your details please let us know so that we could keep our records accurate...

5 December 2016: Invoice.zip: Extracts to: Invoice.js - Current Virus total detections 3/53*
Payload Security** shows a download from ‘http ://neelkanthelevators .com/images/about1.png’ (VirusTotal 10/56***). Payload Security[4]. This is -not- a png (image file) but a -renamed- .exe file, which the script renames to LzG7FzcEz.exe and runs... The basic rule is NEVER open any attachment to an email [OR click-a-link in it] unless you are expecting it..."
* https://www.virustotal.com/en/file/cff532924f6bcb240cbee418f0bdc0845c7da0a05c936411959e3b65dcf9bc83/analysis/1480944742/

** https://www.hybrid-analysis.com/sample/cff532924f6bcb240cbee418f0bdc0845c7da0a05c936411959e3b65dcf9bc83?environmentId=100
Contacted Hosts
104.219.248.77
195.154.92.54
185.8.165.33
104.236.219.229
91.201.40.33

*** https://www.virustotal.com/en/file/f4a7eab4131c7bde1868fd68e13ab00819b15863b556b1a5d6c2afdc85721a54/analysis/

4] https://www.hybrid-analysis.com/sample/f4a7eab4131c7bde1868fd68e13ab00819b15863b556b1a5d6c2afdc85721a54?environmentId=100
Contacted Hosts
195.154.92.54
185.8.165.33
104.236.219.229
91.201.40.33

46.105.101.84: https://www.virustotal.com/en/ip-address/46.105.101.84/information/
___

Fake 'Shipping status' SPAM - delivers Vawtrak malware
- http://blog.dynamoo.com/2016/12/malware-spam-shipping-status-changed.html
5 Dec 2016 - "This -fake- UPS spam has a malicious attachment:
From: UPS Quantum View [ups@ ups-service .com]
Date: 5 December 2016 at 17:38
Subject: Shipping status changed for your parcel # 1996466
Your parcel has arrived, but we were unable to successfully deliver it because no person was present at the destination address.
There must be someone present at the destination address, on the delivery day, to receive the parcel.
Shipping type: UPS 3 Day Select
Box size: UPS EXPRESS BOX
Date : Nov 14th 2016
You can reschedule the delivery over the phone, but you will have to confirm the information on the delivery invoice.
The delivery invoice can be downloaded from our website ...
Thank you for shipping with UPS
Copyright © 1994-2016 United Parcel Service of America, Inc. All rights reserved.

The link-in-the-email actually goes to a URL vantaiduonganh .vn/api/get.php?id= plus a Base 64 encoded part of the URL (e.g. aGVscGRlc2tAZmJpLmdvdg==) and it downloads a Word document with the recipients email address included in it. This type of malware is typically seen using hacked but legitimate Vietnamese sites for this stage in the infection chain. This DOC file contains a malicious macro, the Malwr report* indicates that it downloads components from:
parkovka-rostov .ru/inst.exe
stela-krasnodar .ru/wp-content/uploads/pm22.dll
Those two locations are legitimate -hacked- sites. This has a detection rate of 7/56** plus a DLL with a detection rate of 37/56***. The malware appears to be Hancitor/Pony/Vawtrak, phoning home to:
cothenperci .ru/borjomi/gate.php
madingtoftling .com/ls5/forum.php
Both of these are hosted on the same IP address of 185.31.160.11 (Planetahost, Russia)... malicious domains are also hosted on the same IP...
(List of domain-names at the dynamoo URL above.
... Recommended blocklist:
185.31.160.11
parkovka-rostov .ru
stela-krasnodar .ru "
* https://malwr.com/analysis/YmM1OGI0Mjk0MzU5NDJiNDkxNzk1MDM1OTg2MmYyM2I/
Hosts
54.243.91.166
185.31.160.11
77.222.42.115
81.177.165.101

** https://www.virustotal.com/en/file/6307a60f2ada31c9bea047d116e5831acdd58e74a30eb59e8cf67121f4912355/analysis/1480963673/

*** https://www.virustotal.com/en/file/77538c6364ff79df91a83a9bba37b4b25af16c721e935910942645c23ec2acb8/analysis/1480964472/
___

Fake 'Urgent Data' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/urgent-data-the-error-occurred-during-payment-malspam-delivers-locky/
5 Dec 2016 - "... Locky downloader... an email with the subject of 'Urgent Data' coming or pretending to come from random companies, names and email addresses with a semi-random named zip attachment in the format of payment random numbers.zip... One of the emails looks like:
From: Consuelo Wells <Wells.Consuelo@ skriverconsult .ch>
Date: Mon 05/12/2016 20:20
Subject: Urgent Data
Attachment: payment9095450.zip
Dear [redacted],
The error occurred during payment. Sending you details of the transaction.
Please pay the remaining amount as soon as possible.
King Regards,
Consuelo Wells

5 December 2016: payment9095450.zip: Extracts to: ~3X072I792ZJ.js - Current Virus total detections 4/55*
MALWR** shows a download of an encrypted file from http ://prosperer .mg/3n7uihwc0p which is converted by the script to yQC6CSDVn.zk (VirusTotal 5/57***). Payload Security[4]. Locky has recently started to use non standard file extensions on the binaries. Sometimes they are numbers like 342, 343, 552 or sometimes tdb or .zk. All of these are actually DLL files that rundll32.exe will run via the macro or VBS/JS/WSF scripting file telling it to... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/26ba3b70d022cf6b0e5d3fb886cb2385d4606cd5034329bc10f9b9b432a6ab7c/analysis/1480969517/

** https://malwr.com/analysis/YTdkZmVjNDU2YTA2NDQ3NjkwMjUwMDY5NzE0ZDFkOGE/
Hosts
212.83.148.70
46.4.63.6

*** https://www.virustotal.com/en/file/aeb5a7ca92eff486a830f83391aa3758ab8e0e7f46dcc7f5d85673cda2e6dd49/analysis/1480970106/

4] https://www.hybrid-analysis.com/sample/26ba3b70d022cf6b0e5d3fb886cb2385d4606cd5034329bc10f9b9b432a6ab7c?environmentId=100
Contacted Hosts
212.83.148.70
46.4.63.6
185.146.168.13
95.46.114.147

:fear::fear: :mad:

AplusWebMaster
2016-12-06, 15:57
FYI...

Fake 'PO' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/inv-1465095170-for-po-0ac27757-malspam-delivers-locky/
6 Dec 2016 - "An email with the subject of 'Inv# 1465095170 for PO# 0AC27757' (random numbers) pretending to come from random senders with a malicious word doc spreadsheet attachment delivers Locky osiris... The email looks like:
From: From: pettengell, judith <judith.pettengell@ ds54 .com>
Date: Tue 06/12/2016 12:18
Subject: Inv# 1465095170 for PO# 0AC27757
Attachment: 0AC27757_1465095170.docm
Please do not respond to this email address. For questions/inquires, please
contact our Accounts Receivable Department.
This email has been scanned by the MessageLabs outbound
Email Security System for CIRCOR International Inc...

6 December 2016: 0AC27757_1465095170.docm - Current Virus total detections 8/51*
MALWR** shows a download of an encrypted file from http ://union1 .cn/0bgsvtr3 which is converted by the script to dipund1.rap (VirusTotal 9/56***). Payload Security[4]. Locky has recently started to use non standard file extensions on the binaries. Sometimes they are numbers like 342, 343, 552 or sometimes tdb or .zk. All of these are actually DLL files that rundll32.exe will run via the macro or VBS/JS/WSF scripting file telling it to...
C2 http ://185.115.140.210 /checkupdate | http ://91.142.90.46 /checkupdate | http ://213.32.66.16 /checkupdate ...
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/f8f226d3a018ceae734fb0d99d3eb24b824be1691fe3a58a67b6fc1b5602c37d/analysis/1481027450/

** https://malwr.com/analysis/MmNkMTBmZTllY2EwNGYzZThlOGJkZDUzYTMyNTQ0YTk/
Hosts
139.129.41.209
185.66.12.43
91.142.90.46
185.115.140.210
213.32.66.16

*** https://www.virustotal.com/en/file/43b77c86ad55d12d551c95b48d4edb9ba59196cfcfe0febb59c90289d7c8ca05/analysis/1481027967/

4] https://www.reverse.it/sample/f8f226d3a018ceae734fb0d99d3eb24b824be1691fe3a58a67b6fc1b5602c37d?environmentId=100
___

Fake 'Recent order' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/recent-order-malspam-delivers-locky/
6 Dec 2016 - "... an email with the subject of 'Recent order' coming or pretending to come from random companies, names and email addresses with a semi-random named zip attachment in the format of order random numbers.zip which delivers Locky ransomware... One of the emails looks like:
From: Jocelyn Dodson <Dodson.Jocelyn@ netpalouse .com>
Date: Tue 06/12/2016 09:29
Subject: Recent order
Attachment: order3202227.zip
Dear adkins,
The counteragent has conducted the checking and found no confirmed payment for the recent order...
All details are in the attachment.
Feel free to email us if you have any inquiry.
King Regards,
Jocelyn Dodson

6 December 2016: order3202227.zip Extracts to: ~8FX934T59F85.js - Current Virus total detections 6/54*
MALWR** shows a download of an encrypted file from http ://steffweb .dk/bkjybit which is converted by the script to AEyjwjkWiBbl6.zk (VirusTotal 7/57***). Payload Security[4]. Locky has recently started to use non standard file extensions on the binaries. Sometimes they are numbers like 342, 343, 552 or sometimes tdb or .zk. All of these are actually DLL files that rundll32.exe will run via the macro or VBS/JS/WSF scripting file telling it what to do...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/696a04cd293935e41bd24965ee66984c7cb87f3a2843268ef43628358eafcd7c/analysis/1481018575/

** https://malwr.com/analysis/ZmU5MGNkMjc2MTYwNDRiYmIzNTQ5YmQ3OWQwMWQxMjQ/
Hosts
94.231.108.252

*** https://www.virustotal.com/en/file/954e1c5227e613c498cf8cbccd4ddd25daf678dcdf0a31f8ca2b30819a26173b/analysis/

4] https://www.hybrid-analysis.com/sample/696a04cd293935e41bd24965ee66984c7cb87f3a2843268ef43628358eafcd7c?environmentId=100
Contacted Hosts
94.231.108.252
91.203.5.176
85.143.213.71
176.112.219.101
95.46.114.147
___

Amazon - phish
- https://myonlinesecurity.co.uk/new-return-requested-on-amazon-for-order-502-2849265-1928845-phishing/
6 Dec 2016 - "'New Return Requested on Amazon for order 502-2849265-1928845' pretending to come from Amazon .co.uk <annazon@ amazonaws .co.uk> is one of the latest -phish- attempts to steal your Amazon Account. This one only wants your Amazon log in details... The link leads to http ://tolmasoft .ru/ViewListingAccount-dvk@ [redacted].co.uk.html...

Screenshot: https://i0.wp.com/myonlinesecurity.co.uk/wp-content/uploads/2016/12/amazon_phishing_site_login-1.png?resize=1024%2C608&ssl=1

When you fill in your user name and password you get immediately -redirected- to the genuine Amazon.co.uk home page, where you think that you have logged in properly. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email..."

tolmasoft .ru: 5.187.1.187: https://www.virustotal.com/en/ip-address/5.187.1.187/information/
___

'AppIe ID' phish
- http://blog.dynamoo.com/2016/12/sms-phish-your-appie-id-is-due-to.html
6 Dec 2016 - "This SMS spam is actually a phishing message:

Screenshot: https://2.bp.blogspot.com/-OF33yrXObzM/WEbVQ1ga3LI/AAAAAAAAJSw/i-SqQzFwukAOG-WXGClQvWuoBhuFi_ZGwCLcB/s1600/apple-phish.png

This is one of those odd SMSes that doesn't seem to come from an actual number. If you follow through the link you end up on a straightforward Apple phishing page:
> https://2.bp.blogspot.com/-wsiOA1HPCv0/WEbWL6fzahI/AAAAAAAAJS4/Jf3Jpr8A23oSfoJA6KDHI3YX6U1v8wnVgCLcB/s1600/apple-phish.jpg

The website appieid-support .com is hosted on 108.167.141.128 which is a customer of WebsiteWelcome... no-doubt-fake WHOIS details... The domain was created just today. Avoid."

108.167.141.128: https://www.virustotal.com/en/ip-address/108.167.141.128/information/
>> https://www.virustotal.com/en/url/01068689ee7b84963dd0c9ca393919d1a6170f37dc076a9054b4e03a64926b4d/analysis/

:fear::fear: :mad:

AplusWebMaster
2016-12-07, 14:58
FYI...

Fake 'Invoices' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/three-invoices-4282-284-4283-99-4287-564-are-not-paid-malspam-delivers-locky/
7 Dec 2016 - "... an email with the subject of 'Invoices' pretending to come from random companies, names and email addresses with a semi-random named zip attachment which delivers Locky ransomware... One of the emails looks like:
From: Margery Hinton <Hinton.Margery@ bluelinedesignoh .com>
Date: Wed 07/12/2016 10:10
Subject: Invoices
Attachment: invoices0660953.zip
Dear zowm,
By today, three invoices (4282, $284; 4283, $99; 4287, $564) are not paid.
Starting tomorrow, fines will be charged. Please make appropriate payments.
All details are in the attachment.
Best Regards,
Margery Hinton
Sales Director

7 December 2016: invoices0660953.zip: Extracts to: ~8G9Z5BP2U18O48QKC6O54YE4.js
Current Virus total detections 2/55* Payload Security** shows a download of an encrypted file from
sagaoil .ro/jv5f0mrnea which is converted by the script to BQODhCNNx.zk ... Locky has recently started to use non standard file extensions on the binaries. Sometimes they are numbers like 342, 343, 552 or sometimes tdb or .zk. All of these are actually DLL files that rundll32.exe will run via the macro or VBS/JS/WSF scripting file telling it what to do... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/dabd27dcf3e5a3ef3c2b89c480a1c69c10bb1f9b2b53614c5e5d45026a175f64/analysis/1481105284/

** https://www.hybrid-analysis.com/sample/dabd27dcf3e5a3ef3c2b89c480a1c69c10bb1f9b2b53614c5e5d45026a175f64?environmentId=100
Contacted Hosts
123.232.111.58
91.210.80.80
85.143.213.71
91.203.5.176
176.112.219.101
194.67.215.228
52.34.245.108
52.222.157.179
___

Fake 'Card Receipt' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/spoofed-aquaid-card-receipt-malspm-delivers-locky-osiris/
7 Dec 2016 - "An email spoofing Aquaid with the subject of 'Card Receipt' coming from random senders with a malicious word doc attachment delivers Locky Osiris...

Screenshot: https://i1.wp.com/myonlinesecurity.co.uk/wp-content/uploads/2016/12/card-receipt-spoofed-aquaid.png?resize=1024%2C673&ssl=1

7 December 2016: CARD547 8914860.docm - Current Virus total detections 12/56*
MALWR** shows a download of an encrypted file from http ://unilite .ro/hfycn33 which is converted by the script to spircent1.mda (Payload Security ***) (virusTotal 10/54[4]). Locky has recently started to use non standard file extensions on the binaries. Sometimes they are numbers like 342, 343, 552 or sometimes tdb or .zk. All of these are actually DLL files that rundll32.exe will run via the macro or VBS/JS/WSF scripting file telling it what to do... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/7c2122fabf2336ff47b075e6686c688eac30933c5aed813a42c5e8b8c3918284/analysis/1481104682/

** https://malwr.com/analysis/ZGIzNTQ1ZmYzNjM2NDdhNmJmYjNhN2E3NWNlODEwYWM/
Hosts
188.213.21.75
91.142.90.46
213.32.66.16

*** https://www.hybrid-analysis.com/sample/7c2122fabf2336ff47b075e6686c688eac30933c5aed813a42c5e8b8c3918284?environmentId=100
Contacted Hosts
188.213.21.75
91.142.90.46
88.214.236.182
213.32.66.16
52.42.26.69
52.222.157.29
52.35.54.251

4] https://www.virustotal.com/en/file/cc7881da1ff9fd1f96a20abe9689adef39a7a05e07f7678cdffee4ad3b9fc7dc/analysis/1481105595/
___

Stegano EK hiding in pixels of malicious ads
- http://www.welivesecurity.com/2016/12/06/readers-popular-websites-targeted-stealthy-stegano-exploit-kit-hiding-pixels-malicious-ads/
Dec 6, 2016 - "Millions of readers who visited popular news websites have been targeted by a series of malicious ads -redirecting- to an exploit kit exploiting several -Flash- vulnerabilities. Since at least the beginning of October, users might have encountered ads promoting applications calling themselves 'Browser Defence' and 'Broxu' using banners similar to the ones below:
1] http://www.welivesecurity.com/wp-content/uploads/2016/12/1-xlch3.png
...
2] http://www.welivesecurity.com/wp-content/uploads/2016/12/2-y0vbp.png
These advertisement banners were stored on a remote domain with the URL hxxps ://browser-defence .com and hxxps ://broxu .com. Without requiring any user interaction, the initial script reports information about the victim’s machine to the attacker’s remote server. Based on server-side logic, the target is then served either a clean image or its almost imperceptibly modified malicious evil twin. The malicious version of the graphic has a script encoded in its alpha channel, which defines the transparency of each pixel... After successful redirection, the landing page checks the userAgent looking for Internet Explorer, loads a Flash file, and sets the FlashVars parameters via an encrypted JSON file. The landing page also serves as a middleman for the Flash and the server via ExternalInterface and provides basic encryption and decryption functions. The Flash file has another Flash file embedded inside and, similarly to the -Neutrino- exploit kit, it comes with three different exploits based on the Flash version... Conclusion: The Stegano exploit kit has been trying to fly under the radar since at least 2014. Its authors have put quite some effort into implementing several techniques to achieve self-concealment. In one of the most recent campaigns we detected, which we traced back at least to the beginning of October 2016, they had been distributing the kit through advertisement banners using steganography and performing several checks to confirm that they were not being monitored. In the event of successful exploitation, the vulnerable victims’ systems had been left exposed to -further- compromise by various malicious payloads including backdoors, spyware and banking Trojans. Exploitation by the Stegano kit, or any other known exploit kit for that matter, can often be avoided by running fully patched software and by using a reliable, updated internet security solution..."
(More detail at the welivesecurity/ESET URL above.)

browser-defence .com: Could not find an IP address for this domain name...

broxu .com: 162.255.119.66: https://www.virustotal.com/en/ip-address/162.255.119.66/information/
>> https://www.virustotal.com/en/url/a939bc5be6fc51af443f5776bd849965f5347367a1f65419b5cddeb95f9ee098/analysis/
___

AdGholas malvertising ...
- https://blog.malwarebytes.com/cybercrime/exploits/2016/12/adgholas-malvertising-business-as-usual/
Dec 6, 2016 - "... A group identified as AdGholas* by Proofpoint which has been involved in the stealthiest attacks we have seen in recent history, was caught again and exposed by Eset**... The last bit of activity from AdGholas after the Proofpoint exposé was July 20th of this year. However, according to our telemetry, less than two months later the group was back at it with some of the -largest- malvertising attacks we have ever documented... The interesting aspect about this malvertising campaign is that the US was -not- one of the targets. Instead we saw Canada, the UK, Australia, Spain, Italy, and Switzerland as the most active geolocations. We observed most attacks happen in Canada and the UK as seen below on this heat map:
> https://blog.malwarebytes.com/wp-content/uploads/2016/12/heatmap.png
Despite not targeting the US, the latest AdGholas campaign has once again reached epic proportions and unsuspecting users visiting top trusted portals like Yahoo or MSN (not to mention many top level publishers) were exposed to malvertising and malware if they were not protected..."
* https://www.proofpoint.com/us/threat-insight/post/massive-adgholas-malvertising-campaigns-use-steganography-and-file-whitelisting-to-hide-in-plain-sight

** http://www.welivesecurity.com/2016/12/06/readers-popular-websites-targeted-stealthy-stegano-exploit-kit-hiding-pixels-malicious-ads/

:fear::fear: :mad:

AplusWebMaster
2016-12-08, 14:11
FYI...

Fake 'Emailing' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/emailing-mx62edo-08-12-2016-documents-your-own-email-address/
8 Dec 2016 - "An email with the subject of 'Emailing: MX62EDO 08.12.2016' pretending to come from documents@ your-own-email-address with a malicious word doc delivers Locky Osiris... The email looks like:
From: documents@ thespykiller .co.uk
Date: Thu 08/12/2016 10:05
Subject: Emailing: MX62EDO 08.12.2016
Attachment:
Your message is ready to be sent with the following file or link
attachments:
MX62EDO 08.12.2016
Note: To protect against computer viruses, e-mail programs may prevent
sending or receiving certain types of file attachments. Check your e-mail
security settings to determine how attachments are handled.
This email has been checked for viruses by Avast antivirus software...

8 December 2016: MX62EDO 08.12.2016.docm - Current Virus total detections 10/54*
MALWR** shows a download of an encrypted file from http ://netfun .be/hb74 which is converted by the script to clsooach1.feds (VirusTotal 11/56***). Payload Security[4]. Locky has recently started to use non standard file extensions on the binaries. Sometimes they are numbers like 342, 343, 552 or sometimes tdb or .zk. All of these are actually DLL files that rundll32.exe will run via the macro or VBS/JS/WSF scripting file telling it what to do... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/4cefb793010150a0c217ca7eb3410a70221e11c6ba7cb094c8d0bf743bc3bb79/analysis/1481192959/

** https://malwr.com/analysis/NmZhYjk5MjIyNzUwNDQ1ZTk0MTRkZWJkODUyYTU2NzU/
Hosts
81.4.68.175
176.121.14.95

*** https://www.virustotal.com/en/file/d8bb07cade0050f0daab6d2d31be7de375c5b01f0c3ee243e002d1f79026e3f3/analysis/1481193005/

4] https://www.hybrid-analysis.com/sample/011ad4aeaa6bcdb5327f0a0c44429dfd062bef3708e5f273c6053dc974926f78?environmentId=100
Contacted Hosts
188.93.230.41
185.127.24.247
213.32.66.16
91.142.90.46
176.121.14.95
52.42.26.69
52.222.157.29
___

Fake 'Order' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/more-random-orders-with-long-random-reference-number-malspam-delivers-locky/
8 Dec 2016 - "... an email with the subject of 'Order #0850834' (random numbers) coming or pretending to come from random companies, names and email addresses with a semi-random named zip attachment matching the subject line which delivers Locky ransomware... One of the emails looks like:
From: Latoya Byrd <Byrd.Latoya@ flceo .com>
Date: Thu 08/12/2016 11:29
Subject: Order #0850834
Attachment: order-0850834.zip
Hello ard, your order #0850834 ...
Sending you the receipt. Please pay it prior to next week.
The receipt is in the attachment.
Best Wishes,
Latoya Byrd
Delivery Manager

8 December 2016: order-0850834.zip: Extracts to: ~5Z36TWQXK9014CO228K8V0C.js
Current Virus total detections 6/55*. MALWR** shows a download of an encrypted file from
http ://file4hosti .info/ne92o1u which is converted by the script to 7JpjNVpwmyeHv.zk (VirusTotal 4/53***).
Payload Security[4]. Locky has recently started to use non standard file extensions on the binaries. Sometimes they are numbers like 342, 343, 552 or sometimes tdb or .zk. All of these are actually DLL files that rundll32.exe will run via the macro or VBS/JS/WSF scripting file telling it what to do... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/144de00c3ac9373089eb01ed192bb412008bf3300941deb6f72a5fe4caf0a767/analysis/1481196535/

** https://malwr.com/analysis/YTMwODJkZWJmMWZmNGQ3NmExMTQ4NTUxMjVjODQ0ZWY/
Hosts
107.172.55.203

*** https://www.virustotal.com/en/file/f4852ae6a9d4b68090d04999ce90410ad1872ca7fb062f236a37d33ecda41db7/analysis/1481197588/

4] https://www.hybrid-analysis.com/sample/144de00c3ac9373089eb01ed192bb412008bf3300941deb6f72a5fe4caf0a767?environmentId=100
Contacted Hosts
104.168.87.215
107.172.55.203
178.159.42.248
185.46.11.236
52.34.245.108
52.32.150.180
35.160.111.237
91.198.174.192
91.198.174.208
54.239.168.21
___

Fake 'Scan' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/scan-from-a-samsung-mfp-malspam-delivers-locky-osiris/
8 Dec 2016 - "... an email with the subject of 'Scan' from a Samsung MFP coming or pretending to come from random companies, names and email addresses with a semi-random named zip attachment in the format of Untitled_date_random numbers.zip which delivers Locky ransomware... One of the emails looks like:
From: GARRY MENZIES <garry.menzies.1825@ pricemarketresearch .com>
Date: Wed 07/12/2016 21:41
Subject: Travel expense sheet
Attachment: Untitled_07122016_46160.zip
Regards
Garry
Please open the attached document. It was scanned and sent to you using a
Samsung MFP. For more information on Samsung products and solutions, please
visit ...
This message has been scanned for malware by Websense...

8 December 2016: Untitled_07122016_46160.zip: Extracts to: N396390423.jse - Current Virus total detections 19/55*
MALWR** shows a download of an encrypted file from http ://raivel .pt/45gdfgf?SEOtErERwE=yLVujYkT which is converted by the script to XtPmJmcsvIP1.dll (VirusTotal 24/56***). Payload Security[4]. Locky has recently started to use non standard file extensions on the binaries... DLL files... rundll32.exe will run via the macro or VBS/JS/WSF scripting file telling it what to do... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/011ad4aeaa6bcdb5327f0a0c44429dfd062bef3708e5f273c6053dc974926f78/analysis/1481168279/

** https://malwr.com/analysis/YTE5NDM2Yjc0MzNkNGQ4M2IyYTU5MzQ0YTM3YThkMjY/
Hosts
188.93.230.41
91.142.90.46

*** https://www.virustotal.com/en/file/1c950172857b52c45d8a480acd3d14b5cc1877acf0bef9aaad55ff73990fe217/analysis/

4] https://www.hybrid-analysis.com/sample/011ad4aeaa6bcdb5327f0a0c44429dfd062bef3708e5f273c6053dc974926f78?environmentId=100
Contacted Hosts
188.93.230.41
185.127.24.247
213.32.66.16
91.142.90.46
176.121.14.95
52.42.26.69
52.222.157.29
___

Tax refund - phish
- https://myonlinesecurity.co.uk/tax-refund-overpayment-33216-dvla-vehicle-licensing-agency-phishing/
8 Dec 2016 - "... DVLA Vehicle Licensing Agency phishing email trying to get your information...

Screenshot: https://i2.wp.com/myonlinesecurity.co.uk/wp-content/uploads/2016/12/vehicle-licencing-agency-phishing-email.png?resize=1024%2C712&ssl=1

If you follow the links you end up on an identical copy of the gov .uk site asking for usual identity and financial details:
> https://i1.wp.com/myonlinesecurity.co.uk/wp-content/uploads/2016/12/fake-gov_uk_vehicle-tax-refund-site.png?resize=1024%2C533&ssl=1
Phishing sites so far discovered include (email links go to a site which -redirects- you to other sites):
- https ://cissdemexico .com/.2DriverLicence2ADM2/2y2Driving2e2Licences2acc2/24w823w82Driving2w25and22w2Transport2w826w2gov28uk25/23Lega2r28obligations62Apply2refund2x82driving24/Refund.php
- https ://chadena .com/.cha/
- https ://fyfe-interiors .com/.lol/
- https ://partnersinsharing .com/.124DL828ADM825/2384x48390Driving9019x319Licences0638cbd419/7836Lega523x92148obligations639Apply915x3420/517x9427c481Driving827x5and32v0417Transport71x5638x319gov31uk24/Refund "

cissdemexico .com: 162.211.127.202: https://www.virustotal.com/en/ip-address/162.211.127.202/information/

chadena .com: 109.163.208.100: https://www.virustotal.com/en/ip-address/109.163.208.100/information/

fyfe-interiors .com: 202.129.244.101: https://www.virustotal.com/en/ip-address/202.129.244.101/information/

partnersinsharing .com: 69.16.221.200: https://www.virustotal.com/en/ip-address/69.16.221.200/information/

:fear::fear: :mad:

AplusWebMaster
2016-12-09, 12:03
FYI...

Fake 'Firewall Software' SPAM - leads to Locky
- http://blog.dynamoo.com/2016/12/malware-spam-firewall-software-leads-to.html
9 Dec 2016 - "This spam appears to come from multiple senders and leads to Locky ransomware:
From: Herman Middleton
Date: 9 December 2016 at 07:40
Subject: Firewall Software
Hey [redacted], it is Herman. You've asked me to order new firewall software for our office computers.
Done and ready. Here, in the attachment, is the full invoice of the software counteragent.
Please check it out.
King Regards,
Herman Middleton
IT Support Manager

Attached is a ZIP file with a name like f_license_5330349.zip which contains a randomly named .js script which is very highly obfuscated. The Hybrid Analysis* and Malwr report** show that the script analysed downloads a component from welte .pl/mupze (there will probably be dozens of other locations) and appears to drop a DLL with a detection rate of 4/56***. That Hybrid Analysis also detections C2 traffic to:
107.181.187.97 /checkupdate [hostname: saluk1.example .com] (Total Server Solutions, US)
51.254.141.213 /checkupdate (OVH, France)
It's worth mentioning perhaps that other Locky C2 servers seen in the past 12 hours are as follows:
91.142.90.46 /checkupdate [hostname: mrn46.powerfulsecurities .com] (Miran, Russia)
195.123.209.23 /checkupdate [hostame: prujio .com] (Layer6, Latvia)
185.127.24.247 /checkupdate [hostname: free.example .com] (Informtehtrans, Russia)
176.121.14.95 /checkupdate (Rinet LLC, Ukraine)
185.46.11.236 /checkupdate (Agava, Russia)
178.159.42.248 /checkupdate (Dunaevskiy Denis Leonidovich / Zomro, Ukraine)
Although some of these are from different sub-groups of Locky pushers, let's stick them all together for the sake of convenience. Note that there are at least a couple of bad /24 blocks in there.
Recommended blocklist:
51.254.141.213
91.142.90.46
107.181.187.97
176.121.14.95
178.159.42.248
185.46.11.0/24
185.127.24.247
195.123.209.0/24 "
* https://www.hybrid-analysis.com/sample/644a6ad0e135aa185f2b4d822509ff56cb262a6e1d0b3e1b3df4e524e4992f90?environmentId=100
Contacted Hosts
79.96.68.245
107.181.187.97
178.159.42.248
51.254.141.213
54.239.168.239
91.198.174.192
91.198.174.208

** https://malwr.com/analysis/ZGI2MDNlZTU4NDMzNDBlMGIyZDA0ZjQ1MmM2ODI0MTQ/
Hosts
79.96.68.245

*** https://virustotal.com/en/file/fb5cd48d7ea8fa3b8f3ac57a54f8f6fd4c5eee736f45dd139fbea13ab1d1597f/analysis/1481273887/

- https://myonlinesecurity.co.uk/firewall-software-malspam-delivers-locky/
9 Dec 2016 - "... an email with the subject of 'Firewall Software' coming or pretending to come from random companies, names and email addresses with a semi-random named zip attachment in the format of f_license_numbers.zip which delivers Locky ransomware... One of the emails looks like:
From: Curtis Jarvis <Jarvis.Curtis@ irishcitytours .com>
Date: Fri 09/12/2016 07:22
Subject: Firewall Software
Attachment: f_license_5875331.zip
Hey emis2000, it is Curtis. You’ve asked me to order new firewall software for our office computers.
Done and ready. Here, in the attachment, is the full invoice of the software counteragent.
Please check it out.
King Regards,
Curtis Jarvis
IT Support Manager

9 December 2016: f_license_5875331.zip: Extracts to: ~S911UGV716O1J3CSTB471C.js
Current Virus total detections 16/55*. MALWR** shows a download of an encrypted file from
http ://www .pgringette .ca/a8crrwrc2t which is converted by the script to z7dWO4eQFUHRtg.zk (VirusTotal 4/57***). Locky has recently started to use non standard file extensions on the binaries. Sometimes they are numbers like 342, 343, 552 or sometimes tdb or .zk. All of these are actually DLL files that rundll32.exe will run via the macro or VBS/JS/WSF scripting file telling it what to do... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/794dcfdcc1362140eee6fcda11ddf239ab048a965bba634bb787321db9672cfa/analysis/1480616575/

** https://malwr.com/analysis/NWE4MjY5YmYzZmE3NGI2ZDlmOTg3MjEwMDhkMTFmYmM/
Hosts
69.28.199.160

*** https://www.virustotal.com/en/file/69000324d66a27e93a8a5969534047d799c6ee5cca2790beed1d02b2c1307394/analysis/1481268678/
___

Fake 'See attached' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/spoofed-business-advisory-service-ltd-see-attached-i-will-call-you-in-10-mins-malspam-delivers-locky/
9 Dec 2016 - "An email spoofing the Business Advisory Service Ltd with the subject of 'See attached – I will call you in 10 mins' (random times) with a malicious Excel XLS spreadsheet attachment delivers Locky Osiris ransomware...

Screenshot: https://i1.wp.com/myonlinesecurity.co.uk/wp-content/uploads/2016/12/spoofed-business-advisory-service-malspam-email.png?resize=1024%2C547&ssl=1

9 December 2016: Invoice_392618_final.xlsm - Current Virus total detections *
MALWR** shows a download of an encrypted file from http ://djelixir .com/34f43 which is converted by the script to XtPmJmcsvIP1.dll (VirusTotal 10/56***). Payload Security [4]... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
*

** https://malwr.com/analysis/MDdmOWU2YTUxYjIzNDY1ZjhjOGU0OTU2NDA1NmNmYjk/
Hosts
108.174.153.189
185.102.136.67

*** https://www.virustotal.com/en/file/1267e22c9a1d996e2a03a1a39c061030f435edb59b4224b6557975dbcc96633f/analysis/1481278691/

4] https://www.hybrid-analysis.com/sample/c76072327b2d5345eced7309b330558474186e6fc40e864498e885a9d4a486d3?environmentId=100
Contacted Hosts
108.174.153.189
185.102.136.67
176.121.14.95
31.202.128.199
52.34.245.108
54.239.168.194
___

Another 'Apple phish' ...
- https://myonlinesecurity.co.uk/your-account-information-had-been-changed-apple-phishing/
9 Dec 2016 - "... mass Apple phish today, telling you that you have added ghost00@ hotmail .com as a new rescue email address for your Apple ID and you need to verify it... received about 200 so far this morning, some of which are getting past spam filters...

Screenshot: https://i0.wp.com/myonlinesecurity.co.uk/wp-content/uploads/2016/12/ghost00_at_hotmail_apple-phish.png?resize=1024%2C588&ssl=1

The links in the body go to:
http ://opelpart .hu/media/system/swf/o.html
which -redirects- to numerous sites including:
http ://ushindicounselling .ca/winter/Itunes/apple/
http ://volleyballsaskatoon .ca/winter/Itunes/apple/
... There will no doubt be lots of other sites active in this phishing campaign... follow-the-link [DON'T] you see a webpage looking like this screenshot (taken form a previous example):
> https://i1.wp.com/myonlinesecurity.co.uk/wp-content/uploads/2016/11/29_11_2016_apple_phish_website.png?resize=1024%2C565&ssl=1 "

opelpart .hu: 87.229.45.133: https://www.virustotal.com/en/ip-address/87.229.45.133/information/
ushindicounselling .ca: 67.212.91.221
volleyballsaskatoon .ca: 67.212.91.221: https://www.virustotal.com/en/ip-address/67.212.91.221/information/
___

Phish in-the-cloud ...
- http://www.darkreading.com/endpoint/phishing-services-reap-twice-the-profit-for-attackers/d/d-id/1327673
Dec 8, 2016 - "Everything else has gone to the cloud, so why not faux emails* and their malicious payloads?... phishing emails have become a way to infect desktops and servers with ransomware, which infosec professionals continually cite as their biggest ongoing concern and defense priority..."
* http://blog.imperva.com/2016/12/can-the-phishing-menace-be-reined-in.html
Dec 6, 2016 - "Phishing is the starting point for most data breaches... cybercriminals are lowering the cost of phishing by enabling Phishing as-a-Service (PhaaS) using compromised web servers..."
> http://imperva.typepad.com/.a/6a01156f8c7ad8970c01b8d2432c51970c-800wi
___

400,000 phishing sites - every month in 2016
- https://www.helpnetsecurity.com/2016/12/07/phishing-sites-observed-2016/
Dec 7, 2016 - "84 percent of phishing sites observed in 2016 existed for less than 24 hours, with an average life cycle of under 15 hours... data collected by Webroot*:
> https://www.helpnetsecurity.com/images/posts/phishing-122016-1.jpg "

* https://www.webroot.com/blog/2016/12/07/all-phishing-scams-want-for-christmas/
Dec 7, 2016 - "... Webroot has observed an average of over 400,000 phishing sites each month... Google, PayPal, Yahoo, and Apple are heavily targeted for attacks. Cybercriminals know to impersonate sites that people trust and use regularly... Google was impersonated in 21 percent of -all- phishing sites between January and September 2016, making it the most heavily targeted. Emails to avoid:
With the holiday season in full swing and the New Year fast approaching, hackers are up to their old tricks... we should all be wary of emails containing UPS, USPS, and FedEx shipping alerts; 401k/benefit enrollment notices; and miscellaneous tax documents from now through the end of January..."

:fear::fear: :mad:

AplusWebMaster
2016-12-12, 15:23
FYI...

Fake 'Invoice' SPAM - leads to Locky
- http://blog.dynamoo.com/2016/12/malwares-spam-invoice-number-947781.html
12 Dec 2016 - "This fake financial spam comes from -multiple- senders and leads to Locky ransomware:
From: AUTUMN RHINES
Date: 12 December 2016 at 10:40
Subject: Invoice number: 947781
Please find attached a copy of your invoice...

The name of the sender varies, as does the fake invoice number. Attached is a .DOCM file with a filename matching that invoice number. Typical detection rates for the DOCM file are 13/56*. Automated analysis of a couple of these files [1] [2]... show the macro downloading a component from miel-maroc.com/874ghv3 (there are probably many more locations). A DLL is dropped with a current detection rate of 11/57**. All those analyses indicate that this is Locky ransomware (Osiris variant), phoning home to:
176.121.14.95 /checkupdate (Rinet LLC, Ukraine)
88.214.236.218 /checkupdate (Overoptic Systems, UK / Russia)
91.219.31.14 /checkupdate (FLP Kochenov Aleksej Vladislavovich aka uadomen .com, Ukraine)
Recommended blocklist:
176.121.14.95
88.214.236.218
91.219.31.14 "
* https://virustotal.com/en/file/3ce3acb5e680d657c42242e58b37633d78e70b112e1d8b5decace3b7d0077759/analysis/

1] https://malwr.com/analysis/NzVmODQ1N2U3NzllNGM5NDk5ZTE0YmUwMTkwNDM5Y2U/
Hosts
5.153.23.8
176.121.14.95
88.214.236.218
91.219.31.14

2] https://malwr.com/analysis/YzViZjg5ZTVkM2EwNDVmMGEyOGQyNTE4MWU3NzMxMjA/
Hosts
5.153.23.8
176.121.14.95
91.219.31.14

** https://virustotal.com/en/file/9efdf2d7cffefebbc550cb5a1f8c7b06551cec8821fcce12c7a704718a3643df/analysis/
___

Fake 'New(910)' SPAM - leads to Locky
- http://blog.dynamoo.com/2016/12/malware-spam-new910-leads-to-locky.html
12 Dec 2016 - "This spam leads to Locky ransomware:
From: Savannah [Savannah807@ victimdomain .tld]
Reply-To: Savannah [Savannah807@ victimdomain .tld]
Date: 12 December 2016 at 09:50
Subject: New(910)
Scanned by CamScanner
Sent from Yahoo Mail on Android

The spam appears to come from a sender within the victim's-own-domain, but this is just a simple forgery. The attachment name is a .DOCM file matching the name in the subject. Automated analysis [1] [2] indicates that it works in a similar way to this other Locky ransomware run today*."
1] https://malwr.com/analysis/ODYwMGRjMDA3OTEzNDY0Zjk5YWJhYzQ5YjQwMDJhMGU/
Hosts
208.113.172.228
176.121.14.95

2] https://www.hybrid-analysis.com/sample/3b2ffc32ebc6d1eeb2572db216aeb70daa10522df4c66f2dae5fa56b8468318e?environmentId=100
Contacted Hosts
208.113.172.228
91.219.31.14
35.163.57.6
52.222.171.57
35.160.111.237

* http://blog.dynamoo.com/2016/12/malwares-spam-invoice-number-947781.html
___

Fake 'Software License' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/software-license-malspam-delivers-locky/
12 Dec 2016 - "... an email with the subject of 'Software License' coming or pretending to come from random companies, names and email addresses with a semi-random named zip attachment in the format of softlic_0600353.zip which delivers Locky ransomware... One of the emails looks like:
From: Deloris Santos <Santos.Deloris@ terebinthtreeportraits .com>
Date: Mon 12/12/2016 09:59
Subject: Software License
Attachment: softlic_0600353.zip
Hello scans, it is Deloris.
Sending you the scan of the software license agreement (Order #0600353).
It is in the attachment. Please look into it ASAP.
Best Regards,
Deloris Santos

12 December 2016: softlic_0600353.zip: ~50Y70PZ821IW1H6QS6R5K4P.wsf - Current Virus total detections 5/55*
Racco42** has posted a list of found download sites on pastebin***... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/14d6c9c9b65ff7f85d8f704da5fe1027ec168cb4b9861cd4cd959fa16cf010eb/analysis/1481540340/

** https://twitter.com/Racco42/status/808280355895529473

*** http://pastebin.com/cCeYpZsd
... C2:
POST http ://185.46.11.236/ checkupdate
POST http ://91.200.14.109/ checkupdate
POST http ://93.170.104.23 /checkupdate
POST http ://95.213.224.117 /checkupdate

185.46.11.236: https://www.virustotal.com/en/ip-address/185.46.11.236/information/ - RU
91.200.14.109: https://www.virustotal.com/en/ip-address/91.200.14.109/information/ - UA
93.170.104.23: https://www.virustotal.com/en/ip-address/93.170.104.23/information/ - NL
95.213.224.117: https://www.virustotal.com/en/ip-address/95.213.224.117/information/ - RU
___

Fake 'Amazon Transactions' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/spoofed-amazon-transactions_report__by_users_from_2016-11-18_to_2016-11-20-delivers-locky-ransomware/
12 Dec 2016 - "Following on from the continual series of spoofed FedEx Locky downloaders detailed in this POST[1]... using the same method have changed to a very bad imitation of Amazon .co.uk with an email with the subject of 'Transactions_Report__by_users_from_2016-11-18_to_2016-11-20' pretending to come from EGCTechServer <nf@ ammaazon .co.uk> with a malicious word doc attachment continues to deliver Locky ransomware...
1] https://myonlinesecurity.co.uk/fedex-we-could-not-deliver-your-parcel-malspam-now-delivering-locky-ransomware/
9 Nov 2016

Screenhot: https://i2.wp.com/myonlinesecurity.co.uk/wp-content/uploads/2016/12/ammazon-locky-email.png?w=1254&ssl=1

12 December 2016: Your_requested_Report_is_attached_Here.doc - Current Virus total detections 20/56*
Payload Security** contacts http ://triumphantul .top/2/ldd.php (185.101.218.162)... which actually downloads
http ://triumphantul .top/2/565.exe (VirusTotal 4/57***) which is the same Locky version that they malspammed out on Sunday 11 Dec 2016... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/cb7936c00e747b6bd538dfa67f79a9f14094681b66fb07aee26780bb41f0fd0d/analysis/1481530568/

** https://www.hybrid-analysis.com/sample/8dba7ad1e4e8b7b93267caa5f43c254c535784c706f2b2d32ac9cc455be59d0e?environmentId=100

*** https://www.virustotal.com/en/file/cb7936c00e747b6bd538dfa67f79a9f14094681b66fb07aee26780bb41f0fd0d/analysis/1481450464/

185.101.218.162: https://www.virustotal.com/en/ip-address/185.101.218.162/information/
> https://www.virustotal.com/en/url/56708fdd19e90a15f2a77b7f39a4cc0560272e23820f738ef8ce6e2c29df9478/analysis/
> https://www.virustotal.com/en/url/eb79e55da8808da585526c71112bb6a96f3d742689376a7aa07007329bad496f/analysis/ | 2016-12-11
___

Fake 'Order' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/order-confirmation-81110319-hexstone-ltd-delivers-locky-ransomware/
12 Dec 2016 - "... an email -spoofing- Hexstone Ltd with the subject of 'Order Confirmation 81110319 Hexstone Ltd' (random numbers)... pretending to come from random companies, names and email addresses with a semi-random named zip attachment in the format of Ord81110319.dzip which delivers Locky ransomware... One of the emails looks like:
From: Leonor rede <Leonor6@ fiveoaks .com>
Date: Mon 12/12/2016 16:23
Subject: Order Confirmation 81110319 Hexstone Ltd
Attachment: Ord81110319.dzip
This message is intended only for the individual or entity to which it is
addressed and may contain information that is private and confidential. If
you are not the intended recipient, you are hereby notified that any
dissemination, distribution or copying of this communication and its
attachments is strictly prohibited.

12 December 2016: Ord81110319.dzip: Extracts to: Receipt(546).jse - Current Virus total detections 12/54*
Payload Security** shows a download of an encrypted file from
http ://indigenouspromotions .com.au /874ghv3?qSzzdCEa=EIWRey which is converted by the script to fQuANqFwqs1.dll (VirusTotal 16/56***)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/2a86c0068a71ebb186ec70fea38d9127c3210e3c67cc93178796a0e877ea35a1/analysis/1481560496/

** https://www.hybrid-analysis.com/sample/2a86c0068a71ebb186ec70fea38d9127c3210e3c67cc93178796a0e877ea35a1?environmentId=100
Contacted Hosts
111.67.22.192
176.121.14.95
52.32.150.180
54.239.168.239
52.35.54.251

*** https://www.virustotal.com/en/file/77be68d55cc051d234dd24b9305e832ebc49bc8160ddc415919946f39fc0b265/analysis/
...adaa.exe

:fear::fear: :mad:

AplusWebMaster
2016-12-13, 13:17
FYI...

Fake 'documents' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/total-gas-power-documents-malspam-delivers-locky/
13 Dec 2016 - "... an email with the subject of 'Total Gas & Power documents 0/5' (random numbers) pretending to come from totadonotreply@ netsend .biz with a semi-random named zip attachment in the format of 3000566547_invoice_139920043-09.zip which delivers Locky ransomware. The dates on the emails are 12 days old...

Screenshot: https://i0.wp.com/myonlinesecurity.co.uk/wp-content/uploads/2016/12/Total-Gas-Power-documents.png?w=1258&ssl=1

13 December 2016: 3000566547_invoice_139920043-09.zip: Extracts to: 3000566547_invoice_139920047-55.jse
Current Virus total detections 9/55*. MALWR** shows a download of an encrypted file from
http ://94.127.33.126 /knby545?bVoaEKQ=DtsfPK which is converted by the script to JWvpjx1.dll (VirusTotal 10/57***). Payload Security[4]... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/79d58e7b5b36334e1b4f2133ebbfd4811358a4ffe337dcd36bfc381e949db2f9/analysis/1481622006/

** https://malwr.com/analysis/MDgyOTYxNDdkYmQ2NDczMDkxMTc1N2M0NWQ4NDE5M2Y/
Hosts
94.127.33.126
176.121.14.95

*** https://www.virustotal.com/en/file/8a492eb139583abeb518e321bee2368cb9fc702898a40996ef61b931a563fdac/analysis/1481622948/

4] https://www.hybrid-analysis.com/sample/79d58e7b5b36334e1b4f2133ebbfd4811358a4ffe337dcd36bfc381e949db2f9?environmentId=100
Contacted Hosts
94.127.33.126
109.234.34.212
52.39.24.163
35.160.111.237
___

Fake 'Intuit invoice' SPAM - delivers Dridex
- https://myonlinesecurity.co.uk/spoofed-quickbooks-intuit-invoice-from-random-companies-delivers-dridex-banking-trojan/
13 Dec 2016 - "... an email -spoofing- Intuit/QuickBooks with the subject of 'Invoice 00341 from Gas Safety Plus' (random numbers and random companies) pretending to come from the random company in subject line <notification@ global-intuit .com> with zip attachment which delivers Dridex banking Trojan... All the ones I have seen seem to be actually coming from various IP numbers on the OVH SAS network using fake, spoofed or newly registered domain identifications:
193.70.50.59
193.70.117.190
176.31.130.77
176.31.130.74
51.254.63.185
91.121.114.211
92.222.182.70
94.23.58.107 ...
Some of the subject lines & companies include:
Invoice 00476 from Gaswise (Lincoln) Ltd
Invoice 00845 from Moss Florist
Invoice 00668 from Linda Leary Estate Agents
Invoice 00475 from Urban Merchants, Your Fine Food Supplier
Invoice 00969 from Ballon Wise ...
One of the emails looks like:
From: Gas Safety Plus <notification@ global-intuit .com>
Date: Thu 01/09/2016 19:22
Subject: Invoice 00341 from Gas Safety Plus
Attachment: link-in-email body
Gas Safety Plus
Invoice 00341
Due date 14/12/2016
Balance due 335.00
View invoice
Dear Customer, Here’s your invoice. We appereciate your prompt payment. Thank’s for your business! Gas Safety Plus
Intuit. Inc. All right reserved...


13 December 2016: Invoice.zip: Extracts to: Invoice.js - Current Virus total detections 16/55*.
MALWR** shows a download from http ://195.238.172.213 /~iceskate/images/manual.pdf which is -not- a pdf but a renamed .exe file It gets renamed by the script to PPqFp2Bl32.exe and autorun (VirusTotal 9/57***). Payload Security[4]...
The -links- in the email body goes to a hacked/compromised fraudulently set up sharepoint address:
“https ://telstrastorecorio-my.sharepoint .com/personal/rebecca_telstrashopcorio_com_au/_layouts/15/guestaccess.aspx?guestaccesstoken=nlZdrO0WUpP2BvOovx5%2bkQFaMQk87jAFOPGDI79ApoA%3d&docid=0508e7d01f6e144528e3b4e23521272d1&rev=1”
... Never just blindly click on the link/file in your email..."
* https://www.virustotal.com/en/file/794dcfdcc1362140eee6fcda11ddf239ab048a965bba634bb787321db9672cfa/analysis/1480616575/

** https://malwr.com/analysis/NGI1NDAyODY1ZDZlNDU2YjhmZWEwOGNiYTZkZTlhMjM/
Hosts
188.165.230.126
195.238.172.213

*** https://www.virustotal.com/en/file/4d2d9035c4169edbade6e9a05c64e2d015a0dcb088c6f2559c733907ab34f804/analysis/1481626327/

4] https://www.hybrid-analysis.com/sample/4d2d9035c4169edbade6e9a05c64e2d015a0dcb088c6f2559c733907ab34f804?environmentId=100
Contacted Hosts
82.196.5.27
109.74.9.119
192.188.58.163

telstrastorecorio-my.sharepoint .com: 104.146.164.28: https://www.virustotal.com/en/ip-address/104.146.164.28/information/
___

Fake 'fax' SPAM - leads to malware
- https://myonlinesecurity.co.uk/blank-email-fax-copia-spoofing-fax-vodafone-es-malspam-delivers-unknown-malware/
13 Dec 2016 - "... a -blank- email with the subject of 'fax copia' coming or pretending to come from 910663334@ fax.vodafone .es with a semi-random named zip attachment in the format of 201612130917585473299351.zip
(which is date_randomnumbers.zip) which delivers... Sharik Trojan... Other subjects include:
Confirmacion
datos ...
One of the emails looks like:
From: from910663334@ fax.vodafone .es
Date: Tue 13/12/2016 08:47shows
Subject: fax copia
Attachment: 201612130917585473299351.zip

Body content: totally empty/blank

13 December 2016: 201612130917585473299351.zip: Extracts to: 201612130913339837772661.pdf.exe
Current Virus total detections 6/56*. Payload Security** shows several connections which confirms Sharik...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/9a199ea196bb99da6b69cac7a55487337b8cdc5b478074c373468bba3b9a9cee/analysis/1481619230/

** https://www.hybrid-analysis.com/sample/9a199ea196bb99da6b69cac7a55487337b8cdc5b478074c373468bba3b9a9cee?environmentId=100
Contacted Hosts
146.0.72.73
172.227.109.213
___

Fake 'picture' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/a-picture-for-you-malspam-delivers-locky-ransomware/
13 Dec 2016 - "... an email with the subject of 'a picture for you' coming or pretending to come from random companies, names and email addresses with a semi-random named zip attachment in the format of 2016-12-1640.zip which delivers Locky ransomware. other subjects in this malspam run include:
a image for you
a photos for you ...
One of the emails looks like:
From: Delia <Delia.6@ mountainbikecup .dk>
Date: Tue 13/12/2016 15:22
Subject: a picture for you
Attachment: 2016-12-1640.zip
resized

13 December 2016:2016-12-1640.zip: Extracts to: 2016-12-14473.jse - Current Virus total detections 11/50*
MALWR** shows a download of an encrypted file from http ://jrgolfbuddy .com/knby545?MoxfoYUn=neDsPVdRB which is converted by the script to GDJpPJ1.dll (VirusTotal 9/56***). Payload Security[4]. C2 http ://176.121.14.95 /checkupdate
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/f8ff859fd63911a640d6fd57232e453bd55a6c0fb36e68c88e092754dc68908b/analysis/1481643767/

** https://malwr.com/analysis/MzgwN2M0ZmZjZDZiNDVmMGE5ZTczYzQyMWYwYmQ4ZWQ/
Hosts
192.185.225.117
176.121.14.95

*** https://www.virustotal.com/en/file/fd33604dd1a4ccc3a3779b5769f5fbb58754a1f9152a72323ca6ebdc5d8d98b9/analysis/1481643297/

4] https://www.hybrid-analysis.com/sample/f8ff859fd63911a640d6fd57232e453bd55a6c0fb36e68c88e092754dc68908b?environmentId=100
Contacted Hosts
192.185.225.117
176.121.14.95
35.163.57.6
52.85.184.150
35.160.111.237
___

Fake 'Fixed invoices' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/fixed-invoices-malspam-delivers-locky/
13 Dec 2016 - "... an email with the subject of 'Fixed invoices'... pretending to come from random companies, names and email addresses with a semi-random named zip attachment in the format of inv4665150.zip which delivers Locky ransomware... One of the emails looks like:
From: Julia Weiss <Weiss.Julia@ interfacialsolutions .com>
Date: Tue 13/12/2016 20:28
Subject: Fixed invoices
Attachment: inv4665150.zip
Dear [redacted],
Sorry for mistakes in the invoice. The number is 362, the amount came to $289.26.
Please check out the details in the attachment.
Best Regards,
Julia Weiss

13 December 2016: inv4665150.zip: Extracts to: ~_C4RM8B_~.wsf - Current Virus total detections 2/54*
... Payload Security**... does show locky ransomware and C2 sites... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/27d400086d315ff4ad5fc2840adaef210750436c772245c772a9f1c6536960c1/analysis/1481661940/

** https://www.hybrid-analysis.com/sample/27d400086d315ff4ad5fc2840adaef210750436c772245c772a9f1c6536960c1?environmentId=100
Contacted Hosts
104.168.87.215
54.187.5.20
213.32.113.203
52.34.245.108
52.35.54.251
91.198.174.192
91.198.174.208

:fear::fear: :mad:

AplusWebMaster
2016-12-14, 15:45
FYI...

Fake 'Confirmation' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/spoofed-kirklees-council-booking-confirmation-delivers-locky-ransomware/
14 Dec 2016 - "An email -spoofing- Kirklees Council with the subject of 'Booking Confirmation' pretending to come from random senders with a malicious word doc attachment delivers Locky ransomware... The email looks like:
From: jewell nethercote <jewell.nethercote@ luciafranca .com>
Date: Wed 14/12/2016 08:06
Subject: Booking Confirmation
Attachment: BookingConfirmation_331225_aberkinnuji@ thespykiller .co.uk.docm
Booking Confirmation
This email and any attachments are confidential. If you have received it in error – notify the sender immediately, delete it from your system, and do not use, copy or disclose the information in any way. Kirklees Council monitors all emails sent or received.

14 December 2016: BookingConfirmation_331225_aberkinnuji@ thespykiller .co.uk.docm
Current Virus total detections 13/56*. MALWR** shows a download of an encrypted file from
http ://eastoncorporatefinance .com/nbv364 which is converted by the script to sonmoga2.rudf (VirusTotal 7/57***). Payload Security[4]. Locky has recently started to use non standard file extensions on the binaries. Sometimes they are numbers like 342, 343, 552 or sometimes tdb or .zk. or any other 2, 3 or 4 character or number extension. All of these are actually DLL files that rundll32.exe will run via the macro or VBS/JS/WSF scripting file telling it what to do... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/d4ebc24ec04c625c03c98720785ff20f7daabea4ee90cdf571554090168583d9/analysis/1481706521/

** https://malwr.com/analysis/ZmQyMjMzYTkzMWU5NDIxZmI4YmVjZGJlNTBjYTEzYjY/
Hosts
217.160.231.206
176.121.14.95

*** https://www.virustotal.com/en/file/a9574969901055c2db26e0a9f63cde558d9b9be85f808bf3013888bc65cfd87b/analysis/1481706902/

4] https://www.hybrid-analysis.com/sample/d4ebc24ec04c625c03c98720785ff20f7daabea4ee90cdf571554090168583d9?environmentId=100
Contacted Hosts
217.160.231.206
176.121.14.95
185.117.72.105
52.34.245.108
52.85.184.150
35.160.111.237
___

Fake 'Certificate' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/parcel-certificate-malspam-delivers-locky-ransomware/
14 Dec 2016 - "... an email with the subject of 'Parcel Certificate' pretending to come from random companies, names and email addresses with a semi-random named zip attachment in the format of par_cert_5444211.zip which delivers Locky ransomware... One of the emails looks like:
From: Effie Bush <Bush.Effie@ adkime .com>
Date: Wed 14/12/2016 09:41
Subject: Parcel Certificate
Attachment: par_cert_5444211.zip
Dear hyperbolasmappera,
Please check the parcel certificate I am sending you in the attachment.
Order number is 477-F. Quite urgent, so please review it.
Best Regards,
Effie Bush

14 December 2016: par_cert_5444211.zip: Extracts to: ~_9UZONB_~.wsf - Current Virus total detections 3/54*
Payload Security** shows a download of an encrypted file from http ://ziskant .com/kqnioulnfj which is converted by the script to hIzFvc4Ek.zk (VirusTotal 4/56***). Locky has recently started to use non standard file extensions on the binaries. Sometimes they are numbers like 342, 343, 552 or sometimes .tdb or .zk or any other 2, 3 or 4 character or number extension. All of these are actually DLL files that rundll32.exe will run via the macro or VBS/JS/WSF scripting file telling it what to do... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/ec6dd032940fa6aaeba682fec6c529dedab9175411938cffc9fb4876b0628cf4/analysis/1481708404/

** https://www.hybrid-analysis.com/sample/ec6dd032940fa6aaeba682fec6c529dedab9175411938cffc9fb4876b0628cf4?environmentId=100
Contacted Hosts
62.210.89.38
185.129.148.56
86.110.117.155
213.32.113.203
35.160.111.237

*** https://www.virustotal.com/en/file/42fe0b795b7dc498f40914f66510fb934bf8341d67eda5444706fa47cbcf0dae/analysis/1481709795/
___

Fake 'e-fax' SPAM - delivers Trickbot
- https://myonlinesecurity.co.uk/spoofed-e-fax-message-delivers-trickbot-banking-trojan/
14 Dec 2016 - "An email with the subject of 'eFax message from +611300786102 – 4 page(s), Caller-ID: +611300786102' (random numbers) pretending to come from eFax <inbound@ efax .delivery> with a malicious word doc attachment delivers Trickbot banking Trojan...

Screenshot: https://i2.wp.com/myonlinesecurity.co.uk/wp-content/uploads/2016/12/spoofed-e-fax-email.png?w=1308&ssl=1

14 December 2016: InboundMessage.doc - Current Virus total detections 10/53*
Payload Security** shows a download from ‘http ://cendereci .com/dasphdasodasopjdaspjdasdasa.png’ which is -not- a png (image file) but -renamed- .exe (VirusTotal 41/57***)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/b6c03e2873f0094a4ee5efe8a431e6daa4bb5e3273c6ef376aaaf6618f1c6de3/analysis/1481698402/

** https://www.hybrid-analysis.com/sample/b6c03e2873f0094a4ee5efe8a431e6daa4bb5e3273c6ef376aaaf6618f1c6de3?environmentId=100
Contacted Hosts
85.159.66.172
23.21.228.240
36.37.176.6
202.5.50.55

*** https://www.virustotal.com/en/file/a162bb9219a09b302b90bc6f908e117e3fb2c722560336d378fd76a8f22f78f8/analysis/

:fear::fear: :mad:

AplusWebMaster
2016-12-15, 12:55
FYI...

Fake 'Amount Payable' SPAM - leads to Locky
- http://blog.dynamoo.com/2016/12/malware-spam-amount-payable-leads-to.html
15 Dec 2016 - "This -fake- financial spam leads to Locky ransomware:
From: Lynn Drake
Date: 15 December 2016 at 09:55
Subject: Amount Payable
Dear [redacted],
The amount payable has come to $38.29. All details are in the attachment.
Please open the file when possible.
Best Regards,
Lynn Drake

The name of the sender will vary, although the dollar amount seems consistent in all the samples I have seen. Attached is a file with a name similar to doc_6937209.zip which contains an apparently randomly-named script in a format similar to ~_ZJR8WZ_~.js... highly obfuscated script... Typical detection rates for the script are around 16/54*. There are many different scripts, downloading a component...
(Long list of domain-names at the dynamoo URL above.)
According to this Malwr analysis**, a DLL is dropped with a detection rate of 18/55***. This Hybrid Analysis[4] shows the Locky infection clearly and identifies some C2s, combining this with another source gives the following list of C2 servers:
86.110.117.155 /checkupdate (Rustelekom, Russia)
185.129.148.56 /checkupdate (MWTV, Latvia)
185.17.120.166 /checkupdate (Rustelekom, Russia)
MWTV is a known-bad-host, so I recommend blocking the entire /24.
Recommended blocklist:
86.110.117.155
185.129.148.0/24
185.17.120.166 "
* https://virustotal.com/en/file/bd0284afb6336c01532a17472028e191ff8905eb66473caec5d26104c56d07c7/analysis/1481796164/

** https://malwr.com/analysis/MzY2YzNhZGExZWFiNDdmODk2N2YwMjgxNzFiYTMxYjk/
Hosts
92.48.111.60

*** https://virustotal.com/en/file/d46baac92c34244c14f4b5e42c8c1c605807f5a32f1605bf21be8b10cd6d6099/analysis/1481796614/

4] https://www.hybrid-analysis.com/sample/bd0284afb6336c01532a17472028e191ff8905eb66473caec5d26104c56d07c7?environmentId=100
Contacted Hosts
92.48.111.60
185.129.148.56
86.110.117.155
52.42.26.69
52.85.184.67
52.35.54.251
___

Fake 'Order Receipt' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/more-order-receipt-malspam-delivers-locky-ransomware/
15 Dec 2016 - "... an email with the subject of 'Order Receipt' pretending to come from random companies, names and email addresses with a semi-random named zip attachment in the format which delivers Locky ransomware... One of the emails looks like:
From: Joshua Mooney <Mooney.Joshua@ ricket .net>
Date: Thu 15/12/2016 10:54
Subject: Order Receipt
Attachment: scan9022222.zip
Dear enrico,
Thank you for making your order in our store!
The payment receipt and crucial payment information are in the attached document.
King Regards,
Joshua Mooney
Sales Manager

15 December 2016: scan9022222.zip: Extracts to: ~_4RYT3KP_~.js - Current Virus total detections 6/54*
MALWR** shows a download of an encrypted file from http ://www.bds-1 .com/gfftte3uv which is converted by the script to RJJvCX8vggvNw4PW.zk (VirusTotal 4/56***). Payload Security[4]. Locky has recently started to use non standard file extensions on the binaries. Sometimes they are numbers like 342, 343, 552 or sometimes .tdb or .zk or any other 2, 3 or 4 character or number extension. All of these are actually DLL files that rundll32.exe will run via the macro or VBS/JS/WSF file telling it what to do... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/79ad91717809c863ce1c8c9012e88bfbd6090f0323d3778ffd05a43c11e78fe5/analysis/1481799202/

** https://malwr.com/analysis/NjUxOTUxM2QzYWZmNDgyOWFiYTBjYmY1YTYwZWZlNTA/
Hosts
64.71.33.107

*** https://www.virustotal.com/en/file/5eaa09a1692828877a42db04cb9b96d550632930c39dec9d5eabfef45f52d57d/analysis/1481804458/

4] https://www.hybrid-analysis.com/sample/79ad91717809c863ce1c8c9012e88bfbd6090f0323d3778ffd05a43c11e78fe5?environmentId=100
Contacted Hosts
64.71.33.107
185.17.120.166
185.129.148.56
178.209.51.223
52.42.26.69
52.85.184.195
35.160.111.237
91.198.174.192
91.198.174.208
___

One -billion- users affected - Yahoo hack
- https://www.helpnetsecurity.com/2016/12/15/one-billion-yahoo-hack/
Dec 15, 2016 - "Yahoo has revealed that it’s been the victim of -another- hack and massive data breach that resulted in the compromise of information of a -billion- users... Outside forensic experts that have been called in to help with the investigation believe that this breach happened in August 2013, and that it’s likely -not- been performed by the same attackers as the 2014 breach disclosed this September. In addition to this, the company says that attackers have accessed the company’s proprietary code, which allowed them to learn how to -forge-cookies- and to, therefore, be able to access user accounts -without- a password... Yahoo says that they were unable to identify the intrusion associated with this latest data theft, but that it seems that data associated with more than one -billion- user accounts has been stolen..."
* https://help.yahoo.com/kb/account/SLN27925.html?impressions=true
Dec 14, 2016

:fear::fear: :mad:

AplusWebMaster
2016-12-16, 13:14
FYI...

Fake 'document' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/spoofed-copier-your-own-email-address-attached-document-malspam-delivers-locky-ransomware-again-today/
16 Dec 2016 - "Another -blank/empty- email with the subject of 'Attached document' pretending to come from copier@ your-own-email-address with a malicious word doc attachment delivers Locky ransomware... The email looks like:
From: copier@ your-own-email-address
Date: Fri 16/12/2016 09:57
Subject: Attached document
Attachment: 3867_002.docm

Body content: Completely empty/Blank

16 December 2016: 3867_002.docm - Current Virus total detections 12/56*
Payload Security** shows a download of an encrypted file from http ://fiddlefire .net/hjg766′ which is converted by the script to loppsa2.aww ... Locky has recently started to use non standard file extensions on the binaries. Sometimes they are numbers like 342, 343, 552 or sometimes .tdb or .zk or any other 2, 3 or 4 character or number extension. All of these are actually DLL files that rundll32.exe will run via the macro or VBS/JS/WSF scripting file telling it what to do... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/ae1cd2f1554ac5c1cd7ca5e9a34cc46889c4998505bd4be86e688438b3d3e44e/analysis/1481882199/

** https://www.hybrid-analysis.com/sample/ae1cd2f1554ac5c1cd7ca5e9a34cc46889c4998505bd4be86e688438b3d3e44e?environmentId=100
Contacted Hosts
69.161.143.24
37.235.50.29
176.121.14.95
86.110.117.155
83.220.172.182
52.88.7.60
91.198.174.192
91.198.174.208
___

Fake 'Subscription' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/subscription-details-malspam-delivers-locky-ransomware/
16 Dec 2016 - "... an email with the subject of 'Subscription Details' pretending to come from random companies, names and email addresses with a semi-random named zip attachment in the format of user0989063.zip which delivers Locky ransomware... One of the emails looks like:
From: Cyril Levy <Levy.Cyril@ dragonflystudiosalon .com>
Date: Fri 16/12/2016 10:49
Subject: Subscription Details
Attachment: user0989063.zip
Dear mammoth, thank for you for subscribing to our service!
All payment and ID details are in the attachment.

16 December 2016: user0989063.zip: Extracts to: ~_P1EJYA_~.js - Current Virus total detections 4/55*
Payload Security** shows a download of an encrypted file from http ://rondurkin .com/c6w5pscmc which is converted by the script to jex1N6oXpYUpIQ.zk (VirusTotal 5/56***). Locky has recently started to use non standard file extensions on the binaries. Sometimes they are numbers like 342, 343, 552 or sometimes .tdb or .zk or any other 2, 3 or 4 character or number extension. All of these are actually DLL files that rundll32.exe will run via the macro or VBS/JS/WSF scripting file telling it what to do... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/5fc270095ad6314249b8ba7f58f0503c13c7aee05c21c69d637e20ecb231d08e/analysis/1481885511/

** https://www.hybrid-analysis.com/sample/794dcfdcc1362140eee6fcda11ddf239ab048a965bba634bb787321db9672cfa?environmentId=100
Contacted Hosts
82.211.96.24
91.201.41.145
31.41.47.50
46.8.29.155
52.34.245.108
54.240.162.137

*** https://www.virustotal.com/en/file/336617cc35b116446f4a082dfa04985e9d01999abd4c72755ccc31eb46a70992/analysis/1481886225/
___

Fake 'Processing Problem' SPAM - leads to Locky
- http://blog.dynamoo.com/2016/12/malware-spam-payment-processing-problem.html
15 Dec 2016 - "This -fake- financial spam leads to Locky ransomware:
From: Juliet Langley
Date: 15 December 2016 at 23:17
Subject: Payment Processing Problem
Dear [redacted],
We have to inform you that a problem occured when processing your last payment (code: 3132224-M, $789.$63).
The receipt is in the attachment. Please study it and contact us.
King Regards,
Juliet Langley

The name of the sender will vary as will the reference number and dollar amounts. Attached is a ZIP file with a name somewhat matching the reference (e.g. MPay3132224.zip) containing in turn a malicious Javascript with a name similar to ~_AB1C2D_~.js... the scripts download a component...
(Long list of domain-names at the dynamoo URL above.)
The malware then phones home to the following locations:
185.129.148.56 /checkupdate (MWTV, Latvia)
178.209.51.223 /checkupdate [hostname: 454.SW.multiservers.xyz] (EDIS, Switzerland)
37.235.50.119 /checkupdate [hostname: 454.2.SW.multiservers.xyz] (EDIS, Switzerland)
Recommended blocklist:
185.129.148.0/24
178.209.51.223
37.235.50.119 "

- https://myonlinesecurity.co.uk/payment-processing-problem-malspam-delivers-locky/
15 Dec 2016 - "... an email with the subject of 'Payment Processing Problem' coming or pretending to come from random companies, names and email addresses with a semi-random named zip attachment in the format of MPay7197337.zip which delivers Locky ransomware... One of the emails looks like:
From: Kristie Soto <Soto.Kristie@ kadgraphics .com>
Date: Thu 15/12/2016 22:33
Subject: Payment Processing Problem
Attachment: MPay7197337.zip
Dear adkins,
We have to inform you that a problem occured when processing your last payment (code: 7197337-M, $454.$86).
The receipt is in the attachment. Please study it and contact us.
King Regards,
Kristie Soto

15 December 2016: MPay7197337.zip: Extracts to: ~_7XXTOQ_~.js - Current Virus total detections 3/55*
Payload Security** shows a download of an encrypted file from http ://ustadhanif .com/q0w93lkrvp
which is converted by the script to HNUsEBnh.zk (VirusTotal 6/57***). Locky has recently started to use non standard file extensions on the binaries. Sometimes they are numbers like 342, 343, 552 or sometimes .tdb or .zk or any other 2, 3 or 4 character or number extension. All of these are actually DLL files that rundll32.exe will run via the macro or VBS/JS/WSF scripting file telling it what to do... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/8a192f7378003d0eea4ab08f127021297dd4eb7f428c8375a312269bcbe43825/analysis/1481842328/

** https://www.hybrid-analysis.com/sample/8a192f7378003d0eea4ab08f127021297dd4eb7f428c8375a312269bcbe43825?environmentId=100
Contacted Hosts
208.75.151.108
37.235.50.119
52.85.184.150

*** https://www.virustotal.com/en/file/7e87fd6074f6a18791adcea5f78d6fdb54f5207e3ba0442e716bdf32b7011a18/analysis/1481843139/
___

Malvertising compromises routers instead of computers
- https://www.helpnetsecurity.com/2016/12/16/malvertising-campaign-compromises-routers/
Dec 16, 2016 - "The DNSChanger exploit kit is back and more effective than ever, and is being used in a widespread malvertising attack whose goal is to compromise small/home office routers. According to Proofpoint* researchers, the attacker’s current main goal is to change DNS records on the target router, so that it queries the attacker’s rogue DNS servers, and the users are served with ads that will earn the attackers money:
> https://www.helpnetsecurity.com/images/posts/dnschanger-attack.jpg
... Using ad-blocking software should also minimize the risk of getting hit through this and other malvertising campaigns. According to Kafeine**, the current one is successfully targeting Chrome browser users on Windows desktops and Android devices. Also, this is not the first time that attackers are successfully using steganography to deliver and run malicious code. Earlier this month, ESET researchers flagged a malvertising campaign that redirected users to the Stegano exploit kit through malicious code hidden in the pixels of the bad ads/banners."
* https://www.proofpoint.com/us/threat-insight/post/home-routers-under-attack-malvertising-windows-android-devices
"... Since the end of October, we have seen an improved version of the “DNSChanger EK” ** used in ongoing malvertising campaigns. DNSChanger attacks internet routers via potential victims’ web browsers; the EK does not rely on browser or device vulnerabilities but rather vulnerabilities in the victims' home or small office (SOHO) routers. Most often, DNSChanger works through the Chrome browser on Windows desktops and Android devices. However, once routers are compromised, all users connecting to the router, regardless of their operating system or browser, are vulnerable to attack and further malvertising..."
** http://malware.dontneedcoffee.com/2015/05/an-exploit-kit-dedicated-to-csrf.html

:fear::fear: :mad:

AplusWebMaster
2016-12-19, 13:58
FYI...

Fake 'Payslip' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/payslip-for-the-month-dec-2016-malspam-delivers-locky/
19 Dec 2016 - "An email with the subject of 'Payslip for the month Dec 2016' pretending to come from random senders with a malicious word doc attachment delivers Locky ransomware... The email looks like:
From: JASMINE DICKEY <jasmine.dickey@ ejmbcommercial .com>
Date: Mon 19/12/2016 09:50
Subject: Payslip for the month Dec 2016.
Attachment: Payslip_Dec_2016_5490254.doc
Dear customer,
We are sending your payslip for the month Dec 2016 as an attachment with this mail.
Note: This is an auto-generated mail. Please do not reply.

19 December 2016: Payslip_Dec_2016_5490254.doc - Current Virus total detections 11/53*
Payload Security** shows a download of an encrypted file from http ://routerpanyoso.50webs .com/8hrnv3 which is converted by the script to shtrina2.ero (VirusTotal 12/55***). Locky has recently started to use non standard file extensions on the binaries. Sometimes they are numbers like 342, 343, 552 or sometimes .tdb or .zk or any other 2, 3 or 4 character or number extension. All of these are actually DLL files that rundll32.exe will run via the macro or VBS/JS/WSF scripting file telling it what to do... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/91b7124597531d4de057abd1b6e43e2c3ebd2e4defb3cf9485bd8b2a9c1a02fc/analysis/1482144602/

** https://www.hybrid-analysis.com/sample/91b7124597531d4de057abd1b6e43e2c3ebd2e4defb3cf9485bd8b2a9c1a02fc?environmentId=100
Contacted Hosts
162.210.101.94
193.201.225.124
46.148.26.82
188.127.237.76
176.121.14.95
52.39.24.163
52.85.184.92
91.198.174.192
13.82.139.29
91.198.174.192
91.198.174.208

*** https://www.virustotal.com/en/file/a2e9025066f39a07b2bb4a85932c68f5b3da6a07bebb877aed1031c987ca16d3/analysis/1482144877/

- http://blog.dynamoo.com/2016/12/malware-spam-payslip-for-month-dec-2016.html
19 Dec 2016 - "This -fake- financial spam leads to Locky ransomware:
From: PATRICA GROVES
Date: 19 December 2016 at 10:12
Subject: Payslip for the month Dec 2016.
Dear customer,
We are sending your payslip for the month Dec 2016 as an attachment with this mail.
Note: This is an auto-generated mail. Please do not reply.

The name of the sender will vary. Attached is a malicious Word document with a name like Payslip_Dec_2016_6946345.doc which has a VirusTotal detection rate of 12/55*. This Hybrid Analysis** clearly shows Locky ransomware in action when the document is opened. According to my usual reliable source, the various versions of this download a component...
(Long list of domain-names shown at the dynamoo URL above.)
... The malware then phones home to one of the following locations:
176.121.14.95 /checkupdate (Rinet LLC, Ukraine)
193.201.225.124 /checkupdate (PE Tetyana Mysyk, Ukraine)
188.127.237.76 /checkupdate (SmartApe, Russia)
46.148.26.82 /checkupdate (Infium, Latvia / Ukraine)
A DLL is dropped with a detection rate of 12/52*.
Recommended blocklist:
176.121.14.95
193.201.225.124
188.127.237.76
46.148.26.82 "
* https://virustotal.com/en/file/17e89651bb35aba8a89b527c3f1c8a2bca1d06e3e070c8f2e11bfaa0c0600533/analysis/1482147232/

** https://www.hybrid-analysis.com/sample/17e89651bb35aba8a89b527c3f1c8a2bca1d06e3e070c8f2e11bfaa0c0600533?environmentId=100
Contacted Hosts
193.201.225.124
188.127.237.76
46.148.26.82
176.121.14.95
52.85.184.12

*** https://virustotal.com/en/file/a2e9025066f39a07b2bb4a85932c68f5b3da6a07bebb877aed1031c987ca16d3/analysis/
___

Fake 'LogMeIn' SPAM - delivers malware
- https://myonlinesecurity.co.uk/logmein-account-notification-ip-blocked-malspam-delivers-malware/
19 Dec 2016 - "The email looks like:
From: LogMeIn.com Auto-Mailer <noreply@ ssl-logmein .com>
Date: Mon 19/12/2016 17:10
Subject: LogMeIn Account Notification – Ip blocked
Attachment: -Link-in-email-body- downloads notification_recipients_name.doc
Your IP has been blocked from using the LogMeIn website after too many failed log-in attempts.
Account holder: keith@[redacted]
Event: IP blocked
At: Mon, 19 Dec 2016 19:09:37 +0200
To clear the IP address lockout, please follow the instructions...

Screenshot: https://i0.wp.com/myonlinesecurity.co.uk/wp-content/uploads/2016/12/offfice-enable-editing.png

19 December 2016: notification_keith.doc - Current Virus total detections 3/54*
Payload Security **. The link-in-the-email is to http ://www .celf .jp/wp-content/themes/i-max/api/get.php?id=recipients email address encoded in base 64... The domain ssl-logmein .com was registered -today- 19 December 2016 via a Chinese registrar to a Bulgarian entity (IP address listed as 1.1.1.1). The emails are actually coming via a botnet of infected/compromised computers and servers... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/c56ff7309ed75a4f416e6116f5a3777e15107811085ba96f7ca7f210d6780c14/analysis/1482167739/
Trojan:W97...

** https://www.hybrid-analysis.com/sample/c56ff7309ed75a4f416e6116f5a3777e15107811085ba96f7ca7f210d6780c14?environmentId=100
Contacted Hosts
23.21.228.240
80.78.251.134
212.24.98.247

ssl-logmein .com: 1.1.1.1: https://www.virustotal.com/en/ip-address/1.1.1.1/information/
> https://www.virustotal.com/en/url/9871e5fb836e10cff16a5ec95587fdf449fd8bd8703f6f2dbbf3849f59e7a4a5/analysis/

:fear::fear: :mad:

AplusWebMaster
2016-12-20, 13:27
FYI...

Fake 'printing' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/spoofed-moonbake-inc-for-printing-malspam-delivers-locky-ransomware/
20 Dec 2016 - "An email spoofing Moonbake Inc with the subject of 'for printing' coming from random sender with a malicious Excel XLS spreadsheet attachment delivers Locky... One of the email looks like:
From: HILLARY TATEHAM <hillary.tateham@ stonelawassociates .Com>
Date: Tue 20/12/2016 09:47
Subject: for printing
Attachment: Certificate_2373.xls
Hi,
For printing.
Thank you so much.
HILLARY TATEHAM Cristobal HRD/Admin Officer
Moonbake Inc. 14 Langka St., Golden Acres Talon 1
Las Piñas City, Philippines ...

20 December 2016: Certificate_2373.xls - Current Virus total detections 5/56*
Payload Security** shows a download of an encrypted file from http ://yorkshire-pm .com/hjv56 which is converted by the script to momerk2.vip (VirusTotal 9/55***). Locky has recently started to use non standard file extensions on the binaries. Sometimes they are numbers like 342, 343, 552 or sometimes .tdb or .zk or any other 2, 3 or 4 character or number extension. All of these are actually DLL files that rundll32.exe will run via the macro or VBS/JS/WSF scripting file telling it what to do. Manual analysis shows these download locations:
yorkshire-pm .com/hjv56
isriir .com/hjv56
noosnegah .com/hjv56 ...
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/a7b6a31482ae8ff7d607390deaf57bcfd488e98b5fd5598abc1ecaac099b9603/analysis/1482227222/

** https://www.hybrid-analysis.com/sample/a7b6a31482ae8ff7d607390deaf57bcfd488e98b5fd5598abc1ecaac099b9603?environmentId=100
Contacted Hosts
103.11.101.46
91.223.180.3
188.127.239.48
193.201.225.124
54.239.168.79

*** https://www.virustotal.com/en/file/3f474165756cfb12f459379420447e397e966fc4b665c1ec90d894772926f893/analysis/1482228007/
___

Fake 'Scan' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/spoofed-lumax-industries-ltd-scan-malspam-delivers-locky/
20 Dec 2016 - "... an email spoofing Lumax Industries Ltd. with the subject of 'Scan' pretending to come from random companies, names and email addresses with a random named zip attachment which delivers Locky ransomware...

Screenshot: https://i0.wp.com/myonlinesecurity.co.uk/wp-content/uploads/2016/12/spoofed-lumax-industries-email.png?w=896&ssl=1

20 December 2016: 07cff4edf9a.zip: Extracts to: r9a2aa5cdfcbabe8bbbfc598cd334abb.wsf
Current Virus total detections 9/55*. Payload Security** shows a download of an encrypted file from
http ://www.judo-hattingen .de /hjv56?lktttKC=koHaQOx which is converted by the script to pYmpJfsNiM1.dll which unfortunately the free web version of Payload security does not make available for download... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/e07e2bbc8f9b23c5881d9305014cc4e6670b8a8965136e584a9cad43d3dba21e/analysis/1482248792/

** https://www.hybrid-analysis.com/sample/e07e2bbc8f9b23c5881d9305014cc4e6670b8a8965136e584a9cad43d3dba21e?environmentId=100
Contacted Hosts
91.250.102.57
176.121.14.95
193.201.225.124
52.32.150.180
52.85.184.12

:fear::fear: :mad:

AplusWebMaster
2016-12-21, 13:49
FYI...

Fake 'Secure Comm' SPAM - delivers Trickbot
- https://myonlinesecurity.co.uk/spoofed-commbank-secure-communication-delivers-malware/
21 Dec 2016 - "An email spoofing CommBank with the subject of 'Secure Communication' coming from < secure.message@ commbanksecureemail .com > with a malicious word doc attachment delivers Trickbot banking Trojan...

Screenshot: https://i1.wp.com/myonlinesecurity.co.uk/wp-content/uploads/2016/12/commbank-secure-message.png?resize=1024%2C805&ssl=1

21 December 2016: Message.doc - Current Virus total detections 14/54*
Payload Security** shows a downloadfrom http ://onsitepcinc .com/images/344bzhmyVYyWz7NqRpfuunqXxjkseLhdmy.png which is -not- a png (image file) but a renamed .exe that is renamed by the script to wynrajo.exe (VirusTotal 22/56***)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/b989d3fc3596fcfbf33f4579f91366bbcddc948fb4195fb1d195c60a6762ddcf/analysis/1482306465/

** https://www.hybrid-analysis.com/sample/b989d3fc3596fcfbf33f4579f91366bbcddc948fb4195fb1d195c60a6762ddcf?environmentId=100
Contacted Hosts
65.108.116.221
78.47.139.102
36.37.176.6
201.236.219.180
144.76.249.26

*** https://www.virustotal.com/en/file/5045b95b39d1481f06a520d18d4635c3f79458830a8441f1b945103d6e79714a/analysis/1482314962/
___

Fake 'Photo' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/photo-from-random-girl-malspam-delivers-locky/
21 Dec 2016 - "... another -blank- empty email with the subject of 'Photo' from {random Girl’s name} pretending to come from names and email addresses with a semi-random named zip attachment in the format of IMG-date-WA1234.zip which delivers Locky ransomware... One of the emails looks like:
From: Glenna <Glennaherron3424@ syprotek .com>
Date: Wed 21/12/2016 09:32
Subject: Photo from Glenna
Attachment: IMG-20161221-WA4646.zip

Body content: totally blank/Empty

21 December 2016: IMG-20161221-WA4646.zip: Extracts to: A87D1FCF.wsf - Current Virus total detections 8/55*
Payload Security**... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/11261ce07393393e43e2ef5e0cabfa1d58ecb314b98028228d981f83b44ea3f5/analysis/1482312946/

** https://www.hybrid-analysis.com/sample/11261ce07393393e43e2ef5e0cabfa1d58ecb314b98028228d981f83b44ea3f5?environmentId=100
Contacted Hosts
103.232.120.79
176.121.14.95
52.42.26.69
54.240.162.130
52.35.54.251

:fear::fear: :mad:

AplusWebMaster
2016-12-22, 12:07
FYI...

Fake 'scanned copy' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/scanned-copy-malspam-should-deliver-locky-ransomware/
22 Dec 2016 - "... another -blank/empty- email with the subject of 'scanned copy' pretending to come from random names and email addresses with a semi-random named zip attachment in the format of HP0000000937.zip delivers Locky ransomware... One of the emails looks like:
From: jeanne whitehorne <jeanne.whitehorne@ owdv .net>
Date: Thu 22/12/2016 03:55
Subject: scanned copy
Attachment: HP0000000937.zip

Body content: totally blank/empty

22 December 2016: HP0000000937.zip: Extracts to: JFF38A.vbs - Current Virus total detections 8/55*
Payload Security** shows a download of an encrypted file from http ://www .dvdpostal .net/result ... Locky has recently started to use non standard file extensions on the binaries. Sometimes they are numbers like 342, 343, 552 or sometimes .tdb or .zk or any other 2, 3 or 4 character or number extension. All of these are actually DLL files that rundll32.exe will run via the macro or VBS/JS/WSF scripting file telling it what to do... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/d8758da1d4408465de8b8231e34bf7536e7ffc0c83a46013db4f728401d9be68/analysis/1482379501/

** https://www.hybrid-analysis.com/sample/d8758da1d4408465de8b8231e34bf7536e7ffc0c83a46013db4f728401d9be68?environmentId=100
Contacted Hosts
213.0.77.6
176.121.14.95
52.88.7.60
54.240.162.173
35.160.111.237
___

Fake 'Bestbuy' SPAM - delivers malware
- https://myonlinesecurity.co.uk/your-bestbuy-item-is-due-for-delivery-on-22th-december-malspam-tries-to-deliver-malware/
22 Dec 2016 - "... an email with the subject of 'Your Bestbuy item is due for delivery on 22th December' pretending to come from random names at yahoo .com with a random named zip attachment which tries to deliver some sort of malware. This zip file extracts to another zip file before it extracts to the .js file... One of the emails looks like:
From: josecastillo2344@ yahoo .com
Date: Thu 22/12/2016 08:56
Subject: Your Bestbuy item is due for delivery on 22th December
Attachment: ECIOPZiodlxc.zip
On the morning 22th of December you’ll be delivered a window and you’ll have the possibility to track your request on its way to your address.
Please make sure someone is available to sign for your delivery.
Pack delivery info and your contact data is in the file attached to this letter.
If you will be out, it’s not a problem: you have a range of ‘in-flight’ options like changing your delivery time collecting from the nearest DPD Pickup Shop, asking us to deliver to one of your frients or arranging to have your item delivered to a safe place at your work address.

22 December 2016: ECIOPZiodlxc.zip: Extracts to: ECIOPZiodlxc.js - Current Virus total detections 3/54*
Payload Security** shows a download of an encrypted file from http ://optimastop .eu/castle/map which is currently giving me a 403 forbidden. It does show it wants to use BITS transfer and it is possible that a standard http get is blocked... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/6678f9d2e65b8ef687fe40693f88d71b526a2f119b2337882a63236bd15ef285/analysis/1482399844/
Troj.Downloader.Js...

** https://www.hybrid-analysis.com/sample/6678f9d2e65b8ef687fe40693f88d71b526a2f119b2337882a63236bd15ef285?environmentId=100

:fear::fear: :mad:

AplusWebMaster
2016-12-23, 13:52
FYI...

Tech support phone SCAM
- http://blog.dynamoo.com/2016/12/02085258899-tech-support-scam-using.html
23 Dec 2016 - "If these people ring you DO -NOT- GIVE THEM ACCESS TO YOUR PC and either hang up - or waste their time like I do. It seems there are some prolific technical support scammers ringing from 02085258899 pretending to be from BT. They had a very heavy Indian accent, and they have made many silent calls to my telephone number before today. They -claim- that hackers are accessing my router. I wasted 37 minutes of their time, these are some of the steps to watch out for..
1. They get you to open a command prompt and type ASSOC which brings up a big long list of file associations, in particular they seem interested in one that says .ZFSendToTarget=CLSID\{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}
2. Then they get you to bring up the Event Viewer by typing EVENTVWR and then clicking "Custom Views" and "Administrative Events". This is a log file that will always show a whole bunch of meaningless errors (such as network faults). It's quite normal for this to look quite bad to the untrained eye.
3. Then in order they try to get you to connect to the following services to take remote control of your PC: www .anydesk .com, www .teamviewer .com and www .supremofree .com. All of these are legitimate services, but I have to confess I'd never heard of the last one.. so I will add it to my corporate blacklist.
4. When those didn't work they tried directing me to a proxy at hide .me/proxy and www .hide .me/proxy (the same thing I know) which is probably another candidate for blocking.
Of course, once they have access to your PC they will try to convince you that you need to -pay- them some money for technical support. Be warned, that they can render-your-PC-unusable if you don't pay, and they can also steal confidential data. Despite how many times they may tell you they are from BT, they are not.. they are simply fraudsters."
___

Fake 'eFax' SPAM - delivers malware
- https://myonlinesecurity.co.uk/spoofed-efax-from-scanner-at-your-own-email-address-malspam-delivers-unknown-malware/
22 Dec 2016 - "... another email spoofing eFax with the subject of 'You have recevied a message' pretending to come from faxscanner scanner@ your-own-email-address with a semi-random named zip attachment in the format of Message efax system-1701.zip which delivers an unknown malware. Indications are that this could be Trickbot or could be Dridex banking Trojan... One of the emails looks like:
From: Fax Scanner <scanner @ your-email-address>
Date: Thu 22/12/2016 20:51
Subject: You have recevied a message
Attachment: Message efax system-1701.zip
You have received a message on efax.
Please download and open document attached.
Scanner eFax system.

22 December 2016: Message efax system-1701.zip: Extracts to: Message efax system-2817.js
Current Virus total detections 4/53*. Payload Security** shows a download of ntntoto1].png (but doesn’t give the download url) which is renamed by the script to QE7JlpDt.exe (VirusTotal 29/56***). The js file is heavily obfuscated and almost impossible to human read and decrypt. Update: MALWR[4] gave me ‘http ://glendaleoffice .com/js/ntntoto.png’ as the download location... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/dedf48735fa9bcb628d351b1d5f6f2e55d99c4afbf4705d287c21dd7c54e89e9/analysis/1482441908/

** https://www.hybrid-analysis.com/sample/dedf48735fa9bcb628d351b1d5f6f2e55d99c4afbf4705d287c21dd7c54e89e9?environmentId=100
Contacted Hosts
78.47.139.102
36.37.176.6
201.236.219.180

*** https://www.virustotal.com/en/file/b9d9fcb7717a40eecd83918a46def475d5861ad0aa6b7eeac7eb5f5c518d9c29/analysis/

4] https://malwr.com/analysis/MGQ1ZTFiZWEwMjFlNDkyMjk3NWEwZDgwMDIxODEwMmU/
Hosts
69.67.54.86
78.47.139.102
54.243.154.49
45.76.25.15
167.114.174.158
188.40.53.51
36.37.176.6
192.189.25.143

glendaleoffice .com: 69.67.54.86: https://www.virustotal.com/en/ip-address/69.67.54.86/information/
> https://www.virustotal.com/en/url/4eb0751aaeea7e640b6957cb64cf8c24901b9d34f1917b2536a1c0fb6195d12e/analysis/

:fear::fear: :mad:

AplusWebMaster
2016-12-27, 14:57
FYI...

Fake 'USPS' SPAM - delivers Locky, Kovter, other malware
- https://myonlinesecurity.co.uk/spoofed-usps-unable-to-deliver-malspam-continues-to-deliver-locky-kovter-and-other-malware/
27 Dec 2016 - "... malware gang spoofing FedEx, USPS and every other courier, delivery or postal service, sending thousands of 'Courier was not able to deliver your parcel' and hundreds of variants or similar subjects like 'USPS issue #06914074: unable to delivery parcel'... Some subjects seen, all have random numbers, include:
USPS issue #06914074: unable to delivery parcel
Parcel #006514814 shipment problem, please review
USPS parcel #3150281 delivery problem
Courier was not able to deliver your parcel (ID006976677, USPS)
Parcel 05836911 delivery notification, USPS
... malware downloaders spoofing USPS pretending to be a message saying cannot deliver the parcel. These deliver Locky ransomware and Kovter Trojans amongst others...

27 December 2016: Delivery-Details-06914074.zip: Extracts to: Delivery-Details-06914074.doc.wsf
Current Virus total detections 7/55*. Payload Security** shows a download from
http ://boardedhallgreen .com/counter/?a=1HHDb3PbzDuGitWA7eW5oQFLzRjd1VzqhJ&m=3254807&i=Y5rzyqa6RhRlpx-dpPoqiXX2fW4GipPhNOTHtfBNJDBj6eEd6iZ3Yj9wAD7akn77R5LBqqvQvXIlyx_kYmBdyl0Bi12Qqds7
which gives counter.js (VirusTotal 1/55***) that in turn downloads from
http ://baltasmenulis .lt/counter/?i=Y5rzyqa6RhRlpx-dpPoqiXX2fW4GipPhNOTHtfBNJDBj6eEd6iZ3Yj9wAD7akn77R5LBqqvQvXIlyx_kYmBdyl0Bi12Qqds7&a=1HHDb3PbzDuGitWA7eW5oQFLzRjd1VzqhJ&r=01 (and 02 – 05).
The script tries the first in the list & then moves down until it gets a reply from the server. You never see the first downloaded file ( counter.js on your computer, that is run directly from temp internet files ). It downloads 01 first, then 02, then 03 until you get to 05. If any site doesn’t have the file, then it moves to the next site in the list for that particular file. Each site on the list has a full set of the files. but it is rare for the site giving counter.js to actually download from itself, normally that downloads from a different site on the list. All the files (apart from the original counter.js) pretend to be png (image files). They are actually all renamed .exe files or in the case of number 3, a -renamed- php script. Both of the innocent files are misused to run the malware. This is a very noisy malware set that contacts 4 domains and -179- hosts. View the network section on the Payload Security report[4] for more details... One of the emails looks like:
From: USPS Priority Delivery <steven.kent@ confedampa .org>
Date: Tue 27/12/2016 06:57
Subject: USPS issue #06914074: unable to delivery parcel
Attachment: Delivery-Details-06914074.zip
Dear Customer,
Your item has arrived at December 25, but our courier was not able to deliver the parcel.
You can download the shipment label attached!
Thank you for your assistance in this matter,
Steven Kent,
USPS Chief Delivery Manager.

The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/72da4f5b2277f21eeb4d02bdc5d62d9b128b843eb91cbacfedc5c6abc6b6f9fb/analysis/1482822876/

** https://www.hybrid-analysis.com/sample/72da4f5b2277f21eeb4d02bdc5d62d9b128b843eb91cbacfedc5c6abc6b6f9fb?environmentId=100

*** https://www.virustotal.com/en/file/7f7a853245e8e20aea599f9bb1ed4fcf4afcaccf7dc42063820993458fb49a21/analysis/1482824922/

4] https://www.hybrid-analysis.com/sample/72da4f5b2277f21eeb4d02bdc5d62d9b128b843eb91cbacfedc5c6abc6b6f9fb?environmentId=100#sample-network-traffic
Contacted Hosts (179)
___

Fake 'FedEx' SPAM - delivers Locky and other malware
- https://myonlinesecurity.co.uk/more-spoofed-fedex-unable-to-deliver-your-parcel-malspam-delivering-locky-and-multiple-other-malwares/
25 Dec 2016

> https://www.hybrid-analysis.com/sample/956bba1467c1f08d6f31c3c16af10b915f1e4e82241ca057dffeba4d276ede8e?environmentId=100#sample-network-traffic
Contacted Hosts (170)

:fear::fear: :mad: :mad:

AplusWebMaster
2016-12-28, 14:55
FYI...

Fake 'FedEx/USPS' SPAM - Kovter/Locky sites
- https://myonlinesecurity.co.uk/spoofed-fedex-and-usps-kovter-and-locky-sites/
28 Dec 2016 - "Following on from these [FEDEX(1)] [USPS(2)] posts describing the Spoofed FedEx and USPS (and other delivery services from time to time). I will endeavour to keep up to date with a list of current sites involved in the spreading of this malware. I will also show the command used that day to obtain the malware. I will add each days new sites to the lists, but please remember that old sites are -reused-daily- until taken down by their hosts. -All- the sites used in this malware spreading campaign are -hacked/compromised- sites.
1] https://myonlinesecurity.co.uk/more-spoofed-fedex-unable-to-deliver-your-parcel-malspam-delivering-locky-and-multiple-other-malwares/

2] https://myonlinesecurity.co.uk/spoofed-usps-unable-to-deliver-malspam-continues-to-deliver-locky-kovter-and-other-malware/

The script tries the first in the list & then moves down until it gets a reply from the server. You never see the first downloaded file (counter.js by searching on your computer, that is run directly from temp internet files). Counter.js then downloads a different -variant- of counter.js which in turn downloads 01 first, then 02, then 03 until you get to 05. If any site doesn’t have the file, then it moves to the next site in the list for that particular file. Each site on the list has a full set of the files. but it is rare for the site delivering counter.js to actually download from itself, normally that downloads from a different site on the list. All the files (apart from the -original- counter.js) pretend to be png (image files). They are actually all renamed .exe files or a renamed php script listing the files to be encrypted. Counter.js contains the list of sites to download from, which includes many of the sites listed in the original WSF, JS, VBS or other scripting file and normally one or 2 extra ones. to get the -second- counter.js you need to change the &r=01 at the end of the url to &m=01 (or 02-05). This -second- counter.js contains -additional- sites to download from which frequently includes sites from the previous days lists that are not already included in the WSF or first counter.js.
I only accidentally found out about the second /3rd /4th /5th counter.js when I made a mistake in manually decoding the original wsf file (and the original counter.js) and mistyped/miscopied the &r= and used &m= instead. Obviously it is a belt and braces approach to making sure the actual malware gets downloaded to a victim’s computer when urls or sites are known about and -blocked- by an antivirus or web filter service.

25 December 2016: (Payload Security report [3]) Contacted Hosts (170)
3spension .com: 116.127.123.32: https://www.virustotal.com/en/ip-address/116.127.123.32/information/
minebleue .com: 213.186.33.87: https://www.virustotal.com/en/ip-address/213.186.33.87/information/
chaitanyaimpex .org: 43.255.154.44: https://www.virustotal.com/en/ip-address/43.255.154.44/information/
grancaffe .net: 94.23.64.40: https://www.virustotal.com/en/ip-address/94.23.64.40/information/
break-first .com: 87.98.144.123: https://www.virustotal.com/en/ip-address/87.98.144.123/information/
www .meizumalaysia .com: 103.51.41.205: https://www.virustotal.com/en/ip-address/103.51.41.205/information/
dreamoutloudcenter .org: 184.168.234.1: https://www.virustotal.com/en/ip-address/184.168.234.1/information/
megrelis-avocat .com: 213.186.33.82: https://www.virustotal.com/en/ip-address/213.186.33.82/information/

/counter/?a=1DtntZgmur6occ1CY29PJzvAzLsjCXMuyD&m=9488599&i=e5J5zaa6WhR1MYhBZ8L8Rmw2RWRVmbtna9Y_vLRIrGW2mVxU7SBYLhBH9Gj5Mr942yUp7kFWRWAOGtmJ5aqexWRDrTq_rGixe_a-gmVCMQ
/counter/?i=e5J5zaa6WhR1MYhBZ8L8Rmw2RWRVmbtna9Y_vLRIrGW2mVxU7SBYLhBH9Gj5Mr942yUp7kFWRWAOGtmJ5aqexWRDrTq_rGixe_a-gmVCMQ&a=1DtntZgmur6occ1CY29PJzvAzLsjCXMuyD&r=01

27 December 2016: (Payload Security report[4]) Contacted Hosts (179)
lacasadeicuochi .it: 185.2.4.12: https://www.virustotal.com/en/ip-address/185.2.4.12/information/
boardedhallgreen .com: 184.168.230.1: https://www.virustotal.com/en/ip-address/184.168.230.1/information/
www .memoodgetactive.det.nsw .edu.au: 153.107.134.124: https://www.virustotal.com/en/ip-address/153.107.134.124/information/
rebecook .fr: 213.186.33.104: https://www.virustotal.com/en/ip-address/213.186.33.104/information/
peachaid .com: 107.180.26.91: https://www.virustotal.com/en/ip-address/107.180.26.91/information/
kidsgalaxy .fr: 213.186.33.18: https://www.virustotal.com/en/ip-address/213.186.33.18/information/
baltasmenulis .lt: 185.5.53.28: https://www.virustotal.com/en/ip-address/185.5.53.28/information/
artss .org: 166.62.27.56: https://www.virustotal.com/en/ip-address/166.62.27.56/information/

/counter/?a=1HHDb3PbzDuGitWA7eW5oQFLzRjd1VzqhJ&m=3254807&i=Y5rzyqa6RhRlpx-dpPoqiXX2fW4GipPhNOTHtfBNJDBj6eEd6iZ3Yj9wAD7akn77R5LBqqvQvXIlyx_kYmBdyl0Bi12Qqds7
/counter/?i=Y5rzyqa6RhRlpx-dpPoqiXX2fW4GipPhNOTHtfBNJDBj6eEd6iZ3Yj9wAD7akn77R5LBqqvQvXIlyx_kYmBdyl0Bi12Qqds7&a=1HHDb3PbzDuGitWA7eW5oQFLzRjd1VzqhJ&r=01

28 December 2016: (Payload Security report[5]) Contacted Hosts (174)
thanepoliceschool .com: 166.62.27.146: https://www.virustotal.com/en/ip-address/166.62.27.146/information/
chimie.iset-liege .be: 213.186.33.17: https://www.virustotal.com/en/ip-address/213.186.33.17/information/
partnersforcleanstreams .org: 192.186.205.128: https://www.virustotal.com/en/ip-address/192.186.205.128/information/

/counter/?a=1N1rEZQQ9Z3Ju6jggwn7hFU1jXytBTcK7r&m=8429816&i=LXEfbBQo_qDv_k77jrIae7y_BHSSQ_IZeneRTOoRmdDa4RlnJqaUKIl03HhN683DsUx-hkDi_OiCy0bOPjhZTiYm8RSQDBkfCerE
/counter/?i=LXEfbBQo_qDv_k77jrIae7y_BHSSQ_IZeneRTOoRmdDa4RlnJqaUKIl03HhN683DsUx-hkDi_OiCy0bOPjhZTiYm8RSQDBkfCerE&a=1N1rEZQQ9Z3Ju6jggwn7hFU1jXytBTcK7r&r=01 "

3] https://www.hybrid-analysis.com/sample/956bba1467c1f08d6f31c3c16af10b915f1e4e82241ca057dffeba4d276ede8e?environmentId=100

4] https://www.hybrid-analysis.com/sample/72da4f5b2277f21eeb4d02bdc5d62d9b128b843eb91cbacfedc5c6abc6b6f9fb?environmentId=100

5] https://www.hybrid-analysis.com/sample/db78af048f241294b13925b33a33b088642110f51d2a0f14116d902a68a97eb3?environmentId=100
___

29 December 2016: (Payload Security report[6]) Contacted Hosts (169)
cobycaresfoundation .org: 72.47.244.92: https://www.virustotal.com/en/ip-address/72.47.244.92/information/
dev.zodia-q .com: 153.121.37.174: https://www.virustotal.com/en/ip-address/153.121.37.174/information/
shark1.idhost .kz: 82.200.247.240: https://www.virustotal.com/en/ip-address/82.200.247.240/information/
italysfinestdesign .it: 217.72.102.152: https://www.virustotal.com/en/ip-address/217.72.102.152/information/
salutgaudi .com: 185.2.4.20: https://www.virustotal.com/en/ip-address/185.2.4.20/information/
zodia-q .com: 153.121.37.174: https://www.virustotal.com/en/ip-address/153.121.37.174/information/

/counter/?a=13h8Y8z3WfiDFYG7jEWgsqZmPL94z22ca1&m=2365622&i=a5P5yqa6RhR1p80JYSnJbDP0I9KOXtIPtIhrFT4SHyIIqBAg-BghzAkZFkHS2tXw5C3mJYnrwuc1MpOfvGWZGd_STcfaml86P_kj5gA

/counter/?i=a5P5yqa6RhR1p80JYSnJbDP0I9KOXtIPtIhrFT4SHyIIqBAg-BghzAkZFkHS2tXw5C3mJYnrwuc1MpOfvGWZGd_STcfaml86P_kj5gA&a=13h8Y8z3WfiDFYG7jEWgsqZmPL94z22ca1&r=01

> 2nd version today (Payload Security Report[7]) Contacted Hosts (7)

/counter/?=&i=a5P71qa6RhRlpLdtPLsJBpD0aKRuq7EtvIQrHyyE-zmVoG37HDoS-OmdfAXYY-Y0RtEcCwavHQyucNU4JL_PpGxvv0l-mxt00fo&a=16TqYh72RpopqiWR97WGMNtTGTazWFYBg1&r=01

/counter/?a=16TqYh72RpopqiWR97WGMNtTGTazWFYBg1&m=4831333&i=a5P71qa6RhRlpLdtPLsJBpD0aKRuq7EtvIQrHyyE-zmVoG37HDoS-OmdfAXYY-Y0RtEcCwavHQyucNU4JL_PpGxvv0l-mxt00fo

6] https://www.hybrid-analysis.com/sample/9d8fe4f9408d5936deaf20d03caf0a96d589a2e495ebf5f70a1d1ad499f608fc?environmentId=100

7] https://www.hybrid-analysis.com/sample/69a5826fb1cf3c06d8e7971fb7a9668e4b8c28c7bf3df120afe3fed52a9f42ef?environmentId=100

:fear::fear: :mad:

AplusWebMaster
2016-12-29, 14:28
FYI...

Fake 'FedEx/USPS' SPAM - updates
- https://myonlinesecurity.co.uk/spoofed-fedex-and-usps-kovter-and-locky-sites/
28 Dec 2016

29 December 2016: (Payload Security report[6]) Contacted Hosts (169)
cobycaresfoundation .org: 72.47.244.92: https://www.virustotal.com/en/ip-address/72.47.244.92/information/
dev.zodia-q .com: 153.121.37.174: https://www.virustotal.com/en/ip-address/153.121.37.174/information/
shark1.idhost .kz: 82.200.247.240: https://www.virustotal.com/en/ip-address/82.200.247.240/information/
italysfinestdesign .it: 217.72.102.152: https://www.virustotal.com/en/ip-address/217.72.102.152/information/
salutgaudi .com: 185.2.4.20: https://www.virustotal.com/en/ip-address/185.2.4.20/information/
zodia-q .com: 153.121.37.174: https://www.virustotal.com/en/ip-address/153.121.37.174/information/

/counter/?a=13h8Y8z3WfiDFYG7jEWgsqZmPL94z22ca1&m=2365622&i=a5P5yqa6RhR1p80JYSnJbDP0I9KOXtIPtIhrFT4SHyIIqBAg-BghzAkZFkHS2tXw5C3mJYnrwuc1MpOfvGWZGd_STcfaml86P_kj5gA

/counter/?i=a5P5yqa6RhR1p80JYSnJbDP0I9KOXtIPtIhrFT4SHyIIqBAg-BghzAkZFkHS2tXw5C3mJYnrwuc1MpOfvGWZGd_STcfaml86P_kj5gA&a=13h8Y8z3WfiDFYG7jEWgsqZmPL94z22ca1&r=01

> 2nd version today (Payload Security Report[7]) Contacted Hosts (7)

/counter/?=&i=a5P71qa6RhRlpLdtPLsJBpD0aKRuq7EtvIQrHyyE-zmVoG37HDoS-OmdfAXYY-Y0RtEcCwavHQyucNU4JL_PpGxvv0l-mxt00fo&a=16TqYh72RpopqiWR97WGMNtTGTazWFYBg1&r=01

/counter/?a=16TqYh72RpopqiWR97WGMNtTGTazWFYBg1&m=4831333&i=a5P71qa6RhRlpLdtPLsJBpD0aKRuq7EtvIQrHyyE-zmVoG37HDoS-OmdfAXYY-Y0RtEcCwavHQyucNU4JL_PpGxvv0l-mxt00fo

6] https://www.hybrid-analysis.com/sample/9d8fe4f9408d5936deaf20d03caf0a96d589a2e495ebf5f70a1d1ad499f608fc?environmentId=100

7] https://www.hybrid-analysis.com/sample/69a5826fb1cf3c06d8e7971fb7a9668e4b8c28c7bf3df120afe3fed52a9f42ef?environmentId=100
___

Updated Sundown EK ...
- http://blog.trendmicro.com/trendlabs-security-intelligence/updated-sundown-exploit-kit-uses-steganography/
Dec 29, 2016 - "... On December 27, 2016, we noticed that Sundown was updated... The PNG files weren’t just used to store harvested information; the malware designers now used -steganography- to hide their exploit code. The newly updated exploit kit was used by multiple-malvertising-campaigns to distribute malware. The most affected countries were Japan, Canada, and France, though Japanese users accounted for more than 30% of the total targets:
> https://blog.trendmicro.com/trendlabs-security-intelligence/files/2016/12/sundown-steganography-1.jpg
... previous Sundown versions directly connected victims to the Flash-exploit-file on their landing page. In this updated version, the exploit kit’s malvertisement creates a hidden iframe that automatically connects to the Sundown landing page. The page will retrieve and download a white PNG image. It then decodes the data in this PNG file to obtain additional malicious code... we found that it included the exploit code targeting CVE-2015-2419, a vulnerability in the JScript handling of Internet Explorer. A Flash exploit for CVE-2016-4117 is also retrieved by the exploit code. The landing page itself includes an exploit targeting another Internet Explorer (IE) vulnerability, CVE-2016-0189... The Sundown exploit kit exploits vulnerabilities in Adobe Flash and JavaScript, among others... Indicators of Compromise: The following domains were used by the Sundown Exploit kit with the matching IP addresses:
xbs.q30 .biz (188.165.163.228)
cjf.0340 .mobi (93.190.143.211)
The Chthonic sample has the following SHA1 hash:
c2cd9ea5ad1061fc33adf9df68eeed6a1883c5f9
The sample also used the following C&C server:
pationare .bit"

pationare .bit: 'Could not find an IP address for this domain name.'

188.165.163.228: https://www.virustotal.com/en/ip-address/188.165.163.228/information/

93.190.143.211: https://www.virustotal.com/en/ip-address/93.190.143.211/information/

:fear::fear: :mad:

AplusWebMaster
2017-01-03, 19:38
FYI...

Fake 'FTC' SPAM - ransomware
- https://myonlinesecurity.co.uk/spoofed-ftc-consumer-complaint-notification/
3 Jan 2017 - "... an email with the subject of 'Consumer complaint notification' pretending to come from Federal Trade Commission <ftc.mvUJw@ ftc .gov.uk>... this is a ransomware version. Techhelplist* has kindly helped out and run the sample on a test system and got this very seasonal screenshot:
* https://twitter.com/Techhelplistcom/status/816316984371646469
... The domain “ftc .gov.uk” does -not- exist... The link-in-the-email goes to:
http ://govapego .com//COMPLAINT42084270.zip

Screenshot: https://i2.wp.com/myonlinesecurity.co.uk/wp-content/uploads/2017/01/ftc-1.png?resize=1024%2C574&ssl=1

3 January 2017: COMPLAINT42084270.zip: Extracts to: COMPLAINT.pdf.exe - Current Virus total detections 21/57*
Payload Security**..."
* https://www.virustotal.com/en/file/75c82fd18fcf8a51bc1b32a89852d90978fa5e7a55281f42b0a1de98d14644fa/analysis/1483458092/
COMPLAINT.pdf.exe

** https://www.hybrid-analysis.com/sample/75c82fd18fcf8a51bc1b32a89852d90978fa5e7a55281f42b0a1de98d14644fa?environmentId=100
Contacted Hosts
81.4.123.67: https://www.virustotal.com/en/ip-address/81.4.123.67/information/

govapego .com: 92.51.134.34: https://www.virustotal.com/en/ip-address/92.51.134.34/information/

:fear::fear: :mad:

AplusWebMaster
2017-01-04, 21:19
FYI...

Blockchain - phish
- https://myonlinesecurity.co.uk/verify-your-wallet-blockchain-phishing/
4 Jan 2017 - "... don’t ever click-the-link in the email. If you do it will lead you to a website that looks at first glance like the genuine Blockchain website but you can clearly see in the address bar, that it is fake. Some versions of this and similar phish will ask you fill in the html ( webpage) form that comes attached to the email. The link-in-the-email goes to
http:// 178.33.66.249 /~kudi/admin/blockchain/info/login.php .. which is an OVH German server..

Screenshot: https://i2.wp.com/myonlinesecurity.co.uk/wp-content/uploads/2017/01/blockchain1.png?fit=1361%2C998&ssl=1

If you follow through, all they want is your email address and password but none of the other information that these phishing scams usually ask for:
> https://i2.wp.com/myonlinesecurity.co.uk/wp-content/uploads/2017/01/blockchain2.png?resize=1024%2C758&ssl=1 .."

178.33.66.249: https://www.virustotal.com/en/ip-address/178.33.66.249/information/
> https://www.virustotal.com/en/url/533ca4115b4d1816c812673ac07bb8e6f169ab764ccf5f6f64f1a042707ef706/analysis/
Detection: 5/68

:fear::fear: :mad:

AplusWebMaster
2017-01-05, 23:50
FYI...

Fake 'New Invoice' SPAM - Cerber ransomware
- https://myonlinesecurity.co.uk/new-invoice-2768-16-malspam-delivers-cerber-ransomware/
5 Jan 2017 - "... an email with the subject of 'New Invoice #2768-16'... pretending to come from what I assume are random companies, names and email addresses with a zip attachment containing a js file that eventually delivers Cerber ransomware... One of the emails looks like:
From: Janie Cain <asgard1234@ post .su>
Date:Thu 05/01/2017 17:25
Subject: New Invoice #2768-16
Attachment: info-inv.zip
This email is being sent in order to inform you that a new invoice has been generated for your account.
Please see the file that is attached.
The file is password protected to protect your information.
The password is 123456
Thank you.
Janie Cain

5 January 2017: info-inv.zip: Extracts to: info-inv.js - Current Virus total detections 12/54*
... Analysis by techhelplist[1] has found it to deliver Cerber ransomware. It downloads from 86.106.131.141 /10.mov which is a renamed .exe file that if you try to run manually would open windows media player instead, although the script file will run it successfully (VirusTotal 3/45**) (Payload Security ***) (MALWR [4]). This Cerber version contacts -576- hosts... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
1] https://twitter.com/Techhelplistcom/status/817105275580772353

* https://www.virustotal.com/en/file/83d741f46ed902d9ba9b364ea3edbb4b2e16078691d94d78c5845e3b40092c34/analysis/1483646751/

** https://virustotal.com/en/file/a7843fa467b3b912f85969e9e1a939639ae08a24b38152169509511b8d0642bb/analysis/

*** https://www.hybrid-analysis.com/sample/a7843fa467b3b912f85969e9e1a939639ae08a24b38152169509511b8d0642bb?environmentId=100
Contacted Hosts (576)

4] https://malwr.com/analysis/MTQ2NTI1ZjNjOTIxNDI0Mzk4ZDczOWYzMTg5NjBhOGI/

86.106.131.141: https://www.virustotal.com/en/ip-address/86.106.131.141/information/
> https://www.virustotal.com/en/url/92d7179d40a13f14c58f3f55c85b5fdfec770590c58b7f7853702439c2acf181/analysis/
___

Tech support SCAM - DoS on Macs
- https://blog.malwarebytes.com/101/mac-the-basics/2017/01/tech-support-scam-page-attempts-denial-of-service-via-mail-app/
Jan 5, 2017 - "... yet another 'technique' that targets Mac OS users running Safari... second variant appears to still be capable of opening up iTunes, without any prompt in Safari... IOCs:
safari-get[.]com: Could not find an IP address for this domain name
safari-get[.]net: 111.118.212.86: https://www.virustotal.com/en/ip-address/111.118.212.86/information/
> https://www.virustotal.com/en/url/4fcc11105a7e072a4ed4cf9efacaf7fbab339f1063cb94c8ddcec0f90c229831/analysis/
safari-serverhost[.]com: Could not find an IP address for this domain name
safari-serverhost[.]net: 111.118.212.86 "

:fear::fear: :mad:

AplusWebMaster
2017-01-09, 13:17
FYI...

Merry X-Mas Ransomware
- https://isc.sans.edu/diary.html?storyid=21905
2017-01-09 - "... Merry X-Mas Ransomware was first reported as distributed through malicious spam (malspam) disguised as FTC consumer complaints*...
* https://myonlinesecurity.co.uk/spoofed-ftc-consumer-complaint-notification/
3 Jan 2017
By Sunday 2017-01-08, I saw an updated version of the Merry X-Mas Ransomware distributed through malspam disguised as 'court attendance' notifications. The malspam was a -fake- notification to appear in court. Email headers indicate the sender's address was -spoofed- and the email came from a cloudapp .net domain associated with Microsoft:
> https://isc.sans.edu/diaryimages/images/2017-01-09-ISC-diary-image-02.jpg
The -link- from the malspam downloaded a zip archive. The zip archive contained a Microsoft Word document with a malicious macro. If macros were enabled on the Word document, it downloaded and executed the ransomware.
Flow chart of the infection process:
> https://isc.sans.edu/diaryimages/images/2017-01-09-ISC-diary-image-03.jpg
... IoCs follow:
192.185.18.204 port 80 - neogenomes .com - GET /court/PlaintNote_12545_copy.zip
81.4.123.67 port 443 - onion1 .host:443 - GET /temper/PGPClient.exe [ransomware binary]
168.235.98.160 port 443 - onion1 .pw - POST /blog/index.php [post-infection callback]
... Malspam with links to malware is a common threat. This is not an unusual method of malware distribution, and its holiday theme also fits the season... Still, we need to keep an ongoing dialog to promote awareness of this and other ransomware threats. Too many people continue to fall for it..."
[i](More detail at the isc URL above.)

192.185.18.204: https://www.virustotal.com/en/ip-address/192.185.18.204/information/

81.4.123.67: https://www.virustotal.com/en/ip-address/81.4.123.67/information/

168.235.98.160: https://www.virustotal.com/en/ip-address/168.235.98.160/information/
___

Fake 'Apple' SPAM - links to malware
- https://myonlinesecurity.co.uk/spoofed-apple-latest-security-checks-malspam-delivers-cerber-ransomware/
9 Jan 2016 - "... an email with the subject of 'Apple latest security checks' pretending to come from Support@ App .com... Link goes to ‘http ://bellinghamontap .com/apple.zip’... Attachment: Link in email...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/01/Apple-latest-security-check-1024x666.png

9 January 2017: apple.zip: Extracts to: apple.exe - Current Virus total detections 4/56*
Payload Security**. I am guessing from this report it is Cerber ransomware, by the number of IP addresses it contacts... The basic rule is NEVER open any attachment to an email -or- click-a-link in an email unless you are expecting it...."
* https://www.virustotal.com/en/file/501ce31d1fb6a161b960e4ddc7d2578582b3f20d37c838c42c6c4297b9ca8b7f/analysis/

** https://www.hybrid-analysis.com/sample/501ce31d1fb6a161b960e4ddc7d2578582b3f20d37c838c42c6c4297b9ca8b7f?environmentId=100
Contacted Hosts (576)

bellinghamontap .com: 192.254.185.196: https://www.virustotal.com/en/ip-address/192.254.185.196/information/
> https://www.virustotal.com/en/url/7864263c98e3cf989e7f71e52b6e9f8240299296128bfde5b98f4c825c96007e/analysis/

:fear::fear: :mad:

AplusWebMaster
2017-01-10, 12:58
FYI...

Fake 'Certificate UPDATE' SPAM - delivers Trickbot
- https://myonlinesecurity.co.uk/spoofed-certificate-update-from-your-email-administrator-malspam-delivers-trickbot-banking-trojan/
10 Jan 2017 - "... an email with the subject of 'Certificate UPDATE' pretending to come from Administrator at your-own-email-address delivers Trickbot banking Trojan... One of the emails looks like:
From: Administrator <Administrator@ victim domain .tld >
Date: Tue 10/01/2017 01:25
Subject: Certificate UPDATE
Attachment: certificate.zip
**********Important – Internal ONLY**********
Your Web mail account Certificate is about to expire. Please update it.
New Certificate is in attachment. Download and launch file.
Certificate details:
Filename: Certificate.crt
Key: 6260-6233-GFPV-6072-UAAV-1048
Domain: ...
MX record: ...

10 January 2017: certificate.zip: Extracts to: Certificate_webmail.scr - Current Virus total detections 15/57*
Payload Security**... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/cdb8ef5a814f40c05ae4f07a65ab993bae49bd1c117e6d7c6ef931ab0b5fa720/analysis/1484029988/

** https://www.hybrid-analysis.com/sample/cdb8ef5a814f40c05ae4f07a65ab993bae49bd1c117e6d7c6ef931ab0b5fa720?environmentId=100
Contacted Hosts
78.47.139.102
36.37.176.6
201.236.219.180
144.76.203.79
___

Extortionists Wipe Databases, Victims Who-Pay-Up Get-Stiffed
- https://krebsonsecurity.com/2017/01/extortionists-wipe-thousands-of-databases-victims-who-pay-up-get-stiffed/
Jan 10, 2017 - "Tens of thousands of personal and possibly proprietary databases that were left accessible to the public online have just been -wiped- from the Internet, replaced with ransom-notes demanding payment for the return of the files. Adding insult to injury, it appears that virtually none-of-the-victims (who) have paid the ransom have gotten-their-files-back because multiple-fraudsters are now wise to the extortion attempts and are competing to replace-each-other’s-ransom notes.
At the eye of this developing data destruction maelstrom is an online database platform called MongoDB. Tens of thousands of organizations use MongoDB to store data, but it is easy to misconfigure and leave the database exposed online. If installed on a server with the default settings, for example, MongoDB allows anyone to browse the databases, download them, or even write over them and delete them..."
Shodan, a specialized search engine designed to find things that probably won’t be picked up by Google, lists the number of open, remotely accessible MongDB databases available as of Jan. 10, 2017
> https://krebsonsecurity.com/wp-content/uploads/2017/01/shodanmongo.png
... Truth 1: “If you connect it to the Internet, someone will try to hack it.”
Truth 2: “If what you put on the Internet has value, someone will invest time and effort to steal it.”
Truth 3: “Organizations and individuals unwilling to spend a small fraction of what those assets are worth to secure them against cybercrooks can expect to eventually be relieved of said assets.”
(More detail at the 1st krebsonsecurity URL at the top.)

:fear::fear: :mad:

AplusWebMaster
2017-01-11, 12:42
FYI...

Fake 'Document' SPAM - delivers Trickbot
- https://myonlinesecurity.co.uk/document-from-random-name-at-your-own-email-address-delivers-trickbot-banking-trojan-2/
11 Jan 2017 - "An email with the subject of 'Document from Vogel' (random name) pretending to come from the same random name at your-own-email-address with a malicious word doc attachment delivers Trickbot banking Trojan... The email looks like:
From: Michael Vogel <Michael.Vogel@ victim domain .tld >
Date: Wed 11/01/2017 06:59
Subject: Document from Vogel
To: admin@victim domain.tld + 9 other names at my domain
Attachment: Vogel_1101_30.doc
My company sent you a document. Check it attached.
Regards,
Michael Vogel
G8 Education Limited

11 January 2017: Vogel_1101_30.doc - Current Virus total detections 9/55*
Payload Security** shows a download of what pretends to be a png (image file) but is actually a renamed .exe file from ‘http ://artslogan .com.br/images/jhfkjsdhfntnt.png’ which is renamed by the script to yatzxwe.exe and automatically run (VirusTotal 12/57***)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/da98847ac64adb9a9333cb70ac9d67240665f8d110d8f87d9e021fe8a505e369/analysis/1484121516/

** https://www.hybrid-analysis.com/sample/da98847ac64adb9a9333cb70ac9d67240665f8d110d8f87d9e021fe8a505e369?environmentId=100
Contacted Hosts
189.1.168.176
78.47.139.102
36.37.176.6
201.236.219.180
144.76.203.79

*** https://www.virustotal.com/en/file/554132df407db525382baceb43fc0804839592fbd7038ffcd0e3736119d37be2/analysis/1484091723/
___

Post-holiday spam campaign delivers Neutrino Bot
- https://blog.malwarebytes.com/cybercrime/2017/01/post-holiday-spam-campaign-delivers-neutrino-bot/
Jan 11, 2017 - "During the Christmas season and early into the new year, we noticed a sharp decrease in spam volume, perhaps as online criminals took a break from their malicious activities and popped the champagne to celebrate. It could also have been a time to regroup and plan new strategies for the upcoming year... over the weekend we observed a large new campaign purporting to be an email from ‘Microsoft Security Office’ with a link to a full security report (Microsoft.report.doc). This was somewhat unexpected, as typically the malicious Office files are directly attached to the email. Instead, the files are hosted on various servers with a short time to live window:
> https://blog.malwarebytes.com/wp-content/uploads/2017/01/email.png
The booby-trapped document asks users to enable-macros in order to launch the malicious code:
> https://blog.malwarebytes.com/wp-content/uploads/2017/01/macro_blocked.png
If the macro executes, the final payload will be downloaded and executed. This is Neutrino bot..."
IOCs:
Malicious doc:
agranfoundation[.]org/Microsoft[.]report[.]doc: 192.185.77.168
xn--hastabakc-2pbb[.]net/Microsoft[.]report[.]doc: 176.53.17.106
ecpi[.]ro/Microsoft[.]report[.]doc: 89.42.223.64
ilkhaberadana[.]com/Microsoft[.]report[.]doc: 159.253.46.194
cincote[.]com/Microsoft[.]report[.]doc: 192.185.145.46
mallsofjeddah[.]com/Microsoft[.]report[.]doc: 192.185.191.165
dianasoligorsk[.]by/Microsoft[.]report[.]doc: 178.124.131.21
8dd66dd191c9f0d2f4b5407e5d94e815e8007a3de21ab16de49be87ea8a92e8d
Neutrino bot:
www .endclothing [.]cu[.]cc/nn.exe: 137.74.93.42
87b7e57140e790b6602c461472ddc07abf66d07a3f534cdf293d4b73922406fe
b1ae6fc1b97db5a43327a3d7241d1e55b20108f00eb27c1b8aa855f92f71cb4b
ca64848f4c090846a94e0d128489b80b452e8c89c48e16a149d73ffe58b6b111

:fear::fear: :mad:

AplusWebMaster
2017-01-12, 12:33
FYI...

Fake 'MoneyGram' SPAM - delivers Java Jacksbot
- https://myonlinesecurity.co.uk/spoofed-moneygram-urgent-request/
12 Jan 2017 - "... fake financial themed emails containing java adwind or Java Jacksbot attachments...previously mentioned... HERE*....
* https://myonlinesecurity.co.uk/?s=java+adwind
... This version is slightly unusual... has a html attachment with -links- for you to download the file yourself.

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/01/spoofed-moneygram-Urgent-Request-of-Payment-Confirmation-email-.png

If you are unwise enough to open the html -attachment- you see a webpage looking like this:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/01/Urgent-Request-of-Payment-Confirmation.png
The page tries to automatically download the zip file, if that doesn’t work then the download button appears. That goes to http ://dreamsbroker .com/Requested%20Missing-Confirmation%20of%20payment.zip which extracts to 2 identical but differently named java.jar files. Received documents And Customers identification.jar and Request Missing Transaction Details and Refrence.jar

12 January 2017: Received documents And Customers identification.jar (323kb) - Current Virus total detections 24/55*
Payload Security**. These malicious attachments have a password stealing component, with the aim of stealing your bank, PayPal or other financial details along with your email or FTP ( web space) log in credentials. Many of them are also designed to specifically steal your Facebook and other social network log in details... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/3b46aa9ba8b27a9ec21fab67426c72f94ede763cc59e5048ae9ee944bd84d443/analysis/1484201418/

** https://www.hybrid-analysis.com/sample/3b46aa9ba8b27a9ec21fab67426c72f94ede763cc59e5048ae9ee944bd84d443?environmentId=100
Contacted Hosts
83.243.41.200

dreamsbroker .com: 180.235.148.70: https://www.virustotal.com/en/ip-address/180.235.148.70/information/
___

'Phishy' sponsored tweets
- https://blog.malwarebytes.com/cybercrime/2017/01/more-phishy-sponsored-tweets/
Jan 12, 2016 - "Another day, another couple of rogue sponsored tweets [1], [2] which lead to phishing:
1] https://blog.malwarebytes.com/cybercrime/2016/10/promoted-tweet-leads-to-credit-card-phishing/
2] https://www.scmagazineuk.com/criminals-phish-credit-card-numbers-with-twitter-verification-scam/article/629182/
The account pushing the first phish has now been deleted, but it’s trivial to set up another one – and the phishing URL itself is -still- active, ready to be redeployed at a moment’s notice... site is located at
verifiedaccounts(dot)us
and – like the older versions of this scam – is all about getting yourself verified:
> https://blog.malwarebytes.com/wp-content/uploads/2017/01/sponsored-phish1.jpg
The site kicks things off by asking for username, email address, account type, phone number, year of account creation, and (finally) associated password. It’s not long before they’re sniffing around your wallet, too:
> https://blog.malwarebytes.com/wp-content/uploads/2017/01/sponsored-phish2.jpg
... We strongly advise all users of Twitter to be on their guard – just because a tweet is sponsored, doesn’t mean the content it leads to is legitimate. Be on your guard and don’t hand over login details, payment credentials, or anything else to sites -claiming- they can get you verified."

verifiedaccounts(dot)us: 192.185.128.203: https://www.virustotal.com/en/ip-address/192.185.128.203/information/
> https://www.virustotal.com/en/url/a51c493c1b46c74e0fa78819dddc1eec64f1f8b434fa3d4e84534d559caa3883/analysis/
Detection ratio: 10/68
___

More Indian tech support SCAMS
- http://blog.dynamoo.com/2017/01/scam-01254522444-fake-bt-engineer-and.html
12 Jan 2017 - "... huge upsurge in the number of Indian tech support scammers ringing, both at home and my place of work. For example.. this:
One common trick they use revolves around this hexadecimal number 888DCA60-FC0A-11CF-8F0F-00C04FD7D062. Either it's a signal that hackers are at your PC, or it's your secret router ID that only BT would know. The conversation goes something like this..
Victim: "But I don't get my internet from BT.."
Scammer: "BT provides all the internet connections for everyone else, including TalkTalk and Virgin Media."
Victim: "How do I know you're from BT?
Scammer: "There is a confidential Router ID that only BT will know. You can verify this to prove that we are BT."
The scammer then talks the victim through pressing -R then CMD (followed by OK) and then ASSOC (followed by RETURN). That simply produces a list of file associations (e.g. to say that .xlsx is an Excel spreadsheet). The line they want you to see is:
.ZFSendToTarget=CLSID\{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}
This is just something to do with how Windows handles compressed files and folders. All Windows machines should have this entry, but it looks sufficiently scary about to impress at least some victims.
>> NEVER GIVE THESE PEOPLE ACCESS TO YOUR PC.
However, if you want to waste their time please do so.. if you work in IT you can probably play a convincingly dumb user. It seems that they will try for up to 40 minutes or so before they give up. Alternatively, say that you have to get your laptop out from somewhere and it is very slow and just put them on hold. Every minute of their time you can waste will stop them targeting other potential victims. And don't just ignore the call - report it. If you are in the UK you can report this sort of -scam- to Action Fraud* - it will certainly help law enforcement if they have an idea of how many potential victims there are."
* http://www.actionfraud.police.uk/report_fraud

:fear::fear: :mad:

AplusWebMaster
2017-01-15, 13:39
FYI...

Fake blank-body/no-subject SPAM - delivers Cerber
- https://myonlinesecurity.co.uk/empty-blank-email-asisianu-delivers-cerber-ransomware/
15 Jan 2017 - "I have been seeing these emails sporadically for the last month or so, but all previous versions have been corrupt... today’s actually has a working zip file. These arrive as a blank/empty email with no-subject pretending to come from asisianu@ pauleycreative .co.uk with a zip file containing a malicious word doc. They all actually come from asisianu at random email addresses, sometimes they spoof your-own-email-address, but always the 'From' address in the email is asisianu@pauleycreative .co.uk. This is Cerber ransomware... The email looks like:
From: asisianu@ pauleycreative .co.uk
Date: Sun 15/01/2017 06:54
Subject: none
Attachment: EMAIL_31327_info.zip

Body content: Totally empty/blank

15 January 2017: 12412.doc - Current Virus total detections 9/56*. Payload Security** shows a download from
http ://coolzeropa .top/admin.php?f=0.dat which is renamed by the script to rcica.exe (VirusTotal 7/58**).
This also drops a full screen set of instructions on how to decrypt and pay the ransom:
_HOW_TO_DECRYPT_CDF8WC_.hta ... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/0db60c636c5c923b4ec5b24364cf76f3db8db76e12dab8ab1f7002c97b8b5788/analysis/1484469048/

** https://www.hybrid-analysis.com/sample/0db60c636c5c923b4ec5b24364cf76f3db8db76e12dab8ab1f7002c97b8b5788?environmentId=100
Contacted Hosts (577)

*** https://www.virustotal.com/en/file/ea02dca7a56ed149680345791bf6bc9df1e82518ea65f024e4bd0059659024d7/analysis/1484469369/

coolzeropa .top: 35.161.229.79: https://www.virustotal.com/en/ip-address/35.161.229.79/information/
84.200.34.99: https://www.virustotal.com/en/ip-address/84.200.34.99/information/

:fear::fear: :mad:

AplusWebMaster
2017-01-17, 12:39
FYI...

Blank-emails no-subject SPAM - deliver Locky and Kovter
- https://myonlinesecurity.co.uk/blank-emails-with-no-subject-delivering-locky-and-kovter/
17 Jan 2017 - "... We are starting to see Locky, Kovter delivery emails trickling in this morning. The sites and payloads are the same as described in this post:
> https://myonlinesecurity.co.uk/spoofed-fedex-and-usps-kovter-and-locky-sites/
It looks like the Locky gangs are gearing up for a mass malspam, but are getting the delivery systems fine tweaked and having a few problems. We always see errors and problems before a mass Locky onslaught. If they keep to the sites they have been using for the last month or so, it will be relatively easy to track them & block malware. The emails received so far today are totally-blank, no-subject. The zip attachment extracts to another zip before extracting to a supposedly .jse file. However these are not encoded javascript. They are just minimally obfuscated, in fact perfectly readable by a human:
From: charlie.wills@ 02glass .com
Date: Mon 16/01/2017 23:30 (arrived 07:35 utc 17/01/2017)
Subject: blank

Attachment: 38168891.zip extracts to 38168891.doc.zip extracts to 38168891.doc.jse
VirusTotal 5/54* | Payload Security**
Payload:
1bin Locky: https://www.virustotal.com/en/file/2d193757baa6dfc600931ceeb0d8ffb690d57b403633c0c6c57833e4b6d5d618/analysis/1484631951/
File name: a1.exe / Detection: 16/55

2.bin Kovter:
https://www.virustotal.com/en/file/a1f770ddd4a0dcdfd481112708586aae857060909cbc4e93a802ae4b0359d965/analysis/1484642102/
File name: 2.bin / Detection: 12/56

* https://www.virustotal.com/en/file/9bb0475d1b5945f2f703d74d2baccfafa7e8f27f3d08c03eb1a71ea8dae5eb59/analysis/1484641911/

** https://www.hybrid-analysis.com/sample/9bb0475d1b5945f2f703d74d2baccfafa7e8f27f3d08c03eb1a71ea8dae5eb59?environmentId=100
Contacted Hosts (171)

:fear::fear: :mad:

AplusWebMaster
2017-01-18, 20:31
FYI...

Fake 'ACH' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/spoofed-ach-blocked-transaction-case-no-malspam-delivers-locky-ransomware/
18 Jan 2017 - "... an email spoofing ACH (Automated Clearing House) with the subject of 'Blocked Transaction Case No 255275283' coming or pretending to come from random companies, names and email addresses with rar attachment extracting to a very heavily obfuscated .JS file delivers Locky ransomware after a long convoluted download system... One of the emails looks like:
From: Eufemia Quintyne <xefiuza03040150@ photogra .com>
Date: Wed 18/01/2017 14:08
Subject: Blocked Transaction. Case No 255275283
Attachment: doc_details.rar
The Automated Clearing House transaction (ID: 058133683), recently initiated
from your online banking account, was rejected by the other financial
institution.
Canceled ACH transaction
ACH file Case ID 04123240
Transaction Amount 1624.05 USD ...

18 January 2017: doc_details.rar: Extracts to: doc_details.js - Current Virus total detections 7/54*
Payload Security** shows it drops another .js file (Payload Security ***) (VirusTotal 7/53[4]) which in turn downloads Locky ransomware from unwelcomeaz .top/2/56.exe (VirusTotal 9/55[5])... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/0822a63725345e6b8921877367e43ee23696d75f712a9c54d5442dbc0d5f2056/analysis/1484760601/

** https://www.hybrid-analysis.com/sample/0822a63725345e6b8921877367e43ee23696d75f712a9c54d5442dbc0d5f2056?environmentId=100

*** https://www.hybrid-analysis.com/sample/9dd0402e888ceb0ec00f641688836f5251cfa6d57ebe5fdbdebce79dcc4aae6f?environmentId=100
35.164.68.81
91.237.247.24
194.31.59.5
52.88.7.60
35.161.88.115

4] https://www.virustotal.com/en/file/9dd0402e888ceb0ec00f641688836f5251cfa6d57ebe5fdbdebce79dcc4aae6f/analysis/1484757035/

5] https://www.virustotal.com/en/file/ec9c06a7cf810b07c342033588d2e7f5741e7acbea5f0c8e7009f6cc7087e1f7/analysis/1484758078/

unwelcomeaz .top: 35.164.68.81: https://www.virustotal.com/en/ip-address/35.164.68.81/information/
54.149.186.25: https://www.virustotal.com/en/ip-address/54.149.186.25/information/
___

Fake 'signature required' SPAM - delivers hancitor
- https://myonlinesecurity.co.uk/spoofed-signature-required-on-the-contract-delivers-hancitor/
18 Jan 2017 - "An email pretending to come from a firm of -lawyers- with the subject of 'RE: settlement' pretending to come from a random firm of lawyers with a link-that-downloads a malicious word doc delivers hancitor [1]...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/01/bracewell.png

18 January 2017: contract_submit.doc - Current Virus total detections 3/53*. Payload Security**...
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
1] https://www.fireeye.com/blog/threat-research/2016/09/hancitor_aka_chanit.html

* https://www.virustotal.com/en/file/dcb7054c347d0f86dc22b80312daf63b704f56866397e70a691731ab2cc453cd/analysis/1484759676/

** https://www.hybrid-analysis.com/sample/dcb7054c347d0f86dc22b80312daf63b704f56866397e70a691731ab2cc453cd?environmentId=100
Contacted Hosts
23.23.117.228
109.120.170.116
188.212.255.49
78.47.141.185

:fear::fear: :mad:

AplusWebMaster
2017-01-19, 20:49
FYI...

Fake 'Insolvency Service' SPAM - delivers Cerber
- http://blog.dynamoo.com/2017/01/malware-spam-insolvency-service.html
19 Jan 2017 - "This malware spam in unusual in many respects. The payload may be some sort of ransomware (UPDATE: this appears to be Cerber ).

Screenshot: https://3.bp.blogspot.com/-CvAb-WcwGAw/WIDKZamyZYI/AAAAAAAAJwg/WvX4puoJmcM571M8qP5VMHXIT8GpKcwtgCLcB/s1600/insolvency.png

Sample subjects are:
LSV 354EMPU31 - Investigations Inquiry Reminder
JXI 647TESR39 - Investigations Inquiry Reminder
SHV 622WYXP68 - Investigations Inquiry Notice
QPY 661APWZ41 - Investigations Inquiry Notice
FHF 338SYBV85 - Investigations Inquiry Notice
EGY 318NHAR12 - Investigations Inquiry Notification
IZJ 296CNWP92 - Investigations Inquiry Notice
All the senders I have seen come from the chucktowncheckin .com domain. Furthermore, all of the sending servers are in the same /24: 194.87.216.* .. All the servers have names like kvm42.chapelnash .com in a network block controlled by Reg .ru in Russia. The link-in-the-email goes to some hacked WordPress site or other, then ends up on a subdomain of uk-insolvencydirect .com e.g. 2vo4 .uk-insolvencydirect .com/sending_data/in_cgi/bbwp/cases/Inquiry.php - this is a pretty convincing looking page spoofing the UK government, asking for a CAPTCHA to download the files:
> https://3.bp.blogspot.com/-qn0cYVJbc38/WIDNiWM0y5I/AAAAAAAAJws/vngZ3BeEgMcppeoSs17T8hRW54qbPkaSwCLcB/s1600/gov-uk-fake.png
Entering the CAPTCHA downloads a ZIP file (e.g. 3d6Zy.zip) containing a malicious Javascript (e.g. Inquiry Details.js)... Hybrid Analysis* of the script is rather interesting, not least because it performs NSLOOKUPs against OpenDNS servers (which is a really weird thing to do give that OpenDNS is a security tool). The script downloads a component from www .studiolegaleabbruzzese .com/wp-content/plugins/urxwhbnw3ez/flight_4832.pdf and then drops an EXE with an MD5 of e403129a69b5dcfff95362738ce8f241 and a detection rate of 5/53**. Narrowing the Hybrid Analysis down to just the dropped EXE, we can see these peculiar OpenDNS requests as the malware tries to reach out to:
soumakereceivedthiswith .ru (176.98.52.157 - FLP Sidorenko Aleksandr Aleksandrovich, Russia)
sectionpermiathefor .ru (151.0.42.255 - Online Technologies, Ukraine)
programuserandussource .ru (does not resolve)
maytermsmodiall .ru (does not resolve)
... I recommend that you block email traffic from:
194.87.216.0/24
-and- block web traffic to
uk-insolvencydirect .com
studiolegaleabbruzzese .com
176.98.52.157
151.0.42.255 "
* https://www.hybrid-analysis.com/sample/ff060abdf02c55b91abd812c142f1c264263786b5f8faf346e860b1d2b41309e?environmentId=100
Contacted Hosts
62.149.142.206
208.118.235.148
208.67.222.222
5.58.153.190

** https://virustotal.com/en/file/ff060abdf02c55b91abd812c142f1c264263786b5f8faf346e860b1d2b41309e/analysis/
___

Verified Twitter accounts compromised ...
- https://blog.malwarebytes.com/cybercrime/2017/01/verified-twitter-accounts-compromised-get-busy-spamming/
Jan 18, 2017 - "Verified Twitter accounts tend to be a little more secure than those belonging to non-verified users due to the amount of extra hoop jumping required to get one of those ticks in the first place. A number of security requirements, including providing a phone number and setting up 2FA, are all things a would-be verified Twitter user needs to do. In theory, it should be somewhat tricky to compromise those accounts – it wouldn’t really help Twitter if their theoretically appealing verified accounts were firing out Viagra spam all day long. Brand reputation and all that. And yet…in the space of a few hours last week, we had multiple verified users hitting the 'I’ve been compromised' wall of doom and gloom... 'rogue tweets' were, in theory, being sent to a combined audience of around 200,000+ people which could have been disastrous if the links had contained malicious files. Thankfully, these links were “just” porn spam and sunglasses, but the danger for something much worse is always present where a compromise is concerned. People trust the verified ticks in the same way they probably let their guard down around sponsored tweets, and in both cases a little trust can be a bad thing... scammers are doing it, always pay attention when your favorites start firing out URLs. Links are meant to be clicked, but that doesn’t mean we have to leap before looking – Twitter works best with shortened URLs, but you can usually see where they lead:
> https://blog.malwarebytes.com/cybercrime/2015/09/obfuscated-urls-where-is-that-link-taking-you/
Whether you’re verified or not, keep your wits about you and have a hopefully stress free experience on that most popular of social networks."

:fear::fear: :mad:

AplusWebMaster
2017-01-20, 13:45
FYI...

Fake 'Western Union' SPAM - delivers java Adwind/Jacksbot
- https://myonlinesecurity.co.uk/spoofed-wupos-agent-portal-upgrade-for-all-agents-delivers-java-adwind-jacksbot/
20 Jan 2017 - "... -fake- financial themed emails containing java adwind or Java Jacksbot attachments. I have previously mentioned many of these HERE:
> https://myonlinesecurity.co.uk/?s=java+adwind
The email looks like:
From: WU-IT Department <csc.it.westernunion@ gmail .com>
Date: Fri 20/01/2017 02:02
Subject: WUPOS Agent Portal Upgrade For All Agents
Attachment: Update Manual & Agent Certificate .pdf
Dear All,
Western Union ,IT Department data is posting upgrade for new version of WUPOS.Please download attachment by clicking the link.as seen below, run the file and go ahead of checking western union intermediate screen
Before doing that please read directives in attachments then map the Western Union user ID in the Symex application and proceed. Please let me know if you face any issue. Thanks & Regards, IT Department Western Union Internet United Kingdom PO Box 8252 London United Kingdom W6 0BX..."

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/01/WUPOS-Agent-Portal-Upgrade-For-All-Agents-email.png

The attached PDF looks like:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/01/wupos_pdf.png

The link-in-the-PDF is to http ://phrantceena .com/wp-content/plugins/Update%20Manual%20&%20Agent%20Certificate%20.zip which will give you -2- identical (although named differently) java.jar files. Agent certificate & branch details..jar and Wupos manual and update file..jar ..

20 January 2017: Agent certificate & branch details..jar (323kb) Current Virus total detections 26/55*
Payload Security **... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/0395684b27d5d918dcbd3ec661e922be055a330c5d7b63a63b30a8f365d6d2b1/analysis/1484897128/

** https://www.hybrid-analysis.com/sample/0395684b27d5d918dcbd3ec661e922be055a330c5d7b63a63b30a8f365d6d2b1?environmentId=100
Contacted Hosts
83.243.41.200

phrantceena .com: 66.147.244.127: https://www.virustotal.com/en/ip-address/66.147.244.127/information/

:fear::fear: :mad:

AplusWebMaster
2017-01-21, 17:59
FYI...

Sage 2.0 ransomeware
- https://isc.sans.edu/diary.html?storyid=21959
2017-01-21 - "On Friday 2017-01-20, I checked a malicious spam (malspam) campaign that normally distributes Cerber ransomware. That Friday it delivered ransomware I'd never seen before called 'Sage'. More specifically, it was 'Sage 2.0'... Sage is yet another family of ransomware in an already crowded field. It was noted on BleepingComputer forums back in December 2016 [1, 2]...
1] https://www.bleepingcomputer.com/forums/t/634978/sage-file-sample-extension-sage/

2] https://www.bleepingcomputer.com/forums/t/634747/sage-ransomware-sage-support-help-topic/

... Emails from this particular campaign generally have -no- subject lines, and they always have -no- message text. The only content is a zip attachment containing a Word document with a malicious macro that downloads and installs ransomware. Sometimes, I'll see a .js file instead of a Word document, but it does the same thing... attachments are often double-zipped. They contain -another- zip archive before you get to the Word document or .js file...
Example of a Word document with a malicious macro:
> https://isc.sans.edu/diaryimages/images/2017-01-21-ISC-diary-image-05.jpg
Another example of the Word document with a malicious macro:
> https://isc.sans.edu/diaryimages/images/2017-01-21-ISC-diary-image-06.jpg
The Word document macros or .js files are designed to download and install ransomware. In most cases on Friday, the ransomware was Sage 2.0... Under default settings, an infected Windows 7 host will present a UAC window before Sage continues any further. It keeps appearing until you click 'yes':
UAC pop-up caused by Sage: https://isc.sans.edu/diaryimages/images/2017-01-21-ISC-diary-image-12.jpg
The infected Windows host has an image of the decryption instructions as the desktop background. There's also an HTML file with the same instructions dropped to the desktop. The same HTML file is also dropped to any directory with encrypted files. ".sage" is the suffix for all encrypted files:
Desktop of an infected Windows host: https://isc.sans.edu/diaryimages/images/2017-01-21-ISC-diary-image-13.jpg
... Following the decryption instructions should take you to a Tor-based domain with a decryptor screen. On Friday, the cost to decrypt the files was $2,000 US dollars (or 2.22188 bitcoin):
The Sage 2.0 decryptor: https://isc.sans.edu/diaryimages/images/2017-01-21-ISC-diary-image-15.jpg
... When the callback domains for Sage didn't resolve in DNS, the infected host sent UDP packets sent to over 7,000 IP addresses...
Below are IOCs for Sage 2.0 from Friday 2017-01-20:
Ransomware downloads caused by Word document macros or .js files:
54.165.109.229 port 80 - smoeroota .top - GET /read.php?f=0.dat
54.165.109.229 port 80 - newfoodas .top - GET /read.php?f=0.dat
84.200.34.99 port 80 - fortycooola .top - GET /user.php?f=0.dat
Post-infection traffic:
54.146.39.22 port 80 - mbfce24rgn65bx3g .er29sl .in - POST /
66.23.246.239 port 80 - mbfce24rgn65bx3g .er29sl .in - POST /
mbfce24rgn65bx3g .rzunt3u2 .com (DNS queries did not resolve)
Various IP addresses, UDP port 13655 - possible P2P traffic...
... not sure how widely-distributed Sage ransomware is. I've only seen it from this one malspam campaign, and I've only seen it one day so far. I'm also not sure how effective this particular campaign is. It seems these emails can easily be -blocked- so few end users may have actually seen Sage 2.0. Still, Sage is another name in the wide variety of existing ransomware families. This illustrates how profitable ransomware remains for cyber criminals..."
(More detail at the isc URL at the top of this post.)

:fear::fear: :mad:

AplusWebMaster
2017-01-23, 16:37
FYI...

Fake 'Tiket alert' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/spoofed-fbi-tiket-alert-delivers-locky-ransomware/
23 Jan 2017 - "An email spoofing the FBI with the subject of 'Tiket alert 331328222' pretending to come from random senders with a malicious word doc downloads locky ransomware... The email looks like:
From: Ngoc Trane <dpeupyl0386@ eiv .cl>
Date: Mon 23/01/2017 13:14
Subject: Tiket alert 331328222
Attachment: information.doc
From: FBI service [dpeupyl0386@ fbi .com]
Date: Mon, 23 Jan 2017 14:14:09 +0100
Subject: Tiket alert
Look at the attached file for more information.
Assistant Vice President, FBI service
Management Corporation

23 January 2017: information.doc - Current Virus total detections 5/54*
Payload Security** shows a download from http ://unwelcomeaz .top/2/56.exe (VirusTotal 3/56***).
Payload Security[4]. Last week this site[1] was delivering Locky ransomware, which is continuing today. It also looks like this Locky version is trying to download & install opera browser as well... The actual 56.exe pretends to be an adobe flash player 13 file... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
1] https://myonlinesecurity.co.uk/spoofed-ach-blocked-transaction-case-no-malspam-delivers-locky-ransomware/

* https://www.virustotal.com/en/file/8d5259dd99cc605b19cd5a176c46503f29c7a61107013f5f97180a1fc84d001e/analysis/1485177870/

** https://www.hybrid-analysis.com/sample/8d5259dd99cc605b19cd5a176c46503f29c7a61107013f5f97180a1fc84d001e?environmentId=100

*** https://www.virustotal.com/en/file/c1015f4597996c25f6d6ad5929f4a24fbd79fe508ea5f45b93544b35db4e98f3/analysis/1485178446/

4] https://www.hybrid-analysis.com/sample/c1015f4597996c25f6d6ad5929f4a24fbd79fe508ea5f45b93544b35db4e98f3?environmentId=100
Contacted Hosts
46.17.40.234
52.88.7.60
54.240.162.210
35.161.88.115
91.198.174.192
91.198.174.208

unwelcomeaz .top: 35.164.68.81: https://www.virustotal.com/en/ip-address/35.164.68.81/information/
> https://www.virustotal.com/en/url/8471d7d9d949dce656afc273ad23fd3a01b830fd0d4e4008dd9206dc5de0c689/analysis/
154.16.247.115: https://www.virustotal.com/en/ip-address/154.16.247.115/information/
> https://www.virustotal.com/en/url/8471d7d9d949dce656afc273ad23fd3a01b830fd0d4e4008dd9206dc5de0c689/analysis/

:fear::fear: :mad:

AplusWebMaster
2017-01-24, 13:25
FYI...

Fake 'Refund Unsuccessful' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/refund-unsuccessful-malspam-delivers-locky/
24 Jan 2017 - "... an email with the subject of 'Refund Unsuccessful 03246113' (random numbers) pretending to come from random companies, names and email addresses with a word doc attachment in the format of which delivers Locky ransomware... The email looks like:
From: Stefania Collyer <heg64423837@ zinchospitality .com>
Date: Tue 24/01/2017 01:53
Subject: Refund Unsuccessful 03246113
Attachment: information.doc
Your order has been cancelled, however we are not able to proceed with the
refund of $ 1371.48
All the information on your case 527312277 is listed in the document below.

Locky binary (virustotal 24/55*)
Macro (VirusTotal 26/55**)
Antivirus detections on these are still terrible, 24 hours after being submitted... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/c1015f4597996c25f6d6ad5929f4a24fbd79fe508ea5f45b93544b35db4e98f3/analysis/1485240808/

** https://www.virustotal.com/en/file/8d5259dd99cc605b19cd5a176c46503f29c7a61107013f5f97180a1fc84d001e/analysis/
___

Fake 'DHL Shipment' SPAM - delivers Cerber
- https://myonlinesecurity.co.uk/spoofed-dhl-shipment-notification-delivers-cerber-ransomware/
24 Jan 2017 - "... an email with the subject of 'DHL Shipment Notification: 6349701436' pretending to come from DHL Customer Support <support@ dhl .com> delivers Cerber ransomware...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/01/DHL-Shipment-Notification.png

There are several different named attachments with this campaign. _Dhl_expr. DATE20170120.zip -EXPRESS -Date20170120.zip and probably other variants.
All extract to the same named .js file: Pickup – DOMESTIC EXPRESS-Date,23 Jan 17.pdf.js...

9 January 2017: P_rek.zip: Extracts to: Pickup – DOMESTIC EXPRESS-Date,23 Jan 17.pdf.js
Current Virus total detections 9/54*. Payload Security** shows a download from
http ://bonetlozano .com/kvst.exe (VirusTotal 7/56***) which from the network noise looks like Cerber ransomware, although neither Payload Security nor any Antivirus on Virus total detect it as Cerber... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/18df0fef2ac7b04f6a5f543117d0d6d6f221d27008a89128b32e2f8b826f1279/analysis/1485239971/

** https://www.hybrid-analysis.com/sample/18df0fef2ac7b04f6a5f543117d0d6d6f221d27008a89128b32e2f8b826f1279?environmentId=100
Contacted Hosts (695)

*** https://www.virustotal.com/en/file/00a3afa969a051fab57d529b123c20977a9c6f08d6cc76b5e41a700de7dafe2d/analysis/1485168150/

bonetlozano .com: 217.76.130.248: https://www.virustotal.com/en/ip-address/217.76.130.248/information/
> https://www.virustotal.com/en/url/ff74bcfc8f6cf6508e9aa9f7a4b78b5af42af03e0bb2674a6772c7045132865c/analysis/
___

Fake 'Online-Shop' SPAM - delivers malware
- https://myonlinesecurity.co.uk/bestellung-online-shop-auftr-nr-02132596-malspam-delivers/
24 Jan 2017 - "... email with the subject of 'Bestellung Online-Shop Auftr.Nr 02132596' (random numbers) coming or pretending to come from random companies, names and email addresses zip attachment containing a very heavily obfuscated JavaScript file which delivers an unknown malware... One of the emails looks like:
From: waldemar.wysocki@ gmx .de
Date: Tue 24/01/2017 10:53
Subject: Bestellung Online-Shop Auftr.Nr 02132596
Attachment: ea00ba32a5.zip
Bestellung Nr.: 02132596 Datum: 24.01.2017

24 January 2017: -Bestellpositionen[alle Preise in EUR].zip: Extracts to: -Bestellpositionen[alle Preise in EUR].pdf.js - Current Virus total detections 1/55*
Payload Security** shows a download from volleymultdom .biz/fsgdhyrer6cdve8rv7hdsvkekvhbsdjh/cfhr.exe (VirusTotal 7/57***)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/5f93d4163e04ed55e19119cfed0d129da674cff7fb45eac0e5cc8c58dc117134/analysis/1485255695/

** https://www.hybrid-analysis.com/sample/5f93d4163e04ed55e19119cfed0d129da674cff7fb45eac0e5cc8c58dc117134?environmentId=100
Contacted Hosts
162.144.125.170
212.2.153.190

*** https://www.virustotal.com/en/file/49ff8393fbccf63c2e4d47be027b371ff5ec2af459e272bf3939f599bfbc1684/analysis/

volleymultdom .biz: 162.144.125.170: https://www.virustotal.com/en/ip-address/162.144.125.170/information/
___

Fake 'Final payment' SPAM - delivers malware
- https://myonlinesecurity.co.uk/spoofed-hmrc-final-payment-request-malspam-delivers-yet-another-unknown-malware/
24 Jan 2017 - "... common email template pretending to come from HMRC, threatening enforcement action to recover unpaid tax... Update: being told this is Zurgop and Zbot spy...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/01/hmrc-final-payment-request.png

24 January 2017: Statement of Liabilities_7.doc - Current Virus total detections 3/54*
Payload Security** shows a download from http ://sergiosuarezgil .com/adobe_upd7.exe (VirusTotal 4/56***)
Payload Security[4].. nothing gives any real clue what it is or what it does... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/1f275b7ab089ca15a0d987b0c71391f6ba9c612b996ffe6cd99221c82c093836/analysis/1485264589/

** https://www.hybrid-analysis.com/sample/1f275b7ab089ca15a0d987b0c71391f6ba9c612b996ffe6cd99221c82c093836?environmentId=100
Contacted Hosts
198.20.102.131

*** https://www.virustotal.com/en/file/8ac92ec30c8632327ae276b9ddba70b7426a71d0764a2b00c6e8110e6ed81979/analysis/1485260445/

4] https://www.hybrid-analysis.com/sample/aaf6a627d92c4984762caa40e4e26c2f55f2df393d5d2a91b14a3eed7df51af1?environmentId=100
Contacted Hosts
23.63.140.108
193.104.215.58
185.162.9.59
212.227.91.231
104.87.224.175
82.192.75.161
37.252.227.51
178.77.120.104
169.50.71.245

sergiosuarezgil .com: 198.20.102.131: https://www.virustotal.com/en/ip-address/198.20.102.131/information/
> https://www.virustotal.com/en/url/e0c03de8582531ff9d7821f1a308ea0227789035e323d599c1ff36d3e65efedc/analysis/
6/64

email return URL: hmrcgsigov .org: 93.190.140.136: https://www.virustotal.com/en/ip-address/93.190.140.136/information/
Country - NL << Fraud
___

Android malware returns, gets >2M downloads on Google Play
- http://arstechnica.com/security/2017/01/virulent-android-malware-returns-gets-2-million-downloads-on-google-play/
1/23/2017 - "A virulent family of malware that infected more than 10 million Android devices last year has made a comeback, this time hiding inside Google Play apps that have been downloaded by as many as 12 million unsuspecting users. HummingWhale, as the professionally developed malware has been dubbed, is a variant of HummingBad, the name given to a family of malicious apps researchers documented in July invading non-Google app markets. HummingBad attempted to override security protections by exploiting unpatched vulnerabilities that gave the malware root privileges in older versions of Android. Before Google shut it down, it installed more than 50,000 fraudulent apps each day, displayed 20 million malicious advertisements, and generated more than $300,000 per month in revenue..."
> http://blog.checkpoint.com/2017/01/23/hummingbad-returns/

:fear::fear: :mad:

AplusWebMaster
2017-01-25, 12:33
FYI...

Fake 'DHL' SPAM - delivers banking Trojan
- https://myonlinesecurity.co.uk/spoofed-fake-dhl-prepared-commercial-invoice-delivers-ursnif-banking-trojan/
25 Jan 2017 - "... an email with the subject of 'DHL prepared commercial invoice 9500238176 902694287308' (random numbers) pretending to come from ebillingcmf.td@ DHL .COM that delivers ursnif banking Trojan... One of the emails looks like:
From: ebillingcmf.td@ DHL .COM
Date: Wed 25/01/2017 07:49
Subject: DHL prepared commercial invoice 9500238176 902694287308
Attachment: Commercial.Form.25.01.2017.CVS.zip
Attached notice amount customs charges
Dear Customer,
Attached your invoice in PDF format, dated 25/01/2017 and csv files for shipments and services provided by DHL Express.
You can also display the details of his account and the historical invoices online.
In case of substantial problems in the Annex, contact support at: support@dhl.com
We expect to receive payment within the prescribed period, as indicated on the invoice.
We send our thanks for having taken advantage of DHL Express services.
Best regards,
DHL Express

25 January 2017: Commercial.Form.25.01.2017.CVS.zip: Extracts to: Commercial.Form.25.01.2017.CVS.wsf
Current Virus total detections 7/54*. Payload Security** shows a download of an encrypted file from
http :// www .cp4 .de/cp4/2401.exe ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/870502f4a13bb065499c78a7b99ce4051555007f11c8456c4cfebce7e86cde47/analysis/1485330508/

** https://www.hybrid-analysis.com/sample/870502f4a13bb065499c78a7b99ce4051555007f11c8456c4cfebce7e86cde47?environmentId=100
Contacted Hosts (16)
81.169.145.165
192.229.221.24
195.93.42.3
195.93.42.2
217.79.188.60
207.200.74.133
217.79.188.46
37.157.6.252
172.227.147.7
152.163.56.3
217.79.188.60
64.12.235.98
151.101.192.249
107.22.179.226
104.94.37.243
104.74.100.205
___

Sage 2 ransomware - spreading in UK via malspam emails
- https://myonlinesecurity.co.uk/sage-2-ransomware-now-spreading-in-uk-via-malspam-emails/
25 Jan 2017 - "... new entry to the market. Sage 2.0 ransomware. They are using the same basic email template telling you the order was cancelled but cannot give a refund. There are also 'ACH Blocked transaction' emails also spreading the same sage 2.0 ransomware. The security community has been warning about Sage2.0 ransomware for a few days now, but today is the first day we have seen malspam emails targeting UK users. All the emails so far received have contained the same zip file containing a very heavily encoded/obfuscated javascript file document_1.zip - there also appear to be 2 other files with no names inside the zip that don’t automatically extract and are probably there as padding or left over artefacts. They just appear to contain a list of txt characters, possibly a tracking identity or even the decryption key. I am attaching a couple of different document_1.zip versions to a zip file for researchers to look at P/W ”infected”
25 jan_sage2 zip. Some subjects seen include:
' Refund Unsuccessful 26485806 ( random numbers)
Blocked Transaction. Case No 15120544 ( random numbers)
Re:
Fw: '

One of the emails looks like:
Body content with 'Refund Unsuccessful' or 'FW' and 'RE:'
Your order has been cancelled, however we are not able to proceed with the
refund of $ 1460.01
All the information on your case 652661070 is listed in the document below.
Body content with 'Blocked Transaction'. 'Case No nnnn'
The Automated Clearing House transaction (ID: 085112046), recently initiated
from your online banking account, was rejected by the other financial
institution.
Canceled ACH transaction
ACH file Case ID 07677730
Transaction Amount 1436.17 USD
Sender e-mail obqeygua57341@ scaledagile .com
Reason of Termination See attached statement

25 January 2017: document_1.zip: Extracts to: doc_details_jOiqRJ.js - Current Virus total detections 7/54*
Payload Security** doesn’t show any download or file action, but the VT comments by @techhelplist[3] shows a download of sage 2.0 from http ://affections .top/ff/55.exe (VirusTotal 9/56[4]). Payload Security[5]... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/eccf08ab84cc226aee8f799d560c94d7e5b47254b22549bcdbc0f317f9e0d27c/analysis/1485324653/

** https://www.hybrid-analysis.com/sample/eccf08ab84cc226aee8f799d560c94d7e5b47254b22549bcdbc0f317f9e0d27c?environmentId=100

3] https://twitter.com/Techhelplistcom/status/824053746829291520

4] https://www.virustotal.com/en/file/b71167636e00ed97a10e0bf63270709d1dd32dac9001db1892bd9178382afd7d/analysis/1485304233/

5] https://www.hybrid-analysis.com/sample/b71167636e00ed97a10e0bf63270709d1dd32dac9001db1892bd9178382afd7d?environmentId=100
54.149.186.25: https://www.virustotal.com/en/ip-address/54.149.186.25/information/
> https://www.virustotal.com/en/url/1d6b09c66cd47489598f77aff2f7922aca3b7dfbbb2441b958fcf97a841509d1/analysis/

:fear::fear: :mad:

AplusWebMaster
2017-01-26, 14:09
FYI...

Fake 'USPS' SPAM - delivers Sage 2 ransomware
- https://myonlinesecurity.co.uk/spoofed-fake-usps-unable-to-deliver-your-parcel-malspam-now-delivering-sage-2-ransomware/
26 Jan 2017 - "... Sage 2 ransomware has started to use the same email template that we see daily that normally delivers Locky ransomware and Kovter Trojans HERE:
> https://myonlinesecurity.co.uk/spoofed-fedex-and-usps-kovter-and-locky-sites/
... The only noticeable difference between the 2 campaigns (until you actually analyse the files inside the zip attachments) is the file size and file names. In the Locky/Kovter versions they were using .js files but now use lnk files... Locky /Kovter use a file name something like Delivery-Receipt-3793490.zip that extracts to another zip file Delivery-Receipt-3793490.doc..zip that eventually extracts to Delivery-Receipt-3793490.doc.lnk where the numbers change with each email received. There are numerous different download sites for the malware each day. Sage 2 ransomware uses a static named file for all emails, currently Delivery-Details.zip extracting to Delivery-Details.js - There is one download site each day... One of the emails looks like:
From: USPS Ground <uwawsne253468@ netpetar .com>
Date: Thu 26/01/2017 02:04
Subject: Delivery problem, parcel USPS #40088683
Attachment: Delivery-Details.zip
Hello,
Your item has arrived at Thu, 26 Jan 2017 03:04:09 +0100, but our courier
was not able to deliver the parcel.
You can download the shipment label attached!
All the best.
Leisha Marshman – USPS Support Agent.

26 January 2017: Delivery-Details.zip: Extracts to: Delivery-Details.js - Current Virus total detections 14/53*
Payload Security** shows a download from http ://affections .top/ff/55.exe (VirusTotal 14/56***) (Payload Security [4])... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/24e7c851ee5fae56949a65b9033732524d625709333cc205ed54ba7de92dad81/analysis/1485410870/

** https://www.hybrid-analysis.com/sample/24e7c851ee5fae56949a65b9033732524d625709333cc205ed54ba7de92dad81?environmentId=100

*** https://www.virustotal.com/en/file/00a244a8f833f035d3de9cc137054bef5efd31169bb82fd17cc8f45f213f3e3a/analysis/1485413961/

4] https://www.hybrid-analysis.com/sample/00a244a8f833f035d3de9cc137054bef5efd31169bb82fd17cc8f45f213f3e3a?environmentId=100
Contacted Hosts
54.211.245.199

affections .top: 54.165.5.111: https://www.virustotal.com/en/ip-address/54.165.5.111/information/
Country US / Autonomous System 14618 (Amazon.com, Inc.)
> https://www.virustotal.com/en/url/1d6b09c66cd47489598f77aff2f7922aca3b7dfbbb2441b958fcf97a841509d1/analysis/
52.203.213.69: https://www.virustotal.com/en/ip-address/52.203.213.69/information/
___

Fake 'Microsoft' SPAM - delivers malware
- https://myonlinesecurity.co.uk/spoofed-blank-microsoft-email-delivers-an-unknown-malware/
26 Jan 2017 - "A blank/empty email pretending to come from Microsoft with a subject like 'RE: 23337 Microsoft Free 23337' with zip attachment that extracts to another zip file that in turn contains a malicious word doc...
Update: I am being told it is Ursnif banking Trojan... Update again: ... weird. This site is delivering different malware, almost at random it seems. Each visit gives a -different- file, although always the same name read.doc or read.php - currently all are 243kb but all have different file #. So far we have seen Cerber, Ursnif and the original unknown malware... The email looks like:
From: tcmf.microsoft <suard-c@ vendome .pf>
Date: Thu 26/01/2017 16:00
Subject: RE: 23337 Microsoft Free 23337
Attachment: 55554546637489.zip

Body content: totally blank/empty

> https://www.reverse.it/sample/aa8953de6e54030e4a903a8fd2729c41c4f4c284a451a86e1ec945ebf43eb919?environmentId=100
Contacted Hosts
208.67.222.222
195.5.126.248
46.150.69.43
188.27.92.82

> https://www.hybrid-analysis.com/sample/eaaea87f0dd68ae1c998c2c7a6e0584bfa2f57f69a778e4bc1b5f954486a0350?environmentId=100
Contacted Hosts (576)

26 January 2017: 55554546637489.zip: extracts to: 4446_ZIP.zip extracts to 4446.doc
Current Virus total detections 2/55*. Payload Security shows a download from
http ://vvorootad .top/read.php?f=0.dat which delivers read.doc (which is -not- a doc file, although having an icon looking like a word doc, but a renamed .exe) (VirusTotal 9/57**). Payload Security***... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/77dbd5b65f26599343aee6df4c7af7ac3ab7678a6c32cbbf2df5eebf4d06639f/analysis/1485447397/

** https://www.virustotal.com/en/file/70449b4519aeb20dd2871bed100ca3dd5f68b347c95a23edfd47e6e648bfa954/analysis/1485448703/

*** https://www.hybrid-analysis.com/sample/70449b4519aeb20dd2871bed100ca3dd5f68b347c95a23edfd47e6e648bfa954?environmentId=100

vvorootad .top: 52.203.115.53: https://www.virustotal.com/en/ip-address/52.203.115.53/information/
> https://www.virustotal.com/en/url/119f7bbc2a8f8ba821cadadf145e1b8c9592ccc49b6d8c8c599f820808f76629/analysis/
35.165.86.173: https://www.virustotal.com/en/ip-address/35.165.86.173/information/
> https://www.virustotal.com/en/url/d11134c1e38ff62f0312a3639ac180dbfd6888a73e7ad306c0667a64d8131339/analysis/
___

Spyware on a Chromebook ??
- http://www.computerworld.com/article/3161765/chrome-os/spyware-on-a-chromebook.html
Jan 25, 2017 - "... According to Google*, it means the extension 'can enable, disable, uninstall or launch themes, extensions, and apps you have installed'. Uninstall and disable other extensions? Are you kidding me? Why does Chrome even allow this? Web browsers do -not- allow a page on one website to interact with a page on another. Why does Chrome let an extension from Developer A disable or uninstall one from Developer B? Perhaps worse, is that Chrome does not warn, at installation time, about the modification to the New Tab page. This is inexcusable. And here's a sentence I never expected to write. When it comes to extensions modifying the New Tab page, Chrome on Windows is more secure than Chrome on Chrome OS..."
* https://support.google.com/chrome_webstore/answer/186213?hl=en

(More detail at the computerworld URL above.)

:fear::fear: :mad:

AplusWebMaster
2017-01-28, 17:12
FYI...

Phish - using PDF attachments
- https://blogs.technet.microsoft.com/mmpc/2017/01/26/phishers-unleash-simple-but-effective-social-engineering-techniques-using-pdf-attachments/
Jan 26, 2017 - "... deceitful PDF attachments are being used in email phishing attacks that attempt to steal your email credentials. Apparently, the heightened phishing activity that we have come to expect every year during the holiday season has not subsided. Unlike in other spam campaigns, the PDF attachments we are seeing in these phishing attacks do not contain malware or exploit code. Instead, they rely on social engineering to lead you on to phishing pages, where -you- are then asked-to-divulge sensitive information...
Example 1: One example of the fraudulent PDF attachments is carried by email messages that pretend to be official communication, for instance, a quotation for a product or a service, from a legitimate company. These email messages may spoof actual people from legitimate companies in order to fake authenticity:
> https://msdnshared.blob.core.windows.net/media/2017/01/120.jpg
When you open the attachment, it’s an actual PDF file that is made to appear like an error message. It contains an instruction to “Open document with Microsoft Excel”. But it’s actually a link to a website:
> https://msdnshared.blob.core.windows.net/media/2017/01/PDF-example-1-screenshot-1.png
Clicking the link opens your browser and brings you to a website, where the social engineering attack continues with a message that the document is protected because it is confidential, and therefore you need to sign in with your email credentials:
> https://msdnshared.blob.core.windows.net/media/2017/01/PDF-example-1-screenshot-2.png
... Don’t open attachments or click-links in suspicious emails. Even if the emails came from someone you know, if you are not expecting the email, be wary about opening the attachment, because spam and phishing emails may spoof the sender..."
(More detail at the blogs.technet.microsoft URL at the top of this post.)

:fear::fear: :mad:

AplusWebMaster
2017-01-30, 22:07
FYI...

Netflix Scam delivers Ransomware
- http://blog.trendmicro.com/trendlabs-security-intelligence/netflix-scam-delivers-ransomware/
Jan 29, 2017 - "Netflix has a 93 million-strong subscriber base in more than 190 countries, so it’s unsurprising that cybercriminals want a piece of the pie. Among their modus operandi: stealing user credentials that can be monetized in the underground, exploiting vulnerabilities, and more recently infecting systems with Trojans capable of pilfering the user’s financial and personal information. What other purposes can stolen Netflix credential serve? Offer them up as bargaining chip to fellow cybercriminals, for instance. Or more nefariously, use them as lure to trick certain users into installing malware (and turn a profit in the process).
If you’re planning to free ride your way into binge-watching your favorite shows on Netflix, think again. Your computer’s files may end up getting held hostage instead. We came across a -ransomware- (detected by Trend Micro as RANSOM_ NETIX.A) luring Windows/PC users with a Netflix account via a login generator, one of the tools typically used in software and account membership piracy. These programs are usually found on suspicious websites sharing cracked applications and access to premium/paid web-based services:
(The ransom note displayed as wallpaper in the affected system)
> https://blog.trendmicro.com/trendlabs-security-intelligence/files/2017/01/netflix-ransomware1.jpg
(One of the ransom notes with instructions to victims)
> https://blog.trendmicro.com/trendlabs-security-intelligence/files/2017/01/netflix-ransomware2.jpg
(Fake Netflix Login Generator)
> https://blog.trendmicro.com/trendlabs-security-intelligence/files/2017/01/netflix-ransomware3.jpg
(The prompt window after clicking “Generate Login”)
> https://blog.trendmicro.com/trendlabs-security-intelligence/files/2017/01/netflix-ransomware4.jpg
The ransomware starts as an executable (Netflix Login Generator v1.1.exe) that drops another copy of itself (netprotocol.exe) and then executed afterwards. Clicking the “Generate Login” button leads to another prompt window that purportedly has the login information of a genuine Netflix account. RANSOM_NETIX.A uses these fake prompts/windows as distraction while it performs its encryption routine on 39 file types under the C:\Users directory... The ransomware employs AES-256 encryption algorithm and appends the encrypted files with the .se extension. The ransom notes demand $100 worth of Bitcoin (0.18 BTC) from its victims... Interestingly, the ransomware terminates itself if the system is -not- running Windows 7 or Windows 10... This highlights the significance for end users to keep their subscription accounts safe from crooks. Keep to your service provider’s security recommendations. More importantly, practice good security habits: beware of -emails- you receive pretending to be legitimate, regularly update your credentials, use two-factor authentication, and download -only- from official sources... Does getting your important files encrypted worth the piracy? Netflix’s premium plan costs around $12 per month, and allows content to be streamed in four devices at the same time. Compare that with $100 you need to pay in order to get your files decrypted. Getting them back isn’t guaranteed either, as other ransomware families have shown... Bad guys need only hack a modicum of weakness for which no patch is available — the human psyche. Social engineering is a vital component in this scam, so users should be smarter: don’t download -or- click-ads promising the impossible. If the deal sounds too good to be true, it usually is."

:fear::fear: :mad:

AplusWebMaster
2017-02-01, 14:57
FYI...

Random subject SPAM - download .lnk files to malware
- https://myonlinesecurity.co.uk/various-subject-emails-downloading-lnk-files-using-powershell-to-download-various-malwares/
1 Feb 2017 - "... numerous versions of the emails, but they all basically function in the same way. The email has a link to a compromised site that pretends to be a doc, image or PDF file but in reality will download a .lnk file (windows shortcut file) - these run powershell & contact another site to actually download the malware. These link files have a base64 encoded section with the download link...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/02/item_shipped.png

... other emails read and look like:
1] https://myonlinesecurity.co.uk/wp-content/uploads/2017/02/booking-confirmation.png

2] https://myonlinesecurity.co.uk/wp-content/uploads/2017/02/your-order-confirmed.png

- https://www.virustotal.com/en/file/d5a614f6c2d52a020f8a8927771155123bec63e1c8af8cd1ce35472f9a28d127/analysis/
File name: confirm-purchase-ordernum-3TX0S8458483-JY.pdf
Detection ratio: 3/54
Analysis date: 2017-02-01

- https://www.hybrid-analysis.com/sample/d5a614f6c2d52a020f8a8927771155123bec63e1c8af8cd1ce35472f9a28d127?environmentId=100
Contacted Hosts
5.152.199.228

... different download locations, sometimes delivering exactly same malware from all locations and sometimes slightly different malware versions from each one... All these malicious emails are either designed to steal your Passwords, Bank, PayPal or other financial details along with your email or FTP (web space) log in credentials. Or they are -Ransomware- versions that encrypt your files and demand large sums of money to recover the files..."

:fear::fear: :mad:

AplusWebMaster
2017-02-02, 13:53
FYI...

Fake 'eFax' SPAM - delivers malware
- https://myonlinesecurity.co.uk/spoofed-efax-you-received-a-new-efax-from-516-6128936-delivers-unknown-malware/
2 Feb 2017 - "... an email with the subject of 'You received a new eFax from 516-6128936' (numbers are normally random) pretending to come from eFax <messaging@ efax .com> with a link-that-downloads a malicious word doc... Update: I am reliably informed* it downloads Hancitor & other associated malware...
* https://twitter.com/Techhelplistcom/status/827235660352323584

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/02/efax-from-5166128936.png

... The download link in the body of the email is:
http ://akatsuki-eng .co.jp/api/get.php?id=dmljdGltQGRvbWFpbi5jb20= where the base64 encoded section is the recipients email address...

2 February 2017: eFax_victim.doc - Current Virus total detections 3/54**. Payload Security***... DO NOT follow the advice they give to enable macros or enable editing to see the content..."
** https://www.virustotal.com/en/file/50d479955bdd9d0be7b72bff2e6df59208fb65ec91247d99dd771dd34f53ae4d/analysis/1486056401/

*** https://www.hybrid-analysis.com/sample/50d479955bdd9d0be7b72bff2e6df59208fb65ec91247d99dd771dd34f53ae4d?environmentId=100

akatsuki-eng .co.jp: 157.7.107.124: https://www.virustotal.com/en/ip-address/157.7.107.124/information/
> https://www.virustotal.com/en/url/a5fab0b8635f8870a028d7af945d6f39aa81f58f4f118547dd664c3289e4e687/analysis/

... Update: 3 February 2017: Today’s version has a .lnk file inside-a-zip as an attachment
(VirusTotal 3/56[1]) connects to & downloads analytics.activeadvisory .com/007.bin
but only from a Canadian IP range. The rest of the world appears blocked. (VirusTotal 6/56[2])
(Payload Security[3]). This one is delivering Urnsif banking Trojan...
1] https://www.virustotal.com/en/file/863177ba5cd57fbaf71a82600a05548541afc4e160dd0ff1f8c26f031f6474ac/analysis/

2] https://www.virustotal.com/en/file/4bd30b55b560bff8970da92dd7e892ac292f4ce41543c17c8c2929a22519e248/analysis/1486120969/

3] https://www.hybrid-analysis.com/sample/4bd30b55b560bff8970da92dd7e892ac292f4ce41543c17c8c2929a22519e248?environmentId=100
Contacted Hosts
208.67.222.222
185.77.128.246
85.17.94.33
172.86.121.117

analytics.activeadvisory .com: 149.56.201.88: https://www.virustotal.com/en/ip-address/149.56.201.88/information/
> https://www.virustotal.com/en/url/10aafd93b7081d1ee6ce30ce40f417c21d88530e1f9ca4738574f0730dfa7736/analysis/
___

Identity fraud hits record high
- https://www.helpnetsecurity.com/2017/02/02/identity-fraud-hits-record-high/
Feb 2, 2017 - "The number of identity fraud victims increased by sixteen percent (rising to 15.4 million U.S. consumers) in the last year, according to Javelin Strategy & Research*. Their study found that despite the efforts of the industry, fraudsters successfully adapted to net two million more victims this year with the amount fraudsters took rising by nearly one-billion-dollars to $16 billion..."
> https://www.helpnetsecurity.com/images/posts/javelin-022017-1.jpg

* https://www.javelinstrategy.com/press-release/identity-fraud-hits-record-high-154-million-us-victims-2016-16-percent-according-new
Feb 1, 2017

- https://krebsonsecurity.com/2017/01/shopping-for-w2s-tax-data-on-the-dark-web/
Jan 31, 2017 - "... Tax refund fraud affects hundreds of thousands, if not millions, of U.S. citizens annually. Victims usually first learn of the crime after having their returns rejected because scammers beat them to it. Even those who are not required to file a return can be victims of refund fraud, as can those who are not actually due a refund from the IRS. Tax data can be -phished- directly from consumers via phony emails spoofing the IRS or employers. But more often, the information is stolen in bulk from employers. In a typical scenario, the thieves target people who work in HR and payroll departments at corporations, and spoof an email from a higher-up in the company asking for all employee W-2 data to be included in a single file and emailed immediately..."
___

Apple 'Security Measures' - phish
- https://myonlinesecurity.co.uk/apple-security-measures-phishing/
2 Feb 2017 - "... spam run apple phishing today. The bad spelling and grammar should be enough to warn anybody that it is a fake...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/02/Apple-Security-Measures.png

The link-in-the-email goes to:
http ://www .interwurlitzer .com/mc.html which redirects you to
http ://www .bdic .ca/mardei/Itunes/apple/ where you see the typical Apple phishing page."

interwurlitzer .com: 87.229.45.133: https://www.virustotal.com/en/ip-address/87.229.45.133/information/
> https://www.virustotal.com/en/url/b3f673a5be4a48fdae3c0c149a0a2bbd5313113a4908796f68a58a61051ac7f8/analysis/
bdic .ca: 67.212.91.221: https://www.virustotal.com/en/ip-address/67.212.91.221/information/
> https://www.virustotal.com/en/url/0b430f5f53a594afa4a2c1c5538c23dc12848e15caae36ac0ea093ef7b323e95/analysis/
___

Netgear addresses 'Password Bypass' vulns in 31 Router Models
- http://www.darkreading.com/vulnerabilities---threats/netgear-addresses-password-bypass-vulns-in-31-router-models/d/d-id/1328036
Feb 1, 2017
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5521
Last revised: 01/23/2017
CVSS v3 Base Score: 8.1 High

> http://kb.netgear.com/30632/Web-GUI-Password-Recovery-and-Exposure-Security-Vulnerability
"... Firmware fixes are currently available for the following affected devices. To download the firmware release that fixes the password recovery vulnerability, click the link for your model and visit the firmware release page for instructions.."
Last Updated: 01/27/2017

:fear::fear: :mad:

AplusWebMaster
2017-02-05, 16:46
FYI...

Fake 'notice to Appear' SPAM - delivers Kovter/Locky
- https://myonlinesecurity.co.uk/spoofed-fake-new-notice-to-appear-in-court-delivers-locky-and-kovter/
5 Feb 2017 - "... start of a campaign using 'New notice to Appear in Court' as the email subject. The attachments are identical to the typical .JS, .WSF, .lnk file inside a double zip. All the sites seen so far today are the -same- sites used in the USPS, FedEx, UPS current campaigns*...
* https://myonlinesecurity.co.uk/spoofed-fedex-and-usps-kovter-and-locky-sites/
... The attachments all start with a zip named along the lines of Notice_00790613.zip which contain -another- zip Notice_00790613.doc.zip which in turn contains Notice_00790613.doc.js ... All of the sites are listed on THIS post**... All the sites contain the -same- Malware downloads of Kovter and Locky. They do get updated frequently during the day...
** https://myonlinesecurity.co.uk/spoofed-fedex-and-usps-kovter-and-locky-sites/
... The infection process is described very well by this Microsoft blog post***...
*** https://blogs.technet.microsoft.com/mmpc/2017/02/02/improved-scripts-in-lnk-files-now-deliver-kovter-in-addition-to-locky/

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/02/spoofed-New-notice-to-Appear-in-Court.png

5 February 2017: Notice_00790613.doc.js - Current Virus total detections 11/54[4].
Payload Security[5]. Today’s eventual downloads: Locky (VirusTotal 6/56[6]). Kovter (VirusTotal 9/57[7])... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
4] https://www.virustotal.com/en/file/bd16df103c3587736f82de1e72190cc253c234ff5418d7bf01d4e34d5e562df1/analysis/1486286066/

5] https://www.hybrid-analysis.com/sample/bd16df103c3587736f82de1e72190cc253c234ff5418d7bf01d4e34d5e562df1?environmentId=100
Contacted Hosts (176)
HTTP Traffic
97.74.144.118: https://www.virustotal.com/en/ip-address/97.74.144.118/information/

50.62.117.7: https://www.virustotal.com/en/ip-address/50.62.117.7/information/

107.181.187.77: https://www.virustotal.com/en/ip-address/107.181.187.77/information/

6] https://www.virustotal.com/en/file/b620808631f1a98d03a6574badeabe685b0ceae39697776000e3ca852e5d392e/analysis/1486287187/

7] https://www.virustotal.com/en/file/8490e3376f051dc36eb1b7729c18c4c66dd9984423c545f29c9de0c863ba27d3/analysis/1486287513/
___

Many Malware Samples found on Pastebin
- https://isc.sans.edu/diary.html?storyid=22036
2017-02-05

:fear::fear: :mad:

AplusWebMaster
2017-02-06, 19:52
FYI...

Fake 'To all employee’s' SPAM - delivers malware
- https://myonlinesecurity.co.uk/fw-to-all-employees-malspam-delivers-dridex/
6 Feb 2017 - "... an email with the subject of 'FW: To all employee’s' pretending to come from Administrator <Administrator@ administrator .delivery> with a malicious word doc attachment... not 100% certain this is Dridex, Payload Security is unable to save to webservice on the Word Macro or the downloaded .exe file. The other samples doing that today are Dridex, so it looks like the Dridex gang have added some sort of anti-sandbox protection to itself...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/02/to-all-employees.png

6 February 2017: EmployeeConfidential.doc - Current Virus total detections 2/54*
Payload Security** was unable to 'save to webservice'. VirusTotal comments gave me the download location:
http ://fistnote .com/images/k6kkGcHpPi7m5iJprQPxPcoiVhmT7.exe (VirusTotal 11/55***). Payload Security again was unable to save to webservice Zip file attached... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/33627c03b65a860e6854e80f58fb4872aeb02b5e10cbccd7f035b407b662701e/analysis/1486399875/

** https://www.hybrid-analysis.com/sample/33627c03b65a860e6854e80f58fb4872aeb02b5e10cbccd7f035b407b662701e?environmentId=100

*** https://www.virustotal.com/en/file/40046dffcfb7799374301b2f78baca4953ede07e8baf8452ac4068edfa1bd227/analysis/1486399137/

fistnote .com: 208.56.226.20: https://www.virustotal.com/en/ip-address/208.56.226.20/information/
> https://www.virustotal.com/en/url/1df7432b36d769b77ebabb5dc1c6b92a587802cdad2e409cc003e25d9f9a957b/analysis/
___

Fake 'Shipping info' SPAM - delivers malware via macro word docs
- https://myonlinesecurity.co.uk/spoofed-usps-shipping-information-for-parcel-delivers-hancitor-and-other-malware-via-macro-word-docs/
6 Feb 2017 - "An email with the subject of 'Shipping information for parcel 3627458' pretending to come from USPS <shipping@ usps-service .com> with a malicious word doc attachment delivers hancitor which downloads Zloader and Pony which will download -more- malware... The email looks like:
From: USPS <shipping@ usps-service .com>
Date:
Subject: Shipping information for parcel 3627458
Attachment:
Our courrier was not able to deliver your parcel because nobody was present at your address.
Someone must always be present on the delivery day, to sign for receiving the parcel.
Shipping type: USPS Next Day Box size: Large Box ( 2-5kg ) Date : Feb 6th 2017
You can reschedule the delivery over the phone, but you will have to confirm the information on the delivery invoice.
Another delivery can be arranged, by calling the number on the delivery invoice we left at your address and confirming the shipping information, including the address and tracking number.
A scanned copy of the delivery invoice can also be downloaded by visiting the USPS website:
https ://tools.usps .com/web/pages/view.invoice?id=3627458&dest=submit@...
In the exceptional case that a new delivery is not rescheduled in 24 hours, the shipment will be cancelled and the package will be returned to the sender.
Thanks for shipping with USPS ...

6 February 2017: USPS_invoice_submit.doc - Current Virus total detections 4/54*
Payload Security**... The download link-in-the-body of the email is:
http ://fam-life .jp/api/get.php?id=c3VibWl0QHRoZXNweWtpbGxlci5jby51aw== where the base64 encoded section is the recipients email address. The downloaded word doc is created by adding the recipients name, or at least the bit before the @ in the email address... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/ecb1b06414b3e11d0bf66d2bfca5dd61ae529c6ec73f91ea2ee57bdb2c06a49b/analysis/1486405685/

** https://www.hybrid-analysis.com/sample/ecb1b06414b3e11d0bf66d2bfca5dd61ae529c6ec73f91ea2ee57bdb2c06a49b?environmentId=100

fam-life .jp: 157.7.107.28: https://www.virustotal.com/en/ip-address/157.7.107.28/information/
> https://www.virustotal.com/en/url/80f4d13ebf6b824e06170be769d98804c2b6ccaec647d101a3461106805102da/analysis/

:fear::fear: :mad:

AplusWebMaster
2017-02-07, 15:59
FYI...

Fake sex lure SPAM - delivers ransomware
- https://myonlinesecurity.co.uk/get-laid-tonight-sex-lure-malspam-delivers-ransomware/
7 Feb 2017 - "The sex lures in an email always work. Curiosity is just too much for some recipients... an email with the subject of 'get laid tonight' pretending to come from Alice Olsen <Alice.Olsen@ mail .com> with a very enticingly named zip attachment 'ourSexPhoto.zip' containing an .exe file with a definite sexy or pornographic lure 'byAliceforyouOurSexPhotosiwantyou .exe'... One of the emails looks like:
From: Alice Olsen <Alice.Olsen@ mail .com>
Date: Mon 06/02/2017 22:42
Subject: get laid tonight
Attachment: ourSexPhoto.zip
Iam Thinking Of You ! My photos after our party

7 February 2017: ourSexPhoto.zip: Extracts to: byAliceforyouOurSexPhotosiwantyou.exe
Current Virus total detections 8/56*. Payload Security**... VT is differing between Sage ransomware and generic malware detections. Payload Security is inconclusive. Returns from Anti-Virus submissions vary between Generic Ransomware and Yakes Trojan... we can pretty much assume it is -ransomware- but there is some doubt which one... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/3428e9fb2d250ff24621f948f061f0ed12fba0a210ada1e38b83c8af5a09f0ca/analysis/1486431675/

** https://www.hybrid-analysis.com/sample/3428e9fb2d250ff24621f948f061f0ed12fba0a210ada1e38b83c8af5a09f0ca?environmentId=100
___

Fake 'Your order Canceled' SPAM - delivers sage ransomware
- https://myonlinesecurity.co.uk/your-order-canceled-fraud-malspam-delivers-sage-ransomware/
7 Feb 2017 - "... an email with the subject of 'Your order Canceled. fraud' pretending to come from Security Service <security-service@ mail .com> with a zip attachment containing an .exe file. The bad spelling should be enough to alert recipients... 'looks like a new version of Sage with updated decryption and what to do instructions... Drops a vbs file that gives -audio- alerts telling you that your files are encrypted:
“Attention! Attention! This is not a test!
All you documents, data bases and other important files were encrypted and Windows can not restore them without special software.User action is required as soon as possible to recover the file”
It also changes Bcdedit to prevent system recovery and of course deletes all shadow copies... One of the emails looks like:
From: Security Service <security-service@ mail .com>
Date: Tue 07/02/2017 18:19
Subject: Your order Canceled. fraud
Attachment:
Your order has been canceled.
Your credit card is invalid.
For an explanation of the reason you have 3 days.
By discharging is distributed 3 days, your card will be blocked.
All the details in the attached documents.

7 February 2017: Your.orderCanceled.fraud.zip Extracts to: Your.order10988322.Canceled. fraud.2017-01-15.exe
Current Virus total detections 9/57*. Payload Security**... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/f042302d6de8e5e5cefb53820e950ecbd5f4113d565afde543a9524059b71d8d/analysis/1486490294/

** https://www.hybrid-analysis.com/sample/f042302d6de8e5e5cefb53820e950ecbd5f4113d565afde543a9524059b71d8d?environmentId=100
Contacted Hosts
91.214.114.197

:fear::fear: :mad:

AplusWebMaster
2017-02-09, 13:00
FYI...

Fake 'Confidential documents' SPAM - delivers Trickbot
- https://myonlinesecurity.co.uk/confidential-documents-spoofed-anz-bank-delivers-trickbot-banking-trojan/
9 Feb 2017 - "... An email with the subject of 'Confidential documents' pretending to come from random names @ anz .com with a malicious word doc attachment delivers Trickbot banking Trojan... The email looks like:
From: Kathy.Hilton@ anz .com
Date: Thu 09/02/2017 01:45
Subject: Confidential documents
Attachment: ANZ_message00207.doc
Please review attached document.
Kathy.Hilton@ anz .com
Australia and New Zealand Bank
1800-575-892 office
1800-640-855 cell
Investments in securities and insurance products are:
NOT FDIC-INSURED/NO BANK-GUARANTEES/MAY LOSE VALUE
CONFIDENTIAL NOTICE ...

9 February 2017: ANZ_message00207.doc - Current Virus total detections 6/54*
Payload Security**. Neither show anything definite, but searching around gave me these links to VirusTotal reports from the same campaign:
> https://virustotal.com/en/file/03f75c3d5cddbf39f6a9cad72ccc6649cec8959dd3bca87b2de80e036d054461/analysis/
Behavioural information > TCP connections
78.47.139.102: https://www.virustotal.com/en/ip-address/78.47.139.102/information/
47.18.17.114: https://www.virustotal.com/en/ip-address/47.18.17.114/information/
13.107.4.50: https://www.virustotal.com/en/ip-address/13.107.4.50/information/
213.25.134.75: https://www.virustotal.com/en/ip-address/213.25.134.75/information/
> https://virustotal.com/en/file/8b90a15f656b86e0843c2b6ce93a2a70ae149b1c79c869c7bded2e3f569946a5/analysis/
> https://virustotal.com/en/file/0456c1052b86d6b7e36ca1246a7be81015762721a950fd56bb84c8bdafaf49d0/analysis/
Download sites appear to be:
- andiamoluggage .com/skin/frontend/holloway.png
- andiamoluggage .com/skin/frontend/fortis/ahjakacbakawda.png
- andiamoluggage .com/skin/install/not16.png
All of which are NOT png (image files) but renamed .exe files... Thanks to @Techhelplist[1]...
1] https://twitter.com/Techhelplistcom/status/829468826676899840
... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/a4927bc6bb5771a0f9c4e8c30be70a39504511813f1c1ac1f855e556d96fee13/analysis/1486618849/

** https://www.hybrid-analysis.com/sample/a4927bc6bb5771a0f9c4e8c30be70a39504511813f1c1ac1f855e556d96fee13?environmentId=100

andiamoluggage .com: 173.254.28.82: https://www.virustotal.com/en/ip-address/173.254.28.82/information/
> https://www.virustotal.com/en/url/e3a65811fdcaa954144fea3ea0bd1684f35155bf283c860df04a76deb17b9bd0/analysis/
___

Fake 'Final payment' SPAM - delivers malware
- https://myonlinesecurity.co.uk/spoofed-hmrc-final-payment-request-delivers-something-looking-like-zbot-malware/
9 Feb 2017 - "An email with the subject of 'Final payment request' pretending to come from MatthewPeters@ hmrc.gsi .gov.uk with a malicious word doc attachment delivers what looks like a Zbot variant... The email looks like:
From: MatthewPeters@hmrc.gsi.gov.uk” <info@ nestpensions63 .top>
Date: Thu, 9 Feb 2017 13:24:00 +0100
Subject: Final payment request
Attachment: debt_93498438747.doc
Date of issue 09 February 2017
Reference K2135700006
Don’t ignore this letter – you need to pay us now if you want to stop us taking enforcement action against you.
We contacted you previously asking you to pay the above amount but you still haven’t done so. The attached statement of liability gives a breakdown of what you owe.
As you’re in the very small minority of people who haven’t paid. We’re treating your case as a priority. If you don’t pay now, we’ll take action to make you pay. The law allows us to enforce debts by seizing your goods and selling them by public auction A regional sheriff officer acting on a summary warrant will do this for us. We can charge fees for this so if you don’t act now it could cost you more money.
For more information and how to pay us please see attached statement.
We’ll continue to add interest to the original debt until you pay in full.
Debt Management ...

9 February 2017: debt_93498438747.doc - Current Virus total detections 7/53*
Payload Security** shows a download from http ://jsmkitchensandbedrooms .co.uk/explo.exe
(VirusTotal 4/57***) - Payload Security[4]... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/a14e7835032ae95be99ed102fbdd54d639e69427185f2d652f0e041ce766ff4f/analysis/1486645244/

** https://www.hybrid-analysis.com/sample/a14e7835032ae95be99ed102fbdd54d639e69427185f2d652f0e041ce766ff4f?environmentId=100
94.199.185.21
172.227.109.213
185.162.9.59

*** https://www.virustotal.com/en/file/ca0e68593feffec57994bd02c6a84abd51375fe092f6a04e57e2d69d7e00c5ef/analysis/1486642865/

4] https://www.hybrid-analysis.com/sample/ca0e68593feffec57994bd02c6a84abd51375fe092f6a04e57e2d69d7e00c5ef?environmentId=100
Contacted Hosts
104.85.50.185
178.77.110.129
185.162.9.59

jsmkitchensandbedrooms .co.uk: 94.199.185.21: https://www.virustotal.com/en/ip-address/94.199.185.21/information/
> https://www.virustotal.com/en/url/f4ca65a193fd7b79eef486bd40e2688049454facb77b9ec2ef2cbf48f001cd55/analysis/

:fear::fear: :mad:

AplusWebMaster
2017-02-14, 13:59
FYI...

Fake 'Xpress Money' SPAM - delivers java adwind
- https://myonlinesecurity.co.uk/spoofed-xpress-money-compliant-report-malspam-delivers-java-adwind/
14 Feb 2017 - "... fake financial themed emails containing java adwind or Java Jacksbot attachments... previously mentioned many of these HERE[1]...
1] https://myonlinesecurity.co.uk/?s=java+adwind
... The email looks like:
From: elizabethst2.mel@ xpressmoney .com
Date: Mon 13/02/2017 23:45
Subject: Fwd: Reference: Xpress Money compliant report
Attachment: XPRESS MONEY UPTHRONI DATA.zip (contains 2 identical although differently named java.jar files)
Dear Agent,
The attached Compliant report was issued yesterday online by a customer about you. We will need your feedback as soon as possible before 24hours or your terminal will be blocked.
Regards
Nasir Usuman
Regional Compliance Manager Pakistan & Afghanistan
Global Compliance, Xpress Money ...

14 February 2017: XPRESS MONEY REFERENCES FOLLOW UP.jar.jar (287 kb) - Current Virus total detections 8/57*
Payload Security**... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/fdc45122dd010da0b460acd822b0fcf7bfedbc62ffad3c67a91a639c100825af/analysis/1487047920/

** https://www.hybrid-analysis.com/sample/fdc45122dd010da0b460acd822b0fcf7bfedbc62ffad3c67a91a639c100825af?environmentId=100
___

Fake 'Secure Message' SPAM - delivers malware
- https://myonlinesecurity.co.uk/rbc-royal-bank-secure-message-malspam-delivers-malware/
14 Feb 2017 - "An email with the subject of 'Secure Message' pretending to come from RBC Royal Bank but actually coming from a -fake- domain imitating the RBC <service@ rbcroyalbanksecuremessage .com> with a malicious word doc attachment delivers an unknown malware...
The domain in the email address rbcroyalbanksecuremessage .com was registered today by criminals using privacy protection by Godaddy and hosted on Rackspace...

rbcroyalbanksecuremessage .com: 104.130.159.40: https://www.virustotal.com/en/ip-address/104.130.159.40/information/
23.253.233.16: https://www.virustotal.com/en/ip-address/23.253.233.16/information/

The email looks like:
From: RBC Royal Bank <service@rbcroyalbanksecuremessage .com>
Date: Tue 14/02/2017 17:13
Subject: Secure Message
Attachment: SecureMessage.doc
Secure Message
This is an automated message send by Royal Bank Secure Messaging Server. To ensure both you and the RBC Royal Bank comply with current legislation, this message has been encrypted. Please check attached documents for more information. Note: You should not store confidential information unless it is encrypted.
CONFIDENTIALITY NOTICE:The contents of this email message and any attachments are intended solely for the addressee(s)and may contain confidential and/or privileged information and may be legally protected from disclosure...

14 February 2017: SecureMessage.doc - Current Virus total detections 4/55*
Payload Security**.. neither give any real indication what it downloads..
Update: Thanks to help from another researcher***.. It downloads
http ://sungkrorsang .com/jerohnimo.png which of course is -not- a png (image file) but a renamed .exe that the macro will rename & autorun. VirusTotal 10/59[4] | Payload Security[5]...
sungkrorsang .com: 61.19.252.134: https://www.virustotal.com/en/ip-address/61.19.252.134/information/
> https://www.virustotal.com/en/url/a1b3d6504fbe577145c86b7191d5d4bd9a0486ba2c1d36145c37d4c4ff101b8e/analysis/
... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/e144c16fa6397a2e73fdc69c65c754a3d8d955b4a04ed4aacd7e93fbe59fcfaa/analysis/1487094048/

** https://www.hybrid-analysis.com/sample/e144c16fa6397a2e73fdc69c65c754a3d8d955b4a04ed4aacd7e93fbe59fcfaa?environmentId=100

*** https://twitter.com/GossiTheDog/status/831565160254996480

4] https://www.virustotal.com/en/file/b8d2aea697f53294e4102643ab9424fb0684f2b0a0b3b45a7d76cf7d9a42e0e3/analysis/1487095755/

5] https://www.hybrid-analysis.com/sample/b8d2aea697f53294e4102643ab9424fb0684f2b0a0b3b45a7d76cf7d9a42e0e3?environmentId=100
Contacted Hosts
78.47.139.102
47.18.17.114
213.25.134.75
219.93.24.2
192.189.25.143
___

Safeguard Account Update – phish
- https://myonlinesecurity.co.uk/hsbc-safeguard-account-update-phishing/
14 Feb 2017 - "Another Banking phish. This time HSBC. What makes this “slightly” more believable is the url the phishing email leads to http ://hsbc-verify .org.uk/ - which is a very plausible web address...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/02/hsbc-safeguard-phishing-email.png

The link goes to http ://hsbc-verify .org.uk/ where you see a webpage like this*, which leads to a typical set of phishing pages asking for all your bank, credit card and personal details, so they can empty your bank and credit card accounts and take over your identity completely:
* https://myonlinesecurity.co.uk/wp-content/uploads/2017/02/hsbc_verify.png
... registrars are not taking enough precautions and allowing dodgy domain names to be registered to non existent people..."

hsbc-verify .org.uk: 91.218.247.93: https://www.virustotal.com/en/ip-address/91.218.247.93/information/
> https://www.virustotal.com/en/url/7f9c17276c63fe0e02de98f7ac20f058e88c3b61e507ea81d7842c425d7952f2/analysis/

:fear::fear: :mad:

AplusWebMaster
2017-02-15, 17:17
FYI...

Fake 'Secure Message' SPAM - delivers Trickbot
- https://myonlinesecurity.co.uk/spoofed-hmrc-secure-message-malspam-delivers-trickbot/
15 Feb 2017 - "An email with the subject of 'Secure Message' pretending to come from HM Revenue & Customs with a malicious word doc attachment delivers Trickbot banking Trojan... The sending domain for these malspam emails was hmrcgovsec .co.uk which was registered -today- by criminals via Godaddy. Godaddy have jumped on this very quickly & suspended the domain within a few minutes of the first batch being sent...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/02/hmrc_secure_message_malspam-email.png

hmrcgovsec .co.uk: 172.99.114.9: https://www.virustotal.com/en/ip-address/172.99.114.9/information/

15 February 2017: SecureCommunication.doc - Current Virus total detections 4/55*
Payload Security**.. as usual nothing is showing the download location or what actual malware this is...
Update: I am reliably informed*** the download location is:
http ://fistnote .com/images/CV6amPf8jsgJeHVgLX.png which of course is renamed .exe and -not- an image file
(Payload Security[4]) (VirusTotal 9/56[5]) (VirusTotal 2/64[6])... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/fcdfe2b640fd560c2c72becd2dc27e004cd91638a47ce5845b5ec3b338c0e190/analysis/1487167293/

** https://www.hybrid-analysis.com/sample/fcdfe2b640fd560c2c72becd2dc27e004cd91638a47ce5845b5ec3b338c0e190?environmentId=100

*** https://twitter.com/GossiTheDog/status/831871728112508928

4] https://www.hybrid-analysis.com/sample/58257114a4a7bc8384933110dd8d6e3f9e0099c664cca6a9db9f903f2dd3e3b3?environmentId=100
Contacted Hosts
78.47.139.102
47.18.17.114
213.25.134.75
219.93.24.2
192.189.25.143

5] https://www.virustotal.com/en/file/58257114a4a7bc8384933110dd8d6e3f9e0099c664cca6a9db9f903f2dd3e3b3/analysis/1487168128/

6] https://www.virustotal.com/en/url/d1682a945ca3d46e9e84df11f92878e5dc9621fc19daecec8179e77882e692e5/analysis/

fistnote .com: 208.56.226.20: https://www.virustotal.com/en/ip-address/208.56.226.20/information/
> https://www.virustotal.com/en/url/d1682a945ca3d46e9e84df11f92878e5dc9621fc19daecec8179e77882e692e5/analysis/

- http://blog.dynamoo.com/2017/02/malware-spam-rbc-secure-message.html
15 Feb 2017 - "... Attached is a file RBCSecureMessage.doc which contains some sort of macro-based malware. It displays the following page to entice victims to disable their security settings:
> https://1.bp.blogspot.com/-FqntNZLfbiY/WKS1maD9bOI/AAAAAAAAKP8/rAX1avueYc0sZWCSA3s74gAqQ1LG3sCOACLcB/s1600/fake-rbc.png
... The domain rbc-secure-message .com is -fake- and has been registered solely for this purpose of malware distribution. In all the samples I saw, the sending IP was 64.91.248.146 (Liquidweb, US) but it does look like all these IPs in the neighbourhood are involved in the same activity:
64.91.248.137
64.91.248.146
64.91.248.148
64.91.248.150
I recommend you block 64.91.248.128/27 at your email gateway to be sure."
___

Personaliazed SPAM - uses hijacked domains
- http://blog.dynamoo.com/2017/02/highly-personalised-malspam-making.html
15 Feb 2017 - "This spam email contained not only the intended victim's name, but also their home address and an apparently valid mobile telephone number:
Sent: 14 February 2017 13:52
To: [redacted]
From: <customer@ localpoolrepair .com>
Subject: Mr [Redacted] Your order G29804772-064 confirmation
Dear Mr [redacted],
Thank you for placing an order with us.
For your reference your order number is G29804772-064.
Please note this is an automated email. Please do not reply to this email.
Get your order G29804772-064 details
Your order has been placed and items in stock will be sent to the address shown below. Please check all the details of the order to ensure they are correct as we will be unable to make changes once the order has been processed. You will have been notified at the point of order if an item is out of stock already with expected delivery date.
Delivery Address [address redacted] [telephone number redacted]
Delivery Method: Standard Delivery
Your Order Information
Prices include VAT at 20%
Customer Service Feedback
We are always working to improve the products and service we provide to our customers - we do this through a continual review of the product range, and ongoing training of our Customer Service Team. We continually strive to improve our levels of service and we welcome feedback from our customers regarding your buying experience and the product you receive...

The data in the spam was identifiable as being a few -years- old. The intended victim does not appear on the haveibeenpwned.com (http://haveibeenpwned.com) database. My assumption is that this information has been harvested from an undisclosed data breach. I was not able to extract the final payload, however the infection path is as follows:
http ://bebracelet .com/customerarea/notification-processing-G29804772-064.doc
--> http ://customer.abudusolicitors .com/customerarea/notification-processing-G29804772-064.doc
--> https ://customer.affiliate-labs .net/customerarea/notification-processing-G29804772-064.zip
... So we have hijacked legitimate domains with presumably a neutral or good reputation, and we have valid SPF records. This means that the spam will have decent deliverability. And then the spam itself addresses the victim by name and has personal details presumably stolen in a data breach. Could you trust yourself not to click-the-link?
Recommended blocklist (email)
188.214.88.0/24
Recommended blocklist (web)
5.152.199.228: https://www.virustotal.com/en/ip-address/5.152.199.228/information/
185.130.207.37: https://www.virustotal.com/en/ip-address/185.130.207.37/information/ - Country code - ZZ
185.141.165.204: https://www.virustotal.com/en/ip-address/185.141.165.204/information/ - Country code - ZZ "

:fear::fear: :mad:

AplusWebMaster
2017-02-16, 14:59
FYI...

Fake 'Company Complaint' SPAM - delivers Trickbot
- https://myonlinesecurity.co.uk/spoofed-companies-house-id-8d6ba737-775e8bdc-f95f16f3-1b460259-company-complaint-malspam-delivers-trickbot/
16 Feb 2017 - "An email with the subject of 'ID 8d6ba737-775e8bdc-f95f16f3-1b460259 – Company Complaint' pretending to come from Companies House <no-reply@ companieshousecomplaints .uk> with a malicious word doc attachment delivers Trickbot...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/02/ID-8d6ba737-775e8bdc-f95f16f3-1b460259-Company-Complaint.png

If you open the word doc you see a screen looking like this*. DO NOT enable macros or content or enable editing, you -will- be infected:
* https://myonlinesecurity.co.uk/wp-content/uploads/2017/02/spoofed-companies-house-complaint-secure-document.png

16 February 2017: 8d6ba737-775e8bdc-f95f16f3-1b460259.doc - Current Virus total detections 4/55*
Payload Security**.. Neither shows the download but it looks like the download location for the trickbot payload is
http ://www.sungkrorsang .com/hustonweare.png which is -not- an image file but a renamed .exe (VirusTotal 12/57***) (Payload Security[4])... As usual the domain sending these was registered by criminals today 16 February 2017 using Godaddy, with what are certain to be -fake- details:
canonical name: companieshousecomplaints .uk
addresses: 104.130.246.14
23.253.233.18
104.130.246.9 ..
104.239.201.9
... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/d93ffc25e757c4d7dcec4573427d3e13609e963c1b491b06cb9513980c97ccc2/analysis/1487245555/

** https://www.hybrid-analysis.com/sample/d93ffc25e757c4d7dcec4573427d3e13609e963c1b491b06cb9513980c97ccc2?environmentId=100

*** https://www.virustotal.com/en/file/1107257bb6b724ca634f31088235a0919f8c18808f424a317f87d03aa9b1f665/analysis/1487246635/

4] https://www.hybrid-analysis.com/sample/1107257bb6b724ca634f31088235a0919f8c18808f424a317f87d03aa9b1f665?environmentId=100
Contacted Hosts
78.47.139.102
58.52.155.163
217.29.220.255
200.120.214.150
77.222.42.240

sungkrorsang .com: 61.19.252.134: https://www.virustotal.com/en/ip-address/61.19.252.134/information/
> https://www.virustotal.com/en/url/47ea3703624f7191b559848afef5f956cbd563ed86ba13c0ede6b3c956b0bb92/analysis/

:fear::fear: :mad:

AplusWebMaster
2017-02-20, 16:06
FYI...

Fake 'Urgent Compliance' SPAM - delivers java adwind
- https://myonlinesecurity.co.uk/spoofed-xpressmoney-western-union-urgent-compliance-status-of-transfer-malspam-delivers-java-adwind/
20 Feb 2017 - "... previously mentioned many of these HERE[1]... a slightly different subject and email content to previous ones. They can’t seem to decide if it should be Xpress money or Western Union, so they decided to have an email body with a Western Union Content but pretend to send from Xpress money. I am also getting some from Spoofed Western Union Addresses...
1] https://myonlinesecurity.co.uk/?s=java+adwind
... The email looks like:
From: elizabethst2 .mel@ xpressmoney .com
Date: Mon 20/02/2017 00:47
Subject: Urgent Compliance, Status of transfer
Attachment: Details.zip
Dear agent,
Please kindly check the status of this transaction. The remitter
demands for the payment record, because the beneficiary denied the
payment that He didn’t receive this money.
So Please kindly check this transaction if it was paid,please arrange us the
receipt of transaction
Regards,
Senzo Dlamini
Regional Ops Executive
WesternUnion International ...

20 February 2017: Urgent Compliance.jar - Current Virus total detections 6/58*
Payload Security**.. The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/f766da864a8dfd5574d80c137e00ab698164fd444ba8ce18bc538dbc76a26f1b/analysis/1487576150/

** https://www.hybrid-analysis.com/sample/f766da864a8dfd5574d80c137e00ab698164fd444ba8ce18bc538dbc76a26f1b?environmentId=100
___

Fake 'Western Union' SPAM - delivers java adwind
- https://myonlinesecurity.co.uk/spoofed-western-union-it-dept-wupos-agent-upgrade-delivers-java-adwind/
20 Feb 2017 - "... -fake- financial themed emails containing java adwind or Java Jacksbot attachments... previously mentioned many of these HERE[1]...
1] https://myonlinesecurity.co.uk/?s=java+adwind
... the email contains a genuine PDF file with an-embedded-link that downloads the java Adwind zip. The zip contains -2- different sized and named java files. The link in the pdf goes to:
http ://www.greavy .com/wp-includes/certificates/CERTIFICATE%20DETAILS%20AND%20WUPOS%20UPDATE%20MANUAL.zip
which extracts to -2- java.jar files hoping that if one fails the second will get you. Although both are detected as Java Adwind on Virus Total, the Payload Security reports does show different behaviour for each file...
New E-maual and updated payout procedures.jar (507kb) VirusTotal 6/58* | Payload Security**

WU certificate and agent updated branch details..jar (333kb) VirusTotal 8/57*** | Payload Security[4]

The email looks like:
From: Western Union IT Dept. <wu.it-dept@ outlook .com>
Date: Mon 20/02/2017 02:37
Subject: WUPOS Agent Upgrade For All Branches.
Attachment: Details.zip
Dear All,
Western Union ,IT Department data is posting upgrade for new version of WUPOS.Please download attachment by clicking the link.as seen below, run the file and go ahead of checking western union intermediate screen
Before doing that please read directives in attachments then map the Western Union user ID in the Symex application and proceed. Please let me know if you face any issue.
Thanks & Regards, IT Department Western Union...

The pdf looks like:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/02/wupos-update.png
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/7700eb067c966f5b6015ebd4e4945e00c224c01efaf1f77604f1a06996f678a2/analysis/1487577130/

** https://www.hybrid-analysis.com/sample/7700eb067c966f5b6015ebd4e4945e00c224c01efaf1f77604f1a06996f678a2?environmentId=100

*** https://www.virustotal.com/en/file/6a56eeb1172b8b895a53ed47691239dae93d19fc1f140a120a0464beacdae303/analysis/1487577144/

4] https://www.hybrid-analysis.com/sample/6a56eeb1172b8b895a53ed47691239dae93d19fc1f140a120a0464beacdae303?environmentId=100
Contacted Hosts
83.243.41.200

greavy .com: 180.240.134.105: https://www.virustotal.com/en/ip-address/180.240.134.105/information/
> https://www.virustotal.com/en/url/059494b4e1a329645378d93c797dbdebe5e5c428f155f8c6bf9d69b3e3aa83b4/analysis/
___

Fake 'Secure Bank Documents' SPAM - delivers Trickbot
- https://myonlinesecurity.co.uk/spoofed-lloyds-bank-important-secure-bank-documents-malspam-delivers-trickbot-banking-trojan/
20 Feb 2017 - "... an email with the subject of 'Important – Secure Bank Documents'... pretending to come from Lloyds Bank <no-reply@ lloydsbanksecuredocs .com> delivers Trickbot banking Trojan...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/02/lloyds-bank-secure-documents.png

20 February 2017: BACs.doc - Current Virus total detections 7/55*
I am informed about 2 known download locations for the Trickbot malware:
www .sungkrorsang .com/hostelfrost.png and wp .pilbauer .com/wp-content/uploads/lordsofsteel.png
There probably are many more. VirusTotal 11/57*... The sending email Address lloydsbanksecuredocs .com was registered by criminals -today- using Godaddy and Privacy protection. It is -not- a genuine Lloyds bank web site or web address.. DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/2ba82eb83d32e55787f00b753be8d75b143e7a0984918010719a3ee0f0334743/analysis/1487606754/

** https://www.virustotal.com/en/file/6356ed6ca05c8f87f1ae34aa1f3c4a119c5b6e811b00cb996ba688cc6695f683/analysis/1487607471/

lloydsbanksecuredocs .com: 45.55.36.38
159.203.126.233
159.203.117.63
159.203.115.143
159.203.170.214

sungkrorsang .com: 61.19.252.134: https://www.virustotal.com/en/ip-address/61.19.252.134/information/
> https://www.virustotal.com/en/url/27e7a98cde7df7094f20d32db75dcfa5d9625fa9e2a73bcf2e89e9fe32184e02/analysis/

pilbauer .com: 178.217.244.53: https://www.virustotal.com/en/ip-address/178.217.244.53/information/

:fear::fear: :mad:

AplusWebMaster
2017-02-21, 14:40
FYI...

Rogue Chrome extension - tech support scam
- https://blog.malwarebytes.com/threat-analysis/2017/02/rogue-chrome-extension-pushes-tech-support-scam/
Feb 21, 2017 - "... Google Chrome... no surprise to see it being more and more targeted these days. In particular, less than reputable -ad- networks are contributing to the distribution of malicious Chrome extensions via very deceptive means... Google Chrome users are profiled based on the user-agent string they show whenever they visit a website. Rather than redirecting them to an exploit kit, they are often redirected to fake software updates, scams, or rogue browser extensions... Once installed, this extension ensures it stays in hiding by using a 1×1 pixel image as its logo... and by hooking chrome://extensions and chrome://settings such that any attempt to access those is automatically redirected to chrome://apps. That makes it much more difficult for the average user to see what extensions they have, let alone uninstalling one of them... 'wouldn’t be complete without a tech support scam which it seems one can’t avoid these days. If the user clicked on a new tab or typed a ‘forbidden’ keyword, the redirection chain would then deliver a -fake- Microsoft warning:
> https://blog.malwarebytes.com/wp-content/uploads/2017/02/TSS1.png
... We detect and remove this one as Rogue.ForcedExtension.
IOCs:
Fake extension: pakistance .club: 104.27.185.37: https://www.virustotal.com/en/ip-address/104.27.185.37/information/
104.27.184.37: https://www.virustotal.com/en/ip-address/104.27.184.37/information/
lfbmleejnobidmafhlihokngmlpbjfgo
Backend server (ad fraud/malvertising):
amserver .info: 104.31.70.128: https://www.virustotal.com/en/ip-address/104.31.70.128/information/
104.31.71.128: https://www.virustotal.com/en/ip-address/104.31.71.128/information/
qma0.2dn .xyz: 173.208.199.163: https://www.virustotal.com/en/ip-address/173.208.199.163/information/
Tech support scam:
microsoft-official-warning .info: 66.23.230.31: https://www.virustotal.com/en/ip-address/66.23.230.31/information/
___

Fake 'Western Union' SPAM - delivers java adwind
- https://myonlinesecurity.co.uk/more-spoofed-western-union-malspam-continues-to-deliver-java-adwind/
21 Feb 2017 - "... -fake- financial themed emails containing java adwind or Java Jacksbot attachments. I have previously mentioned many of these HERE[1]. We have been seeing these sort of emails almost every day...
1] https://myonlinesecurity.co.uk/?s=java+adwind
The java Adwind versions are exactly the same as Yesterday’s versions detailed HERE[2]. The zip once again contains -2- different sized and named java files, although named differently to yesterday’s versions, they are identical.
2] https://myonlinesecurity.co.uk/spoofed-western-union-it-dept-wupos-agent-upgrade-delivers-java-adwind/

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/02/Western-Union-rtra-rules.png

DETAILS OF PROHIBITED INDIVIDUALS SCREENED FOR THIS TRANSACTION AND MTCN.jar (507kb) VirusTotal 8/58*
Payload Security**

WESTERN UNION RTRA RULES AND REFUND IN FULL..jar (333kb) VirusTotal 8/57*** | Payload Security[4]

... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/7700eb067c966f5b6015ebd4e4945e00c224c01efaf1f77604f1a06996f678a2/analysis/1487577130/

** https://www.hybrid-analysis.com/sample/7700eb067c966f5b6015ebd4e4945e00c224c01efaf1f77604f1a06996f678a2?environmentId=100

*** https://www.virustotal.com/en/file/6a56eeb1172b8b895a53ed47691239dae93d19fc1f140a120a0464beacdae303/analysis/1487577144/

4] https://www.hybrid-analysis.com/sample/6a56eeb1172b8b895a53ed47691239dae93d19fc1f140a120a0464beacdae303?environmentId=100
Contacted Hosts
83.243.41.200
___

BoA 'Access Locked' - phish
- https://myonlinesecurity.co.uk/bank-america-phishing-scam/
21 Feb 2017 - "A slightly different phishing scam for a change. The phishing site is a FTP site which is very unusual...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/02/Bank-of-America-Alert-Your-Online-Access-is-Temporarily-Locked.png

The link-in-the-email goes to: ftp ://121.170.178.35 /License/logon.htm
where you see a site looking like:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/02/BofA_FTP_signon.png "

121.170.178.35: https://www.virustotal.com/en/ip-address/121.170.178.35/information/
> https://www.virustotal.com/en/url/317ec9b5c767caf2f0697361e99c2f8fe2254e7ee51abb1779a2954dd63e2497/analysis/
___

'TurboTax' - phish
- https://myonlinesecurity.co.uk/turbotax-important-notice-request-for-account-update-phishing/
21 Feb 2017 - "Another phishing scam, this time TurboTax:

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/02/turbotax-Important-Notice-Request-for-Account-Update.png

The link goes to http ://whitesandscampground .com/images/www.turbotax.com/index.html where you see this page, asking for all the usual details to steal your identity as well as all your bank and credit card accounts and all your money:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/02/turbotax-phishing-page.png "

whitesandscampground .com: 205.204.89.214: https://www.virustotal.com/en/ip-address/205.204.89.214/information/
> https://www.virustotal.com/en/url/293b141852f722080d51e30d062d8f5703a1646296e460b0ede687cdb8fd26d6/analysis/

:fear::fear: :mad:

AplusWebMaster
2017-02-22, 15:23
FYI...

Fake 'Secure Bank Comm' SPAM - delivers Trickbot
- https://myonlinesecurity.co.uk/spoofed-canada-revenue-agency-important-secure-bank-communication-malspam-delivers-trickbot-banking-trojan/
22 Feb 2017 - "An email with the subject of 'Important – Secure Bank Communication' coming from either Canada Revenue Agency <no-reply@ secure-gc .ca> or Canada Revenue Agency <no-reply@ securegcemail .ca> with a malicious word doc attachment delivers Trickbot banking Trojan...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/02/canada-revenue-agaency-secure-doc.png

22 February 2017: SecureDoc.doc - Current Virus total detections 2/55[1] 2/55[2]
Payload Security [1A] [2A] none of which are showing the download location of the actual Trickbot itself, although it is on Virus Total 20/58[3]. I am informed[4] the download location is
www .TPSCI .COM/pngg/granionulos.png -or- http ://www .sungkrorsang .com/fileFTP/granionulos.png
which of course is -not- an image file but a renamed .exe... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
1] https://www.virustotal.com/en/file/fcd0eef7dec8141df9704da6fcf6543d6b18526ef2944b2a225b36883c7a0b4a/analysis/1487783258/

2] https://www.virustotal.com/en/file/bea79c0a9445e48019cb65c494d90a366ae9f4f45ea3a330beb39dbddecb072b/analysis/

1A] https://www.hybrid-analysis.com/sample/fcd0eef7dec8141df9704da6fcf6543d6b18526ef2944b2a225b36883c7a0b4a?environmentId=100

2A] https://www.hybrid-analysis.com/sample/bea79c0a9445e48019cb65c494d90a366ae9f4f45ea3a330beb39dbddecb072b?environmentId=100

3] https://www.virustotal.com/en/file/8dbddb55d22bff09a5286e10edc104e67dec8c864bc06a797183e9b898423427/analysis/

4] https://twitter.com/GossiTheDog/status/834453695299518464

TPSCI .COM: 203.121.180.74: https://www.virustotal.com/en/ip-address/203.121.180.74/information/
> https://www.virustotal.com/en/url/8d2abb870d46dd468b8c01246ce20f2266da858215f65b960ff1e1960a1ce0cb/analysis/

sungkrorsang .com: 61.19.252.134: https://www.virustotal.com/en/ip-address/61.19.252.134/information/
> https://www.virustotal.com/en/url/773bfa543ee80ce5ca0db5dda59ec2002f0de997b3d2975fb071e258e1fda633/analysis/
___

Dropbox phish
- https://myonlinesecurity.co.uk/you-have-2-new-documents-dropbox-phishing/
22 Feb 2017 - "Another phishing email, this time spoofing -Dropbox- where you land on a page with lots of different email providers and the evil scum doing these phishes will pop up the appropriate one for you to enter all your details, pretending that you can now sign into dropbox using your email address. After giving the details you get sent to the genuine DropBox site:

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/02/dropbox_phishing_email.png

The -link- goes to http ://www.pedraforte .net/js/index/klnkjfe/dropbox/dropbox/ (there might be other sites, there usually are with these scams) where you see a page looking like:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/02/dropbox_phishing.png
Select -any- of the links and you get:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/02/dropbox_phishing1.png "

pedraforte .net: 192.185.217.111: https://www.virustotal.com/en/ip-address/192.185.217.111/information/
> https://www.virustotal.com/en/url/85c6b743832fca360807f9633efbab6f1ee415ab0ccafc0188e1d05ae6a5552e/analysis/

:fear::fear: :mad:

AplusWebMaster
2017-02-27, 14:57
FYI...

Fake 'XpressMoney' SPAM - delivers java adwind
- https://myonlinesecurity.co.uk/more-spoofed-xpressmoney-compliant-report-delivers-java-adwind/
27 Feb 2017 - "We continue to be plagued daily by fake financial themed emails containing java adwind or Java Jacksbot attachments. I have previously mentioned many of these HERE[1]...
1] https://myonlinesecurity.co.uk/?s=java+adwind
This appears to be a newish Java Adwind version in this email... The email looks like:
From: XM.accounts@ xpressmoney .com <aproc@ xpressmoney .com>
Date: Mon 27/02/2017 00:56
Subject: Fwd: Reference: Xpress Money compliant report
Attachment: Details.zip
Dear Agent,
The attached Compliant report was issued on Thursday online by a customer about you. We will need your feedback as soon as possible before 24hours or your terminal will be blocked.
Regards
Nasir Usuman
Regional Compliance Manager Pakistan & Afghanistan
Global Compliance, Xpress Money ...

Email Headers: I have received -alot- of these early this morning in 2 waves. They are coming from 2 IP numbers/servers:
60.249.230.30: https://www.virustotal.com/en/ip-address/60.249.230.30/information/
Country: TW
83.243.41.200: https://www.virustotal.com/en/ip-address/83.243.41.200/information/
Country: DE
70.32.90.96: https://www.virustotal.com/en/ip-address/70.32.90.96/information/
Country: US
83.243.41.200: https://www.virustotal.com/en/ip-address/83.243.41.200/information/
Country: DE

hinet.net: Could not find an IP address for this domain name...

27 February 2017: REF.XPIN 742352XXXXXXXXX.jar (333kb) - Current Virus total detections 13/57*
Payload Security** ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/071de844dd296292ebdce912c36aca0b40b510216a293dbd334614605b5377f4/analysis/1488178107/

** https://www.hybrid-analysis.com/sample/071de844dd296292ebdce912c36aca0b40b510216a293dbd334614605b5377f4?environmentId=100

:fear::fear: :mad:

AplusWebMaster
2017-03-02, 15:05
FYI...

Fake 'debit card' – Phish
- https://myonlinesecurity.co.uk/disputed-debit-card-transactions-natwest-phishing/
2 Mar 2017 - "... many email clients, especially on a mobile phone or tablet, only show the NatWest and not the bit in <xxxx>. This one has a HTML page attachment, not even a link to the phishing site in the email body. The attachment has the -link- which goes to:
http ://www .immosouverain .be/css/supst.html which -redirects- you to the actual phishing site:
http ://planurday .in/css/WaL0eHW/4!@_1.php?s0=;87d929c328f8c62a231c1cc95057fb7087d929c328f8c62a231c1cc95057fb70

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/03/Disputed-debit-card-transactions-NatWest.png

All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email..."

immosouverain .be: 5.135.218.101: https://www.virustotal.com/en/ip-address/5.135.218.101/information/

planurday .in: 78.142.63.63: https://www.virustotal.com/en/ip-address/78.142.63.63/information/

:fear::fear: :mad:

AplusWebMaster
2017-03-03, 18:52
FYI...

'Free' AV coupon leads to tech support scam
- https://blog.malwarebytes.com/threat-analysis/2017/03/free-antivirus-coupon-leads-tech-support-scam/
Mar 3, 2017 - "... This scheme is actually hosted on the same domain that was running the fake Windows support we described before and our assumption is that users are -redirected- to this coupon page via a similar malvertising campaign. It plays on special offers, discounts and time-limited deals to entice you to claim your product now, choosing between Norton or McAfee. After filling in your personal details (which are actually sent off to the crooks), a page simulates the offer being processed only to fail with an error message. Victims are mislead into thinking that their offer was redeemed, but that they -must- perform a final call to get it completed... This is where the tech support scam comes in. Once you call that number, you are routed to an Indian boiler room where one of many agents will take remote control of your computer to figure out what went wrong. (Un)shockingly, the -bogus- technician will identify severe problems that need an immediate fix... Despite the scam being about Norton, the technician brushes it off as useless when it comes to the real deal: “Junk is a kind of virus which is the most harmful virus“. With his technical expertise, he proceeds to highly recommend the most expensive plan, for a lifetime low price of $400. Of course, there is nothing there, it’s a pure rip-off where once they have your money, they couldn’t care less about helping you out (for a problem you didn’t have in the first place anyway)...There are other scam domains also hosted on this IP (166.62.1.15)... Instantpccare .com is familiar and related to a previous investigation* where the owner of that tech support company incriminated himself by posting a comment on our blog which shared the same IP address as the remote technician who had just scammed us. As always, please stay vigilant online when you see 'free coupons' or other similar offers. They often are the gateway to a whole of trouble..."
* https://blog.malwarebytes.com/threat-analysis/criminals/2016/05/the-hunt-for-tech-support-scammers/

> https://blog.malwarebytes.com/tech-support-scams/

166.62.1.15: https://www.virustotal.com/en/ip-address/166.62.1.15/information/

Related:
166.62.1.1: https://www.virustotal.com/en/ip-address/166.62.1.1/information/
___

Fake 'IRS Urgent' SPAM - delivers ransomware
- https://myonlinesecurity.co.uk/spoofed-irs-urgent-notification-malspam-delivers-ransomware/
3 Mar 2017 - "... an email with the subject of 'IRS Urgent Notification' pretending to come from Dick Richardson who pretends to be an IRS Tax Officer. I have seen dozens of these and they all come from random email addresses. Dick Richardson changes his job in different emails. Sometimes he is a tax officer or a Tax Specialist or Tax department manager as well as an official representative...
Update: I am reliably informed[1] this is Shade/Troldesh ransomware...
1] https://id-ransomware.malwarehunterteam.com/identify.php?case=2e0cd5425eae85fcdd94526e5ea894b2e24d5e47
Other subjects include:
Realty Tax Arrears – IRS
Please Note – IRS Urgent Message
IRS Urgent Message
Overdue on Realty Tax ...

One of the emails looks like:
From: Dick Richardson <electric@ oceanicresources .co.uk>
Date: Thu 01/09/2016 19:22
Subject: IRS Urgent Notification
Attachment: link-in-email
Dear Citizen,
My name is Dick Richardson, I am the official representative of the Internal Revenue Service, Realty Tax Department.
My office is responsible for notification of citizens, description of the tax system for them, supporting citizens on issues related to tax procedures, arrears, and payments, etc.
In the present case, I have to notify you that you have the considerable tax arrears pertaining to your property. More specifically, there is the tax debt for your realty – the realty tax. Generally, we make no actions in case of such delays for 4-6 months, but in your context, the overdue period comes to 7 months. Thereby, we must take relevant measures to remedy the situation.
Particularly for your convenience, our specialists have made the full and comprehensive report for you. It contains the full information regarding realty tax accrual, your debt (including the total amount), and the chart of overdue payments for each month of the arrears period.
Please download the report directly from the official server of the IRS, going to the link:
http ://radiotunes .co.uk/wp-content/plugins/simple-social-icons/index0.html
Please study the document at the earliest possible moment. Actually, after receiving this message, you have only 1 day to contact your taxmanager and provide them with the information you get in the report in order to resolve the problem. Differently, significant charges and fines may apply.
Best Regards,
Dick Richardson,
Realty Tax Division
Internal Revenue Service ...

Realty.tax.division.xls.zip: Extracts to: Realty.tax.division.xls.js - Current Virus total detections 5/56*
Payload Security** shows a download from
www .metropolisbangkok .com/assets/70958ae0/fonts/gcdf/templates/winscr.exe (VirusTotal 14/58***)...
There are loads of -other- sites in the body of alternative emails downloading the .js file...
The basic rule is NEVER open any attachment -or- link-in-an-email, unless you are expecting it..."
* https://www.virustotal.com/en/file/8ddf908f8f1ba26942d5697964a6dbf3cb86e1703cf5a4903d92b54928439ff7/analysis/1488549054/

** https://www.hybrid-analysis.com/sample/8ddf908f8f1ba26942d5697964a6dbf3cb86e1703cf5a4903d92b54928439ff7?environmentId=100
Contacted Hosts (15)

*** https://www.virustotal.com/en/file/50d4b6751f288b5ad1e6d4ab10c64c609bebf5d939593e1eed4e8f1652e4efab/analysis/

radiotunes .co.uk: 192.138.189.151: https://www.virustotal.com/en/ip-address/192.138.189.151/information/
> https://www.virustotal.com/en/url/bc5a239ea549d24d2ec4fd3fed6b87f9d0beff857dcecd6e2f0052063adcf70f/analysis/

metropolisbangkok .com: 27.254.96.21: https://www.virustotal.com/en/ip-address/27.254.96.21/information/
> https://www.virustotal.com/en/url/2091891e6d3ccc2b77fef6f3fd9b4702b20e1060198b05c3d80977fe8d2833c2/analysis/

:fear::fear: :mad:

AplusWebMaster
2017-03-06, 00:21
FYI...

Fake UPS, USPS, FedEx SPAM - deliver Cerber ransomware
- https://myonlinesecurity.co.uk/locky-distribution-network-now-distributing-cerber-and-kovter-via-spoofed-cannot-deliver-your-parcel-malspam/
4 Mar 2017 - "... we are noticing that the 2 different malspammed versions of spoofed/faked 'UPS, USPS, FedEx failed to deliver your parcel' malspam are now distributing Cerber ransomware instead of Locky or Sage 2 along with Kovter... I am continuing to document the 2 versions... changes and different sites used to distribute them: HERE[a] and HERE[b]...
a] https://myonlinesecurity.co.uk/spoofed-fedex-and-usps-kovter-and-locky-sites/

b] https://myonlinesecurity.co.uk/spoofed-fake-usps-unable-to-deliver-your-parcel-malspam-now-delivering-multiple-malware/

The subjects all mention something about 'failing to deliver parcels' and includes:
Courier was not able to deliver your parcel (ID0000333437, FedEx)
Our UPS courier can not contact you (parcel #4633881)
USPS issue #06914074: unable to delivery parcel
Parcel #006514814 shipment problem, please review
USPS parcel #3150281 delivery problem
Courier was not able to deliver your parcel (ID006976677, USPS)
Parcel 05836911 delivery notification, USPS
New status of your UPS delivery (code: 6622630)
Please recheck your delivery address (UPS parcel 004360910)
Status of your USPS delivery ID: 158347377
FedEx Parcel: 1st Attempt Unsuccessful
Delivery Unsuccessful, Reason: No Answer
Express FedEx Parcel #614617064, Current Status: Delivery Failed
... basically identical in the body of the email (the delivery service changes and switches between FedEx, UPS, USPS) ... The attachment is a zip file with a second zip inside it that extracts to a .js file. These have names like UPS-Parcel-ID-4633881.zip that extracts to UPS-Parcel-ID-4633881.doc.zip that extracts to UPS-Parcel-ID-4633881.doc.js...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/03/usps_v1_cerber.png

... Examples of this version VirusTotal [1-4/56] [2-15/59] [3-7/59] Payload Security [4] [5] [6]...

Currently the format is < site from array.top >/counter/?< variable m> where m is a long set of random looking characters hard coded in the js file. and the actual download comes from site name.top /counter/exe1.exe Yesterday was Cerber. VirusTotal [7-3/55] [8-17/59]. Payload Security[9] and /counter/exe2.exe delivers Kovter (VirusTotal 10-10/59). Currently at the time of writing all the .top sites I have listed are down and not responding. As soon as the new set of emails arrive, I will post images of them with any changes."
1] https://www.virustotal.com/en/file/7858c5aeae773b077b169ecdb48780cbd91151422cda10985621c80df577b343/analysis/1488613659/
UPS-Parcel-ID-4633881.doc.js

2] https://www.virustotal.com/en/file/509c15d7cf5a90bbdb6cc69453f2d94f96f37317fb0befeeb3b758cea23354b7/analysis/1488609050/
5d3fa709e29d.png

3] https://www.virustotal.com/en/file/0ff42f0e77f3f6ac4c15d31a92745187eb33f2e60917f501832d89aaa4804868/analysis/1488609063/
fe3be7902ac8.png

4] https://www.hybrid-analysis.com/sample/7858c5aeae773b077b169ecdb48780cbd91151422cda10985621c80df577b343?environmentId=100
UPS-Parcel-ID-4633881.doc.js
Contacted Hosts (1234)

5] https://www.hybrid-analysis.com/sample/0ff42f0e77f3f6ac4c15d31a92745187eb33f2e60917f501832d89aaa4804868?environmentId=100
fe3be7902ac8.png
Contacted Hosts (1088)

6] https://www.hybrid-analysis.com/sample/509c15d7cf5a90bbdb6cc69453f2d94f96f37317fb0befeeb3b758cea23354b7?environmentId=100
5d3fa709e29d.png
Contacted Hosts (382)

7] https://www.virustotal.com/en/file/5d254bde32d9a5da3fd83134dc194724a9186cd2839edc702b775fee286cde4f/analysis/1488510919/
Delivery-Details.js

8] https://www.virustotal.com/en/file/a5aa7057863a86bcf1a04f5f56a97197b2a7c88858792cff3a8401aee308b651/analysis/
carved_1.exe

9] https://www.hybrid-analysis.com/sample/5d254bde32d9a5da3fd83134dc194724a9186cd2839edc702b775fee286cde4f?environmentId=100
Contacted Hosts (1240)

10] https://www.virustotal.com/en/file/cf5444a209492a84d299add1c3ae115ec28e180f46a910bdaa698e21c701a58f/analysis/1488526482/
exe2[1].exe

:fear::fear: :mad:

AplusWebMaster
2017-03-06, 23:35
FYI...

Fake 'DVLA' SPAM - delivers Trojan
- https://myonlinesecurity.co.uk/spoofed-dvla-failure-of-notify-change-of-keeper-final-warning-malspam-delivers-ursnif-banking-trojan/
6 Mar 2017 - "Following on from recent parking, speeding and companies investigations malspam delivering ursnif banking Trojan, todays example spoofs the DVLA and pretends to be a warning that you will be fined if you don’t report the change of keeper. They use email addresses and subjects that will scare, persuade or entice a user to read the email and open the attachment -or- follow the links-in-the-email... Following the link-in-the-email you get sent via a passthrough/redirect site where you eventually land on the fake/spoofed DVLA site...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/03/Failure-Of-Notify-Change-of-Keeper-Final-Warning.png

Case_10133-4.js - Current Virus total detections 5/56*. Payload Security** shows a download from
http ://djphanton .de/Tatjanapolinski/wp-admin/network/MEJMhJDp/cs.pdf which is -not- a pdf but a renamed .exe file (VirusTotal 36/58***)... The basic rule is NEVER open any attachment -or- click-on-a-link in an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/8ddf908f8f1ba26942d5697964a6dbf3cb86e1703cf5a4903d92b54928439ff7/analysis/1488549054/

** https://www.hybrid-analysis.com/sample/8ddf908f8f1ba26942d5697964a6dbf3cb86e1703cf5a4903d92b54928439ff7?environmentId=100
Contacted Hosts
27.254.96.21
128.31.0.39
193.23.244.244
212.51.143.20
51.254.112.52
95.215.61.4
195.154.97.160
178.62.43.5
178.33.107.109
104.200.16.227
195.169.125.226
217.79.178.60
213.197.22.124
85.214.115.214

*** https://www.virustotal.com/en/file/50d4b6751f288b5ad1e6d4ab10c64c609bebf5d939593e1eed4e8f1652e4efab/analysis/

djphanton .de: 85.214.35.155: https://www.virustotal.com/en/ip-address/85.214.35.155/information/
> https://www.virustotal.com/en/url/d11b2bbcdef345deb1688c32a680ef8dbe0b2f4eae946ccfd91af5783a70bc39/analysis/

:fear::fear: :mad:

AplusWebMaster
2017-03-07, 17:45
FYI...

Fake 'BENEFICIARY' SPAM - delivers java malware
- https://myonlinesecurity.co.uk/spoofed-orient-exchange-co-benficiary-remittance-confirmation-delivers-java-adwind/
7 Mar 2017 - "... plagued daily by -fake- financial themed emails containing java adwind or Java Jacksbot attachments... we are seeing 2 slightly different delivery methods today both spoofing Orient Exchange Co. (L.L.C.)...
The 1st email looks like:
From: a.bouazza@ bkam .ma
Date: Tue 07/03/2017 09:34
Subject: BENEFICIARY REMITTANCE CONFIRMATION
Attachment: BENFICIARY REMITTANCE CONFIRMATION.zip
Body content:
Dear agent,
Please kindly Confirm the status of this transaction.
The remitter demands for the payment record, because the beneficiary has
filed a complaint against your remitting outlet.
So Please kindly check the attached complaint form and reference of
transaction if it was paid, Please report to us with receipt of
transaction to clear your name.
Thanking You,
Orient Exchange Co. (L.L.C.)...

Version 1 (the attached zip): BENFICIARY REMITTANCE CONFIRMATION.jar (274kb) is using a 1 week old version of java adwind Trojan Current Virus total detections 14/57*: Payload Security** ...

The second version is slightly more devious and has a genuine PDF attachment that contains-a-link to dropbox
( https ://www.dropbox .com/s/jws0fszxa48c3sx/COMPLAIN%20OF%20UNPAID%20REMITTANCE.zip?dl=0) to download the zip file that contains 2 different copies of the java jar files...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/03/orient-exchange-dropbox-pdf.png

Version 2 (the dropbox) contains 2 identical java.jar files
BENEFICIARY COMPLAINT FORM FILED AGAINST YOUR BRANCH.jar -and-
CONFIRMATION AND REFRENCE OF THIS TRANSACTION NEEDED.jar (323kb) VirusTotal 25/56*** | Payload Security[4]...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/a00e49dbbb73742db2bd9c6631dde52f6fdafa9b17e3d0d5b272644ee42383b9/analysis/1488354204/

** https://www.hybrid-analysis.com/sample/a00e49dbbb73742db2bd9c6631dde52f6fdafa9b17e3d0d5b272644ee42383b9?environmentId=100

*** https://www.virustotal.com/en/file/cdee5a505937c68a4733d7a9798529ebbf7ea4aa3ed4ce3461aaaa8bf2cbc803/analysis/1488888491/

4] https://www.hybrid-analysis.com/sample/cdee5a505937c68a4733d7a9798529ebbf7ea4aa3ed4ce3461aaaa8bf2cbc803?environmentId=100
Contacted Hosts
83.243.41.200: https://www.virustotal.com/en/ip-address/83.243.41.200/information/
> https://www.virustotal.com/en/url/fc1507977e05efd485b1d835b0633ae7d283c9e1961b2af64883e79a5a6dc1d0/analysis/

:fear::fear: :mad:

AplusWebMaster
2017-03-08, 17:37
FYI...

Fake 'invoice' SPAM - delivers malware
- https://myonlinesecurity.co.uk/copy-invoice-581652-spoofed-onehotcookiefranchise-com-delivers-dridex-banking-trojan/
8 Mar 2017 - "An email with the subject of 'copy invoice 581652' pretending to come from Wes gatewood <Wes@ onehotcookiefranchise .com> with a malicious word doc attachment delivers what looks like Dridex banking Trojan... The email looks like:
From: Wes gatewood <Wes@ onehotcookiefranchise .com>
Date: Wed 08/03/2017 12:47
Subject: copy invoice 581652
Attachment: inv-0928(copy).doc
Hi,
Please see attached copy invoice 581652
Wes gatewood
Direct Tel: 01787 658153
Fax: 01787 658153 ...

inv-0928(copy).doc - Current Virus total detections 5/57*: Payload Security** shows a download from http ://birchwoodplaza .com/54gf3f (VirusTotal 9/59***) which I am guessing is Dridex... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/08c68e107ff841511f63f4ed144e3da8ea3d4ae7351b72ec72b5f231e5c648f6/analysis/1488977021/

** https://www.hybrid-analysis.com/sample/08c68e107ff841511f63f4ed144e3da8ea3d4ae7351b72ec72b5f231e5c648f6?environmentId=100
Contacted Hosts
72.167.131.153
107.170.0.14
37.120.172.171
81.12.229.190

*** https://www.virustotal.com/en/file/a7c602daed5e84b59974f5001d2e0faa51c0350ce8e396acf00555ac178c2306/analysis/1488970720/

birchwoodplaza .com: 72.167.131.153: https://www.virustotal.com/en/ip-address/72.167.131.153/information/
> https://www.virustotal.com/en/url/8236904c26ea72a5c6727f49d199724463c96458a652e3c2bccb0fc4656b61cf/analysis/

:fear::fear: :mad:

AplusWebMaster
2017-03-13, 19:23
FYI...

Fake 'Receipt' SPAM - delivers Trojan
- https://myonlinesecurity.co.uk/receipt-of-approved-purchase/
13 Mar 2017 - "... a password protected docx file as the malware attachment, spoofing https ://www.eway .com.au/ a well known Australian Credit card Payment/processing service. Without entering the password you cannot see the content of the word doc and that will -allow- it past antivirus checks... an email with the subject of 'Receipt of APPROVED purchase' pretending to come from customer@ ewaystore .info with a malicious word doc or Excel XLS spreadsheet attachment delivers what looks like some sort of Zeus/Zbot/ Panda banking Trojan... However ewaystore .info was registered on 12 March 2017 by criminals:
- https://whois.domaintools.com/ewaystore.info

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/03/eway-payment-spoofed-email.png

The word doc looks like:
- https://myonlinesecurity.co.uk/wp-content/uploads/2017/03/eway-malicious-word-doc.png

... Other subjects in this series seen so far include, some with and some without various numbers of exclamation marks:
Receipt of APPROVED payment!
Receipt of APPROVED purchase!
Receipt of APPROVED purchase
Receipt of APPROVED purchase at eWAY!!
Receipt of APPROVED purchase!! ...

Order_326794.docx ... Luckily the contact who sent me this did manage to find the download which is
http ://earlychildhoodconsulting .com.au/flash.exe (VirusTotal 8/60*). Payload Security** which in turn downloads groupcreatedt .at/pav/32.bin (VirusTotal 0/54***) which is encrypted and will be either data or needs to be decrypted by the flash.exe or the original docx file... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://virustotal.com/en/file/e843eded3d68d3c2741aea33092a4b25c07a2ffd8dd9beaa317f7487cb0e0420/analysis/

** https://www.hybrid-analysis.com/sample/e843eded3d68d3c2741aea33092a4b25c07a2ffd8dd9beaa317f7487cb0e0420?environmentId=100
Contacted Hosts
78.111.243.83
208.67.222.222

*** https://www.virustotal.com/en/file/67be184d19f72f5a75c66fd434c51f2cfad6aee9911c36e5dc8c5fb3e7921955/analysis/1481049239/

earlychildhoodconsulting .com.au: 192.185.163.104: https://www.virustotal.com/en/ip-address/192.185.163.104/information/
> https://www.virustotal.com/en/url/ef0c2cedfb4a73a9f3af8f4d5fe5080da768be8b875646e86a7cdf4f55aaf87c/analysis/

groupcreatedt .at: 5.105.45.139
46.98.252.42
46.119.92.41
93.113.176.105
77.122.51.2
195.211.242.109
93.78.227.231
176.99.113.116
109.87.247.145
37.229.39.217

:fear::fear: :mad:

AplusWebMaster
2017-03-15, 12:59
FYI...

Fake 'payment receipt' SPAM - delivers malware
- https://myonlinesecurity.co.uk/attached-is-the-copy-of-your-payment-receipt-malspam-delivers-malware/
15 Mar 2017 - "... an email with the subject of 'Document:36365' coming from random companies, names and email addresses with a semi-random named zip attachment which delivers what looks like Dridex banking Trojan ... One of the emails looks like:
From: Susie <Susie@ novayaliniya .com>
Date: Wed 15/03/2017 09:35
Subject: Document:36365
Attachment: document_3332.zip
Attached is the copy of your payment receipt.
Susie

document_3332.zip: Extracts to: file_356.js - Current Virus total detections 0/56*
MALWR** shows a download of a txt file from http ://mercurytdsconnectedvessel .com/hjg6657 which is renamed by the script to hjg6657.exe (VirusTotal 8/61***) MALWR[4]... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/dab922858071ff630b1318437e475b09abfad2fa04fd43c476e146f92ddc9b79/analysis/

** https://malwr.com/analysis/NDA3MGE5Yjk3M2I5NDUyYThmNzEzNDE1MjE0NWM0ZjQ/

*** https://www.virustotal.com/en/file/6a1cd455f09b4317a52c34527c2b5ab76d7e8735464a1d91811e1dbc0bce3d80/analysis/1489573275/

4] https://malwr.com/analysis/OGM5NDVmMTkwNjczNGUzNmI0N2Y1MzNkNmZkZDRlODQ/

mercurytdsconnectedvessel .com: 66.135.46.202: https://www.virustotal.com/en/ip-address/66.135.46.202/information/
> https://www.virustotal.com/en/url/08e783bfbf0f9077e33f20af13fe54515fd6edbf937296548ef72ab49e255bf7/analysis/

:fear::fear: :mad:

AplusWebMaster
2017-03-16, 12:54
FYI...

Fake 'Returned Sendout Transaction' SPAM - delivers java adwind
- https://myonlinesecurity.co.uk/spoofed-ahalia-money-exchange-returned-sendout-transaction-delivers-java-adwind/
16 Mar 2017 - "... This appears to be a newish Java Adwind version in this email, see below for details. The zip/Rar file contains -2- different sized and differently named java.jar files that both are slightly different Adwind versions...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/03/Returned-Sendout-Transaction.png

Benficiary details.jar (497kb) - Current Virus total detections 19/58*
Transaction Report.jar (267kb) - Current Virus total detections 18/59**
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/b43155bc09dd23ea8d06824eb7ec52bd68fad4366f02a25f851ab77a7ced2e50/analysis/1489657794/

** https://www.virustotal.com/en/file/84004dc6758b1a09538114ad3e10891da62f151275b35b3e1f03781bb1e4e2be/analysis/1489657804/
___

Fake 'new message' SPAM - delivers sharik, smoke trojan
- https://myonlinesecurity.co.uk/youve-got-a-new-message-in-your-nest-mailbox-malspam-delivers-sharik-smoke-trojan/
15 Mar 2017 - "An email with the subject of 'You’ve got a new message in your NEST mailbox' pretending to come from do_not_reply@ nestpensions .org.uk with a malicious word doc attachment delivers smoke, dofoil, sharik Trojan... Nest Pensions are the UK Government workplace pension services that helps employers to provide a pension for all employees. These emails are coming via a -lookalike- email address info@nestpensions_randomnumber .top. The contact who forwarded me the details received several, all from different nestpensions_nnn .top. The email looks like:
Subject: You’ve got a new message in your NEST mailbox
Attachment: 0239478234862465.doc
There’s a new message in your NEST mailbox.
We’re confirming that payment of 6822.95 will be taken by Direct Debit in accordance with your agreed terms.
Please see the details in attached file.
What do you need to do now?
Please log into www .nestpensions .org.uk. Some messages may have important documents attached for you to read.
Where to go for help
We provide online support and answers to frequently asked questions at www .nestpensions .org.uk/help
Regards
Richard Hardy NEST Employer Services Manager ...

0239478234862465.doc - Current Virus total detections 6/56*. Payload Security** shows a download from
http ://robertefuller .com/adobe1403.exe (VirusTotal 6/61***). Payload Security[4]... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/b8d717681630ccf3f0e6adecfb14bb7cc1f62f9158369b83d6826fe816a8cb96/analysis/1489594975/

** https://www.hybrid-analysis.com/sample/b8d717681630ccf3f0e6adecfb14bb7cc1f62f9158369b83d6826fe816a8cb96?environmentId=100
Contacted Hosts
81.29.88.131
92.122.180.80
139.59.64.134

*** https://www.virustotal.com/en/file/52825855f3ba0bae260ae186f34f202aa26cd74c865dac788fa71c7589dafb36/analysis/1489591624/

4] https://www.hybrid-analysis.com/sample/52825855f3ba0bae260ae186f34f202aa26cd74c865dac788fa71c7589dafb36?environmentId=100
Contacted Hosts
192.150.16.117
139.59.64.134

robertefuller .com: 81.29.88.131: https://www.virustotal.com/en/ip-address/81.29.88.131/information/
> https://www.virustotal.com/en/url/293a27fe59c6c606632d4e1731992bbbea695a273fdb91896413c1a4dd3b6784/analysis/

:fear::fear: :mad:

AplusWebMaster
2017-03-18, 15:53
FYI...

Update to Fake 'FedEx, UPS and USPS' SPAM - delivers ransomware
- https://myonlinesecurity.co.uk/why-you-should-k-i-s-s-keep-it-simple-stupid/
18 Mar 2017 - "A quick update to the never ending spoofed emails from 'FedEx, UPS and USPS cannot deliver your parcel' malspam that generally delivers Locky ransomware and Kovter with the occasional Nemucod ransomware or Cerber ransomware thrown into the mix... noticed a slight change today where it looks like the “apprentice” coding the javascript file in the email -attachment- has tried to be too clever and resulted in a spectacular fail. Instead of the usual “counter.js” or “counter.txt ” that gives the current download sites and what malware to download & run it just gives the php interpreter file that they bundle with the malware downloads...
Update 18 March 2017: Another mistake from this gang today. Once again an incorrect “var m” is hardcoded in the js file attachment. MALWR* | Payload Security**. If “var m” ends in a character( a-z, A-Z) you get the counter.txt telling you which sites to download from & what malware to download. If “var m” ends in a number 0-9 you either get an empty file or in the case of 1-5 various files associated with the malware kit. 1 is normally Locky, occasionally Cerber and very rarely has been sage ransomwares. 2 is always kovter. 3 and 4 are innocent php interpreter files that the malware uses to do its nefarious deeds. 5 (when it exists) is a php list of file types to encrypt. Some days or weeks 5 does not exist & the list of file types to encrypt is hard coded into one of the other files...
* https://malwr.com/analysis/ZGYzZTdhZWUzODY0NDY2ZmExMDUwZGY2NGQzNjNkMmU/
Hosts
184.168.58.126
50.62.253.1
50.62.238.1
184.168.177.1
173.201.141.128

** https://www.hybrid-analysis.com/sample/2cc8d4c4592912ea3fa9a6557f9ef79f55c5a93f586da9ff94b03946486f0fa7?environmentId=100
Contacted Hosts
184.168.58.126
50.62.253.1
50.62.238.1
184.168.177.1
173.201.141.128

... all sites are downloading a 0 byte harmless empty file but if you do a little bit of simple editing of the javascript file and correct the apprentice’s mistake by removing the last digit to leave a character you get MALWR*** | Payload Security[4] -both- showing crypted files and nemucod ransomware at work.
Direct downloads of the malware 1.exe (Locky) VirusTotal 13/62[5] | 2.exe (kovter) VirusTotal 16/62[6]
Currently counter/txt is nemucod ransomware, which delivers a very heavily obfuscated javascript file...
*** https://malwr.com/analysis/YzY4YjU2OWFhOGE0NDFkNDg1MTQ1ZDBhMTQ3NTZhNmU/
Hosts
184.168.58.126
50.63.219.1

4] https://www.hybrid-analysis.com/sample/0efe306d96b5436dd53805abdf84c2042e4bb2878f8512b52561a1f82e0d8db9?environmentId=100
Contacted Hosts (423)

5] https://www.virustotal.com/en/file/5efb5369e00cec615c8ad1bd78d1b02c9505c2cfd462823a669ef478f9769fbb/analysis/1489825684/

6] https://www.virustotal.com/en/file/3c8c5595179d17122ccd5459078ddcad08480ebbf8c98ee67406da3661dbc5d6/analysis/1489825694/

... you end up with this txt file on your desktop (and normally the same as a html desktop background) the bitcoin address and the download decryptor links are individual to each javascript attachment. -Every- email attachment has a randomly hard coded address, which is embedded inside the Var “m” in the javascript..."

:fear::fear: :mad:

AplusWebMaster
2017-03-20, 12:46
FYI...

Fake 'Western Union' SPAM - delivers java adwind
- https://myonlinesecurity.co.uk/spoofed-western-union-sendout-transaction-report-download-via-fake-dropbox-site-delivers-java-adwind/
20 Mar 2017 - "... a slightly different subject and email content to previous ones. Many Antiviruses on Virus Total detect these heuristically... The link-in-the-email does not go to dropbox but to a compromised website being used to spread this malware https ://www.opelhugg .com/components/Sendout Report.zip... As usual with these, the zip contains -2- differently named and different size java.jar files...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/03/spoofed-WU-Sendout-Transaction-Report.png

beneficiary and mtcn details.jar (272kb) - Current Virus total detections 15/59* MALWR**
Sender’s copy of pending transaction..jar (501kb) - Current Virus total detections 20/58***. MALWR[4]...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/59c780bdc4529af33c424ff32f3ad2dd578d3974fb3207ea7b4da6624bff3812/analysis/1489993883/

** https://malwr.com/analysis/MzdiYzJkNDdmMjY3NDNkMjg0MTEwMTZkN2JjYTBmNTY/

*** https://www.virustotal.com/en/file/33a19f65230870a33619ac626c59d5a7262f2c6679dc4126ea490ec53139c3c8/analysis/1489993897/

4] https://malwr.com/analysis/ZTk2NTBkZjdiMTZiNGNhNzk1OTNiYjdhMTgyNzExMDM/

opelhugg .com: 208.83.210.25: https://www.virustotal.com/en/ip-address/208.83.210.25/information/
> https://www.virustotal.com/en/url/aa6fc5b78ac403b3b0a9c4191e341a74a299ca8e0ce0cb9d42b7287889c38ffe/analysis/
___

Fake 'Your order' SPAM - delivers Ramnit
- http://blog.dynamoo.com/2017/03/more-highly-personalised-malspam-using.html
20 Mar 2017 - "... comes in using a broadly similar technique of including the potential victim's real home address while using apparently hijacked infrastructure (although in this case the hijacking isn't so elaborate).
From: customerservice@ newshocks .com [mailto:customerservice@ newshocks .com]
Sent: 15 March 2017 18:23
Subject: [Redacted] Your order 003009 details
Hello [redacted],
We are delighted to confirm details of your recent order 003009. We will email you again as soon as the items you have chosen are on their way to you.
If you have an online account with us, you can log in here to see the current status of your order.
You will receive another e-mail from us when we have despatched your order.
Information on order 003009 status here
All prices include VAT at the current rate. A full VAT receipt will be included with your order.
Delivery Address:
[Name and address redacted]
If you have any questions, or something about your order isn't right, please contact us. Or you can simply reply to this e-mail.
Best regards and many thanks...

The newshocks .com domain used in the "From" field matches the sending server of rel209.newshocks .com (also mail.newshocks .com) on 185.141.164.209. This appears to be a legitimate but -unused- domain belonging to a distributor of car parts. The link-in-the-email goes to clipartwin .com/customers/customer-status-003009-verified which is currently 404ing so I can't tell what the payload is, although the previous payload appears to be Ramnit* or similar. This is using another -hijacked- but apparently legitimate web server. I don't know where the data has leaked from, but in this case the victim had lived at the address for the past four years.. so the leak cannot be ancient..."
* https://www.hybrid-analysis.com/sample/5ca9540ca46b036d8409656a5200e1adee0f8d1bba68c045974407e20df6f710?environmentId=100
Contacted Hosts
180.149.132.47
185.117.74.77
52.9.172.230

185.141.164.209: https://www.virustotal.com/en/ip-address/185.141.164.209/information/

newshocks .com: 143.95.232.95: https://www.virustotal.com/en/ip-address/143.95.232.95/information/

clipartwin .com: 198.54.115.198: https://www.virustotal.com/en/ip-address/198.54.115.198/information/
___

Twitter app spams... and Amazon surveys
- https://blog.malwarebytes.com/cybercrime/2017/03/twitter-app-spams-fappening-bait-amazon-surveys/
Mar 20, 2017 - "... dodgy download links and random Zipfiles claiming to contain stolen nude photos and video clips, but today we’re going to look at one specific -spam- campaign aimed at Twitter users. The daisy chain begins with multiple links claiming to display stolen images of Paige, a well known WWE wrestler, caught up in the latest dump of files. With regards to two specific messages, we saw close to -300- over a 24 hour period (and it’s possible there were others we didn’t see). These appear to have been the most common:
> https://blog.malwarebytes.com/wp-content/uploads/2017/03/app-spam.jpg
... The Bit(dot)ly link, so far clicked close to 7,000 times, resolves to the following:
twitter(dot)specialoffers(dot)pw/funnyvideos/redirect(dot)php
That smoothly segues into an offered Twitter App install tied to a site called Viralnews(dot)com:
> https://blog.malwarebytes.com/wp-content/uploads/2017/03/app-install.jpg
... there’s one final -redirect- URL (a bit(dot)do address) which leads to an Amazon themed survey gift card page. Suffice to say, filling this in hands your personal information to marketers – and there’s no guarantee you’ll get any pictures at the end of it (and given the images have been stolen without permission, one might say the people jumping through hoops receive their just desserts in the form of a large helping of “nothing at all”)... it’s time to return to the app and see what it’s been up to on the Twitter account we installed it on:
> https://blog.malwarebytes.com/wp-content/uploads/2017/03/twitter-spam-pile.jpg
Automated spam posts, complete with yet more pictures used as bait. As freshly leaked pictures and video of celebrities continue to be dropped online, so too will scammers try to make capital out of image-hungry clickers. Apart from the fact that these images have been taken without permission so you really shouldn’t be hunting for them, anyone going digging on less than reputable sites is pretty much declaring open season on their computers. Do yourself a favor and leave this leak alone..."

:fear::fear: :mad:

AplusWebMaster
2017-03-21, 23:23
FYI...

Canada/U.K. hit by Ramnit Trojan - malvertising
- https://blog.malwarebytes.com/threat-analysis/exploits-threat-analysis/2017/03/canada-u-k-hit-ramnit-trojan-new-malvertising-campaign/
Mar 21, 2017 - "Over the last few days we have observed an increase in malvertising activity coming from adult websites that have significant traffic (several million monthly visits each). Malicious actors are using pop-under ads (adverts that load in a new browser window under the current active page) to surreptitiously -redirect- users to the RIG exploit kit. This particular campaign abuses the ExoClick ad network (ExoClick was informed and took action to stop the fraudulent advertiser based on our reports) and, according to our telemetry, primarily targets Canada and the U.K. The ultimate payloads we collected during this time period were all the Ramnit information stealer (banking, FTP credentials, etc.) which despite a takedown in 2015 has rebounded and is quite active again... The payloads we collected via our honeypot were all the Ramnit Trojan, which is interesting considering the traffic flow from the TDS (Canada, U.K. being the most hits recorded in our telemetry)...
IOCs...
RIG EK IPs:
188.225.38.209
188.225.38.186
188.225.38.164
188.225.38.131
5.200.52.240"
(More detail at the malwarebytes URL above.)
___

'Important Notification' - phish
- https://myonlinesecurity.co.uk/your-email-address-has-been-transmitting-viruses-phishing-scam/
21 Mar 2017 - ".. my webmail is being blocked for spreading viruses, or so this -phishing- scam wants me (and you) to believe...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/03/webmail-blocked.png

The link goes to http ://ostelloforyou.altervista .org/modules/007008.php where it -redirects- to a page looking like a typical webmail login page on a Cpanel server http ://transcapital .com.ge/language/hgfghj/webmail/index.php where after you insert an email address and password are bounded on to a genuine Cpanel webmail login page on http ://jattours .com:2095/ which appears to be an innocent site picked at random and doesn’t give any indication of actually being hacked or compromised:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/03/webmail-login.png "

ostelloforyou.altervista .org: 104.28.14.157: https://www.virustotal.com/en/ip-address/104.28.14.157/information/
> https://www.virustotal.com/en/url/d6d0a19a4090f185e5a3bc538f0c21837c77b54b88fc5d8d6975c9fd1b55395f/analysis/
104.28.15.157: https://www.virustotal.com/en/ip-address/104.28.15.157/information/
> https://www.virustotal.com/en/url/d6d0a19a4090f185e5a3bc538f0c21837c77b54b88fc5d8d6975c9fd1b55395f/analysis/

transcapital .com.ge: 213.157.215.229: https://www.virustotal.com/en/ip-address/213.157.215.229/information/
> https://www.virustotal.com/en/url/43b67ccc26997a8dd72dffc44a9c6b0292dfa3bbfdf100d8c54db3463d99300d/analysis/

jattours .com: 192.163.250.41: https://www.virustotal.com/en/ip-address/192.163.250.41/information/

:fear::fear: :mad:

AplusWebMaster
2017-03-22, 15:27
FYI...

Fake 'Energy bill' SPAM - delivers Dridex
- https://myonlinesecurity.co.uk/spoofed-your-gb-energy-supply-bill-00077334-is-attached-delivers-dridex-banking-trojan/
22 Mar 2017 - "A blank-empty-email with the subject of 'Your GB Energy Supply bill 00077334 is attached' pretending to come from szaoi <szaoi@ 21cn .com> with a malicious word doc attachment delivers Dridex banking Trojan... The email looks like:
From: szaoi <szaoi@ 21cn .com>
Date: Wed 22/03/2017 11:14
Subject: Your GB Energy Supply bill 00077334 is attached
Attachment: bill 000309573.docm

Body content: totally blank/Empty

bill 000309573.docm - Current Virus total detections 11/59*. Payload Security** | Malwr***

Manual analysis shows a download of an encrypted file from one of these locations:
palmcoastcondo .net/de3f3
shadowdalestorage .com/de3f3
lpntornbook .com/de3f3
precisioncut .com.au/de3f3
... which is converted by the macros to polivan2.exe (VirusTotal 12/62[4]) (Payload Security[5]) (MALWR[6])... This email attachment contains what appears to be a genuine word doc or Excel XLS spreadsheet with either a macro script or an embedded OLE object that when run will infect you... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/b402f364df9c53de6d08be12b555cc53508c541177c69175fcbbe2bb7e13d434/analysis/1490183915/

** https://www.hybrid-analysis.com/sample/b402f364df9c53de6d08be12b555cc53508c541177c69175fcbbe2bb7e13d434?environmentId=100
Contacted Hosts
52.0.119.245
8.8.247.36
107.170.0.14
37.120.172.171
81.12.229.190

*** https://malwr.com/analysis/NGI1MzE5ODMwNDhjNGFiYWFlNmIzN2VkMjIzZjFkY2Q/
Hosts
52.0.119.245

4] https://www.virustotal.com/en/file/faad1c3dc5b263f9c367646cfd9ae4b08dfb4b4c6cb5c2dfdf06d7d5510db007/analysis/1490184702/

5] https://www.hybrid-analysis.com/sample/faad1c3dc5b263f9c367646cfd9ae4b08dfb4b4c6cb5c2dfdf06d7d5510db007?environmentId=100
8.8.247.36
107.170.0.14
37.120.172.171
81.12.229.190

6] https://malwr.com/analysis/NWYwZGFlNjU0MGYzNDY4YTgwMGQyMDliZDRkZmRiMjM/
__

'Blank Slate' campaign pushing Cerber ransomware
- https://isc.sans.edu/forums/diary/Blank+Slate+malspam+still+pushing+Cerber+ransomware/22215/
2017-03-22 - "Cerber ransomware has been a constant presence since it was first discovered in February 2016. Since then, I've seen it consistently pushed by exploit kits (like Rig and Magnitude) from the pseudoDarkleech and other campaigns. I've also been tracking Cerber on a daily basis from malicious spam (malspam). Some malspam pushing Cerber is part of the 'Blank Slate' campaign. Why call it Blank Slate? Because the emails have -no- message text, and there's nothing to indicate what, exactly, the attachments are. Subject lines and attachment names are vague and usually consist of random numbers. An interesting aspect of this campaign is that the file attachments are double-zipped. There's a zip archive within the zip archive. Within that second zip archive, you'll find a malicious JavaScript (.js) file -or- a Microsoft Word document. These files are designed to infect a computer with ransomware...
> https://isc.sans.edu/diaryimages/images/2017-03-22-ISC-diary-image-09.jpg
... Potential victims must open an attachment from a -blank- email, go through -two- zip archives, then double-click the final file. If the final file is a Word document, the victim must also enable-macros..."
(More detail at the isc URL at the top.)

:fear::fear: :mad:

AplusWebMaster
2017-03-23, 13:40
FYI...

Word file targets -both- Windows and Mac OS X
- https://blog.fortinet.com/2017/03/22/microsoft-word-file-spreads-malware-targeting-both-apple-mac-os-x-and-microsoft-windows
Mar 22, 2017 - "... new Word file that spreads malware by executing malicious VBA (Visual Basic for Applications) code. The sample targeted both Apple Mac OS X -and- Microsoft Windows systems...
When the Word file is opened, it shows notifies victims to enable-the-Macro security option, which allows the malicious VBA code to be executed...
IoCs: URL:
hxxps ://sushi.vvlxpress .com:443/HA1QE
hxxps ://pizza.vvlxpress .com:443/kH-G5
hxxps ://pizza.vvlxpress .com:443/5MTb8oL0ZTfWeNd6jrRhOA1uf-yhSGVG-wS4aJuLawN7dWsXayutfdgjFmFG9zbExdluaHaLvLjjeB02jkts1pq2bR/
hxxps ://sushi.vvlxpress .com:443/TtxCTzF1Q2gqND8gcvg-cwGEk5tPhorXkzS0gXv9-zFqsvVHxi-1804lm2zGUE31cs/ "
(More detail at the fortinet URL above.)

vvlxpress .com: 184.168.221.63: https://www.virustotal.com/en/ip-address/184.168.221.63/information/
> https://www.virustotal.com/en/url/d790ebf690d0693051a9638a8ab4a6d0c14270c312ff2bc0dd32e7f8f775a0d7/analysis/

- https://www.helpnetsecurity.com/2017/03/23/malicious-word-windows-mac/
Mar 23, 2017 - "... The malicious Word file is currently flagged by nearly half of the malware engines used by VirusTotal*..."
* https://www.virustotal.com/en/file/06a134a63ccae0f5654c15601d818ef44fba578d0fdf325cadfa9b089cf48a74/analysis/

:fear::fear: :mad:

AplusWebMaster
2017-03-24, 14:45
FYI...

Fake 'Photos' SPAM - delivers Dridex
- https://myonlinesecurity.co.uk/photos-from-georgia-delivers-dridex-banking-trojan/
24 Mar 2017 - "... still not seeing the full volume of malware we have been used to seeing, but it is coming in steadily. They have gone back to an old favorite with an email pretending to be from some girl with a simple message saying 'photos' and a simple body content saying 'last 2'. I have only seen 1 copy so far and mine said it came from Georgia. I am pretty sure that almost any girls name will be used, it was in previous runs of this nature... Manual analysis shows a download of an encrypted file from one of these locations:
golongboard .pl/b723dd?
taddboxers .com/b723dd?
dfl210 .ru/b723dd?
naturalcode-thailand .com/b723dd? which is converted by the script to tRIVqu.exe3 and autorun by the script
(VirusTotal 6/62*)...
* https://www.virustotal.com/en/file/78ee97f3112d4a97f413e141ad095528cd04e394e391a7901374746e224bc178/analysis/1490356510/

One of the emails looks like:
From: Georgia
Date: Thu 01/09/2016 19:22
Subject: photos
Attachment: IMG_67727.zip

last 2

IMG_67727.zip: Extracts to: IMG_7339.vbs and a simple text file with loads of random characters.
Current Virus total detections 7/57**: Payload Security***... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
** https://www.virustotal.com/en/file/0afbbab640817eee396abd4c4aa1ca65066ad8f6a55b6fce78a09d3b7b426883/analysis/1490355913/

*** https://www.hybrid-analysis.com/sample/0afbbab640817eee396abd4c4aa1ca65066ad8f6a55b6fce78a09d3b7b426883?environmentId=100
Contacted Hosts
185.23.21.169
8.8.247.36
192.99.108.183
107.170.0.14
37.120.172.171

golongboard .pl: 185.23.21.17: https://www.virustotal.com/en/ip-address/185.23.21.17/information/
185.23.21.169: https://www.virustotal.com/en/ip-address/185.23.21.169/information/
> https://www.virustotal.com/en/url/d2268f417725efb7d1d5fdcaf3f95a1916a23d26986c73bc930b4fad8032c5be/analysis/
taddboxers .com: 107.180.55.17: https://www.virustotal.com/en/ip-address/107.180.55.17/information/
> https://www.virustotal.com/en/url/a85322cce57ce5d7f92286849eb8f9b040ff758b941b2c6aed3da9d7c6ed425d/analysis/
dfl210 .ru: 194.63.140.43: https://www.virustotal.com/en/ip-address/194.63.140.43/information/
> https://www.virustotal.com/en/url/77c056daa2986114184c1103b7c767ed21302ec2cd2869da668ae2fb7fc23923/analysis/

:fear::fear: :mad:

AplusWebMaster
2017-03-25, 13:40
FYI...

Fake 'Unusual sign-in' SPAM - delivers ransomware
- https://myonlinesecurity.co.uk/cerber-and-locky-ransomware-delivered-via-fake-chrome_update-exe
24 Mar 2017 - "... a change to one of the common Cerber -ransomware- delivery methods today... 'pretends to be from Adobe, The body content is all about an unusual sign in activity on your Microsoft account and the -link- goes to a spoofed/fake Chrome download site where the malware payload is a -fake- Google chrome installer...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/03/unusual-sign-in-activity.png

... Remember many email clients, especially on a mobile phone or tablet, only show the 'Name' in the 'From': and not the bit in <domain .com>. That is why these scams and phishes work so well...

chrome_update.exe - Current Virus total detections 19/61*. Payload Security**.. MALWR***...
The link in the email goes to http ://chromebewfk .top/site/chrome_update.html where you see this
-fake- Google Chrome download page... numerous other sites involved in this campaign, some delivering
Cerber and some Locky ransomware. One other site I have found is:
voperforseanx .top/site/chrome_update.html ...
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/03/spoofed-chrome-download-site.png
... They also display a -fake- Chrome 'terms & conditions' pop up when you press the 'download now':
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/03/fake-chrome-installer.png
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/1deb727ed389a37a83a04ca1fa6c5350dbba840bfc521b7abcce905c7a1f3d2c/analysis/1490381016/

** https://www.hybrid-analysis.com/sample/1deb727ed389a37a83a04ca1fa6c5350dbba840bfc521b7abcce905c7a1f3d2c?environmentId=100
Contacted Hosts (1088)

*** https://malwr.com/analysis/ZGM2YmQ1MmJiM2U2NDQyOWE5ZTdhMzRlYmI3MDkyZDk/

chromebewfk .top: 47.90.205.113: https://www.virustotal.com/en/ip-address/47.90.205.113/information/
> https://www.virustotal.com/en/url/2afafc8e5f3f03ebd64a77d50905f5c3e7134609d9c4ef588ef5f20f95b973c5/analysis/
voperforseanx .top: 47.90.205.113:
> https://www.virustotal.com/en/url/e42d9bbea07ec68fb36d3f68adeaccbf008a449c0fb9705cb66a4815c9dd8a75/analysis/

35.187.59.173: https://www.virustotal.com/en/ip-address/35.187.59.173/information/
> https://www.virustotal.com/en/url/2afafc8e5f3f03ebd64a77d50905f5c3e7134609d9c4ef588ef5f20f95b973c5/analysis/
> https://www.virustotal.com/en/url/e42d9bbea07ec68fb36d3f68adeaccbf008a449c0fb9705cb66a4815c9dd8a75/analysis/

:fear::fear: :mad:

AplusWebMaster
2017-03-27, 18:02
FYI...

Fake 'Xpress Money' SPAM - delivers java adwind
- https://myonlinesecurity.co.uk/xpress-money-un-respondedoutstanding-claims-delivers-java-adwind/
27 Mar 2017 - "... plagued daily by -fake- financial themed emails containing java adwind or Java Jacksbot attachments... This is more unusual than previous ones because the attachment is an -html- file rather than a zip file...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/03/xpress_money_PDF.png

If you open the attached html file you get a page saying:
e UN-responded/outstanding claims as of march 24th, Pending At Your Branch 2089/234. Download Secured File Here
The -link- behind the download here goes to http ://www.ctraxa .net/wp-content/plugins/akismet/XPRESS%20MONEY.pdf .. where you get a genuine PDF with yet-another-link-embedded:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/03/xpress_money_PDF.png

... which downloads the zip from http ://www.ctraxa .net/wp-content/plugins/akismet/XPINZ%20&%20UN-respondedoutstanding%20claims%20as%20of%20march%2024th.zip .. which contains -2- identical although different named java.jar files...

Complain Refrence.jar and Sendout Reference.jar (480kb) - Current Virus total detections 39/59*
Payload Security** ...

I have also been informed about -other- sites involved in this massacre scam today including:
http ://locandinadellavalle.altervista .org/wp-content/themes/metro-style/ruhiut/outstanding%20claims%20as%20of%20March%2024,2017.zip... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/f6d7e99ac151b90a0258af19d272ac163ae0631a050e46d8370169e8302388c2/analysis/1490614148/

** https://www.hybrid-analysis.com/sample/f6d7e99ac151b90a0258af19d272ac163ae0631a050e46d8370169e8302388c2?environmentId=100

ctraxa .net: 212.193.234.99: https://www.virustotal.com/en/ip-address/212.193.234.99/information/
> https://www.virustotal.com/en/url/74840c0c06f581f9377f4a05dcace9ecfb995c7dd72e647bf90f798ce503afcc/analysis/

locandinadellavalle.altervista .org: 104.28.2.143: https://www.virustotal.com/en/ip-address/104.28.2.143/information/
> https://www.virustotal.com/en/url/3d1d8d3890e27eaaf8105bebc277a22200844a515e4a6798f5f21eaf6c7ce27e/analysis/
104.28.3.143: https://www.virustotal.com/en/ip-address/104.28.3.143/information/
> https://www.virustotal.com/en/url/f889e28da0aa149a7b68cd2cc4b25ab3d74b3238d3e61ffe9f5162271fb4a77f/analysis/

:fear::fear: :mad:

AplusWebMaster
2017-03-28, 16:33
FYI...

Fake 'Important matter' SPAM - delivers unknown malware
- https://myonlinesecurity.co.uk/disturbing-important-matter-malspam-delivers-unknown-malware/
28 Mar 2017 - "This email was forwarded to me by a contact who works for a public service agency. I have redacted the actual recipients domain and any email address. There is a 'Charmaine' [redacted] living at the address listed according to google searches. I am sure that there will be a lot of other emails with other real details that will really scare the recipients into opening these emails and being infected. They are using email addresses and subjects that will scare or entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers. Remember many email clients, especially on a mobile phone or tablet, only show the Name in the From: and not the bit in <domain .com >. That is why these scams and phishes work so well... The email looks like:
From: Antony Gfroerer <antongfoufou@ wanadoo .fr>
Date: Tue, 28 Mar 2017 09:37:38 +0000
To: Charmaine [redacted] <c*********@ [redacted]>
Subject: Charmaine
Attachment: victim.dot (renamed from recipients name)
Hello, Charmaine!
I am disturbing you for a very important matter. Though we are not familiar, but I have considerable ammount of information concerning you. The matter is that, most probably mistakenly, the data of your account has been sent to me.
For example, your address is:
5 [redacted] Lane
Perth
Perthshire and Kinross
PH2 [redacted]
I am a lawful citizen, so I decided to personal details may have been hacked. I pinned the file – victim.dot that that was emailed to me, that you could find out what information has become accessible for fraudsters. File password is – 2131
I look forward to hearing from you,
Antony Gfroerer ...

victim.dot - Current Virus total detections 0/55*. Payload Security** is unable to analyse as an unsupported format. MALWR*** shows nothing... I am informed that they download:
galaxytown .net/store/read.gif -and- effeelle .eu/img/logo.gif which appear to be genuine gif files from the headers, although they refuse to display as any sort of image file and must contain some sort of embedded -malware- content... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/d47cadd8d1b73d414f352fac548649117778b29b0a0b03020c4930221596bcdd/analysis/1490695414/

** https://www.hybrid-analysis.com/sample/d47cadd8d1b73d414f352fac548649117778b29b0a0b03020c4930221596bcdd?environmentId=100
Contacted Hosts
62.149.140.45: https://www.virustotal.com/en/ip-address/62.149.140.45/information/
> https://www.virustotal.com/en/url/fa46a04e28de9865b6cde24ddf77023c8e2a16ad065684e48cd9f65a3dca3c34/analysis/

*** https://malwr.com/analysis/NDQ3MDg1OGZhYzgxNGYxNzkxZDVmZjlhNWUyNDViYjQ/

galaxytown .net: 67.225.216.115: https://www.virustotal.com/en/ip-address/67.225.216.115/information/
> https://www.virustotal.com/en/url/7b69c320d888727c1119eec3b438e95ae0b0d366e340cd445f706d2ccf198912/analysis/
___

'Message from IT' - Phish
- https://myonlinesecurity.co.uk/important-message-from-it-sector-office-365-phishing/
28 Mar 2017 - "... slightly different than many others and much more involved and complicated. It pretends to be a message from IT support to update webmail to use Office 365 / Outlook web access...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/03/Important-message-from-IT-Sector.png

This email has a genuine PDF attachment:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/03/O365_upgrade.png
If you follow the link inside the pdf you see a webpage looking like this:
[ http ://radioclassicafm .com.br/lr/barracuda/barracuda/index.html ]
>> https://myonlinesecurity.co.uk/wp-content/uploads/2017/03/baracuda_signin1.png
After you input your email address and password, you get told -incorrect- details and -forwarded- to an almost identical looking page where you can put it in again:
>> https://myonlinesecurity.co.uk/wp-content/uploads/2017/03/webmail_baracuda_login.png
Then you get sent to an imitation of the Google Verification page where they ask for either your phone number or alternative email address...
>> https://myonlinesecurity.co.uk/wp-content/uploads/2017/03/spoofed_google_verify.png
Then you get a 'success' page... All of these emails use Social engineering tricks to persuade you to open the -attachments- that come with the email..."

radioclassicafm .com.br: 216.172.173.156: https://www.virustotal.com/en/ip-address/216.172.173.156/information/
> https://www.virustotal.com/en/url/2fd63ec317dcd5cc46a1f328e73417c57a3889af277ce93f08422453713bbdc8/analysis/

:fear::fear: :mad:

AplusWebMaster
2017-03-30, 12:48
FYI...

Fake 'Payment Receipt' SPAM - delivers malware
- https://myonlinesecurity.co.uk/payment-receipt-79159-malspam-delivers-malware/
30 Mar 2017 - "... -blank- or -empty- body emails today with the subject of 'Payment Receipt 79159'
(almost certainly random numbers) coming or pretending to come from random companies, names and email addresses with a semi-random named zip attachment, that does -not- match the subject line which delivers what some AV are calling nymaim Trojan, while others are just giving heuristic detections. This starts with a zip Receipt28765.zip which extracts to PaymentReceipt.zip which extracts to PaymentReceipt86654.exe which has an icon making it look like a PDF file... One of the emails looks like:
From: donotreply@ yuku .biz
Date: Thu 30/03/2017 06:15
Subject: Payment Receipt 79159
Attachment: ea00ba32a5.zip

Body content: Totally empty/blank

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/03/Payment-Receipt-79159.png

Receipt28765.zip: Extracts to: PaymentReceipt86654.exe - Current Virus total detections 18/61*
Payload Security**... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/55ec6f583047cddc172eb1008fb44927de748c1a30f3bee65ba8239ac3990089/analysis/1490851299/

** https://www.hybrid-analysis.com/sample/55ec6f583047cddc172eb1008fb44927de748c1a30f3bee65ba8239ac3990089?environmentId=100
Contacted Hosts
84.200.69.80: https://www.virustotal.com/en/ip-address/84.200.69.80/information/
> https://www.virustotal.com/en/url/b672c93aca4f510282ef199d84877053954cc42599623de31429f4d8b673e11e/analysis/
___

Fake 'Confirmation' SPAM - delivers malware
- https://myonlinesecurity.co.uk/confirmation-letter-enclosed-please-see-attachment-malspam-delivers-malware/
30 Mar 2017 - "... an email with the subject of 'uk_confirmation_ph489329718.pdf' (random numbers) coming or pretending to come from info@ random companies and email addresses with a semi-random named zip attachment...
Update: I am being reliably informed it is QuantLoader* which is dropping various malwares including Dridex banking Trojan [1] [2] [3]...
* https://blogs.forcepoint.com/security-labs/locky-distributor-uses-newly-released-quant-loader-sold-russian-underground

1] https://www.virustotal.com/en/file/6adda664e3ab2936a8dbe8e95e10d33e34d13fbe375123c69abf3ac5fbf52fcd/analysis/

2] https://www.virustotal.com/en/file/59bebe69c6273edf9f4a2d2841f8624dc295c8d3fcb668960c1ca5b954e871fe/analysis/

3] https://www.virustotal.com/en/file/f503d9077dce8092bd99f79c5db8e1a8f30a2df0828cab63cb764dcb5d111771/analysis/

One of the emails looks like:
From: info@criticare-anaesthesia .co.uk
Date: Thu 30/03/2017 12:15
Subject: uk_confirmation_ph489329718.pdf
Attachment: uk_confirmation_ph489329718.zip
Confirmation letter enclosed. Please see attachment.

uk_confirmation_ph489329718.pdf.zip :Extracts to: uk_confirmation_ph954869378.exe - Current Virus total detections 15/60**. Payload Security***. Nothing is definite on what these are but it looks vaguely like a zeus/Zbot variant.
Update: now getting a -second- run with same file names that Clam AV on the mailserver is detecting as Win.Trojan.Ag-3 and quarantining VirusTotal 10/62[4] | Payload Security[5]... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
** https://www.virustotal.com/en/file/ac4d02637e1e01b16062f368658275cb8400b21f6592819d3a09dbee31cb5cc1/analysis/1490873262/

*** https://www.hybrid-analysis.com/sample/ac4d02637e1e01b16062f368658275cb8400b21f6592819d3a09dbee31cb5cc1?environmentId=100

4] https://www.virustotal.com/en/file/1814d47adfe7a34cd2e5b2a9d6841a32677764c8498012f3ff13a5772ba9107e/analysis/1490874947/

5] https://www.hybrid-analysis.com/sample/1814d47adfe7a34cd2e5b2a9d6841a32677764c8498012f3ff13a5772ba9107e?environmentId=100
Contacted Hosts
8.8.247.36
81.12.229.190
107.170.0.14
37.120.172.171

:fear::fear: :mad:

AplusWebMaster
2017-03-31, 14:46
FYI...

Fake 'Western Union' SPAM - delivers java adwind
- https://myonlinesecurity.co.uk/spoofed-western-union-daily-cash-report-malspam-delivers-java-adwind/
31 Mar 2017 - "... plagued daily by -fake- financial themed emails containing java adwind or Java Jacksbot attachments...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/03/Daily-Cash-Report.png

Western Union Cash Report Reference.jar (478kb) - Current Virus total detections 15/59*: MALWR**
... All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/5ac4dc97394533f5e49fd18c92c7ce49e620404ffa2986ace0a15f6925f48a23/analysis/1490914940/

** https://malwr.com/analysis/YmJlMjM2OGRmNGI3NGJhMWIwOWFlYTExMzRjZmM4ZmU/
___

> https://myonlinesecurity.co.uk/spoofed-western-union-refund-delivers-java-adwind/
30 Mar 2017
Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/03/western-union-refund.png
"... links in the email go to http ://www.ctraxa .net/wp-content/plugins/akismet/views/Western Union Refund Transaction.zip ..."
ctraxa .net: 212.193.234.99: https://www.virustotal.com/en/ip-address/212.193.234.99/information/
> https://www.virustotal.com/en/url/dea6930dacb24f1126f1899be0632e77a585ae5b8240613155e009f5c43a0df2/analysis/
2017-03-31
___

Fake 'GameStop' SPAM - delivers malware
- https://myonlinesecurity.co.uk/spoofed-gamestop-co-uk-help-gamestop-order-no-327609-malspam-delivers-malware/
31 Mar 2017 - "... an email with the subject of '[GameStop] Order No.327609' (random numbers) pretending to come from “GameStop .co.uk Help” with a semi-random named zip attachment which delivers malware. The attachment extracts to -2- files: First a long set of random characters and numbers .exe that has an icon of a PDF file and a genuine PDF with just a few numbers in it called info.pdf...
Update: First indications are that is a plain and simple Dridex banking Trojan, not the Quantloader intermediary...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/03/GameStop-Order-No.32760.png

066525-960519-20170331-105353-2f0134f7-23cd-f947-1b65-f1a530c28254.zip:
Extracts to: 156910-268936-20161128-151851-de121ee8-6954-4911-80aa-8255b6b023cb.exe
Current Virus total detections 11/62*. Payload Security** | MALWR***
... There are frequently dozens or even hundreds of different download locations, sometimes delivering the exactly same malware from all locations and sometimes slightly different malware versions from each one... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/4d76f25637f4193457b124290f878a47b5b9361ff486b79dc48a2d5c3648de02/analysis/1490951595/

** https://www.hybrid-analysis.com/sample/4d76f25637f4193457b124290f878a47b5b9361ff486b79dc48a2d5c3648de02?environmentId=100

*** https://malwr.com/analysis/ODM1MzkzM2VjNTg3NDA4NThmMjgwYjdmM2IyMDhhZDI/
___

Fake 'Payment Request' SPAM - delivers Dridex
- https://myonlinesecurity.co.uk/payment-request-malspam-spoofing-hedley-ellis-ltd-delivers-dridex/
31 Mar 2017 - "... a 'Payment Request' email coming from random email addresses. The payload is the -same- as this slightly earlier campaign spoofing GameStop .co.uk*. The file -names- are different but the content is
-identical- with -same- SHA-256 hash numbers. All the copies I have seen -spoof- Hedley & Ellis Ltd, Newark Road, Peterborough, PE1 5UA in the email body, but have totally random senders with the email address in the email body...
* https://myonlinesecurity.co.uk/spoofed-gamestop-co-uk-help-gamestop-order-no-327609-malspam-delivers-malware/

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/03/payment-request.png

... There are frequently dozens or even hundreds of different download locations, sometimes delivering the exact same malware from all locations and sometimes slightly different malware versions from each one... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."

:fear::fear: :mad:

AplusWebMaster
2017-04-04, 13:48
FYI...

Fake 'Contract' SPAM - delivers trojan
- https://myonlinesecurity.co.uk/malspam-with-your-full-private-details-with-password-protected-word-docs-delivering-malware/
4 Apr 2017 - "... malspam emails with password protected word doc attachments. They come with various subjects and themes, but they all contain -genuine- information about the recipient. Some like this one, only have the recipients full Name, Address and email address but some also contain genuine phone numbers, either landline or mobile numbers. An email with the subject of '[recipients name] Contract EFKP030417GD' pretending to come from random senders with a malicious word doc attachment...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/04/Contract-EFKP030417GD.png

victim.EFKP030417GD.doc - eventually downloads Ursnif (virustotal 10/60*) see VT comments for full details...
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://virustotal.com/en/file/2e013cc6c8419e26df4ec35edfcb5017f38b661e98534e2fddfd3bc21120c689/analysis/1491230132/
03EF8.exe

Ursnif: http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/
"... banking Trojan..."
___

Fake 'DHL Delivery' SPAM - delivers js malware
- https://myonlinesecurity.co.uk/more-spoofed-dhl-delivery-malspam-delivers-malware/
4 Apr 2017 - "... an email with the subject of 'DHL Delivery' coming or pretending to come from DHL Express UK. These do look very realistic and if you are expecting a delivery today (many recipients will be) you can be very easily fooled by it... from the various reports are connections to various well known websites and webmail services like Google, Facebook, Yahoo, Nirsoft .com and what looks like attempted logins. The javascript file is basically -obfuscated- by simple reversing the url strings embedded in the file, so for example these reverse encoded strings embedded in the js file...
/6863daolnwod/se.aicnelapnerarpmoc//:ptth
/7184daolnwod/moc.leuftnuocsidupe//:ptth
/4372daolnwod/moc.puorgcmc//:ptth
/4819daolnwod/ku.oc.nimdagcc.www//:ptth
/8522daolnwod/xm.moc.zenitramoderfla.www//:ptth
Transform to:
http ://www .alfredomartinez .com.mx/download2258/ : 162.144.80.161: https://www.virustotal.com/en/ip-address/162.144.80.161/information/
> https://www.virustotal.com/en/url/cb8d8c3a5b7eb38f6a6da9efde417eaef89007d471c88445fc0320dbf2a67052/analysis/
http ://www .ccgadmin .co.uk/download9184/ : 193.238.80.70: https://www.virustotal.com/en/ip-address/193.238.80.70/information/
> https://www.virustotal.com/en/url/8dfb0fbcfcb39f30bf81a32c574c1578ae461ce663889a3777ccb57252315435/analysis/
http ://cmcgroup .com/download2734/ : 216.218.207.100: https://www.virustotal.com/en/ip-address/216.218.207.100/information/
> https://www.virustotal.com/en/url/d4db227d76a09425b6804453ceba93f2fcaad40dace46365a7a4929e8490798c/analysis/
http ://epudiscountfuel .com/download4817/ : 69.175.87.139: https://www.virustotal.com/en/ip-address/69.175.87.139/information/
> https://www.virustotal.com/en/url/250c707fc522d3b1ac6013b2345d3fc5330723030c92a7e1b6089ad1e7e38783/analysis/
http ://comprarenpalencia .es/download3686/ : 149.202.107.130: https://www.virustotal.com/en/ip-address/149.202.107.130/information/
> https://www.virustotal.com/en/url/debd8cc211552c83c170359856727c8ac768f375b23fbbbdb814f46cb32dd5f9/analysis/
...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/04/dhl-delivery-malspam-email.png

The link in the email goes to http ://atvicon .com/OXF31666g/ where you see an open directory. Selecting index.php gives you the download of the .js file (VirusTotal 12/56*). The payload Security report** of this .js file shows lots of other urls associated with this malware & downloads, some of which give an immediate download of the .js file. The Payload Security report shows a download of a file named 2tlj63ijo.exe (VirusTotal 28/61***) (Payload Security[4]) ... my -manual- download gave me (VirusTotal 8/62[5]) Payload Security[6] ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/48f1261ea47b780a32f7dcf5212f2dc6336ca19007cc17fc6e01b38374bbcce7/analysis/1491300071/
DHL__Report__5238760711__Di__April__04__2017.js

** https://www.hybrid-analysis.com/sample/48f1261ea47b780a32f7dcf5212f2dc6336ca19007cc17fc6e01b38374bbcce7
Contacted Hosts
216.218.207.100
87.106.105.76
67.205.128.122

*** https://www.virustotal.com/en/file/063afc48e24de77e7a388f1332ea851b2457b4a00463d6c3745682b98a276f92/analysis/
2tlj63ijo.exe

4] https://www.hybrid-analysis.com/sample/063afc48e24de77e7a388f1332ea851b2457b4a00463d6c3745682b98a276f92?environmentId=100
Contacted Hosts
87.106.105.76
67.205.128.122

5] https://www.virustotal.com/en/file/534a3697b3803796d2caa1cdf866ea34900c0e01392c964613d0004188e61c84/analysis/1491300282/
5960.exe

6] https://www.hybrid-analysis.com/sample/534a3697b3803796d2caa1cdf866ea34900c0e01392c964613d0004188e61c84?environmentId=100
Contacted Hosts
87.106.105.76
67.205.128.122

atvicon .com: 67.222.136.31: https://www.virustotal.com/en/ip-address/67.222.136.31/information/
___

Fake 'Western Union' SPAM - delivers java adwind
- https://myonlinesecurity.co.uk/spoofed-western-union-awd09678-mtcn-18-funds-verification-on-142017-delivers-java-adwind/
4 Apr 2017 - "... -fake- financial themed emails containing java adwind or Java Jacksbot attachments... Unlike today’s slightly earlier Java Adwind malspam spoofing Bank of Bahamas*, this one does have a new Java Adwind version at the end of the complicated delivery chain...
* https://myonlinesecurity.co.uk/spoofed-bank-of-the-bahamas-international-notification-of-funds-transfer-delivers-java-adwind/

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/04/AWD09678-MTCN-18-Funds-Verification-on-1_4_2017.png

These contain a genuine PDF that has a link to the site to download a zip file. First the pdf looks like:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/04/mtcn_wu_pdf.png
The link today goes to:
http ://publikasi-fbio .ukdw .ac.id/css/WesternUnion_Fund_Verification_As_of_1st_April_2017.htm
where you see this page with instructions trying to make you think it is genuine with yet another download link:
http ://publikasi-fbio .ukdw .ac.id/css/WesternUnion_Fund_Verification_As_of_1st_April_2017.zip

> https://myonlinesecurity.co.uk/wp-content/uploads/2017/04/spoofedWU_downloadpage.png

AWD020025 MTCN 25 Funds Verification.jar (478kb) Current Virus total detections 11/58*: MALWR**
details.jar (119kb) Current Virus total detections 5/55***: Payload Security[4]... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/365fab7253231748ea6ddde9ccba59589d2c98717a43df604dc68988e6397df6/analysis/1491283408/
AWD020025 MTCN 25 Funds Verification.jar

** https://malwr.com/analysis/N2JkYTE4ZmZhN2IyNGFmNWJjMGY4ZDQwYmE2NTFiOGU/

*** https://www.virustotal.com/en/file/830aaeccfa79f9cee2eded1c6d7bfb987d936776cf28f511c33086d008a419f7/analysis/1476250143/

4] https://www.hybrid-analysis.com/sample/830aaeccfa79f9cee2eded1c6d7bfb987d936776cf28f511c33086d008a419f7?environmentId=100

publikasi-fbio .ukdw .ac.id: 119.235.252.122: https://www.virustotal.com/en/ip-address/119.235.252.122/information/
> https://www.virustotal.com/en/url/c087b04720db120a6e0a73a59ca8e38d1bda8c5be50a59f2048071e297f1f960/analysis/
___

'Quota Exceeded' - Phish
- https://myonlinesecurity.co.uk/spoofed-webmail-alert-victimvictimdomain-com-quota-exceeded-please-add-now-phishing/
4 Apr 2017 - "... phishing attempts for email credentials...:

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/04/Quota-Exceeded-Please-Add-Now.png

If you follow the -link- inside-the-email you see a webpage looking like this:
http ://maharajasweet .com/flash/bestdomain/?email=victim@domain.com :
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/04/maharahjasweet_webmail_phish.png

... recognize familiar details like our email address or domain name... look at the -real- address in the URL bar at the top of the page:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/04/maharahjasweet_webmail_phish2.png
After you input your email address and password, you get a 'success' page:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/04/success.png

... whether it is a straight forward attempt, like this one, to -steal- your personal, bank, credit card or email and social networking log in details... the final IP address outside of your network in the Received: fields can be trusted as others can be -spoofed- ..."

maharajasweet .com: 209.200.238.28: https://www.virustotal.com/en/ip-address/209.200.238.28/information/
> https://www.virustotal.com/en/url/28e5fd3ae8dce697de8fd6f7d7d60785f1271b369dc8163a78caa51861e05373/analysis/

:fear::fear: :mad:

AplusWebMaster
2017-04-07, 00:39
FYI...

Malvertising on iOS - VPN app
- https://blog.malwarebytes.com/threat-analysis/2017/04/malvertising-on-ios-pushes-eyebrow-raising-vpn-app/
April 6, 2017 - "... we discovered this -scareware- campaign that pushes a ‘free’ VPN app called 'My Mobile Secure' to iOS users via rogue ads on popular Torrent sites. The page plays an ear-piercing beeping sound and claims your device is 'infected with viruses':
> https://blog.malwarebytes.com/wp-content/uploads/2017/04/scareware_.png
... Apple has released an update to their mobile operating system (iOS 10.3.1*) to avoid so-called “browser lockers” via incessant JavaScript popups that prevented users from closing the offending page. Having said that, social engineering attacks such as the one above are still active and prey on the surprise effect or culpability someone may experience after browsing sites with pirated material:
* https://support.apple.com/HT207688
... According to their website, MobileXpression is a market research panel designed to 'understand the trends and behaviors of people using the mobile Internet'. This seems a bit peculiar when applied to a VPN product, whose goal is to precisely anonymize your online activity by encrypting your data from your ISP, government, bad guys, etc... Free does not mean Open Source or risk-free for that matter. But the fact of the matter is that people tend to gravitate towards free products, especially if those are pushed aggressively via hungry advertisers. For this reason, users should pay even more attention before installing a free app:
> https://blog.malwarebytes.com/wp-content/uploads/2017/04/privacy1.png
... data should never be collected in the first place because some very unfortunate things can happen once it is logged in a database. Haven’t there been enough data breaches lately to be seriously concerned with what kind of data a company may collect (inadvertently or not)? Choosing the right VPN application these days has become very challenging due to the renewed interest in online privacy (there are other reasons people buy VPNs as well, such as to bypass geo-restrictions from services like Netflix, the BBC, etc). It’s important to take the time to review the companies behind those products, their policies, and real reviews, not -fake- or sponsored ones. At the end of the day, you are placing your data and trust in someone else’s hands.
Kudos to CloudFlare for terminating the scareware domain in less than five minutes.
IOCs:
onclkds .com: 206.54.163.50
xml.admetix .com: 173.239.53.20
clk1005 .com: 173.192.117.80
inclk .com: 108.168.157.87
browserloading .com: 52.3.189.94
52.21.139.228
52.4.167.240
giveawaywins .com: 104.31.67.144
104.31.66.144
securecheckapp .com: 192.64.119.233

206.54.163.50: https://www.virustotal.com/en/ip-address/206.54.163.50/information/
> https://www.virustotal.com/en/url/6820d310f0e72989332ae0a0efeb3fa9421793436dfe0d7b5c56b3d5a2ad21a9/analysis/
173.239.53.20: https://www.virustotal.com/en/ip-address/173.239.53.20/information/
> https://www.virustotal.com/en/url/6fd4dcbdd98c7ac718b0af7f8686f4ad5625d80591ce70ce0321f13ac98d9603/analysis/
173.192.117.80: https://www.virustotal.com/en/ip-address/173.192.117.80/information/ <<<
108.168.157.87: https://www.virustotal.com/en/ip-address/108.168.157.87/information/
> https://www.virustotal.com/en/url/6375cd19b37139b6964acde515e22bef57329df0e6b16a1efd30f48f4a6f3683/analysis/
52.29.11.13: https://www.virustotal.com/en/ip-address/52.29.11.13/information/ <<<
104.31.67.144: https://www.virustotal.com/en/ip-address/104.31.67.144/information/ <<<
104.28.17.3: https://www.virustotal.com/en/ip-address/104.28.17.3/information/ <<<
192.64.119.233: https://www.virustotal.com/en/ip-address/192.64.119.233/information/ <<<
..."

:fear::fear: :mad:

AplusWebMaster
2017-04-07, 14:30
FYI...

Fake 'Customer Statement' SPAM - deliverers malware
- https://myonlinesecurity.co.uk/spoofed-hedley-ellis-ltd-customer-statement-malspam-deliverers-malware/
7 Apr 2017 - "An email with the subject of pretending to come from random companies with a zip file that extracts to another zip that eventually extracts to a malicious word doc attachment delivers malware probably Dridex banking Trojan. Currently Payload Security has a massive backlog so analysis is pending...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/04/customer-statement.png

Statement_SE8743.docm - Current Virus total detections 8/58* MALWR**...
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/1f595dee4cd691174acf1898b62248cfd37aeebdad65c580f4c983277381b7d1/analysis/1491553437/

** https://malwr.com/analysis/Nzg2ZDExM2Q4ODU2NGM0ODkwNzRlMzc3MTg1MGM4NjQ/
Hosts
195.114.1.135
___

Fake '.JPG' SPAM - delivers Dridex
- https://myonlinesecurity.co.uk/emailing-pic9744891-jpg-malspam-delivers-dridex/
7 Apr 2017 - "... an email with a subject saying something like 'Emailing: PIC9744891.JPG' (random numbers and file extensions... Gif, JPG, Tiff, Png or any other image or doc file extension). They all come from random senders. The zip attachment extracts to another zip file that eventually extracts to the VBS dropper...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/04/dridex-malspam.png

PIC9390310.vbs - Current Virus total detections 5/56* - MALWR** shows a download of an encrypted file from
http ://staciedunlop .com/87hcwc? which is converted by the script to KhtLPsv.exe (VirusTotal 14/61***)
Each VBS file has 4-or-5 embedded urls that download the encrypted text file that gets converted to the Dridex payload... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/3e7a64418e00bc72f5b3f13abe53012958fa857e4a3163dec32c11d90b36f411/analysis/1491567450/

** https://malwr.com/analysis/YzY3OGY0MWU1ZGZkNDBkYTljYjQxYzRjNjhmYTJlOWQ/
Hosts
64.69.93.68

*** https://www.virustotal.com/en/file/4d8d30b4b5d8390e9da1a27503ad90fe73ea63f1c103bc5a5bab208413b7539b/analysis/1491568169/

staciedunlop .com: 64.69.93.68: https://www.virustotal.com/en/ip-address/64.69.93.68/information/
> https://www.virustotal.com/en/url/8753d9816cb7123155430fd25d7add3a66ea2227285e66909ecf359393a3af59/analysis/

:fear::fear: :mad:

AplusWebMaster
2017-04-08, 20:35
FYI...

'Paypal Update acct info' – Phish
- https://myonlinesecurity.co.uk/paypal-update-account-information-phishing-with-a-difference/
8 Apr 2017 - "We see lots of phishing attempts for PayPal details. This one is slightly different than many others and much more involved and complicated. This one has an html -attachment- that contains the phishing acts... They ask you to give all the usual details... The whole HTML file is -encrypted- ...
Update: ... by numerous contacts on Twitter, eventually it has been discovered that
http ://www.accunetix .net/80f78664.php is the phishing drop site...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/04/spoofed-paypal-Update-account-information.png

The html form looks like this (reduced in size to fit on one screenshot):
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/04/paypal-phishing-html-atatchment.png

... Watch for -any- site that invites you to enter ANY personal or financial information..."

accunetix .net: 94.102.60.170: https://www.virustotal.com/en/ip-address/94.102.60.170/information/
> https://www.virustotal.com/en/url/a9ba2392cf67c310fd60f00c0278e7b5758a90a343619c219a27d563eed6c62d/analysis/

:fear::fear: :mad:

AplusWebMaster
2017-04-10, 13:30
FYI...

Fake 'Scanned image' SPAM - delivers Cerber
- https://myonlinesecurity.co.uk/scanned-image-from-mx-2600n-pretending-to-come-from-noreply-your-own-email-address-delivers-cerber-ransomware/
10 Apr 2017 - "... An email with the subject of 'Scanned image from MX-2600N' pretending to come from noreply@ your own email address with a zip file attachment that extracts to another zip file then a malicious word doc delivers Cerber ransomware...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/04/Scanned-image-from-MX-2600N.png

20170410_294152.docm - Current Virus total detections 11/58*: Payload Security** shows a download of an encrypted txt file from http ://villa-kunterbunt-geseke .de/nkjv78v which is transformed by the macro script to redchip2.exe (VirusTotal 8/61***). Payload Security[4]... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/58c52566376771654ec4bd135c92ee7fe03795b1dc4f81e0609f4252f803e889/analysis/1491816739/

** https://www.hybrid-analysis.com/sample/58c52566376771654ec4bd135c92ee7fe03795b1dc4f81e0609f4252f803e889?environmentId=100
Contacted Hosts
85.114.146.10

*** https://www.virustotal.com/en/file/14230d3e19cbef146e83bc7e6bed4f08eb8857a8a11765a09dece6458cf998d5/analysis/1491816149/

4] https://www.hybrid-analysis.com/sample/14230d3e19cbef146e83bc7e6bed4f08eb8857a8a11765a09dece6458cf998d5?environmentId=100
Contacted Hosts
194.9.25.17

villa-kunterbunt-geseke .de: 85.114.146.10: https://www.virustotal.com/en/ip-address/85.114.146.10/information/
> https://www.virustotal.com/en/url/2e40aa2c7decc084db19eafa6df0fc1cd037e36031a783e9fdc68ecfa6c1ec24/analysis/
___

Fake 'scan data' SPAM - delivers Dridex
- https://myonlinesecurity.co.uk/scan-data-malspam-pretending-to-come-from-noreply-your-own-email-address-tries-to-deliver-malware/
10 Apr 2017 - "... an email with the subject of 'scan data' pretending to come from noreply@ your own email address...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/04/scan-data-malspam.png

... several antiviruses on VirusTotal 8/56* declare this as 'a malicious PDF file'. PDF examiner** declares this 'a suspicious.embedded doc file' and 'suspicious.warning: object contains JavaScript' | Payload Security***...
ScanData155328.docm (VirusTotal 10/57[4]) (Payload Security [5]) | MALWR[6]. This contacts:
super-marv .com/874hv... It looks like it should download an -encrypted- txt file that is converted to redchip2.exe... Update: this one is Dridex... An alternative pdf gave me Payload Security[7] which downloaded redchip2.exe from
hiddencreek .comcastbiz .net/874hv (Virustotal 10/61[8])... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/f7481d98d9477e74473e47341e2b7a95ffe4807f8f58f8db42582e9f50c51151/analysis/1491827466/
[See 'File detail']

** https://www.malwaretracker.com/pdfsearch.php?hash=8009ae9232ae700f52bfa06d241b8f27

*** https://www.hybrid-analysis.com/sample/f7481d98d9477e74473e47341e2b7a95ffe4807f8f58f8db42582e9f50c51151?environmentId=100
Contacted Hosts
194.9.25.17
143.95.251.11

4] https://www.virustotal.com/en/file/b0c9d7430608595b6927553cb7d4d342d5f1f823db7a8885636707dc0ba1de7c/analysis/1491829510/
ScanData155328.docm

5] https://www.hybrid-analysis.com/sample/b0c9d7430608595b6927553cb7d4d342d5f1f823db7a8885636707dc0ba1de7c?environmentId=100
Contacted Hosts
194.9.25.17
143.95.251.11

6] https://malwr.com/submission/status/ODI4NWRmNGFlMWRjNDg0MzhjMjY0MjU3NWQxMmRhM2Q/
Hosts
143.95.251.11

7] https://www.hybrid-analysis.com/sample/c077af50c8913d7564025940e2bddb4a45a9573717ece82a0394e98ca079108e?environmentId=100
Contacted Hosts
194.9.25.17
216.87.186.165
185.44.105.92
64.79.205.100
185.25.184.214

8] https://www.virustotal.com/en/file/1072e9f512abaafc1f510b31bcf56fd668f9f7cf558984052720aa85d311bca7/analysis/1491828872/
redchip2.exe

hiddencreek .comcastbiz .net: 216.87.186.165: https://www.virustotal.com/en/ip-address/216.87.186.165/information/

:fear::fear: :mad:

AplusWebMaster
2017-04-11, 14:58
FYI...

Fake 'RBS' SPAM - delivers malware
- https://myonlinesecurity.co.uk/spoofed-rbs-fw-important-bacs-documents-malspam-delivers-malware/
11 Apr 2017 - "An email with the subject of 'FW: Important BACs documents' pretending to come from RBS BACs <GRGBACspaymentsdelivery@ rbsdocuments .co.uk> with a malicious word doc spreadsheet attachment delivers malware... it appears to be Trickbot banking Trojan...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/04/rbs_bacs.png

RBS_BACs_11042017.doc - Current Virus total detections 3/54*. Payload Security currently is not responding for me. MALWR** shows nothing relevant.
I am informed that it uses PowerShell to download http ://hitecmetal .com.my/images/NGVN4LNyaCV6amPf8jsgJeHVgLX.png which of course is -not- a png but a renamed .exe file (VirusTotal 11/60***) which even more suggests ursnif or Trickbot banking Trojans... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/34bf5438747f58b604643de3853b30b7badb6f8e02bc9a64bd9914a1cbe08b40/analysis/1491904361/

** https://malwr.com/analysis/ZGRhZGUwZDBmNzY1NDRiMjhkZDFiNDQ0MzZhMjVhNTQ/

*** https://www.virustotal.com/en/file/26a251a7cb0e201226b5445b96de8c83b1f50f8ab431cff894de13976fbea801/analysis/1491905198/
kxecz.exe

hitecmetal .com.my: 110.4.45.192: https://www.virustotal.com/en/ip-address/110.4.45.192/information/
___

Fake 'scanned file' SPAM - delivers malware
- https://myonlinesecurity.co.uk/scanned-file-with-pdf-attachment-malspam-drops-malicious-word-macro-delivers-malware/
11 Apr 2017 - "... an email that has a multitude of subjects all along the line of 'scanned file/image document/image etc. pretending to come from totally random senders with a pdf attachment. This PDF does have an embedded word doc inside... Payload Security Hybrid Analysis... is currently down. I assume this will turn out to be Dridex in the same way it did yesterday*...
* https://myonlinesecurity.co.uk/scan-data-malspam-pretending-to-come-from-noreply-your-own-email-address-tries-to-deliver-malware/

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/04/image-data.png

20170411414556.pdf - Current Virus total detections 10/57*. MALWR**...
Update: ... the word macro content shows downloads of -encrypted- txt files from:
medjobsmatch .com/kjv783r
outoftheboxpc .org/kjv783r
jenya.kossoy .com/kjv783r
Which MALWR*** managed to decode as redchip2.exe (VirusTotal 8/61[4]) which although not being detected as Dridex is either likely to be Dridex or Kegotip... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/d44b673cdd4d6bba91595693a3cbf4bc20b8214aaa9347691ddf02e2ca89e8e8/analysis/1491908876/

** https://malwr.com/analysis/OGUxZGU5YzQyODMyNDQwYTk1NmFkNjJlMjg1NmQ4Yjg/

*** https://malwr.com/analysis/NjNkM2JiMGY2ZGNhNGRjMzgzMDUwMjk1ZmM5MGZmZmU/
Hosts
23.229.143.7

4] https://www.virustotal.com/en/file/6739c782d114307deaac42120a7061f51f9e74a86f1e60664997a269784143f2/analysis/1491910444/

medjobsmatch .com: 23.229.143.7: https://www.virustotal.com/en/ip-address/23.229.143.7/information/

outoftheboxpc .org: 216.87.186.17: https://www.virustotal.com/en/ip-address/216.87.186.17/information/

jenya.kossoy .com: 64.111.126.118: https://www.virustotal.com/en/ip-address/64.111.126.118/information/
___

Fake Google Maps listings redirect Users to fraudulent sites
- https://www.bleepingcomputer.com/news/google/thousands-of-fake-google-maps-listings-redirect-users-to-fraudulent-sites-each-month/
Apr 10, 2017 - "... This is the result of a study carried out by Google and University of California, San Diego researchers, who analyzed over 100,000 businesses marked as 'abusive' and added to Google Maps between June 2014 and September 2015. Researchers say that 74% of these abusive listings were for local businesses in the US and India, mainly in pockets around certain local hotspots, especially in large metropolitan areas such as New York, Chicago, Houston, or Los Angeles. In most cases, the scheme was simple. A customer in need of a locksmith or electrician would search Google Maps for a local company. If he navigated to the website of a fake business or called its number, a call center operator posing as the business' representative would send over an unaccredited contractor that would charge much more than regular professionals. If a customer's situation were urgent, the contractor would often charge more than the initial agreed upon price. Researchers said that 40.3% of all the listings for fake companies they found focused on on-call services, such as locksmiths, plumbers, and electricians, were customers were desperate to resolve issues... To list a business card on Google Maps, companies must go through a series of checks that involves Google mailing a postal card, or making a phone call to the business headquarters. After analyzing over 100,000 fake listings, researchers said miscreants registered post office boxes at UPS stores and used the same address to register tens to hundreds of listings per address. They did the same thing for their phone contact, by buying cheap VoIP numbers from providers such as Bandwidth .com, Level 3, Twilio, or Ring Central... The research team discovered that crooks managed to hijack 0.5% of Google Maps' outbound traffic for the studied period... Google also says it currently detects and disables around 85% fake listings before they ever appear on Google Maps..."
> https://static.googleusercontent.com/media/research.google.com/en//pubs/archive/45976.pdf
[ 9 pages ]

:fear::fear: :mad:

AplusWebMaster
2017-04-12, 14:27
FYI...

Fake 'resume' SPAM - delivers malware
- https://myonlinesecurity.co.uk/spear-phishing-fake-resume-malspam-leads-to-malware/
12 Apr 2017 - "An email with the subject of 'Greetings' come from a random name and email address that says it is a resume applying for employment with a malicious word doc attachment delivers malware... Update: I am very reliably informed this is a Zyklon HTTP bot* which is being used in DDOS attacks against a wide variety of sites and is a password and other credential stealer, including all windows, office and many other software licencing keys, as well as email credentials, website passwords and any other password that you can think of...
* https://security.radware.com/ddos-threats-attacks/threat-advisories-attack-reports/zyklon-http-botnet/

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/04/sarah-resume.png

Sarah-Resume.doc - Current Virus total detections 7/57**. Payload Security*** shows a download using PowerShell from
http ://185.165.29.36 /11.mov which is -renamed- by the macro to k4208.exe
(VirusTotal 7/61[4]) (Payload Security[5]) and autorun and in turn drops iTunes.exe and autorun
(VirusTotal 5/61[6]) (Payload Security[7])... The word doc has a slightly different instruction message than we usually see:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/04/content-locked.png
This email attachment contains what appears to be a genuine word doc or Excel XLS spreadsheet with either a macro script or an embedded OLE object that when run -will- infect you... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
** https://www.virustotal.com/en/file/358087e8d96e739f87410a091aff4c19bd11867de7f817442f7729b653e3e749/analysis/1491973686/

*** https://www.hybrid-analysis.com/sample/358087e8d96e739f87410a091aff4c19bd11867de7f817442f7729b653e3e749?environmentId=100
Contacted Hosts
185.165.29.36
78.47.139.102
76.73.17.194
154.35.32.5
86.59.21.38
194.109.206.212
84.146.168.11
91.121.230.210
185.66.250.141
192.87.28.82
163.172.29.21
178.162.194.82
130.230.113.235

4] https://www.virustotal.com/en/file/a5b2039a87203757d42aabbe70bec613487073845a0f0b71e9d959b4fc3ed448/analysis/1491963473/

5] https://www.hybrid-analysis.com/sample/a5b2039a87203757d42aabbe70bec613487073845a0f0b71e9d959b4fc3ed448?environmentId=100
Contacted Hosts (20)

6] https://www.virustotal.com/en/file/594b8f9905fed1a58242fa82085a9a74067bfbf48dfbd26182ac4711f29c2826/analysis/1491963495/

7] https://www.hybrid-analysis.com/sample/594b8f9905fed1a58242fa82085a9a74067bfbf48dfbd26182ac4711f29c2826?environmentId=100
Contacted Hosts (13)
___

Ransomware variants - emails
- https://isc.sans.edu/diary.html?storyid=22290
2017-04-12 - "... malicious spam (malspam) on Tuesday morning 2017-04-11. At first, I thought it had limited distribution. Later I found several other examples, and they were distributing yet another ransomware variant... The ransomware is very aware of its environment, and I had use a physical Windows host to see the infection activity...:
> https://isc.sans.edu/diaryimages/images/2017-04-12-ISC-diary-image-01.jpg
... I collected 14 samples of the malspam on Tuesday 2017-04-11. It started as early as 14:12 UTC and continued through at least 17:03 UTC. Each email had a -different- subject line, a -different- sender, -different- message text, and a -different-link- to click:
> https://isc.sans.edu/diaryimages/images/2017-04-12-ISC-diary-image-02.jpg
... -All- are subdomains of ideliverys .com on 47.91.88.133 port 80. The domain ideliverys .com was registered the-day-before on Monday 2017-04-10...
As usual, humans are the weakest link in this type of infection chain. If people are determined to bypass all warnings, and their systems are configured to allow it, they will become infected. Unfortunately, that's too often the case. I don't believe the situation will improve any time soon, so we can expect these types of malspam campaigns to continue..."
(More detail at the first ISC URL at the top.)

ideliverys .com: 47.91.88.133: https://www.virustotal.com/en/ip-address/47.91.88.133/information/
> https://www.virustotal.com/en/url/16f98d707498f5c24e9a47c48a03bb9644a94ac3ce41b069a74c2b4d26cf9d0f/analysis/

:fear::fear: :mad:

AplusWebMaster
2017-04-13, 13:15
FYI...

Fake 'USPS, UPS, DHL, FEDEX' SPAM - delivers mole ransomware
- https://myonlinesecurity.co.uk/more-usps-delivery-messages-delivering-mole-ransomware/
12 Apr 2017 - "... USPS, UPS, DHL, FEDEX and all the other delivery companies being spoofed and emails pretending to be from them delivering all sorts of malware, usually via zip attachments containing JavaScript files. I saw this post on Sans Security blog*... and expected that I would soon see them...they started to flood in today.
* https://isc.sans.edu/diary.html?storyid=22290
There are a multitude of different subjects. Some of then ones I received today are:
' Official notice regarding your order
IMPORTANT USPS MONEYBACK INFO IN REGARDS TO YOUR PARCEL
AUTOMATED notice in regards to your parcel’s status
WARNING: INFO ABOUT A LATEST REFUND '
These subjects today are different to the unusual subjects we see listed in the sans blog post.
Typical senders -imitating- USPS include:
USPS Delivery <huo4@ doverealty .net>
USPS Express Delivery <ooyyomq57575452@ avensonline .org>
USPS Priority Parcels <rejunwuj75324281@ vki-interiors .com>
USPS Ground Support <heyluogf13136286@ parcerianet .com.br> ...
... these -all- use various subdomains of ideliverys .com... you see what looks like a word online website and you are invited to download then latest 'plugin' version to read the documents online:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/04/spoofed-word-online-plugin.png

plugin.exe - Current Virus total detections 29/60**. Payload Security***.. I assume this is the same mole ransomware... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
** https://www.virustotal.com/en/file/8e210658f17a265f0c595b4f63ee7ba3db4c83f64c93f522e74e57e6fc547b11/analysis/

*** https://www.hybrid-analysis.com/sample/8e210658f17a265f0c595b4f63ee7ba3db4c83f64c93f522e74e57e6fc547b11?environmentId=100

ideliverys .com: 47.91.88.133: https://www.virustotal.com/en/ip-address/47.91.88.133/information/
> https://www.virustotal.com/en/url/16f98d707498f5c24e9a47c48a03bb9644a94ac3ce41b069a74c2b4d26cf9d0f/analysis/

- https://myonlinesecurity.co.uk/changes-to-fake-usps-delivery-messages-delivering-malware/
13 Apr 2017 - "... USPS, UPS, DHL, FEDEX SPAM... a -hybrid- campaign mixing elements of all the previous campaigns...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/04/OFFICIAL-USPS-REFUND-INFO.png

... These all use various subdomains of maildeliverys .com to divert to
http ://tramplinonline .ru/counter/1.htm where you see what looks like a word online website and you are invited to download then -latest- 'plugin' version to read the documents online:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/04/fake_word_online_trampoline.png
... this is where the hybrid element comes into play. Once you press download, you get a zip file plugin.zip which extracts to plugin.js ... starts with the first site in the array (var ll) and then downloads these (if the first site cannot be contacted or the file is missing) it moves on to next site and so on, eventually giving -3- malware files.
/counter/exe1.exe (mole ransomware) VirusTotal 6/62[1]
/counter/exe2.exe delivers kovter/powerliks VirusTotal 7/62[2]
/counter/exe3.exe VirusTotal 0/61[3] | VirusTotal 3/62[4] (first one possibly corrupt)
Today’s sites are:
forum-turism .org.ro/images/layout
boorsemsport .be/templates/yoo_aurora/less/uikit
eurostandard .ro/pics/size1
alita .kz/tmp/installation/language/cs-CZ
sportbelijning .be/libraries/joomla/application/web
tramplinonline .ru
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
1] https://www.virustotal.com/en/file/3b5b19ebe8d8b6c7e5b2ffd2cc194fad1ae6c9eade7646f48c595bd154f4b1e1/analysis/1492102514/

2] https://www.virustotal.com/en/file/21bac708477ed069d14995691b1fd1649911e651e3ea0648be71d17e2251bf84/analysis/1492110707/

3] https://www.virustotal.com/en/file/9662c98044245c3a8abf8087cc881df6392f993d76fe2abea099f985c129debf/analysis/1492110713/

4] https://www.virustotal.com/en/file/ba1327106fa0bf82050cf1a1b9c0c119eb0ded63931af4127e5d541dfa2c6850/analysis/1492109005/

maildeliverys .com: 47.91.88.133: https://www.virustotal.com/en/ip-address/47.91.88.133/information/
> https://www.virustotal.com/en/url/715942ae80d2b0edc6b2d00f7505a82bfe5144a4d150fcd5a0851f53d2e6b637/analysis/

tramplinonline .ru: 92.242.42.146: https://www.virustotal.com/en/ip-address/92.242.42.146/information/
> https://www.virustotal.com/en/url/aa5e9096e80a2da27edb02c8fe53eb547d54253f09395298ad99564db2cf991e/analysis/
___

Kelihos.E Botnet – Takedown
- http://blog.shadowserver.org/2017/04/12/kelihos-e/
April 12, 2017 - "On Monday April 10th 2017, The US Department of Justice (DOJ) announced* a successful operation to take down the Kelihos Botnet and arrest the suspected botnet operator. The Kelihos botnet (and its predecessor Waledec) was one of the most active spamming botnets. Earlier versions of the malware were also involved in delivering trojan horses, stealing user credentials and crypto currency wallets, and in crypto currency mining. The Kelihos botnet was made up of a network of tens of thousands of infected Windows hosts worldwide. It used its own peer-to-peer (P2P) protocol, along with backup DNS domains, to provide resilient command and control (C2) facilities... The Kelihos.E botnet takedown occurred on Friday April 8th 2017, with 100% of the peer-to-peer network being successfully taken over by law enforcement and C2 traffic redirected to our sinkholes, C2 backend server infrastructure being seized/disrupted, as well as multiple fallback DNS domains being successfully sinkholed under US court order..."
* https://www.justice.gov/opa/pr/justice-department-announces-actions-dismantle-kelihos-botnet-0
April 10, 2017 - "The Justice Department today announced an extensive effort to disrupt and dismantle the Kelihos botnet – a global network of tens of thousands of infected computers under the control of a cybercriminal that was used to facilitate malicious activities including harvesting login credentials, distributing hundreds of millions of spam e-mails, and installing ransomware and other malicious software..."

:fear::fear: :mad:

AplusWebMaster
2017-04-14, 14:09
FYI...

Fake 'MONEY GRAM' SPAM - delivers java adwind
- https://myonlinesecurity.co.uk/urgent-money-gram-confirmation-delivers-java-adwind/
14 Apr 2017 - "... -fake- financial themed emails containing java adwind or Java Jacksbot attachments... Slight change to previous examples today where these are being addressed to tamuna.khaduri@ basisbank .ge or mdzirkvelishvili@ tbcbank .com .ge ... looks like random names @ random bank .ge and BCC to the actual recipient... coming via compromised accounts on Godaddy...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/04/URGENT-MONEY-GRAM-CONFIRMATION.png

URGENT MONEYGRAM CONFIRMATION.jar (479kb) - Current Virus total detections 19/59*. MALWR** ...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/8d5331d5929f6229a9b401a2c34f69df095a0aea6f90936d4f7831f70c11f0a1/analysis/1492148381/

** https://malwr.com/analysis/YzRlZjM3NzZiOGE3NGIxNmFjMWJhNWMyNTc3NGYyYTI/

:fear::fear: :mad:

AplusWebMaster
2017-04-15, 18:39
FYI...

DropBox – Phish
- https://myonlinesecurity.co.uk/congratulations-kindly-login-to-view-the-documents-on-dropbox-phishing/
15 Apr 2017 - "... phishing attempts for email credentials...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/04/dropbox-phish-email.png

If you follow the -link- you see a webpage looking like this:
http ://magioangeles .com/mo/DropBoxPhoto/
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/04/dropbox-phish.png

Select -any- of the email services and you get:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/04/dropbox-phish1.png

Then you get sent to a signup page on the genuine dropbox site..."

magioangeles .com: 209.133.208.250: https://www.virustotal.com/en/ip-address/209.133.208.250/information/
> https://www.virustotal.com/en/url/bb4db2cc7b3b5af6c240d600702bea46a551b2adcca7e5d37badbe8896adeda0/analysis/

:fear::fear: :mad:

AplusWebMaster
2017-04-16, 18:21
FYI...

Fake 'order proforma invoice' SPAM - delivers 'RAT'
- https://myonlinesecurity.co.uk/request-for-1st-new-order-proforma-invoice-malspam-delivers-luminosity-link-r-a-t/
16 Apr 2017 - "... -fake- 'Request for 1st new order proforma invoice' -scam- delivers luminosity link Remote Access Tool Trojan* which is being heavily misused...
* http://researchcenter.paloaltonetworks.com/2016/07/unit42-investigating-the-luminositylink-remote-access-trojan-configuration/

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/04/Request-for-1st-new-order-proforma-invoice.png

... The -link-in-the-email-body- goes to
http ://bit .ly/2oWFVzK which directs to
http ://www .internationalconfirmation .com/re-direct-live.php which downloads the malware from
http ://redbulconfirm .host/LIST%20OF%20ORDERS%20FOR%20PROFORMA%20INVOICE .JPG .com...

LIST OF ORDERS FOR PROFORMA INVOICE.JPG .com - Current Virus total detections 16/60*. Payload Security** which is describing it as luminosity link Trojan... The basic rule is NEVER open any attachment -or- link in an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/c67e5fa32be281f1d29410c20d290c7dabc798f1194ce67f1a7445aabf5d46e4/analysis/1492341398/

** https://www.reverse.it/sample/c67e5fa32be281f1d29410c20d290c7dabc798f1194ce67f1a7445aabf5d46e4?environmentId=100
Contacted Hosts
192.166.218.230

internationalconfirmation .com: 69.65.33.119: https://www.virustotal.com/en/ip-address/69.65.33.119/information/

redbulconfirm .host: 68.65.122.167: https://www.virustotal.com/en/ip-address/68.65.122.167/information/

:fear::fear: :mad:

AplusWebMaster
2017-04-17, 15:59
FYI...

Fake 'ftc refund' SPAM - leads to malware
- http://blog.dynamoo.com/2017/04/malware-spam-re-re-ftc-refund.html
17 Apr 2017 - "This -fake- FTC email leads to malware. Curiously, it was sent to a company that received a multimillion dollar FTC -fine- but this is almost definitely a coincidence:
From: Federal Trade Commission [secretary@ ftccomplaintassistant .com]
Date: 17 April 2017 at 15:25
Subject: RE: RE: ftc refund
It seems we can claim a refund from the FTC.
Check this out and give me a call.
https ://www .ftc .gov/refunds/company/companyname.com/FTC_refund_recipientname.doc
Thank you
James Newman
Senior Accountant
secretary@ ftccomplaintassistant .com ...

The link-in-the-email actually goes to a URL beginning http ://thecomplete180 .com/view.php?id= followed by a Base 64 encoded string that appears to be 6281 + recipient email address + 5434 ... this downloaded document is up to no good, but the VirusTotal detection rates are only 5/56*. The Word document itself tries to persuade victims to 'enable macros', which would be a -bad- idea:
> https://3.bp.blogspot.com/-ory5Evv0t80/WPUCJIlBA7I/AAAAAAAALLo/FcFZSQ_6p7s5Y9oQKW7QaskxibGOZnW-ACLcB/s1600/fake-word.png

* https://www.virustotal.com/en/file/c884712b924af42a0c22c387a5ed811e03f9c0748a0625c19c143f33b0834452/analysis/1492451191/
Automated analysis [1] [2] shows network traffic:
1] https://malwr.com/analysis/YTBlYzI1MDVkMzJhNDYzZWE1M2RiMjE3OTUxNzYwN2I/
Hosts
54.235.135.158
212.116.113.108
186.202.127.62
87.118.126.207

2] https://www.hybrid-analysis.com/sample/c884712b924af42a0c22c387a5ed811e03f9c0748a0625c19c143f33b0834452?environmentId=100
Contacted Hosts (18)

... This gives us a pretty useful minimum blocklist:
178.170.189.254
185.146.1.4
185.48.56.63
185.80.53.76
188.127.237.232
193.105.240.2
194.1.239.63
195.54.163.94
212.116.113.108
46.148.26.87
47.90.202.88
77.246.149.100
87.118.126.207
88.214.236.158
91.230.211.67
93.189.43.36 "
___

Many PayPal Phish
- https://myonlinesecurity.co.uk/dont-be-blocked-paypal-phishing/
17 Apr 2017 - "... -lots- of phishing attempts for Paypal login account credentials... These definitely do
-not- come from a “Trusted Sender”. The spelling and grammar mistakes in the email are more than enough to raise red flags...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/04/dont-be-blocked.png

... If you follow-the-link when you use Internet Explorer you start with:
http : //www .asclepiade .ch/sites/default/files/languages/red.html which -redirects- you to:
https: //indimedia .co.uk/kasfolio/iceage3overlay/english/pp/
you see a webpage looking like this:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/04/bitchboots.png

BUT if you use Firefox or Google Chrome, then you get:
http ://www .asclepiade .ch/sites/default/files/languages/red.html which -redirects- you to:
https ://indimedia .co.uk/kasfolio/iceage3overlay/english/pp/ which -redirects- to:
https ://indimedia .co.uk/kasfolio/iceage3overlay/english/pp/login?cmd=_signin&dispatch=8b262247e1b6f7c468c785df9&locale=en_GB and gives the typical PayPal phishing page
(you get a different random dispatch= number each time):
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/04/indimedia-pp_phish.png

... Where pressing 'continue' takes you to the usual 'give me your credit card, bank account, address, phone number' and any other information they can think of, to be able to totally steal your identity and all financial accounts..."

indimedia .co.uk: 216.222.194.4: https://www.virustotal.com/en/ip-address/216.222.194.4/information/

> https://www.virustotal.com/en/url/b689a6429a3b08f586cc442f49594a0abc4fd5d34aa419f6c0a510638ac9184e/analysis/

> https://www.virustotal.com/en/url/29fc4e7223454f454aeaddd9434bc98e951cb37443c2726c723699fc1d82b0f8/analysis/

asclepiade .ch: 213.221.153.48: https://www.virustotal.com/en/ip-address/213.221.153.48/information/
> https://www.virustotal.com/en/url/9061890f9293bf824dc5afc278a37e022ac44a3725b75bd2c85f32673c80830a/analysis/

:fear::fear: :mad:

AplusWebMaster
2017-04-18, 22:23
FYI...

'Protected View Mode' for MS Word docs
> https://www.askwoody.com/2017/what-every-windows-customer-should-know-about-last-weeks-deluge-of-malware/
April 17, 2017 - "... 'Protected View Mode' is enabled by default in Word 2010 and later, but Word 2007 and earlier -don’t- have Protected View... See screenshot:
> https://www.askwoody.com/wp-content/uploads/2017/04/Protected-view-768x45.jpg
If you click 'Enable Editing', the malware fires automatically — you don’t need to do anything more.
If you open an attached DOC from Gmail, it’s harmless, -unless- you download the file, -then- open the DOC in Word and -then- click 'Enable Editing'. Moral of the story: Use Gmail*. Failing that, don’t click 'Enable Editing'..."
* https://mail.google.com/mail/#inbox

>> https://www.howtogeek.com/302740/how-to-open-office-files-without-being-hacked/
April 13, 2017

:fear::fear:

AplusWebMaster
2017-04-19, 13:18
FYI...

Fake 'USPS' SPAM - delivers Zbot via fake Word online sites
- https://myonlinesecurity.co.uk/more-usps-delivering-zbot-zeus-panda-via-fake-word-online-sites/
19 Apr 2017 - "... Today they have changed slightly again and now just have a link-to-a-site where you download a single executable file that pretends to be a plugin that allows you to read the documents online. Today (so far) are all Zbot/Panda Banking Trojans
plugin_office_update_KB093211.exe (VirusTotal 7/61*) | Payload Security**...
* https://www.virustotal.com/en/file/b7fdf7b6e6dbdcdd92d18d452597d88760a169b30a4ffa720ca5b4638033c6fd/analysis/1492568116/

** https://www.hybrid-analysis.com/sample/b7fdf7b6e6dbdcdd92d18d452597d88760a169b30a4ffa720ca5b4638033c6fd?environmentId=100

Typical senders imitating USPS include:
USPS Ground Support <zmesat742@ hetaudabazar .com>
USPS Support Management <cykobezr0@ okamacr .com>
USPS TechConnect <oysvuadv78382@ thewons .com>
USPS Delivery <yrok10507057@ taviexport .com>
USPS Support Management <gywer6@ nicolasprioux .com>
USPS TechConnect <kapifa78036@ hashmkt .com>
USPS Home Delivery <vyfhob22148305@ seedtech .co.in>
USPS Priority Parcels <lameipgo65@ mtpub .com>
USPS Priority <yhqez882670@ affection .org>
There are a multitude of different subjects. Some of the ones I received today are:
WARNING: TROUBLE WITH YOUR ITEM
ATTENTION REQUIRED: DETAILS ABOUT A IMPENDING REFUND
URGENT USPS MONEYBACK INFORMATION CONCERNING YOUR PARCEL
WARNING: you’re legally obliged to review the status of your parcel
URGENT: notification of delay of your parcel
Official letter concerning your order
Major problems reported to the USPS customer support
WARNING: INFORMATION ON YOUR IMPENDING REFUND
IMMEDIATE ACTION REQUIRED: your shipment’s been postponed
URGENT USPS MONEYBACK INFO CONCERNING YOUR SHIPMENT
AUTOMATED letter regarding your shipment’s location
OFFICIAL USPS REFUND INFO
Official notice from USPS
WARNING: ISSUES WITH YOUR SHIPMENT
USPS USER URGENT NEW INFO CONCERNING YOUR PACKAGE
WARNING: PROBLEMS WITH YOUR ORDER
OFFICIAL USPS system statement
USPS official notice: major trouble with your parcel
USPS customer support team notice: your shipment has been postponed

Screenshots: https://myonlinesecurity.co.uk/wp-content/uploads/2017/04/fake-USPS-email1.png

> https://myonlinesecurity.co.uk/wp-content/uploads/2017/04/fake-USPS-email2.png

> https://myonlinesecurity.co.uk/wp-content/uploads/2017/04/fake-USPS-email3.png

All have links-in-the-email body to a -fake- word online website and you are invited to download the latest plugin version to read the documents online:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/04/fake-word-online-plugin.png

... The basic rule is NEVER open any attachment (or -link-) in an email, unless you are expecting it..."
___

Fake 'invoice' SPAM - delivers Dridex
- https://myonlinesecurity.co.uk/fake-copy-of-your-123-reg-invoice-delivers-dridex-banking-trojan/
19 Apr 2017 - "An email with the subject of 'Copy of your 123-reg invoice (123-230044839)' [random numbers] pretending to come from no-reply@ 123-reg .co.uk with a malicious pdf attachment that contains an embedded word doc delivers Dridex banking Trojan...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/04/123_reg-fake-invoice.png

123-230044839-reg-invoice.pdf - Current Virus total detections 10/57*. Payload Security** shows a download from
http ://jeanevermore .com/6gfd43 that is converted by the macro to redchip2.exe (VirusTotal 10/61***)...
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/2e9c00a2068a594bef50ac27c0f90e4640689fb6ef1173641220f57b09c47e18/analysis/1492601252/

** https://www.hybrid-analysis.com/sample/2e9c00a2068a594bef50ac27c0f90e4640689fb6ef1173641220f57b09c47e18?environmentId=100
Contacted Hosts
216.117.150.240
216.177.132.93
152.66.249.132
85.214.113.207
192.184.84.119

*** https://www.virustotal.com/en/file/760390f07cefafadece0638a643d69964433041abeab09b65bfcdb922c047872/analysis/1492594268/

- http://blog.dynamoo.com/2017/04/malware-spam-copy-of-your-123-reg.html
19 Apr 2017 - "This -fake- financial spam does not come from 123-Reg (nor is it sent to 123-Reg customers). It has a malicious attachment.
From no-reply@ 123-reg .co.uk
Date Wed, 19 Apr 2017 17:19:51 +0500
Subject Copy of your 123-reg invoice ( 123-093702027 )
Hi [redacted],
Thank you for your order.
Please find attached to this email a receipt for this payment.
Help and support
If you are still stuck why not contact our support team? Simply visit our 123-reg
Support Centre and click on the Ask a Question tab.
Thank you for choosing 123-reg.
The 123-reg team...

The invoice number is randomly generated. The attachment is a PDF file with a name matching the invoice number (e.g. 123-093702027-reg-invoice.pdf). This PDF file appears to drop an Office document according to VirusTotal results 12/56*. Hybrid Analysis** shows the document dropping a malicious executable with a detection rate of 15/61***. It appears to contact the following IPs (some of which contain legitimate sites):
216.87.186.15 (Affinity Internet, US)
216.177.132.93 (Alentus Corporation, US)
152.66.249.132 (Budapest University of Technology and Economics, Budapest)
85.214.113.207 (Strato AG, Germany)
192.184.84.119 (RamNode LLC, US)
The general prognosis seems to be that this is dropping the Dridex banking trojan.
Recommended blocklist:
216.87.186.15
216.177.132.93
152.66.249.132
85.214.113.207
192.184.84.119 "
* https://virustotal.com/en/file/4967148f495f69f4441f22e2c3dcaf304f3e283b545cb1c4819d0343545c12fe/analysis/1492608695/

** https://www.hybrid-analysis.com/sample/4967148f495f69f4441f22e2c3dcaf304f3e283b545cb1c4819d0343545c12fe?environmentId=100

*** https://www.virustotal.com/en/file/760390f07cefafadece0638a643d69964433041abeab09b65bfcdb922c047872/analysis/
___

Malicious Excel Sheets...
- https://isc.sans.edu/diary.html?storyid=22322
2017-04-19 - "... found a malicious Excel sheet which contained a VBA macro. One particularity of this file was that useful information was stored in cells. The VBA macro read and used them to download the malicious PE file. The Excel file looked classic, asking the user to enable macros:
> https://isc.sans.edu/diaryimages/images/xls1.png
... the macro was, as usual, to download the malicious PE file, to store it on the disk and to execute it. The PE file has a VT score of 10/60[1]. This is not the first time that I saw this way of passing data to the macro. It’s easy to configure campaigns with many URLs and samples without touching the macro. I had a bunch of 400 malicious Excel sheets to inspect... bad guys also use data stored in the document itself and access it from the VBA code. I also saw a few times white text on white background in Word documents..."
(More detail at the isc URL above.)
1] https://www.virustotal.com/en/file/3626729fe8a77f74f4f6da58d5fb474d9c774dff3494063c5f8b4fc50f908585/analysis/1491843226/

:fear::fear: :mad:

AplusWebMaster
2017-04-20, 18:27
FYI...

Malvertising campaign - drops ISFB banking Trojan
- https://blog.malwarebytes.com/threat-analysis/2017/04/binary-options-malvertising-campaign-drops-isfb-banking-trojan/
April 20, 2017 - "We have been witnessing a series of malvertising attacks that keep a low profile with decoy websites and strong IP address filtering... There have been similar uses of -fake- façades as a gateway to exploit kits. For instance, Magnitude EK is known to use gates that have to do with Bitcoin, investment websites and such, as detailed in this Proofpoint blog entry*...
* https://www.proofpoint.com/us/threat-insight/post/magnitude-actor-social-engineering-scheme-windows-10
... In this particular case, the threat actor stole the web template from “Capital World Option“, a company that provides a platform for trading binary options. Participants must predict whether the price of an asset will rise or fall within a given time frame, which defines whether or not they will make money. Binary options have earned a bad reputation though and some countries have even banned them. Below is a screenshot of the legitimate website that is being impersonated. There are some differences between the real one and the fakes; the former is using SSL and was registered a while ago. Also, some of the website functionality is not working properly with the decoy versions.
Legitimate site: https://blog.malwarebytes.com/wp-content/uploads/2017/04/real2.png
---
Decoy site that ripped all the branding: https://blog.malwarebytes.com/wp-content/uploads/2017/04/fake.png
---
Those -fake- sites are only meant to be viewed if you are not a target of this particular malware campaign. In other words, if you load the infection chain from the malvertising call and see the site, you will not be infected. Infections happen when the fraudulent server forwards victims directly to a second gate, without showing them any of the site’s content. The same threat actor has registered -many- different domains all purporting to be lookalikes using a similar naming convention...
Conclusion: This particular campaign focused on a very specific malvertising chain leading to the RIG exploit kit and – as far as we could tell – dropping the same payload each time, no matter the geolocation of the victim. Banking -Trojans- have been a little bit forgotten about these days as they are overshadowed by ransomware. However, they still represent a significant threat and actually do operate safely in the shadows, manipulating banking portals to perform -wire-transfers- unbeknownst to their victims or even the banks they are targeting...
IOCs: ...
‘Binary options’ IP addresses:
217.23.1.65
217.23.1.66
217.23.1.67
217.23.1.104
217.23.1.130
217.23.1.187
217.23.1.200 ..."
(More detail at the malwarebytes URL at the top.)

:fear::fear: :mad:

AplusWebMaster
2017-04-21, 19:39
FYI...

Fake 'Payment Receipt' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/the-return-of-locky-ransomware-with-fake-receipts-malspam/
21 Apr 2017 - "... an email with the subject of 'Payment Receipt 2724' or something similar pretending to come from random companies with a pdf attachment containing an embedded malicious word macro enabled doc which will download an encrypted txt file that is -transformed- into the Locky ransomware file redchip2.exe... Some of the subjects include (all have random numbers):
Receipt 435
Payment Receipt 2724
Payment-2677
Payment Receipt_739
Payment#229

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/04/Payment-Receipt.png

P2724.pdf - Current Virus total detections 9/57*. Payload Security** shows it drops an embedded macro enabled word doc (VirusTotal 12/59***) ... which downloads from
sherwoodbusiness .com/9yg65 which is an encrypted-text-file that is converted-by-the-macro to redchip2.exe
(Payload Security[4] (VirusTotal 6/62[5]). There are loads of other download locations for the encrypted txt file... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/d6aa22aee572dd90161ba793b8afba27dbf50df4d23b2921d131626671e8d966/analysis/1492775465/

** https://www.reverse.it/sample/d6aa22aee572dd90161ba793b8afba27dbf50df4d23b2921d131626671e8d966?environmentId=100
Contacted Hosts
216.117.141.38

*** https://www.virustotal.com/en/file/52db4cca867773fdce9cd8d6d4e9b8ea66c2c0c4067f33fd4aaf6bfa0c5e4d62/analysis/1492775793/

4] https://www.reverse.it/sample/4ebc124c7e19c2a87f911e9972f365f6fd0ef1532981a828b085e0a6bac2e310?environmentId=100

5] https://www.virustotal.com/en/file/4ebc124c7e19c2a87f911e9972f365f6fd0ef1532981a828b085e0a6bac2e310/analysis/1492775821/
redchip2.exe

sherwoodbusiness .com: 216.117.141.38: https://www.virustotal.com/en/ip-address/216.117.141.38/information/
> https://www.virustotal.com/en/url/352f4311708a954a673ad033dc059acdb27b1d31f706a4feb5b8861a2402a0d3/analysis/

Embedded docs in PDF files can infect you
> https://myonlinesecurity.co.uk/embedded-documents-in-pdf-files-that-can-easily-infect-you/
22 Apr 2017

:fear::fear: :mad:

AplusWebMaster
2017-04-24, 15:32
FYI...

Fake 'Scan Data' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/locky-continues-using-pdf-files-with-embedded-macro-word-docs/
24 Apr 2017 - "... another mass malspam onslaught with 2 separate emails with the subject of 'Scan Data' or '12345678.pdf' (random numbers) pretending to come from random email addresses at your-own-email-domain with a PDF attachment that contains an embedded malicious word doc with macros that delivers Locky ransomware... See HERE[1] for safe settings to stop these from working...
1] https://myonlinesecurity.co.uk/embedded-documents-in-pdf-files-that-can-easily-infect-you/

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/04/scan-data-locky.png

Scan_066379.pdf - Current Virus total detections 13/55*. Payload Security** - drops 744951.doc
(Virustotal 12/57***) - (Payload Security[4]) shows a download from
http ://dorsetcountymaintenance .co.uk/87tgyu which is converted by the macro to redchip2.exe
(VirusTotal 10/59[5]) (Payload Security [6])... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/3abc2b10b5d1c51d4abdaff9c0da723b83ecd1729067e5665f0bc54816e4145d/analysis/1493033052/

** https://www.reverse.it/sample/3abc2b10b5d1c51d4abdaff9c0da723b83ecd1729067e5665f0bc54816e4145d?environmentId=100
Contacted Hosts
188.65.115.102

*** https://www.virustotal.com/en/file/a0b759d4d69909e555dbaaac4ae5a4a7c1278fdcf568ffd5b419fd1f9daafd08/analysis/1493033505/

4] https://www.hybrid-analysis.com/sample/a0b759d4d69909e555dbaaac4ae5a4a7c1278fdcf568ffd5b419fd1f9daafd08?environmentId=100
Contacted Hosts
188.65.115.102

5] https://www.virustotal.com/en/file/cc7b5b726f8b968d4b5bbc5ba0c73d8b8a868980318b4fd547006d65b01c6c3f/analysis/1493034283/
redchip2.exe

6] https://www.hybrid-analysis.com/sample/cc7b5b726f8b968d4b5bbc5ba0c73d8b8a868980318b4fd547006d65b01c6c3f?environmentId=100

dorsetcountymaintenance .co.uk: 188.65.115.102: https://www.virustotal.com/en/ip-address/188.65.115.102/information/
> https://www.virustotal.com/en/url/10e6929b48e57e371b317bc45a5d7f7a41fc454a8ca391337f0d06365a124a1e/analysis/
___

Locky ransomware comeback - Necurs botnet
- https://www.helpnetsecurity.com/2017/04/24/locky-necurs/
April 24, 2017 - "The Necurs botnet has, once again, begun pushing Locky ransomware on unsuspecting victims:
> https://www.helpnetsecurity.com/images/posts/necurs-locky.jpg
The botnet, which flip-flops from sending penny stock pump-and-dump emails to booby-trapped files that lead to malware (usually Locky or Dridex), has been spotted slinging thousands upon thousands of emails in the last three or four days*...
* http://blog.talosintelligence.com/2017/04/locky-returns-necurs.html
... In the first part of the spam campaign, the emails contain no text except in the Subject line, which simply says 'Receipt' or 'Payment', followed by random numbers. Those numbers are seen again in the name of the attached PDF file... Later, the emails were made to look like they contained a scanned image in PDF format... In both cases, the attached PDF contains embedded Word documents with macros... there is currently no way to decrypt the files without paying the ransom..."

- https://isc.sans.edu/diary.html?storyid=22334
2017-04-23 - "... The PDF contains JavaScript to extract the malicious Word document and launch Word. The user is prompted before this action takes place, but if you want to mitigate this, you can -disable- JavaScript. If you use Adobe Reader version 15.009.20069 or later, then the extracted Word document is marked with a mark-of-web, regardless if the containing PDF document is marked as such:
> https://isc.sans.edu/diaryimages/images/20172304-014929.png
... After applying Microsoft's patch for CVE-2017-0199, a downloaded HTA is no longer executed, but it is -still- downloaded without user interaction..."

Cisco - Threat Outbreak Alerts
> https://tools.cisco.com/security/center/publicationListing.x#~Threats
April 24, 2017 - Email Messages Distributing Malicious Software...

Locky has reemerged - borrowing attack techniques from Dridex
- http://www.zdnet.com/article/the-godfather-of-ransomware-returns-locky-is-back-and-sneakier-than-ever/
April 24, 2017
___

Interpol finds nearly 9,000 infected servers in SE Asia
- http://www.reuters.com/article/us-singapore-interpol-cyber-idUSKBN17Q1BT
Apr 24, 2017 - "An anti-cybercrime operation by Interpol and investigators from seven southeast Asian nations revealed nearly 9,000 malware-laden servers and hundreds of compromised websites in the ASEAN region, Interpol said on Monday. Various types of malware, such as that targeting financial institutions, spreading ransomware, launching Distributed Denial of Service (DDoS) attacks and distributing spam were among the threats posed by the infected servers, the operation showed... Experts from seven private firms also participated in the operation run out of the Singapore-based Interpol Global Complex for Innovation (IGCI), with China providing some cyber intelligence, the international police body said on its website*...
* https://www.interpol.int/News-and-media/News/2017/N2017-051
DDoS attacks have always been among the most common on the Internet, making use of hijacked and virus-infected computers to target websites until they can no longer cope with the scale of data requested. The operation also identified nearly 270 websites infected with a malware code, among them several government websites that may have contained citizens' personal data, Interpol added..."

:fear::fear: :mad:

AplusWebMaster
2017-04-25, 14:09
FYI...

Fake 'confirmation' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/the-locky-onslaught-continues-with-blank-pdf-attachments-containing-embedded-macro-word-docs/
25 Apr 2017 - "... another 2 mass malspam onslaughts with different email subjects. The first is 'confirmation_12345678.pdf' (random numbers) pretending to come from info@ random .tld with a PDF attachment that contains an embedded malicious word doc with macros that delivers Locky ransomware. The second is a -blank- email with the subject of 'paper', coming from random names, companies and email addresses. In all cases the alleged sending address is -spoofed- ... In both campaigns the PDF appears totally to be a -blank- page but still contains the embedded macro word doc that will infect you when opened. These macro enabled word docs embedded into PDF files can easily infect you, -IF- you have default PDF settings set in Adobe Reader. See HERE[1] for safe settings to stop these working...
1] https://myonlinesecurity.co.uk/embedded-documents-in-pdf-files-that-can-easily-infect-you/
... 2 distinct malspam approaches today. First coming from 'scanner' (or other MFD, like scan, Epson, Printer, canon etc ) @ your-own-email-domain with a subject of 'scan data'. The second comes from totally random names @ your-own-email-domain with a subject of '12345678.pdf' (random numbers) and has a completely -empty- email body...

Screenshot1: https://myonlinesecurity.co.uk/wp-content/uploads/2017/04/locky_confirmation.png

Screenshot2: https://myonlinesecurity.co.uk/wp-content/uploads/2017/04/locky_paper.png

6446165b2.pdf - Current Virus total detections 13/56*. Payload Security** drops 216616.docm downloads from
http ://parallelsolutions .nl/jhg67g which is converted by the macro to pitupi2.exe
(VirusTotal 23/59***) (Payload Security[4])... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/e59e4a3dc7956f9c4ef1bf9b5b97aaea700823e86459cbc29c05b282be111cfb/analysis/1493096091/

** https://www.hybrid-analysis.com/sample/e59e4a3dc7956f9c4ef1bf9b5b97aaea700823e86459cbc29c05b282be111cfb?environmentId=100
Contacted Hosts
159.253.0.19

*** https://www.virustotal.com/en/file/a592bb700028529e0fe828be1a7cf5c1726cb7fe08a4d2c92fcea89cbcf0902a/analysis/1493096408/
pitupi2.exe

4] https://www.hybrid-analysis.com/sample/a592bb700028529e0fe828be1a7cf5c1726cb7fe08a4d2c92fcea89cbcf0902a?environmentId=100

parallelsolutions .nl: 159.253.0.19: https://www.virustotal.com/en/ip-address/159.253.0.19/information/
> https://www.virustotal.com/en/url/6dc227a6f917655d9f8aaac160fda74a705439594eb8729e3ade3534ba08c163/analysis/
___

Phish attacks responsible for 3/4 of all malware
- https://www.helpnetsecurity.com/2017/04/25/phishing-attacks-malware/
April 25, 2017 - "With phishing now widely used as a mechanism for distributing ransomware, a new NTT Security reveals that 77% of all detected ransomware globally was in four main sectors – business & professional services (28%), government (19%), health care (15%) and retail (15%):
> https://www.helpnetsecurity.com/images/posts/nttsecurity-042017-2.jpg
While technical attacks on the newest vulnerabilities tend to dominate the media, many attacks rely on less technical means. According to the GTIR, phishing attacks were responsible for nearly three-quarters (73%) of all malware delivered to organizations, with government (65%) and business & professional services (25%) as the industry sectors most likely to be attacked at a global level. When it comes to attacks by country, the U.S. (41%), Netherlands (38%) and France (5%) were the top three sources of phishing attacks. The report also reveals that just 25 passwords accounted for nearly 33% of all authentication attempts against NTT Security honeypots last year. Over 76% of log on attempts included a password known to be implemented in the Mirai botnet – a botnet comprised of IoT devices, which was used to conduct, what were at the time, the largest ever distributed denial of service (DDoS) attacks. DDoS attacks represented less than 6% of attacks globally, but accounted for over 16% of all attacks from Asia and 23% of all attacks from Australia. Finance was the most commonly attacked industry globally, subject to 14% of all attacks. The finance sector was the only sector to appear in the top three across all of the geographic regions analysed, while manufacturing appeared in the top three in five of the six regions. Finance (14%), government (14%) and manufacturing (13%) were the top three most commonly attacked industry sectors:
> https://www.helpnetsecurity.com/images/posts/nttsecurity-042017-1.jpg
... NTT Security summarizes data from over 3.5 -trillion- logs and 6.2 -billion- attacks for the 2017 Global Threat Intelligence Report (GTIR)*..."
* https://www.nttcomsecurity.com/us/gtir-2017/
___

Phish: PayPal Credit Service Security Check
- https://security.intuit.com/index.php/home/alerts/655-fw-activity-alert-paypal-credit-service-security-check
24 April 2017 - "People are reporting receiving -fake- emails as found below. Please be aware that the From address as well as the Subject line may change; however, the content with in the body of the email will stay the same with the exception of a change to the malicious URL link, which may have many different variations. Below is an example of the email people are receiving:
> https://security.intuit.com/images/2017-04-24_14-51-41.png
... end of the -fake- email..."

:fear::fear: :mad:

AplusWebMaster
2017-04-26, 14:36
FYI...

Fake 'DHL' SPAM - delivers js malware
- https://myonlinesecurity.co.uk/fake-spoofed-dhl-shipment-notification-delivers-some-sort-of-unknown-malware/
26 Apr 2017 - "... email with the subject of 'DHL Shipment Notification: 1104749373' pretending to come from DHL Customer Support <support@ dhl .com> with a semi-random named zip attachment in the format of Pickup EXPRESS.Date2017-04-26.zip which delivers or tries to deliver some sort of malware...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/04/DHL-Shipment-Notification-1104749373.png

Pickup EXPRESS.Date2017-04-26.zip: Extracts to: Pickup DOMESTIC EXPRESS Date2017-04-26.pdf.js
Current Virus total detections 4/57*. Payload Security** | JoeSandbox*** all of which do show a connection to 47.91.74.140 80 horcor .com which looks to be connected to or hosted by Chinese online company Alibaba.
Payload Security shows an attempt to contact http ://horcor .com/gate.php?ff1 (ff1 – ff12) in turn via get requests BUT only when you expand the wscript.exe section and examine the script calls... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/e9e469993c7e256fe99d84a99c74c4580a917fa8980db032b3441a293ae6d8c8/analysis/1493200305/

** https://www.hybrid-analysis.com/sample/e9e469993c7e256fe99d84a99c74c4580a917fa8980db032b3441a293ae6d8c8?environmentId=100
Contacted Hosts
47.91.74.140

*** https://jbxcloud.joesecurity.org/analysis/259442/1/html

horcor .com: 47.91.74.140: https://www.virustotal.com/en/ip-address/47.91.74.140/information/
___

JavaScript Malspam Campaigns
Multiple malicious JavaScript spam campaigns active in the wild
- https://www.zscaler.com/blogs/research/javascript-malspam-campaigns
April 25, 2017 - "... multiple active malspam campaigns with links to malicious JavaScript payloads in the wild. These JavaScript files when opened by the end user will trigger download and execution of malware executables belonging to various Dropper and Backdoor Trojan families. We have seen over 10,000 instances of malicious JavaScript payloads from these campaigns in last two weeks. The JavaScript files are highly obfuscated to avoid detection and on first look shared similarity to Angler EK's landing page. Two URL formats are commonly being used at this time, one with just alphanumeric characters in path and the other with string ‘.view’ in the path. The examples for these URLs are seen below:
http ://yountstreetglass [.]com/TRucDEpdoO4jsaFaF4wCTxl8h/
http ://unbunt [.]com/view-report-invoice-0000093/w0ru-bb26-w.view/
The javascript files have names which try to masquerade as bills and receipts of various services like DHL, UPS and Vodafone to name a few... When we opened the JavaScript, we observed that it was heavily obfuscated with random strings and numbers assigned to variables, which makes very little sense...
Conclusion: We should always be cautious when clicking on links or handling e-mail attachments received from an unknown sender. Threat actors keep changing their obfuscation techniques in an attempt to evade detection methods used by security engines. It is increasingly important to have multiple security layers to block these kinds of attacks..."
(More detail at the zscaler URL above.)

yountstreetglass .com: 107.180.2.25: https://www.virustotal.com/en/ip-address/107.180.2.25/information/
> https://www.virustotal.com/en/url/675e06468e5e2cc36e595c9c688d41b1bba8442c4add2fec27b7d3cc3c3364d9/analysis/

unbunt .com: 5.153.24.46: https://www.virustotal.com/en/ip-address/5.153.24.46/information/
> https://www.virustotal.com/en/url/173b1f33972760bfc9c4c638f77ea631b0cdfe917082b4a72a3b5739026a3e79/analysis/

:fear::fear: :mad:

AplusWebMaster
2017-04-28, 16:25
FYI...

Fake 'Secure email' SPAM - delivers Trickbot
- https://myonlinesecurity.co.uk/more-trickbot-banking-trojan-delivered-by-fake-hmrc-secure-email-communication-malspam-emails/
28 Apr 2017 - "An email with the subject of 'Secure email communication' pretending to come from HM Revenue & Customs <GSRPCommunication@ govsecure .co.uk> with a malicious word doc attachment... delivering Trickbot banking Trojan... criminals sending these have registered various domains that look like genuine HMRC domains... So far we have found
govsecure .co.uk
gov-secure .co.uk
... they are registered via Godaddy as registrar and the emails are sent via City Network Hosting AB Sweden 89.46.82.3, 89.46.82.2, 89.42.141.46, 89.40.217.178, 89.40.217.179, 89.40.217.185 ...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/04/spoofed-HMRC-secure-email-communication.png

Unsuccessful_Payments_Documents.doc - Current Virus total detections 3/56*. Payload Security** shows a download via powershell from http ://elevationstairs .ca/fonts/60c5776c175c54d2.png which of course is
-not- an image file but a renamed .exe (VirusTotal 8/61***) (Payload Security [4])... This email attachment contains what appears to be a genuine word doc or Excel XLS spreadsheet with either a macro script or an embedded OLE object that when run will infect you... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/ea6f0f070be09b214ee2bb50dbfef624f5971b8733bdd523103f8a8ab8763647/analysis/1493381297/

** https://www.hybrid-analysis.com/sample/ea6f0f070be09b214ee2bb50dbfef624f5971b8733bdd523103f8a8ab8763647?environmentId=100
Contacted Hosts
70.33.246.140
107.22.214.64
184.160.113.13
217.31.111.153

*** https://www.virustotal.com/en/file/f7a0492425d3012143ad11a6b54f6c80c52bc53531e8e0a7bf4031c9eae9a8ef/analysis/1493382383/

4] https://www.hybrid-analysis.com/sample/f7a0492425d3012143ad11a6b54f6c80c52bc53531e8e0a7bf4031c9eae9a8ef?environmentId=100

elevationstairs .ca: 70.33.246.140: https://www.virustotal.com/en/ip-address/70.33.246.140/information/
> https://www.virustotal.com/en/url/e86df51b952a65380429931377b6d7b5a51eb7f56dd0375a4331679178c2c048/analysis/
___

Intrusions - Multiple Victims across Multiple Sectors
- https://www.us-cert.gov/ncas/alerts/TA17-117A
April 27, 2017 - "... Overview:
The National Cybersecurity and Communications Integration Center (NCCIC) has become aware of an emerging sophisticated campaign, occurring since at least May 2016, that uses multiple malware implants. Initial victims have been identified in several sectors, including Information Technology, Energy, Healthcare and Public Health, Communications, and Critical Manufacturing.
According to preliminary analysis, threat actors appear to be leveraging stolen administrative credentials (local and domain) and certificates, along with placing sophisticated malware implants on critical systems. Some of the campaign victims have been IT service providers, where credential compromises could potentially be leveraged to access customer environments. Depending on the defensive mitigations in place, the threat actor could possibly gain full access to networks and data in a way that appears legitimate to existing monitoring tools.
Although this activity is still under investigation, NCCIC is sharing this information to provide organizations information for the detection of potential compromises within their organizations.
NCCIC will update this document as information becomes available.
For a downloadable copy of this report and listings of IOCs, see:
> https://www.us-cert.gov/sites/default/files/publications/IR-ALERT-MED-17-093-01C.xlsx
IOCs (.xlsx)
61.97.241.239 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-address/61.97.241.239/information/
103.208.86.129 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-address/103.208.86.129/information/
109.237.108.202 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-address/109.237.108.202/information/
109.237.111.175 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-address/109.237.111.175/information/
109.248.222.85 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-address/109.248.222.85/information/
95.47.156.86 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-address/95.47.156.86/information/
162.243.6.98 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-address/162.243.6.98/information/
160.202.163.78 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-address/160.202.163.78/information/
86.106.102.3 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-address/86.106.102.3/information/
110.10.176.181 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-address/110.10.176.181/information/
185.133.40.63 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-address/185.133.40.63/information/
185.14.185.189 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-address/185.14.185.189/information/
95.183.52.57 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-address/95.183.52.57/information/
185.117.88.78 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-address/185.117.88.78/information/
185.117.88.77 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-address/185.117.88.77/information/
185.117.88.82 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-address/185.117.88.82/information/
109.237.108.150 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-address/109.237.108.150/information/
211.110.17.209 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-address/211.110.17.209/information/
81.176.239.56 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-address/81.176.239.56/information/
151.236.20.16 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-address/151.236.20.16/information/
107.181.160.109 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-address/107.181.160.109/information/
151.101.100.73 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-address/151.101.100.73/information/
158.255.208.170 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-address/158.255.208.170/information/
158.255.208.189 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-address/158.255.208.189/information/
158.255.208.61 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-address/158.255.208.61/information/
160.202.163.79 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-address/160.202.163.79/information/
160.202.163.82 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-address/160.202.163.82/information/
160.202.163.90 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-address/160.202.163.90/information/
160.202.163.91 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-address/160.202.163.91/information/
185.117.88.81 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-address/185.117.88.81/information/
185.141.25.33 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-address/185.141.25.33/information/
31.184.198.23 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-address/31.184.198.23/information/
31.184.198.38 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-address/31.184.198.38/information/
92.242.144.2 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-address/92.242.144.2/information/
183.134.11.84 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-address/183.134.11.84/information/

> https://www.helpnetsecurity.com/2017/04/28/long-standing-attack-campaign/
April 28, 2017
___

Mac's - OSX.Dok malware intercepts web traffic
> https://blog.malwarebytes.com/threat-analysis/2017/04/new-osx-dok-malware-intercepts-web-traffic/
April 28, 2017 - "Most Mac malware tends to be unsophisticated. Although it has some rather unpolished and awkward aspects, a new piece of Mac malware, dubbed 'OSX.Dok', breaks out of that typical mold. OSX.Dok, which was discovered by Check Point*, uses sophisticated means to monitor — and potentially alter — all HTTP and HTTPS traffic to and from the infected Mac. This means that the malware is capable, for example, of capturing account credentials for any website users log into, which offers many opportunities for theft of cash and data. Further, OSX.Dok could modify the data being sent and received for the purpose of -redirecting- users to malicious websites in place of legitimate ones...
* http://blog.checkpoint.com/2017/04/27/osx-malware-catching-wants-read-https-traffic/
Distribution method: OSX.Dok comes in the form of a file named Dokument.zip, which is found being -emailed- to victims in -phishing- emails. Victims primarily are located in Europe...
Removal: Removal of the malware can be accomplished by simply removing the two aforementioned LaunchAgents files, but there are many leftovers and modifications to the system that -cannot- be as easily reversed...
Consumers: Malwarebytes Anti-Malware for Mac will detect the important components of this malware as OSX.Dok, disabling the active infection. However, when it comes to the other changes that are not easily reversed, which introduce vulnerabilities and potential behavior changes, additional measures will be needed. For people who don’t know their way around in the Terminal and the arcane corners of the system, it would be wise to seek the assistance of an expert, or erase the hard drive and restore the system from a backup made prior to infection.
Businesses: The impact on business could be much more severe, as it could expose information that could allow an attacker to gain access to company resources. For example, consider the potential damage if, while infected, you visited an internal company page that provided instructions for how to connect to the company VPN and access internal company services. The malware would have sent all that information to the malicious proxy server. If you have been infected by this malware in a business environment, you should consult with your IT department, so they can be aware of the risks and begin to mitigate them."
(More detail at the malwarebytes -and- checkpoint URL's above.)

:fear::fear: :mad:

AplusWebMaster
2017-05-01, 14:50
FYI...

Fake 'MoneyGram' SPAM - delivers new java Adwind
- https://myonlinesecurity.co.uk/new-guidelines-from-moneygram-malspam-delivers-a-brand-new-java-adwind-version/
1 May 2017 - "... -fake- financial themed emails containing java adwind or Java Jacksbot attachments... previously mentioned many of these HERE[1]... Today’s has a slightly different subject and email content to previous ones...
1] https://myonlinesecurity.co.uk/?s=java+adwind

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/05/New-Guidelines-From-MoneyGram.png

Updated Guidelines from MG.jar (480 kb) - Current Virus total detections 2/58*. MALWR **... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/f1b44b5fd4f7e595cc4aea006504286add9f7c0997f7d1540172af9e3e0d46fa/analysis/1493604843/

** https://malwr.com/analysis/YmU5OTliZjNmYjQ3NDk3N2I1NTMyOTA1NTM5MWZjMjE/

:fear::fear: :mad:

AplusWebMaster
2017-05-02, 14:23
FYI...

Fake 'DHL' SPAM - js script
- http://blog.dynamoo.com/2017/05/malware-spam-dhl-shipment-458878382814.html
2 May 2017 - "... another -fake- DHL message leading to an evil .js script.
From: DHL Parcel UK [redacted]
Sent: 02 May 2017 09:30
To: [redacted]
Subject: DHL Shipment 458878382814 Delivered
You can track this order by clicking on the following link:
https ://www .dhl .com/apps/dhltrack/?action=track&tracknumbers=458878382814&language=en&opco=FDEG&clientype=ivother
Please do not respond to this message. This email was sent from an unattended mailbox. This report was generated at approximately 08:15 am CDT on 02/05/2017.
All weights are estimated.
The shipment is scheduled for delivery on or before the scheduled delivery displayed above. DHL does not determine money-back guarantee or delay claim requests based on the scheduled delivery. Please see the DHL Service Guide for terms and conditions of service, including the DHL Money-Back Guarantee, or contact your DHL customer support representative.
This tracking update has been sent to you by DHL on behalf of the Requestor [redacted]. DHL does not validate the authenticity of the requestor and does not validate, guarantee or warrant the authenticity of the request, the requestor's message, or the accuracy of this tracking update.
Standard transit is the date the package should be delivered by, based on the selected service, destination, and ship date. Limitations and exceptions may apply. Please see the DHL Service Guide for terms and conditions of service, including the DHL Money-Back Guarantee, or contact your DHL Customer Support representative.

In this case the link goes to parkpaladium .com/DHL24/18218056431/ and downloads a file
DHL-134843-May-02-2017-55038-8327373-1339347112.js . According to Malwr* and Hybrid Analysis** the script downloads a binary from
micromatrices .com/qwh7zxijifxsnxg20mlwa/ (77.92.78.38 - UK2, UK) and then subsequently attempts communication with
75.25.153.57 (AT&T, US)
79.170.95.202 (XL Internet Services, Netherlands)
87.106.148.126 (1&1, Germany)
78.47.56.162 (Mediaforge, Germany)
81.88.24.211 (dogado GmbH, Germany)
92.51.129.235 (Host Europe, Germany)
74.50.57.220 (RimuHosting, US)
The dropped binary has a VirusTotal detection rate of 10/60***.
Recommended blocklist:
77.92.78.38
75.25.153.57
79.170.95.202
87.106.148.126
78.47.56.162
81.88.24.211
92.51.129.235
74.50.57.220 "
* https://malwr.com/analysis/ODdmNWU5YmFjMjNlNDRjZjkyOGVmMjQyOTA1ZjM3MjM/
Hosts
77.92.78.38
79.170.95.202

** https://www.hybrid-analysis.com/sample/5d557b2dfac6b3a67f1d03667fcf7abfb0af4deb2394f05a8fd19336b0964f81?environmentId=100
Contacted Hosts
77.92.78.38
75.25.153.57
79.170.95.202
87.106.148.126
78.47.56.162
81.88.24.211
92.51.129.235
74.50.57.220

*** https://virustotal.com/en/file/33f310fa91d0fcf03b09c2bd97e0cabd6b8aa79ad43cc22ce61fb652fad888f8/analysis/1493719562/
mlgih3wgw.exe
___

Fake 'Secure email' SPAM - delivers Trickbot
- https://myonlinesecurity.co.uk/fake-companies-house-secure-email-message-malspam-delivers-trickbot-banking-trojan/
2 May 2017 - "An email with the subject of 'Secure email message' pretending to come from Companies House but actually coming from a look alike domain <noreply@ cp-secure-message .co.uk> with a malicious word doc attachment is today’s latest spoof of a well known company, bank or public authority delivering Trickbot banking Trojan...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/05/spoofed-companies-house-secure-message.png

SecureMessage.doc - Current Virus total detections 5/55*. Payload Security** shows a download from
http ://gestionbd .com/fr/QMjJrcCrHGW9sb6uF.png which of course is -not- an image file but a renamed .exe file that gets renamed to Epvuyf.exe and autorun (VirusTotal 8/61***)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/406047bbbad09cafeb623eb2c1057441ae6db7f19f630acf9a02f9c48e7f40a7/analysis/1493724795/

** https://www.hybrid-analysis.com/sample/406047bbbad09cafeb623eb2c1057441ae6db7f19f630acf9a02f9c48e7f40a7?environmentId=100
Contacted Hosts
216.138.226.110
50.19.97.123
186.208.111.188
82.146.94.86

*** https://www.virustotal.com/en/file/c7a3123a5cff9c78e2fd926c6800a6c6431c8bca486ce11319a9a8f6fa83945c/analysis/1493725297/
Epvuyf.exe

gestionbd .com: 216.138.226.110: https://www.virustotal.com/en/ip-address/216.138.226.110/information/
> https://www.virustotal.com/en/url/60154eaa5028672df85caf0541bb5c537943b2b4f4d14a4d2305b3a0e8215290/analysis/
___

Cerber Ransomware - evolution
- http://blog.trendmicro.com/trendlabs-security-intelligence/cerber-ransomware-evolution/
May 2, 2017 - "... enterprises and individual users alike are taking the brunt, with the U.S. accounting for much of Cerber’s impact. We’ve also observed Cerber’s adverse impact among organizations in education, manufacturing, public sector, technology, healthcare, energy, and transportation industries:
Top countries affected by Cerber:
> https://blog.trendmicro.com/trendlabs-security-intelligence/files/2017/04/cerber6-1.jpg
Infection chain of Cerber Version 6:
> https://blog.trendmicro.com/trendlabs-security-intelligence/files/2017/04/cerber6-2.jpg
Adding a time delay in the attack chain enables Cerber to elude traditional sandboxes, particularly those with time-out mechanisms or that wait for the final execution of the malware. Other JS files we saw ran powershell.exe (called by wscript.exe) whose parameter is a PowerShell script — the one responsible for downloading the ransomware and executing it in the system:
Sample Cerber 6-carrying spam email posing as a public postal service agency:
> https://blog.trendmicro.com/trendlabs-security-intelligence/files/2017/04/cerber6-4.jpg
... Cerber was updated with the capability to integrate the infected system into botnets, which were employed to conduct distributed denial of service (DDoS) attacks. By July, a spam campaign was seen abusing cloud-based productivity platform Office 365 through Office documents embedded with a malicious macro that downloads and helps execute the ransomware. Exploit kits are also a key element in Cerber’s distribution. Cerber-related malvertising campaigns were observed in 2016 diverting users to Magnitude, Rig, and Neutrino — which has since gone private — exploit kits that target system or software vulnerabilities. This year, we’re seeing relatively new player Sundown exploit kit joining the fray... Cerber’s distribution methods remain consistent, we’ve seen newer variants delivered as self-extracting archives (SFX package) containing malicious Visual Basic Script (.VBS) and Dynamic-link library (.DLL) files that execute a rather intricate attack chain compared to other versions... it’s one of the signs of things to come for Cerber. It is not far-fetched for Cerber to emulate how Locky constantly changed email file attachments in its spam campaigns by expanding arrival vectors beyond JS files and PowerShell scripts — from JScript to HTML Application (.HTA) and compressed binary files (.BIN) — and exploiting file types that aren’t usually used to deliver malware... we’re currently seeing .HTA files being leveraged by a campaign that uses Cerber as payload. Our initial analysis indicates that the campaign, which we began monitoring by the third week of April, appears to be targeting Europe. We also found the same campaign attacking two Latin American countries. This campaign is notable for displaying Cerber’s ransom note in the local language of the infected system. It uses an .HTA file to show the online message/ransom note as well as detect the local language to be displayed...
Cerber’s evolution reflects the need for organizations and end users to be aware of today’s constantly evolving threats. End users risk losing money and their important personal files to ransomware; it also threatens organizations’ business operations, reputation, and bottom line. While there is no silver bullet against ransomware, keeping systems up-to-date, taking caution against unsolicited and suspicious emails, regularly backing up important files, and cultivating a culture of cybersecurity in the workplace are just some of the best practices for defending against ransomware. IT/system administrators and information security professionals can further defend their organization’s perimeter by incorporating additional layers of security against suspicious files, processes, applications, and network activity that can be exploited and leveraged by ransomware. Users and businesses can also benefit from a multilayered approach to security that covers the gateway, endpoints, networks, and servers..."
(More detail at the trendmicro URL above.)

:fear::fear: :mad:

AplusWebMaster
2017-05-04, 14:38
FYI...

Fake 'PAYMENT' SPAM - delivers malware
- https://myonlinesecurity.co.uk/fake-payment-for-message-malspam-using-cve-2017-0199-word-rtf-embedded-ole-link-exploit/
4 May 2017 - "An email with the subject of 'PAYMENT FOR YAREED' (I am assuming random names) coming from random names and email addresses with a malicious word doc attachment delivers some sort of malware via the CVE-2017-0199 word/rtf embedded ole -link- exploit...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/05/payment-for-yareed.png

PO NO- YAREED-2017.doc (30kb) - Current Virus total detections 16/56*. Payload Security** shows a download of an hta file from
http ://alguemacultural .com/enessss.hta (VirusTotal 0/52***) (Payload Security[4])
The smaller second word doc also contacts the -same- location & downloads the -same- file
PO NO- YAREED-2017.doc (7kb) - Current Virus total detections 16/55[5] | Payload Security[6]
... The hta file is an executable html file that internet explorer -will- run... which is an encoded powershell script... which when decoded looks like this which downloads the genuine putty.exe from
https ://the.earth .li/~sgtatham/putty/0.68/w32/putty.exe which is -renamed- to nextobad.exe and autorun...
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/ac0c4b55b64960a3f12d15b187a1c3b02133386403273e49fede5410a6a08364/analysis/1493869646/

** https://www.hybrid-analysis.com/sample/ac0c4b55b64960a3f12d15b187a1c3b02133386403273e49fede5410a6a08364?environmentId=100
Contacted Hosts
174.136.152.24

*** https://www.virustotal.com/en/file/929085964ac7790c053459956b14ffd1989cf5c0747a2492a9022175a5f1cdd0/analysis/1493870176/

4] https://www.hybrid-analysis.com/sample/929085964ac7790c053459956b14ffd1989cf5c0747a2492a9022175a5f1cdd0?environmentId=100
Contacted Hosts
46.43.34.31

5] https://www.virustotal.com/en/file/8cbcef785070fae647fb8da14f00163a092baaeae6400edf8bfff38826fb56fd/analysis/1493869660/

6] https://www.hybrid-analysis.com/sample/8cbcef785070fae647fb8da14f00163a092baaeae6400edf8bfff38826fb56fd?environmentId=100
Contacted Hosts
174.136.152.24

alguemacultural .com: 174.136.152.24: https://www.virustotal.com/en/ip-address/174.136.152.24/information/
> https://www.virustotal.com/en/url/fcbb860aca0712315319a6ddd6c8310c2b05a7f78deb4c1672a409e42e78dfbf/analysis/

the.earth .li: 46.43.34.31: https://www.virustotal.com/en/ip-address/46.43.34.31/information/
> https://www.virustotal.com/en/url/873212d4f1d1fda21d5fc17058d4344e708dbcf787fcb94901dca4fa6beffaa1/analysis/
___

Fake 'document' SPAM - delivers malware
- https://myonlinesecurity.co.uk/open-the-attachment-to-view-the-document-malspam-delivers-a-multitude-of-malware/
4 May 2017 - "... An email with the subject using -random- characters pretending to come from somebody that the recipient knows with a-link-to -download- a malicious word doc that delivers some sort of multi-stage malware...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/05/DRQ-03681348.png

ZPDML-36-45320-document-May-04-2017.doc - Current Virus total detections 7/56*. Payload Security** shows a download from -numerous- different locations via powershell which gives 23905.exe (VirusTotal ***) (Payload Security[4])... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/040e61e10a7a85c23041c1f0e4635dd2ea9307787eb17e88f80372529e9209d5/analysis/1493873579/

** https://www.hybrid-analysis.com/sample/040e61e10a7a85c23041c1f0e4635dd2ea9307787eb17e88f80372529e9209d5?environmentId=100
Contacted Hosts
188.65.115.184
75.25.153.57
79.170.95.202
87.106.148.126
78.47.56.162
81.88.24.211
92.51.129.235

*** https://www.virustotal.com/en/file/98e6c8b2db8590098026d3cc6a2e989fe0ad5ea7dcc2be117da686ed6947db4a/analysis/1493852073/

4] https://www.hybrid-analysis.com/sample/98e6c8b2db8590098026d3cc6a2e989fe0ad5ea7dcc2be117da686ed6947db4a?environmentId=100
Contacted Hosts
75.25.153.57
79.170.95.202
87.106.148.126
78.47.56.162
81.88.24.211
92.51.129.235
74.50.57.220
139.59.33.202
___

Fake 'BACs Documents' SPAM - delivers Trickbot
- https://myonlinesecurity.co.uk/fake-lloyds-bank-important-bacs-documents-malspam-delivers-trickbot-banking-trojan/
4 May 2017 - "An email with the subject of 'Important BACs Documents' pretending to come from Lloyds Bank but actually coming from a look-a-like domain <secure@ lloydsbankdocuments .com> with a malicious word doc attachment... delivering Trickbot banking Trojan...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/05/lloyds-bank-Important-BACS-documents.png

BACs.doc - Current Virus total detections 6/56*. Payload Security** shows a download from
http ://www .247despatch .co.uk/grabondanods.png which of course is -not- an image file but a renamed .exe file that gets renamed to Gehsp.exe and autorun (VirusTotal 12/61***)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/7f4d124186af002f309d6cd3a8f338c145f56f7c5ffab5af2fb1b1f293c4e61c/analysis/1493896398/

** https://www.hybrid-analysis.com/sample/7f4d124186af002f309d6cd3a8f338c145f56f7c5ffab5af2fb1b1f293c4e61c?environmentId=100
Contacted Hosts
91.102.64.132
50.19.97.123
200.116.206.58
91.247.36.80
91.219.28.71
91.247.36.79

*** https://www.virustotal.com/en/file/10e93082a97d64e3215c9338142cfbd3bc95c533c5cb5aa7e0b7a7f4ec1b3ef7/analysis/1493896665/

247despatch .co.uk: 91.102.64.132: https://www.virustotal.com/en/ip-address/91.102.64.132/information/
> https://www.virustotal.com/en/url/891c5026c6cde34775e46e566f6eaba20377e7be30f78ffee77565a387496ed9/analysis/
___

Fake multiple subjects/attachments SPAM - delivers Trojan via js files
- https://myonlinesecurity.co.uk/massive-malspam-campaign-delivering-ursnif-banking-trojan-via-js-files/
4 May 2017 - "... There have been numerous -different- subjects and campaign themes... some of them here:
'Our reference: 733092244' pretending to come from Eli Murchison <Hughchaplin@ yahoo .de>
'Hotel booking confirmation (Id:022528)' pretending to come from Booking <noreply@ sgs.bookings .com>
'DHL Shipment Notification : 0581957002' pretending to come from DHL Customer Support <support@ dhl .com>
'Re: img' pretending to come from seisei-1@ yahoo .de
'scan' pretending to come from stephen@ arrakis .es
Some of the file attachment names, -all- extracting to .js files, include:
reservation details 9I2XIIWTM.zip (VirusTotal [1]| Payload Security[2])
info-DOMESTIC_EXPRESS Pickup Date2017-05-04.zip (VirusTotal [3]| Payload Security[4])
img-A34401586965107279 jpeg.zip (VirusTotal [5]| Payload Security[6])
CCPAY9196902168.zip (VirusTotal [7]| Payload Security[8])
Scan P.1 0967945763.zip which is slightly different because it extracts -2- different .js files
(VirusTotal[9]| Payload Security[10]) (VirusTotal[11]| Payload Security[12])

Screenshots[1]: https://myonlinesecurity.co.uk/wp-content/uploads/2017/05/Hotel-booking-confirmation-Id-022528.png

2] https://myonlinesecurity.co.uk/wp-content/uploads/2017/05/Our-reference-733092244.png

3] https://myonlinesecurity.co.uk/wp-content/uploads/2017/05/DHL-Shipment-Notification-0581957002.png

4] https://myonlinesecurity.co.uk/wp-content/uploads/2017/05/re_img.png

5] https://myonlinesecurity.co.uk/wp-content/uploads/2017/05/birch_scan.png

-All- of these download the -same- malware from
http ://horcor .com/ese.tf -or-
http ://www .nemcicenadhanou .cz/nvdtime.prs which are -renamed- .exe files that are -renamed- to an .exe file and autorun (VirusTotal[13]| Payload Security[14])... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
1] https://www.virustotal.com/en/file/492a3e850bc98fb78038ae391b55fe6b4e675c06d89462ba65f8d86fd4bd966f/analysis/1493904287/

2] https://www.hybrid-analysis.com/sample/492a3e850bc98fb78038ae391b55fe6b4e675c06d89462ba65f8d86fd4bd966f?environmentId=100

13] https://www.virustotal.com/en/file/cbe692191547918894975784a02015b409923cfcda0ddb82b9331fecaa8e39f6/analysis/1493900783/

14] https://www.hybrid-analysis.com/sample/cbe692191547918894975784a02015b409923cfcda0ddb82b9331fecaa8e39f6?environmentId=100

horcor .com: 47.91.92.64: https://www.virustotal.com/en/ip-address/47.91.92.64/information/
> https://www.virustotal.com/en/url/aac5bd53e5e0237b314ed5bb3f666e5aa7715a31ee4c0f635dd7f98e0719d426/analysis/
Malicious site

nemcicenadhanou .cz: Could not find an IP address for this domain name. [May have been taken down...]

:fear::fear: :mad:

AplusWebMaster
2017-05-08, 16:09
FYI...

Fake 'Payment Advice' SPAM - delivers malware
- https://myonlinesecurity.co.uk/fake-hsbc-payment-advice-delivers-malware/
8 May 2017 - "... an email with the subject of 'FW: Payment Advice – Advice Ref:[G32887529930] / Priority payment / Customer Ref:[03132394]' pretending to come from HSBC Advising Service <050717.advisingservice@ mail .com>....

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/05/fake-HSBC-Payment-Advice-email.png

Payment_Advice.zip: Extracts to: Payment_Advice.scr - Current Virus total detections 32/62*. MALWR**...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/e03a5b3a345ea4ccc2b7253fc01835cd7d712ec606bd2a4f884f68c9ccdbb07a/analysis/1494218279/

** https://malwr.com/analysis/ZGM1MWIxNzhhNGM5NDIxZDk2MDE1MzQwYTlmZGRkMzQ/
___

Fake 'update your mailbox' - phish
- https://myonlinesecurity.co.uk/fake-live-com-update-your-mailbox-phishing-scam/
8 May 2017 - "... pretends to be a message from 'Email Support' to 'Update Your Mailbox'. Of course these do -not- come from Microsoft or Live .com but are -spoofed- to appear to come from them...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/05/email-support-phishing-email.png

If you follow the link inside the email you see a webpage looking like this:
http ://www.mir-holoda .by/pic/fanc/en-gb/?email=jeremiah@ thespykiller .co.uk (where the email address the email was sent to is automatically inserted):
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/05/mailbox1.png

After you input your password, you first get get told “checking details” then “incorrect details” and forwarded to an almost identical looking page where you can put it in again:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/05/mailbox2.png

> https://myonlinesecurity.co.uk/wp-content/uploads/2017/05/mailbox3.png

> https://myonlinesecurity.co.uk/wp-content/uploads/2017/05/mailbox4.png

... Don’t assume that all attempts are obvious. Watch for any site that invites you to enter ANY personal or financial information..."

mir-holoda .by: 91.149.189.125: https://www.virustotal.com/en/ip-address/91.149.189.125/information/
> https://www.virustotal.com/en/url/5d762b4dce094fdbe50e4bc6c622a32f5b6e5ac28365f1cee12f46cd98248c26/analysis/

:fear::fear: :mad:

AplusWebMaster
2017-05-10, 21:55
FYI...

Fake 'Loan Program' SPAM - delivers js malware
- https://myonlinesecurity.co.uk/fake-hsbc-bank-24086-loan-program-notification-malspam-delivers-hancitor/
10 May 2017 - "... an email with the subject of 'HSBC Bank – 24086 Loan Program Notification' coming from noreply9@ creditsupport .gdn which delivers what looks like hancitor malware...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/05/HSBC-Bank-24086-Loan-Program-Notification.png

report_24086.7z: Extracts to: order_case_713b0e2.js - Current Virus total detections 2/57*. Payload Security** shows a download from
http ://dacsanmiennuiphiabac .com/me.php?ff1 which delivers iscsmcbu .exe (VirusTotal 5/61***)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/dbc536576aa3fc0d7eebe6bc22b631bc5c6f3adefdd350e785492607c4c3c146/analysis/1494433995/

** https://www.hybrid-analysis.com/sample/dbc536576aa3fc0d7eebe6bc22b631bc5c6f3adefdd350e785492607c4c3c146?environmentId=100
Contacted Hosts
103.28.38.73

*** https://www.virustotal.com/en/file/9e85a91495ef258342536997a44057c250e52807264efac1452c01b4decd58a8/analysis/1494423788/

dacsanmiennuiphiabac .com: 103.28.38.73: https://www.virustotal.com/en/ip-address/103.28.38.73/information/
> https://www.virustotal.com/en/url/ca603998b34bec960422028efbf9b26c0d72319a5020f065e9a96593af3acaab/analysis/

:fear::fear: :mad:

AplusWebMaster
2017-05-11, 13:55
FYI...

Fake 'pdf attachment' SPAM - delivers Locky/Dridex
- https://myonlinesecurity.co.uk/more-malware-via-embedded-word-macro-docs-in-pdf-attachments/
11 May 2017 - "... well used email template with subjects varying from with literally hundreds if not thousands of subjects. These generally deliver either Locky ransomware or Dridex banking Trojan.
File_69348406
PDF_9859
Scan_2441975
Document_11048
Copy_9762
They -all- have a pdf attachment that drops a word doc with macros... all downloads from these locations which delivers an encrypted txt file that should be converted by the macro to a working.exe file but Payload security.... doesn’t seem able to convert it...
wipersdirect .com/f87346b
tending .info/f87346b
julian-g .ro/f87346b
I am being told this is a -new- ransomware called jaff ransomware*...
* https://twitter.com/siri_urz/status/862586080507424769
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."

wipersdirect .com: 108.165.22.125: https://www.virustotal.com/en/ip-address/108.165.22.125/information/
> https://www.virustotal.com/en/url/4af19b101d71b3b1793bb5a9891255f9e9cb9b2c7350456b16c27e7fdc049ec3/analysis/

tending .info: 80.75.98.151: https://www.virustotal.com/en/ip-address/80.75.98.151/information/

julian-g .ro: 86.35.15.215: https://www.virustotal.com/en/ip-address/86.35.15.215/information/
> https://www.virustotal.com/en/url/460550031840544495007293738e401fc1ac5c196d7a208dc8943b797e182654/analysis/
___

Fake 'DHL Statements' SPAM - delivers js malware
- https://myonlinesecurity.co.uk/fake-dhl-statements-x-requests-required-delivers-malware/
11 May 2017 - "... an email with the subject of '6109175302 Statements x Requests Required' (random numbers) pretending to come frombgyhub@ dhl .com with a zip attachment containing -2- differently named .js files which delivers some sort of malware...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/05/6109175302-Statements-x-Requests-Required.png

TYPE OF GOODS_DECLARATION.zip: Extracts to: DECLARATION (FORM).PDF.js -and- TYPE OF GOODS DOC.pdf.js
Current Virus total detections [1] [2]: Payload Security [3] [4] shows a download from one or both of these locations:
http ://schuetzen-neusalz .de/images/banners/gbfont.se -or- http ://wersy .net/cuts.vs which is renamed and autorun by the script (VirusTotal [5]) (Payload Security[6])... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
1] https://www.virustotal.com/en/file/36bd26e5331c26f7bc94e5ffa51dfd4db9356d74d885aa5f24d4c3b629b0ff1d/analysis/1494487534/

2] https://www.virustotal.com/en/file/a8aebcff27ec13c63f315e59a1c07d43775c06fc0470d684325c59ec7a938311/analysis/1494487531/

3] https://www.hybrid-analysis.com/sample/36bd26e5331c26f7bc94e5ffa51dfd4db9356d74d885aa5f24d4c3b629b0ff1d?environmentId=100

4] https://www.hybrid-analysis.com/sample/a8aebcff27ec13c63f315e59a1c07d43775c06fc0470d684325c59ec7a938311?environmentId=100

5] https://www.virustotal.com/en/file/292ee7922f4a74818cef9a92587352ba04e2ba54bd294158082cf7f43b68ffea/analysis/1494488118/

6] https://www.hybrid-analysis.com/sample/292ee7922f4a74818cef9a92587352ba04e2ba54bd294158082cf7f43b68ffea?environmentId=100

schuetzen-neusalz .de: 85.13.146.159: https://www.virustotal.com/en/ip-address/85.13.146.159/information/
> https://www.virustotal.com/en/url/45d1936234889a3bc28f34ba8da1789fd891160d0c08d7d71ffd3053e16cc5ce/analysis/

wersy .net: 217.29.53.99: https://www.virustotal.com/en/ip-address/217.29.53.99/information/
> https://www.virustotal.com/en/url/5d6c48a266adfa6f7500bb3522887b1efe787ebe6c69ec9cc556ceb476f0680e/analysis/
___

Malware spam with 'nm.pdf' attachment
- http://blog.dynamoo.com/2017/05/malware-spam-with-nmpdf-attachment.html
11 May 2017 - "Currently underway is a malicious spam run with various subjects, for example:
Scan_5902
Document_10354
File_43359
Senders are random, and there is -no- body text. In -all- cases there is a PDF attached named nm.pdf with an MD5 of D4690177C76B5E86FBD9D6B8E8EE23ED -or- 6B305C5B59C235122FD8049B1C4C794D (and possibly more). Detection rates at VirusTotal are moderate [1] [2].
The PDF file contains an embedded Word .docm macro document. Hybrid Analysis [3] [4] is partly successful, but it shows a run-time error for the malicious code, but it does demonstrate that malicious .docm file is dropped with a detection rate of 15/58[5].
Putting the .docm file back into Hybrid Analysis and Malwr [6] [7] shows the same sort of results, namely a download from:
easysupport .us/f87346b ...
UPDATE: A contact pointed out this Hybrid Analysis[X] which looks like basically the same thing, only in this sample the download seems to work. Note the references to "jaff" in the report, which -matches- this Tweet[8] about something called "Jaff ransomware".
That report also gives two other locations to look out for:
trialinsider .com/f87346b
fkksjobnn43 .org/a5/
This currently gives a recommended blocklist of:
47.91.107.213
trialinsider .com
easysupport .us "
1] https://virustotal.com/en/file/e148fd38f2958aa8b0a3f64dae50f917e2d7f8ccf43c1f3dcdc6a2d43f4825e5/analysis/1494492097/

2] https://virustotal.com/en/file/0ee0b1352929433076754e60b81e02f52210221587014192f0b5eb8ce764754e/analysis/1494492251/

3] https://www.hybrid-analysis.com/sample/e148fd38f2958aa8b0a3f64dae50f917e2d7f8ccf43c1f3dcdc6a2d43f4825e5?environmentId=100
Contacted Hosts
198.58.93.28 - easysupport .us
- https://www.virustotal.com/en/ip-address/198.58.93.28/information/
> https://www.virustotal.com/en/url/233771fefa810f782c9e468c7780d0a90938a961c81e547fd28e35556abde188/analysis/

4] https://www.hybrid-analysis.com/sample/0ee0b1352929433076754e60b81e02f52210221587014192f0b5eb8ce764754e?environmentId=100
Contacted Hosts
198.58.93.28 - easysupport .us

5] https://virustotal.com/en/file/60446bc37e8930607008e6cae80015c2a6619f202ad1d73eab21ef9efd1765ed/analysis/1494492613/

6] https://www.hybrid-analysis.com/sample/60446bc37e8930607008e6cae80015c2a6619f202ad1d73eab21ef9efd1765ed?environmentId=100
198.58.93.28 - easysupport .us

> https://www.virustotal.com/en/url/233771fefa810f782c9e468c7780d0a90938a961c81e547fd28e35556abde188/analysis/

7] https://malwr.com/analysis/NjE5YjEyNDYxZjhlNDY4NDkzYmU5MWY1NjU5ZDViNzk/

8] https://twitter.com/malwrhunterteam/status/862597006363152385

X] https://www.hybrid-analysis.com/sample/5722daf5c0b91363808d46a2c5b93a8f70f0dadd94866148d1d77975ba04d211?environmentId=100
Contacted Hosts
107.154.168.227 - trialinsider .com
47.91.107.213 - fkksjobnn43 .org

trialinsider .com: 107.154.161.227: https://www.virustotal.com/en/ip-address/107.154.161.227/information/
> https://www.virustotal.com/en/url/5c3659006e0f307c18555e19eedf1c125be901eac71c90a81749085d1224291a/analysis/
107.154.168.227: https://www.virustotal.com/en/ip-address/107.154.168.227/information/
> https://www.virustotal.com/en/url/5c3659006e0f307c18555e19eedf1c125be901eac71c90a81749085d1224291a/analysis/

fkksjobnn43 .org: 47.91.107.213: https://www.virustotal.com/en/ip-address/47.91.107.213/information/
> https://www.virustotal.com/en/url/71dee4e8158ad9b66af439babc58cbd7f426efe533eecf43259d7d920a24e012/analysis/
___

Fake 'DHL' SPAM - delivers Trojan
- https://myonlinesecurity.co.uk/more-fake-dhl-fwd-dhl-redelivery-confirmation-malspam-delivering-ursnif-banking-trojan/
11 May 2017 - "... an email with the subject of 'Fwd: DHL Redelivery Confirmation #574068024996' (random numbers) pretending to come from random companies, names and email addresses with a semi-random named zip attachment which delivers Ursnif banking Trojan...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/05/fake-DHL-redelivery.png

request-redelivery-2017053299810.pdf.js - Current Virus total detections 1/57*. Payload Security** shows a download from one of both of these locations
http ://schuetzen-neusalz .de/images/banners/gbfont.se -or- http ://wersy .net/cuts.vs
which is -renamed- and autorun by the script (VirusTotal 9/62***) (Payload Security[4])... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/28c866cf8ba31738592d0cfde6f2069b6e7888be190169fbd1037ccb27f430e6/analysis/1494500118/

** https://www.hybrid-analysis.com/sample/28c866cf8ba31738592d0cfde6f2069b6e7888be190169fbd1037ccb27f430e6?environmentId=100

*** https://www.virustotal.com/en/file/292ee7922f4a74818cef9a92587352ba04e2ba54bd294158082cf7f43b68ffea/analysis/1494488118/

4] https://www.hybrid-analysis.com/sample/292ee7922f4a74818cef9a92587352ba04e2ba54bd294158082cf7f43b68ffea?environmentId=100

schuetzen-neusalz .de: 85.13.146.159: https://www.virustotal.com/en/ip-address/85.13.146.159/information/
> https://www.virustotal.com/en/url/45d1936234889a3bc28f34ba8da1789fd891160d0c08d7d71ffd3053e16cc5ce/analysis/

wersy .net: 217.29.53.99: https://www.virustotal.com/en/ip-address/217.29.53.99/information/
> https://www.virustotal.com/en/url/5d6c48a266adfa6f7500bb3522887b1efe787ebe6c69ec9cc556ceb476f0680e/analysis/
___

Fake 'invoice' SPAM - using docs with embedded ole objects
- https://myonlinesecurity.co.uk/ursnif-banking-trojan-delivered-by-fake-invoices-using-word-docs-with-embedded-ole-objects/
11 May 2017 - "... banking Trojans. This one is using a different delivery method to try to throw us off track... this has a word docx attachment that contains an embedded ole object that when you click on the blurry image in the word doc, thinking you are opening an invoice you actually open & run the embedded hidden .js file. This pretends to be an invoice coming from random senders:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/05/fake-invoice-word-doc-with-embedded-ole-object.png

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/05/gozi-invoice.png

7398219046.docx - Current Virus total detections 2/58*. Payload Security** shows the dropped .js file but doesn’t make it available for download. I had to get that manually (VirusTotal 1/55***) (Payload Security[4]) which shows
the same connections and download from one or both of these locations
http ://schuetzen-neusalz .de/images/banners/gbfont.se -or- http ://wersy .net/cuts.vs
which is renamed and autorun by the script (VirusTotal 9/62[5]) (Payload Security[6])... This email attachment contains what appears to be a genuine word doc or Excel XLS spreadsheet with either a macro script or an embedded OLE object that when run will infect you... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/70cf3c05dcba5b3cfaa1e00fed8b954606b797bdc88346338a3c231b5a2561d4/analysis/1494509580/

** https://www.hybrid-analysis.com/sample/70cf3c05dcba5b3cfaa1e00fed8b954606b797bdc88346338a3c231b5a2561d4?environmentId=100

** https://www.virustotal.com/en/file/654f98019add4fb6f3da484335a7ade915ee4d00dc99c0cdba37d9191620ed48/analysis/1494508789/

4] https://www.hybrid-analysis.com/sample/292ee7922f4a74818cef9a92587352ba04e2ba54bd294158082cf7f43b68ffea?environmentId=100

5] https://www.virustotal.com/en/file/292ee7922f4a74818cef9a92587352ba04e2ba54bd294158082cf7f43b68ffea/analysis/1494488118/

6] https://www.hybrid-analysis.com/sample/292ee7922f4a74818cef9a92587352ba04e2ba54bd294158082cf7f43b68ffea?environmentId=100

schuetzen-neusalz .de: 85.13.146.159: https://www.virustotal.com/en/ip-address/85.13.146.159/information/
> https://www.virustotal.com/en/url/45d1936234889a3bc28f34ba8da1789fd891160d0c08d7d71ffd3053e16cc5ce/analysis/

wersy .net: 217.29.53.99: https://www.virustotal.com/en/ip-address/217.29.53.99/information/
> https://www.virustotal.com/en/url/5d6c48a266adfa6f7500bb3522887b1efe787ebe6c69ec9cc556ceb476f0680e/analysis/
___

New ‘Jaff’ ransomware via Necurs ...
- https://blog.malwarebytes.com/cybercrime/2017/05/new-jaff-ransomware-via-necurs-asks-for-2-btc/
May 11, 2017 - "... yet another ransomware on the block, but contrary to the many copycats out there this one appears to be more serious and widespread since it is part of the Necurs spam campaigns... Jaff ransomware looks very identical to Locky in many ways: same distribution via the Necurs botnet, same PDF that opens up a Word document with a macro, and also similar payment page:
> https://blog.malwarebytes.com/wp-content/uploads/2017/05/email.png
...
> https://blog.malwarebytes.com/wp-content/uploads/2017/05/Jaff_decoy.png
... this is where the comparison ends, since the code base is different as well as the ransom itself. Jaff asks for an astounding 2 BTC, which is about $3,700 at the time of writing:
> https://blog.malwarebytes.com/wp-content/uploads/2017/05/encrypted.png
... the return of Locky after a short hiatus has not been as big as anticipated. The appearance of the Jaff ransomware may also take away some market shares from it."

:fear::fear: :mad:

AplusWebMaster
2017-05-12, 15:57
FYI...

Fake 'Scanned image' SPAM - delivers jaff ransomware
- https://myonlinesecurity.co.uk/scanned-image-malspam-with-pdf-attachment-delivers-jaff-ransomware/
12 May 2017 - "An email with the subject of 'Scanned image' coming or pretending to come from random email addresses with a pdf attachment that contains an embedded malicious word doc delivers jaff ransomware...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/05/scanned-image_pdf.png

20170512605164.pdf - which drops N5OSUHX.docm - Current Virus total detections [pdf*] [docm**]:
Payload Security [pdf...] [docm(4)] shows a download of an encrypted txt file from
http ://trebleimp .com/77g643 which is converted to by the macro to ratchet20.exe ... It also shows a connection to
http ://h552terriddows .com/a5/ which gives a created message...
>> Update: managed to get the ratchet20.exe file via:
> https://jbxcloud.joesecurity.org/analysis/268338/1/html - (VirusTotal [5]) (Payload Security[6])... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/07c7f31f49a80220787f67a8f7de5966509cde051927a880e6eb411b39b8221f/analysis/1494559929/

** https://www.virustotal.com/en/file/4c4580f7b858d06afd0eb9505cca1d5a5ae9600682ac485a267335797deb8a6b/analysis/1494562144/

4] https://www.hybrid-analysis.com/sample/4c4580f7b858d06afd0eb9505cca1d5a5ae9600682ac485a267335797deb8a6b?environmentId=100
Contacted Hosts
27.254.44.204
47.91.107.213

5] https://www.virustotal.com/en/file/03363f9f6938f430a58f3f417829aa3e98875703eb4c2ae12feccc07fff6ba47/analysis/1494559081/

6] https://www.hybrid-analysis.com/sample/03363f9f6938f430a58f3f417829aa3e98875703eb4c2ae12feccc07fff6ba47?environmentId=100

trebleimp .com: 27.254.44.204: https://www.virustotal.com/en/ip-address/27.254.44.204/information/
> https://www.virustotal.com/en/url/69cbfee07b358b46f10821bb118b13399ee6b1e1e9b62b01d33ac34c7774c8ba/analysis/

h552terriddows .com: 47.91.107.213: https://www.virustotal.com/en/ip-address/47.91.107.213/information/
> https://www.virustotal.com/en/url/5244852243c67bbc8ffdac22cf4ca2a7009209f4872ec7091f8948edcdcfcafd/analysis/
___

New ‘Jaff’ ransomware via Necurs ...
- https://blog.malwarebytes.com/cybercrime/2017/05/new-jaff-ransomware-via-necurs-asks-for-2-btc/
May 11, 2017 - "... yet another ransomware on the block, but contrary to the many copycats out there this one appears to be more serious and widespread since it is part of the Necurs spam campaigns... Jaff ransomware looks very identical to Locky in many ways: same distribution via the Necurs botnet, same PDF that opens up a Word document with a macro, and also similar payment page:
> https://blog.malwarebytes.com/wp-content/uploads/2017/05/email.png
...
> https://blog.malwarebytes.com/wp-content/uploads/2017/05/Jaff_decoy.png
... this is where the comparison ends, since the code base is different as well as the ransom itself. Jaff asks for an astounding 2 BTC, which is about $3,700 at the time of writing:
> https://blog.malwarebytes.com/wp-content/uploads/2017/05/encrypted.png
... the return of Locky after a short hiatus has not been as big as anticipated. The appearance of the Jaff ransomware may also take away some market shares from it."
___

U.K. Hospitals Hit - Widespread Ransomware Attack
- https://krebsonsecurity.com/2017/05/u-k-hospitals-hit-in-widespread-ransomware-attack/
May 12, 2017 - "At least 16 hospitals in the United Kingdom are being forced to divert emergency patients today after computer systems there were infected with ransomware... there are indications the malware may be spreading to vulnerable systems through a security hole in Windows that was recently patched by Microsoft:
Ransom note left behind on computers infected with the Wanna Decryptor ransomware strain.
Image: BleepingComputer
> https://krebsonsecurity.com/wp-content/uploads/2017/05/wanna-580x285.png
In a statement*, the U.K.’s National Health Service (NHS) said a number of NHS organizations had suffered ransomware attacks... According to CCN-CERT, that flaw is MS17-010**, a vulnerability in the Windows Server Message Block (SMB) service, which Windows computers rely upon to share files and printers across a local network. Malware that exploits SMB flaws could be extremely dangerous inside of corporate networks because the file-sharing component may help the ransomware spread rapidly from one infected machine to another..."
* https://www.digital.nhs.uk/article/1491/Statement-on-reported-NHS-cyber-attack

** https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
March 14, 2017

:fear::fear: :mad:

AplusWebMaster
2017-05-15, 13:35
FYI...

Indicators Associated With WannaCry Ransomware
- https://www.us-cert.gov/ncas/alerts/TA17-132A
Last revised: May 15, 2017 - "... According to numerous open-source reports, a widespread ransomware campaign is affecting various organizations with reports of tens of thousands of infections in as many as 74 countries, including the United States, United Kingdom, Spain, Russia, Taiwan, France, and Japan. The software can run in as many as 27 different languages. The latest version of this ransomware variant, known as WannaCry, WCry, or Wanna Decryptor, was discovered the morning of May 12, 2017, by an independent security researcher and has spread rapidly over several hours... Initial reports indicate the hacker or hacking group behind the WannaCry campaign is gaining access to enterprise servers either through Remote Desktop Protocol (RDP) compromise or through the exploitation of a critical Windows SMB vulnerability. Microsoft released a security update for the MS17-010* (link is external) vulnerability on March 14, 2017. Additionally, Microsoft released patches for Windows XP, Windows 8, and Windows Server 2003 (link is external) operating systems on May 13, 2017. According to open sources, one possible infection vector is via phishing emails...
* https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
March 14, 2017
The WannaCry ransomware received and analyzed by US-CERT is a loader that contains an AES-encrypted DLL. During runtime, the loader writes a file to disk named “t.wry”. The malware then uses an embedded 128-bit key to decrypt this file. This DLL, which is then loaded into the parent process, is the actual Wanna Cry Ransomware responsible for encrypting the user’s files. Using this cryptographic loading method, the WannaCry DLL is never directly exposed on disk and not vulnerable to antivirus software scans...
Precautionary measures to mitigate ransomware threats include:
- Ensure anti-virus software is up-to-date.
- Implement a data back-up and recovery plan to maintain copies of sensitive or proprietary data in a separate and secure location. Backup copies of sensitive data should not be readily accessible from local networks.
- Scrutinize -links- contained in -e-mails- and do -not- open -attachments- included in unsolicited e-mails.
- Only download software – especially free software – from sites you know and trust.
- Enable automated patches for your operating system and Web browser..."
(More detail at the us-cert URL at the top of this post.)

WannaCry/WannaCrypt Ransomware Summary
- https://isc.sans.edu/diary.html?storyid=22420
2017-05-15
___

> http://blog.talosintelligence.com/2017/05/wannacry.html#more
May 12, 2017 - "... Umbrella* prevents DNS resolution of the domains associated with malicious activity..."
* https://umbrella.cisco.com/
... aka 'OpenDNS' - FREE:
>> https://www.opendns.com/setupguide/#/?new=home-free

Test -after- setups: https://welcome.opendns.com/
___

Fake 'invoice' SPAM - delivers pdf attachment jaff ransomware
- https://myonlinesecurity.co.uk/more-fake-invoice-malspam-with-pdf-attachments-deliver-malware/
15 May 2017 - "An email pretending to be an invoice coming from random senders with a PDF attachment that drops a malicious macro enabled word doc...
Update: confirmed as Jaff ransomware (VirusTotal 5/61*) (Payload Security**)...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/05/fake-invoice_with-pdf-atatchment-malspam.png

... An alternative docm file that was extracted confirms it to be jaff ransomware downloads
ecuamiaflowers .com/hHGFjd encrypted txt (Payload Security[3]) (VirusTotal 13/56[4]) JoeSandbox[/5]... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/41bce3e382cee06aa65fbee15fd38f7187fb090d5da78d868f57c84197689287/analysis/1494846406/

** https://www.hybrid-analysis.com/sample/41bce3e382cee06aa65fbee15fd38f7187fb090d5da78d868f57c84197689287?environmentId=100
Contacted Hosts
47.91.107.213

3] https://www.hybrid-analysis.com/sample/061d0e161fd6e5755a2b024f8e527bbc8d458760a22b8df9967b99b0aa050387?environmentId=100
Contacted Hosts
107.180.14.32
47.91.107.213

4] https://www.virustotal.com/en/file/fdc0da7eb321a1f23dd2ee439c1b31b45e54e4789ae319c75fe6909c60e10496/analysis/1494844454/

5] https://jbxcloud.joesecurity.org/analysis/271421/1/html

ecuamiaflowers .com: 107.180.14.32: https://www.virustotal.com/en/ip-address/107.180.14.32/information/
> https://www.virustotal.com/en/url/b5250b9eba2fa4bace46c58e1c659b512dfbef4e5247fd11f2cc9eee13685814/analysis/

h552terriddows .com: 47.91.107.213: https://www.virustotal.com/en/ip-address/47.91.107.213/information/
> https://www.virustotal.com/en/url/5ca6385dbb9dc26d5cccb686c56b5006e0932e61f0be7c39857f883ed3b42c85/analysis/

:fear::fear: :mad:

AplusWebMaster
2017-05-16, 14:11
FYI...

Fake 'invoice' SPAM - downloads Cerber ransomware
- https://myonlinesecurity.co.uk/blank-email-with-fake-invoice-attachment-tries-to-deliver-malware/
16 May 2017 - "... an empty/blank email with the subject of 'Re: invoice 28769' coming or pretending to come from random companies, names and email addresses with a semi-random named zip attachment that contains another zip that in turn contains a .js file... downloads Cerber ransomware...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/05/invoice28769.png

... I am reliably informed[1] that with a couple of minor fixes to correct the malware developers mistakes this downloads Cerber ransomware from
hxxp ://mdnchdbde .pw/search.php which delivers a file 1 (VirusTotal 6/59*) (Payload Security**)... 'certain that they will fix it in the next malspam run. These criminal gangs often send a small spam run out to “test the waters” and when they don’t get any expected result they double check & fix the errors ready for the next spam run.

262647732.zip: extracts to 27000_packed.zip: which in turn Extracts to: 27000.js
Current Virus total detections 0/57[3]: Payload Security[4] Joebox[5] - none of the online sandboxes managed to get any download location or malware content from the .js file... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
1] https://twitter.com/Techhelplistcom/status/864350538112016385

* https://www.virustotal.com/en/file/6d20e82b54867ce147d8fad74f0724bff14964034dc7e25954656f93a4dde861/analysis/1494912080/

** https://www.hybrid-analysis.com/sample/6d20e82b54867ce147d8fad74f0724bff14964034dc7e25954656f93a4dde861?environmentId=100
Contacted Hosts (1088)

3] https://www.virustotal.com/en/file/0f46fbe418228d613f1f327b66eb09726fe8d903abdc1e3f2b774c61e7ff8909/analysis/1494910036/

4] https://www.hybrid-analysis.com/sample/0f46fbe418228d613f1f327b66eb09726fe8d903abdc1e3f2b774c61e7ff8909?environmentId=100

5] https://jbxcloud.joesecurity.org/analysis/271922/1/html

mdnchdbde .pw: 35.163.27.202: https://www.virustotal.com/en/ip-address/35.163.27.202/information/
> https://www.virustotal.com/en/url/990f49f52cf2d78b1f679d73fe2ce9e4820537da3266013a5643fe4ac77f809c/analysis/
___

Fake 'pdf attachments' SPAM - delivers Jaff ransomware
- https://myonlinesecurity.co.uk/pdf-pretending-to-come-from-your-own-email-address-delivers-jaff-ransomware/
16 May 2017 - "... series of emails with pdf attachments that drops a malicious macro enabled word doc is an email with the subject of 'Emailing: 2650032.pdf' (random numbers) pretending to come from random names at your-own-email-address that delivers Jaff ransomware...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/05/Emailing-2650032_pdf.png

2650032.pdf - Current Virus total detections 8/54*: Payload Security**... drops EYRCUD.docm
(VirusTotal 8/59***) (Payload Security[4])... downloads an encrypted txt file from
http ://personalizar .net/Nbiyure3 which is converted by the script to galaperidol8.exe ... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/81263bf1012dc78c945d651d9c4b07c435292eeb23429d4fc8204c8606a2d565/analysis/1494926923/

** https://www.hybrid-analysis.com/sample/81263bf1012dc78c945d651d9c4b07c435292eeb23429d4fc8204c8606a2d565?environmentId=100
Contacted Hosts
81.88.57.70
47.91.107.213

*** https://www.virustotal.com/en/file/4702be698c3cdf98fa0a04a850da0e4259ca0a314b5594ab3320481211e0acfd/analysis/1494927173/

4] https://www.hybrid-analysis.com/sample/4702be698c3cdf98fa0a04a850da0e4259ca0a314b5594ab3320481211e0acfd?environmentId=100
Contacted Hosts
81.88.57.70
47.91.107.213

personalizar .net: 81.88.57.70: https://www.virustotal.com/en/ip-address/81.88.57.70/information/
> https://www.virustotal.com/en/url/2e5edab5b3ad92d75f5d066bc6ef435045ec9e077915b19dd3505581741774c2/analysis/

:fear::fear: :mad:

AplusWebMaster
2017-05-17, 15:06
FYI...

Fake 'Secure Message' SPAM - delivers trickbot
- https://myonlinesecurity.co.uk/fake-bankline-rsa-you-have-received-a-new-bankline-secure-message-delivers-trickbot/
17 May 2017 - "An email with the subject of 'You have received a new Bankline Secure Message' pretending to come from Bankline RSA but actually coming from a look-a-like domain Bankline RSA <SecureMessage@ banklinersa .co.uk> with a malicious word doc attachment... delivering Trickbot banking Trojan...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/05/fake-bankline-secure-message.png

... criminals sending these have registered various domains that look like genuine bank domains. Normally there are 3 or 4 newly registered domains that imitate the bank or some message sending service that can easily be confused with a legitimate organisation in some way that send these. So far we have only found 1 domain today banklinersa .co.uk. As usual they are registered via Godaddy as registrar and for a change the emails are sent via rackspace hosting not the usual citynetwork AB in Sweden. They are currently using IP numbers 104.130.29.210, 172.99.115.203, 172.99.115.216, 172.99.115.23, 104.239.169.15, 104.130.29.243, 104.130.29.245, 172.99.115.29...

SecureMessage.doc - Current Virus total detections 4/56*. Payload Security** downloads from
http ://ocysf .org/wp-content/GktpotdC7dyTH1aoroa.png which of course is -not- an image file but a renamed .exe file that gets -renamed- to a .exe and autorun (VirusTotal 10/60***)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/e2c6710d4d1b9aa22073404195644b43318b75fd35812dcb485407d92aaa4c68/analysis/1495019899/

** https://www.hybrid-analysis.com/sample/e2c6710d4d1b9aa22073404195644b43318b75fd35812dcb485407d92aaa4c68?environmentId=100
Contacted Hosts
50.87.146.185
107.22.214.64
95.104.2.225
192.157.238.15

*** https://www.virustotal.com/en/file/be8c214422ab283871308e1f5d6717b967c94399610a4a8f0639511a7a417132/analysis/1495019988/

ocysf .org: 50.87.146.185: https://www.virustotal.com/en/ip-address/50.87.146.185/information/
> https://www.virustotal.com/en/url/a2298a1f90996a32e704328b97f03835486a020fae99d4bd20b068e1e26d6f8a/analysis/
___

Adobe account - Phish
- https://myonlinesecurity.co.uk/adobe-account-phishing-scam-using-text-data-urls/
17 May 2017 - "... 'thought this was going to be some newer malware delivery method, but it is only -phishing- for email credentials, which of course is also extremely serious and very bad.
NOTE: This phishing scam only works in Google Chrome. Internet Explorer will not open data:text/html urls and gives a 'cannot display' page message. Firefox refuses to display anything - just a white screen with the original url in the address bar...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/05/Bank-Details-Adobe-phishing-email.png

This email has a genuine PDF attachment that contains a blurred out image of an invoice with the prompt to view the Secured PDF Online Document on Adobe:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/05/invoice1246_pdf.png
-If- you click on the blurred image you get a pop up warning about links. When you follow the link inside the pdf it sends you to http ://tiny .cc/tis7ky which immediately -redirects- to
http ://qualifiedplans .com/administrator/components/com_smartformer/plugins/tiny_mce/plugins/inlinepopups/skins/clearlooks2/img/phmho/
where it downloads/opens a data:text url that displays a web page on your computer -not- an external site looking like:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/05/timed_out.png
After you press OK you get what looks-like an Adobe Business sign in page with what looks-like a download button. I inserted the usual set of fake details & pressed download, expecting some sort of malware to appear, but no it just -bounced- me on to the genuine Adobe page while your stolen data is sent to http ://setas2016 .com/image/catalog/Katalog/files/pageConfig/PDF3/index/adobe.php
With a bit of digging around We have discovered the compete phish is also hosted on http ://setas2016 .com/image/catalog/Katalog/files/pageConfig ...
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/05/adobe_sign_in.png
The data:text/html file is available for download via Payload Security*. It is in the extracted files section named urlref_httptiny .cctis7ky ..."
* https://www.hybrid-analysis.com/sample/55c88958e5bf3b9f8c940ce3bbd2e5e0a7e437f56402e0b6b807191af30d913f?environmentId=100

setas2016 .com: 87.118.140.114: https://www.virustotal.com/en/ip-address/87.118.140.114/information/
> https://www.virustotal.com/en/url/498ea046d242d364205e97ef0ef563ddeb40319ce43a2dc51b316f2d3b57fab9/analysis/
___

ICS-ALERT-17-135-01A
Indicators Associated With WannaCry Ransomware (Update A)
> https://ics-cert.us-cert.gov/alerts/ICS-ALERT-17-135-01A
Original release date: May 15, 2017 | Last revised: May 16, 2017
"... updated alert is a follow-up to the original alert titled ICS-ALERT-17-135-01 Indicators Associated With WannaCry Ransomware that was published May 15, 2017, on the NCCIC/ICS-CERT web site..."
(More detail at the URL above.)

:fear::fear: :mad:

AplusWebMaster
2017-05-18, 14:49
FYI...

Fake 'UPS' SPAM - delivers banking Trojan
- https://myonlinesecurity.co.uk/fake-parcel-delivery-services-malspam-with-word-doc-attachment-delivers-ursnif-banking-trojan/
18 May 2017 - "... some are being delivered with the word -doc- attachment, but about half are just getting the email body with an -HTML- attachment which has the same details as the email body and no word doc attachment... the details with an email with the subject of 'Fwd: UPS Worldwide Saver Notification' pretending to come from various random names @ yahoo. es -or- .de -or- .pt -or- from random@ hotmail .es -or- de . We are also seeing a sprinking from other free webmail services like web .de with a malicious word doc attachment with a random number delivers ursnif banking Trojan. I am also seeing other parcel delivery companies like TNT and unnamed delivery services also being imitated and -spoofed- in this campaign. The TNT ones are zips with word docs inside. -All- of them today are using embedded OLE objects rather than macros to deliver Ursnif banking and password stealing Trojans.
Update: Now seeing some coming through with zip attachments containing .js files
Some subjects include:
TNT Express – Documents – RL54413826 ( random numbers)
Order Processed
Export Scan
Fwd: UPS Worldwide Saver Notification ...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/05/fake-UPS-worldwide-saver.png

These word docs contain 2 images of what pretend to be another word doc and an xls file both pretending to be invoices, However they are embedded ole objects and drop 2 different named but identical .js files when clicked on:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/05/doc60_embedded-ole-objects.png
The TNT version has a slightly different email content and word attachment, although still downloading from the -same- urls as other versions:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/05/tnt-delivery-doc.png
...

doc60 for clearance.doc - Current Virus total detections 0/58*. Payload Security** drops a js file
(VirusTotal 1/22***) (Payload Security[4]) downloads from one of these 2 locations:
http ://dacera .net/horizont.cv -or- http ://raimco .com/case.sub
and gets converted/renamed to a working .exe file (VirusTotal 9/61[5])

TNT version: RL82670483822.zip extracts to RL02993847001.doc VirusTotal 0/57[6]| Payload Security[7]

Zip/JS version: QPABA0MCY0D2.zip extracts to 1A029837T2990101.pdf.js VirusTotal 3/57[8]|
Payload Security[9] ... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/b680d7c0332996ba5150f745b9e38f151ce5e2b9663caa2254220a0186d94c46/analysis/1495100198/

** https://www.hybrid-analysis.com/sample/b680d7c0332996ba5150f745b9e38f151ce5e2b9663caa2254220a0186d94c46?environmentId=100
Contacted Hosts
2.17.22.36

*** https://www.virustotal.com/en/file/caab7e0c49e00fa2bdb7f20b71b958511d67bb7c848ac6242aa3f18d856d1fd3/analysis/1495100566/

4] https://www.hybrid-analysis.com/sample/caab7e0c49e00fa2bdb7f20b71b958511d67bb7c848ac6242aa3f18d856d1fd3?environmentId=100
Contacted Hosts
54.149.71.19
77.104.189.47

5] https://www.virustotal.com/en/file/87162ca45eff456bf8f458528c935e1d7d3aa5c54e9ed8ba056c6fcee518889a/analysis/

6] https://www.virustotal.com/en/file/22d53473f03b071382a3a4b4e97a6c20ebd2999cd4a5b996a6d6def0cfa80900/analysis/1495101803/

7] https://www.hybrid-analysis.com/sample/22d53473f03b071382a3a4b4e97a6c20ebd2999cd4a5b996a6d6def0cfa80900?environmentId=100

8] https://www.virustotal.com/en/file/1ce3c23856b4092e02fc8e73f1486c6bbb8401164d4d8b9972afa6f7a2c1d63b/analysis/1495102966/

9] https://www.hybrid-analysis.com/sample/1ce3c23856b4092e02fc8e73f1486c6bbb8401164d4d8b9972afa6f7a2c1d63b?environmentId=100

dacera .net: 54.149.71.19: https://www.virustotal.com/en/ip-address/54.149.71.19/information/
> https://www.virustotal.com/en/url/cb0061668a0dff45222af87020b2b42aec5fe198113049aa77b797da93949b60/analysis/

raimco .com: 77.104.189.47: https://www.virustotal.com/en/ip-address/77.104.189.47/information/
> https://www.virustotal.com/en/file/87162ca45eff456bf8f458528c935e1d7d3aa5c54e9ed8ba056c6fcee518889a/analysis/

dacera .net/horizont.cv
> https://www.virustotal.com/en/url/cb0061668a0dff45222af87020b2b42aec5fe198113049aa77b797da93949b60/analysis/

raimco .com/case.sub
> https://www.virustotal.com/en/url/8f1fd5ba3208b4ae0ff05c19fd70e3172b654ae007eab3690f9db2eb94bec432/analysis/
___

Fake 'FedEx' SPAM - delivers -kovter- malware
- https://myonlinesecurity.co.uk/big-changes-in-fedex-fake-delivery-emails-now-using-macros/
18 May 2017 - ""An email with the subject of 'FedEx Parcel #262844740, Delivery Unsuccessful' pretending to come from FedEx Customer Service <tamawuv52640888@ soie. in> (random email addresses) with a malicious word doc attachment delivers multiple malware... 'used to seeing these -fake- FedEx and other parcel delivery services emails, but they usually contain zip files and js files. It is -unusual- to have word macro attachments...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/05/fake-fedex-delivery.png

The instructions and image in the macro laden word doc have also -changed- from previous versions:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/05/info-delivery-doc.png

info_delivery.doc - Current Virus total detections 5/58*. Payload Security** shows a download from
http ://regereeeeee .com/gate2.php?ff1 which appears to be a massive encrypted txt file (833kb) which appears to drop -kovter- (b215.exe ***) (VirusTotal 14/61[4])... This email attachment contains what appears to be a genuine word doc or Excel XLS spreadsheet with either a macro script -or- an embedded OLE object that when run will infect you... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/0c0460a6c234300c13c65bc1e63f9930a9b86df6ed68dde1645b557c0cdc2b00/analysis/

** https://www.hybrid-analysis.com/sample/0c0460a6c234300c13c65bc1e63f9930a9b86df6ed68dde1645b557c0cdc2b00?environmentId=100
Contacted Hosts (424)

*** https://www.hybrid-analysis.com/sample/0c0460a6c234300c13c65bc1e63f9930a9b86df6ed68dde1645b557c0cdc2b00?environmentId=100#dropped-file-details-74eea724091a2638d3d4c395c5c0183af2e4be850
Contacted Hosts (424)

4] https://www.virustotal.com/en/file/8cc15559738d4198bf23610eef12b8f3c0fa4c94cf4f61ab86c0a499c3edb736/analysis/1495118313/

regereeeeee .com: 13.58.26.56: https://www.virustotal.com/en/ip-address/13.58.26.56/information/
> https://www.virustotal.com/en/url/ae8fe9ac43a95d008b76226c21ece255ca4b563d91bda084b37747ea8aa5b9d4/analysis/

> https://www.virustotal.com/en/url/956df4c2ea3411d248ad47467b7839ce0ef653716586e0ccbf72a3ae9049c005/analysis/
___

WannaCry Fact Sheet
- https://www.us-cert.gov/ncas/current-activity/2017/05/17/ICS-CERT-Releases-WannaCry-Fact-Sheet
Last revised: May 18, 2017
>> https://ics-cert.us-cert.gov/sites/default/files/FactSheets/ICS-CERT_FactSheet_WannaCry_Ransomware.pdf
"... Systems that have installed the MS17-010 patch* are -not- vulnerable to the exploits..."
* https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
March 14, 2017

:fear::fear: :mad:

AplusWebMaster
2017-05-21, 21:24
FYI...

Fake 'blank' SPAM - doc/js attachment delivers ransomware
- https://myonlinesecurity.co.uk/blank-email-with-zip-attachment-containing-a-word-doc-with-ole-embedded-js-delivers-globeimposter-2-0-ransomware/
21 May 2017 - "An empty/blank email with no subject pretending to come from jhavens@ mt .gov with a zip file that contains malicious word doc with an embedded OLE object delivers GlobeImposter 2.0 ransomware...
The email looks like:
From: jhavens@ mt .gov
Date: Sun 21/05/2017 13:34
Subject: none
Attachment: 625855442530.zip
Body content:
totally blank/empty

625855442530.zip - extracts to 1.doc - Current Virus total detections 0/56*. Payload Security**
- drops a js file... (BR16E2~1 .JS) - VirusTotal 2/56[3] | Payload Security[4] downloads from
http ://oldloverfg .top/admin.php?f=2 which gave yez348746.tae (VirusTotal 12/61[5]) | Payload Security[6]
While encrypting your files the js file drops this html file with instructions how to pay the ransom & retrieve your files. They are charging 1 bitcoin which is currently approx. $2000 USD...
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/05/GlobeImposter-ransom-note.png
... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/73344f56cbd115c785632bae76ddfd1371399a5ba2bd06af0397ba5c000217fe/analysis/1495370663/

** https://www.hybrid-analysis.com/sample/73344f56cbd115c785632bae76ddfd1371399a5ba2bd06af0397ba5c000217fe?environmentId=100
Contacted Hosts
47.91.93.208

3] https://www.virustotal.com/en/file/6807d2478b30321c1b2c08ab945607c67b649ed18bf2b528cf67aac293eca67c/analysis/1495370901/

4] https://www.hybrid-analysis.com/sample/6807d2478b30321c1b2c08ab945607c67b649ed18bf2b528cf67aac293eca67c?environmentId=100
Contacted Hosts
47.91.93.208

5] https://www.virustotal.com/en/file/cfbb13916e4f200de551e43e67b5ca03ba3e21b6e9a3afcde30b36391fd2df1e/analysis/1495371343/

6] https://www.hybrid-analysis.com/sample/cfbb13916e4f200de551e43e67b5ca03ba3e21b6e9a3afcde30b36391fd2df1e?environmentId=100

oldloverfg .top: 47.91.93.208: https://www.virustotal.com/en/ip-address/47.91.93.208/information/
> https://www.virustotal.com/en/url/5eccf26ce11bc9434918f3924546e11626ec496fd6a9a84f599c9c6f53f94e46/analysis/

:fear::fear: :mad:

AplusWebMaster
2017-05-22, 17:18
FYI...

Fake 'Invoice' SPAM - delivers ransomware
- https://myonlinesecurity.co.uk/copy-of-invoice1234567-coming-from-noreply-delivers-jaff-ransomware/
22 May 2017 - "... series of emails with pdf attachments that drops a malicious macro enabled word doc is an email with the subject of 'Invoice 43412591' (random numbers) pretending to come from noreply@ random companies that delivers Jaff ransomware...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/05/Copy-of-Invoice-43412591.png

43412591.PDF - Current Virus total detections 13/56*. Payload Security** - drops QDLCPQKK.doc
(VirusTotal 10/58[3]) (Payload Security [4]) downloads an encrypted txt file from
http ://primary-ls .ru/jhg6fgh which is converted by the script to buzinat8.exe (VirusTotal 7/58[5])
There are 4 hardcoded (slightly obfuscated) download sites in the macro (there will be more in other versions)
primary-ls .ru\jhg6fgh
brotexxshferrogd .net\af\jhg6fgh
herrossoidffr6644qa .top\af\jhg6fgh
joesrv .com\jhg6fgh
... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/7f966606c28752e0ab7a45b07c48f078e6f7ec8ea8070c7af64a66c9f0897bec/analysis/1495454756/

** https://www.hybrid-analysis.com/sample/7f966606c28752e0ab7a45b07c48f078e6f7ec8ea8070c7af64a66c9f0897bec?environmentId=100
Contacted Hosts
141.8.195.87
217.29.63.199

3] https://www.virustotal.com/en/file/f4dca1321b56559bbf9333887a038f5019465479fc1a6bdf51da4ec956b7ac71/analysis/1495455867/

4] https://www.hybrid-analysis.com/sample/f4dca1321b56559bbf9333887a038f5019465479fc1a6bdf51da4ec956b7ac71?environmentId=100
Contacted Hosts
141.8.195.87
217.29.63.199

5] https://www.virustotal.com/en/file/3105bf7916ab2e8bdf32f9a4f798c358b4d18da11bcc16f8f063c4b9c200f8b4/analysis/1495455099/

primary-ls .ru: 141.8.195.87: https://www.virustotal.com/en/ip-address/141.8.195.87/information/
> https://www.virustotal.com/en/url/7908b737a84f6f013db363161b24ff43d24e5a702fad8ec056543925c724d7c3/analysis/

:fear::fear: :mad:

AplusWebMaster
2017-05-24, 16:17
FYI...

Jaff ransomware gets a makeover: fake -invoice- theme
- https://isc.sans.edu/forums/diary/Jaff+ransomware+gets+a+makeover/22446/
2017-05-24 - "Since 2017-05-11, a new ransomware named 'Jaff' has been distributed through malicious spam (malspam) from the 'Necurs botnet':
> https://securityintelligence.com/the-necurs-botnet-a-pandoras-box-of-malicious-spam/
This malspam uses PDF -attachments- with 'embedded Word documents' containing -malicious- macros. Victims must open the PDF attachment, -agree- to open the embedded Word document, then -enable- macros on the embedded Word document to -infect- their Windows computers:
> https://isc.sans.edu/diaryimages/images/2017-05-24-ISC-diary-image-01.jpg
Prior to -Jaff- we've seen waves of malspam using the same PDF attachment/embedded Word doc scheme to push
-Locky- ransomware. Prior to that, this type of malspam was pushing -Dridex-. With all the recent news about
-WannaCry- ransomware, people might forget Jaff is an ongoing threat. Worse yet, some people might not know about it at all since its debut about 2 weeks ago. Jaff has already gotten a makeover, so an infected host looks noticeably different now... The emails: This specific wave of malspam used a -fake- invoice theme... I collected -20- emails... these emails -all- have PDF attachments, and each one contains an embedded Word document. The Word document contains malicious-macros designed to -infect- a Windows computer:
> https://isc.sans.edu/diaryimages/images/2017-05-24-ISC-diary-image-05.jpg
The embedded Word document with malicious macros:
> https://isc.sans.edu/diaryimages/images/2017-05-24-ISC-diary-image-06.jpg
Follow the entire infection chain, and you'll see minimal network traffic compared to other types of malware. The Word macros generate an initial URL to download an encoded Jaff binary, then we see one other URL for post-infection callback from an infected host... My infected host asked for 0.35630347 bitcoin as a ransom payment:
> https://isc.sans.edu/diaryimages/images/2017-05-24-ISC-diary-image-14.jpg
... Much of this malspam is easy to spot among the daily deluge of spam most organizations receive. However, this PDF attachment/embedded Word doc scheme is likely an attempt to bypass spam filtering... as long as it's profitable for the criminals behind it, we'll continue to see this type of malspam..."
> http://www.malware-traffic-analysis.net/2017/05/24/index.html
(More detail at the isc URL at the top of this post.)

:fear::fear: :mad:

AplusWebMaster
2017-05-25, 15:09
FYI...

Fake 'receipt' SPAM - delivers Jaff ransomware
- https://myonlinesecurity.co.uk/more-jaff-ransomware-delivered-via-fake-receipts-or-payments-emails/
25 May 2017 - "... emails with pdf attachments that drops a malicious macro enabled word doc is an email with various subjects along the line of 'receipt, payment, payment receipt' etc. (random numbers) pretending to come from donotreply@ random email addresses and companies that delivers Jaff ransomware...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/05/receipt-4830.png

P4830.pdf - Current Virus total detections 12/56*. Payload Security** drops ELMIRJX.doc
(VirusTotal 4/23[3]) (Payload Security[4]) downloads an encrypted txt file from
http ://dreamybean .de/TrfHn4 which should be converted by the script to bruhadson8.exe (unfortunately payload security is showing this as a tiny data file, so something is going wrong there and there must be an anti-analysis element to the malware). There are 4 hardcoded (slightly obfuscated) download sites in the macro (there will be more in other versions)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/dc799fd5ae8f2fcbb6379ab278beddb3c950fe8abf5de0bbfa59b0982c59b75d/analysis/1495710733/

** https://www.hybrid-analysis.com/sample/dc799fd5ae8f2fcbb6379ab278beddb3c950fe8abf5de0bbfa59b0982c59b75d?environmentId=100
Contacted Hosts
81.169.145.160

3] https://www.virustotal.com/en/file/bf474a90606cf73b51a77b63a345087f3fa6a3fd542b99e5ec5eb718283659d4/analysis/1495710997/

4] https://www.hybrid-analysis.com/sample/bf474a90606cf73b51a77b63a345087f3fa6a3fd542b99e5ec5eb718283659d4?environmentId=100
Contacted Hosts
81.169.145.160

dreamybean .de: 81.169.145.160: https://www.virustotal.com/en/ip-address/81.169.145.160/information/
> https://www.virustotal.com/en/url/6f3a3ef9554d621bc9c5a7e24c473455dddd54b57ad8082c211e481083f61cf5/analysis/
> https://www.virustotal.com/en/url/ad85e02bdec57fe77621afe0bdd47963fdc203c209cd16d3f61cb804645675f3/analysis/
___

Fake 'Reminder' SPAM - RTF file exploits deliver malware
- https://myonlinesecurity.co.uk/fake-bookatable-com-and-efaxcorporatexx-top-malspam-using-cve-2017-0199-exploits-to-deliver-malware/
25 May 2017 - "... RTF files this time using the CVE-2017-0199* vulnerability that was fixed in April 2017** and again extra added protections by the May 2017 security updates***. If you haven’t got round to applying these essential patches yet, then go & do it NOW...
* https://nvd.nist.gov/vuln/detail/CVE-2017-0199

** https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0199

*** https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/bc365363-f51e-e711-80da-000d3a32fc99

... email with the subject of '2nd Reminder Final Demand – Notice of Legal Intention' pretending to come from creditcontrol@ bookatable .com with a malicious word doc attachment eventually delivers sharik/smoke loader after a convoluted download system involving .hta files and PowerShell...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/05/spoofed-bookatable-email.png

294616_05152017.rtf - Current Virus total detections 28/57[1]. Payload Security[2] downloads an HTA file from
http :// 185.162.8.231 :64646/logo.doc (VirusTotal 0/57[3]) which in turn uses powershell to download
http :// 185.162.8.231 :64646/00001.exe (VirusTotal 48/59[4]) (Payload Security[5])... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
1] https://www.virustotal.com/en/file/cccb5e19651e18a6ca1642ec337be70972efe160778a2407136af031ca9242e9/analysis/1494977406/

2] https://www.hybrid-analysis.com/sample/cccb5e19651e18a6ca1642ec337be70972efe160778a2407136af031ca9242e9?environmentId=100
Contacted Hosts
185.162.8.231: https://www.virustotal.com/en/ip-address/185.162.8.231/information/
> https://www.virustotal.com/en/url/e89ff0aa66e4f19e7b890d347544e6fde5e612325717f2ac7e40665ed658fd1a/analysis/
> https://www.virustotal.com/en/url/241fef9fa9409bcdee983762f79b0a85c6a5c7bb2278132dd6fe0b41c12655f4/analysis/

3] https://www.virustotal.com/en/file/da3d701231291863ccbc3ddc3beb21e75eec5e95dc833ed6a29b298d812fb8d9/analysis/1494854940/

4] https://www.virustotal.com/en/file/587c83d84f1be1f23cf2bca8cdc8d5646e236123cacba454f467a205d7c06e1a/analysis/1495445391/

5] https://www.hybrid-analysis.com/sample/587c83d84f1be1f23cf2bca8cdc8d5646e236123cacba454f467a205d7c06e1a?environmentId=100
Contacted Hosts
185.141.25.27
193.104.215.58

:fear::fear: :mad:

AplusWebMaster
2017-05-27, 16:07
FYI...

Fake 'DHL' SPAM - delivers js malware
- https://myonlinesecurity.co.uk/fake-dhl-tracking-number-for-shipment-malspam-delivers-ransomware/
27 May 2017 - "... an email with the subject of 'DHL Tracking Number for shipment 97 93745 186' (random numbers) pretending to come from DHL Corporation with a link in email body to download a file...
Update: Thanks to Antelox* we now have an unpacked version of the malware which is being detected as a corebot / zbot variant (VirusTotal 10/59**) ... Microsoft describes this as TrojanProxy: Win32/Malynfits.A***...
* https://twitter.com/Antelox/status/868414436264071168
... after lots of different tweets and conversations, found this from Brad (MalwareTraffic) confirming corebot with a nice writeup by him:
> http://www.malware-traffic-analysis.net/2017/05/26/index.html

** https://www.virustotal.com/en/file/c3fb54d87b8ff8b5b315be7c1f369accb55e7066efaae03e02cf007f3bd16eb2/analysis/1495880747/

*** https://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=TrojanProxy:Win32/Malynfits.A&ThreatID=-2147245786

Screenshots(a): https://myonlinesecurity.co.uk/wp-content/uploads/2017/05/dhlmailsystem_IE.png

(b): https://myonlinesecurity.co.uk/wp-content/uploads/2017/05/dhlmailsystem.png

invoice-0063827410370260857-000001870346531780753154078347.pdf.js - Current Virus total detections 5/56[1]
Payload Security[2] shows a download of various files from the same server one being auvrq.exe
(VirusTotal 20/61[3]) (Payload Security[4])... The link in email body (in the working versions) goes to
http ://dhlmailsystem .com/documentdir/777126146374729609489374827 where you get slightly different behaviour depending on what browser you use to visit. If you use Internet Explorer or Google Chrome, you get a zip file containing a .js file. Using Firefox you get the .js file itself... you first see a page like this (b) with a message saying 'preparing download' with a countdown marker. When it reaches 0 the message becomes a -link- saying “click here to download if not started automatically” and the malware file is delivered... The basic rule is NEVER open any attachment -or- link in an email, unless you are expecting it..."
1] https://www.virustotal.com/en/file/eb20f58ad1f75f7f30456a0a82e985cd9cea5fd0d7c50d76b7ee06a9b7a1b10f/analysis/1495836615/

2] https://www.hybrid-analysis.com/sample/eb20f58ad1f75f7f30456a0a82e985cd9cea5fd0d7c50d76b7ee06a9b7a1b10f?environmentId=100
Contacted Hosts
89.223.27.247

3] https://www.virustotal.com/en/file/ca072304403d9d128c6793ddb1b00e302e7cdecdc995aa0105e7428478dbbb20/analysis/1495865017/

4] https://www.hybrid-analysis.com/sample/ca072304403d9d128c6793ddb1b00e302e7cdecdc995aa0105e7428478dbbb20?environmentId=100

dhlmailsystem .com: 89.223.27.247: https://www.virustotal.com/en/ip-address/89.223.27.247/information/
> https://www.virustotal.com/en/url/7d2440e65ee50a7d9d0a8689c1a718969d1192730f293d5d2ca3072593672a6e/analysis/

:fear::fear: :mad:

AplusWebMaster
2017-05-30, 15:28
FYI...

Fake 'documents' SPAM - xls attachment delivers malware
- https://myonlinesecurity.co.uk/documents-malspam-delivers-unknown-malware/
30 May 2017 - "An email with the subject of 'documents' pretending to come from random senders with a malicious word doc or Excel XLS spreadsheet attachment delivers malware... Some subjects in this malspam campaign include ...
inv. payment
documents

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/05/document-austin.png

61759684.xls - Current Virus total detections 6/56*: Payload Security** wasn’t able to decode or decrypt the macro but a very quick & easy manual examination shows downloads from
http ://cautiousvirus .com/mbtrf.exe (VirusTotal 7/60[3]) (Payload Security[4])... The macro in the xls document is trivially encoded by using reverse strings... Opening the XLS attachment gives this -fake- invoice:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/05/61759684_xls.png
... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/50092ee9d229d7f533a314eaa160eedfcae177dce504c73c14febcab6fd783a4/analysis/1496135720/

** https://www.hybrid-analysis.com/sample/50092ee9d229d7f533a314eaa160eedfcae177dce504c73c14febcab6fd783a4?environmentId=100

3] https://www.virustotal.com/en/file/2cd90d07f9b6078b4b82b1d2b83407714ecc7ff8818b28d7ab2e0cecbe14f973/analysis/

4] https://www.hybrid-analysis.com/sample/2cd90d07f9b6078b4b82b1d2b83407714ecc7ff8818b28d7ab2e0cecbe14f973?environmentId=100

cautiousvirus .com: 54.91.240.28: https://www.virustotal.com/en/ip-address/54.91.240.28/information/
> https://www.virustotal.com/en/url/3841856e46947862726bb6fb3ecc8ef691ce47382962431495e342c5f27c12c0/analysis/
___

Fake 'Notification' SPAM - delivers malware
- https://myonlinesecurity.co.uk/fake-spoofed-hm-land-registry-notification-of-direct-debit-of-fees-delivers-malware/
30 May 2017 - "An email with the subject of 'Notification of direct debit of fees' pretending to come from HM Land Registry but actually coming from a look-alike domain... with a malicious word doc attachment... -spoof- of a well known company, bank or public authority delivering malware...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/05/HM-Land-Registry-Notification-of-direct-debit-of-fees.png

Opening the word doc (in protected mode where it is safe) gives this which tries to convince you it is genuine:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/05/fake-landregistry-doc.png

apl053017_045894595.doc - Current Virus total detections 5/56*. Payload Security** shows a download from
http ://200.7.105.13 /jpon13.exe (VirusTotal 7/60***)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/2f3ffa32dcdca3bf267a1b3cd1182c31527d5ee71c8d854fb1c082717729eaf3/analysis/1496147244/

** https://www.hybrid-analysis.com/sample/2f3ffa32dcdca3bf267a1b3cd1182c31527d5ee71c8d854fb1c082717729eaf3?environmentId=100
Contacted Hosts
200.7.105.13
184.87.218.172
185.141.25.27

*** https://www.virustotal.com/en/file/7ba3071a7b47a91a7a3804151c69c47568039f80f551f6bb17c9b96a42295c5d/analysis/1496137829/

200.7.105.13: https://www.virustotal.com/en/ip-address/200.7.105.13/information/
> https://www.virustotal.com/en/url/58a16c071617c90559da60f4979899191b8c5b18f63f6185f40b2c78b87137cb/analysis/

:fear::fear: :mad:

AplusWebMaster
2017-05-31, 15:08
FYI...

Fake 'Flash Update' - malware
- https://myonlinesecurity.co.uk/fake-flash-player-alerts-from-legitimate-websites/
31 May 2017 - "... I was reading a page on my local newspaper... 'got a divert and a big red warning:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/05/fake-flash.png
... the page I was diverted to (a -fake- flash player update page) is
https ://izaiye-interactive .net/6141452444727/01296f4851adb85de3a1ad2335c429c8/52ebc0f94a7674f6db533556c202e52f.html
... They are using a ssl prefix HTTPS but there is -no- padlock in the url to confirm this. An HTA file is automatically downloaded (or attempted to be) (VirusTotal 6/55*) (Payload Security**) - if allowed to run unfettered this hta file would download and autorun:
https ://izaiye-interactive .net/6141452444727/1496218715917605/FlashPlayer.jse
(VirusTotal [3]) (Payload Security[4])... similar attack recently documented:
> https://myonlinesecurity.co.uk/fake-flashplayer-update-via-exploit-using-adverts-on-legit-site/
9 Apr 2017
...izaiye-interactive .net was registered yesterday on 30 May 2017 using what are obviously -fake- registrants details via PUBLICDOMAINREGISTRY .COM and hosted on 206.221.189.43 reliablesite .net ..."
* https://www.virustotal.com/en/file/42347dfa5665aa651648ebd17c4c796a05d388b809c67a7d7ea858db432c30fa/analysis/1496218758/
FlashPlayer.hta

** https://www.hybrid-analysis.com/sample/42347dfa5665aa651648ebd17c4c796a05d388b809c67a7d7ea858db432c30fa?environmentId=100
Contacted Hosts
206.221.189.43

3] https://www.virustotal.com/en/file/d40790df3b7ecfa168f7a48996aa46f3590e77d15f5763b2db01a42d0c7fdef9/analysis/1496219889/
FlashPlayer.jse

4] https://www.hybrid-analysis.com/sample/d40790df3b7ecfa168f7a48996aa46f3590e77d15f5763b2db01a42d0c7fdef9?environmentId=100
Contacted Hosts
206.221.189.43
192.35.177.195
109.120.179.92
84.42.243.20
215.88.149.224
132.121.74.105
209.17.219.21

izaiye-interactive .net: Could not find an IP address for this domain name. (May have been taken down.)

206.221.189.43: https://www.virustotal.com/en/ip-address/206.221.189.43/information/
> https://www.virustotal.com/en/url/776bf3622d1c403494fb20d4251cf87a4a23eef0a639edad0d597606ae90607d/analysis/

> https://www.virustotal.com/en/url/66f18d4009af9f35808c5c83963d3d1d8a83edcaddb8b104db63afe4a8e94594/analysis/

:fear::fear: :mad:

AplusWebMaster
2017-06-01, 17:45
FYI...

Fake 'FedEx USPS UPS' SPAM - delivers Kovter and ransomware
- https://myonlinesecurity.co.uk/fake-fedex-usps-ups-delivery-notifications-continue-to-deliver-kovter-and-ransomware/
1 Jun 2017 - "... malware via the “cannot deliver your parcel notifications” or “check where your parcel is”
-spoofing- FedEx, DHL, UPS, USPS etc. have changed the delivery method. The emails are still very similar to the ones we are used to seeing with this sort of subject line:
USPS issue #06914074: unable to delivery parcel
Parcel #006514814 shipment problem, please review
USPS parcel #3150281 delivery problem
Courier was not able to deliver your parcel (ID006976677, USPS)
Parcel 05836911 delivery notification, USPS
Delivery Status Notification
... What has changed is the -attachment- to the emails contains the malware. These now contain an HTML attachment that when opened displays a webpage on your computer that pretends to be a Microsoft Word online website and says you need to download the 'MSOffice365 Webview Plugin update', with a -blurry-image- of scrambled writing in the background with this message prominantly displayed:
'This document cannot be read in your browser. Download and install latest plugin version':
> https://i2.wp.com/myonlinesecurity.co.uk/wp-content/uploads/2017/06/fedex_msoffice_webview.png?ssl=1

Email screenshot: https://i2.wp.com/myonlinesecurity.co.uk/wp-content/uploads/2017/06/fedex-delivery-status-notification.png?ssl=1

... 'previously described in THIS post from Mid April 2017* which shows the obfuscated/encoded nature of the files and how to decode/de-obfuscate them... At that time they linked to a remote website using the -fake- MSOffice365 scam. These malware gangs use a mix-and-match of different techniques to try to stay one step ahead of researchers and antivirus companies and gain more victims:
* https://myonlinesecurity.co.uk/changes-to-fake-usps-delivery-messages-delivering-malware/
... Infection chain from 31 May 2017:
1. FedEx-Delivery-Details-ID-8AXP4QH0.doc.html attachment (VirusTotal 2/56[1]) (Payload Security[2])
2. Install-MSOffice365-WebView-Plugin-Update-0.165.11a.zip extracts to:
3. Install-MSOffice365-WebView-Plugin-Update-0.165.11a.exe.js (VirusTotal 8/55[3]) (Payload Security[4])
Counter.js (VirusTotal 5/56[5]) which downloads 2 files pretending to be png (image files that are -renamed- .exe files) 1.exe currently Cerber -Ransomware- (VirusTotal 8/61[6]) (Payload Security[7]) 2.exe currently Kovter
(VirusTotal 12/60[8]) (Payload Security[9]). The 5 sites embeded in the original webview plugin.js are:
leadsfunnel360 .com
khushsingh .com
kskazan .ru
moodachainzgear .com
thegreenbook .ca
... where you get counter.js ... that when decrypted gives these 5 sites:
sharplending .com
moodachainzgear .com
buildthenewcity .biz
valdigresta .com
leadsfunnel360 .com
... Where <sitename)/counter/?1 gives the Cerber ransomware and <sitename)/counter/?2 gives Kovter... the js files try to contact the sites in order they are listed. It then tries each combination of sitename/counter/etc. and if any site fails to respond, then moves to next site in the list and continues to do that until the counter.js & the actual malware files are downloaded-and-run on the victim’s computer... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
1] https://www.virustotal.com/en/file/68bbe1e4ca5a73a688912dbe70fc0f71f23aaadb740bbdb549b653a451c11e03/analysis/1496239829/
FedEx-Delivery-Details-ID-8AXP4QH0.doc.html

2] https://www.hybrid-analysis.com/sample/68bbe1e4ca5a73a688912dbe70fc0f71f23aaadb740bbdb549b653a451c11e03?environmentId=100

3] https://www.virustotal.com/en/file/4c41433bb61c08ae41cb63e044727eae7f77a67c0d36ac2b4f4169582c1a2557/analysis/1496240000/
Install-MSOffice365-WebView-Plugin-Update-0.165.11a.exe.js

4] https://www.hybrid-analysis.com/sample/4c41433bb61c08ae41cb63e044727eae7f77a67c0d36ac2b4f4169582c1a2557?environmentId=100
Contacted Hosts (1279)

5] https://www.virustotal.com/en/file/0d79c25c977bd6426fd2f668ed593ce6aadd44c44471eafac748d14df19b9bed/analysis/1496296754/
COUNTER[1].js

6] https://www.virustotal.com/en/file/0ef132a2d414724cf03bb3cb4e847744e19db83f81f2889288f87b36d0255862/analysis/1496240581/
60[1].png

7] https://www.hybrid-analysis.com/sample/0ef132a2d414724cf03bb3cb4e847744e19db83f81f2889288f87b36d0255862?environmentId=100
Contacted Hosts (1089)

8] https://www.virustotal.com/en/file/7c2c5c9611c74abdcee6db6062da1473a320fd69fb57ddf0372db7e7a581fdaf/analysis/1496240649/
11.exe

9] https://www.hybrid-analysis.com/sample/7c2c5c9611c74abdcee6db6062da1473a320fd69fb57ddf0372db7e7a581fdaf?environmentId=100
Contacted Hosts (413)

leadsfunnel360 .com: 50.63.124.1: https://www.virustotal.com/en/ip-address/50.63.124.1/information/
> https://www.virustotal.com/en/url/a1feb792fa60ab1bed24bcfccacce56f1d6925071604b460503eb097643cfb18/analysis/
khushsingh .com: 72.167.131.40: https://www.virustotal.com/en/ip-address/72.167.131.40/information/
> https://www.virustotal.com/en/url/a47845457ae46ed9bad801f11b3c53dae7c5b0905e52c356079cd856ac03101d/analysis/
kskazan .ru: 87.236.19.130: https://www.virustotal.com/en/ip-address/87.236.19.130/information/
> https://www.virustotal.com/en/url/a48dde6668592ed32b8f1e29cbe4044b29f0425b5b1dd4b127740278660213ca/analysis/
moodachainzgear .com: 173.201.92.128: https://www.virustotal.com/en/ip-address/173.201.92.128/information/
> https://www.virustotal.com/en/url/240d9e2615aaa937298ae2f3dee0625e181754d70b174bc238c2d92484e5fc14/analysis/
thegreenbook .ca: 50.62.160.59: https://www.virustotal.com/en/ip-address/50.62.160.59/information/
> https://www.virustotal.com/en/url/5e4dabe972f2bdeeed3f465d7ef2270571f550bd182e1715de60b53c842d1d29/analysis/

sharplending .com: 184.168.55.1: https://www.virustotal.com/en/ip-address/184.168.55.1/information/
> https://www.virustotal.com/en/url/5ff4e097fb3d66be30d2353f839b2c10972ef043d818321a374c86eb0e1ff398/analysis/
moodachainzgear .com: 173.201.92.128: https://www.virustotal.com/en/ip-address/173.201.92.128/information/
> https://www.virustotal.com/en/url/240d9e2615aaa937298ae2f3dee0625e181754d70b174bc238c2d92484e5fc14/analysis/
buildthenewcity .biz: 50.62.114.1: https://www.virustotal.com/en/ip-address/50.62.114.1/information/
> https://www.virustotal.com/en/url/daf3f2a1bbb43e2506f7492fd02c6c97607137efc94972b5d0f7551831fb047e/analysis/
valdigresta .com: 64.202.169.211: https://www.virustotal.com/en/ip-address/64.202.169.211/information/
> https://www.virustotal.com/en/url/bfa6df342561655d24acf0532db06fac6ae698da0cf864ae002a9fcfa671b8b0/analysis/
leadsfunnel360 .com: 50.63.124.1: https://www.virustotal.com/en/ip-address/50.63.124.1/information/
> https://www.virustotal.com/en/url/a1feb792fa60ab1bed24bcfccacce56f1d6925071604b460503eb097643cfb18/analysis/

:fear::fear::fear: :mad:

AplusWebMaster
2017-06-02, 15:54
FYI...

Fake 'Invoice' SPAM - delivers Dridex
- https://myonlinesecurity.co.uk/fake-invoice-drops-word-docm-with-macros-delivers-dridex-banking-trojan/
2 Jun 2017 - "... emails with -pdf- attachments that drops a malicious macro enabled word doc is an email with the subject of 'Invoice INV-0790' (random numbers) pretending to come from random names and email address that delivers Dridex banking Trojan...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/06/invoice-inv-0790.png

Invoice INV-0790.pdf - Current Virus total detections 12/56*. Payload Security** drops 231GEOHJWMQN935.docm
(VirusTotal 10/59[3]) (Payload Security[4]) downloads an encrypted txt file from
http ://lanphuong .vn\hH60bd which is converted by the script to miniramon8.exe
(VirusTotal 8/62[5]) (Payload Security[6]).
There are 4 hardcoded (slightly obfuscated) download sites in the macro (there will be more in other versions)
lanphuong .vn\hH60bd
newserniggrofg .net\af\hH60bd
resevesssetornument .com\af\hH60bd
mountmary .ca\hH60bd
... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/d1fd17c76c4458c45e7edd077ed8afab3ae2589fa2e81e6d593c7d8f5cc2846d/analysis/1496395482/

** https://www.hybrid-analysis.com/sample/d1fd17c76c4458c45e7edd077ed8afab3ae2589fa2e81e6d593c7d8f5cc2846d?environmentId=100
Contacted Hosts
112.213.85.78
185.141.25.23
147.32.5.111
192.99.108.183
31.193.131.147

3] https://www.virustotal.com/en/file/7a2fa7f00357502a9691d262b5b7a26db99d5009f29396b9c07fc365b409df48/analysis/1496395712/

4] https://www.hybrid-analysis.com/sample/7a2fa7f00357502a9691d262b5b7a26db99d5009f29396b9c07fc365b409df48?environmentId=100
Contacted Hosts
112.213.85.78
185.141.25.23
147.32.5.111
192.99.108.183
31.193.131.147

5] https://www.virustotal.com/en/file/ffb6cf0788bc9fef9314085cf23fbdf87bfde9c3b78f014d5fd3e76d769cc82c/analysis/1496396221/

6] https://www.hybrid-analysis.com/sample/ffb6cf0788bc9fef9314085cf23fbdf87bfde9c3b78f014d5fd3e76d769cc82c?environmentId=100
Contacted Hosts
185.141.25.23
147.32.5.111
192.99.108.183
31.193.131.147

lanphuong .vn: 112.213.85.78: https://www.virustotal.com/en/ip-address/112.213.85.78/information/
> https://www.virustotal.com/en/url/1bb202d0d3d8b94a47196abe6e54bd10533b79e4d30657905f4c1000d440a0ad/analysis/
___

Fake 'Message' SPAM - delivers Dridex
- https://myonlinesecurity.co.uk/more-dridex-banking-trojan-delivered-via-pdf-message-from-km_c224e-pretending-to-come-from-copier-at-your-own-email-address/
2 Jun 2017 - "... emails with -pdf- attachments that drops a malicious macro enabled word doc is a blank/empty email with the subject of 'Message from KM_C224e' pretending to come from a -copier- at your email address that delivers Dridex banking Trojan...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/06/Message-from-KM_C224e.png

The payload & websites are exactly the -same- as described in today’s earlier Dridex malspam run using fake invoices*..."
* https://myonlinesecurity.co.uk/fake-invoice-drops-word-docm-with-macros-delivers-dridex-banking-trojan/
2 Jun 2017

:fear::fear: :mad:

AplusWebMaster
2017-06-05, 16:08
FYI...

Fake 'Invoice' SPAM - delivers Dridex
- https://myonlinesecurity.co.uk/spoofed-john-miller-invoice-pretending-to-come-from-somebody-named-holmes-delivers-dridex-banking-trojan/
5 Jun 2017 - "... emails with random numbered -pdf- attachments that drops a malicious macro enabled word doc is an email with the subject of 'Invoice' pretending to come from a random first name Holmes at random email addresses but the body of the email imitates John Miller Ltd...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/06/invoice_John-Miller_-Holmes.png

... the PDF actually having some content that makes it almost look real:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/06/invoice_129303_pdf.png

A4 Inv_Crd 21297.pdf - Current Virus total detections 9/56*. Payload Security**
drops Invoice_129302.docm (VirusTotal 8/59[3]) (Payload Security[4]) downloads an encrypted txt file from
http ://spaceonline .in\8yfh4gfff which is converted by the script to miniramon8.exe (VirusTotal 13/61[5])...
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/771808725251417389c0274ae12df50de998341df9da022a3847c6cea7398edd/analysis/1496654801/

** https://www.hybrid-analysis.com/sample/771808725251417389c0274ae12df50de998341df9da022a3847c6cea7398edd?environmentId=100
Contacted Hosts
111.118.212.86
192.48.88.167
89.110.157.78
85.214.126.182
46.101.154.177

3] https://www.virustotal.com/en/file/bda736fe0d8fe841d9efae96ff00b79e3cac730e8cfac14ba23c1d340749a196/analysis/1496654938/

4] https://www.hybrid-analysis.com/sample/bda736fe0d8fe841d9efae96ff00b79e3cac730e8cfac14ba23c1d340749a196?environmentId=100
Contacted Hosts
111.118.212.86
192.48.88.167
89.110.157.78
85.214.126.182
46.101.154.177

5] https://www.virustotal.com/en/file/c7dc1e2d1dbda6e287675160f1e96f6514b8a6f10017a1e4b76c7591c3785e97/analysis/

spaceonline .in: 111.118.212.86: https://www.virustotal.com/en/ip-address/111.118.212.86/information/
> https://www.virustotal.com/en/url/e3d58bf6f4a099d7087557e3a1fa885e141b21e848a3adcc9835481a2dcc915b/analysis/
___

- http://blog.dynamoo.com/2017/06/malware-spam-john-miller-limited-invoice.html
5 Jun 2017 - "This spam pretends to come from John Miller Ltd (but doesn't) and comes with a malicious payload. The domain mentioned in the email does -not- match the company being spoofed, and varies from message to message.

Screenshot: https://3.bp.blogspot.com/-mxosSM7W0uo/WTUk6vYWvOI/AAAAAAAALqA/p_xzIj40-G002U07MruQaudiFufUbW5ZgCLcB/s1600/john-miller.png

The attachment currently has a detection rate of about 9/56*. As is common with some recent attacks, the PDF actually contains an embedded Microsoft Office document. Hybrid Analysis** shows the malicious file downloading a component from cartus-imprimanta .ro/8yfh4gfff (176.126.200.56 - HostVision SRL, Romania) although other -variants- possibly exist. A file is dropped (in the HA report called miniramon8.exe) at detection rate of 11/61***. According to the Hybrid Analysis report, that attempts tom communicate with the following IPs:
192.48.88.167 (Tocici LLC, US)
89.110.157.78 (netclusive GmbH, Germany)
85.214.126.182 (Strato AG, Germany)
46.101.154.177 (Digital Ocean, Germany)
The payload is not clear at this time, but it will be nothing good.
Recommended blocklist:
192.48.88.167
89.110.157.78
85.214.126.182
46.101.154.177 "
* https://virustotal.com/en/file/d9a96d193f63cefb3380ed5a7ec10e401dd46ca0d9e11a6a019574e058c89fcc/analysis/1496654625/

** https://www.hybrid-analysis.com/sample/d9a96d193f63cefb3380ed5a7ec10e401dd46ca0d9e11a6a019574e058c89fcc?environmentId=100
Contacted Hosts
176.126.200.56
192.48.88.167
89.110.157.78
85.214.126.182
46.101.154.177

*** https://virustotal.com/en/file/c7dc1e2d1dbda6e287675160f1e96f6514b8a6f10017a1e4b76c7591c3785e97/analysis/1496655625/

cartus-imprimanta .ro: 176.126.200.56: https://www.virustotal.com/en/ip-address/176.126.200.56/information/
> https://www.virustotal.com/en/url/3d620daa824fb9b8f9d71285af66a101e57d0066bc85c2b6859f4baab6570dc3/analysis/
___

'WakeMed' Phish
REAL 'WakeMed': http://www.wakemed.org/contact-us
Raleigh, NC 27610

FAKE/Phish: https://myonlinesecurity.co.uk/wakemed-service-desk-your-mailbox-has-been-login-some-where-else-very-poor-attempt-at-phishing/
5 June 2017

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/06/WakeMed-SERVICE-DESK.png

"... If you follow the link you see a very badly designed webpage, complete with spelling errors, obviously created by a non English speaker, looking like this:
(from: http ://itupdat.tripod .com/)
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/06/tripod_phish.png

... the spam -email- is a -compromised- (may be spoofed) Canadian Nova Scotia Department of Education address... these emails use Social engineering tricks to persuade you to open the attachments that come with the email..."

itupdat.tripod .com: 209.202.252.101: https://www.virustotal.com/en/ip-address/209.202.252.101/information/
> https://www.virustotal.com/en/url/53de7c16b5444d3ad9b34d64c2b86de1f68208b74edfc163827452b7c580ddb7/analysis/

ccrsb .ca: 142.227.247.226: https://www.virustotal.com/en/ip-address/142.227.247.226/information/
___

Police dismantle crime network - online payment SCAMS
- https://www.helpnetsecurity.com/2017/06/05/police-dismantle-organised-crime-network/
June 5, 2017 - "The Polish National Police, working in close cooperation with its law enforcement counterparts in Croatia, Germany, Romania and Sweden, alongside Europol’s European Cybercrime Centre (EC3), have smashed a Polish organised crime network suspected of online payment scams and money laundering... Operation MOTO on 29-31 May 2017 resulted in 9 arrests including the criminal network’s masterminds, as well as 25 house searches in Poland. The perpetrators were advertising online cars as well as construction or agricultural machinery/vehicles, but never delivered the advertised goods to interested buyers, despite having received advance fee payments..."

:fear::fear: :mad:

AplusWebMaster
2017-06-07, 14:21
FYI...

Fake 'Invoice' SPAM - pdf attachments drop malware
- https://myonlinesecurity.co.uk/more-fake-invoice-pdf-that-drop-a-word-macro-delivering-banking-malware/
7 Jun 2017 - "... emails with -pdf- attachments that drop a malicious macro enabled word doc... email with the subject of '32_Invoice_2220' (random numbers at start and end of invoice) pretending to come from random names and email addresses that delivers what looks like either Dridex or Emotet banking malware...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/06/jaff_invoice.png

001_8951.pdf - Current Virus total detections 12/54*: Payload Security** drops 690UICEBVOFF735.docm
... downloads an encrypted txt file from
http ://micolon .de/7gyb3ds which is converted by the script to krivokor8.exe
(VirusTotal 8/61[3]) (Payload Security[4])...
* https://www.virustotal.com/en/file/2f1385e0ace957053bd323296d9460a32561bdf682cf4358147ef0599c25eb96/analysis/1496825964/
001_0673.pdf

** https://www.hybrid-analysis.com/sample/2f1385e0ace957053bd323296d9460a32561bdf682cf4358147ef0599c25eb96?environmentId=100
Contacted Hosts
81.169.145.167
37.120.182.208
194.87.234.99
192.157.238.15
185.23.113.100
178.33.146.207

3] https://www.virustotal.com/en/file/79d96a62622e4efb01fda23cf81b759e0059ad3cd3083acff7fb4174b0b3d40c/analysis/
krivokor8 - Copy.exe

4] https://www.hybrid-analysis.com/sample/79d96a62622e4efb01fda23cf81b759e0059ad3cd3083acff7fb4174b0b3d40c?environmentId=100
Contacted Hosts
216.218.206.69

The -macros- in this example are very different to the ones we have previously seen. There are 3 hardcoded (slightly obfuscated) download sites in -each- macro (The first I examined had these 3):
micolon .de/7gyb3ds
essentialnulidtro .com/af/7gyb3ds
suskunst .dk/7gyb3ds
Thanks to Racco42[5], -other- download sites found include:
5] https://twitter.com/Racco42/status/872384811301834752
http ://adproautomation .in/7gyb3ds
http ://camberwellroofing .com.au/7gyb3ds
http ://caperlea .com/7gyb3ds
http ://choralia .net/7gyb3ds
http ://chqm168 .com/7gyb3ds
http ://essentialnulidtro .com/af/7gyb3ds
http ://luxcasa .pt/7gyb3ds
http ://micolon .de/7gyb3ds
http ://musee-champollion .fr/7gyb3ds
http ://mytraveltrip .in/7gyb3ds
http ://saheser .net/7gyb3ds
http ://sanftes-reiten .de/7gyb3ds
http ://shopf3 .com/7gyb3ds
http ://shreekamothe .com/7gyb3ds
http ://spocom .de/7gyb3ds
http ://sumbermakmur .com/7gyb3ds
http ://surgideals .com/7gyb3ds
http ://suskunst .dk/7gyb3ds
http ://sutek-industry .com/7gyb3ds
http ://svagin .dk/7gyb3ds
http ://xinding .com/7gyb3ds ...
... Malware IP's: https://pastebin.com/arUi7B1H
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
___

Fake blank/empty SPAM - delivers Trickbot
- https://myonlinesecurity.co.uk/more-trickbot-with-blank-emails-using-scan_1234-doc-attachments-as-a-delivery-lure/
7 Jun 2017 - "... an email with a blank/empty subject as well as a completely empty email body pretending to come from random senders with a malicious word doc attachment delivers Trickbot... One of the email looks like:
From: random senders
Date: Wed 07/06/2017 13:15
Subject: none
Attachment: SCAN_0636.doc

Body content: Totally Blank/Empty

SCAN_0636.doc - Current Virus total detections 12/59*. Payload Security** downloads an encrypted txt file from
http ://beursgays .com\7gyb3ds
Still delivering the same krivokor8.exe (VirusTotal 9/61[3]) (Payload Security[4]) which is Trickbot banking Trojan.
So far We have found these additional sites:
essentialnulidtro .com\af\7gyb3ds
martos .pt\7gyb3ds
castvinyl .ru\7gyb3ds ...
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/bcee9ddb70f58b195e396b9961787b0b0e4b89015e7ee35021d57b24a5355c2f/analysis/1496837651/

** https://www.hybrid-analysis.com/sample/bcee9ddb70f58b195e396b9961787b0b0e4b89015e7ee35021d57b24a5355c2f?environmentId=100
Contacted Hosts
178.237.37.40
50.19.227.215
185.86.150.185

3] https://www.virustotal.com/en/file/79d96a62622e4efb01fda23cf81b759e0059ad3cd3083acff7fb4174b0b3d40c/analysis/

4] https://www.hybrid-analysis.com/sample/79d96a62622e4efb01fda23cf81b759e0059ad3cd3083acff7fb4174b0b3d40c?environmentId=100
Contacted Hosts
216.218.206.69

beursgays .com: 178.237.37.40: https://www.virustotal.com/en/ip-address/178.237.37.40/information/
> https://www.virustotal.com/en/url/f9a17664d43b918fd7dbc5b379a18332cf8035949b3fd0ef229369c163c3e378/analysis/

essentialnulidtro .com: 119.28.85.128: https://www.virustotal.com/en/ip-address/119.28.85.128/information/
> https://www.virustotal.com/en/url/42ad08edf2c675971395ac0c4493a65fb82c4807e6c585c59f55b49ae4f21088/analysis/

martos .pt: 91.198.47.86: https://www.virustotal.com/en/ip-address/91.198.47.86/information/
> https://www.virustotal.com/en/url/1c2d414ca41bb10a86a7145aea780e0bab045d15053e6cf3db77f4de2a62aefd/analysis/

castvinyl .ru: 89.111.176.244: https://www.virustotal.com/en/ip-address/89.111.176.244/information/
> https://www.virustotal.com/en/url/ff66a36d4aaf384a327be56df45e036d5d5fea22f179e64d142ad5a945bf690f/analysis/
___

Fake 'Message' SPAM - delivers ransomware
- https://myonlinesecurity.co.uk/message-from-km_c224e-with-zip-attachment-delivers-new-version-of-cerber-ransomware/
7 Jun 2017 - "... using 'Message from KM_C224e'... using the same subject and email template but with a zip attachment containing an .exe file... pretends to come from copier @ your-own-email-domain... Confirmed: this is JAFF ransomware...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/06/Message-from-KM_C224e_-zip-version.png

SKM_C224e03215953284.zip: Extracts to: SKM_C224e9930.exe - Current Virus total detections 12/61*
Payload Security** | MALWR***... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/dd6e62e4c82170b42b515e4c25cba3c2cc95b44c032c844208de77172cac084d/analysis/1496843658/

** https://www.hybrid-analysis.com/sample/dd6e62e4c82170b42b515e4c25cba3c2cc95b44c032c844208de77172cac084d?environmentId=100
Contacted Hosts
52.15.162.35

*** https://malwr.com/analysis/ZmE3YjMxMDg2OTIzNDdhZThkYjFiZGQxZTI4NzZlOTM/
Hosts
52.15.162.35: https://www.virustotal.com/en/ip-address/52.15.162.35/information/
> https://www.virustotal.com/en/url/7fde870e06d4b120395012c1e6e4982099de4e2f7e63460dfb13ba9823d1b9a6/analysis/
___

Office365 - Phish
- https://myonlinesecurity.co.uk/fake-o365-message-important-upgrade-is-required-phishing/
7 Jun 2017 - "... pretends to be a message from Microsoft Office365 saying 'your mailbox is full'...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/06/O365_upgrade_phishing-email.png

-If- you follow the link in the email, you first get sent to:
http ://ronaldsinkwell .com.br/js/Office365/Secure/ where you get an immediate -redirection- ... and you see a webpage looking like this:
http ://www .ftc-network .com/js/Microsoft/Office365/ :
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/06/ftc_network_O365_phishing.png

... All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email..."

ronaldsinkwell .com.br: 192.185.214.91: https://www.virustotal.com/en/ip-address/192.185.214.91/information/
> https://www.virustotal.com/en/url/9a54419ca96ecf5e89deeb51b3449b7f66f76dada043f009674090e1c9caff52/analysis/

ftc-network .com: 103.13.240.186: https://www.virustotal.com/en/ip-address/103.13.240.186/information/
> https://www.virustotal.com/en/url/b03b700f8b81ce95e9dc5e6d7fd1aab429d5fc43c6ca0b51bd3e322200fd1b26/analysis/

:fear::fear::fear: :mad:

AplusWebMaster
2017-06-08, 16:24
FYI...

Fake 'eFax' SPAM - delivers smoke/sharik/dofoil and Trickbot
- https://myonlinesecurity.co.uk/fake-efax-message-from-0300-200-3835-2-pages-malspam-delivers-smoke-sharik-dofoil-and-trickbot/
7 June 2017 - "An email with the subject of 'eFax message from 0300 200 3835' – 2 pages pretending to come from efax but actually coming from a look-alike-domain eFax <message@ mail.efaxcorporate254 .top> with a malicious word doc attachment...
mail.efaxcorporate254 .top was registered on 5 June 2017 via publicdomainregistry .com using what are obviously -fake- details and hosted on a Russian server 185.186.141.227. Other -variants- of the domain are hosted on other IPs in the ‘109.248.200.0 – 109.248.203.255′ and ‘185.186.140.0 – 185.186.143.255’ ranges. Other -variants- of this were registered between 1st and 5th June 2017...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/06/eFax-message-from-0300-200-3835-2-pages.png

FAX_20170607_1496754696_302.doc - Current Virus total detections 7/57* Payload Security** shows a download from
http ://5.149.250.240 /jun7.exe gets -renamed- to Pvmzgo.exe and autorun (VirusTotal 35/61[3]) Payload Security[4]. The malware on http ://5.149.250.240 is being updated at frequent intervals (currently still using jun7.exe) but I have seen 2 different versions since I originally posted... VirusTotal 10/59[5] 14/61[6] Payload Security[7]... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/fc34f8d73639adce0e1120732f8ac3a0083a7ad850f086d5028d40a2fd7895ee/analysis/1496851706/

** https://www.hybrid-analysis.com/sample/fc34f8d73639adce0e1120732f8ac3a0083a7ad850f086d5028d40a2fd7895ee?environmentId=100
Contacted Hosts
5.149.250.240
185.159.128.150

3] https://www.virustotal.com/en/file/4757c2667dc61f0ee30258b226a04ba811a42f3182053aa34ce75e7295b87736/analysis/

4] https://www.hybrid-analysis.com/sample/4757c2667dc61f0ee30258b226a04ba811a42f3182053aa34ce75e7295b87736?environmentId=100
Contacted Hosts
95.101.187.176
185.159.128.150

5] https://www.virustotal.com/en/file/415a75cd01a4b00385c974b59bbbd3e5211a985bf2560d7639d464fd5a56e9e6/analysis/1496866638/
jun7_exe

6] https://www.virustotal.com/en/file/421e9f43cfe87ac8a10d6c6b841ba2584ba54d77bfe24225ed313aa9ea674aa9/analysis/1496899315/
jun7.exe

7] https://www.hybrid-analysis.com/sample/421e9f43cfe87ac8a10d6c6b841ba2584ba54d77bfe24225ed313aa9ea674aa9?environmentId=100
Contacted Hosts
212.227.91.231
193.104.215.58
185.159.128.150

> Update 8 June 2017: -another- run of same email...
fax_20170608_96784512_336.doc - Current Virus total detections 5/55[8]. Payload Security[9] shows a download from
http ://185.81.113.94 /jun8.exe gets -renamed- to Gqkdau.exe and autorun
(VirusTotal 14/61[10]) Payload Security[11]...
8] https://www.virustotal.com/en/file/3a6924693b76675d25cacc6b8b20520c7c2c9fafa6a2a4da8f8cf9cf77c1bc52/analysis/1496913428/

9] https://www.hybrid-analysis.com/sample/3a6924693b76675d25cacc6b8b20520c7c2c9fafa6a2a4da8f8cf9cf77c1bc52?environmentId=100
Contacted Hosts
185.81.113.94
185.159.128.150
192.150.16.117

10] https://www.virustotal.com/en/file/d986808e01a4c8c6b8ec0d4acc09a88f9393774fd1cf7bb45fbdf9b64b076b4b/analysis/1496924193/
jun8.exe

11] https://www.hybrid-analysis.com/sample/d986808e01a4c8c6b8ec0d4acc09a88f9393774fd1cf7bb45fbdf9b64b076b4b?environmentId=100
Contacted Hosts
185.81.113.94: https://www.virustotal.com/en/ip-address/185.81.113.94/information/
> https://www.virustotal.com/en/url/faae387b57aa87604780d50bb7beb3f5f4d0408d40b6787fc1937e82be5b40e6/analysis/
185.81.113.94 /jun8.exe
___

More Fake 'eFax' SPAM - delivers malware via ole rtf exploit
- https://myonlinesecurity.co.uk/another-fake-efax-email-delivers-malware-via-ole-rtf-exploit/
8 Jun 2017 - "Another -fake- eFax email... subject of 'eFax message from 116 – 921 – 1271' – 5 pages pretending to come from eFax Inc <noreply@ efax .com> with a zip attachment containing a malicious word doc...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/06/eFax-message-from-116-921-1271-5-pages.png

QSVN19945204621.zip extracts to pxsmnxd.doc - Current Virus total detections 11/57*. Payload Security**...
... 'found an embedded ole object in the rtf file. It will be using a recent rtf exploit... This email attachment contains what appears to be a genuine word doc or Excel XLS spreadsheet with either a macro script or an embedded OLE object that when run will infect you... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/f3c979b258f1067f3a413da83621ad1ce4b4b0ac8600a3c977574142600cac8a/analysis/1496924661/
pxsmnxd.doc

** https://www.hybrid-analysis.com/sample/f3c979b258f1067f3a413da83621ad1ce4b4b0ac8600a3c977574142600cac8a?environmentId=100
Contacted Hosts
5.196.42.122: https://www.virustotal.com/en/ip-address/5.196.42.122/information/
> https://www.virustotal.com/en/url/7f0fc1b7bead5f61300bec48ee0d74624cb0122032b62caee39e01fc0de9a263/analysis/

:fear::fear::fear: :mad:

AplusWebMaster
2017-06-09, 16:05
FYI...

Fake 'Credit Note' SPAM - delivers malware
- https://myonlinesecurity.co.uk/fake-anna-mills-baby-bottles-wholesale-limited-copy-credit-note-malspam-delivers-malware/
9 Jun 2017 - "... an email with the subject of 'Copy Credit Note' coming or pretending to come from Anna Mills anna.mills@ random email addresses with a semi-random named zip attachment which contains another zip file which delivers a wsf file eventually delivering what looks like emotet banking Trojan...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/06/anna_mills.png

1763904.zip extracts to AA-213-RR.zip: Extracts to: AA-213-RR.wsf - Current Virus total detections 11/55*
Payload Security** shows a download of an encrypted file from
http ://sellitni .com/hjgf677??RqtfrQRDh=FirlRSoaCC which is converted by the script to emsjwIjFro1.exe
(VirusTotal 22/61[3]) which suggests it might be emotet banking malware (Payload Security[4])...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/af53c0b99e2189a59ef7c6204519baee8876472e7e438c5304300972fff4de3d/analysis/1496999598/
AA-213-RR.wsf

** https://www.hybrid-analysis.com/sample/af53c0b99e2189a59ef7c6204519baee8876472e7e438c5304300972fff4de3d?environmentId=100
Contacted Hosts
188.165.220.204: https://www.virustotal.com/en/ip-address/188.165.220.204/information/
> https://www.virustotal.com/en/url/1229db156990ff1072ac4346e5885124d6b5ae33c138ab91fbf2a6b89236be34/analysis/

3] https://www.virustotal.com/en/file/e7e4903ad38c1de9e7314e5cde375fe2d76c898a985fd205ffadc8f816af0ba0/analysis/

4] https://www.hybrid-analysis.com/sample/e7e4903ad38c1de9e7314e5cde375fe2d76c898a985fd205ffadc8f816af0ba0?environmentId=100

:fear::fear: :mad:

AplusWebMaster
2017-06-12, 22:46
FYI...

Fake 'invoice' SPAM - delivers malware
- https://myonlinesecurity.co.uk/more-invoice-malspam-delivers-malware-using-wsf-files/
12 Jun 2017 - "... an email with the subject of 'Invoice PIS0120650' (random numbers) coming or pretending to come from NoReplyMailbox @ random companies, names and email addresses with a zip attachment which matches the subject that contains another zip file, containing a WSF file which eventually delivers what looks like it will turn out to be either Dridex or Trickbot banking Trojan...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/06/Invoice-PIS0120650.png

InvoicePIS0120650.zip: extracts to LZTFBQLX6G.zip which Extracts to: LZTFBQLX6G.wsf
Current Virus total detections 12/56*. Payload Security** shows a download of an encrypted file from
http ://ythongye .com/8yhf2ui? which is converted by the script to wvHyIX1.exe
(VirusTotal 19/60[3]) Payload Security[4]... found 4 -different- WSF files amongst the 150 zips received:
LZTFBQLX6G.wsf - Current Virus total detections 12/56[5]
IZ7JAG6.wsf - Current Virus total detections 11/55[6]
MVUN1W9FO1.wsf - Current Virus total detections 14/56[7]
TOTAHZEQT.wsf - Current Virus total detections 14/56[8]
Manual examination of the various WSF scripting files received shows these download Locations for the malware
(obfuscated in the WSF file using base64 encoding & extra padding):
78tguyc876wwirglmltm .net/af/8yhf2ui > 119.28.85.128
e67tfgc4uybfbnfmd .org/af/8yhf2ui > 119.28.85.128
sacrecoeur.bravepages .com/8yhf2ui? > 66.219.202.10
ythongye .com/8yhf2ui? > 103.249.108.128
sheekchilly .com/8yhf2ui? > 103.21.59.174
lamartechnical .com/8yhf2ui? > 216.97.233.44
syrianchristiancentre .org/8yhf2ui? > 103.21.58.130
skveselka .wz.cz/8yhf2ui > 185.64.219.7
svadba-tamada .de/8yhf2ui > 81.169.145.148
aacom .pl/8yhf2ui? > 193.239.206.248
smartzaa .com/8yhf2ui? > 103.21.58.252
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/d9351db902a8f3031d0ee410f4682f6896fa8dac8ccfe21d6a6c92f46844ae20/analysis/1497289622/
LZTFBQLX6G.wsf

** https://www.hybrid-analysis.com/sample/d9351db902a8f3031d0ee410f4682f6896fa8dac8ccfe21d6a6c92f46844ae20?environmentId=100
Contacted Hosts
103.249.108.128

3] https://www.virustotal.com/en/file/c305ebba4a998304919ada152c3eb3fe4037baa4526a9c16959b43c754743277/analysis/

4] https://www.hybrid-analysis.com/sample/d9351db902a8f3031d0ee410f4682f6896fa8dac8ccfe21d6a6c92f46844ae20?environmentId=100
Contacted Hosts
103.249.108.128

5] https://www.virustotal.com/en/file/d9351db902a8f3031d0ee410f4682f6896fa8dac8ccfe21d6a6c92f46844ae20/analysis/1497289622/

6] https://www.virustotal.com/en/file/8a4c8f7795eaa63ad5aed612ba6e3d81fe205a98b3edf7bc3a8f00a7977b2d4a/analysis/1497281678/

7] https://www.virustotal.com/en/file/e21fd27d3bac1e96920e7d8fa5430b2a02bba93683b6f71de072da6ad2b0ab83/analysis/1497294665/

8] https://www.virustotal.com/en/file/0411fe66e423186a0bce645fb814958e70d460f1bd1528e107a9a81ec51cfc14/analysis/1497294745/

:fear::fear: :mad:

AplusWebMaster
2017-06-14, 14:37
FYI...

Fake 'Emailing' SPAM - delivers pdf malware
- https://myonlinesecurity.co.uk/malspam-with-pdf-attachments-dropping-macro-excel-xls-files-deliver-malware/
14 Jun 2017 - "... an email with the subject of 'Emailing: 288639672' (random numbers) pretending to come from random names and email address that delivers some sort of malware. Over the last couple of weeks these have switched between Jaff ransomware, Dridex banking Trojans and Trickbot banking Trojan...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/06/emailing-288639672.png

288639672.pdf Current Virus total detections 11/56*. Payload Security** drops 000049764694.xlsm
(VirusTotal 11/56[3]) (Payload Security[4]). JoeSandbox[5]: downloads an encrypted txt file from
http ://mailblust .com\98tf77b which is converted by the script to fungedsp8.exe (VirusTotal 8/60[6])..
There are 4 hardcoded (slightly obfuscated) download sites in the macro (there will be more in other versions)
mailblust .com\98tf77b > 162.251.85.92
78tguyc876wwirglmltm .net\af\98tf77b > 119.28.85.128
randomessstioprottoy .net\af\98tf77b > 119.28.85.128
3456group .com\98tf77b > 69.49.96.24
... Other sites found so far have been posted HERE:
- https://twitter.com/coldshell/status/874943588412653568
... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/3938fef25270abd0cc415693d8920e2f547253d05e53bc724f9832d040cd4aa3/analysis/1497432816/

** https://www.hybrid-analysis.com/sample/3938fef25270abd0cc415693d8920e2f547253d05e53bc724f9832d040cd4aa3?environmentId=100
Contacted Hosts
162.251.85.92

3] https://www.virustotal.com/en/file/3938fef25270abd0cc415693d8920e2f547253d05e53bc724f9832d040cd4aa3/analysis/1497432816/

4] https://www.hybrid-analysis.com/sample/9ee95b5f2ed81a04448ec296b2527275a815ec829bd13c04bcf988d062e320fc?environmentId=100
Contacted Hosts
162.251.85.92

5] https://jbxcloud.joesecurity.org/analysis/291764/1/html

6] https://www.virustotal.com/en/file/7712fcc54a22e33f49f1394bce603a397adf418695cdfe2503cf77fe5678e395/analysis/1497433869/
___

'Google Drive' - Phish
- https://myonlinesecurity.co.uk/important-document-google-drive-email-credential-phishing-scam/
14 Jun 2017 - "... phishing attempts for email credentials... pretends to be a message saying 'log in to Google Drive' to get some documents that have been sent to you...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/06/IMPORTANT-DOCUMENT-google-drive-phishing.png

If you follow the link (all are identical) you see a webpage looking like this:
https ://www.mealcare .ca/gdrive/drive/drive/auth/view/share/ - but it is HTTPS so it is “safe“. That is nothing you give to the criminal can be intercepted, so your email log in details can’t be stolen by another criminal on the way. Remember a green padlock HTTPS does NOT mean the site is safe. All it means is secure from easy interception between your computer and that site:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/06/mealcare_google_phish1.png

After you select 'click here' on this identical copy of the Google drive page (if you are not looking at the url bar) you get:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/06/mealcare_google_phish2.png

After you input your details you get sent to a 404 not found page on Morgan Stanley website. I can only assume the phisher tried to link originally to a genuine pdf on Morgan Stanley who quickly removed it:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/06/mealcare_morgan_stanley_404.png ..."

mealcare .ca: 77.104.162.117: https://www.virustotal.com/en/ip-address/77.104.162.117/information/
> https://www.virustotal.com/en/url/1f8bf1c44fc217ceac3cde829867f2b602880ba3924da27cbee2112ecffc8939/analysis/

:fear::fear: :mad:

AplusWebMaster
2017-06-15, 15:17
FYI...

Fake 'Moneygram' SPAM - delivers java adwind
- https://myonlinesecurity.co.uk/fw-moneygram-maintenance-schedule-from-20th-june-2017-malspam-delivers-java-adwind/
15 Jun 2017 - "... a slightly different subject and email content to previous ones... These have a genuine PDF attachment with a -link- in it that downloads a zip containing the malware. The link goes to
https ://www.domingosdandreaimoveis .com.br/wp-admin/images/Moneygram.transactions.12thJune.2017.zip
which is almost certainly a compromised wordpress site...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/06/Fw-Moneygram-Maintenance-Schedule-From-20th-June-2017.png

The pdf looks like:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/06/moneyschedule_pdf.png

Moneygram.transactions.12thJune.2017.jar (474kb) - Current Virus total detections 21/55*. Payload Security**...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/ccce9185b82e21f52fc01efc7def531b85d9047c6ea68e4d72e5422067de999a/analysis/1497502711/

** https://www.hybrid-analysis.com/sample/ccce9185b82e21f52fc01efc7def531b85d9047c6ea68e4d72e5422067de999a?environmentId=100
Contacted Hosts
185.120.144.148

domingosdandreaimoveis .com.br: 187.45.187.122: https://www.virustotal.com/en/ip-address/184.95.37.110/information/

:fear::fear: :mad:

AplusWebMaster
2017-06-16, 16:33
FYI...

Fake Email account notice – Phish
... 'Your Mailbox Will Be Terminated'
- https://myonlinesecurity.co.uk/your-mailbox-will-be-terminated-phishing-for-email-credentials/
16 Jun 2017 - "We see lots of phishing attempts for email credentials. This one is slightly different...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/06/Your-Mailbox-Will-Be-Terminated-ans@thespykiller.co_.uk-.png

If you follow the link you see a webpage looking like this:
https ://deadsocial .com//media/email_updatep1/login.php?userid=ans@ thespykiller .co.uk
(you can put any email address at the end of the link & get the same page with email already filled in).
The red countdown continues to decrease in time while the page is open:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/06/spoofed_email_update.png

... After you input your email address and password, you get told 'incorrect details' and forwarded to an almost identical looking page where you can put it in again and it does that on a continual loop:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/06/spoofed_email_update2.png

... Don’t assume that all attempts are obvious. Watch for any site that invites you to enter ANY personal or financial information..."

deadsocial .com: 184.154.216.243: https://www.virustotal.com/en/ip-address/184.154.216.243/information/
> https://www.virustotal.com/en/url/71588e2727ffcb33e8c37f31375a77eed4d1a9aa178e16a115833e2e7b9b24c7/analysis/

:fear::fear: :mad:

AplusWebMaster
2017-06-20, 13:47
FYI...

Fake DHL SPAM - delivers malware
- https://myonlinesecurity.co.uk/fake-dhl-commercial-invoice-malspam-delivers-malware/
20 Jun 2017 - "An email with the subject of 'Commercial Invoice' pretending to come from export@ dhl-invoice .com with a malicious Excel XLS spreadsheet attachment delivers some sort of malware... I am being told that -other- subjects in this malspam run -spoofing- DHL include: 'DHL Commercial Invoice' and 'DHL poforma invoice'. There appear to be several different -spoofed- senders @dhl-invoice .com...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/06/fake-dhl-commercial-invoice-malspam-email.png

dhl_commercial_invoice_.xls - Current Virus total detections 5/55*. Payload Security** shows a download from
http ://travel-taxi .net/test/edf.exe (VirusTotal 51/62[3]), (Payload Security[4]).
Other download locations -embedded- in other versions of the macro include
http ://okinawa35 .net/m/iop.exe
The XLS file looks like:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/06/dhl_commercial_invoice_xls.png
... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/b6cc986a29dec82b64f35ceca9d9528b92801fb7571e9736c69fef83a2701409/analysis/1497948303/

** https://www.hybrid-analysis.com/sample/b6cc986a29dec82b64f35ceca9d9528b92801fb7571e9736c69fef83a2701409?environmentId=100
Contacted Hosts
202.218.50.130

3] https://www.virustotal.com/en/file/1c950172857b52c45d8a480acd3d14b5cc1877acf0bef9aaad55ff73990fe217/analysis/

4] https://www.hybrid-analysis.com/sample/88843cbfb7e327ca6b04b2a6a17a79df5484694b5f38de06a51f8ddde3301522?environmentId=100

travel-taxi .net: 203.183.93.149: https://www.virustotal.com/en/ip-address/203.183.93.149/information/
> https://www.virustotal.com/en/url/2b5ef80e8ec740f64c2736d601182d3ddac39146c339bbbbf39fe736284fc1d5/analysis/

okinawa35 .net: 202.218.50.130: https://www.virustotal.com/en/ip-address/202.218.50.130/information/
> https://www.virustotal.com/en/url/8b87cdd68a154ba1e7cbf091f945031d748438b782edded483613d417c83fd1c/analysis/

:fear::fear: :mad:

AplusWebMaster
2017-06-21, 20:11
FYI...

Fake 'Invoice' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/the-return-of-locky-with-fake-invoice-emails/
21 Jun 2017 - "... an email with the subject of 'Copy of Invoice 79898702' coming or pretending to come from noreply@ random email addresses with a semi-random named zip attachment in the format of 79898702.zip (random 8 digits). The zip matches the subject... Whether this is a permanent return to Locky or a one off, I don’t know... Locky has vanished for while before & returned. It is also very unusual for Locky to come as an executable file inside a zip...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/06/Copy-of-Invoice-79898702.png

79898702.zip: extracts to INV-09837592.zip which in turn Extracts to: INV-09837592.exe
Current Virus total detections 10/60*. Payload Security**. None of the sandboxes are showing any encrypting activity or the usual Locky signs, so it looks like a -new- version with protections against analysis. We only know it is Locky because one of the analysts[1] extracted the Locky payload from the memory while running this file (Virustotal 39/60***)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/49184047c840287909cf0e6a5e00273c6d60da1750655ad66e219426b3cf9cd8/analysis/
INV-09837592.exe

** https://www.hybrid-analysis.com/sample/49184047c840287909cf0e6a5e00273c6d60da1750655ad66e219426b3cf9cd8?environmentId=100

*** https://www.virustotal.com/en/file/b546fad0209bbf800c11565c4720fdb2685966242d2ff162f7be556dd037a6a1/analysis/1498057764/
_005C0000.mem

1] https://twitter.com/mpvillafranca94/status/877544503720247296

- http://blog.talosintelligence.com/2017/06/necurs-locky-campaign.html
June 21, 2017 - "... The volume of Locky spam Necurs has sent since the start of this particular campaign is notable. In the first hour of this campaign, Talos observed that Locky spam accounted for up to 7.2% of email volume on one of our systems*. While the campaign has since decreased in the number of messages being sent per minute, Necurs is still actively sending messages containing Locky... we can expect a fixed version of Locky to appear in a future round of Necurs' ransomware spam... it's always risky clicking-on-links or opening -attachments- in strange email messages..."
> https://1.bp.blogspot.com/-O9IsDuPG5CQ/WUrZvGUQC2I/AAAAAAAABGU/xd8ggmw2doQ7iK2tb_5ztyE62QP4DqvegCLcBGAs/s1600/image3.jpg
___

Fake 'Receipt to print' SPAM - delivers malware
- https://myonlinesecurity.co.uk/receipt-to-print-malspam-delivers-malware/
21 Jun 2017 - "... an email with the subject of 'Receipt to print' coming or pretending to come from random companies, names and email addresses with a semi-random named zip attachment which delivers some malware... Earlier WSF files today delivered Trickbot banking Trojan...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/06/receipt-to-print.png

Receipt_6706.zip: extracts to archive0124.zip which extracts to: 0923.wsf
Current Virus total detections 11/57*. Payload Security** shows a download of an encrypted file from
http ://tag27 .com/08345ug? which is converted by the script to IeEOifS6.exe (VirusTotal 11/57***).
Manual examination and basic decoding of the WSF file shows these download locations:
tag27 .com/08345ug? > 162.210.102.220
78tguyc876wwirglmltm .net/af/08345ug > 119.28.86.18
malamalamak9 .net/08345ug? > 74.122.121.8
randomessstioprottoy .net/af/08345ug > 119.28.86.18
shreveporttradingantiques .com/08345ug? > 74.220.215.225 ...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/fa88fa362c3deebf0a05983e92ecdfcc5e77097c1803c23706766a03e6852c71/analysis/1498051603/

** https://www.hybrid-analysis.com/sample/fa88fa362c3deebf0a05983e92ecdfcc5e77097c1803c23706766a03e6852c71?environmentId=100
Contacted Hosts
162.210.102.220
119.28.86.18
74.122.121.8

*** https://www.virustotal.com/en/file/14b933fc72e99e0002d6614ab869bd41d3b1ce28dc1f0817b33b9b70126ea45e/analysis/1480617465/

:fear::fear: :mad:

AplusWebMaster
2017-06-26, 13:11
FYI...

Fake 'INVOICE' SPAM - delivers malware
- https://myonlinesecurity.co.uk/confirm-order-and-revise-invoice-malspam-uses-cve-2017-0199-rtf-exploit-to-deliver-malware/
26 Jun 2017 - "An email with the subject of '*CONFIRM ORDER AND REVISE INVOICE*' pretending to come from admin@ random company with a malicious word doc attachment. This word doc is actually an RTF file that uses what looks like the CVE-2017-0199 exploit...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/06/CONFIRM-ORDER-AND-REVISE-INVOICE.png

Order Ref-22550.doc - Current Virus total detections 16/56*. Neither MALWR nor JoeSandbox could get any malicious content from it. Payload Security is still -down- this morning for maintenance that was hoped to be done over the weekend.
Update: after a bit of manual editing & investigating I was able to find the download location:
https ://dev.null .vg/OtoGQj9.hta (VirusTotal 13/56**) ( MALWR***) which should deliver
http ://allafrance .com/ziko.exe but is currently giving me a 404... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/cf3dcb347fc0ca6345c594aea3a2ac92f46ed512fff5f5ffff0787fa17c9bd6d/analysis/1498451330/
Order Ref-22550.doc

** https://www.virustotal.com/en/file/f9460741322906d86b32f6381a03cf8658463cf75a4696fdc20c5604d0f538b5/analysis/1498457573/
OtoGQj9.hta

*** https://malwr.com/analysis/ZDI4ZWFmYjRmZDg2NDNkODg2ODQ4NmYzMjAzNjBkNjY/

dev.null .vg: 104.27.187.29: https://www.virustotal.com/en/ip-address/104.27.187.29/information/
> https://www.virustotal.com/en/url/22c9b23023cf5e07066b14eb23b216ae40eaa45f52cdebb65f3da722aaa09263/analysis/
104.27.186.29: https://www.virustotal.com/en/ip-address/104.27.186.29/information/
> https://www.virustotal.com/en/url/22c9b23023cf5e07066b14eb23b216ae40eaa45f52cdebb65f3da722aaa09263/analysis/

allafrance .com: 85.14.171.25: https://www.virustotal.com/en/ip-address/85.14.171.25/information/
> https://www.virustotal.com/en/url/0980580a95a00d80bf048fe64e4790fc20523df30c2f5c8dc9b2ddb692b7eb4e/analysis/
___

Fake 'invoice' SPAM - links to malware doc file
- https://myonlinesecurity.co.uk/more-invoice-malspam-with-links-to-download-word-doc-deliver-malware/
26 Jun 2017 - "... An email with the subject of 'Cust # 880767-00057' [redacted] pretending to come from Jackie Fill <vs1.kirchdorf@ eduhi .at> (probably random senders) with a -link- that downloads a malicious word doc. The subject and the link that appears in body of the email has the recipients name in it but the actual link doesn’t. The link in this case went to
http ://facyl .com.br/Invoices-payments-and-questions-JBQHL-933-907247/ where it downloaded a macro enabled word doc (the link is very slow & does time out)...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/06/Cust-880767-00057.png

Invoice-NUVKHC-227-980463.doc - Current Virus total detections 9/56*... Joesandbox** shows connections to numerous sites where a malicious file is downloaded using PowerShell, including:
http ://carbeyondstore .com/cianrft/ > 72.52.246.64
http ://motorgirlstv .com/kdm/ > 202.191.62.208
http ://nonieuro .com/xauqt/ > 216.104.189.202
http ://pxpgraphics .com/espzyurt/ > 69.65.3.206
http ://studiogif .com.br/jedtvuziky/ > 192.185.216.153
Eventually giving an .exe file (VirusTotal 10/61***)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment -or- link in an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/dc39a7c3de4a13ca1ddd43b16f161430a017d82d347bb06e622ac246d301ff78/analysis/1498480442/

** https://jbxcloud.joesecurity.org/analysis/297919/1/html

*** https://www.virustotal.com/en/file/b1acddd9b84a282e89f4a87e36ddfa00774627941ecfdb86f122bd7356622fe2/analysis/1498478920/

facyl .com.br: 187.45.187.130: https://www.virustotal.com/en/ip-address/187.45.187.130/information/
> https://www.virustotal.com/en/url/f8f644d3bb005d384235e3f96ee7559e86f7672c20ace5681af4245b66cb44e5/analysis/

:fear::fear: :mad:

AplusWebMaster
2017-06-27, 18:16
FYI...

Fake 'Fattura' SPAM - delivers xls attachment malware
- https://myonlinesecurity.co.uk/more-italian-fattura-malspam-delivering-banking-trojans/
27 Jun 2017 - "An email with the subject of 'Fattura n.9171 del 27/06/17' pretending to come from random Italian email addresses with an Excel XLS spreadsheet attachment...
Update: I am 100% assured* that this is Trickbot banking Trojan...
* https://twitter.com/_operations6_/status/879680802136707073

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/06/Fattura_it_spam1.png

Attachment: https://myonlinesecurity.co.uk/wp-content/uploads/2017/06/Fattura_it_spam2.png

The xls file looks like this, with the instructions to 'enable content' in Italian. They obviously hope that the victim will 'enable content & macros' to see the washed out invoice details in full detail:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/06/Italian-Fattura-fake-invoice-xls.png

FATTURA num. 6655 del 27-=.xls - Current Virus total detections 6/56[1]. Payload Security[2] shows a download from
https ://3eee22abda47 .faith/nvidia4.dvr (VirusTotal 11/61[3])... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
1] https://www.virustotal.com/en/file/df501864f4a6338f0d646e0e5143ac30b06dbed92b15b312d9fdd914a9cc9395/analysis/
1_FATTURA num. 5999 del 27-06-2017.xls

2] https://www.hybrid-analysis.com/sample/df501864f4a6338f0d646e0e5143ac30b06dbed92b15b312d9fdd914a9cc9395?environmentId=100
Contacted Hosts
46.173.218.138

3] https://www.virustotal.com/en/file/85adc0dde125d2c96e388c4a03139bf056d9bacf55a4f957b2c237b83ef619f8/analysis/
nvidia4.dvr

3eee22abda47 .faith: 46.173.218.138: https://www.virustotal.com/en/ip-address/46.173.218.138/information/
> https://www.virustotal.com/en/url/a0e0edc904eb4c26c61458c62849af16df4eaccf0792aa90055ca1962dcfeca1/analysis/
___

Protect Your Cloud - from Ransomware
> http://www.darkreading.com/cloud/9-ways-to-protect-your-cloud-environment-from-ransomware/d/d-id/1329221
6/27/2017
___

Multiple Petya Ransomware Infections Reported
- https://www.us-cert.gov/ncas/current-activity/2017/06/27/Multiple-Petya-Ransomware-Infections-Reported
June 27, 2017

- http://blog.talosintelligence.com/2017/06/worldwide-ransomware-variant.html
June 27, 2017 - "... a new malware variant has surfaced..."

- https://www.helpnetsecurity.com/2017/06/27/petya-ransomware/
June 27, 2017

- http://www.reuters.com/article/us-cyber-attack-idUSKBN19I1TD
Jun 27, 2017 | 4:35pm EDT

- http://www.telegraph.co.uk/news/2017/06/27/ukraine-hit-massive-cyber-attack1/
27 June 2017 • 8:50pm GMT

:fear::fear: :mad:

AplusWebMaster
2017-06-29, 15:18
FYI...

Fake 'UPS cannot deliver' SPAM - delivers ransomware
- https://myonlinesecurity.co.uk/return-of-fake-ups-cannot-deliver-malspam-with-an-updated-nemucod-ransomware-and-kovter-payload/
29 Jun 2017 - "The 'UPS failed to deliver' messages have come back... it looks like the Kovter gang have taken advantage of the Petya outbreak to add to the mix. They have updated the nemucod ransomware version to make it, on first look, impossible to decrypt at this time without paying the ransom. Thanks to Michael Gillespie* a well known anti-ransomware campaigner for his assistance and pointing me in the right direction about the new nemucod ransomware version...
* https://twitter.com/demonslay335
If you get infected by this or any other ransomware please check out the ID Ransomware service** which will help to identify what ransomware you have been affected by and offer suggestions for decryption...
** https://id-ransomware.malwarehunterteam.com/index.php

The emails are the same as usual (you only have to look through this blog and search for UPS[1] or FedEx[2] or USPS[/3]... hundreds of different examples and subjects)...
1] https://myonlinesecurity.co.uk/?s=UPS

2] https://myonlinesecurity.co.uk/?s=fedex

3] https://myonlinesecurity.co.uk/?s=usps

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/06/ups_unable_to_deliver.png

... there is a difference in the .js files that are coming in the (attachment) zips... The initial js looks very similar to previous but has much longer vars (var zemk) that is used to download the other files...
Showing a high level of encryption that at this time appears unable to be decrypted without paying the ransom.
This ransom note (or something similar with different links) gets displayed on the victim’s desktop:
>> https://myonlinesecurity.co.uk/wp-content/uploads/2017/06/nemucod_ransomware_instructions.jpg

The original js downloads 3 files - 1 is Kovter as usual, the second is unknown and there is a massive 6.7mb php interpreter. The 2nd file won’t run without the php interpreter. It looks like it also belongs to PHP and both php files together are needed to run the downloaded php counter files to encrypt the computer...
4] https://www.hybrid-analysis.com/sample/d167368409c3fa244e17cef06eb83174b03fc0397cb0d907daf30dfdba5e100e?environmentId=100
Contacted Hosts (406)

5] https://jbxcloud.joesecurity.org/analysis/300085/1/html
UPS-Delivery-005156577.doc.js

6]https://www.virustotal.com/en/file/d167368409c3fa244e17cef06eb83174b03fc0397cb0d907daf30dfdba5e100e/analysis/1498629470/
UPS-Delivery-005156577.doc.js
Detection ratio: 9/55

... The Kovter download looks like it works separately to the ransomware but might actually be involved somewhere along the line:
7] https://www.virustotal.com/en/file/21efa5573721890cdcf9481f613ccb7d633733f05bc29cfeae402802e382cc92/analysis/1498630707/
da40c167cd75d.png
Detection ratio: 25/62

8] https://www.hybrid-analysis.com/sample/21efa5573721890cdcf9481f613ccb7d633733f05bc29cfeae402802e382cc92?environmentId=100
Contacted Hosts (398)

... Sites involved in this campaign found so far this week:
resedaplumbing .com > 166.62.58.18
modx.mbalet .ru> 95.163.101.104
artdecorfashion .com > 107.180.0.125
eventbon .nl > 109.106.167.212
elita5 .md > 217.26.160.15
goldwingclub .ru > 62.109.17.210
www .gloszp .pl > 87.98.239.19
natiwa .com > 115.84.178.83
desinano .com.ar > 190.183.59.228
amis-spb .ru > 77.222.61.227
perdasbasalti .it > 94.23.64.3
120.109.32.72: https://www.virustotal.com/en/ip-address/120.109.32.72/information/
calendar-del .ru > 77.222.61.227
indexsa.com .ar > 190.183.59.228 ..."
___

'Blank Slate' - malspam campaign -ransomware-
- https://isc.sans.edu/forums/diary/Catching+up+with+Blank+Slate+a+malspam+campaign+still+going+strong/22570/
Last Updated: 2017-06-29 - "'Blank Slate' is the nickname for a malicious spam (malspam) campaign pushing -ransomware- targeting Windows hosts... Today I collected 11 Blank Slate emails, so this diary examines recent developments from the Blank Slate campaign. Today's Blank Slate malspam was pushing Cerber and GlobeImposter ransomware... -fake- Chrome pages sent victims zip archives containing malicious .js files designed to infect Windows hosts with ransomware... potential -victims- must open the zip attachment, open the enclosed zip archive, then double-click the final .js file. That works on default Windows configurations..."
(More detail at the isc URL above.)
___

- https://www.bitdefender.com/news/massive-goldeneye-ransomware-attack-affects-users-worldwide-3330.html?icid=overlay|c|all-pages|goldeneye
Update 6/28 08.00 GMT+3 - "There is mounting evidence that the #GoldenEye / #Petya ransomware campaign might not have targeted financial gains but rather data destruction..."

:fear::fear::fear: :mad:

AplusWebMaster
2017-07-05, 18:56
FYI...

Fake 'Documents' SPAM - delivers Trickbot
- https://myonlinesecurity.co.uk/spoofed-lloyds-bank-important-account-documents-malspam-delivers-trickbot-banking-trojan/
5 Jul 2017 - "An email with the subject of 'Important Account Documents' pretending to come from Lloyds bank but actually coming from a look-a-like domain Lloyds Bank Documents <no-reply@ lloydsbankdocs .co.uk> with a malicious word doc attachment... So far we have only found 1 site sending these today:
lloydsbankdocs .co.uk
As usual they are registered via Godaddy as registrar and the emails are sent via IP 37.46.192.51 which doesn’t have any identifying details except AS47869 Netrouting in Netherlands...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/07/lloyds-Important-Account-Documents.png

The word doc looks like:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/07/lloyds-bank-account-docs.png

AccountDocs.doc - Current Virus total detections 7/57*. Payload Security** shows a download from
http ://pilotosvalencia .com/sergollinhols.png which of course is -not- an image file but a -renamed- .exe file that gets renamed to fsrtat.exe and autorun (VirusTotal 14/60***)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/c3729c71f8dc237fe137638cc82acc0579567dd5e36b878c88379bef593a43f6/analysis/

** https://www.hybrid-analysis.com/sample/c3729c71f8dc237fe137638cc82acc0579567dd5e36b878c88379bef593a43f6?environmentId=100
Contacted Hosts
81.169.217.4
167.114.174.158
197.248.210.150

*** https://www.virustotal.com/en/file/27a36aaa4a6a1325b299e74a6f8656f99fb280b776de0236a722d39871270a11/analysis/
___

Fake 'Customer message' SPAM - delivers Trickbot
- https://myonlinesecurity.co.uk/spoofed-nat-west-bank-customer-message-malspam-delivers-banking-trojan/
5 July 2017 - "... delivering banking Trojans is an email with the subject of 'Customer message' pretending to come from 'Nat West Bank' but actually coming from a series of look alike domains - NatWest Bank Plc <alert@ natwest-serv478 .ml> with a malicious word doc attachment... criminals sending these have registered various domains that look-like-genuine bank domains. Normally there are 3 or 4 newly registered domains that imitate-the-bank or some message sending service... we have found 6 but it is highly likely there could be hundreds, because they are -free- domains that don’t need any checkable registration details:
natwest-serv478 .ml > 81.133.163.165
natwest-serv347 .ml > 185.100.68.185
natwest-serv305 .ml > 72.21.246.90
natwest-serv303 .ml > 47.42.101.137
natwest-serv505 .ml > 98.191.98.153
natwest-serv490 .ml > 128.95.65.99
These are registered via freenom .com as registrar and the emails are sent via a series of what are most likely compromised email accounts or mail servers:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/07/natwest_ip_spam_list.png

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/07/natwest-customer-message.png

The word doc looks like:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/07/message_payment283_doc.png

message_payment283.doc - Current Virus total detections 9/56*. Payload Security** shows a download from
http ://armor-conduite .com/34steamballons.png which of course is -not- an image file but a renamed .exe file that gets renamed to nabvwhy.exe and autorun (VirusTotal 16/62***) which is a slightly different -Trickbot- payload... An alternative download location is
http ://teracom .co.id/34steamballons.png ...
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/8a8696f6b93b30c56d03a47e8efe6c24eb20a530702392378cb20a0e26878242/analysis/1499266638/
message_payment283.doc

** https://www.hybrid-analysis.com/sample/8a8696f6b93b30c56d03a47e8efe6c24eb20a530702392378cb20a0e26878242?environmentId=100
Contacted Hosts
202.169.44.149
94.42.91.27

*** https://www.virustotal.com/en/file/d741d1ca437459e68b861c0c3954087e61978f2d5449d79556e04342f508ff7f/analysis/
nabvwhy.exe

armor-conduite .com: 193.227.248.241: https://www.virustotal.com/en/ip-address/193.227.248.241/information/
> https://www.virustotal.com/en/url/936b95051f8294bf1f4bf1625d4066a754f5144e5f27dfcacfcd75e172d62e47/analysis/

teracom .co.id: 202.169.44.149: https://www.virustotal.com/en/ip-address/202.169.44.149/information/
> https://www.virustotal.com/en/url/9cc07c51d1f715913c18c4789cc3135511be0f6f464d42d114c41d4ee16add04/analysis/
___

'AdGholas' malvertising ...
- https://blog.malwarebytes.com/cybercrime/2017/07/adgholas-malvertising-thrives-shadows-ransomware-outbreaks/
July 5, 2017 - "... other threat actors have been quite active and perhaps even enjoyed this complimentary diversion. This is certainly true for the most prolific -malvertising- gang of the moment, dubbed 'AdGholas'... A master of disguise, AdGholas has been flying right under the nose of several top ad networks while benefiting from the ‘first to move’ effect. Indeed, the -malvertising- operators are able to quickly roll out and activate a -fake- advertising infrastructure for a few days before getting banned...
> https://blog.malwarebytes.com/wp-content/uploads/2017/06/certs.png
... We collected artifacts that show us the redirection between the AdGholas group and the Astrum exploit kit. This kind of -redirect- is highly conditional in order to evade the majority of ad scanners. While many malvertising actors do not care about cloaking, it is very important to others such as AdGholas because stealthiness is a strength that contributes to its longevity...
IOCs:
AdGholas:
expert-essays[.]com
jet-travels[.]com
5.34.180.73
162.255.119.165
Astrum Exploit Kit:
uniy[.]clamotten[.]com
comm[.]clamotten[.]com
comp[.]computer-tutor[.]info
lexy[.]computer-tutor[.]info
sior[.]ccnacertification[.]info
kvely[.]our-health[.]us
nuent[.]mughalplastic[.]com
mtive[.]linksaffpixel[.]com
cons[.]pathpixel[.]com
sumer[.]pathlinkaff[.]com
nsruc[.]ah7xb[.]com
ction[.]ah7xb[.]com
nstru[.]onlytechtalks[.]com
const[.]linksaffpixel[.]com
quely[.]onlytechtalks[.]com
coneq[.]modweave[.]com
94.156.174.11 ..."
(More detail at the malwarebytes URL above.)
___

Fake 'invoice' SPAM - delivers java adwind malware
- https://myonlinesecurity.co.uk/fake-invoices-spreading-java-adwind/
4 Jul 2017 - "... fake 'invoices' rather then their more usual method of fake 'MoneyGram' or 'Western Union money transfer' reports or updates...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/07/due-invoices.png

Payment Dunmore 27.26.170001.jar (566kb) - Current Virus total detections 12/58*. MALWR**... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/cd3f13e77a4fd4b2aa1ea4651f3793527fe0e8a74901d8fbf29590563a6d8004/analysis/1499145423/

** https://malwr.com/analysis/ZTI2MTE2MjIwYzBlNGNmNGIxMWMwZTBiNWE0NmNlNGE/

:fear::fear: :mad:

AplusWebMaster
2017-07-06, 13:18
FYI...

Fake 'wire request' SPAM - delivers banking trojan
- https://myonlinesecurity.co.uk/fake-bank-of-america-the-wire-request-is-unsuccessful-malspam-delivers-chthonic-banking-trojan/
6 Jul 2017 - "An email with the subject of 'The wire request is unsuccessful!' pretending to come from Billing Support using random senders & email addresses with a malicious word doc attachment delivers Chthonic banking trojan...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/07/billing-support.png

printed_ty_0717.doc - Current Virus total detections 12/58*. Payload Security** shows a download from
http ://185.117.73.105 /bofasup.exe (VirusTotal 13/57***)... alternative doc detections [1] [2]. Other download locations include: (there are 3 download locations hard coded in the macro):
http ://185.45.192.116 /bofasup.exe
http ://185.117.72.251 /bofasup.exe
... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/0b50c759aa614d2e40740c8581f0ba3ef4a24521c4a1e0e2a707e274d7392e3e/analysis/1499318502/

** https://www.hybrid-analysis.com/sample/0b50c759aa614d2e40740c8581f0ba3ef4a24521c4a1e0e2a707e274d7392e3e?environmentId=100

*** https://www.virustotal.com/en/file/d73aeebb8835a93472062ae7619abc19ccc09646b38312b16e7f8cfa9a7ee397/analysis/
bofasup.exe

1] https://www.virustotal.com/en/file/b11691b10e71dd7a2bb8519aa55e0d747bf537fd1e2326823697c61a108a3968/analysis/
printed_copy_da_0717.doc
Detection ratio: 13/57

2] https://www.virustotal.com/en/file/882e41a5859363452385058da9d1c723406272d1bda5cfd9046115dfc4945e63/analysis/1499319821/
copy_wt_0717.doc
Detection ratio: 11/57
___

Fake 'eFax' SPAM - malicious doc/xls attachment
- https://myonlinesecurity.co.uk/more-faked-e-fax-messages-spoofing-nest-pensions-delivers-malware/
6 Jul 2017 - "... spoofed eFax message from 1 month ago[1], the same gang are using a similar range of fake e-faxcorporatexxx.top domains to send these malspam emails. Today’s comes with the usual typical subject of 'eFax message from “0300 200 3822” – 2 page(s)' coming from eFax <message@ e-faxcorporate102 .top> with a malicious word doc attachment which delivers some sort of malware...
1] https://myonlinesecurity.co.uk/fake-efax-message-from-0300-200-3835-2-pages-malspam-delivers-smoke-sharik-dofoil-and-trickbot/

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/07/efax_nest.png

The word doc looks like:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/07/securemessagedoc_nest.png

SecureMessage.doc - Current Virus total detections 6/57*... Joesandbox** shows a download from
http ://5.149.252.155 /parcelon13.exe (VirusTotal 15/63***)...
This email attachment contains what appears to be a genuine word doc -or- Excel XLS spreadsheet with either a macro script -or- an embedded OLE object that when run will infect you... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/2d1416850ad33c23e9b4076f3f7f36b215d64c6259f0bd2d211ae043f8a3b85c/analysis/1499264264/
SecureMessage.doc

** https://jbxcloud.joesecurity.org/analysis/304760/1/html

*** https://www.virustotal.com/en/file/cf8f3cd568c449d06786092be1b41eccf2da6b7f9b37b17d2263589cec6cc3c3/analysis/1499306577/

e-faxcorporate102 .top: 46.8.221.104: https://www.virustotal.com/en/ip-address/46.8.221.104/information/

:fear::fear: :mad:

AplusWebMaster
2017-07-07, 15:36
FYI...

Fake 'BACs documents' SPAM - delivers Trickbot
- https://myonlinesecurity.co.uk/fake-royal-bank-of-scotland-important-bacs-documents-malspam-delivers-trickbot-banking-trojan/
7 Jul 2017 - "An email with the subject of 'FW: Important BACs documents' pretending to come from Royal Bank of Scotland but actually coming from a look-a-like domain <Secure.Delivery@ rbsdocs .co.uk> with a -link- to a malicious zip attachment containing a .js file... delivering Trickbot banking Trojan... criminals sending these have registered various domains that look like genuine Bank domains. Normally there are 3 or 4 newly registered domains that -imitate- the bank or some message sending service that can easily be confused with a legitimate organisation in some way that send these. So far we have only found 1 domain today:
rbsdocs .co.uk > 160.153.162.130
As usual they are registered via Godaddy as registrar and hosted by Godaddy on ip 160.153.162.130 but the emails are being sent via host Europe 85.93.88.125...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/07/rbs_bacs_trickbot.png

Rbs_Account_BACs.js - Current Virus total detections 1/57*. Payload Security** shows a download from
http ://mutfakdolabisitesi .com/grandsergiostalls.png which of course is -not- an image file but a renamed .exe file that gets renamed to qkY5ijY.exe and autorun (VirusTotal 12/64***)... The basic rule is NEVER open any attachment -or- link in an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/2ab8e06ea8d83b593f2c9af2ec271db8fff9c1ebb0b3b4e3e716fc0bbb541e8d/analysis/1499423876/
Rbs_Account_BACs.js

** https://www.hybrid-analysis.com/sample/2ab8e06ea8d83b593f2c9af2ec271db8fff9c1ebb0b3b4e3e716fc0bbb541e8d?environmentId=100
Contacted Hosts
46.235.11.61
50.19.227.215
37.120.182.208
78.47.139.102

*** https://www.virustotal.com/en/file/bda60d94fd4092faf98918f64a1dfcc2deac79e6e3b7e928b554467a553ab36e/analysis/1499422646/

mutfakdolabisitesi .com: 46.235.11.61: https://www.virustotal.com/en/ip-address/46.235.11.61/information/
> https://www.virustotal.com/en/url/f932d62e40e113b3b1ca8cf44a96702fd779f4f31f312199fa533ac9233eb157/analysis/

rbsdocs .co.uk: 160.153.162.130: https://www.virustotal.com/en/ip-address/160.153.162.130/information/
> https://www.virustotal.com/en/url/8d40e21121f3c44b1ac65df27bab92b9886695c375ce26c958d6a75646e8dfec/analysis/
___

'Facebook Lottery' - Scam
- https://myonlinesecurity.co.uk/facebook-lottery-scam/
7 Jul 2017 - "'Oh look I have won the Facebook Lottery', or might have done if there actually was such a thing. Unfortunately it is all a big scam. If you were unwise enough to reply, all you would get is a request for a sum of money for Post & packing and the transfer fee for the money. To make it more attractive than usual, apart from the just over $1m money they are giving you a Facebook cap, tee shirt and wallet, 'Wow! how exciting!'. To show how clueless or how they don’t filter or check email addresses they send to, this was sent to a spam-trap-email address...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/07/facebook-lottery.png

Email Headers:
124.153.79.193 - mailgw.notvday .in...
188.207.76.172 - static.kpn .net...

:fear::fear: :mad:

AplusWebMaster
2017-07-10, 13:39
FYI...

Fake 'Delivery Status' SPAM - delivers ransomware
- https://myonlinesecurity.co.uk/new-powershell-ransomware-coming-in-malspam-emails-pretending-to-be-email-bounce-messages/
10 July 2017 - "We were notified of a new ransomware version* last night. This new version comes as an email attachment which is a zip inside a zip before extracting to a .js file in a -fake- 'Delivery Status Notification, failed to deliver' email bounce message. The .js file in the email attachment is a PowerShell -script- and there are no other files involved. Nothing new is downloaded. When the files are encrypted they DO NOT change file name or extensions and appear “normal” to the victim until you try to open them. This is the same behaviour we have been seeing with the recent 'UPS failed to deliver'** nemucod ransomware versions...
* https://twitter.com/SecGuru_OTX/status/884136470910562304

** https://myonlinesecurity.co.uk/return-of-fake-ups-cannot-deliver-malspam-with-an-updated-nemucod-ransomware-and-kovter-payload/

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/07/powershell_ransomware_email-1.png

There is also a section in the script... causes a fake pop up message making the victim think that the file isn’t running properly:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/07/allocated_resource_not_found-1.png

After the file has run and encrypted your files, you get a message left called _README-Encrypted-Files .html:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/07/powershell_ransomware_note.jpg

As well as encrypting the usual image, music, video and document files this also encrypts databases files, email, and very unusually many executable file types. It also encrypts your bitcoin wallet and other similar financial files... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
1] https://www.virustotal.com/en/file/7a6d5ae7d7bc2849ea40907912a27e8aa6c83fafd952168f9e2d43f76881300c/analysis/1499666506/
Readable Msg-j8k5b798d4.js

2] https://www.reverse.it/sample/7a6d5ae7d7bc2849ea40907912a27e8aa6c83fafd952168f9e2d43f76881300c?environmentId=100
Readable Msg-j8k5b798d4.js

The sender domain is also the C2 http ://joelosteel .gdn/pi.php currently hosted by digitalocean .com on 165.227.1.206 ..."

joelosteel .gdn: 165.227.1.206: https://www.virustotal.com/en/ip-address/165.227.1.206/information/
> https://www.virustotal.com/en/url/66b4cc6442c3c104324961b5e93fd2667c44c830a5b4753f336e8f0acb66e150/analysis/
___

Fake 'Secure Communication' SPAM - delivers Trickbot
- https://myonlinesecurity.co.uk/yet-another-spoofed-hm-revenue-customs-secure-communication-malspam-delivering-trickbot-banking-trojan/
10 Jul 2017 - "An email with the subject of 'Secure Communication' pretending to come from HM Revenue & Customs but actually coming from a look-alike-domain < Secure.Communication@ hrmccommunication .co.uk > with a malicious word doc attachment... delivering Trickbot banking Trojan... a very important site involved in today’s campaign with images being hosted on www .libdemvoice .org/wp-content/uploads/2012/06/HMRC-logo-300×102.jpg... they have been hosting an HMRC logo since 2012...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/07/hmrc_10_july.png

HMRC3909308823743.doc - Current Virus total detections 6/57*. Payload Security** shows a download from one of these 2 locations:
http ://pilotosvalencia .com/grazlocksa34.png -or- http ://ridderbos .info/grazlocksa34.png
which of course is -not- an image file but a renamed .exe file that gets renamed to Sonqa.exe and
autorun (VirusTotal 10/63***)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/91d47bdb1c6ac1a3ecf9c1c51970a6064429b58c712ef16a9f3f6d2e3d64e56c/analysis/1499682599/

** https://www.hybrid-analysis.com/sample/91d47bdb1c6ac1a3ecf9c1c51970a6064429b58c712ef16a9f3f6d2e3d64e56c?environmentId=100
Contacted Hosts
81.169.217.4
107.22.214.64
93.99.68.140
195.133.197.179

*** https://www.virustotal.com/en/file/9a65584bf2ff7992fd0aa7bf4d3f793feb5a1e0ebc92f0f03ef2d1014ff8c9cf/analysis/

pilotosvalencia .com: 81.169.217.4: https://www.virustotal.com/en/ip-address/81.169.217.4/information/
> https://www.virustotal.com/en/url/4711fc8c24153906afa17cefe3278667882420bdcdf101e58decee449cb1a61a/analysis/

ridderbos .info: 84.38.226.82: https://www.virustotal.com/en/ip-address/84.38.226.82/information/
> https://www.virustotal.com/en/url/e6f22b29807251837b4c016e2818cc1ab859cb2099ee59f2877f15677765e526/analysis/

libdemvoice .org: 104.28.31.9: https://www.virustotal.com/en/ip-address/104.28.31.9/information/
104.28.30.9: https://www.virustotal.com/en/ip-address/104.28.30.9/information/

:fear::fear: :mad:

AplusWebMaster
2017-07-11, 17:09
FYI...

JAVA_ADWIND - Trend Micro telemetry
> http://blog.trendmicro.com/trendlabs-security-intelligence/spam-remote-access-trojan-adwind-jrat/
July 11, 2017 - "... our telemetry for JAVA_ADWIND... the malware has had a steady increase in detections since the start of the year. From a mere 5,286 in January 2017, it surged to 117,649 in June. It’s notable, too, that JAVA_ADWIND detections from May to June, 2017 increased by 107%, indicating that cybercriminals are actively pushing and distributing the malware...
JAVA_ADWIND detections from January to June, 2017:
> https://blog.trendmicro.com/trendlabs-security-intelligence/files/2017/07/jrat-adwind-spam-1.jpg
... a Java EXE, dynamic-link library (DLL) and 7-Zip installer will be fetched from a domain that we uncovered to be a file-sharing platform abused by the spam operators:
hxxps ://nup[.]pw/DJojQE[.]7z
hxxp ://nup[.]pw/e2BXtK[.]exe
hxxps ://nup[.]pw/9aHiCq[.]dll ...
... it appears to have the capability to check for the infected system’s internet access. It can also perform reflection, a dynamic code generation in Java. The latter is a particularly useful feature in Java that enables developers/programmers to dynamically inspect, call, and instantiate attributes and classes at runtime. In cybercriminal hands, it can be -abused- to evade static analysis from traditional antivirus (AV) solutions...
Indicators of Compromise:
Files and URLs related to Adwind/jRAT:
hxxp ://ccb-ba[.]adv[.]br/wp-admin/network/ok/index[.]php
hxxp ://www[.]employersfinder[.]com/2017-MYBA-Charter[.]Agreement[.]pif
hxxps ://nup[.]pw/e2BXtK[.]exe
hxxps ://nup[.]pw/Qcaq5e[.]jar ..."

nup .pw: 149.210.145.237: https://www.virustotal.com/en/ip-address/149.210.145.237/information/
> https://www.virustotal.com/en/url/9d8a0a3a93a2ea74775e2d2d1832aff2aba3be888f6c06d6649a2d88bc5a6033/analysis/

employersfinder .com: 198.38.91.121: https://www.virustotal.com/en/ip-address/198.38.91.121/information/
> https://www.virustotal.com/en/url/ffe4697f64f76aa0b65b6c857be3bc06403a6f02a20e17f79fcbfda358c59e9e/analysis/

ccb-ba .adv.br: 50.116.112.205: https://www.virustotal.com/en/ip-address/50.116.112.205/information/
> https://www.virustotal.com/en/url/713850fd5c7795642781621f6199574d1d117a6ace1fbec47cab9b5aafb30c44/analysis/

:fear::fear: :mad:

AplusWebMaster
2017-07-13, 15:22
FYI...

Fake 'Confidential Documents' SPAM - delivers Trickbot
- https://myonlinesecurity.co.uk/spoofed-lloyds-bank-confidential-documents-malspam-delivers-trickbot-banking-trojan/
13 July 2017 - "An email with the subject of 'Confidential Documents' pretending to come from Lloyds Bank but actually coming from a look-a-like domain <noreply@ lloydsconfidential .com> with a malicious word doc attachment... delivering Trickbot banking Trojan...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/07/lloyds-bank-confidential-documents-email.png

... they are asking you to insert an authorisation code or password... (but) there is -no- option in this word doc to do that. The word doc looks like:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/07/protected_doc.png

Protected.doc - Current Virus total detections 5/58*. Payload Security** shows a download from
http ://armor-conduite .com/geroi.png which of course is -not- an image file but a renamed .exe file that gets renamed to Tizpvu.exe and autorun (VirusTotal 9/63***). An alternative download location is
http ://kgshrestha .com.np/geroi.png ... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/689758d11e57287c809250a14b38fa2833b2c7895a7823562fca85e87c740b84/analysis/1499942591/

** https://www.hybrid-analysis.com/sample/406047bbbad09cafeb623eb2c1057441ae6db7f19f630acf9a02f9c48e7f40a7?environmentId=100
Contacted Hosts
216.138.226.110
50.19.97.123
186.208.111.188
82.146.94.86

*** https://www.virustotal.com/en/file/3c72d0913352a946707fb18c96195ea96b3e0d6992bf3087f6152c45d7da9a70/analysis/1499942505/

armor-conduite .com: 193.227.248.241: https://www.virustotal.com/en/ip-address/193.227.248.241/information/
> https://www.virustotal.com/en/url/ff1c905fd57f862c2a43b6655b736d4365552f83d00429b46b30760efc6ee1d6/analysis/

kgshrestha .com.np: 74.200.89.84: https://www.virustotal.com/en/ip-address/74.200.89.84/information/
> https://www.virustotal.com/en/url/26820b8fda91468c682966cb0f4ac8affeedcbca89e774b4fa8f6fa35b9ffcb1/analysis/

:fear::fear: :mad:

AplusWebMaster
2017-07-14, 18:05
FYI...

Fake 'Secure message' SPAM - delivers Trickbot
- https://myonlinesecurity.co.uk/spoofed-sage-outdated-invoice-malspam-delivers-trickbot/
14 Jul 2017 - "An email with the subject of 'Secure email message. pretending to come from Sage Invoice but actually coming from a look-a-like domain <noreply@ sage-invoice .com> with a malicious word doc attachment... delivering Trickbot banking Trojan...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/07/sage-outdated-invoice.png

The word doc looks like:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/07/sageInvoice_doc.png

SageInvoice.doc - Current Virus total detections 4/57*. Payload Security** shows a download from
http ://ridderbos .info/sergiano.png which of course is -not- an image file but a renamed .exe file that gets renamed to Pmkzc.exe and autorun (VirusTotal 8/61***)... An alternative download location is
http ://kgshrestha .com.np/sergiano.png ... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/9594c4a60d67b58d48f8d235c5a03a26e2435a791cfdb89f6892fcb81954b435/analysis/1500038647/

** https://www.hybrid-analysis.com/sample/406047bbbad09cafeb623eb2c1057441ae6db7f19f630acf9a02f9c48e7f40a7?environmentId=100
Contacted Hosts
216.138.226.110
50.19.97.123
186.208.111.188
82.146.94.86

*** https://www.virustotal.com/en/file/c7a3123a5cff9c78e2fd926c6800a6c6431c8bca486ce11319a9a8f6fa83945c/analysis/1493725297/

ridderbos .info: 84.38.226.82: https://www.virustotal.com/en/ip-address/84.38.226.82/information/
> https://www.virustotal.com/en/url/91c2e0b61fcc9f75fbf27ac806476769eba4e15a1b1a601ba09e3407ba29cb3b/analysis/

kgshrestha .com.np: 74.200.89.84: https://www.virustotal.com/en/ip-address/74.200.89.84/information/
> https://www.virustotal.com/en/url/dafa2c67b4bff847f757f77a4528bbf1bafa0e523750216652e29cbeee1b4263/analysis/

:fear::fear: :mad:

AplusWebMaster
2017-07-18, 14:59
FYI...

Fake 'payment slip' SPAM - delivers malware
- https://myonlinesecurity.co.uk/fake-swift-copy-notification-payment-slip-malspam-with-an-ace-attachment-delivers-malware-and-a-jrat-trojan/
18 Jul 2017 - "... an email with the subject of 'payment slip' ... pretending to come from random companies, names and email addresses with an ACE attachment (ACE files are a sort of zip file that normally needs special software to extract. Windows and winzip do not natively extract them) which delivers some malware... it has some indications of fareit Trojan. This also has a jrat java.jar file attachment...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/07/payment-slip.png

> Attachments: bank detailes copy.xls.ace -and- TT COPY MBUNDU GISA 740,236 USD.jar

bank detailes copy.xls.ace: Extracts to: bank detailes copy.xls.exe - Current Virus total detections 6/63*
Payload Security**

TT COPY MBUNDU GISA 740,236 USD.jar - Current Virus total detections 2/59[3]. Payload Security[4]... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/a5f148a406a891cfe40078626e39a6aa7bf5ae466ab3531901da32daf869fd28/analysis/1500351301/

** https://www.hybrid-analysis.com/sample/a5f148a406a891cfe40078626e39a6aa7bf5ae466ab3531901da32daf869fd28?environmentId=100
HTTP Traffic
104.69.49.57

3] https://www.virustotal.com/en/file/a681b9cfc23a94321fb19f95a7baf6068412e3dcc70ffea95e1380b0a79e7698/analysis/

4] https://www.hybrid-analysis.com/sample/a681b9cfc23a94321fb19f95a7baf6068412e3dcc70ffea95e1380b0a79e7698?environmentId=100
Contacted Hosts
174.127.99.198

:fear::fear: :mad:

AplusWebMaster
2017-07-19, 14:58
FYI...

Fake blank-subject SPAM - downloads Trickbot
- https://myonlinesecurity.co.uk/trickbot-downloaded-via-vbs-email-blank-subject-noreply/
18 July 2017 - "... Trickbot downloaders... from noreply@ random email addresses (all spoofed). Has a -blank- subject line and a zip attachment containing a VBS file...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/07/trickbot_vbs_email.png

doc00042714507507789135.zip extracts to: doc000799723147922720821.vbs - Current Virus total detections 9/57*.
Payload Security* shows a download of an encrypted text file from
http ://pluzcoll .com/56evcxv? which is converted to nbVXsSxirbe.exe (VirusTotal 31/63***)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/9033a377113f80beedde5575de1fe832bb0e49b9bc6e33851b26e8c8a47fd6d8/analysis/1500373606/

** https://www.hybrid-analysis.com/sample/9033a377113f80beedde5575de1fe832bb0e49b9bc6e33851b26e8c8a47fd6d8?environmentId=100
Contacted Hosts
210.1.58.190
107.20.242.236

*** https://www.virustotal.com/en/file/4ac28bbfa2db1c230a18b95f488d94c719822dd17dd19feb31f3c620294f838c/analysis/

pluzcoll .com: 210.1.58.190: https://www.virustotal.com/en/ip-address/210.1.58.190/information/
> https://www.virustotal.com/en/url/b5476713e1d816ae4f3f91f789a7335cb9dda67277760818da4e5b8761419e51/analysis/
___

Fake 'Invoices' SPAM - deliver Trickbot
- https://myonlinesecurity.co.uk/multiple-campaigns-delivering-trickbot-banking-trojan/
19 July 2017 - "... pdf attachments that drops a malicious macro enabled word doc that delivers Trickbot...
today we have seen 3 different campaigns and subjects all eventually leading to the same Trickbot payload..."
___

Fake 'RFQ' SPAM - delivers java adwind
- https://myonlinesecurity.co.uk/spoofed-rfq-quotation-from-sino-heavy-machinery-co-ltd-delivers-java-adwind/
19 July 2017 - "... emails containing java adwind or Java Jacksbot attachments...
Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/07/RFQ-Quotation-from-Sino-Heavy-Machinery-Co-Ltd.png ..."
___

Bots - searching for Keys & Config Files
- https://isc.sans.edu/diary/22630
2017-07-19 - "... yesterday, I found a -bot- searching for... interesting files: configuration files from popular tools and website private keys. Indeed, file transfer tools are used by many webmasters to deploy files on web servers and they could theoretically leave juicy data amongst the HTML files... Each file was searched with a different combination of lower/upper case characters... This file could contain references to hidden applications (This is interesting to know for an attacker)..."
(More detail at the isc URL above.)

:fear::fear: :mad:

AplusWebMaster
2017-07-20, 17:05
FYI...

Fake 'eFax' SPAM - delivers Trickbot
- https://myonlinesecurity.co.uk/efax-message-from-8473365403-1-pages-caller-id-44-020-3136-4931-malspam-delivers-trickbot-banking-trojan/
20 July 2017 - "... Trickbot malspams... an email with the subject of 'eFax message from 8473365403' – 1 page(s), Caller-ID: 44-020-3136-4931 pretending to come from eFax but actually coming from a look-a-like domain <message@ efax-download .com> with a malicious word doc attachment... they are registered via Godaddy as registrar hosted on 160.153.16.19 and the emails are sent via AS8972 Host Europe GmbH 85.93.88.109. These are registered with what are obviously -fake- details...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/07/eFax-download_spam_email.png

... The -link- in the email body goes to
https ://efax-download .com/pdx_did13-1498223940-14407456340-60
where you see page like this with-a-link to download the actual malware binary
https ://efax-download .com/14407456340-60.zip. extracting to 14407456340-60.exe
The page tries initially to automatically download 14407456340-60.pdf.exe (VirusTotal 3/64*).
Payload Security[2]...
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/07/efax-download.png

DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment -or- link in an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/75dbcf889fb1a2714d5ccc4889cc5e782504b0d7127b619efad978b3bc7fc37a/analysis/1500552776/
14407456340-60.pdf.exe

** https://www.hybrid-analysis.com/sample/75dbcf889fb1a2714d5ccc4889cc5e782504b0d7127b619efad978b3bc7fc37a?environmentId=100

efax-download .com: 160.153.16.19: https://www.virustotal.com/en/ip-address/160.153.16.19/information/
> https://www.virustotal.com/en/url/7a3bb8b741c387eb57d10b345c4a7db6231156d8f209eb850186d85bab7c7ed5/analysis/
___

Fake various subjects SPAM - deliver Trickbot, fake flashplayer
- https://myonlinesecurity.co.uk/trickbot-via-vbs-files-various-subjects-and-a-fake-flashplayer-from-pastebin-adverts/
20 July 2017 - "... Trickbot banking Trojan campaign comes in an email with varying subjects including:
paper
doc
scan
invoice
documents
Scanned Document
receipt
order
They are all coming from random girls names at random email addresses. There is a zip attachment containing a VBS file...
Download sites found so far are listed on:
- https://pastebin.com/MGAVB1uz // Thanks to Racco42*

* https://twitter.com/Racco42
> Beware - for some reason the pastebin link is giving me -diverts- to a scumware site trying to download a -fake-flashplayer-hta-file (VirusTotal 17/58[1]) (Payload Security [2])
https ://uubeilisthoopla .net/85123457821940/be74be7a58e47c2837f71295a31d1533/24c3df3c0fe3c937281c3d8d7427e1da.html
which downloads
https ://uubeilisthoopla .net/85123457821940/1500548202679984/FlashPlayer.jse
(VirusTotal 4/58[3]) (Payload Security [4])...
1] https://www.virustotal.com/en/file/25822bd5a94779301001ba485bcbb49f087b5f56c07e4e9803284af24174f3c7/analysis/1500548514/
FlashPlayer.hta

2] https://www.hybrid-analysis.com/sample/25822bd5a94779301001ba485bcbb49f087b5f56c07e4e9803284af24174f3c7?environmentId=100
Contacted Hosts
209.126.113.203

3] https://www.virustotal.com/en/file/09921777f2aaf0fef2c90b2aea909b506e07bb4500ab92f38731061da27604d0/analysis/1500549163/
FlashPlayer.jse

4] https://www.hybrid-analysis.com/sample/09921777f2aaf0fef2c90b2aea909b506e07bb4500ab92f38731061da27604d0?environmentId=100
Contacted Hosts
209.126.113.203
192.35.177.195

uubeilisthoopla .net: 209.126.113.203: https://www.virustotal.com/en/ip-address/209.126.113.203/information/
> https://www.virustotal.com/en/url/150a6725f9328a9202f13b35d6e01979111c83281a93900f9f59828d18720942/analysis/

:fear::fear: :mad:

AplusWebMaster
2017-07-21, 18:42
FYI...

Fake 'Voice Message' SPAM - delivers Trickbot
- https://myonlinesecurity.co.uk/spoofed-unlimitedhorizon-co-uk-voice-message-attached-from-01258895166-name-unavailable-malspam-delivers-trickbot-banking-trojan/
21 Jul 2017 - "... coming via the Necurs -botnet- is an email with the subject of 'Voice Message Attached from 01258895166' – name unavailable [random numbered] pretending to come from vm@ unlimitedhorizon .co.uk with a zip attachment...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/07/voice_message_unlimited-horizon.png

01258895166_6382218_592164.zip: Extracts to: 01258861149_20170411_185381.wsf
Current Virus total detections 2/58*. Payload Security** shows a download from
http ://avocats-france-maroc .com/sdfgdsg1? which gave a js file (VirusTotal 7/57[3]) (Payload Security[4]) which contacts a list-of-sites and should download an encrypted text file which is converted by the js file to the Trickbot binary. However, Payload Security[4] couldn’t get anything. The sites I can see in -this- js file are:
aprendersalsa .com/nhg67r? – artegraf .org/nhg67r? – asheardontheradiogreens .com/nhg67r?
asuntomaailma .com/nhg67r?... It will probably be similar to an earlier Trickbot version...
Thanks to Racco42[5] who has found the download sites and payload - PasteBin[6].
> Caution: we have been seeing fake flashplayer downloads & diverts via malicious ads on pastebin...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/f1071e7982786be807a4ee9b7f9ea7bfac4cbb21ae5d5ca1852e5a7513ea80d3/analysis/1500641858/
01258861149_20170411_185381.wsf

** https://www.hybrid-analysis.com/sample/f1071e7982786be807a4ee9b7f9ea7bfac4cbb21ae5d5ca1852e5a7513ea80d3?environmentId=100
Contacted Hosts
158.69.133.237

3] https://www.virustotal.com/en/file/1a00bc332853ad2a98c1853c072049eff587daf17b922112facd2a0383a02023/analysis/1500641867/
sdfgdsg1.js

4] https://www.hybrid-analysis.com/sample/1a00bc332853ad2a98c1853c072049eff587daf17b922112facd2a0383a02023?environmentId=100

5] https://twitter.com/Racco42/status/888392692761284608

6] Updated > https://t.co/eD7MtOxind

avocats-france-maroc .com: 158.69.133.237: https://www.virustotal.com/en/ip-address/158.69.133.237/information/
> https://www.virustotal.com/en/url/94f926b13078b35e95526eafc1aebec94b07c554611ba41dbed2e3bb2877d9e6/analysis/

aprendersalsa .com: 207.7.94.54: https://www.virustotal.com/en/ip-address/207.7.94.54/information/
> https://www.virustotal.com/en/url/2ed7c6412bb75cdc00e785c9d81eda7eb2a769bb771fcdcab374779a4b05646f/analysis/

artegraf .org: 185.58.7.72: https://www.virustotal.com/en/ip-address/185.58.7.72/information/

asheardontheradiogreens .com: 199.30.241.139: https://www.virustotal.com/en/ip-address/199.30.241.139/information/
> https://www.virustotal.com/en/url/1b71d09764438ddfeab17b8bb0a7003439d126672c1929b83176efa9a8282dc5/analysis/

asuntomaailma .com: 185.55.85.4: https://www.virustotal.com/en/ip-address/185.55.85.4/information/
___

Malicious Chrome extensions / Facebook fraud - more
- https://www.helpnetsecurity.com/2017/07/21/stealthy-botnet/
July 21, 2017 - "ESET* researchers have unearthed a botnet of some 500,000 infected machines engaged mostly in ad-related fraud by using malicious Chrome extensions, but also Facebook fraud and brute-forcing Joomla and WordPress websites..."
* https://www.welivesecurity.com/2017/07/20/stantinko-massive-adware-campaign-operating-covertly-since-2012/
20 Jul 2017 - "... a huge botnet that they monetize mainly by installing malicious browser extensions** that perform ad injection and click fraud. However, they don’t stop there. The malicious Windows services they install enable them to execute anything on the infected host. We’ve seen them being used to send a fully featured backdoor, a bot performing massive searches on Google, and a tool performing brute-force attacks on Joomla and WordPress administrator panels in an attempt to compromise and potentially resell them.
Figure 1 shows the full Stantinko threat from the infection vector to the final persistent services and related plugins:
> https://www.welivesecurity.com/wp-content/uploads/2017/07/stantinko-infographics-blog-01.png
... Stantinko stands out in the way it circumvents antivirus detection and thwarts reverse engineering efforts to determine if it exhibits malicious behavior. To do so, its authors make sure multiple parts are needed to conduct a complete analysis. There are always -two- components involved: a loader and an encrypted component. The malicious code is -concealed- in the encrypted component that resides either on the disk or in-the-Windows-Registry. This code is loaded and decrypted by a benign-looking executable. The key to decrypt this code is generated on a per-infection basis. Some components use the bot identifier and others use the volume serial number from its victim PC’s hard drive. Making reliable detections based on the non-encrypted components is a very difficult task, since artifacts residing on the disk do not expose malicious behavior until they’re executed. Moreover, Stantinko has a powerful resilience mechanism. After a successful compromise, the victim’s machine has two malicious Windows services installed, which are launched at system startup. Each service has the ability to reinstall the other in case one of them is deleted from the system. Thus, to successfully uninstall this threat, both services must be deleted at the same time. Otherwise, the C&C server can send a new version of the deleted service that isn’t detected yet or that contains a new configuration..."
** https://www.helpnetsecurity.com/images/posts/stantinko-1.jpg
(More detail at the welivesecurity URL above.)

(IOC's): https://github.com/eset/malware-ioc/tree/master/stantinko

:fear::fear::fear: :mad:

AplusWebMaster
2017-07-25, 14:49
FYI...

Weather .com, Fusion expose Data via Google Groups Config Error
> http://www.darkreading.com/vulnerabilities---threats/weathercom-fusion-expose-data-via-google-groups-config-error--/d/d-id/1329449
7/24/2017 - "Major companies have publicly exposed messages containing sensitive information due to a user-controlled configuration error in Google Groups. Researchers at RedLock Cloud Security Intelligence (CSI) discovered Google Groups belonging to hundreds of companies inadvertently exposed personally identifiable information (PII) including customer names, passwords, email and home addresses, salary compensation details, and sales pipeline data. Internal messages also exposed business strategies, which could create competitive risk if in the wrong hands, explains RedLock*...
* https://blog.redlock.io/google-groups-misconfiguration
The Weather Company, the IBM-owned operator of weather .com and intellicast .com, is among the companies affected. Fusion Media Group, parent company of Gizmodo, The Onion, Jezebel, Lifehacker, and other properties made the same mistake... The companies that leaked data accidentally chose the sharing setting 'public on the Internet', which enabled -anyone- on the Web to access -all- information contained in their messages. RedLock advises all companies using Google Groups to ensure 'private' is the sharing setting** for 'Outside this domain-access to groups'. RedLock's CSI team routinely checks various cloud infrastructure tools for threat vectors, and monitors publicly available data to detect misconfigurations that could cause security incidents..."
** https://blog.redlock.io/hs-fs/hubfs/Blogs/GoogleGroupsSetting.png
___

Petya decryptor for old versions released
- https://blog.malwarebytes.com/malwarebytes-news/2017/07/bye-bye-petya-decryptor-old-versions-released/
Last updated: July 25, 2017 - "Following the outbreak of the Petya-based malware in Ukraine, the author of the original version, Janus, decided to release his master key, probably closing the project... Based on the released key, we prepared a decryptor that is capable of unlocking all the legitimate versions of Petya...
WARNING: During our tests we found that in some cases Petya may -hang- during decryption, or cause some other problems potentially -damaging- to your data. That’s why, before any decryption attempts, we recommend you to make an additional backup...
It -cannot- help the victims of pirated Petyas, like PetrWrap or EternalPetya (aka NotPetya)..."
(More detail at the malwarebytes URL above.)

Related:
- https://blog.malwarebytes.com/threat-analysis/2017/06/eternalpetya-yet-another-stolen-piece-package/

- https://blog.malwarebytes.com/cybercrime/2017/07/the-key-to-the-old-petya-has-been-published-by-the-malware-author/

:fear::fear: :mad:

AplusWebMaster
2017-07-26, 14:28
FYI...

Fake 'No Subject' SPAM - delivers Trickbot
- https://myonlinesecurity.co.uk/fake-telstra-bill-malspam-delivers-trickbot-banking-trojan-via-multi-stage-download/
26 Jul 2017 - "Another Trickbot campaign overnight... Pretends to be a bill coming from notifications@ in.telstra .com.au.... You get a wsf file in zip to start with. That has a hardcoded single site in the file. That downloads a .js file which has 4 or sometimes 5 hardcoded urls which download an encrypted txt file that is converted by the js file to a working Trickbot binary. The name & reference number in the email is random...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/07/spoofed_telstra_email.png

May-July2017.zip: Extracts to: QPX_ 18941124638_411385.wsf - Current Virus total detections 4/57*.
Payload Security** downloads from dodawanie .com/?1 (or one of the other stage 2 sites listed in this pastebin[3]
(VirusTotal 5/577[4]) (Payload Security[5]) which -cannot- examine the file because it is seen as txt. However that downloads of an encrypted file from one of the stage 3 sites listed in this pastebin report[6] which is converted by the script to an .exe file (VirusTotal 17/63[7]) (Payload Security[8])... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/adff69837675f282bdb5992834bd348629314d8fb35aaa1d0244a1d97535cbc6/analysis/1501020013/
QPX_ 18941124638_411385.wsf

** https://www.hybrid-analysis.com/sample/adff69837675f282bdb5992834bd348629314d8fb35aaa1d0244a1d97535cbc6?environmentId=100
Contacted Hosts
74.125.104.72
185.23.21.13

3] https://pastebin.com/RvHqTC7y

4] https://www.virustotal.com/en/file/9a7e9d7db15ca6f5555f41f3329d2b81bd579b53874583110fd792e5b1817fd3/analysis/1501026192/

5] https://www.hybrid-analysis.com/sample/9a7e9d7db15ca6f5555f41f3329d2b81bd579b53874583110fd792e5b1817fd3?environmentId=100

6] https://pastebin.com/RvHqTC7y

7] https://www.virustotal.com/en/file/b7a7d715f370142ddc6d1ba15f9f7377cda3995d4726874d4eeda24d4b9eff13/analysis/1501041870/
C.exe

8] https://www.reverse.it/sample/b7a7d715f370142ddc6d1ba15f9f7377cda3995d4726874d4eeda24d4b9eff13?environmentId=100
Contacted Hosts
216.58.198.196
216.58.198.206

dodawanie .com: 185.23.21.13: https://www.virustotal.com/en/ip-address/185.23.21.13/information/
> https://www.virustotal.com/en/url/6274213a74e20ad7e760c663cb3d2e31af05651fbaeb4bf43b94ac3983c30a84/analysis/
___

Fake 'Account secure documents' SPAM - delivers Trickbot
- https://myonlinesecurity.co.uk/spoofed-hsbc-account-secure-documents-malspam-delivers-trickbot/
26 Jul 2017 - "An email with the subject of 'Account secure documents' pretending to come from HSBC but actually coming from a look-alike-domain <noreply@ hsbcdocs .co.uk> with a malicious word doc attachment is today’s latest spoof of a well known company, bank or public authority delivering Trickbot banking Trojan ...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/07/HSBC_Account-Secure-Documents_email.png

The word doc looks like:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/07/hsbc_PaymentAdvice_doc.png

PaymentAdvice.doc - Current Virus total detections 4/57*. Payload Security** shows a download from
https ://kartautoeskola .com/test/images/logo.png which is -not- an image file but a renamed .exe file
that gets -renamed- to warrantyingresalesdioxide.exe and autorun (VirusTotal 1/63***) Payload Security[4]...
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/51fc6482d1ab80010ebfe25d5b2a81c556235f4f541631589be49b3d9ac366af/analysis/1501070044/
PaymentAdvice.doc

** https://www.hybrid-analysis.com/sample/91c4d946a68b9a02e500e12611119063e49c4b1b0a2bfd4b586dd39a525b9361?environmentId=100

*** https://www.virustotal.com/en/file/91c4d946a68b9a02e500e12611119063e49c4b1b0a2bfd4b586dd39a525b9361/analysis/1501067853/
vaqqamsxhmfqdrakdrchnwhcd.exe

4] https://www.hybrid-analysis.com/sample/91c4d946a68b9a02e500e12611119063e49c4b1b0a2bfd4b586dd39a525b9361?environmentId=100

kartautoeskola .com: 69.160.38.3: https://www.virustotal.com/en/ip-address/69.160.38.3/information/
> https://www.virustotal.com/en/url/946eccce7a67ef88790093d566f30e61c5a004610e50520b8393f166b31cfe4b/analysis/
___

BEC attacks more costly than Ransomware...
- http://www.darkreading.com/vulnerabilities---threats/bec-attacks-far-more-lucrative-than-ransomware-over-past-3-years/d/d-id/1329414
7/20/2017 - "... cybercriminals walked away with $5.3 billion from business email compromise (BEC) attacks compared with $1 billion for ransomware over a three-year stretch, according to Cisco's 2017 Midyear Cybersecurity Report released*...
* https://engage2demand.cisco.com/cisco_2017_midyear_cybersecurity_report
... Cisco's Martino says targeted cybersecurity -education- for employees can help prevent users from falling for BEC -and- ransomware attacks. The finance department could especially benefit from security training on phishing campaigns, so when the bogus-email comes across the transit of the CEO asking for a funds transfer it can be detected... Regular software patching also is crucial. When spam-laden-malware hits or ransomware attacks similar to WannaCry surfaces, the impact can be minimized... a balanced defensive and offensive posture, with not just firewalls and antivirus but -also- including measures to hunt down possible attacks through data collection and analysis..."

:fear::fear: :mad:

AplusWebMaster
2017-07-27, 13:50
FYI...

Fake 'Invoice notification' SPAM - delivers malware
- https://myonlinesecurity.co.uk/invoice-notification-with-id-number-40533-delivers-malware/
27 Jul 2017 - "An email with the subject of 'Invoice notification with id number: 40533' pretending to come from random senders with a link-in-the-email to a malicious word doc delivers... malware... possibly Emotet banking Trojan...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/07/Invoice-notification-with-id-number-40533.png

GOCNX8263762.doc - Current Virus total detections 7/57*. Payload Security** shows a download from one of the sites listed below where a random named .exe is delivered (VirusTotal 13/62[/3]) (Payload Security[4]).
The delivery sites are all compromised sites:
http ://petruchio .org/zbmcicj/
http ://danjtec .it/ldcgtgkew/
http ://radiosmile .hu/q/
http ://ihealthcoach .net/paqdauulaq/
http ://btsound .com/erepr/
... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/65c861a58ff17e389c04f000ddabd5421765dd4bf5aac666e6aa1b4934b15d27/analysis/1501132650/
URQTN6370102.doc

** https://www.hybrid-analysis.com/sample/65c861a58ff17e389c04f000ddabd5421765dd4bf5aac666e6aa1b4934b15d27?environmentId=100

3] https://www.virustotal.com/en/file/9674118de8b6b86a6e9905552cb2ae912129ca6879b586747e17734b0911e4df/analysis/1501134465/

4] https://www.hybrid-analysis.com/sample/9674118de8b6b86a6e9905552cb2ae912129ca6879b586747e17734b0911e4df?environmentId=100

petruchio .org: 64.90.44.242: https://www.virustotal.com/en/ip-address/64.90.44.242/information/
> https://www.virustotal.com/en/url/b6ccac87c23dee04bcd80e6fd68286836d14dc09853e0f7c39a846908938ad51/analysis/

danjtec .it: 5.135.157.47: https://www.virustotal.com/en/ip-address/5.135.157.47/information/
> https://www.virustotal.com/en/url/dfeb4f31a70d1becd0dc6a8d5153546a2b12c534dee9b19fd63f37518ab7e8d0/analysis/

radiosmile .hu: 92.61.114.191: https://www.virustotal.com/en/ip-address/92.61.114.191/information/
> https://www.virustotal.com/en/url/a390683649b5e7892b6118daaa398734c8a24185a08e1fffd53e7f642d260d5f/analysis/

ihealthcoach .net: 66.59.64.111: https://www.virustotal.com/en/ip-address/66.59.64.111/information/
> https://www.virustotal.com/en/url/8acdd40854adbe5d82e6ebf99d96955124f050b4a92bc4fdc37ef8d6ccada823/analysis/

btsound .com: 74.220.199.25: https://www.virustotal.com/en/ip-address/74.220.199.25/information/
> https://www.virustotal.com/en/url/246fb50a9e8134aa5e7667a49b2e5ea33dc1698d419f8495be3da35a0591b72d/analysis/

:fear::fear: :mad:

AplusWebMaster
2017-07-31, 15:07
FYI...

Fake 'Invoice' SPAM - leads to malware/Trojan
- https://myonlinesecurity.co.uk/emotet-geodo-delivered-via-fake-invoices-using-updated-word-docs-with-encoded-sections/
31 July 2017 - "Following on from THIS* -fake- invoice email is a -newer- version with a different word doc at the end of the link-in-the-email. Today’s email with the subject of 're: Invoice 622806' pretending to come from senders with a known connection to the recipient. The link-in-the-email leads to a malicious word doc that eventually delivers Emotet/Geodo banking Trojan...
* https://myonlinesecurity.co.uk/invoice-notification-with-id-number-40533-delivers-malware/

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/07/invoice-622806.png

ZDFRRI208.doc - Current Virus total detections 1/58[1]. Payload Security[2] doesn’t show any download... Twitter contacts Malwarehunterteam[3] and Antelox[4] have found some of the associated download urls and payload...
Theses word docs are using various tricks that make it difficult for the online sandboxes to decode/analyse, find the download sites and download the eventual payload. The url so far found is
http ://macsys.ca/ZQRZCy/ but... there are others.
1] https://www.virustotal.com/en/file/6bf1ec3bc2f0a97bdca700f02a99db02543fc00e6e9e88bbc444e56c4f74dfc5/analysis/1501480309/
BNCKKK930.doc

2] https://www.hybrid-analysis.com/sample/6bf1ec3bc2f0a97bdca700f02a99db02543fc00e6e9e88bbc444e56c4f74dfc5?environmentId=100

3] https://twitter.com/malwrhunterteam/status/891913205047590913

4] https://twitter.com/Antelox/status/891914028246638592

Update: another contact[5] has found the complete list[5a] (pastebin[6])
http ://macsys .ca/ZQRZCy/ > 216.177.130.19
http ://paulplusa .com/jUiYKJFIuj/ > 216.97.239.25
http ://josephconst .com/cByNSVwsK/ > 67.228.48.40
http ://cs-skiluj.sanfre .eu/PSArDr/ > 185.5.98.24
http ://itdoctor .ca/jgaeQ/ > 67.205.112.177

5] https://twitter.com/phage_nz/status/891922001647894528

5a] https://twitter.com/phage_nz/status/891918128627597315

6] https://pastebin.com/Cdvat2Bp

... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
> https://www.hybrid-analysis.com/sample/cfac88050a8b5f7d293b93270f640b639d6d3891b8946fa7bb17c848a1e4c203?environmentId=100
Contacted Hosts
207.210.245.164
___

Fake 'Receipt' SPAM - delivers ransomware
- https://myonlinesecurity.co.uk/more-fake-receipts-and-payment-receipt-emails-deliver-globe-ransomware/
31 July 2017 - "... malware downloaders pretending to be a 'payment receipt' -or- a 'receipt' is an email with the subject of 'Receipt 21426' coming or pretending to come from donotreply@ random email addresses with a zip attachment containing a .vbs file that delivers globe ransomware. The zip name corresponds with the subject line. There are a mass of subject lines today. Some of the patterns include:
Receipt#83396
Receipt 21426
Payment-421
Payment Receipt 222
Payment Receipt#97481
Payment Receipt_8812
Receipt-351
Payment Receipt_03950 ...
One of the emails looks like:
From: donotreply@ blueprintrecruitment .co.uk
Date: Mon 31/07/2017 11:15
Subject: Receipt 21426
Attachment: P21426.zip
[Body content:]
Attached is the copy of your payment receipt.

P21426.zip: Extracts to: 20172.2017-07-31_75.20.68.vbs - Current Virus total detections 7/58*. Payload Security** shows a download of a txt file from
http ://koewege .de/98wugf56? > 81.169.145.77
which is simply renamed by the script to a random named .exe file (VirusTotal 14/64[3]) (Payload Security[4])...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/9f476dccaa8ed2d8ee30cea0232413c236197ad7fff59b77d266b55dbcd711d6/analysis/1501499651/
20172.2017-07-31_75.20.68.vbs

** https://www.hybrid-analysis.com/sample/9f476dccaa8ed2d8ee30cea0232413c236197ad7fff59b77d266b55dbcd711d6?environmentId=100
Contacted Hosts
81.169.145.77

3] https://www.virustotal.com/en/file/adcced3025b513fd907f595357182d66c630ebcad3d0720851230ec93a81fa27/analysis/1501501469/

4] https://www.hybrid-analysis.com/sample/adcced3025b513fd907f595357182d66c630ebcad3d0720851230ec93a81fa27?environmentId=100
Associated URLs: http ://okdomvrn .ru/98wugf56?
okdomvrn .ru: 92.53.96.9: https://www.virustotal.com/en/ip-address/92.53.96.9/information/
> https://www.virustotal.com/en/url/7b359d31ce2581591f65222a3905db9e526a104c503b9772e197cf40fcf380ed/analysis/

:fear::fear: :mad:

AplusWebMaster
2017-08-01, 21:33
FYI...

Fake 'secure message' SPAM - delivers Trickbot
- https://myonlinesecurity.co.uk/spoofed-santander-you-have-a-new-secure-message-waiting-malspam-delivers-trickbot-banking-trojan/
1 Aug 2017 - "An email with the subject of 'You have a new secure message waiting' pretending to come from Santander but actually coming from a look-alike-domain Santander <pleasedonotreply@ -santandersecuremessage- .com> with a malicious word doc attachment is today’s latest spoof of a well known company, bank or public authority delivering Trickbot banking Trojan...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/08/spoofed-santander-You-have-a-new-secure-message-waiting.png

SecureMessage.doc - Current Virus total detections 5/58* Payload Security** shows a download from
http ://lexpertpret .com/fr/nologo.png which of course is -not- an image file but a renamed .exe file that gets renamed to ywbltmn.exe and autorun (VirusTotal 16/63[3]) (Payload Security[4]). An alternative download location is
https ://hvsglobal .co.uk/image/nologo.png
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/08e3da6d2868bb292f81e3580b1686a34fc5c25051f2c9601671f35873688307/analysis/1501605462/
SecureMessage.doc

** https://www.hybrid-analysis.com/sample/08e3da6d2868bb292f81e3580b1686a34fc5c25051f2c9601671f35873688307?environmentId=100
Contacted Hosts
216.138.226.110
146.255.36.1
69.247.60.183
46.105.250.84
91.206.4.216

3] https://www.virustotal.com/en/file/12cb98d81a34cebca839eb91875b0d9d6cdc3401c16161f49eac1accea1fc6ec/analysis/1501604882/
ywbltmn.exe

4] https://www.hybrid-analysis.com/sample/12cb98d81a34cebca839eb91875b0d9d6cdc3401c16161f49eac1accea1fc6ec?environmentId=100

lexpertpret .com: 216.138.226.110: https://www.virustotal.com/en/ip-address/216.138.226.110/information/
> https://www.virustotal.com/en/url/7bebb4c78b1ae19b35e61ef4ea91b0aff7f3a396ace462e7eae8b574ce55c217/analysis/

hvsglobal .co.uk: 192.185.37.229: https://www.virustotal.com/en/ip-address/192.185.37.229/information/
> https://www.virustotal.com/en/url/9e614a031cf2cac8cb9df4a561443e9e3bf72051a4dde83f7da0db4af4ceea4b/analysis/
___

Fake 'Voicemail' SPAM - delivers Trojan
- https://myonlinesecurity.co.uk/fake-microsoft-voice-voicemail-from-845-551-at-935am-malspam-delivers-emotet-banking-trojan/
1 Aug 2017 - "... an email with the subject of 'Voicemail From 845-551-#### at 9:35AM' pretending to come from Microsoft Voice <MSVoice@ your own email domain> downloads Emotet banking Trojan...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/08/Voicemail-From-845-551-8266-at-935AM.png

VM97358238_20170801.zip: Extracts to: VM9742814303_20170801.vbs Current Virus total detections 16/55*
Payload Security**. Manual analysis of the vbs file shows these download sites hardcoded in a base64 encoding with a bit of extra nonsense padding to try to hide them (there will be loads of other sites in other vbs files attached to a -different- version of this)
showyourdeal .com/JHghjHy6? > 143.95.99.159
89tg7gjkkhhprottity .com/af/JHghjHy6 > 91.214.114.154
mybutterhalf .com/JHghjHy6? > 208.91.198.170
dreamoneday .com/JHghjHy6? > 103.21.58.181
These are downloaded as txt files but are simply renamed .exe files (VirusTotal 16/55[3]) (Payload Security[4])...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/794dcfdcc1362140eee6fcda11ddf239ab048a965bba634bb787321db9672cfa/analysis/1480616575/
-6dt874p53077.js

** https://www.hybrid-analysis.com/sample/794dcfdcc1362140eee6fcda11ddf239ab048a965bba634bb787321db9672cfa?environmentId=100
Contacted Hosts
82.211.96.24
91.201.41.145
31.41.47.50
46.8.29.155
52.34.245.108
54.240.162.137

3] https://www.virustotal.com/en/file/794dcfdcc1362140eee6fcda11ddf239ab048a965bba634bb787321db9672cfa/analysis/1480616575/
-6dt874p53077.js

4] https://www.hybrid-analysis.com/sample/794dcfdcc1362140eee6fcda11ddf239ab048a965bba634bb787321db9672cfa?environmentId=100
Contacted Hosts
82.211.96.24
91.201.41.145
31.41.47.50
46.8.29.155
52.34.245.108
54.240.162.137

Update: it appears that this is more likely to be Globeimposter ransomware* not Emotet. It looks like I was mislead by initial detections on VirusTotal and the delivery method.
* https://twitter.com/VK_Intel/status/892613372889399296
2nd Update 2 August 2017: This campaign has continued on and off all night (UK time) with a slight change to the zip file names. From exactly midnight UK time last night the last part of the zip name ( the date) changed from VM#######_20170801.zip to VM#######_20170802.zip. Looking through a few of the nearly 600 I received, it looks like the download sites are the -same- as many of the sites in yesterday’s (and earlier) Trickbot and globeimposter campaigns that I didn’t report on because of other real world commitments. A list of sites can be seen in VT comments**. Just change /98wugf56 to /JHghjHy6 (quite a few sites are live using the latest file name format).
** https://www.virustotal.com/en/file/adcced3025b513fd907f595357182d66c630ebcad3d0720851230ec93a81fa27/analysis/

:fear::fear: :mad:

AplusWebMaster
2017-08-02, 18:26
FYI...

Fake 'Online Bill' SPAM - delivers malware
- https://myonlinesecurity.co.uk/spoofed-vodafone-online-bill-manager-your-phone-bill-is-ready-to-view-delivers-banking-trojan/
2 Aug 2017 - "... malspam campaign pretending to be a 'Vodafone bill'. These started earlier this morning with links-in-the-email to a compromised or fraudulently set up SharePoint business site that soon stopped delivering the malware payloads. They then quickly switched to a whole host of other compromised sites to host the word doc that is the first stage in the malware download process. This is definitely a dyre based banking Trojan and might be Dridex or might be Trickbot...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/08/Spoofed-Vodaphone-Online-Bill-Manager-Your-Phone-Bill-is-ready-to-view.png

Bill_02082017.doc - Current Virus total detections 21/59*. Payload Security** downloads an encrypted txt file from one of these 3 sites (may be more in other macros so far not examined):
http ://ortaokuldayiz .com/82yyfh3 > 94.73.148.130
http ://trredfcjrottrdtwwq .net/af/82yyfh3 > 54.214.108.57
http ://eoliko .com/82yyfh3 > 5.100.152.26
which is converted by the script to sultan8.exe (VirusTotal 16/63[3]) (Payload Security[/4])...
Eset Ireland did mention this one earlier today:
> https://blog.eset.ie/2017/08/02/fake-vodafone-bill-spreads-trojan-malware/
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/e7731c732e562d09d59135acf4a331b4b6b1cdaf041c7629924cc35d0b159eb8/analysis/
Bill_02082017.doc

** https://www.hybrid-analysis.com/sample/e7731c732e562d09d59135acf4a331b4b6b1cdaf041c7629924cc35d0b159eb8?environmentId=100
Contacted Hosts
94.73.148.130
37.120.182.208
191.7.30.30
194.87.102.119
172.97.69.140

3] https://www.virustotal.com/en/file/36ca4659f4ecc1ff4f16a8012918d28b45a83574809d982afc7586859b665b22/analysis/
82yyfh3.exe

4] https://www.hybrid-analysis.com/sample/36ca4659f4ecc1ff4f16a8012918d28b45a83574809d982afc7586859b665b22?environmentId=100
Filename: 82yyfh3

:fear::fear: :mad:

AplusWebMaster
2017-08-03, 14:10
FYI...

Fake 'Secure Email' SPAM - delivers Trickbot
- https://myonlinesecurity.co.uk/spoofed-nationwide-secure-email-secured-message-malspam-delivers-trickbot-banking-trojan/
3 Aug 2017 - "An email with the subject of 'Nationwide Secure Email – Secured Message' pretending to come from Nationwide but actually coming from a look-a-like domain <secured@ nationwidesecure .co.uk> with a malicious word doc attachment... delivering Trickbot banking Trojan... Today’s example of the spoofed domain is nationwidesecure .co.uk 184.168.221.37 ip-184-168-221-37 .ip.secureserver .net...

The word doc attachment looks like this and tells you to use the non existent passphrase to open it. The blue moving circle makes you think that you need to enable the content & macros to see the hidden secure content.
DO NOT enable the macros or content. You WILL be infected:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/08/nationwide-Secure_doc.png

Secure.doc - Current Virus total detections 7/58*. Payload Security** shows a download from
http ://catterydelacanaille .be/logo.png which of course is -not- an image file but a renamed .exe file
that gets renamed to tyltl.exe and autorun (VirusTotal 15/65[3]). An alternative download location is
http ://carriereiserphotography .com/logo.png ...
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/aa86a97ed059b08289199a9b9775040313b54b5ada19a501e5cf81553f7d0801/analysis/1501756792/
Secure.doc

** https://www.hybrid-analysis.com/sample/aa86a97ed059b08289199a9b9775040313b54b5ada19a501e5cf81553f7d0801?environmentId=100
Contacted Hosts
89.255.9.40
37.120.182.208
185.30.144.205

3] https://www.virustotal.com/en/file/8ddad869f3b7bfa555890ee3cf503577e02c8599dd79b51dc458862f6f2843e7/analysis/1501755791/
tyltl.exe

catterydelacanaille .be: 89.255.9.40: https://www.virustotal.com/en/ip-address/89.255.9.40/information/
> https://www.virustotal.com/en/url/3a00411ce49cf8d31758220b01daaf036484d04b9cc92ba15ec20688dba44ba2/analysis/

carriereiserphotography .com: 72.32.177.50: https://www.virustotal.com/en/ip-address/72.32.177.50/information/
> https://www.virustotal.com/en/url/1aae82655f0069b6425194e1eec1c91d17d0eb36ec4a4b73c24ea7b67ebb9dce/analysis/
___

'Payment copy' - Phish
- https://myonlinesecurity.co.uk/payment-copy-please-ship-immediately-spam-leads-to-phishing-for-your-email-credentials/
3 Aug 2017 - "... phishing attempts for email credentials. This one is slightly different than many others and surprisingly creative from the phisher. It pretends to be a message saying to 'download a payment copy and please ship the goods' they have ordered...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/08/Payment-copy-please-ship-immediately-phishing-scam.png

If you follow the link inside the email you see a webpage looking like this:
http ://clcktoviewnow.a-acheter .org/ which contains an -Iframe- to
http ://www.pensiunea-ciobanelu .ro/view-ttcpy/
which actually displays the phishing attempt:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/08/email_settings_pensiunea.png

After you input your email address and password, you get told “Please wait download will start in a minute”. It never does, there is no download of anything, whether malware or a genuine “fake” invoice or payment receipt and this is simply a phishing -scam- to get your email account credentials:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/08/email_settings_pensiunea2.png

... these emails use Social engineering tricks to persuade you to open the attachments or follow links in emails..."

clcktoviewnow.a-acheter .org: 85.14.138.114: https://www.virustotal.com/en/ip-address/85.14.138.114/information/
> https://www.virustotal.com/en/url/1674ddb125a95d736e4c14bda9b0573f38f853a3bd3e9174add43ba8a852319e/analysis/

pensiunea-ciobanelu .ro: 89.40.32.15: https://www.virustotal.com/en/ip-address/89.40.32.15/information/
> https://www.virustotal.com/en/url/edae46a1aff3897a52bf9f58373e2c7ffe3bb2f4a6f30a95fb81692addc18c36/analysis/

:fear::fear: :mad:

AplusWebMaster
2017-08-14, 14:13
FYI...

Fake 'Beneficiary’s Details' SPAM - delivers java adwind
- https://myonlinesecurity.co.uk/fake-beneficiarys-details-delivers-java-adwind/
14 Aug 2017 - "... -fake- financial themed emails containing java adwind or Java Jacksbot attachments... 'previously mentioned many of these HERE*. We have been seeing these sort of emails almost every day and there was nothing much to update. Today’s has a slightly different subject and email content to previous ones. Many Antiviruses on Virus Total detect these heuristically...
* https://myonlinesecurity.co.uk/?s=java+adwind

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/08/AU1427913065-PIN-12602119326.png

The link in the email body goes to
http ://karizma-co .com/wp-admin/user/Beneficiary%27s Details.R01 (VirusTotal 0/65[1]) (almost certainly a compromised WordPress website) where a zip file is downloaded.
Beneficiary’s Details.zip - Extracts to Beneficiary’s Details.jar (478kb) - Current Virus total detections 1/59[2]
Payload Security[3]... The basic rule is NEVER open any attachment -or- link in an email, unless you are expecting it..."
1] https://www.virustotal.com/en/url/154af4afc8df79b91b25616b831386bb9c1ddf03a47fd8db46708ba03f478c85/analysis/1502700304/

2] https://www.virustotal.com/en/file/d87f6963358d64399d54d34db03906807c99d15c32fba9a672399f11af206ec9/analysis/1502679993/
Xpressmoney Global network.jar

3] https://www.hybrid-analysis.com/sample/d87f6963358d64399d54d34db03906807c99d15c32fba9a672399f11af206ec9?environmentId=100
File Details:
Beneficiary's Details.jar

karizma-co .com: 5.189.185.178: https://www.virustotal.com/en/ip-address/5.189.185.178/information/
___

Fake 'Secure Email' SPAM - delivers trickbot
- https://myonlinesecurity.co.uk/fake-you-have-a-santander-secure-email-delivers-trickbot/
14 Aug 2017 - "An email with the subject of 'You have a Santander Secure Email' pretending to come from Santander Bank but actually coming from a look-a-like domain <message@ santanderdocs .co.uk> with an html attachment which downloads a malicious word doc attachment is today’s latest spoof of a well known company, bank or public authority delivering Trickbot banking Trojan... Today’s example of the spoofed domain is
santanderdocs .co.uk: 160.153.162.141: https://www.virustotal.com/en/ip-address/160.153.162.141/information/
> https://www.virustotal.com/en/url/1e5f2afa0c0ded3de9d9e71f93860cb643ec42ea48b0421e2ad95128b3a1ffb3/analysis/

I don’t have an actual email. The information was forwarded to me and only has the basic details with -no- email body content. The email looks like:
From: Santander <message@santanderdocs .co.uk>
Date: 14 August 2017 20:12
Subject: You have a Santander Secure Email
Attachment: SecureDoc.html

Screenshot of word doc: Beware of the -login- in the word doc. It is only there to persuade the recipient to enable content which allows the macros-to-run and infect you. Do NOT follow those instructions:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/08/santander_SecureDoc.png

SecureDoc.doc - Current Virus total detections 3/58*. Payload Security**. This malware file downloads from
http ://cfigueras .com/armanistand.png which of course is -not- an image file but a renamed .exe file that gets renamed to Cqgcf.exe (VirusTotal 10/64[3]). An alternative download location is
http ://centromiosalud .es/armanistand.png ...
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/fec0812faf0e20a55bb936681e4cca7aeb3442b425b738375a8ee192e02fe602/analysis/1502715405/

** https://www.hybrid-analysis.com/sample/fec0812faf0e20a55bb936681e4cca7aeb3442b425b738375a8ee192e02fe602?environmentId=100
Contacted Hosts
178.255.225.215
158.69.26.138
46.160.165.31

3] https://www.virustotal.com/en/file/dd519253f01d706573215f115528c59c606107a235f6052533226d0444731688/analysis/1502713865/

cfigueras .com: 51.254.83.173: https://www.virustotal.com/en/ip-address/51.254.83.173/information/
> https://www.virustotal.com/en/url/ce052d4db02c51d5caf3453e7793f625a2d1c0814d4af5e8ec6a773a31aff174/analysis/

centromiosalud .es: 178.255.225.215: https://www.virustotal.com/en/ip-address/178.255.225.215/information/
> https://www.virustotal.com/en/url/d12fc7ac61e076528ac0b72ca06412ea97a5bd04f3779b06baac6074bb5fd183/analysis/

:fear::fear: :mad:

AplusWebMaster
2017-08-16, 13:12
FYI...

Fake 'eFax' SPAM - delivers trickbot
- https://myonlinesecurity.co.uk/fake-efax-delivers-trickbot-banking-trojan/
15 Aug 2017 - "An email with the subject of 'eFax' pretending to come from eFax but actually coming from a look-a-like domain eFax <noreply@ faxdocuments120 .ml> with a malicious word doc attachment is today’s latest spoof of a well known company, messaging service, bank or public authority delivering Trickbot banking Trojan...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/08/faxdocuments120.png

The word doc looks like:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/08/efax42542153_2425_doc.png

efax42542153_2425.doc - Current Virus total detections 5/58*. Payload Security**. This malware file downloads from
http ://cfigueras .com/nothing44.png which of course is -not- an image file but a renamed .exe file that gets renamed to Qhdizwg.exe and autorun (VirusTotal 14/64***). An alternative download location is
http ://cfai66 .fr/nothing44.png ... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/527339f1c1a81f49bff0ff827aedb3ead8b2fbe0470d3af7fe1bb317c5123593/analysis/1502883132/
efax42542153_2425.doc

** https://www.hybrid-analysis.com/sample/527339f1c1a81f49bff0ff827aedb3ead8b2fbe0470d3af7fe1bb317c5123593?environmentId=100
Contacted Hosts
51.254.83.173
158.69.26.138
185.141.26.86
185.40.20.42

*** https://www.virustotal.com/en/file/bc52de68b68840d4becadd10dde75d659a61a38e0b116ac7b4bed067948b315e/analysis/1502881050/
Qhdizwg.exe

cfigueras .com: 51.254.83.173: https://www.virustotal.com/en/ip-address/51.254.83.173/information/
> https://www.virustotal.com/en/url/d8470b6142dc58eaa2e56fc4bc7d273f3904d86e2a63faf4fb3d7924945c777e/analysis/

cfai66 .fr: 87.252.5.144: https://www.virustotal.com/en/ip-address/87.252.5.144/information/
> https://www.virustotal.com/en/url/7e8aa828f92024f3ef61ce25384abca8ea7ed1dc050726a14a379593bc957f20/analysis/
___

Locky ransomware returns - two new "flavors"
- https://blog.malwarebytes.com/cybercrime/2017/08/locky-ransomware-returns-to-the-game-with-two-new-flavors/
Aug 16, 2017 - "We recently observed a fresh malicious spam campaign pushed through the Necurs botnet distributing so far, two new variants of Locky ransomware... From August 9th, Locky made another reappearance using a new file extension “.diablo6” to encrypt files with the rescue note: “diablo6-[random] .htm“. Today a new Locky malspam campaign is pushing a new Locky variant that adds the extension “.Lukitus” and the rescue note: “lukitus .html“... Locky, like numerous other ransomware variants, is usually distributed with the help of spam emails containing a malicious Microsoft Office file or a ZIP attachment containing a malicious script:
> https://blog.malwarebytes.com/wp-content/uploads/2017/08/Nercus_MalSpam.png
... The ups and downs of Locky remain shrouded in mystery. One thing time has taught us is that we should
-never- assume Locky is gone simply because it’s not active at a particular given time..."
(More detail at the first malwarebytes URL above.)
___

Paypal phish - fake verification
- https://isc.sans.edu/diary/22726
2017-08-16 - "They are plenty of phishing kits in the wild that try to lure victims to provide their credentials. Services like Paypal are nice targets and we can find new -fake- pages almost daily. Sometimes, the web server isn’t properly configured and the source code is publicly available... I presume that the kit is related to a spam campaign but I did not get the initial email. Based on the quality of the kit, I suspect the email to be properly written. As usual, it starts with the classic Paypal login page:
- https://isc.sans.edu/diaryimages/images/paypal-20170816-1.png
Then a fake verification page is displayed to warn the victim that a check of the account must be performed. Note that the values are hard coded:
- https://isc.sans.edu/diaryimages/images/paypal-20170816-2.png
The next steps ask the victim to enter his/her details, including banking details:
- https://isc.sans.edu/diaryimages/images/paypal-20170816-4.png
Graphically, the different pages are very clean and use components from the Paypal website to reproduce a look and feel very close to the official pages... There is also a second check of the IP address included in the PHP code. If a valid IP address or User-Agent is detected, an HTTP error 404 (page not found) is returned... When the verification screens are displayed to the victim, fields are prefilled with the extracted information from Paypal. This is really evil! All fields are also validated to prevent garbage and increase the change to capture real data. Depending on the card number that the victim provided, a next screen is presented to fill bank details. Based on the source code, three countries are targeted: US, CA and UK. Depending on the bank, specific forms are displayed to request valid connection details... At the end of the “verification process”, an email is sent to the attacker with all the victim's details. The destination is a gmail .com account... If most phishing kits remain simple and can be easily spotted by the victims, some of them are really well developed and harder-to-catch, especially if the URL used is nicely chosen and distributed via HTTPS. This kit was huge with more than 300 files in a 1.8MB ZIP file. Take care!"

:fear::fear: :mad:

AplusWebMaster
2017-08-17, 13:38
FYI...

Fake 'invoice' SPAM - delivers Dridex
- https://myonlinesecurity.co.uk/fake-xero-accounting-software-invoice-delivers-dridex-banking-trojan/
17 Aug 2017 - "... an email with the subject of 'Your Xero Invoice INV-0855485' coming from subscription.notifications@ xeronet .org which uses -compromised- sharepoint aka onedrive for business accounts to deliver Dridex banking Trojan...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/08/Your-Xero-Invoice-INV-0855485.png

The -link- in the body of the email is to
https ://lakesambel-my.sharepoint .com/personal/contact_caravanparkbeechworth_com_au/_layouts/15/guestaccess.aspx?docid=03b4b6316d9ca4fa48971a9101a38b364&authkey=Afo8hRz5LV65-XWim02sZtg
where a zip file containing a .js file is downloaded.

Xero Invoice.zip: Extracts to: Xero Invoice.js - Current Virus total detections 20/57[1]. Payload Security[2]
This malware downloads from
https ://stakks-my.sharepoint .com/personal/accounts_stakks_com_au/_layouts/15/guestaccess.aspx?docid=0426cc21c900f4425bfd868cf0a9bc836&authkey=AdVBGQCO-SGtytiexhgUfw8
to deliver documents.xero which is -renamed- to Y739Ayh.exe (VirusTotal 34/65[3]) Payload Security[4]...
The basic rule is NEVER open any attachment -or- link in an email, unless you are expecting it..."
1] https://www.virustotal.com/en/file/1dd6592efe42341716ab836efd19ca916c774024243aebecd2ab30933c0c89e2/analysis/1502950371/

2] https://www.hybrid-analysis.com/sample/1dd6592efe42341716ab836efd19ca916c774024243aebecd2ab30933c0c89e2?environmentId=100
Contacted Hosts
13.107.6.151
185.174.100.16
117.121.243.232
74.208.64.187
104.236.218.169
31.31.77.229

3] https://www.virustotal.com/en/file/bf05b3c1e875368426c12339439be054acbf7b6f4c304ea6c3728886fd2c0aea/analysis/

4] https://www.hybrid-analysis.com/sample/bf05b3c1e875368426c12339439be054acbf7b6f4c304ea6c3728886fd2c0aea?environmentId=100
Contacted Hosts
185.174.100.16
117.121.243.232
74.208.64.187
104.236.218.169
31.31.77.229

lakesambel-my.sharepoint .com: 13.107.6.151: https://www.virustotal.com/en/ip-address/13.107.6.151/information/

stakks-my.sharepoint .com: 13.107.6.151
___

Fake 'Outstanding invoices' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/outstanding-invoices-email-1-of-2-malspam-delivers-locky-ransomware/
17 Aug 2017 - "An email with the subject of 'Outstanding invoices email 1 of 2' pretending to come from random names and email addresses with a malicious word doc attachment delivers Locky Ransomware...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/08/Outstanding-invoices-email-1-of-2.png

056757.doc - Current Virus total detections 15/58*. Payload Security**.
This malware downloads from
http ://campingtossa .com/87wifhFsdf (VirusTotal 23/63***).
There will be dozens if not hundreds of other downloads sites in different versions of these word docs...
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/5021e4e92c54684fb05cd1a1a17c53d9cf8f821ebc5ab06767fdab23298c1e47/analysis/1502969190/

** https://www.hybrid-analysis.com/sample/5021e4e92c54684fb05cd1a1a17c53d9cf8f821ebc5ab06767fdab23298c1e47?environmentId=100
Contacted Hosts
188.93.73.211
212.109.220.109

*** https://www.virustotal.com/en/file/2deaa0ec7445c26f1442f860eb32f4fcda2d501699d09a94c26035d6185803ea/analysis/1502969865/
87wifhFsdf.exe

campingtossa .com: 188.93.73.211: https://www.virustotal.com/en/ip-address/188.93.73.211/information/

:fear::fear: :mad:

AplusWebMaster
2017-08-18, 16:56
FYI...

Fake 'order' SPAM - links deliver malware
- https://myonlinesecurity.co.uk/your-order-no-8194788-has-been-processed-malspam-delivers-malware/
18 Aug 2017 - "... an email with the subject of 'Your order no 8194788 (random numbers) has been processed' coming from random names @ creatingkindly .com which delivers some sort of malware... These pretend to be an order confirmation for cotton material from a -random- name shop with a -fake- address...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/08/Your-order-no-8194788-has-been-processed.png

The email has a -link- in the body to
http ://michellesteve .com/victim_name/8194788.php?recipient-id=bzmqkpohrma&=282193283842&395981697844=760611824 which downloads document.zip: which Extracts to: document.lnk
- Current Virus total detections 6/55[1]. Payload Security[2].
An alternative email had the -link- to
http ://letsgetvisibility .com/victim_name/6290807.php?id-ee=ycttmymbp&=vdfq&jxkhgrs=vddrhdu
which currently gives me a 404 on the entire domain although it does have registration details from 2015.
This malware downloads from
http ://otp.forgetmenotbeading .com/valid.bin which is -renamed- by the script to combo.exe
(VirusTotal 8/61[3]) Payload Security[4]...
The basic rule is NEVER open any attachment -or- link in an email, unless you are expecting it... -Never- attempt to open a zip directly from your email, that is a guaranteed way to get infected... just delete the unexpected zip and not risk any infection..."
1] https://www.virustotal.com/en/file/b45b861f33467df202ad4891ff37d42714263d39d884087e6fc4836107efb7f2/analysis/1503034822/
document.zip

2] https://www.hybrid-analysis.com/sample/b9595493d914e5c9b423cd892b52aa2531cd5746c1709056ad0103add0eaa81d?environmentId=100

3] https://www.virustotal.com/en/file/41e698c7f1febdb53b9b7eae0f48fd93949602d0631d6f6b7dc0768958f7107a/analysis/1503034808/
valid.bin

4] https://www.hybrid-analysis.com/sample/41e698c7f1febdb53b9b7eae0f48fd93949602d0631d6f6b7dc0768958f7107a?environmentId=100
Contacted Hosts
65.55.50.189
185.117.73.5

creatingkindly .com: 50.63.202.38: https://www.virustotal.com/en/ip-address/50.63.202.38/information/

michellesteve .com: 185.61.152.60: https://www.virustotal.com/en/ip-address/185.61.152.60/information/

letsgetvisibility .com: A temporary error occurred during the lookup...

[Corrected to:] otp.forgetmenotbeading .com: 185.183.97.141: https://www.virustotal.com/en/url/1bd921e90fbfe913e2bdabcdeccde407b4371d3b3ca71ef9d16d44b22467607e/analysis/
___

Cloud: User Account Attacks jumped 300% since 2016
... Most of these Microsoft user account compromises can be attributed to weak, guessable passwords and poor password management...
- http://www.darkreading.com/cloud/microsoft-report-user-account-attacks-jumped-300--since-2016/d/d-id/1329666
8/17/2017 - "... 'One of the most critical things a user can do to protect themselves is to use a unique password for every site and never reuse passwords across multiple sites', the report* states... Attackers -frequently- compromise cloud services like Azure to enter a business and weaponize virtual machines so they can launch attacks like spam campaigns, brute force attacks, phishing, and port scanning..."
* http://download.microsoft.com/download/F/C/4/FC41DE26-E641-4A20-AE5B-E38A28368433/Security_Intelligence_Report_Volume_22.pdf

:fear::fear: :mad:

AplusWebMaster
2017-08-21, 21:58
FYI...

Fake 'please print' 'images etc' SPAM - delivers Cerber
- http://blog.dynamoo.com/2017/08/cerber-spam-please-print-images-etc.html
21 Aug 2017 - "I only have a couple of samples of this spam, but I suspect it comes in many different flavours..

Subject: images
From: "Sophia Passmore" [Sophia5555@ victimdomain .tld]
Date: Fri, May 12, 2017 7:18 pm

*Sophia Passmore*
--
Subject: please print
From: "Roberta Pethick" [Roberta5555@ victimdomain .tld]
Date: Fri, May 12, 2017 7:18 pm

*Roberta Pethick*

In these two samples there is an attached .7z archive (MD5 31c144629bfdc6c8011c492e06fe914d) with a VirusTotal detection rate of 18/58*. Both samples contained a malicious Javascript named 20170821_08914700.js ...
Automated analysis [1] [2] shows a download from the following locations:
gel-batterien-agm-batterien .de/65JKjbh??TqCRhOAQ=TqCRhOAQ [46.4.91.144 - Hetzner, Germany]
droohsdronfhystgfh .info/af/65JKjbh?TqCRhOAQ=TqCRhOAQ [119.28.100.249 - Tencent, China]
The Hybrid Analysis report[1] shows an executable being dropped which is Ceber Ransomware (MD5 c7d79f5d830b1b67c5eb11de40a721b4), with a VT detection of 22/64[3].
Recommended blocklist:
46.4.91.144
119.28.100.249 "
* https://virustotal.com/#/file/27b49b7acbf5da3a52e06cb66acbf36998f771788712c6075e41541d82dee573/detection
??

1] https://www.hybrid-analysis.com/sample/ef608d12c3a0357697c6b1aaf1141004a504cb0aff2ee4452916699454bb0799?environmentId=100
Contacted Hosts
46.4.91.144
119.28.100.249
216.58.206.228

2] https://malwr.com/analysis/NjRlNDBiZDE2NDNmNDQ4MWI1NmFjNmVmMTJlNjg3Y2M/
Hosts
46.4.91.144
119.28.100.249

3] https://www.virustotal.com/en/file/a64b7f97b02812b4d6eb95f7d22036122cacc373fc3b26cb572fdf77472a234c/analysis/
___

Fake 'O2 Bill' SPAM - delivers Emotet banking Trojan
- https://myonlinesecurity.co.uk/fake-o2-bill-delivers-emotet-banking-trojan/
21 Aug 2017 - "... an email with the subject of 'My O2 Business – Your O2 Bill is ready' – (recipient’s name) coming from random senders which delivers Emotet banking Trojan. There has also been several different -fake- 'invoice' versions spoofing or faking various companies, some known & some completely made up today. The word docs have been -identical- and the -sites- are used in -all- the campaigns...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/08/O2_bill.png

Update 22 August 2017: a new malspam run this morning with a slightly changed subject 'Your O2 bill is ready' – (recipient name) still coming from random senders but pretending to come from 'O2 bill'. There has also been several different -fake- 'invoice' versions spoofing or faking various companies, some known & some completely made up today. The word docs have been -identical- and the -sites- are used in all the campaigns...
Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/08/O2_bill.png

The link in the email is to various sites where a word doc is downloaded. Some sites include:
http ://ekomer .es/HPRKFQZXAP5465294/ > 5.145.175.240
http ://eyelife .org/Rech-59081174958/ > 188.65.115.132
http ://cruisecapital .co.uk/gescanntes-Dokument-38085714326/ > 173.236.152.205
http ://theglobetrotters .org/Rechnung-55894642722/ > 69.195.116.213
http ://bryntel .com/JWYFPGLBMH8935758/ > 50.87.66.150
http ://itgrammatics .com/VMZJSGJXBS6464519/ > 178.159.253.100
http ://atitmedia .com/RIVTDJLDUW6513072/ > 109.104.86.127
http ://bytesoftware .com.br/FXXIGOFTER8590131/ > 216.172.172.168
http ://hapmag .com/VVHMVGTRCP7428957/ > 143.95.238.54
http ://marianamengote .com/RLDXAIYKZD2314573/ > 173.254.28.19
The word doc when opened [ and -if- you are unwise enough to enable macros ] will drop an encoded/obfuscated PowerShell script that has several obfuscated hard coded URLs inside it which download the actual Emotet banking Trojan. These do need quite a bit of decoding to get to the payload.
Some of today’s Urls are:
http ://ohleronline .com/qnhvqLeGds/ > Could not find an IP address for this domain name.
http ://wilsondesign .com.au/EmOYzciXN/ > 192.232.203.190
http ://effectiveit .com.au/zrMwJInVT/ > 175.107.174.7
http ://portseven .com.br/AEVHV/ > 67.23.238.138
http ://nubodyofdallas .com/FwJSgvPKF/ > 74.124.198.22
... The basic rule is NEVER open any attachment -or- link ln an email, unless you are expecting it...
Analysis reports: Note the binaries update at frequent intervals during the day (time of the malware campaign) so you will get -different- versions/file hashes from those mentioned here."
Word Doc: > https://www.virustotal.com/en/file/fb8639fbf833f30d2194c428c7296737a8b8b3ff241fe2bf2f26d585d17ec54e/analysis/
Rech-03674886877.doc
O2 bill - 000952128372.doc

> https://www.hybrid-analysis.com/sample/f13e2c5ae7e3f949a575856fb0b5d285eae746c7b77cf6272a6e11e99fcec9e6?environmentId=100

Dropped binary: > https://www.virustotal.com/en/file/70f9a9e8630541b8595c16205e1b83cd77309bb90c372e2c7096fab47a315275/analysis/1503320867/
nvidiamath.exe

> https://www.virustotal.com/en/file/750c0f24ca1af67a235c9344c15ccdf8495bb5adf10b37fc084974bad9474e71/analysis/1503333837/
vHsZK.exe

> https://www.hybrid-analysis.com/sample/750c0f24ca1af67a235c9344c15ccdf8495bb5adf10b37fc084974bad9474e71?environmentId=100
Contacted Hosts
104.236.252.178
storagewmi.exe

> https://www.hybrid-analysis.com/sample/70f9a9e8630541b8595c16205e1b83cd77309bb90c372e2c7096fab47a315275?environmentId=100
HTTP Traffic
104.236.252.178

:fear::fear: :mad:

AplusWebMaster
2017-08-22, 13:34
FYI...

Fake 'Voicemail Service' SPAM - delivers ransomware
- http://blog.dynamoo.com/2017/08/malware-spam-from-voicemail-service.html
22 Aug 2017 - "This -fake- voicemail leads to malware:
Subject: [PBX]: New message 46 in mailbox 461 from "460GOFEDEX" <8476446077>
From: "Voicemail Service" [pbx@ local]
Date: Tue, August 22, 2017 10:37 am
To: "Evelyn Medina"
Priority: Normal
Dear user:
just wanted to let you know you were just left a 0:53 long message (number 46)
in mailbox 461 from "460GOFEDEX" <8476446077>, on Tue, 22 Aug 2017 17:37:58 +0800
so you might want to check it when you get a chance. Thanks!
--Voicemail Service

The numbers and details -vary- from message to message, however the format is always the same. Attached is a RAR file with a name similar to msg0631.rar which contains a malicious script named msg6355.js...
The script has a VirusTotal detection rate of 14/59*.
According to automated analysis [1] [2] the script reaches out to the following URLs:
5.196.99.239/imageload.cgi [5.196.99.239 - OVH, Ireland / Just Hosting, Russia. Hostname: noproblem.one]
garage-fiat.be/jbfr387??qycOuKnvn=qycOuKnvn [91.234.195.48 - Ligne Web Services, France]
A -ransomware- component is dropped (probably Locky) with a detection rate of 16/64[3]."
* https://virustotal.com/#/file/ac87d5f2d90f107eb16a9e89b3c4c1edc655134956b4522bca54ce4f500ae059/detection
??

1] https://malwr.com/analysis/NDI0ZWUyNDE1NmM3NGRmOTkzNzgwMWE0OWUxNGZkMTA/
msg6355.js
Hosts
91.234.195.48
5.196.99.239

2] https://www.hybrid-analysis.com/sample/ac87d5f2d90f107eb16a9e89b3c4c1edc655134956b4522bca54ce4f500ae059?environmentId=100
Contacted Hosts
216.58.209.238
91.234.195.48
5.188.63.30

3] https://www.virustotal.com/en/file/2e16d36064f2048f529d220d2cb3ce6ce0dccfdcd05d7c9b81802369f9bcd38f/analysis/
jbfr387

> https://myonlinesecurity.co.uk/more-fake-voicemail-messages-pbx-new-message-10-in-mailbox-101-from-100gofedex-delivers-locky/
22 Aug 2017 - "... an email with the subject of '[PBX]: New message 10 in mailbox 101 from 100GOFEDEX' <7820413853> pretending to come from 'Voicemail Service' <pbx@ local>... The new message number, mailbox number, gofedex number and telephone number are all random. All of these are being sent to Evelyn Medina <random_name@ recipient_domain .tld>...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/08/pbx-voicemail.png

msg0575.rar: Extracts to: msg0575.js - Current Virus total detections 16/55*. Payload Security** delivers
bURnweP2.exe VirusTotal 16/65***...
There are literally hundreds of sites listed in the different versions of js files - when one of the other researchers uploads a list of today’s sites, I will edit this post to link to it...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/794dcfdcc1362140eee6fcda11ddf239ab048a965bba634bb787321db9672cfa/analysis/1480616575/
-6dt874p53077.js

** https://www.hybrid-analysis.com/sample/dc3b1825b0a7b2caf545e50a9176681aab17f1e7164c05bf7f75653a45015b5d?environmentId=100
File Details
msg4975.js
Contacted Hosts
37.247.123.33
94.242.59.239
5.196.99.239

*** https://www.virustotal.com/en/file/2e16d36064f2048f529d220d2cb3ce6ce0dccfdcd05d7c9b81802369f9bcd38f/analysis/
jbfr387[1].3164.dr
___

Fake 'Payments request' SPAM - delivers Trickbot
- https://myonlinesecurity.co.uk/fake-spoofed-hsbc-payments-request-delivers-trickbot-banking-trojan/
22 Aug 2017 - "An email with the subject of 'Payments request' pretending to come from HSBC but actually coming from a look-a-like domain <message@ hsbc-mail .co.uk> with a malicious word doc attachment is today’s latest spoof of a well known company, bank or public authority delivering Trickbot banking Trojan... Today’s example of the spoofed domain is hsbc-mail .co.uk 89.233.106.146. As usual they are registered via Godaddy as registrar and the emails are being sent via sent 89.233.106.146 AS35017 Swiftway Sp. z o.o...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/08/spoofed-HSBC-Payments-request.png

Word doc looks like: https://myonlinesecurity.co.uk/wp-content/uploads/2017/08/hsbc-paymentsdocuments_doc.png

PaymentDocuments.doc - Current Virus total detections 3/59*. Payload Security**. This malware file downloads from
http ://pfsmoney .com/logo.png which of course is -not- an image file but a renamed .exe file that gets renamed to vgjqlt.exe and autorun (VirusTotal 13/65***).
An alternative download location is
http ://panda .biz/logo.png ...
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/201cfda8980f17963faa2d2f662540b347c89e3a353aee85f50d9b0450ca3167/analysis/

** https://www.hybrid-analysis.com/sample/201cfda8980f17963faa2d2f662540b347c89e3a353aee85f50d9b0450ca3167?environmentId=100
Contacted Hosts
195.191.25.102
37.120.182.208
194.87.144.16
172.93.37.143

*** https://www.virustotal.com/en/file/c7c8d2c271f2eb4032c8788467bf44b94e38771f317be4cf86aad286950e1179/analysis/1503394753/

pfsmoney .com: 162.144.12.198: https://www.virustotal.com/en/ip-address/162.144.12.198/information/
> https://www.virustotal.com/en/url/5d20e9e63cf20d92965f61e896577f3b161d81f52aaac26533b07745d07901b0/analysis/

panda .biz: 192.64.147.215: https://www.virustotal.com/en/ip-address/192.64.147.215/information/
___

Fake 'Purchase Order' SPAM - delivers nanocore RAT
- https://myonlinesecurity.co.uk/angelika-rodriguez-zalesmunicipiodepaute-gob-ec-purchase-order-malspam-delivers-nanocore-rat/
22 Aug 2017 - "... an email with the subject of 'Purchase Order' coming from Angelika Rodriguez <zales@ municipiodepaute .gob.ec>[1] which delivers what is probably a nanocore RAT (it matches yara sigs for that malware)...
1] http://www.reputationauthority.org/lookup.php?ip=181.113.129.250&d=gob.ec

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/08/Angelika-Rodriguez-purchase-order.png

Purchase_Order_List_Aug.zip: Extracts to: Purchase_Order_List_Aug.exe - Current Virus total detections 12/64*
Payload Security**... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/c245be38e88371cf478f20ff2c7c4c7d5c9d03787e585520026a235265850406/analysis/1503426139/
Purchase_Order_List_Aug.exe

** https://www.hybrid-analysis.com/sample/c245be38e88371cf478f20ff2c7c4c7d5c9d03787e585520026a235265850406?environmentId=100
Contacted Hosts
174.127.99.135

:fear::fear: :mad: