Fake 'payment receipt' SPAM
FYI...
Fake 'payment receipt' SPAM - delivers malware
- https://myonlinesecurity.co.uk/attac...ivers-malware/
15 Mar 2017 - "... an email with the subject of 'Document:36365' coming from random companies, names and email addresses with a semi-random named zip attachment which delivers what looks like Dridex banking Trojan ... One of the emails looks like:
From: Susie <Susie@ novayaliniya .com>
Date: Wed 15/03/2017 09:35
Subject: Document:36365
Attachment: document_3332.zip
Attached is the copy of your payment receipt.
Susie
document_3332.zip: Extracts to: file_356.js - Current Virus total detections 0/56*
MALWR** shows a download of a txt file from http ://mercurytdsconnectedvessel .com/hjg6657 which is renamed by the script to hjg6657.exe (VirusTotal 8/61***) MALWR[4]... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/d...9b79/analysis/
** https://malwr.com/analysis/NDA3MGE5Y...E1MjE0NWM0ZjQ/
*** https://www.virustotal.com/en/file/6...is/1489573275/
4] https://malwr.com/analysis/OGM5NDVmM...NkNmZkZDRlODQ/
mercurytdsconnectedvessel .com: 66.135.46.202: https://www.virustotal.com/en/ip-add...2/information/
> https://www.virustotal.com/en/url/08...5bf7/analysis/
:fear::fear: :mad:
Fake 'Returned Sendout Transaction', 'new message' SPAM
FYI...
Fake 'Returned Sendout Transaction' SPAM - delivers java adwind
- https://myonlinesecurity.co.uk/spoof...s-java-adwind/
16 Mar 2017 - "... This appears to be a newish Java Adwind version in this email, see below for details. The zip/Rar file contains -2- different sized and differently named java.jar files that both are slightly different Adwind versions...
Screenshot: https://myonlinesecurity.co.uk/wp-co...ransaction.png
Benficiary details.jar (497kb) - Current Virus total detections 19/58*
Transaction Report.jar (267kb) - Current Virus total detections 18/59**
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/b...is/1489657794/
** https://www.virustotal.com/en/file/8...is/1489657804/
___
Fake 'new message' SPAM - delivers sharik, smoke trojan
- https://myonlinesecurity.co.uk/youve...-smoke-trojan/
15 Mar 2017 - "An email with the subject of 'You’ve got a new message in your NEST mailbox' pretending to come from do_not_reply@ nestpensions .org.uk with a malicious word doc attachment delivers smoke, dofoil, sharik Trojan... Nest Pensions are the UK Government workplace pension services that helps employers to provide a pension for all employees. These emails are coming via a -lookalike- email address info@nestpensions_randomnumber .top. The contact who forwarded me the details received several, all from different nestpensions_nnn .top. The email looks like:
Subject: You’ve got a new message in your NEST mailbox
Attachment: 0239478234862465.doc
There’s a new message in your NEST mailbox.
We’re confirming that payment of 6822.95 will be taken by Direct Debit in accordance with your agreed terms.
Please see the details in attached file.
What do you need to do now?
Please log into www .nestpensions .org.uk. Some messages may have important documents attached for you to read.
Where to go for help
We provide online support and answers to frequently asked questions at www .nestpensions .org.uk/help
Regards
Richard Hardy NEST Employer Services Manager ...
0239478234862465.doc - Current Virus total detections 6/56*. Payload Security** shows a download from
http ://robertefuller .com/adobe1403.exe (VirusTotal 6/61***). Payload Security[4]... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/b...is/1489594975/
** https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
81.29.88.131
92.122.180.80
139.59.64.134
*** https://www.virustotal.com/en/file/5...is/1489591624/
4] https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
192.150.16.117
139.59.64.134
robertefuller .com: 81.29.88.131: https://www.virustotal.com/en/ip-add...1/information/
> https://www.virustotal.com/en/url/29...6784/analysis/
:fear::fear: :mad:
Update to Fake 'FedEx, UPS and USPS' SPAM
FYI...
Update to Fake 'FedEx, UPS and USPS' SPAM - delivers ransomware
- https://myonlinesecurity.co.uk/why-y...simple-stupid/
18 Mar 2017 - "A quick update to the never ending spoofed emails from 'FedEx, UPS and USPS cannot deliver your parcel' malspam that generally delivers Locky ransomware and Kovter with the occasional Nemucod ransomware or Cerber ransomware thrown into the mix... noticed a slight change today where it looks like the “apprentice” coding the javascript file in the email -attachment- has tried to be too clever and resulted in a spectacular fail. Instead of the usual “counter.js” or “counter.txt ” that gives the current download sites and what malware to download & run it just gives the php interpreter file that they bundle with the malware downloads...
Update 18 March 2017: Another mistake from this gang today. Once again an incorrect “var m” is hardcoded in the js file attachment. MALWR* | Payload Security**. If “var m” ends in a character( a-z, A-Z) you get the counter.txt telling you which sites to download from & what malware to download. If “var m” ends in a number 0-9 you either get an empty file or in the case of 1-5 various files associated with the malware kit. 1 is normally Locky, occasionally Cerber and very rarely has been sage ransomwares. 2 is always kovter. 3 and 4 are innocent php interpreter files that the malware uses to do its nefarious deeds. 5 (when it exists) is a php list of file types to encrypt. Some days or weeks 5 does not exist & the list of file types to encrypt is hard coded into one of the other files...
* https://malwr.com/analysis/ZGYzZTdhZ...Y2NGQzNjNkMmU/
Hosts
184.168.58.126
50.62.253.1
50.62.238.1
184.168.177.1
173.201.141.128
** https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
184.168.58.126
50.62.253.1
50.62.238.1
184.168.177.1
173.201.141.128
... all sites are downloading a 0 byte harmless empty file but if you do a little bit of simple editing of the javascript file and correct the apprentice’s mistake by removing the last digit to leave a character you get MALWR*** | Payload Security[4] -both- showing crypted files and nemucod ransomware at work.
Direct downloads of the malware 1.exe (Locky) VirusTotal 13/62[5] | 2.exe (kovter) VirusTotal 16/62[6]
Currently counter/txt is nemucod ransomware, which delivers a very heavily obfuscated javascript file...
*** https://malwr.com/analysis/YzY4YjU2O...BhMTQ3NTZhNmU/
Hosts
184.168.58.126
50.63.219.1
4] https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts (423)
5] https://www.virustotal.com/en/file/5...is/1489825684/
6] https://www.virustotal.com/en/file/3...is/1489825694/
... you end up with this txt file on your desktop (and normally the same as a html desktop background) the bitcoin address and the download decryptor links are individual to each javascript attachment. -Every- email attachment has a randomly hard coded address, which is embedded inside the Var “m” in the javascript..."
:fear::fear: :mad:
Fake 'Western Union', 'Your order' SPAM, Twitter app spams
FYI...
Fake 'Western Union' SPAM - delivers java adwind
- https://myonlinesecurity.co.uk/spoof...s-java-adwind/
20 Mar 2017 - "... a slightly different subject and email content to previous ones. Many Antiviruses on Virus Total detect these heuristically... The link-in-the-email does not go to dropbox but to a compromised website being used to spread this malware https ://www.opelhugg .com/components/Sendout Report.zip... As usual with these, the zip contains -2- differently named and different size java.jar files...
Screenshot: https://myonlinesecurity.co.uk/wp-co...ion-Report.png
beneficiary and mtcn details.jar (272kb) - Current Virus total detections 15/59* MALWR**
Sender’s copy of pending transaction..jar (501kb) - Current Virus total detections 20/58***. MALWR[4]...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/5...is/1489993883/
** https://malwr.com/analysis/MzdiYzJkN...ZkN2JjYTBmNTY/
*** https://www.virustotal.com/en/file/3...is/1489993897/
4] https://malwr.com/analysis/ZTk2NTBkZ...dhMTgyNzExMDM/
opelhugg .com: 208.83.210.25: https://www.virustotal.com/en/ip-add...5/information/
> https://www.virustotal.com/en/url/aa...8ffe/analysis/
___
Fake 'Your order' SPAM - delivers Ramnit
- http://blog.dynamoo.com/2017/03/more...pam-using.html
20 Mar 2017 - "... comes in using a broadly similar technique of including the potential victim's real home address while using apparently hijacked infrastructure (although in this case the hijacking isn't so elaborate).
From: customerservice@ newshocks .com [mailto:customerservice@ newshocks .com]
Sent: 15 March 2017 18:23
Subject: [Redacted] Your order 003009 details
Hello [redacted],
We are delighted to confirm details of your recent order 003009. We will email you again as soon as the items you have chosen are on their way to you.
If you have an online account with us, you can log in here to see the current status of your order.
You will receive another e-mail from us when we have despatched your order.
Information on order 003009 status here
All prices include VAT at the current rate. A full VAT receipt will be included with your order.
Delivery Address:
[Name and address redacted]
If you have any questions, or something about your order isn't right, please contact us. Or you can simply reply to this e-mail.
Best regards and many thanks...
The newshocks .com domain used in the "From" field matches the sending server of rel209.newshocks .com (also mail.newshocks .com) on 185.141.164.209. This appears to be a legitimate but -unused- domain belonging to a distributor of car parts. The link-in-the-email goes to clipartwin .com/customers/customer-status-003009-verified which is currently 404ing so I can't tell what the payload is, although the previous payload appears to be Ramnit* or similar. This is using another -hijacked- but apparently legitimate web server. I don't know where the data has leaked from, but in this case the victim had lived at the address for the past four years.. so the leak cannot be ancient..."
* https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
180.149.132.47
185.117.74.77
52.9.172.230
185.141.164.209: https://www.virustotal.com/en/ip-add...9/information/
newshocks .com: 143.95.232.95: https://www.virustotal.com/en/ip-add...5/information/
clipartwin .com: 198.54.115.198: https://www.virustotal.com/en/ip-add...8/information/
___
Twitter app spams... and Amazon surveys
- https://blog.malwarebytes.com/cyberc...mazon-surveys/
Mar 20, 2017 - "... dodgy download links and random Zipfiles claiming to contain stolen nude photos and video clips, but today we’re going to look at one specific -spam- campaign aimed at Twitter users. The daisy chain begins with multiple links claiming to display stolen images of Paige, a well known WWE wrestler, caught up in the latest dump of files. With regards to two specific messages, we saw close to -300- over a 24 hour period (and it’s possible there were others we didn’t see). These appear to have been the most common:
> https://blog.malwarebytes.com/wp-con...3/app-spam.jpg
... The Bit(dot)ly link, so far clicked close to 7,000 times, resolves to the following:
twitter(dot)specialoffers(dot)pw/funnyvideos/redirect(dot)php
That smoothly segues into an offered Twitter App install tied to a site called Viralnews(dot)com:
> https://blog.malwarebytes.com/wp-con...pp-install.jpg
... there’s one final -redirect- URL (a bit(dot)do address) which leads to an Amazon themed survey gift card page. Suffice to say, filling this in hands your personal information to marketers – and there’s no guarantee you’ll get any pictures at the end of it (and given the images have been stolen without permission, one might say the people jumping through hoops receive their just desserts in the form of a large helping of “nothing at all”)... it’s time to return to the app and see what it’s been up to on the Twitter account we installed it on:
> https://blog.malwarebytes.com/wp-con...-spam-pile.jpg
Automated spam posts, complete with yet more pictures used as bait. As freshly leaked pictures and video of celebrities continue to be dropped online, so too will scammers try to make capital out of image-hungry clickers. Apart from the fact that these images have been taken without permission so you really shouldn’t be hunting for them, anyone going digging on less than reputable sites is pretty much declaring open season on their computers. Do yourself a favor and leave this leak alone..."
:fear::fear: :mad:
Canada/U.K. hit by Ramnit Trojan - malvertising, 'Important Notification' - phish
FYI...
Canada/U.K. hit by Ramnit Trojan - malvertising
- https://blog.malwarebytes.com/threat...sing-campaign/
Mar 21, 2017 - "Over the last few days we have observed an increase in malvertising activity coming from adult websites that have significant traffic (several million monthly visits each). Malicious actors are using pop-under ads (adverts that load in a new browser window under the current active page) to surreptitiously -redirect- users to the RIG exploit kit. This particular campaign abuses the ExoClick ad network (ExoClick was informed and took action to stop the fraudulent advertiser based on our reports) and, according to our telemetry, primarily targets Canada and the U.K. The ultimate payloads we collected during this time period were all the Ramnit information stealer (banking, FTP credentials, etc.) which despite a takedown in 2015 has rebounded and is quite active again... The payloads we collected via our honeypot were all the Ramnit Trojan, which is interesting considering the traffic flow from the TDS (Canada, U.K. being the most hits recorded in our telemetry)...
IOCs...
RIG EK IPs:
188.225.38.209
188.225.38.186
188.225.38.164
188.225.38.131
5.200.52.240"
(More detail at the malwarebytes URL above.)
___
'Important Notification' - phish
- https://myonlinesecurity.co.uk/your-...phishing-scam/
21 Mar 2017 - ".. my webmail is being blocked for spreading viruses, or so this -phishing- scam wants me (and you) to believe...
Screenshot: https://myonlinesecurity.co.uk/wp-co...il-blocked.png
The link goes to http ://ostelloforyou.altervista .org/modules/007008.php where it -redirects- to a page looking like a typical webmail login page on a Cpanel server http ://transcapital .com.ge/language/hgfghj/webmail/index.php where after you insert an email address and password are bounded on to a genuine Cpanel webmail login page on http ://jattours .com:2095/ which appears to be an innocent site picked at random and doesn’t give any indication of actually being hacked or compromised:
> https://myonlinesecurity.co.uk/wp-co...mail-login.png "
ostelloforyou.altervista .org: 104.28.14.157: https://www.virustotal.com/en/ip-add...7/information/
> https://www.virustotal.com/en/url/d6...395f/analysis/
104.28.15.157: https://www.virustotal.com/en/ip-add...7/information/
> https://www.virustotal.com/en/url/d6...395f/analysis/
transcapital .com.ge: 213.157.215.229: https://www.virustotal.com/en/ip-add...9/information/
> https://www.virustotal.com/en/url/43...300d/analysis/
jattours .com: 192.163.250.41: https://www.virustotal.com/en/ip-add...1/information/
:fear::fear: :mad:
Word file targets -both- Windows and Mac OS X
FYI...
Word file targets -both- Windows and Mac OS X
- https://blog.fortinet.com/2017/03/22...rosoft-windows
Mar 22, 2017 - "... new Word file that spreads malware by executing malicious VBA (Visual Basic for Applications) code. The sample targeted both Apple Mac OS X -and- Microsoft Windows systems...
When the Word file is opened, it shows notifies victims to enable-the-Macro security option, which allows the malicious VBA code to be executed...
IoCs: URL:
hxxps ://sushi.vvlxpress .com:443/HA1QE
hxxps ://pizza.vvlxpress .com:443/kH-G5
hxxps ://pizza.vvlxpress .com:443/5MTb8oL0ZTfWeNd6jrRhOA1uf-yhSGVG-wS4aJuLawN7dWsXayutfdgjFmFG9zbExdluaHaLvLjjeB02jkts1pq2bR/
hxxps ://sushi.vvlxpress .com:443/TtxCTzF1Q2gqND8gcvg-cwGEk5tPhorXkzS0gXv9-zFqsvVHxi-1804lm2zGUE31cs/ "
(More detail at the fortinet URL above.)
vvlxpress .com: 184.168.221.63: https://www.virustotal.com/en/ip-add...3/information/
> https://www.virustotal.com/en/url/d7...a0d7/analysis/
- https://www.helpnetsecurity.com/2017...d-windows-mac/
Mar 23, 2017 - "... The malicious Word file is currently flagged by nearly half of the malware engines used by VirusTotal*..."
* https://www.virustotal.com/en/file/0...8a74/analysis/
:fear::fear: :mad:
Fake 'Unusual sign-in' SPAM
FYI...
Fake 'Unusual sign-in' SPAM - delivers ransomware
- https://myonlinesecurity.co.uk/cerbe...ome_update-exe
24 Mar 2017 - "... a change to one of the common Cerber -ransomware- delivery methods today... 'pretends to be from Adobe, The body content is all about an unusual sign in activity on your Microsoft account and the -link- goes to a spoofed/fake Chrome download site where the malware payload is a -fake- Google chrome installer...
Screenshot: https://myonlinesecurity.co.uk/wp-co...n-activity.png
... Remember many email clients, especially on a mobile phone or tablet, only show the 'Name' in the 'From': and not the bit in <domain .com>. That is why these scams and phishes work so well...
chrome_update.exe - Current Virus total detections 19/61*. Payload Security**.. MALWR***...
The link in the email goes to http ://chromebewfk .top/site/chrome_update.html where you see this
-fake- Google Chrome download page... numerous other sites involved in this campaign, some delivering
Cerber and some Locky ransomware. One other site I have found is:
voperforseanx .top/site/chrome_update.html ...
> https://myonlinesecurity.co.uk/wp-co...nload-site.png
... They also display a -fake- Chrome 'terms & conditions' pop up when you press the 'download now':
> https://myonlinesecurity.co.uk/wp-co...-installer.png
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/1...is/1490381016/
** https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts (1088)
*** https://malwr.com/analysis/ZGM2YmQ1M...RlYmI3MDkyZDk/
chromebewfk .top: 47.90.205.113: https://www.virustotal.com/en/ip-add...3/information/
> https://www.virustotal.com/en/url/2a...73c5/analysis/
voperforseanx .top: 47.90.205.113:
> https://www.virustotal.com/en/url/e4...8a75/analysis/
35.187.59.173: https://www.virustotal.com/en/ip-add...3/information/
> https://www.virustotal.com/en/url/2a...73c5/analysis/
> https://www.virustotal.com/en/url/e4...8a75/analysis/
:fear::fear: :mad: