Fake 'FedEx USPS UPS' SPAM
FYI...
Fake 'FedEx USPS UPS' SPAM - delivers Kovter and ransomware
- https://myonlinesecurity.co.uk/fake-...nd-ransomware/
1 Jun 2017 - "... malware via the “cannot deliver your parcel notifications” or “check where your parcel is”
-spoofing- FedEx, DHL, UPS, USPS etc. have changed the delivery method. The emails are still very similar to the ones we are used to seeing with this sort of subject line:
USPS issue #06914074: unable to delivery parcel
Parcel #006514814 shipment problem, please review
USPS parcel #3150281 delivery problem
Courier was not able to deliver your parcel (ID006976677, USPS)
Parcel 05836911 delivery notification, USPS
Delivery Status Notification
... What has changed is the -attachment- to the emails contains the malware. These now contain an HTML attachment that when opened displays a webpage on your computer that pretends to be a Microsoft Word online website and says you need to download the 'MSOffice365 Webview Plugin update', with a -blurry-image- of scrambled writing in the background with this message prominently displayed:
'This document cannot be read in your browser. Download and install latest plugin version':
> https://i2.wp.com/myonlinesecurity.c...view.png?ssl=1
Email screenshot: https://i2.wp.com/myonlinesecurity.c...tion.png?ssl=1
... 'previously described in THIS post from Mid April 2017* which shows the obfuscated/encoded nature of the files and how to decode/de-obfuscate them... At that time they linked to a remote website using the -fake- MSOffice365 scam. These malware gangs use a mix-and-match of different techniques to try to stay one step ahead of researchers and antivirus companies and gain more victims:
* https://myonlinesecurity.co.uk/chang...ering-malware/
... Infection chain from 31 May 2017:
1. FedEx-Delivery-Details-ID-8AXP4QH0.doc.html attachment (VirusTotal 2/56[1]) (Payload Security[2])
2. Install-MSOffice365-WebView-Plugin-Update-0.165.11a.zip extracts to:
3. Install-MSOffice365-WebView-Plugin-Update-0.165.11a.exe.js (VirusTotal 8/55[3]) (Payload Security[4])
Counter.js (VirusTotal 5/56[5]), which downloads 2 files pretending to be png (image files that are -renamed- .exe files):
1.exe currently Cerber -Ransomware- (VirusTotal 8/61[6]) (Payload Security[7])
2.exe currently Kovter (VirusTotal 12/60[8]) (Payload Security[9]).
The 5 sites embedded in the original webview plugin.js are:
leadsfunnel360 .com
khushsingh .com
kskazan .ru
moodachainzgear .com
thegreenbook .ca
... where you get counter.js ... that when decrypted gives these 5 sites:
sharplending .com
moodachainzgear .com
buildthenewcity .biz
valdigresta .com
leadsfunnel360 .com
... Where <sitename>/counter/?1 gives the Cerber ransomware and <sitename>/counter/?2 gives Kovter... the js files try to contact the sites in the order they are listed. It then tries each combination of sitename/counter/etc. and if any site fails to respond, then moves to the next site in the list and continues to do that until the counter.js & the actual malware files are downloaded-and-run on the victim’s computer... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
1] https://www.virustotal.com/en/file/6...is/1496239829/
FedEx-Delivery-Details-ID-8AXP4QH0.doc.html
2] https://www.hybrid-analysis.com/samp...ironmentId=100
3] https://www.virustotal.com/en/file/4...is/1496240000/
Install-MSOffice365-WebView-Plugin-Update-0.165.11a.exe.js
4] https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts (1279)
5] https://www.virustotal.com/en/file/0...is/1496296754/
COUNTER[1].js
6] https://www.virustotal.com/en/file/0...is/1496240581/
60[1].png
7] https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts (1089)
8] https://www.virustotal.com/en/file/7...is/1496240649/
11.exe
9] https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts (413)
leadsfunnel360 .com: 50.63.124.1: https://www.virustotal.com/en/ip-add...1/information/
> https://www.virustotal.com/en/url/a1...fb18/analysis/
khushsingh .com: 72.167.131.40: https://www.virustotal.com/en/ip-add...0/information/
> https://www.virustotal.com/en/url/a4...101d/analysis/
kskazan .ru: 87.236.19.130: https://www.virustotal.com/en/ip-add...0/information/
> https://www.virustotal.com/en/url/a4...13ca/analysis/
moodachainzgear .com: 173.201.92.128: https://www.virustotal.com/en/ip-add...8/information/
> https://www.virustotal.com/en/url/24...fc14/analysis/
thegreenbook .ca: 50.62.160.59: https://www.virustotal.com/en/ip-add...9/information/
> https://www.virustotal.com/en/url/5e...1d29/analysis/
sharplending .com: 184.168.55.1: https://www.virustotal.com/en/ip-add...1/information/
> https://www.virustotal.com/en/url/5f...f398/analysis/
moodachainzgear .com: 173.201.92.128: https://www.virustotal.com/en/ip-add...8/information/
> https://www.virustotal.com/en/url/24...fc14/analysis/
buildthenewcity .biz: 50.62.114.1: https://www.virustotal.com/en/ip-add...1/information/
> https://www.virustotal.com/en/url/da...047e/analysis/
valdigresta .com: 64.202.169.211: https://www.virustotal.com/en/ip-add...1/information/
> https://www.virustotal.com/en/url/bf...b8b0/analysis/
leadsfunnel360 .com: 50.63.124.1: https://www.virustotal.com/en/ip-add...1/information/
> https://www.virustotal.com/en/url/a1...fb18/analysis/
:fear::fear::fear: :mad:
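The post above describes a loader that walks down a hard-coded site list and falls through to the next host whenever one fails, then fetches `<site>/counter/?1` (Cerber) and `<site>/counter/?2` (Kovter). The script below is an added example (not code from the forum post or from myonlinesecurity.co.uk) that refangs the defanged domain lists exactly as quoted, builds a blocklist from them, and scans proxy log lines for both the second-stage pattern and the try-the-next-site loop. The log line format, the sample lines and the `counter.js` file name used to spot the first stage are assumptions of this example; the `refang()` helper also handles the `http ://host .tld\path` form used in the later Dridex posts in this thread.

```python
"""Refang the defanged indicators quoted in the post above and scan proxy log
lines for the download chain it describes.  Added example, not code from the
forum post or from myonlinesecurity.co.uk.  The log format, the sample lines
and the '/counter.js' path for the first-stage loader are assumptions."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Domains exactly as the post lists them (defanged with a space before the TLD).
PLUGIN_JS_SITES = [  # embedded in the fake "webview plugin" .js; serve counter.js
    "leadsfunnel360 .com", "khushsingh .com", "kskazan .ru",
    "moodachainzgear .com", "thegreenbook .ca",
]
COUNTER_JS_SITES = [  # decrypted from counter.js; serve /counter/?1 and /counter/?2
    "sharplending .com", "moodachainzgear .com", "buildthenewcity .biz",
    "valdigresta .com", "leadsfunnel360 .com",
]


def refang(indicator):
    """Normalise a defanged indicator: 'example .com', 'http ://a .b\\path',
    'hxxp://', 'a[.]b'.  Backslashes (as written in the Dridex posts) become '/'."""
    s = indicator.strip()
    s = re.sub(r"\s*:\s*//\s*", "://", s)   # 'http ://' -> 'http://'
    s = re.sub(r"\s+\.", ".", s)            # 'example .com' -> 'example.com'
    s = s.replace("[.]", ".").replace("hxxp", "http")
    return s.replace("\\", "/")


def blocklist(*lists):
    """Deduplicated, sorted hostnames from any number of defanged lists."""
    return sorted({refang(x) for lst in lists for x in lst})


COUNTER_PATH = re.compile(r"^/counter/\?([12])$")
PAYLOAD_BY_ARG = {"1": "cerber", "2": "kovter"}  # as stated in the post


def classify(url, stage1, stage2):
    """Label one requested URL, or None if it is not part of the chain."""
    p = urlsplit(url)
    host = (p.hostname or "").lower()
    path_and_query = p.path + ("?" + p.query if p.query else "")
    if host in stage2:
        m = COUNTER_PATH.match(path_and_query)
        if m:
            return PAYLOAD_BY_ARG[m.group(1)]
    # The post does not give the loader's exact path; matching on the file
    # name 'counter.js' is an assumption of this example.
    if host in stage1 and p.path.lower().endswith("/counter.js"):
        return "counter.js"
    return None


# Assumed log format: "<timestamp> <client-ip> <method> <url> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) ([A-Z]+) (\S+) (\d{3})$")


def scan_log(lines, stage1=None, stage2=None):
    """Return (client, host, label, status) for every line that matches the chain."""
    stage1 = set(stage1 if stage1 is not None else blocklist(PLUGIN_JS_SITES))
    stage2 = set(stage2 if stage2 is not None else blocklist(COUNTER_JS_SITES))
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        _ts, client, _method, url, status = m.groups()
        label = classify(url, stage1, stage2)
        if label:
            hits.append((client, urlsplit(url).hostname.lower(), label, int(status)))
    return hits


def fallback_clients(hits):
    """Clients that touched more than one chain host: the try-the-next-site loop
    the post describes, visible even when the first hosts answered with errors."""
    per_client = defaultdict(list)
    for client, host, label, status in hits:
        per_client[client].append((host, label, status))
    return {c: seq for c, seq in per_client.items() if len({h for h, _, _ in seq}) > 1}


# Constructed sample proxy log, not captured traffic.
SAMPLE_LOG = """\
2017-05-31T10:02:11 10.0.0.7 GET http://leadsfunnel360.com/counter.js 503
2017-05-31T10:02:12 10.0.0.7 GET http://khushsingh.com/counter.js 200
2017-05-31T10:02:14 10.0.0.7 GET http://sharplending.com/counter/?1 504
2017-05-31T10:02:15 10.0.0.7 GET http://moodachainzgear.com/counter/?1 200
2017-05-31T10:02:16 10.0.0.7 GET http://moodachainzgear.com/counter/?2 200
2017-05-31T10:03:00 10.0.0.9 GET http://www.example.org/index.html 200
2017-05-31T10:03:05 10.0.0.9 GET http://moodachainzgear.com/about/ 200
""".splitlines()

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("hit:", hit)
    for client, seq in fallback_clients(scan_log(SAMPLE_LOG)).items():
        print("fallback loop from", client, "across", len({h for h, _, _ in seq}), "hosts")
    print("blocklist:", ", ".join(blocklist(PLUGIN_JS_SITES, COUNTER_JS_SITES)))
```

Two design points: the host match is done on the parsed hostname rather than a substring of the URL, so a benign page on a domain that also happens to be in the list (the `/about/` line) is not flagged, and the per-client grouping is what surfaces the fallback behaviour, since a single 503 to one of these hosts looks like noise until you see the same client immediately move on to the next one.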
Fake 'Invoice', 'Message' SPAM
FYI...
Fake 'Invoice' SPAM - delivers Dridex
- https://myonlinesecurity.co.uk/fake-...anking-trojan/
2 Jun 2017 - "... emails with -pdf- attachments that drop a malicious macro enabled word doc is an email with the subject of 'Invoice INV-0790' (random numbers) pretending to come from random names and email addresses that delivers Dridex banking Trojan...
Screenshot: https://myonlinesecurity.co.uk/wp-co...e-inv-0790.png
Invoice INV-0790.pdf - Current Virus total detections 12/56*. Payload Security** drops 231GEOHJWMQN935.docm
(VirusTotal 10/59[3]) (Payload Security[4]) downloads an encrypted txt file from
http ://lanphuong .vn\hH60bd which is converted by the script to miniramon8.exe
(VirusTotal 8/62[5]) (Payload Security[6]).
There are 4 hardcoded (slightly obfuscated) download sites in the macro (there will be more in other versions)
lanphuong .vn\hH60bd
newserniggrofg .net\af\hH60bd
resevesssetornument .com\af\hH60bd
mountmary .ca\hH60bd
... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/d...is/1496395482/
** https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
112.213.85.78
185.141.25.23
147.32.5.111
192.99.108.183
31.193.131.147
3] https://www.virustotal.com/en/file/7...is/1496395712/
4] https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
112.213.85.78
185.141.25.23
147.32.5.111
192.99.108.183
31.193.131.147
5] https://www.virustotal.com/en/file/f...is/1496396221/
6] https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
185.141.25.23
147.32.5.111
192.99.108.183
31.193.131.147
lanphuong .vn: 112.213.85.78: https://www.virustotal.com/en/ip-add...8/information/
> https://www.virustotal.com/en/url/1b...a0ad/analysis/
___
Fake 'Message' SPAM - delivers Dridex
- https://myonlinesecurity.co.uk/more-...email-address/
2 Jun 2017 - "... emails with -pdf- attachments that drop a malicious macro enabled word doc is a blank/empty email with the subject of 'Message from KM_C224e' pretending to come from a -copier- at your email address that delivers Dridex banking Trojan...
Screenshot: https://myonlinesecurity.co.uk/wp-co...m-KM_C224e.png
The payload & websites are exactly the -same- as described in today’s earlier Dridex malspam run using fake invoices*..."
* https://myonlinesecurity.co.uk/fake-...anking-trojan/
2 Jun 2017
:fear::fear: :mad:
Fake 'Invoice' SPAM, 'WakeMed' Phish
FYI...
Fake 'Invoice' SPAM - delivers Dridex
- https://myonlinesecurity.co.uk/spoof...anking-trojan/
5 Jun 2017 - "... emails with random numbered -pdf- attachments that drop a malicious macro enabled word doc is an email with the subject of 'Invoice' pretending to come from a random first name Holmes at random email addresses but the body of the email imitates John Miller Ltd...
Screenshot: https://myonlinesecurity.co.uk/wp-co...er_-Holmes.png
... the PDF actually having some content that makes it almost look real:
> https://myonlinesecurity.co.uk/wp-co...129303_pdf.png
A4 Inv_Crd 21297.pdf - Current Virus total detections 9/56*. Payload Security**
drops Invoice_129302.docm (VirusTotal 8/59[3]) (Payload Security[4]) downloads an encrypted txt file from
http ://spaceonline .in\8yfh4gfff which is converted by the script to miniramon8.exe (VirusTotal 13/61[5])...
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/7...is/1496654801/
** https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
111.118.212.86
192.48.88.167
89.110.157.78
85.214.126.182
46.101.154.177
3] https://www.virustotal.com/en/file/b...is/1496654938/
4] https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
111.118.212.86
192.48.88.167
89.110.157.78
85.214.126.182
46.101.154.177
5] https://www.virustotal.com/en/file/c...5e97/analysis/
spaceonline .in: 111.118.212.86: https://www.virustotal.com/en/ip-add...6/information/
> https://www.virustotal.com/en/url/e3...915b/analysis/
___
- http://blog.dynamoo.com/2017/06/malw...d-invoice.html
5 Jun 2017 - "This spam pretends to come from John Miller Ltd (but doesn't) and comes with a malicious payload. The domain mentioned in the email does -not- match the company being spoofed, and varies from message to message.
Screenshot: https://3.bp.blogspot.com/-mxosSM7W0...ohn-miller.png
The attachment currently has a detection rate of about 9/56*. As is common with some recent attacks, the PDF actually contains an embedded Microsoft Office document. Hybrid Analysis** shows the malicious file downloading a component from cartus-imprimanta .ro/8yfh4gfff (176.126.200.56 - HostVision SRL, Romania) although other -variants- possibly exist. A file is dropped (in the HA report called miniramon8.exe) at detection rate of 11/61***. According to the Hybrid Analysis report, that attempts to communicate with the following IPs:
192.48.88.167 (Tocici LLC, US)
89.110.157.78 (netclusive GmbH, Germany)
85.214.126.182 (Strato AG, Germany)
46.101.154.177 (Digital Ocean, Germany)
The payload is not clear at this time, but it will be nothing good.
Recommended blocklist:
192.48.88.167
89.110.157.78
85.214.126.182
46.101.154.177 "
* https://virustotal.com/en/file/d9a96...is/1496654625/
** https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
176.126.200.56
192.48.88.167
89.110.157.78
85.214.126.182
46.101.154.177
*** https://virustotal.com/en/file/c7dc1...is/1496655625/
cartus-imprimanta .ro: 176.126.200.56: https://www.virustotal.com/en/ip-add...6/information/
> https://www.virustotal.com/en/url/3d...0dc3/analysis/
___
'WakeMed' Phish
REAL 'WakeMed': http://www.wakemed.org/contact-us
Raleigh, NC 27610
FAKE/Phish: https://myonlinesecurity.co.uk/wakem...t-at-phishing/
5 June 2017
Screenshot: https://myonlinesecurity.co.uk/wp-co...RVICE-DESK.png
"... If you follow the link you see a very badly designed webpage, complete with spelling errors, obviously created by a non-English speaker, looking like this:
(from: http ://itupdat.tripod .com/)
> https://myonlinesecurity.co.uk/wp-co...ipod_phish.png
... the spam -email- is a -compromised- (may be spoofed) Canadian Nova Scotia Department of Education address... these emails use Social engineering tricks to persuade you to open the attachments that come with the email..."
itupdat.tripod .com: 209.202.252.101: https://www.virustotal.com/en/ip-add...1/information/
> https://www.virustotal.com/en/url/53...ddb7/analysis/
ccrsb .ca: 142.227.247.226: https://www.virustotal.com/en/ip-add...6/information/
___
Police dismantle crime network - online payment SCAMS
- https://www.helpnetsecurity.com/2017...crime-network/
June 5, 2017 - "The Polish National Police, working in close cooperation with its law enforcement counterparts in Croatia, Germany, Romania and Sweden, alongside Europol’s European Cybercrime Centre (EC3), have smashed a Polish organised crime network suspected of online payment scams and money laundering... Operation MOTO on 29-31 May 2017 resulted in 9 arrests including the criminal network’s masterminds, as well as 25 house searches in Poland. The perpetrators were advertising online cars as well as construction or agricultural machinery/vehicles, but never delivered the advertised goods to interested buyers, despite having received advance fee payments..."
:fear::fear: :mad:
Fake 'Invoice', blank/empty, 'Message' SPAM, Office365 - Phish
FYI...
Fake 'Invoice' SPAM - pdf attachments drop malware
- https://myonlinesecurity.co.uk/more-...nking-malware/
7 Jun 2017 - "... emails with -pdf- attachments that drop a malicious macro enabled word doc... email with the subject of '32_Invoice_2220' (random numbers at start and end of invoice) pretending to come from random names and email addresses that delivers what looks like either Dridex or Emotet banking malware...
Screenshot: https://myonlinesecurity.co.uk/wp-co...ff_invoice.png
001_8951.pdf - Current Virus total detections 12/54*: Payload Security** drops 690UICEBVOFF735.docm
... downloads an encrypted txt file from
http ://micolon .de/7gyb3ds which is converted by the script to krivokor8.exe
(VirusTotal 8/61[3]) (Payload Security[4])...
* https://www.virustotal.com/en/file/2...is/1496825964/
001_0673.pdf
** https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
81.169.145.167
37.120.182.208
194.87.234.99
192.157.238.15
185.23.113.100
178.33.146.207
3] https://www.virustotal.com/en/file/7...d40c/analysis/
krivokor8 - Copy.exe
4] https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
216.218.206.69
The -macros- in this example are very different to the ones we have previously seen. There are 3 hardcoded (slightly obfuscated) download sites in -each- macro (The first I examined had these 3):
micolon .de/7gyb3ds
essentialnulidtro .com/af/7gyb3ds
suskunst .dk/7gyb3ds
Thanks to Racco42[5], -other- download sites found include:
5] https://twitter.com/Racco42/status/872384811301834752
http ://adproautomation .in/7gyb3ds
http ://camberwellroofing .com.au/7gyb3ds
http ://caperlea .com/7gyb3ds
http ://choralia .net/7gyb3ds
http ://chqm168 .com/7gyb3ds
http ://essentialnulidtro .com/af/7gyb3ds
http ://luxcasa .pt/7gyb3ds
http ://micolon .de/7gyb3ds
http ://musee-champollion .fr/7gyb3ds
http ://mytraveltrip .in/7gyb3ds
http ://saheser .net/7gyb3ds
http ://sanftes-reiten .de/7gyb3ds
http ://shopf3 .com/7gyb3ds
http ://shreekamothe .com/7gyb3ds
http ://spocom .de/7gyb3ds
http ://sumbermakmur .com/7gyb3ds
http ://surgideals .com/7gyb3ds
http ://suskunst .dk/7gyb3ds
http ://sutek-industry .com/7gyb3ds
http ://svagin .dk/7gyb3ds
http ://xinding .com/7gyb3ds ...
... Malware IP's: https://pastebin.com/arUi7B1H
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
___
Fake blank/empty SPAM - delivers Trickbot
- https://myonlinesecurity.co.uk/more-...delivery-lure/
7 Jun 2017 - "... an email with a blank/empty subject as well as a completely empty email body pretending to come from random senders with a malicious word doc attachment delivers Trickbot... One of the emails looks like:
From: random senders
Date: Wed 07/06/2017 13:15
Subject: none
Attachment: SCAN_0636.doc
Body content: Totally Blank/Empty
SCAN_0636.doc - Current Virus total detections 12/59*. Payload Security** downloads an encrypted txt file from
http ://beursgays .com\7gyb3ds
Still delivering the same krivokor8.exe (VirusTotal 9/61[3]) (Payload Security[4]) which is Trickbot banking Trojan.
So far we have found these additional sites:
essentialnulidtro .com\af\7gyb3ds
martos .pt\7gyb3ds
castvinyl .ru\7gyb3ds ...
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/b...is/1496837651/
** https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
178.237.37.40
50.19.227.215
185.86.150.185
3] https://www.virustotal.com/en/file/7...d40c/analysis/
4] https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
216.218.206.69
beursgays .com: 178.237.37.40: https://www.virustotal.com/en/ip-add...0/information/
> https://www.virustotal.com/en/url/f9...e378/analysis/
essentialnulidtro .com: 119.28.85.128: https://www.virustotal.com/en/ip-add...8/information/
> https://www.virustotal.com/en/url/42...1088/analysis/
martos .pt: 91.198.47.86: https://www.virustotal.com/en/ip-add...6/information/
> https://www.virustotal.com/en/url/1c...aefd/analysis/
castvinyl .ru: 89.111.176.244: https://www.virustotal.com/en/ip-add...4/information/
> https://www.virustotal.com/en/url/ff...690f/analysis/
___
Fake 'Message' SPAM - delivers ransomware
- https://myonlinesecurity.co.uk/messa...er-ransomware/
7 Jun 2017 - "... using 'Message from KM_C224e'... using the same subject and email template but with a zip attachment containing an .exe file... pretends to come from copier @ your-own-email-domain... Confirmed: this is JAFF ransomware...
Screenshot: https://myonlinesecurity.co.uk/wp-co...ip-version.png
SKM_C224e03215953284.zip: Extracts to: SKM_C224e9930.exe - Current Virus total detections 12/61*
Payload Security** | MALWR***... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/d...is/1496843658/
** https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
52.15.162.35
*** https://malwr.com/analysis/ZmE3YjMxM...QxZTI4NzZlOTM/
Hosts
52.15.162.35: https://www.virustotal.com/en/ip-add...5/information/
> https://www.virustotal.com/en/url/7f...b9a6/analysis/
___
Office365 - Phish
- https://myonlinesecurity.co.uk/fake-...ired-phishing/
7 Jun 2017 - "... pretends to be a message from Microsoft Office365 saying 'your mailbox is full'...
Screenshot: https://myonlinesecurity.co.uk/wp-co...hing-email.png
-If- you follow the link in the email, you first get sent to:
http ://ronaldsinkwell .com.br/js/Office365/Secure/ where you get an immediate -redirection- ... and you see a webpage looking like this:
http ://www .ftc-network .com/js/Microsoft/Office365/ :
> https://myonlinesecurity.co.uk/wp-co...5_phishing.png
... All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email..."
ronaldsinkwell .com.br: 192.185.214.91: https://www.virustotal.com/en/ip-add...1/information/
> https://www.virustotal.com/en/url/9a...ff52/analysis/
ftc-network .com: 103.13.240.186: https://www.virustotal.com/en/ip-add...6/information/
> https://www.virustotal.com/en/url/b0...1b26/analysis/
:fear::fear::fear: :mad:
Fake 'Emailing' SPAM, 'Google Drive' - Phish
FYI...
Fake 'Emailing' SPAM - delivers pdf malware
- https://myonlinesecurity.co.uk/malsp...liver-malware/
14 Jun 2017 - "... an email with the subject of 'Emailing: 288639672' (random numbers) pretending to come from random names and email address that delivers some sort of malware. Over the last couple of weeks these have switched between Jaff ransomware, Dridex banking Trojans and Trickbot banking Trojan...
Screenshot: https://myonlinesecurity.co.uk/wp-co...-288639672.png
288639672.pdf Current Virus total detections 11/56*. Payload Security** drops 000049764694.xlsm
(VirusTotal 11/56[3]) (Payload Security[4]). JoeSandbox[5]: downloads an encrypted txt file from
http ://mailblust .com\98tf77b which is converted by the script to fungedsp8.exe (VirusTotal 8/60[6])..
There are 4 hardcoded (slightly obfuscated) download sites in the macro (there will be more in other versions)
mailblust .com\98tf77b > 162.251.85.92
78tguyc876wwirglmltm .net\af\98tf77b > 119.28.85.128
randomessstioprottoy .net\af\98tf77b > 119.28.85.128
3456group .com\98tf77b > 69.49.96.24
... Other sites found so far have been posted HERE:
- https://twitter.com/coldshell/status/874943588412653568
... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/3...is/1497432816/
** https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
162.251.85.92
3] https://www.virustotal.com/en/file/3...is/1497432816/
4] https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
162.251.85.92
5] https://jbxcloud.joesecurity.org/analysis/291764/1/html
6] https://www.virustotal.com/en/file/7...is/1497433869/
___
'Google Drive' - Phish
- https://myonlinesecurity.co.uk/impor...phishing-scam/
14 Jun 2017 - "... phishing attempts for email credentials... pretends to be a message saying 'log in to Google Drive' to get some documents that have been sent to you...
Screenshot: https://myonlinesecurity.co.uk/wp-co...e-phishing.png
If you follow the link (all are identical) you see a webpage looking like this:
https ://www.mealcare .ca/gdrive/drive/drive/auth/view/share/ - but it is HTTPS so it is “safe”. That is, nothing you give to the criminal can be intercepted, so your email log in details can’t be stolen by another criminal on the way. Remember a green padlock HTTPS does NOT mean the site is safe. All it means is secure from easy interception between your computer and that site:
> https://myonlinesecurity.co.uk/wp-co...gle_phish1.png
After you select 'click here' on this identical copy of the Google drive page (if you are not looking at the url bar) you get:
> https://myonlinesecurity.co.uk/wp-co...gle_phish2.png
After you input your details you get sent to a 404 not found page on Morgan Stanley website. I can only assume the phisher tried to link originally to a genuine pdf on Morgan Stanley who quickly removed it:
> https://myonlinesecurity.co.uk/wp-co...tanley_404.png ..."
mealcare .ca: 77.104.162.117: https://www.virustotal.com/en/ip-add...7/information/
> https://www.virustotal.com/en/url/1f...8939/analysis/
:fear::fear: :mad: