Fake Email account notice - Phish
FYI...
Fake Email account notice – Phish
... 'Your Mailbox Will Be Terminated'
- https://myonlinesecurity.co.uk/your-...l-credentials/
16 Jun 2017 - "We see lots of phishing attempts for email credentials. This one is slightly different...
Screenshot: https://myonlinesecurity.co.uk/wp-co...er.co_.uk-.png
If you follow the link you see a webpage looking like this:
https ://deadsocial .com//media/email_updatep1/login.php?userid=ans@ thespykiller .co.uk
(you can put any email address at the end of the link & get the same page with email already filled in).
The red countdown continues to decrease in time while the page is open:
> https://myonlinesecurity.co.uk/wp-co...ail_update.png
... After you input your email address and password, you get told 'incorrect details' and forwarded to an almost identical looking page where you can put it in again and it does that on a continual loop:
> https://myonlinesecurity.co.uk/wp-co...il_update2.png
... Don’t assume that all attempts are obvious. Watch for any site that invites you to enter ANY personal or financial information..."
deadsocial .com: 184.154.216.243: https://www.virustotal.com/en/ip-add...3/information/
> https://www.virustotal.com/en/url/71...24c7/analysis/
Fake 'Invoice', 'Receipt to print' SPAM
FYI...
Fake 'Invoice' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/the-r...nvoice-emails/
21 Jun 2017 - "... an email with the subject of 'Copy of Invoice 79898702' coming or pretending to come from noreply@ random email addresses with a semi-random named zip attachment in the format of 79898702.zip (random 8 digits). The zip matches the subject... Whether this is a permanent return to Locky or a one off, I don’t know... Locky has vanished for while before & returned. It is also very unusual for Locky to come as an executable file inside a zip...
Screenshot: https://myonlinesecurity.co.uk/wp-co...e-79898702.png
79898702.zip: extracts to INV-09837592.zip which in turn Extracts to: INV-09837592.exe
Current Virus total detections 10/60*. Payload Security**. None of the sandboxes are showing any encrypting activity or the usual Locky signs, so it looks like a -new- version with protections against analysis. We only know it is Locky because one of the analysts[1] extracted the Locky payload from the memory while running this file (Virustotal 39/60***)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/4...9cd8/analysis/
INV-09837592.exe
** https://www.hybrid-analysis.com/samp...ironmentId=100
*** https://www.virustotal.com/en/file/b...is/1498057764/
_005C0000.mem
1] https://twitter.com/mpvillafranca94/...44503720247296
- http://blog.talosintelligence.com/20...-campaign.html
June 21, 2017 - "... The volume of Locky spam Necurs has sent since the start of this particular campaign is notable. In the first hour of this campaign, Talos observed that Locky spam accounted for up to 7.2% of email volume on one of our systems*. While the campaign has since decreased in the number of messages being sent per minute, Necurs is still actively sending messages containing Locky... we can expect a fixed version of Locky to appear in a future round of Necurs' ransomware spam... it's always risky clicking-on-links or opening -attachments- in strange email messages..."
> https://1.bp.blogspot.com/-O9IsDuPG5...600/image3.jpg
___
Fake 'Receipt to print' SPAM - delivers malware
- https://myonlinesecurity.co.uk/recei...ivers-malware/
21 Jun 2017 - "... an email with the subject of 'Receipt to print' coming or pretending to come from random companies, names and email addresses with a semi-random named zip attachment which delivers some malware... Earlier WSF files today delivered Trickbot banking Trojan...
Screenshot: https://myonlinesecurity.co.uk/wp-co...t-to-print.png
Receipt_6706.zip: extracts to archive0124.zip which extracts to: 0923.wsf
Current Virus total detections 11/57*. Payload Security** shows a download of an encrypted file from
http ://tag27 .com/08345ug? which is converted by the script to IeEOifS6.exe (VirusTotal 11/57***).
Manual examination and basic decoding of the WSF file shows these download locations:
tag27 .com/08345ug? > 162.210.102.220
78tguyc876wwirglmltm .net/af/08345ug > 119.28.86.18
malamalamak9 .net/08345ug? > 74.122.121.8
randomessstioprottoy .net/af/08345ug > 119.28.86.18
shreveporttradingantiques .com/08345ug? > 74.220.215.225 ...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/f...is/1498051603/
** https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
162.210.102.220
119.28.86.18
74.122.121.8
*** https://www.virustotal.com/en/file/1...is/1480617465/
Fake 'Fattura' SPAM, Protect Your Cloud, Petya Ransomware Infections Reported
FYI...
Fake 'Fattura' SPAM - delivers xls attachment malware
- https://myonlinesecurity.co.uk/more-...nking-trojans/
27 Jun 2017 - "An email with the subject of 'Fattura n.9171 del 27/06/17' pretending to come from random Italian email addresses with an Excel XLS spreadsheet attachment...
Update: I am 100% assured* that this is Trickbot banking Trojan...
* https://twitter.com/_operations6_/st...80802136707073
Screenshot: https://myonlinesecurity.co.uk/wp-co...a_it_spam1.png
Attachment: https://myonlinesecurity.co.uk/wp-co...a_it_spam2.png
The xls file looks like this, with the instructions to 'enable content' in Italian. They obviously hope that the victim will 'enable content & macros' to see the washed out invoice details in full detail:
> https://myonlinesecurity.co.uk/wp-co...nvoice-xls.png
FATTURA num. 6655 del 27-=.xls - Current Virus total detections 6/56[1]. Payload Security[2] shows a download from
https ://3eee22abda47 .faith/nvidia4.dvr (VirusTotal 11/61[3])... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
1] https://www.virustotal.com/en/file/d...9395/analysis/
1_FATTURA num. 5999 del 27-06-2017.xls
2] https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
46.173.218.138
3] https://www.virustotal.com/en/file/8...19f8/analysis/
nvidia4.dvr
3eee22abda47 .faith: 46.173.218.138: https://www.virustotal.com/en/ip-add...8/information/
> https://www.virustotal.com/en/url/a0...eca1/analysis/
___
Protect Your Cloud - from Ransomware
> http://www.darkreading.com/cloud/9-w...d/d-id/1329221
6/27/2017
___
Multiple Petya Ransomware Infections Reported
- https://www.us-cert.gov/ncas/current...tions-Reported
June 27, 2017
- http://blog.talosintelligence.com/20...e-variant.html
June 27, 2017 - "... a new malware variant has surfaced..."
- https://www.helpnetsecurity.com/2017...ya-ransomware/
June 27, 2017
- http://www.reuters.com/article/us-cy...-idUSKBN19I1TD
Jun 27, 2017 | 4:35pm EDT
- http://www.telegraph.co.uk/news/2017...cyber-attack1/
27 June 2017 • 8:50pm GMT
Fake 'UPS cannot deliver' SPAM, 'Blank Slate' ransomware
FYI...
Fake 'UPS cannot deliver' SPAM - delivers ransomware
- https://myonlinesecurity.co.uk/retur...ovter-payload/
29 Jun 2017 - "The 'UPS failed to deliver' messages have come back... it looks like the Kovter gang have taken advantage of the Petya outbreak to add to the mix. They have updated the nemucod ransomware version to make it, on first look, impossible to decrypt at this time without paying the ransom. Thanks to Michael Gillespie* a well known anti-ransomware campaigner for his assistance and pointing me in the right direction about the new nemucod ransomware version...
* https://twitter.com/demonslay335
If you get infected by this or any other ransomware please check out the ID Ransomware service** which will help to identify what ransomware you have been affected by and offer suggestions for decryption...
** https://id-ransomware.malwarehunterteam.com/index.php
The emails are the same as usual (you only have to look through this blog and search for UPS[1] or FedEx[2] or USPS[3]... hundreds of different examples and subjects)...
1] https://myonlinesecurity.co.uk/?s=UPS
2] https://myonlinesecurity.co.uk/?s=fedex
3] https://myonlinesecurity.co.uk/?s=usps
Screenshot: https://myonlinesecurity.co.uk/wp-co...to_deliver.png
... there is a difference in the .js files that are coming in the (attachment) zips... The initial js looks very similar to previous but has much longer vars (var zemk) that is used to download the other files...
Showing a high level of encryption that at this time appears unable to be decrypted without paying the ransom.
This ransom note (or something similar with different links) gets displayed on the victim’s desktop:
>> https://myonlinesecurity.co.uk/wp-co...structions.jpg
The original js downloads 3 files - 1 is Kovter as usual, the second is unknown and there is a massive 6.7mb php interpreter. The 2nd file won’t run without the php interpreter. It looks like it also belongs to PHP and both php files together are needed to run the downloaded php counter files to encrypt the computer...
4] https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts (406)
5] https://jbxcloud.joesecurity.org/analysis/300085/1/html
UPS-Delivery-005156577.doc.js
6] https://www.virustotal.com/en/file/d167368409c3fa244e17cef06eb83174b03fc0397cb0d907daf30dfdba5e100e/analysis/1498629470/
UPS-Delivery-005156577.doc.js
Detection ratio: 9/55
... The Kovter download looks like it works separately to the ransomware but might actually be involved somewhere along the line:
7] https://www.virustotal.com/en/file/2...is/1498630707/
da40c167cd75d.png
Detection ratio: 25/62
8] https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts (398)
... Sites involved in this campaign found so far this week:
resedaplumbing .com > 166.62.58.18
modx.mbalet .ru > 95.163.101.104
artdecorfashion .com > 107.180.0.125
eventbon .nl > 109.106.167.212
elita5 .md > 217.26.160.15
goldwingclub .ru > 62.109.17.210
www .gloszp .pl > 87.98.239.19
natiwa .com > 115.84.178.83
desinano .com.ar > 190.183.59.228
amis-spb .ru > 77.222.61.227
perdasbasalti .it > 94.23.64.3
120.109.32.72: https://www.virustotal.com/en/ip-add...2/information/
calendar-del .ru > 77.222.61.227
indexsa.com .ar > 190.183.59.228 ..."
___
'Blank Slate' - malspam campaign -ransomware-
- https://isc.sans.edu/forums/diary/Ca...+strong/22570/
Last Updated: 2017-06-29 - "'Blank Slate' is the nickname for a malicious spam (malspam) campaign pushing -ransomware- targeting Windows hosts... Today I collected 11 Blank Slate emails, so this diary examines recent developments from the Blank Slate campaign. Today's Blank Slate malspam was pushing Cerber and GlobeImposter ransomware... -fake- Chrome pages sent victims zip archives containing malicious .js files designed to infect Windows hosts with ransomware... potential -victims- must open the zip attachment, open the enclosed zip archive, then double-click the final .js file. That works on default Windows configurations..."
(More detail at the isc URL above.)
___
- https://www.bitdefender.com/news/mas...ages|goldeneye
Update 6/28 08.00 GMT+3 - "There is mounting evidence that the #GoldenEye / #Petya ransomware campaign might not have targeted financial gains but rather data destruction..."
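Added example (my own code, not from myonlinesecurity or the ISC diary): the Locky, 'Receipt to print', UPS and Blank Slate posts above all describe the same delivery shape - a zip inside a zip, ending in a .js/.wsf/.exe that Windows runs on double-click, often with a decoy name like UPS-Delivery-005156577.doc.js. A mail gateway can refuse that shape before any user sees it. The inspector below walks nested zips in memory, flags executable script types, double extensions and excessive nesting, and caps member count and uncompressed size so a decompression bomb cannot be used against the scanner itself. The sample archives are constructed here for the demonstration; the member name follows the pattern in the UPS post but the content is a placeholder.

```python
import io
import zipfile
from dataclasses import dataclass

# Extensions Windows executes on double-click with default associations
# (wscript/cscript for .js/.jse/.wsf/.vbs, mshta for .hta, the shell for the rest).
SCRIPT_EXTENSIONS = {"js", "jse", "wsf", "wsh", "vbs", "vbe", "hta", "ps1",
                     "cmd", "bat", "exe", "scr", "pif", "com", "lnk", "jar"}
# Document-looking extensions used as the decoy half of a double extension.
DECOY_EXTENSIONS = {"doc", "docx", "pdf", "xls", "xlsx", "txt", "jpg", "png", "htm", "html"}
MAX_DEPTH = 3                 # zip-in-zip-in-zip is already beyond legitimate mail use
MAX_MEMBERS = 200             # cheap guards against decompression bombs
MAX_UNCOMPRESSED = 50 * 1024 * 1024


@dataclass
class Finding:
    path: str      # member path; nested archives are joined with "!/"
    reason: str


def _extensions(member_name: str) -> list:
    base = member_name.rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    return parts[1:] if len(parts) > 1 else []


def inspect_archive(data: bytes, prefix: str = "", depth: int = 0) -> list:
    """Walk a zip (and any zips inside it) and report members a gateway should not deliver."""
    findings = []
    if depth > MAX_DEPTH:
        return [Finding(prefix, f"archive nested more than {MAX_DEPTH} levels deep")]
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings        # not a zip: nothing for this inspector to say
    with zf:
        infos = [i for i in zf.infolist() if not i.is_dir()]
        if len(infos) > MAX_MEMBERS or sum(i.file_size for i in infos) > MAX_UNCOMPRESSED:
            return [Finding(prefix, "archive exceeds member/size limits (possible decompression bomb)")]
        for info in infos:
            path = prefix + info.filename
            exts = _extensions(info.filename)
            if not exts:
                continue
            last = exts[-1]
            if last in SCRIPT_EXTENSIONS:
                findings.append(Finding(path, f"executable content type .{last} inside archive"))
                if len(exts) >= 2 and exts[-2] in DECOY_EXTENSIONS:
                    findings.append(Finding(path, f"double extension .{exts[-2]}.{last} hides the real type"))
            elif last == "zip":
                findings.append(Finding(path, f"archive nested at depth {depth + 1}"))
                findings.extend(inspect_archive(zf.read(info), prefix=path + "!/", depth=depth + 1))
    return findings


def verdict(findings: list) -> str:
    return "block" if findings else "allow"


def build_sample() -> bytes:
    """Constructed lure in the shape the posts describe: zip -> zip -> .doc.js.
    The member name follows the UPS-Delivery-005156577.doc.js pattern; the content is a
    harmless placeholder, not the real script."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("UPS-Delivery-005156577.doc.js", "// placeholder only\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("UPS-Delivery-005156577.zip", inner.getvalue())
    return outer.getvalue()


def build_benign_sample() -> bytes:
    """Constructed comparison archive holding only a plain text member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("receipt.txt", "nothing to see\n")
    return buf.getvalue()


if __name__ == "__main__":
    for f in inspect_archive(build_sample()):
        print(f"{f.path}: {f.reason}")
```

On the constructed lure this reports the nested archive, the .js member and the .doc.js double extension, and verdict() says block; the benign archive produces nothing. The extension sets are my choice and should be tuned to what your users legitimately exchange, but .js/.wsf/.exe inside a zip has essentially no business use in inbound mail.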
Fake 'Documents', 'Customer message', 'invoice' SPAM, 'AdGholas' malvertising
FYI...
Fake 'Documents' SPAM - delivers Trickbot
- https://myonlinesecurity.co.uk/spoof...anking-trojan/
5 Jul 2017 - "An email with the subject of 'Important Account Documents' pretending to come from Lloyds bank but actually coming from a look-a-like domain Lloyds Bank Documents <no-reply@ lloydsbankdocs .co.uk> with a malicious word doc attachment... So far we have only found 1 site sending these today:
lloydsbankdocs .co.uk
As usual they are registered via Godaddy as registrar and the emails are sent via IP 37.46.192.51 which doesn’t have any identifying details except AS47869 Netrouting in Netherlands...
Screenshot: https://myonlinesecurity.co.uk/wp-co...-Documents.png
The word doc looks like:
> https://myonlinesecurity.co.uk/wp-co...count-docs.png
AccountDocs.doc - Current Virus total detections 7/57*. Payload Security** shows a download from
http ://pilotosvalencia .com/sergollinhols.png which of course is -not- an image file but a -renamed- .exe file that gets renamed to fsrtat.exe and autorun (VirusTotal 14/60***)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/c...43f6/analysis/
** https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
81.169.217.4
167.114.174.158
197.248.210.150
*** https://www.virustotal.com/en/file/2...0a11/analysis/
___
Fake 'Customer message' SPAM - delivers Trickbot
- https://myonlinesecurity.co.uk/spoof...anking-trojan/
5 July 2017 - "... delivering banking Trojans is an email with the subject of 'Customer message' pretending to come from 'Nat West Bank' but actually coming from a series of look alike domains - NatWest Bank Plc <alert@ natwest-serv478 .ml> with a malicious word doc attachment... criminals sending these have registered various domains that look-like-genuine bank domains. Normally there are 3 or 4 newly registered domains that imitate-the-bank or some message sending service... we have found 6 but it is highly likely there could be hundreds, because they are -free- domains that don’t need any checkable registration details:
natwest-serv478 .ml > 81.133.163.165
natwest-serv347 .ml > 185.100.68.185
natwest-serv305 .ml > 72.21.246.90
natwest-serv303 .ml > 47.42.101.137
natwest-serv505 .ml > 98.191.98.153
natwest-serv490 .ml > 128.95.65.99
These are registered via freenom .com as registrar and the emails are sent via a series of what are most likely compromised email accounts or mail servers:
> https://myonlinesecurity.co.uk/wp-co..._spam_list.png
Screenshot: https://myonlinesecurity.co.uk/wp-co...er-message.png
The word doc looks like:
> https://myonlinesecurity.co.uk/wp-co...ent283_doc.png
message_payment283.doc - Current Virus total detections 9/56*. Payload Security** shows a download from
http ://armor-conduite .com/34steamballons.png which of course is -not- an image file but a renamed .exe file that gets renamed to nabvwhy.exe and autorun (VirusTotal 16/62***) which is a slightly different -Trickbot- payload... An alternative download location is
http ://teracom .co.id/34steamballons.png ...
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/8...is/1499266638/
message_payment283.doc
** https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
202.169.44.149
94.42.91.27
*** https://www.virustotal.com/en/file/d...ff7f/analysis/
nabvwhy.exe
armor-conduite .com: 193.227.248.241: https://www.virustotal.com/en/ip-add...1/information/
> https://www.virustotal.com/en/url/93...2e47/analysis/
teracom .co.id: 202.169.44.149: https://www.virustotal.com/en/ip-add...9/information/
> https://www.virustotal.com/en/url/9c...dd04/analysis/
___
'AdGholas' malvertising ...
- https://blog.malwarebytes.com/cyberc...are-outbreaks/
July 5, 2017 - "... other threat actors have been quite active and perhaps even enjoyed this complimentary diversion. This is certainly true for the most prolific -malvertising- gang of the moment, dubbed 'AdGholas'... A master of disguise, AdGholas has been flying right under the nose of several top ad networks while benefiting from the ‘first to move’ effect. Indeed, the -malvertising- operators are able to quickly roll out and activate a -fake- advertising infrastructure for a few days before getting banned...
> https://blog.malwarebytes.com/wp-con...7/06/certs.png
... We collected artifacts that show us the redirection between the AdGholas group and the Astrum exploit kit. This kind of -redirect- is highly conditional in order to evade the majority of ad scanners. While many malvertising actors do not care about cloaking, it is very important to others such as AdGholas because stealthiness is a strength that contributes to its longevity...
IOCs:
AdGholas:
expert-essays[.]com
jet-travels[.]com
5.34.180.73
162.255.119.165
Astrum Exploit Kit:
uniy[.]clamotten[.]com
comm[.]clamotten[.]com
comp[.]computer-tutor[.]info
lexy[.]computer-tutor[.]info
sior[.]ccnacertification[.]info
kvely[.]our-health[.]us
nuent[.]mughalplastic[.]com
mtive[.]linksaffpixel[.]com
cons[.]pathpixel[.]com
sumer[.]pathlinkaff[.]com
nsruc[.]ah7xb[.]com
ction[.]ah7xb[.]com
nstru[.]onlytechtalks[.]com
const[.]linksaffpixel[.]com
quely[.]onlytechtalks[.]com
coneq[.]modweave[.]com
94.156.174.11 ..."
(More detail at the malwarebytes URL above.)
___
Fake 'invoice' SPAM - delivers java adwind malware
- https://myonlinesecurity.co.uk/fake-...g-java-adwind/
4 Jul 2017 - "... fake 'invoices' rather than their more usual method of fake 'MoneyGram' or 'Western Union money transfer' reports or updates...
Screenshot: https://myonlinesecurity.co.uk/wp-co...e-invoices.png
Payment Dunmore 27.26.170001.jar (566kb) - Current Virus total detections 12/58*. MALWR**... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/c...is/1499145423/
** https://malwr.com/analysis/ZTI2MTE2M...BiNWE0NmNlNGE/
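Added example (my own code, not from myonlinesecurity or Malwarebytes): the indicator lists in these posts are defanged two different ways - the "tag27 .com" / "http ://" spacing in the 'Receipt to print' WSF download list, and the "expert-essays[.]com" brackets in the AdGholas IOCs. Before any of it can feed a proxy or DNS blocklist it has to be refanged, split into URLs, hosts and IPs, and de-duplicated without mistaking path components like nvidia4.dvr for hostnames. The sample lines are constructed in those styles (plus the common hxxp:// convention, which these posts do not use); the file-extension filter is a heuristic stand-in for a real public-suffix-list check.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed sample lines in the defanging styles seen in these posts. Not a
# verbatim copy of any one list above.
SAMPLE_LINES = [
    "tag27 .com/08345ug? > 162.210.102.220",
    "78tguyc876wwirglmltm .net/af/08345ug > 119.28.86.18",
    "http ://pilotosvalencia .com/sergollinhols.png",
    "expert-essays[.]com",
    "uniy[.]clamotten[.]com",
    "5.34.180.73",
    "hxxp://3eee22abda47 .faith/nvidia4.dvr",
]

URL_RE = re.compile(r"\bhttps?://[^\s<>\"']+", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
# Heuristic: a bare "name.ext" ending in a file extension is a filename, not a host.
# A production extractor should validate the suffix against the public suffix list.
FILE_EXTENSIONS = {"exe", "dll", "js", "jse", "wsf", "vbs", "jar", "zip", "png",
                   "jpg", "gif", "doc", "xls", "php", "html", "htm", "txt", "mem"}


def refang(text: str) -> str:
    """Undo the defanging conventions used in these posts so indicators parse."""
    text = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", text)                 # example[.]com
    text = re.sub(r"\bhxxp", "http", text, flags=re.I)                 # hxxp://
    text = re.sub(r"\b(https?)\s+://", r"\1://", text, flags=re.I)     # "http ://"
    text = re.sub(r"(?<=[a-z0-9])\s+\.(?=[a-z0-9])", ".", text, flags=re.I)  # "tag27 .com"
    return text


@dataclass
class Indicators:
    urls: set = field(default_factory=set)
    domains: set = field(default_factory=set)
    ips: set = field(default_factory=set)


def _add_ip(ind: Indicators, candidate: str) -> None:
    try:
        ipaddress.IPv4Address(candidate)       # rejects shapes like 999.1.1.1
    except ValueError:
        return
    ind.ips.add(candidate)


def extract_indicators(lines) -> Indicators:
    ind = Indicators()
    for raw in lines:
        line = refang(raw)
        # URLs first: take the host from the parsed URL, then blank the URL out so
        # path components such as "nvidia4.dvr" are not mistaken for domains.
        for url in URL_RE.findall(line):
            ind.urls.add(url)
            host = (urlsplit(url).hostname or "").lower()
            if IPV4_RE.fullmatch(host):
                _add_ip(ind, host)
            elif host:
                ind.domains.add(host)
        rest = URL_RE.sub(" ", line)
        for ip in IPV4_RE.findall(rest):
            _add_ip(ind, ip)
        for dom in DOMAIN_RE.findall(rest):
            if dom.rsplit(".", 1)[-1].lower() in FILE_EXTENSIONS:
                continue
            ind.domains.add(dom.lower())
    return ind


def render_blocklist(ind: Indicators) -> list:
    """Flat, sorted list for a proxy/DNS blocklist or a SIEM watchlist."""
    return ([f"ip {ip}" for ip in sorted(ind.ips, key=ipaddress.IPv4Address)]
            + [f"domain {d}" for d in sorted(ind.domains)]
            + [f"url {u}" for u in sorted(ind.urls)])


if __name__ == "__main__":
    for entry in render_blocklist(extract_indicators(SAMPLE_LINES)):
        print(entry)
```

Note the order of operations in refang(): brackets are removed before the spacing rule, and URLs are parsed and removed before the bare-domain regex runs; doing it the other way round either leaves "expert-essays.com" unmatched or turns every filename in a URL path into a bogus domain.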
Fake 'wire request', 'eFax' SPAM
FYI...
Fake 'wire request' SPAM - delivers banking trojan
- https://myonlinesecurity.co.uk/fake-...anking-trojan/
6 Jul 2017 - "An email with the subject of 'The wire request is unsuccessful!' pretending to come from Billing Support using random senders & email addresses with a malicious word doc attachment delivers Chthonic banking trojan...
Screenshot: https://myonlinesecurity.co.uk/wp-co...ng-support.png
printed_ty_0717.doc - Current Virus total detections 12/58*. Payload Security** shows a download from
http ://185.117.73.105 /bofasup.exe (VirusTotal 13/57***)... alternative doc detections [1] [2]. Other download locations include: (there are 3 download locations hard coded in the macro):
http ://185.45.192.116 /bofasup.exe
http ://185.117.72.251 /bofasup.exe
... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/0...is/1499318502/
** https://www.hybrid-analysis.com/samp...ironmentId=100
*** https://www.virustotal.com/en/file/d...e397/analysis/
bofasup.exe
1] https://www.virustotal.com/en/file/b...3968/analysis/
printed_copy_da_0717.doc
Detection ratio: 13/57
2] https://www.virustotal.com/en/file/8...is/1499319821/
copy_wt_0717.doc
Detection ratio: 11/57
___
Fake 'eFax' SPAM - malicious doc/xls attachment
- https://myonlinesecurity.co.uk/more-...ivers-malware/
6 Jul 2017 - "... spoofed eFax message from 1 month ago[1], the same gang are using a similar range of fake e-faxcorporatexxx.top domains to send these malspam emails. Today’s comes with the usual typical subject of 'eFax message from “0300 200 3822” – 2 page(s)' coming from eFax <message@ e-faxcorporate102 .top> with a malicious word doc attachment which delivers some sort of malware...
1] https://myonlinesecurity.co.uk/fake-...-and-trickbot/
Screenshot: https://myonlinesecurity.co.uk/wp-co.../efax_nest.png
The word doc looks like:
> https://myonlinesecurity.co.uk/wp-co...gedoc_nest.png
SecureMessage.doc - Current Virus total detections 6/57*... Joesandbox** shows a download from
http ://5.149.252.155 /parcelon13.exe (VirusTotal 15/63***)...
This email attachment contains what appears to be a genuine word doc -or- Excel XLS spreadsheet with either a macro script -or- an embedded OLE object that when run will infect you... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/2...is/1499264264/
SecureMessage.doc
** https://jbxcloud.joesecurity.org/analysis/304760/1/html
*** https://www.virustotal.com/en/file/c...is/1499306577/
e-faxcorporate102 .top: 46.8.221.104: https://www.virustotal.com/en/ip-add...4/information/
Fake 'BACs documents' SPAM
FYI...
Fake 'BACs documents' SPAM - delivers Trickbot
- https://myonlinesecurity.co.uk/fake-...anking-trojan/
7 Jul 2017 - "An email with the subject of 'FW: Important BACs documents' pretending to come from Royal Bank of Scotland but actually coming from a look-a-like domain <Secure.Delivery@ rbsdocs .co.uk> with a -link- to a malicious zip attachment containing a .js file... delivering Trickbot banking Trojan... criminals sending these have registered various domains that look like genuine Bank domains. Normally there are 3 or 4 newly registered domains that -imitate- the bank or some message sending service that can easily be confused with a legitimate organisation in some way that send these. So far we have only found 1 domain today:
rbsdocs .co.uk > 160.153.162.130
As usual they are registered via Godaddy as registrar and hosted by Godaddy on ip 160.153.162.130 but the emails are being sent via host Europe 85.93.88.125...
Screenshot: https://myonlinesecurity.co.uk/wp-co...s_trickbot.png
Rbs_Account_BACs.js - Current Virus total detections 1/57*. Payload Security** shows a download from
http ://mutfakdolabisitesi .com/grandsergiostalls.png which of course is -not- an image file but a renamed .exe file that gets renamed to qkY5ijY.exe and autorun (VirusTotal 12/64***)... The basic rule is NEVER open any attachment -or- link in an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/2...is/1499423876/
Rbs_Account_BACs.js
** https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
46.235.11.61
50.19.227.215
37.120.182.208
78.47.139.102
*** https://www.virustotal.com/en/file/b...is/1499422646/
mutfakdolabisitesi .com: 46.235.11.61: https://www.virustotal.com/en/ip-add...1/information/
> https://www.virustotal.com/en/url/f9...b157/analysis/
rbsdocs .co.uk: 160.153.162.130: https://www.virustotal.com/en/ip-add...0/information/
> https://www.virustotal.com/en/url/8d...dfec/analysis/
___
'Facebook Lottery' - Scam
- https://myonlinesecurity.co.uk/facebook-lottery-scam/
7 Jul 2017 - "'Oh look I have won the Facebook Lottery', or might have done if there actually was such a thing. Unfortunately it is all a big scam. If you were unwise enough to reply, all you would get is a request for a sum of money for Post & packing and the transfer fee for the money. To make it more attractive than usual, apart from the just over $1m money they are giving you a Facebook cap, tee shirt and wallet, 'Wow! how exciting!'. To show how clueless or how they don’t filter or check email addresses they send to, this was sent to a spam-trap-email address...
Screenshot: https://myonlinesecurity.co.uk/wp-co...ok-lottery.png
Email Headers:
124.153.79.193 - mailgw.notvday .in...
188.207.76.172 - static.kpn .net...
Fake 'Delivery Status', 'Secure Communication' SPAM
FYI...
Fake 'Delivery Status' SPAM - delivers ransomware
- https://myonlinesecurity.co.uk/new-p...unce-messages/
10 July 2017 - "We were notified of a new ransomware version* last night. This new version comes as an email attachment which is a zip inside a zip before extracting to a .js file in a -fake- 'Delivery Status Notification, failed to deliver' email bounce message. The .js file in the email attachment is a PowerShell -script- and there are no other files involved. Nothing new is downloaded. When the files are encrypted they DO NOT change file name or extensions and appear “normal” to the victim until you try to open them. This is the same behaviour we have been seeing with the recent 'UPS failed to deliver'** nemucod ransomware versions...
* https://twitter.com/SecGuru_OTX/stat...36470910562304
** https://myonlinesecurity.co.uk/retur...ovter-payload/
Screenshot: https://myonlinesecurity.co.uk/wp-co...re_email-1.png
There is also a section in the script... causes a fake pop up message making the victim think that the file isn’t running properly:
> https://myonlinesecurity.co.uk/wp-co...ot_found-1.png
After the file has run and encrypted your files, you get a message left called _README-Encrypted-Files .html:
> https://myonlinesecurity.co.uk/wp-co...mware_note.jpg
As well as encrypting the usual image, music, video and document files this also encrypts databases files, email, and very unusually many executable file types. It also encrypts your bitcoin wallet and other similar financial files... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
1] https://www.virustotal.com/en/file/7...is/1499666506/
Readable Msg-j8k5b798d4.js
2] https://www.reverse.it/sample/7a6d5a...ironmentId=100
Readable Msg-j8k5b798d4.js
The sender domain is also the C2 http ://joelosteel .gdn/pi.php currently hosted by digitalocean .com on 165.227.1.206 ..."
joelosteel .gdn: 165.227.1.206: https://www.virustotal.com/en/ip-add...6/information/
> https://www.virustotal.com/en/url/66...e150/analysis/
___
Fake 'Secure Communication' SPAM - delivers Trickbot
- https://myonlinesecurity.co.uk/yet-a...anking-trojan/
10 Jul 2017 - "An email with the subject of 'Secure Communication' pretending to come from HM Revenue & Customs but actually coming from a look-alike-domain < Secure.Communication@ hrmccommunication .co.uk > with a malicious word doc attachment... delivering Trickbot banking Trojan... a very important site involved in today’s campaign with images being hosted on www .libdemvoice .org/wp-content/uploads/2012/06/HMRC-logo-300×102.jpg... they have been hosting an HMRC logo since 2012...
Screenshot: https://myonlinesecurity.co.uk/wp-co...rc_10_july.png
HMRC3909308823743.doc - Current Virus total detections 6/57*. Payload Security** shows a download from one of these 2 locations:
http ://pilotosvalencia .com/grazlocksa34.png -or- http ://ridderbos .info/grazlocksa34.png
which of course is -not- an image file but a renamed .exe file that gets renamed to Sonqa.exe and autorun (VirusTotal 10/63***)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/9...is/1499682599/
** https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
81.169.217.4
107.22.214.64
93.99.68.140
195.133.197.179
*** https://www.virustotal.com/en/file/9...c9cf/analysis/
pilotosvalencia .com: 81.169.217.4: https://www.virustotal.com/en/ip-add...4/information/
> https://www.virustotal.com/en/url/47...a61a/analysis/
ridderbos .info: 84.38.226.82: https://www.virustotal.com/en/ip-add...2/information/
> https://www.virustotal.com/en/url/e6...e526/analysis/
libdemvoice .org: 104.28.31.9: https://www.virustotal.com/en/ip-add...9/information/
104.28.30.9: https://www.virustotal.com/en/ip-add...9/information/
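Added example (my own code, not from myonlinesecurity): the Lloyds, NatWest, RBS and HMRC Trickbot posts above all pull a ".png" that "of course is -not- an image file but a renamed .exe" (sergollinhols.png, 34steamballons.png, grandsergiostalls.png, grazlocksa34.png). A proxy or endpoint control does not need the URL or the hash to stop that: it only needs to compare what the URL claims by extension with what the first bytes actually are. The check below identifies a PE properly (MZ stub plus the PE\0\0 signature at e_lfanew, not just "starts with MZ"), recognises ELF and the common image magics, and blocks any executable or any claimed image whose bytes say otherwise. The PE stub and PNG header are constructed for the demonstration and are not real files.

```python
from __future__ import annotations

import struct
from typing import Optional
from urllib.parse import urlsplit

# What the URL claims, by extension, against what the leading bytes actually are.
IMAGE_TYPES = {
    "png":  ({".png"},          (b"\x89PNG\r\n\x1a\n",)),
    "jpeg": ({".jpg", ".jpeg"}, (b"\xff\xd8\xff",)),
    "gif":  ({".gif"},          (b"GIF87a", b"GIF89a")),
}


def is_pe(data: bytes) -> bool:
    """True only for a real PE image: 'MZ' stub AND 'PE\\0\\0' at the e_lfanew offset."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def classify(data: bytes) -> str:
    """Content type from magic bytes: 'pe', 'elf', an image kind, or 'unknown'."""
    if is_pe(data):
        return "pe"
    if data.startswith(b"\x7fELF"):
        return "elf"
    for kind, (_, magics) in IMAGE_TYPES.items():
        if data.startswith(magics):
            return kind
    return "unknown"


def claimed_kind(url: str) -> Optional[str]:
    """Image type the URL's file extension claims, or None if it claims none we track."""
    name = urlsplit(url).path.rsplit("/", 1)[-1].lower()
    ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
    for kind, (exts, _) in IMAGE_TYPES.items():
        if ext in exts:
            return kind
    return None


def check_download(url: str, head: bytes) -> tuple:
    """Proxy/EDR style decision on a download: ('block' | 'allow', reason).
    Only the first few dozen bytes of the body are needed."""
    actual = classify(head)
    claimed = claimed_kind(url)
    if actual in ("pe", "elf"):
        return "block", f"{actual} executable served from {url}"
    if claimed and actual != claimed:
        return "block", f"{url} claims {claimed} but content is {actual}"
    return "allow", actual


def make_pe_stub() -> bytes:
    """Constructed minimal PE header: 'MZ', e_lfanew = 0x40, 'PE\\0\\0' at 0x40. Not runnable."""
    buf = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", buf, 0x3C, 0x40)
    return bytes(buf) + b"PE\x00\x00" + b"\x00" * 20


PNG_HEAD = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR"   # constructed PNG header fragment

if __name__ == "__main__":
    print(check_download("http://pilotosvalencia.com/sergollinhols.png", make_pe_stub()))
    print(check_download("http://example.invalid/logo.png", PNG_HEAD))
```

Checking e_lfanew rather than just the two MZ bytes avoids flagging every file that happens to begin with "MZ", and it is also what separates a real PE from the DOS-stub-only junk some packers leave behind. The same comparison belongs on the server side of a CDN or image host: if a "png" you are serving classifies as pe, someone has planted a payload on you, which is exactly what happened to the compromised sites named in these posts.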