Fake 'Voice Message' SPAM
FYI...
Fake 'Voice Message' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/fake-...ky-ransomware/
25 Sep 2017 - "... Locky ransomware.... They are sticking with 'Voice Message' theme again today. It is an email with the subject of 'Message from 02031136950' (random phone number) pretending to come from server@ random number.um .broadviewnet .net. They all come from 'Message Server' and the email address is server@ random number.um .broadviewnet .net...
Screenshot: https://myonlinesecurity.co.uk/wp-co...2031136950.png
Voice Message(02031136950.7z: Extracts to: Voice Message(02090039814).vbs - Current Virus total detections 10/58*. Payload Security**. These -vbs- files download from a large number of -compromised- sites. This example contacts
asheardontheradiogreens .com/YTkjdJH7w1
tertrodefordown .info/af/YTkjdJH7w1
artplast .uz/YTkjdJH7w1?
where a txt file is downloaded. The file is a actually a renamed.exe file (VirusTotal 17/65***). With these if there is a ? at the end of a URL, you get a renamed.txt file. If there is no ? you get an .exe that has no extension... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/e...is/1506322168/
Voice Message(02090039814).vbs
** https://www.hybrid-analysis.com/samp...ironmentId=100
199.30.241.139
*** https://www.virustotal.com/en/file/b...is/1506322258/
YTkjdJH7w1.txt
asheardontheradiogreens .com: 199.30.241.139: https://www.virustotal.com/en/ip-add...9/information/
> https://www.virustotal.com/en/url/cd...05d7/analysis/
tertrodefordown .info: 49.51.36.73: https://www.virustotal.com/en/ip-add...3/information/
> https://www.virustotal.com/en/url/fa...0c52/analysis/
artplast .uz: 62.209.133.18: https://www.virustotal.com/en/ip-add...8/information/
> https://www.virustotal.com/en/url/2e...f65d/analysis/
:fear::fear: :mad:
Fake 'eFax and Virgin Media' SPAM
FYI...
Fake 'eFax and Virgin Media' SPAM - deliver Dridex
- https://myonlinesecurity.co.uk/dride...-virgin-media/
26 Sep 2017 - "... Dridex Banking Trojans being delivered via malspam emails... The 2 that I have looked at so far are:
'Your Virgin Media bill is ready' coming from Virgin Media <webteam@ virginmedia.smebusinesslink .com>'
'Corporate eFax message' from “Unknown” – 4 page(s), Caller-ID: 44-161-261-1924 coming from eFax Corporate <message@ efax.inboundcop .com>
... the criminals sending these have registered look-a-like or plausible domains: they are actually using subdomains of these domains that make a recipient think that the emails are coming from a “proper” message sending service... The emails are just about identical to those on these 2 pages with the dates and amounts changed:
smebusinesslink .com on 24th September 2017 using eranet .com as registrar and hosted on OVH 188.165.217.40
> https://myonlinesecurity.co.uk/fake-...-and-trickbot/
inboundcop .com on 24th September 2017 using eranet .com as registrar and hosted on OVH 188.165.232.177 ...
> https://myonlinesecurity.co.uk/fake-...-and-trickbot/
They are sending these emails from a whole range of IP addresses (all tracking back to various subdomains of the 2 main -fraudulent- domains) under the control of these criminals that pass email authentication for the -fake- domains:
46.105.101.20
46.105.101.72
46.105.101.110
54.36.192.0/24
94.23.32.95
188.165.217.40
188.165.217.44
188.165.200.80
188.165.215.105
188.165.215.115
188.165.239.123
188.165.232.177
188.165.217.228
... The emails are just about identical to those on these 2 pages with the dates and amounts changed:
> 'Virgin Media Your Virgin Media bill is ready' ... and 'e Fax' ...
The link in the email goes to a -compromised- or fraudulently-set-up OneDrive for business/SharePoint site where a zip file containing a .js file is downloaded...
The virgin site is:
https ://grllen-my.sharepoint .com/personal/misaacs_grllen_com_au/_layouts/15/guestaccess.aspx?docid=0f577514318c64d3a83fdc412856063e6&authkey=AZhzom6O9TOyFzZv4HUJ6zM
where a .js file is downloaded. That downloads 46.105.102.161 /PDF/Virginmedia_bill_25_09_2017_3 .pdf
an innocent PDF file of a -genuine- Virgin media bill and displays that while at the same time downloads the Dridex banking Trojan in the background (I cannot determine the actual download location of the Dridex Trojan from the reports)
Virginmedia_bill_25_09_2017_3.zip: Extracts to: Virginmedia_bill_25_09_2017_3.js
Current Virus total detections 4/58[1]. Payload Security[2] | Dridex Payload - VirusTotal 13/61[3]|
Payload Security[4] |
The eFax site is:
https ://ucg1-my.sharepoint .com/personal/janet_lau_ucg_co_nz/_layouts/15/guestaccess.aspx?docid=0eab92172e4fb424093bc21e476a6a698&authkey=AT_9AE00prV_R0aRf9HYOtg
where another js file is downloaded. That also downloads an innocent PDF file from
188.165.193.38 /PDF/FAX_20170925_1401908954_6.pdf
saying it all about the Rural Payments agency and displays that while at the same time downloads the
-Dridex- banking Trojan in the background (I cannot determine the actual download location of the Dridex Trojan from the reports)...:
FAX_20170925_1401908954_6.zip: Extracts to: FAX_20170925_1401908954_6.js
Current Virus total detections 7/59[5]: Payload Security[6] | Dridex Payload - VirusTotal 13/61[7] |
Payload Security[8] |
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
1] https://www.virustotal.com/en/file/0...is/1506415697/
Virginmedia_bill_25_09_2017_3.js
2] https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
46.105.102.161
173.203.123.102
193.218.145.101
162.243.137.50
87.106.219.40
3] https://www.virustotal.com/en/file/9...is/1506415824/
4] https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
173.203.123.102
193.218.145.101
162.243.137.50
87.106.219.40
5] https://www.virustotal.com/en/file/5...is/1506418921/
FAX_20170925_1401908954_6.js
6] https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
104.146.230.59
188.165.193.38
173.203.123.102
193.218.145.101
162.243.137.50
87.106.219.40
7] https://www.virustotal.com/en/file/9...is/1506415824/
8] https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
173.203.123.102
193.218.145.101
162.243.137.50
87.106.219.40
grllen-my.sharepoint .com: 13.107.6.151: https://www.virustotal.com/en/ip-add...1/information/
ucg1-my.sharepoint .com: 13.107.6.151
188.165.217.40: https://www.virustotal.com/en/ip-add...0/information/
188.165.232.177: https://www.virustotal.com/en/ip-add...7/information/
:fear::fear: :mad:
Fake 'UPS' SPAM, Email credential phish, JavaScript - Stealer
FYI...
Fake 'UPS' SPAM - tries to deliver malware
- https://myonlinesecurity.co.uk/fake-...liver-malware/
27 Sep 2017 - "... malware downloaders... an email with the subject of 'UPS Ship Notification, Tracking Number 1Z51322Y3483221007' (random numbers) pretending to come from UPS Quantum View <pkginfo26@ ups .com> (random pkginfo numbers)...
Screenshot: https://myonlinesecurity.co.uk/wp-co...3483221007.png
... following the link gives you a webpage looking like one of these screenshots pressing login does different things or -nothing- depending on the site:
> https://myonlinesecurity.co.uk/wp-co...S_tracking.png
This is a slightly more complicated infection chain that usual. There are -dozens- of different sites in the emails -hidden- behind the shipment details link. A lot of them don’t do anything except display a -fake- UPS website. Some however are connecting via an -iframe- to download
http ://rateventrithathen .info/track.php which gave me TRACK-1Z68725Y5236890147.js
Current Virus total detections 2/59*. Payload Security** | Joe Security***
Neither online sandbox retrieved any payload, whether the sites are blocked or the JS is VM aware is unknown... The basic rule is NEVER open any attachment or link in email, unless you are expecting it..."
* https://www.virustotal.com/en/file/a...is/1506504272/
TRACK-1Z68725Y5236890147.js
** https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
49.51.36.73
*** https://jbxcloud.joesecurity.org/analysis/378185/1/html
rateventrithathen .info: 49.51.36.73: https://www.virustotal.com/en/ip-add...3/information/
> https://www.virustotal.com/en/url/39...64cf/analysis/
___
Email credential phish...
- https://myonlinesecurity.co.uk/email...invoice-scams/
27 Sep 2017 - "... seeing a series of “attacks” using Adobe as the lure. So far I have seen 2 different ones...
Screenshot:
1] https://myonlinesecurity.co.uk/wp-co...ment-email.png
This email has a genuine PDF attachment with a link to http ://bit .ly/2wTMuYg which will -redirect- you to
http ://cloudy-exch .pw/invoice/update.HTML. There is a warning on the bit.ly page that alerts to it being a phishing or malware site but will -still- allow you to visit the page by clicking-the-link:
> https://myonlinesecurity.co.uk/wp-co...tement_pdf.png
... However downloading the html file will open in Firefox only on the computer.
The page looks like this:
> https://myonlinesecurity.co.uk/wp-co...text_adobe.png
... where -if- you enter any details and press submit, you are redirected to https ://drive.google .com/file/d/0BxKSeHpNweSsWldNaGpUMDlHWW8/view
... where you see this -fake- statement:
> https://myonlinesecurity.co.uk/wp-co...ogle_drive.png
The next -phishing-scam- works right out of the box with no effort:
2] https://myonlinesecurity.co.uk/wp-co...ice-Urgent.png
This PDF attachment looks like:
> https://myonlinesecurity.co.uk/wp-co...-Order_pdf.png
Where -if- you follow the link you go to
https ://app-onlinedoc.000webhostapp .com/Inv-47654345584.php?code=2000500 where you see:
> https://myonlinesecurity.co.uk/wp-co...adobe_scam.png
Entering details tries to -redirect- you to
http ://alliancecr .com/skd/xendr.php , Where I get a 404 page not found (a quick look up shows the site registered by Godaddy in 2001, The DNS is managed by Cloudflare and there is no site found, so it is highly likely that Cloudflare have null routed the DNS already)... A quick look at the source code of the 000webhost page shows that it appears to try to send the information via Googlemail... Update: within minutes of reporting the 000webhost site, it was taken down. That is fast abuse response. I wish all webhosts were so quick and efficient..."
cloudy-exch .pw: 185.158.249.100: https://www.virustotal.com/en/ip-add...0/information/
> https://www.virustotal.com/en/url/5a...37b8/analysis/
app-onlinedoc.000webhostapp .com: 145.14.145.6: https://www.virustotal.com/en/ip-add...6/information/
alliancecr .com: Could not find an IP address for this domain name...
___
JavaScript and Stealer DLL Variant in New Attacks
- http://blog.talosintelligence.com/20...7-stealer.html
Sep 27, 2017 - "... a newly discovered -RTF- document family that is being leveraged by the FIN7 group (also known as the Carbanak gang) which is a financially-motivated group targeting the financial, hospitality, and medical industries. This document is used in -phishing- campaigns to execute a series of scripting languages containing multiple obfuscation mechanisms and advanced techniques to bypass traditional security mechanisms. The document contains messages enticing the user to click on an embedded object that executes scripts which are used to infect the system with an information stealing malware variant. This malware is then used to steal passwords from popular browsers and mail clients which are sent to remote nodes that are accessible to the attackers... The dropper variant that we encountered makes use of an LNK file to execute wscript.exe with the beginning of the JavaScript chain from a word document object...
Command and Control IPs"
104.232.34.36: https://www.virustotal.com/en/ip-add...6/information/
5.149.253.126: https://www.virustotal.com/en/ip-add...6/information/
185.180.197.20: https://www.virustotal.com/en/ip-add...0/information/
195.54.162.79: https://www.virustotal.com/en/ip-add...9/information/
31.148.219.18: https://www.virustotal.com/en/ip-add...8/information/
(More detail at the talosintelligence URL above.)
:fear::fear: :mad:
Fake 'invoice', 'Office 365 invoice', 'order' SPAM
FYI...
Fake 'invoice' SPAM - deliver Locky/Trickbot
- https://myonlinesecurity.co.uk/anoth...large-js-file/
29 Sep 2017 - "... Locky downloaders... an email with a blank/empty subject pretending to come from random names and email addresses. The body content pretends to be an 'invoice' notification. There are -no- attachments with these emails but a link-in-the-email-body goes to various -compromised- sites to download a .js file. As far as I can tell the actual Locky payload is -embedded- inside the .js file. For some strange reason the js file is named voicemsg_random numbers.js which would indicate that this was intended or has also been used in a voice message scam attempt to deliver Locky as well. The other strange thing in this campaign is the url in the body. All the ones I received are broken and start with 'ttp://' but looking at the mailscanner they look normal with a -complete- html on my server they look -normal- with a complete html and start with the proper 'http://'...
Screenshot: https://myonlinesecurity.co.uk/wp-co...nk-subject.png
voicemsg_088436.js - 410.7 KB (420558 bytes) - Current Virus total detections 5/59*. Payload Security**
| drops 1102.exe 298.0 KB (305152 bytes) - VirusTotal 14/65[3] - Payload Security[4].
Nothing is actually detecting these as -Locky- Ransomware and in fact some AV on VirusTotal detect as
-Cerber- Ransomware. I am only calling these Locky based on the
moroplinghaptan .info/eroorrrs post request (giving a 404) shown in the Payload Security report. This has been a strong Indicator-of-Compromise (IOC) for Locky recently.
> Update: I am reliably informed that it depends on your IP address and location what malware you get. You will either get
-Locky- Ransomware or -Trickbot- banking Trojan embedded inside the .js file.
Some of the download sites in the emails include:
http ://resortphotographics .com/invoice.html
http ://somallc .com/invoice.html
http ://pinkyardflamingos .com/invoice.html
http ://agregate-cariera .ro/invoice.html
http ://sgtenterprises .com/invoice.html
http ://weloveflowers .co.uk/invoice.html
They all use an -iframe- to actually download from
http ://moroplinghaptan .info/offjsjs/ - This site has been used in a later Locky campaign today that was spoofing voicemessages...
The basic rule is NEVER open any attachment or -link- an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/b...is/1506691940/
voicemsg_088436.js
** https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
49.51.133.167
216.58.213.174
3] https://www.virustotal.com/en/file/3...is/1506692289/
1102.exe
4] https://www.hybrid-analysis.com/samp...ironmentId=100
moroplinghaptan .info: 49.51.133.167: https://www.virustotal.com/en/ip-add...7/information/
> https://www.virustotal.com/en/url/47...a588/analysis/
___
Fake 'Office 365 invoice' - delivers Locky
- https://myonlinesecurity.co.uk/fake-...ky-ransomware/
29 Sep 2017 - "The 3rd version I have seen today... Locky downloaders has gone back to a traditional zip (7z) attachment containing a vbs file. This is an email pretending to be an 'Office 365 Invoice' with the subject of 'Invoice' pretending to come from the -same-name- that is in the recipient field. Random names & email addresses...
Screenshot: https://myonlinesecurity.co.uk/wp-co...voice_O365.png
604173.7z: Extracts to: Invoice_930546166795.vbs - Current Virus total detections 10/58*. Payload Security**
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/8...is/1506683968/
** https://www.virustotal.com/en/file/8...is/1506683968/
Contacted Hosts
185.57.172.213: https://www.virustotal.com/en/ip-add...3/information/
___
Fake 'order' SPAM - delivers malware
- https://myonlinesecurity.co.uk/fake-...ivers-malware/
29 Sep 2017 - "... malware today, all using -different- or unusual delivery methods. This next example is about an order confirmation. The attachment is a .uue attachment. Winzip says it can open .UUE files but only extracted a -garbled- encrypted/encoded txt file. Universal extractor extracted a working .exe file...
Screenshot: https://myonlinesecurity.co.uk/wp-co...rder_email.png
order290917.uue: (virusTotal 4/58*) - Extracts to: order290917.exe - Current Virus total detections 14/64**
Payload Security***... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/f...is/1506681970/
order290917.uue
** https://www.virustotal.com/en/file/3...is/1506696900/
order290917.exe
*** https://www.hybrid-analysis.com/samp...ironmentId=100
:fear::fear: :mad:
Fake 'FedEx', 'Shipping', 'Cash Statement' SPAM
FYI...
Fake 'FedEx' SPAM - leads to info stealer
- https://isc.sans.edu/diary/rss/22888
2017-10-03 - "... On Monday 2017-10-02, I ran across malicious spam (malspam) pushing Formbook, an information stealer. Arbor Networks has a good article about Formbook here:
> https://www.arbornetworks.com/blog/a...-form-grabber/
... The email is disguised as a 'FedEx delivery notice'. It has a-link-to-a-compromised-website that's hosting malware. The link points to a supposed document for this fake delivery:
> https://isc.sans.edu/diaryimages/ima...y-image-01.jpg
Clicking on-the-link (DON'T) returned a RAR archive. The RAR archive contains a Windows executable that's poorly-disguised as some sort of receipt... indicators seen during the infection from Formbook malspam on Monday 2017-10-02:
Email:
Date/Time: 2017-11-02 at 14:23 UTC
Subject: Re: Alert: FedEx OFFICE Delivery® ... 17-10-02, at 07:22:11 AM BA
From: "DOCUMENT2017" <gifcos@ tutanota.com>
Link from the email: hxxps ://superiorleather .co.uk/Receipt.r22
Traffic seen when retrieving the RAR archive:
185.46.121.66 [1] port 443 - superiorleather .co.uk - GET /Receipt.r22 ..."
1] 185.46.121.66: https://www.virustotal.com/en/ip-add...6/information/
> https://www.virustotal.com/en/url/97...6369/analysis/
Post-infection traffic:
47.90.52.201 port 80 - www .shucancan .com - GET /ch/?id=[80 character ID string]
52.87.61.120 port 80 - www .ias39 .com - GET /ch/?id=[80 character ID string]
66.206.43.242 port 80 - www .fairwaytablet .com - GET /ch/?id=[80 character ID string]
103.38.43.236 port 80 - www .chunsujiayuan .com - GET /ch/?id=[80 character ID string]
104.250.134.156 port 80 - www .ebjouv .info - GET /ch/?id=[80 character ID string]
104.31.80.135 port 80 - www .dailyredherald .com - GET /ch/?id=[80 character ID string]
153.92.6.50 port 80 - www .beykozevdenevenakliyatci .com - GET /ch/?id=[80 character ID string]
162.242.173.39 port 80 - www .238thrift .com - GET /ch/?id=[80 character ID string]
180.178.39.66 port 80 - www .et551 .com - GET /ch/?id=[80 character ID string]
195.154.21.65 port 80 - www .lesjardinsdemilady .com - GET /ch/?id=[80 character ID string]
198.54.114.238 port 80 - www .prfitvxnfe .info - GET /ch/?id=[80 character ID string]
199.34.228.59 port 80 - www .craigjrspestservice .com - GET /ch/?id=[80 character ID string]
162.242.173.39 port 80 - www .238thrift .com - POST /ch/
198.54.114.238 port 80 - www .prfitvxnfe .info - POST /ch/ "
(More detail @ the isc URL above.)
> http://www.malware-traffic-analysis..../03/index.html
___
Fake 'Shipping' SPAM - delivers malware
- https://myonlinesecurity.co.uk/fake-...ivers-malware/
3 Oct 2017 - "... an email with the subject of 'Re: Shipping arrangement process' pretending to come from Valero .com but coming from Anna Brugt <dhen.ordonez@ ritetrend .com.ph>...
Screenshot: https://myonlinesecurity.co.uk/wp-co...nt-process.png
There is a-link-in-the-email body to
http ://www.oysterpublicschool .com//hy/reciept/_outputC9E322F.exe which gives a 404,
but there is also a RAR attachment with a file of the same name. It is highly likely that other versions of this email will have a different download link, that might be active.
_outputC9E322F.rar: Extracts to: _outputC9E322F.exe - Current Virus total detections 15/66*. Payload Security**
The basic rule is NEVER open any attachment -or- link in an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/2...is/1507051011/
_outputC9E322F.exe
** https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
109.169.89.11
oysterpublicschool .com: 192.185.115.66: https://www.virustotal.com/en/ip-add...6/information/
___
Fake 'Cash Statement' SPAM - delivers malware
- https://myonlinesecurity.co.uk/cash-...ivers-malware/
3 Oct 2017 - ... Malware downloaders... an email with the subject of 'Cash Statement of Account 10/03/2017' coming from Front Desk <reception@ st-timsrc .org>...
Screenshot: https://myonlinesecurity.co.uk/wp-co...10-03-2017.png
The email has a pdf attachment with a link to
https ://goo .gl/4tzM3b which redirects to
http ://uae-moneyremit .top/plugins/cfare.html where you seen a page like this asking you to install a plugin to view the page:
> https://myonlinesecurity.co.uk/wp-co...gin_needed.png
Pressing install will download
https ://www.dropbox .com/s/piw5k38lytremqz/firefoxplugin_install.exe (VirusTotal 13/64*) (Payload Security**)
We have had a series of these emails recently (28 September 2017) was DAY END CASH PAYMENT REPORT AS ON 28/09/2017 which delivered fxplugin_install.exe (VirusTotal 44/65[3]) (Payload Security[4]) which was netwire RAT...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/b...is/1507058018/
firefoxplugin_install.exe
** https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
5.206.227.248
3] https://www.virustotal.com/en/file/2...is/1506917666/
4] https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
85.159.233.23
:fear::fear: :mad:
Fake 'Copy of invoice', 'Payment Confirmation' SPAM
FYI...
Fake 'Copy of invoice' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/fake-...ky-ransomware/
4 Oct 2017 - "... Locky downloaders... an email with the subject of 'Copy of invoice A5165059014. Please find your invoice attached' pretending to come from online@ screwfix .com...
Screenshot: https://myonlinesecurity.co.uk/wp-co...e-attached.png
InvoiceA5165059014.7z: Extracts to: Invoice558727316499528791952132.vbs - Current Virus total detections 6/59*
Payload Security** downloads from one of these hard coded locations in this vbs. (There will be numerous others):
“spazioireos .it/8etyfh3ni?”,
”derainlay .info/p66/8etyfh3ni”,
”turfschiploge .nl/8etyfh3ni?” (VirusTotal 16/65[3])...
> Update: current list of known download sites PASTEBIN(a) thanks to Racco42(b)
a) https://pastebin.com/ajXf4k0f
b) https://twitter.com/Racco42
The basic rule is NEVER open any attachment or link in an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/d...is/1507106667/
Invoice558727316499528791952132.vbs
** https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
81.29.205.233
3] https://www.virustotal.com/en/file/7...is/1507107227/
spazioireos .it: 81.29.205.233: https://www.virustotal.com/en/ip-add...3/information/
derainlay .info: https://en.wikipedia.org/wiki/Fast_flux
turfschiploge .nl: 46.235.43.11: https://www.virustotal.com/en/ip-add...1/information/
___
Fake 'Payment Confirmation' SPAM - delivers java adwind
- https://myonlinesecurity.co.uk/fake-...s-java-adwind/
4 Oct 2017 - "... -fake- financial themed emails containing java adwind or Java Jacksbot attachments or -links- to download them. I have previously mentioned many of these HERE[1]...
1] https://myonlinesecurity.co.uk/?s=java+adwind
Screenshot: https://myonlinesecurity.co.uk/wp-co...nfirmation.png
Xpress Money Payment Confirmation.jar (462kb) - Current Virus total detections 16/62*. Payload Security**...
All the links-in-the-email (including the -image- of an XLS file) go to the-same-url (guaranteed to be a compromised site), where the all the site content is now about QTUM, a -bitcoin- exchange. I have been seeing several compromised malware delivery sites recently with all their content changed to the QTUM content) to download a zip file:
http ://restaurantelburladero .com/Xpress Money Payment Confirmation.z (.z is a file extension that many unzipping utilities will extract from, although not commonly used)... The basic rule is NEVER open any attachment or link in an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/e...is/1507035357/
Scan 2017100323 114727.xls Here.JAR
** https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
216.58.209.238
restaurantelburladero .com: 5.2.88.79: https://www.virustotal.com/en/ip-add...9/information/
> https://www.virustotal.com/en/url/a5...fc97/analysis/
___
'Dnsmasq' - multiple vulnerabilities
> https://www.helpnetsecurity.com/2017...dnsmasq-flaws/
Oct 3, 2017
> https://www.kb.cert.org/vuls/id/973527
2 Oct 2017
> http://www.securitytracker.com/id/1039474
Oct 2 2017
:fear::fear: :mad: