Fake 'Payment Advice' SPAM
FYI...
Fake 'Payment Advice' SPAM - delivers Trickbot
- https://myonlinesecurity.co.uk/fake-...anking-trojan/
5 Oct 2017 - "An email with the subject of 'Important – Payment Advice' pretending to come from HSBC but actually coming from a look-a-like domain HSBC <no-reply@ hsbcpaymentadvice .com> or HSBC <no-reply@ hsbcadvice .com> with a malicious word doc attachment is today’s latest spoof of a well-known company, bank or public authority delivering Trickbot banking Trojan... there is a slight formatting problem in Outlook, where the emails arrive with a -blank- body. Reading in plain text or using view source, shows the content...
Screenshot: https://myonlinesecurity.co.uk/wp-co...vice_-HSBC.png
SecureMessage.doc - Current VirusTotal detections 10/59*. Payload Security**
This malware file downloads from
http ://diga-consult .de/ser1004.png which of course is -not- an image file but a renamed .exe file that gets renamed to aqdccc.exE (VirusTotal 13/65***). An alternative download location is
http ://hill-familie .de/ser1004.png
This email -attachment- contains a genuine word doc with a macro script that when run will infect you.
The word doc looks like:
> https://myonlinesecurity.co.uk/wp-co...c_4_Oct_17.png
... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/0...is/1507166812/
** https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
87.106.222.158
64.182.208.181
194.87.92.191
*** https://www.virustotal.com/en/file/a...is/1507170157/
ser1004.png
diga-consult .de: 87.106.222.158: https://www.virustotal.com/en/ip-add...8/information/
> https://www.virustotal.com/en/url/59...8c0e/analysis/
hill-familie .de: 148.251.5.116: https://www.virustotal.com/en/ip-add...6/information/
> https://www.virustotal.com/en/url/cf...7ff4/analysis/
:fear::fear: :mad:
Fake 'Payment history' SPAM
FYI...
Fake 'Payment history' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/locky...-of-zip-files/
6 Oct 2017 - "... Locky downloaders... an email with the subject of 'Payment history' pretending to come from accounts @ random email addresses and companies.... encoding the files today and the so called 7z attachment is actually a base64 file that needs decoding to get the 7z file, before extracting the VBS...
Screenshot: https://myonlinesecurity.co.uk/wp-co...ocky-email.png
62046_Remittance.7z: decoded from base64 and extracts to: 872042 Remittance.vbs
Current VirusTotal detections 9/60*. Payload Security**
This particular VBS has these URLs hardcoded (there will be loads of others)
"asheardontheradiogreens .com/uywtfgh36?",
"thedarkpvp .net/p66/uywtfgh36",
"2-wave .com/uywtfgh36?" (VirusTotal 14/66[3]) (Payload Security[4])...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/a...is/1507281470/
872042 Remittance.vbs
** https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
216.58.213.142
74.125.160.39
199.30.241.139
91.142.170.187
209.54.62.81
[3] https://www.virustotal.com/en/file/7...is/1507281734/
freSUUFBdtY.exe
[4] https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
173.223.106.227
asheardontheradiogreens .com: 199.30.241.139: https://www.virustotal.com/en/ip-add...9/information/
thedarkpvp .net: https://en.wikipedia.org/wiki/Fast_flux
2-wave .com: 209.54.62.81: https://www.virustotal.com/en/ip-add...1/information/
:fear::fear: :mad:
Fake 'Remittance Advice' SPAM
FYI...
Fake 'Remittance Advice' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/locky...-working-zips/
9 Oct 2017 - "... Locky downloaders... the same email as last Friday* with the subject of 'Your Remittance Advice' pretending to come from accounts @ random email addresses and companies...
* https://myonlinesecurity.co.uk/locky...-of-zip-files/
Screenshot: https://myonlinesecurity.co.uk/wp-co...ocky-email.png
43699 Remittance.7z: decoded from base64 and extracts to: Invoice IP8729962.vbs
Current VirusTotal detections 6/59*. Payload Security** | This particular VBS has these URLs hardcoded (there will be loads of others)
"anderlaw .com/8734gf3hf?",
"scottfranch .org/p66/8734gf3hf",
"cagliaricity .it/8734gf3hf?" (VirusTotal 13/65***)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/5...is/1507542515/
Invoice IP8729962.vbs
** https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
98.124.251.69
*** https://www.virustotal.com/en/file/2...is/1507543011/
MEyrCrdQK.exe
anderlaw .com: 98.124.251.69: https://www.virustotal.com/en/ip-add...9/information/
> https://www.virustotal.com/en/url/76...23e9/analysis/
scottfranch .org: https://en.wikipedia.org/wiki/Fast_flux
cagliaricity .it: 95.110.196.214: https://www.virustotal.com/en/ip-add...4/information/
> https://www.virustotal.com/en/url/82...c176/analysis/
:fear::fear: :mad:
Fake 'MoneyGram' SPAM, FBI press releases
FYI...
Fake 'MoneyGram' SPAM - delivers java trojan
- https://myonlinesecurity.co.uk/fake-...s-java-trojan/
27 Oct 2017 - "... fake financial themed emails containing java adwind or Java Jacksbot attachments...
The link-in-the-email goes to a zip file which doesn’t extract. However if you rename the zip to .rar it does...
Screenshot: https://myonlinesecurity.co.uk/wp-co...tion-Query.png
The link-in-the-email goes to
http ://analab .it/TransactionQuery_10-16-2017.zip which is actually a .rar file that needs to be renamed to .rar to extract it.
TransactionQuery_10-16-2017.jar (307kb) - Current VirusTotal detections 19/58*. Payload Security**... The basic rule is NEVER open any attachment or link in an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/5...5185/analysis/
TransactionQuery_10-16-2017.jar
** https://www.hybrid-analysis.com/samp...ironmentId=100
DNS Requests
46.183.223.33: https://www.virustotal.com/en/ip-add...3/information/
analab .it: 62.149.205.46: https://www.virustotal.com/en/ip-add...6/information/
> https://www.virustotal.com/en/url/87...7ff2/analysis/
___
FBI press releases
> https://www.fbi.gov/news/pressrel
10.17.2017: Twelve People Indicted Installing Credit-Card Skimmers on Gas Pumps in Five States and Stealing Account Information from Thousands
10.17.2017: Two Women, Including Former Associate Dean of Caldwell University, Admit Defrauding Veterans’ G.I. Bill
10.17.2017: Doctor Admits Billing Medicare, Other Insurers $3 Million for Therapy Services Performed by Unqualified Personnel
10.17.2017: New York Man Sentenced to 43 Months in Prison for Robbing Bergen County, New Jersey Bank
:fear::fear: :mad:
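Several of the posts above describe the same trick: a download named .png that is really a renamed .exe (Payment Advice, eFax), a ".7z" attachment that is actually base64 text wrapping a 7z archive (the Locky posts), and a ".zip" that only extracts once renamed to .rar (MoneyGram). The following triage helper is an added example, not code from the forum or from myonlinesecurity.co.uk: it identifies an attachment by its leading bytes, unwraps one layer of base64 if the raw bytes are unrecognised, and flags any mismatch with the claimed extension. The file-format signatures are the public ones; every sample input is constructed (a PE header, a 7z header, a RAR header) and contains no real malware.

```python
import base64
import binascii
import re
from typing import Optional

# Public file-format signatures for the containers named in the posts above.
SIGNATURES = {
    "exe": b"MZ",                   # Windows PE executable (DOS stub header)
    "7z": b"7z\xbc\xaf\x27\x1c",    # 7-Zip archive
    "rar": b"Rar!\x1a\x07",         # RAR archive (v1.5+ and v5 share this prefix)
    "zip": b"PK\x03\x04",           # ZIP container (also docx/xlsx/jar)
    "png": b"\x89PNG\r\n\x1a\n",    # PNG image
}

# Extensions that are legitimately ZIP containers under the hood.
ZIP_ALIASES = {"docx", "xlsx", "pptx", "jar"}

# Loose check that a blob is base64 text (standard alphabet, optional padding, line breaks).
_B64_RE = re.compile(rb"^[A-Za-z0-9+/\r\n]+={0,2}\s*$")


def identify(data: bytes) -> Optional[str]:
    """Return the real container type judged by leading bytes, or None if unknown."""
    for name, magic in SIGNATURES.items():
        if data.startswith(magic):
            return name
    return None


def unwrap_base64(data: bytes) -> Optional[bytes]:
    """If `data` is a base64 text blob, return the decoded bytes, else None."""
    if not _B64_RE.match(data):
        return None
    try:
        return base64.b64decode(data, validate=False)
    except (binascii.Error, ValueError):
        return None


def triage(filename: str, data: bytes) -> dict:
    """Compare the claimed extension with what the bytes really are.

    Returns the claimed extension, the detected type, whether one layer of
    base64 had to be removed, and a 'suspicious' verdict. Anything that is a
    PE file, anything base64-wrapped, and any extension/magic mismatch is
    flagged; a docx/jar that is really a ZIP container is not a mismatch.
    """
    claimed = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if claimed in ZIP_ALIASES:
        claimed = "zip"
    detected = identify(data)
    wrapped = False
    if detected is None:
        inner = unwrap_base64(data)
        if inner is not None:
            wrapped = True
            detected = identify(inner)
    mismatch = detected is not None and detected != claimed
    suspicious = detected == "exe" or wrapped or mismatch
    return {
        "claimed": claimed,
        "detected": detected,
        "base64_wrapped": wrapped,
        "suspicious": suspicious,
    }


# Constructed samples (headers only, no real malware): a PE header behind a .png
# name, a 7z header wrapped in base64 behind a .7z name, a RAR header behind a
# .zip name, and a genuine-looking PNG header for comparison.
FAKE_PNG = b"MZ" + b"\x90" * 62 + b"PE\x00\x00"
FAKE_7Z_B64 = base64.b64encode(SIGNATURES["7z"] + b"\x00" * 26)
FAKE_ZIP = SIGNATURES["rar"] + b"\x00" * 8
REAL_PNG = SIGNATURES["png"] + b"\x00" * 8

if __name__ == "__main__":
    for name, blob in [
        ("ser1004.png", FAKE_PNG),
        ("62046_Remittance.7z", FAKE_7Z_B64),
        ("TransactionQuery.zip", FAKE_ZIP),
        ("logo.png", REAL_PNG),
    ]:
        print(name, triage(name, blob))
```

The check only looks at the outermost container; a VBS inside the 7z or a JAR inside the RAR still has to be examined after extraction, and a mail gateway would run the same magic-versus-extension comparison on every file that comes out of an archive.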
Fake 'Invoice', 'eFax' SPAM, Locky SPAM
FYI...
Fake 'Invoice' SPAM - delivers Locky and Trickbot
- https://myonlinesecurity.co.uk/malwa...icrosoft-word/
19 Oct 2017 - "Another change from the Necurs botnet delivering Locky and Trickbot again today with an email with the subject of 'Emailed Invoice – 459572' (random numbers) pretending to come from random names at your own email address or company domain...
They have changed to using word docs again but they are -not- using macros but using the DDE “exploit” or feature which -allows- linked files. These are very similar to embedded ole objects but instead of the object (normally a script file) being embedded in the word doc & you clicking it to allow it to run, these link to a remote website without you seeing the link. This link describes it in better detail:
> https://blog.barkly.com/microsoft-of...tack-no-macros
One of the emails looks like:
From: Stacie Osborne <Stacie@ victim domain .tld>
Date: Thu 19/10/2017 11:15
Subject: Emailed Invoice – 459572
Attachment: I_459572.doc
Body content:
As requested
regards
Stacie Osborne ...
Screenshot of word doc:
> https://myonlinesecurity.co.uk/wp-co...459572_doc.png
I_459572.doc - Current VirusTotal detections 9/60*. Payload Security**
The word doc uses this DDE “feature” to contact (in this example, there will be loads of others)
http ://alexandradickman .com/KJHDhbje71 where a base64 encoded file is opened and decoded.
This has 3 hardcoded URLS inside it (again there will be others in other examples)
“http ://shamanic-extracts .biz/eurgf837or”,
”http ://centralbaptistchurchnj .org/eurgf837or”,
”http ://conxibit .com/eurgf837or” which gives a txt file which is -renamed- to rekakva32.exe
(VirusTotal 6/65[3]) (Payload Security[4])... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/e...is/1508408047/
** https://www.hybrid-analysis.com/samp...ironmentId=100
DNS Requests
98.124.251.65
83.242.103.81
98.124.251.65
Contacted Hosts
98.124.251.65
62.212.154.98
83.242.103.81
[3] https://www.virustotal.com/en/file/d...is/1508408465/
[4] https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
188.190.71.132
___
Fake 'eFax' SPAM - delivers Trickbot
- https://myonlinesecurity.co.uk/more-...anking-trojan/
19 Oct 2017 - "An email with the subject of 'eFax' pretending to come from eFax service but actually coming from a whole range of look-a-like domains with a malicious word doc attachment is today’s latest spoof of a well-known company, bank or public authority delivering Trickbot banking Trojan... the criminals sending these have registered various domains that look-like genuine Company, Bank, Government or message sending services...
Screenshot: https://myonlinesecurity.co.uk/wp-co...rvicexx_ml.png
efax190238535-34522.doc - Current VirusTotal detections 4/59*. Payload Security**
This malware file downloads from
http ://acupuncturenorthwest .com/kas47.png which of course is -not- an image file but a renamed .exe file that gets renamed to Fcd-4.exe (VirusTotal 12/64[3]). An alternative download location is
http ://www.agcofruit .com/kas47.png
This email attachment contains a genuine word doc with a macro script that when run will infect you.
The word doc looks like:
> https://myonlinesecurity.co.uk/wp-co...-34522_doc.png
... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/f...is/1508420918/
** https://www.hybrid-analysis.com/samp...ironmentId=100
DNS Requests
74.50.21.13
64.182.208.184
Contacted Hosts
74.50.21.13
64.182.208.184
79.170.7.139
185.125.46.77
3] https://www.virustotal.com/en/file/b...884d/analysis/
Fcd-4.exe
acupuncturenorthwest .com: 74.50.21.13: https://www.virustotal.com/en/ip-add...3/information/
> https://www.virustotal.com/en/url/42...fff7/analysis/
agcofruit .com: 192.185.118.67: https://www.virustotal.com/en/ip-add...7/information/
> https://www.virustotal.com/en/url/ad...0065/analysis/
___
Locky Ransomware’s Recent SPAM
- http://blog.trendmicro.com/trendlabs...am-activities/
Oct 19, 2017 - "... A closer look at Locky’s activities reveals a constant: the use of spam. While spam remains to be a major entry point for ransomware, others such as Cerber also employ vectors like exploit kits. Locky, however, appears to concentrate its distribution through large-scale spam campaigns regardless of the variants released by its operators/developers... We’ve also found how the scale and scope of Locky’s distribution are fueled by the Necurs botnet, a spam distribution infrastructure comprising zombified devices. It churns out a sizeable amount of spam emails carrying information stealers like Gameover ZeuS, ZBOT or Dridex, and other ransomware families such as CryptoLocker, CryptoWall, and Jaff. Necurs is Locky’s known and long-time partner in crime, and it’s no coincidence that the surge of Locky-bearing spam emails corresponds with the uptick in Necurs’ own activity. In fact, we saw that Necurs actively pushed Locky from August to October:
> https://blog.trendmicro.com/trendlab...cky-spam-2.jpg
It’s also worth noting that Necurs also distributed Locky via URL-only spam emails — that is, the messages didn’t have -any- attachments, but rather -links- that divert users to -compromised- websites hosting the ransomware. The use of HTMLs embedded with -links- to the -compromised- site also started gaining traction this year... the continuous changes in Locky’s use of file attachments are its way of adjusting its tools to evade or bypass traditional security. But despite the seeming variety, there are common denominators in Locky’s social engineering, particularly in the email subjects and content. They appear to have the same old flavors, but with relatively different twists. Some of the recent lures we saw were:
- Fake voice message notifications (vishing, or the use of voice-related systems in phishing attacks)
- HTML attachments posing as invoices
- Archive files masquerading as business missives from multinationals, e.g., audit and budget reports
- Fraudulent emails that involve monetary transactions such as bills, parcel/delivery confirmations, and payment receipts..."
(More detail at the trendmicro URL above.)
:fear::fear: :mad:
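The 'Emailed Invoice' post above explains that the Word attachment carries no macro and instead uses a DDE field that silently pulls content from a remote site when the document is opened. In a .docx the field instruction lives in <w:instrText> runs inside word/document.xml (or the header and footer parts), and the keyword is often broken across several runs so that a plain grep for DDEAUTO misses it. The scanner below is an added example, not code from the forum or from the linked write-ups: it opens a .docx as a ZIP, joins the instruction runs of each paragraph before matching, and also reads simple fields. The sample documents are built in memory and are constructed; the DDE field in the second one names placeholder strings, not a real program or URL. Legacy binary .doc files are not parsed by this example.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from typing import List

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"

# "DDEAUTO" fields fire when the document opens, "DDE" fields on update.
DDE_RE = re.compile(r"\bDDE(?:AUTO)?\b", re.IGNORECASE)


def field_instructions(part_xml: bytes) -> List[str]:
    """Return one instruction string per field-bearing paragraph in a Word XML part.

    The <w:instrText> runs of a paragraph are concatenated before matching,
    because splitting the keyword across runs is a known way to hide it from
    naive string searches. Simple fields (<w:fldSimple w:instr="...">) are
    collected as well.
    """
    root = ET.fromstring(part_xml)
    instrs = []
    for para in root.iter(f"{{{W_NS}}}p"):
        runs = [t.text or "" for t in para.iter(f"{{{W_NS}}}instrText")]
        if runs:
            instrs.append("".join(runs))
        for fld in para.iter(f"{{{W_NS}}}fldSimple"):
            instrs.append(fld.get(f"{{{W_NS}}}instr", ""))
    return instrs


def find_dde(docx_bytes: bytes) -> List[str]:
    """Return the DDE field instructions found in a .docx (empty list if none)."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            base = name.rsplit("/", 1)[-1]
            # Fields can sit in the body or in any header/footer part.
            if name.startswith("word/") and (
                base == "document.xml" or base.startswith(("header", "footer"))
            ):
                for instr in field_instructions(z.read(name)):
                    if DDE_RE.search(instr):
                        hits.append(instr.strip())
    return hits


def build_docx(paragraph_xml: str) -> bytes:
    """Assemble a minimal in-memory .docx around the given <w:p> markup (constructed sample)."""
    document = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<w:document xmlns:w="{W_NS}"><w:body>{paragraph_xml}</w:body></w:document>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr(
            "[Content_Types].xml",
            '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>',
        )
        z.writestr("word/document.xml", document)
    return buf.getvalue()


# Constructed samples: a harmless DATE field, and an inert DDEAUTO field whose
# keyword is split across two runs ("DD" + "EAUTO ...") with placeholder arguments.
BENIGN_DOCX = build_docx(
    '<w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>'
    '<w:r><w:instrText xml:space="preserve"> DATE \\@ "d MMMM yyyy" </w:instrText></w:r>'
    '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p>'
)
SPLIT_DDE_DOCX = build_docx(
    '<w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>'
    '<w:r><w:instrText xml:space="preserve"> DD</w:instrText></w:r>'
    '<w:r><w:instrText xml:space="preserve">EAUTO "placeholder-program" "placeholder-argument" </w:instrText></w:r>'
    '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p>'
)

if __name__ == "__main__":
    print("benign:", find_dde(BENIGN_DOCX))
    print("dde:", find_dde(SPLIT_DDE_DOCX))
```

Matching on the joined instruction text is what makes the split-keyword sample detectable; a gateway rule that only inspects individual runs would report the second document as clean. Any hit is worth quarantining regardless of what the field's arguments look like, since a legitimate business document has no reason to carry a DDE field.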
Cyber criminal attempts to INFECT systems through E-mail gets WORSE
FYI...
Today's crop of cyber criminal attempts to INFECT systems and PCs through E-mail gets WORSE. Best bet is to read these posts by "good-guy" analysts and get what you can from their research, however convoluted the criminals' means have evolved, and remember the standard warnings for ALL E-mail that hits your Inbox:
"DO NOT follow the advice they give to enable macros or enable editing to see the content.
The basic rule is NEVER open any attachment -or- link in an email, unless you are expecting it."
Scanned image from MX-2600N malspam pretending to come from your own company delivers Locky ransomware using Word DDE exploit
- https://myonlinesecurity.co.uk/scann...d-dde-exploit/
20 Oct 2017
Fake Swift Copy message delivers fareit trojan
- https://myonlinesecurity.co.uk/fake-...fareit-trojan/
20 Oct 2017
More Locky ransomware delivered via DDE exploit pretending to come from your own company or email address
- https://myonlinesecurity.co.uk/more-...email-address/
20 Oct 2017
Necurs Botnet malspam pushes Locky using DDE attack
- https://isc.sans.edu/forums/diary/Ne...+attack/22946/
2017-10-19 - "... the DDE attack* technique has spread to large-scale distribution campaigns..."
* https://www.bleepingcomputer.com/new...eeding-macros/
___
Alert (TA17-293A)
Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors
- https://www.us-cert.gov/ncas/alerts/TA17-293A
Oct 20, 2017 - "Systems Affected:
Domain Controllers
File Servers
Email Servers
Overview: This joint Technical Alert (TA) is the result of analytic efforts between the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). This alert provides information on advanced persistent threat (APT) actions targeting government entities and organizations in the energy, nuclear, water, aviation, and critical manufacturing sectors. Working with U.S. and international partners, DHS and FBI identified victims in these sectors. This report contains indicators of compromise (IOCs) and technical details on the tactics, techniques, and procedures (TTPs) used by APT actors on compromised victims’ networks...
DHS assesses this activity as a multi-stage intrusion campaign by threat actors targeting low security and small networks to gain access and move laterally to networks of major, high value asset owners within the energy sector. Based on malware analysis and observed IOCs, DHS has confidence that this campaign is still ongoing, and threat actors are actively pursuing their ultimate objectives over a long-term campaign. The intent of this product is to educate network defenders and enable them to identify and reduce exposure to malicious activity..."
(More detail at the us-cert URL above.)
:fear::fear: :mad: