Fake 'account documents' SPAM
FYI...
Fake 'account documents' SPAM - delivers Trickbot
- https://myonlinesecurity.co.uk/trick...-form-malspam/
7 Dec 2017 - "... an email containing the subject of 'Your account documents' pretending to come from Companies House but actually coming from a look-a-like or typo-squatted domain <no-reply@ companieshouseform .co.uk> with a malicious word doc attachment is today’s latest spoof of a well-known company, bank or public authority delivering Trickbot banking Trojan...
Screenshot: https://myonlinesecurity.co.uk/wp-co...ecure-form.png
SecureForm84.doc - Current Virus total detections 3/60*| Hybrid Analysis**... This malware docx file downloads from
http ://aperhu .com/ser0712.png which of course is -not- an image file but a renamed .exe file that gets renamed to Ejjmdejh9.exe (VirusTotal 8/68[3])...
The alternative download location is
http ://altarek .com/ser0712.png... Today’s example of the spoofed domain is, as usual, registered via Godaddy as registrar using privacy protection services...
companieshouseform .co.uk hosted on numerous servers and IP addresses and sending the emails via 185.207.204.218 | 185.23.215.76 | 89.39.106.208 | All of which are based in Netherlands...
Malware detail:
> https://myonlinesecurity.co.uk/wp-co...m_word_doc.png
DO NOT follow the advice they give to enable macros or enable editing to see the content..."
* https://www.virustotal.com/en/file/2...is/1512651253/
SecureForm6.doc
** https://www.hybrid-analysis.com/samp...ironmentId=100
DNS Requests
146.255.36.1
143.95.252.46
Contacted Hosts
143.95.252.46
146.255.36.1
185.80.128.223
82.146.47.221
185.125.46.161
3] https://www.virustotal.com/en/file/b...is/1512647520/
fbwnk.exe
aperhu .com: 143.95.252.46: https://www.virustotal.com/en/ip-add...6/information/
> https://www.virustotal.com/en/url/8a...01d0/analysis/
altarek .com: 64.50.184.217: https://www.virustotal.com/en/ip-add...7/information/
> https://www.virustotal.com/en/url/c1...50bb/analysis/
:fear::fear: :mad:
Fake 'Amazon invoice' SPAM
FYI...
Fake 'Amazon invoice' SPAM - delivers Trickbot
- https://myonlinesecurity.co.uk/fake-...necurs-botnet/
12 Dec 2017 - "... Necurs botnet has changed again today...
Update: I am informed that this is definitely Trickbot banking trojan, not ransomware, although several antiviruses are detecting it as a ransomware version. An email with the subject of 'Invoice RE-2017-12-12-00572' (random numbers after the date) pretending to come from Amazon Marketplace <lqftdwbmxYYfT@ marketplace.amazon .com> (random characters before the @) with a malicious word doc attachment...
Screenshot: https://myonlinesecurity.co.uk/wp-co...arketplace.png
RE-2017-12-12-00572.doc - Current Virus total detections 12/59*. Hybrid Analysis**...
This malware downloads from
http ://ragazzemessenger .com/nyRhdkwSD which gave ejmaryj8.exe (VirusTotal 9/67[3]) (Hybrid Analysi[4])...
There will be loads of other download sites... DO NOT follow the advice they give to enable macros or enable editing to see the content..."
* https://www.virustotal.com/en/file/8...is/1513080354/
RE-2017-12-12-00775.doc
** https://www.hybrid-analysis.com/samp...ironmentId=100
DNS Requests
158.69.26.138
98.124.251.168
Contacted Hosts
98.124.251.168
158.69.26.138
67.209.219.92
179.43.147.243
95.213.237.241
3] https://www.virustotal.com/en/file/2...is/1513080273/
4] https://www.hybrid-analysis.com/samp...ironmentId=100
ragazzemessenger .com: 98.124.251.168: https://www.virustotal.com/en/ip-add...8/information/
> https://www.virustotal.com/en/url/a8...4c38/analysis/
:fear::fear: :mad:
Fake 'Scan' SPAM, Fake FBI phish, AIM discontinued
FYI...
Fake 'Scan' SPAM - delivers Globeimposter ransomware
- https://myonlinesecurity.co.uk/anoth...are-but-fails/
15 Dec 2017 - "... Necurs botnet has messed up again today... an email with the subject of 'Scan' pretending to come from random names and email addresses... It is trivially easy to decode the base64 section, create the 7z file & extract the vbs to get the Globeimposter ransomware they are attempting to deliver. Over the last few weeks we have seen this behaviour several times. Sometimes with 7z or zip files. Sometimes with word docs...
Screenshot: https://myonlinesecurity.co.uk/wp-co...5_08-02-13.png
Scan_00057.7z: - Extracts to: Scan_005287.vbs - Current Virus total detections 7/60*. Hybrid Analysis**...
This particular version downloads from
http ://peopleiknow .org/JKHhgdf72? - there will be several other locations in -other- vbs files...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/8...is/1513324220/
Scan_005287.vbs
** https://www.hybrid-analysis.com/samp...ironmentId=100
peopleiknow .org: 67.210.102.240: https://www.virustotal.com/en/ip-add...0/information/
> https://www.virustotal.com/en/url/1e...3e61/analysis/
___
Fake FBI phish - leads to Tech Support Scam
- https://myonlinesecurity.co.uk/fake-...-support-scam/
14 Dec 2017 - "... It pretends to be a message from the FBI saying you might be a victim of cyber crime and you should ring the phone number in the email. The phone number belongs to a dubious Tech Support service:
globalphonesupport .com: 69.89.31.186: https://www.virustotal.com/en/ip-add...6/information/
If you are unwise enough to ring the number you will be falsely told that there is something wrong with your computer. 'It needs cleaning'... and it will cost you at least one hundred USD to repair.
It is highly likely that these scammers will ask you to install a 'remote access program' (although they call it something else)...
Unusually there is no link in this email. [Some] of these scams will have a link that leads to page saying your computer is infected with Zeus trojan or similar that locks-the-browser and displays the phone number to ring...
Screenshot: https://myonlinesecurity.co.uk/wp-co...pport-Scam.png
" ... RE: Case: 8755174734
The IP address registered on your name was referred to our ICC Center multiple times as being a possible victim of cyber crime.
We believe that your IP address and other identifying information were used to commit several computer fraud and abuse crimes. This investigation covers the time period from August 7, 2017 to the present date.
We appreciate your instant assistance to this matter. Please contact us urgently with all of the information concerning this case, at telephone number listed below... "
These emails use Social engineering tricks to persuade you to open the attachments, follow links or ring the phone number in the email...
___
AIM - discontinued on Dec 15, 2017
- https://help.aol.com/articles/aim-discontinued
"As of December 15, 2017, AOL Instant Messenger products and services will be shut down and will no longer work.
If you are an AOL member, AOL products and services like AOL Mail, AOL Desktop Gold and Member Subscriptions will not be affected. To view your benefits, please visit: https://mybenefits.aol.com/ "
:fear::fear: :mad:
Fake 'Website Job Application' SPAM, Office - malware delivery platform
FYI...
Fake 'Website Job Application' SPAM - delivers malware
- https://myonlinesecurity.co.uk/more-...erent-malware/
20 Dec 2017 - "... This is a continuation from these 3 previous posts about malware using resumes or job applications as the lure [1] [2] [3]... The primary change in delivery method is the use of a password for the word doc to try to bypass antivirus filters... Today’s version continues to SmokeLoader/Sharik trojan which is a downloader for -other- malware. An email with the subject of 'Website Job Application' coming from Rob Meyers <Gong@ latestmistake .com> (probably random names) with a malicious word doc attachment delivers SmokeLoader/ sharik trojan...
1] https://myonlinesecurity.co.uk/websi...be-ransomware/
2] https://myonlinesecurity.co.uk/spear...ds-to-malware/
3] https://myonlinesecurity.co.uk/fake-...liver-malware/
Screenshot: https://myonlinesecurity.co.uk/wp-co...sume_eml-1.png
Rob Resume.doc - Current Virus total detections 11/59*. Hybrid Analysis**... It should be noted that this malicious word doc and the downloaded malware either has some sort of anti-analysis protection or the malware delivery site will reject connections from known sandboxes, VM analysis tools and known researcher or antivirus IP addresses. Neither of the 2 Online sandboxes / analysis tools could retrieve the downloaded malware. That had to be done manually. They have continued with the previous behaviour of using BITS (bitsadmin.exe) to download the file instead of PowerShell. They also are still using “autoclose” in the macro so it doesn’t run until the word doc has been closed, so avoiding any obvious signs of infiltration. Also the downloaded file sleeps for a long, long time before doing anything. This malware downloads from
http ://80.82.67.217/paddle.jpg which of course it -not- an image file but a renamed .exe (ASxas.exe)
VirusTotal 8/67[4]. Hybrid Analysis[5]... HA shows a further download of a bitcoin miner (VirusTotal 43/66[6])
but Anyrun could not get anything despite leaving it running for 10 minutes...
This word doc looks like this:
> https://myonlinesecurity.co.uk/wp-co...sume_1_doc.png
And after you input the password from the email body (123456) you see a typical page asking you to enable editing and then macros and content:
> https://myonlinesecurity.co.uk/wp-co...sume_2_doc.png
... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/d...is/1513715092/
Resume.doc
** https://www.hybrid-analysis.com/samp...ironmentId=100
4] https://www.virustotal.com/en/file/f...is/1513716371/
paddle.jpg.exe
5] https://www.hybrid-analysis.com/samp...ironmentId=100
DNS Requests
37.59.55.60
107.181.246.221
Contacted Hosts
139.59.208.246
107.181.246.221
188.165.214.95
6] https://www.virustotal.com/en/file/9...d51c/analysis/
bitcoinminer1
80.82.67.217: https://www.virustotal.com/en/ip-add...7/information/
> https://www.virustotal.com/en/url/f4...cbe9/analysis/
___
Office as a malware delivery platform: DDE, Scriptlets, Macro obfuscation
... Powerful behind-the-scenes features in Office have suddenly stepped back into the malware limelight, with an onslaught of mostly macro-less attacks starring jimmied Word, Excel and PowerPoint documents
> https://www.computerworld.com/articl...fuscation.html
Dec 19, 2017 - "... Some clever researchers have found new and unexpected ways to get Word, Excel and PowerPoint documents to deliver all sorts of malware — ransomware, snoopers, even a newly discovered credential stealer that specializes in gathering usernames and passwords. In many cases, these new uses employ methods as old as the hills. But the old warning signs don’t work as well as they once did..."
(Much more detail at the computerworld URL above.)
ADV170021 | Microsoft Office Defense in Depth Update
- https://portal.msrc.microsoft.com/en...sory/ADV170021
12/12/2017 - "... provides enhanced security as a defense-in-depth measure. The update disables the Dynamic Update Exchange protocol (DDE) in all supported editions of Microsoft Word..." - Also:
> https://docs.microsoft.com/en-us/sec...s/2017/4053440
Updated: Dec 12, 2017
>> https://www.askwoody.com/forums/topi...n/#post-153388
Dec 20, 2017
:fear::fear: :mad:
DoubleClick Ad XSS vuln, Cryptominers ...
FYI...
DoubleClick Advertising network XSS vuln
- https://myonlinesecurity.co.uk/doubl...vulnerability/
21 Dec 2017 - "Just a quick alert about an email from Google warning of vulnerabilities in some DoubleClick publishers. This has been sent to all website owners who use DoubleClick in any form. However this will ONLY affect website owners who use DoubleClick as a stand alone service to display adverts. It does not affect website owners who use Google AdSense to display adverts and have enabled the additional options to also use DoubleClick as a method of advertising in the allowed advertisers section of your Google AdSense settings page:
> https://myonlinesecurity.co.uk/wp-co..._XSS_alert.png
The email reads:
'Dear Customer,
We’ve identified certain vendor files that may contain XSS vulnerabilities which could pose a security risk. Please check if you are hosting these files and remove them with the help of your webmaster. These are the currently identified third-party vendor files...'"
(More detail at the myonlinesecurity URL above.)
> https://support.google.com/dfp_premium/answer/7622991
___
Cryptominers...
- https://umbrella.cisco.com/blog/2017...mining-mayhem/
Dec 19, 2017 - "As cryptocurrencies continue to increase in value, cryptomining becomes increasingly more lucrative. With Bitcoin nearly reaching $18,000USD/1BTC, speculation that other cryptocurrencies such as Etherium and Monero may hit this mark eventually is rising. Monero is especially interesting given that one of its primary advantages is the relatively low processing power needed to mine it. Given that it is capable of being mined even by consumer grade computers, many organizations have tried to capitalize on this facet of the currency.
> https://s3-us-west-1.amazonaws.com/u...eOfTheCoin.png
Launched in September of this year, Coinhive is a service that has transformed the internet already in its short life. 'Coinhive' allows users to embed JavaScript API calls to enable anonymous mining of Monero cryptocurrency in browsers. 'Monero' aims to improve on existing cryptocurrency design by obscuring the sender, recipient and amount of every transaction made, as well as making the mining process more egalitarian by lowering processing costs. Though Coinhive as an organization has said they want users to come up with new uses for their service, it’s hard to imagine they wanted users to create apps that then go on to be abused...
It’s impossible to say with accuracy where the future will take cryptocurrencies or cryptominers, but they’re almost certainly here to stay. As the internet continues to evolve in its third decade of existence, enterprising individuals will always be looking for the next motherlode, taking advantage of a landscape that others can’t see."
(More detail at the umbrella.cisco URL above.)
:fear::fear::fear:
Fake 'Outstanding Statement' SPAM
FYI...
Fake 'Outstanding Statement' SPAM - delivers ransomware
- https://myonlinesecurity.co.uk/fake-...er-ransomware/
22 Dec 2017 - "... malware downloaders from the Necurs botnet... an email with the subject of 'Outstanding Statement' pretending to come from Prime Express Oldham <sales62@ primeexpressuk .com> (random numbers after sales) delivering Globeimposter ransomware...
Screenshot: https://myonlinesecurity.co.uk/wp-co...2_11-48-59.png
Customer Statement (122017_6816162).7z: Extracts to: Customer Statement (122017_51767638).js
Current Virus total detections 16/55*. Hybrid Analysis**...
This js file downloads from
http ://www.upperlensmagazine .com/tOldHSYW??DVTCGAtym=DVTCGAtym (VirusTotal 11/68[3]). As usual there will be 6 or 8 other download sites... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/7...is/1480616575/
-6dt874p53077.js
** https://www.hybrid-analysis.com/samp...ironmentId=100
DNS Requests
45.126.209.154
Contacted Hosts
45.126.209.154
3] https://www.virustotal.com/en/file/d...is/1513941343/
GWMadFzby2.exe
upperlensmagazine .com: 45.126.209.154: https://www.virustotal.com/en/ip-add...4/information/
> https://www.virustotal.com/en/url/3d...ae1b/analysis/
:fear::fear: :mad:
Fake blank/empty SPAM, WordPress Brute Force Attacks
FYI...
Fake blank/empty SPAM - delivers globeimposter ransomware
- https://myonlinesecurity.co.uk/more-...er-ransomware/
26 Dec 2017 - "... malware downloaders from the Necurs botnet... a blank/empty email with the subject of 'CCE26122017_004385' (random numbers after the date) pretending to come from random names and random email addresses that just has a 7z attachment containing a .js file... One of the emails looks like:
From: Emmitt <Emmitt@ kendrixcorp .com>
Date: Tue 26/12/2017 15:04
Subject: CCE26122017_004385
Attachment: CCE26122017_004385.7z
Body content: completely blank/empty
Screenshot: https://myonlinesecurity.co.uk/wp-co...6_15-28-28.png
CCE26122017_004385.7z: Extracts to: CCE26122017_48779.js - Current Virus total detections 11/58*. Hybrid Analysis**...
This particular version downloads from
http ://www.thedournalist .com/mnbTREkfDS??jYAbcsB=jYAbcsB (there will normally be 6-8 other download locations)
(VirusTotal 7/68[3])...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/1...is/1514301126/
CCE26122017_48779.js
** https://www.hybrid-analysis.com/samp...ironmentId=100
DNS Requests
86.106.30.37
Contacted Hosts
86.106.30.37
3] https://www.virustotal.com/en/file/3...is/1514301538/
mnbTREkfDS.exe
thedournalist .com: 86.106.30.37: https://www.virustotal.com/en/ip-add...7/information/
___
Massive Brute-Force Attack Infects WordPress Sites with Monero Miners
- https://www.bleepingcomputer.com/new...monero-miners/
Dec 20, 2017 - "... WordPress sites around the globe have been the targets of a massive brute-force campaign during which hackers attempted to guess admin account logins in order to install a Monero miner on compromised sites...
Once attackers get in, they install a Monero miner, and they also use the infected site to carry out further brute-force attacks. These two operations don't happen at the same time, and each site is either brute-forcing other WordPress sites or mining Monero..."
WordPress Brute Force Attack Campaign
- https://www.wordfence.com/blog/2017/...rdpress-attack
Dec 18, 2017 - "A massive distributed brute force attack campaign targeting WordPress sites started this morning at 3am Universal Time, 7pm Pacific Time. The attack is broad in that it uses a large number of attacking IPs, and is also deep in that each IP is generating a huge number of attacks. This is the most aggressive campaign we have seen to date, peaking at over 14 million attacks per hour. The attack campaign was so severe that we had to scale up our logging infrastructure to cope with the volume when it kicked off, which makes it clear that this is the highest volume attack that we have seen in Wordfence history, since 2012..."
___
Remove the Slmgr32.exe Monero CPU Miner
- https://www.bleepingcomputer.com/vir...nero-cpu-miner
Nov 3, 2017
:fear::fear: :mad:
Fake 'Scan' SPAM, Apple 'Batterygate'
FYI...
Fake 'Scan' SPAM - Necurs botnet traffic
- https://myonlinesecurity.co.uk/freak...er-ransomware/
29 Dec 2017 - "... Necurs botnet... several hundred I have received in the last hour have been quarantined on my mail server. The next in the never ending series of malware downloaders is an email with the subject of 'Scan' pretending to come from random names and email address. The name in the email body matches the alleged sender...
Screenshot: https://myonlinesecurity.co.uk/wp-co...9_10-17-04.png
Scan_0041.7z: Extracts to: -6dt874p53077.js - Current Virus total detections 14/59*. Hybrid Analysis**...
This particular js has these 3 urls embedded in it (there will be dozens of other Urls that download the payload in different js files). It uses the first url & only moves to the next if the first does not respond
(VirusTotal 9/66[3])...
http ://damynghedunglinh .com/YoepHGds?
http ://3dpvietnam .com/YoepHGds?
http ://emergency-help .com.au/YoepHGds? ...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/1...is/1514542049/
Scan_005416.js
** https://www.hybrid-analysis.com/samp...ironmentId=100
DNS Requests
198.143.137.42
Contacted Hosts
198.143.137.42
3] https://www.virustotal.com/en/file/1...is/1514542104/
YoepHGds.exe
damynghedunglinh .com: 198.143.137.42: https://www.virustotal.com/en/ip-add...2/information/
> https://www.virustotal.com/en/url/1d...a43c/analysis/
___
Apple 'Batterygate'
>> https://www.cnbc.com/2017/12/28/appl...full-text.html
Dec 29, 2017 - 14 Hours Ago
"Apple apologizes for iPhone slowdowns and offers $29 battery replacements..."
Video 1:55
>> https://www.reuters.com/article/us-a...-idUSKBN1EM20N
Dec 28, 2017 - "... Apple Inc (AAPL.O) is slashing prices for battery replacements and will change its software to show users whether their phone battery is good..."
> https://www.apple.com/iphone-battery-and-performance/
Dec 28, 2017 - "A Message to Our Customers about iPhone Batteries and Performance...
Apple is reducing the price of an out-of-warranty iPhone battery replacement by $50 — from $79 to $29 — for anyone with an iPhone 6 or later whose battery needs to be replaced, starting in late January and available worldwide through December 2018. Details will be provided soon on apple.com.
Early in 2018, we will issue an iOS software update with new features that give users more visibility into the health of their iPhone’s battery, so they can see for themselves if its condition is affecting performance..."
:fear::fear: :mad: