-
Fake 'Invoice January', 'Statements' SPAM, LastPass - Phish
FYI...
Fake 'Invoice January' SPAM - malicious attachment
- http://blog.dynamoo.com/2016/01/malw...ary-baird.html
18 Jan 2016 - "This -fake- financial spam does not come from J. Thomson Colour Printers but is instead a simple -forgery- with a malicious attachment.
From "A . Baird" [ABaird@ jtcp .co.uk]
Date Mon, 18 Jan 2016 16:17:20 +0530
Subject Invoice January
Hi,
We have been paid for much later invoices but still have the attached invoice as
outstanding.
Can you please confirm it is on your system and not under query.
Regards
Alastair Baird
Financial Controller ...
Because the email has an error in it, the attachment cannot be downloaded or will appear to be corrupt. This follows on from a similar bunch of corrupt spam messages on Friday... The payload is meant to be the Dridex banking trojan...
UPDATE: A source (thank you!) tells me that the various versions of the document should download a binary from one of the following locations:
emirelo .com/786585d/08g7g6r56r.exe
esecon .com.br/786585d/08g7g6r56r.exe
outago .com/786585d/08g7g6r56r.exe
This binary has an MD5 of 971b9f7a200cff489ee38011836f5240 and a VirusTotal detection rate of 3/54*. The same source identifies the following C2 servers which are worth blocking:
192.232.204.53 (WebSiteWelcome, US)
110.77.142.156 (CAT BB Net, Thailand)
216.117.130.191 (Advanced Internet Technologies Inc, US)
202.69.40.173 (Gerrys Information Technology (pvt) Ltd, Pakistan)
Recommended blocklist:
192.232.204.53
110.77.142.156
216.117.130.191
202.69.40.173 "
* https://www.virustotal.com/en/file/2...4bcf/analysis/
TCP connections
192.232.204.53: https://www.virustotal.com/en/ip-add...3/information/
13.107.4.50: https://www.virustotal.com/en/ip-add...0/information/
- http://myonlinesecurity.co.uk/invoic...ls-attachment/
18 Jan 2016 - "The Dridex bots are -still- not having a good day today. On Friday they sent -3- different malformed/damaged/broken malspams. Today, the first damaged/malformed/broken one is an email with the subject of 'Invoice January' pretending to come from A . Baird <ABaird@ jtcp .co.uk> with a -damaged- attachment that is supposed to be a malicious word doc or XLS spreadsheet attachment... The -damaged/broken- attachment has a name something like INV-IN174074-2016-386.doc
Downloading this one from quarantine on my server gives what looks like a genuine word doc..
VirusTotal Detections 5/55* which will attempt to download Dridex banking malware from
[emirelo .com/786585d/08g7g6r56r.exe] (VirusTotal 3/54**) Payload Security /Reversit Analysis***
The email looks like:
From: A . Baird <ABaird@ jtcp .co.uk>
Date: Mon 18/01/2016 09:45
Subject: Invoice January
Hi,
We have been paid for much later invoices but still have the attached invoice as outstanding.
Can you please confirm it is on your system and not under query.
Regards
Alastair Baird
Financial Controller ...
This email attachment contains what appears to be a genuine Word doc or Excel XLS spreadsheet with either a macro script or an embedded OLE object that when run -will- infect you. Modern versions of Microsoft Office, that is Office 2010, 2013, 2016 and Office 365, should be automatically set to higher security to protect you...
By default Protected View is enabled and macros are disabled, UNLESS you or your company have enabled them. If Protected View mode is turned off and macros are enabled then opening this malicious Word document will infect you, and simply previewing it in Windows Explorer or your email client might well be enough to infect you...
DO NOT follow the advice they give to enable macros or enable editing to see the content..."
* https://www.virustotal.com/en/file/6...is/1453114324/
** https://www.virustotal.com/en/file/2...is/1453115492/
192.232.204.53: https://www.virustotal.com/en/ip-add...3/information/
13.107.4.50: https://www.virustotal.com/en/ip-add...0/information/
*** https://www.reverse.it/sample/629bfd...nvironmentId=1
Contacted Hosts
194.24.228.5: https://www.virustotal.com/en/ip-add...5/information/
192.232.204.53: https://www.virustotal.com/en/ip-add...3/information/
___
Fake 'Statements' SPAM - malicious attachment
- http://blog.dynamoo.com/2016/01/malw...ts-alison.html
18 Jan 2016 - "This -fake- financial email does not come from J Thomson Colour Printers but is instead a simple forgery with a malicious attachment.
From Alison Smith [ASmith@ jtcp .co.uk]
Date Mon, 18 Jan 2016 18:27:36 +0530
Subject Statements
Sent 12 JAN 16 15:36
J Thomson Colour Printers
14 Carnoustie Place
Glasgow
G5 8PB ...
Attached is a file S-STA-SBP CRE (0036).xls which is actually -corrupt- due to a monumental failure by the bad guys. The payload is meant to be the Dridex banking trojan, but since -Friday- the attachments have been messed up and will either appear to be garbage or zero length. The payload itself should look similar to this one*, also spoofing the same company."
* http://blog.dynamoo.com/2016/01/malw...ary-baird.html
- http://myonlinesecurity.co.uk/j-thom...ls-attachment/
18 Jan 2016 - "... damaged/broken attachment has a name something like S-STA-SBP CRE (0036).xls ... it would, if fixed, download -Dridex- from the same locations as today’s earlier malspam runs..."
___
LastPass - Phish...
- https://www.seancassidy.me/lostpass.html
2016-01-18 - "... discovered a -phishing- attack against LastPass that allows an attacker to steal a LastPass user's email, password, and even two-factor auth code, giving full access to all passwords and documents stored in LastPass. I call this attack 'LostPass'... Because LastPass trained users to expect notifications in the browser viewport, they would be none the wiser. The LastPass login screen and two-factor prompt are drawn in the viewport as well:
> https://www.seancassidy.me/images/lastpass_login.png
...
> https://www.seancassidy.me/images/lastpass_2fa.png
... Here's an image of LastPass and LostPass for Firefox on Windows 8 side-by-side. Which one is which?:
> https://www.seancassidy.me/images/lastpass_firefox.png "
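The posts above describe one recurring pattern: a financial lure subject ('Invoice', 'Statements') carrying a legacy .doc/.xls whose VBA macro fetches the Dridex binary, and, on the bad days, a zero-length or garbage attachment instead. The following triage script is an added example written for this thread, not code from either blog; the sample message it builds, the lure word list and the UTF-16 storage-name heuristic for spotting a VBA project inside an OLE file are my own assumptions, and a full CFB parse (e.g. oletools) is the proper check in production.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# OLE2 / Compound File Binary magic: legacy .doc and .xls files start with this.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Storage names inside an OLE container are stored as UTF-16LE. A VBA project
# lives under 'Macros' (Word) or '_VBA_PROJECT_CUR' (Excel). Searching the raw
# bytes for those names is a cheap heuristic (assumption: good enough for
# gateway triage); a document whose text merely says "Macros" also matches.
OLE_MACRO_MARKERS = [s.encode("utf-16-le") for s in ("Macros", "_VBA_PROJECT_CUR")]
# Subject words used by the financial lures quoted in the posts above (assumed list).
LURE_WORDS = ("invoice", "statement", "remittance", "payment", "ebill",
              "order confirmation", "tax invoice")


def classify_attachment(data: bytes) -> str:
    """Classify one attachment body.

    Returns 'empty' (the zero-length 'corrupt' attachments the posts describe),
    'ole-macro' / 'ole-plain' for legacy Office files, 'ooxml-macro' /
    'ooxml-plain' for .docm/.xlsm style zips, or 'unknown' for anything else
    (including truncated garbage that only looks like a zip).
    """
    if not data:
        return "empty"
    if data.startswith(OLE_MAGIC):
        has_vba = any(marker in data for marker in OLE_MACRO_MARKERS)
        return "ole-macro" if has_vba else "ole-plain"
    if data.startswith(b"PK\x03\x04"):
        try:
            names = zipfile.ZipFile(io.BytesIO(data)).namelist()
        except zipfile.BadZipFile:
            return "unknown"
        has_vba = any(n.lower().endswith("vbaproject.bin") for n in names)
        return "ooxml-macro" if has_vba else "ooxml-plain"
    return "unknown"


def triage_eml(raw: bytes) -> dict:
    """Parse a raw RFC 5322 message and report lure subject plus attachment verdicts."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = msg.get("Subject", "")
    verdicts = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        body = part.get_payload(decode=True) or b""
        verdicts.append((name, classify_attachment(body)))
    lure = any(word in subject.lower() for word in LURE_WORDS)
    # Gateway rule: a financial lure subject plus any macro-bearing attachment
    # is enough to quarantine. 'empty' attachments are still worth logging,
    # since they mark the broken runs described in the posts.
    return {
        "subject": subject,
        "lure": lure,
        "attachments": verdicts,
        "quarantine": lure and any(v.endswith("-macro") for _, v in verdicts),
    }


def make_ooxml(with_macro: bool) -> bytes:
    """Constructed minimal OOXML-style zip (not a real Word file) for testing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


def build_sample_eml() -> bytes:
    """Constructed sample modelled on the 'Invoice January' lure; NOT real malware."""
    msg = EmailMessage()
    msg["From"] = "Alastair Baird <ABaird@jtcp.invalid>"
    msg["To"] = "accounts@victim.invalid"
    msg["Subject"] = "Invoice January"
    msg.set_content("Hi,\nWe still have the attached invoice as outstanding.\nRegards\n")
    # Fake legacy .doc: correct OLE magic followed by a 'Macros' storage name.
    fake_doc = OLE_MAGIC + b"\x00" * 504 + "Macros".encode("utf-16-le") + b"\x00" * 64
    msg.add_attachment(fake_doc, maintype="application", subtype="msword",
                       filename="INV-IN174074-2016-386.doc")
    # Zero-length attachment, like the broken 'Statements' run quoted above.
    msg.add_attachment(b"", maintype="application", subtype="vnd.ms-excel",
                       filename="S-STA-SBP CRE (0036).xls")
    return msg.as_bytes()


if __name__ == "__main__":
    print(triage_eml(build_sample_eml()))
```

Feed it a real quarantined .eml in place of `build_sample_eml()` to get the same verdict dictionary for each attachment.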
-
Fake 'Insurance', 'Payment overdue', 'Remittance Advice' SPAM, Cisco Security Report
FYI...
Fake 'Insurance' SPAM - doc malware
- http://myonlinesecurity.co.uk/thank-...d-doc-malware/
19 Jan 2016 - "The Dridex bots are still having problems again today. Their latest attempt is an email with the subject of 'Thank you for purchasing from Cheaper Travel Insurance – 14068156' pretending to come from info87@ Resellers.insureandgo .com (the info number is random) with a malicious word doc attachment is another one from the current bot runs... While they appear to have fixed the malware attachments, they instead have introduced a new bug and are sending broken emails with -garbled- content... when corrected it will look something like this:
Screenshot: http://myonlinesecurity.co.uk/wp-con...PER-TRAVEL.png
19 January 2016: 14068156.doc - Current Virus total detections 4/55*
[MALWR**] attempts to download Dridex banking malware from
http :// www .cnbhgy .com/786585d/08g7g6r56r.exe but seems to be having problems and timing out... Update: it eventually downloaded (VirusTotal 2/54***)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/6...is/1453193244/
** https://malwr.com/analysis/ODliNGI1N...Q1MDFjYmNiNDc/
123.1.157.76
216.59.16.175
13.107.4.50
*** https://www.virustotal.com/en/file/e...is/1453194356/
TCP connections
216.59.16.175
8.254.218.14
- http://blog.dynamoo.com/2016/01/malw...urchasing.html
19 Jan 2016 - "This -fake- financial spam comes with a malicious attachment:
Header screenshot: http://www.insureandgo.com/emails/07...per_header.jpg
Your policy number: MF/CP/205121/14068156
Dear customer, Thank you for buying your travel insurance from Cheaper.
Your policy documents are attached.
Date: 18/01/2016
Amount: £849.29
Quote number: 21272810
Policy number: MF/CP/205121/14068156 ...
The sender appears to be from info[some-random-number]@ Resellers.insureandgo .com, but it is just a simple forgery. Attached is a malicious Word document that I have seen -five- different versions... download locations as:
www .cnbhgy .com/786585d/08g7g6r56r.exe
seaclocks .co .uk/786585d/08g7g6r56r.exe
mosaicambrosia .com/786585d/08g7g6r56r.exe
This has a VirusTotal result of 3/54*.... combined with this Hybrid Analysis** show traffic to:
216.59.16.175 (Immedion LLC, US / VirtuaServer Informica Ltda, Brazil)
195.96.228.199 (Bulgarian Academy Of Sciences, Bulgaria)
200.57.183.176 (Triara.com, S.A. de C.V., Mexico)
62.109.133.248 (Ignum s.r.o, Czech Republic)
103.23.154.184 (Ozhosting.com Pty Ltd, Australia)
41.38.18.230 (TE Data, Egypt)
202.137.31.219 (Linknet, Indonesia)
176.53.0.103 (Network Devices, Turkey)
The payload is the Dridex banking trojan, and this activity is consistent with the botnet 220 campaign...
Recommended blocklist:
* https://www.virustotal.com/en/file/e...is/1453194985/
TCP connections
216.59.16.175
8.254.218.14
** https://www.hybrid-analysis.com/samp...nvironmentId=4
___
Fake 'Payment overdue' SPAM - malicious attachment
- http://blog.dynamoo.com/2016/01/malw...t-overdue.html
19 Jan 2016 - "This -fake- financial spam does not come from the Daily Mail, but is instead a simple -forgery- with a malicious attachment:
From Raashida Sufi [Raashida.Sufii@ dmgmedia .co.uk]
Date Tue, 19 Jan 2016 11:40:37 +0300
Subject Daily Mail - Payment overdue
Hi,
I have currently taken over from my colleague Jenine so will be your new POC going
forward.
I have attached an invoice that is currently overdue for £360.00. Kindly email me
payment confirmation today so we can bring your account up to date?
Kind Regards
Rash Sufi ...
I have seen -three- different versions of the malicious attachment Invoice.doc (VirusTotal results 4/53[1]...). The Malwr analysis of these documents [4]... shows that the payload is identical to the Dridex banking trojan described here*."
1] https://www.virustotal.com/en/file/3...is/1453197760/
4] https://malwr.com/analysis/ZGRmYTEwN...I0MGM2ODM3ZGY/
23.229.242.73
216.59.16.175
13.107.4.50
* http://blog.dynamoo.com/2016/01/malw...urchasing.html
- http://myonlinesecurity.co.uk/daily-...d-doc-malware/
19 Jan 2016 - "... an email with the subject of 'Daily Mail – Payment overdue'... with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...
Screenshot: http://myonlinesecurity.co.uk/wp-con...e-1024x775.png
19 January 2016: Invoice.doc - Current Virus total detections 4/53*
This will download Dridex banking malware [ http :// www .cnbhgy .com/786585d/08g7g6r56r.exe ] which is the same location and malware as today’s earlier malspam run**..."
* https://www.virustotal.com/en/file/3...is/1453195633/
** http://myonlinesecurity.co.uk/thank-...d-doc-malware/
___
Fake 'Remittance Advice' SPAM - malicious attachment
- http://blog.dynamoo.com/2016/01/malw...-1b859e37.html
19 Jan 2016 - "This -fake- financial does not come from Bellingham + Stanley but is instead a simple -forgery- with a malicious attachment. Reference numbers and sender names will vary.
From: Adeline Harrison [HarrisonAdeline20@ granjacapital .com.br]
Date: 19 January 2016 at 09:45
Subject: Remittance Advice 1B859E37
For the attention of Accounts Receivable,
We are attaching an up to date remittance advice detailing the latest payment on your account.
Please contact us on the email address below if you would like your remittance sent to a different email address, or have any queries regarding your remittance.
Kind regards,
Adeline Harrison ...
I have seen at least -four- different variations of the attachment, named in the format remittance_advice14DDA974.doc ... Malwr reports... show those samples communicating with:
http :// 179.60.144.19/victor/onopko.php
http :// 5.34.183.127/victor/onopko.php
Those IPs are:
179.60.144.19 (Veraton Projects, Netherlands)
5.34.183.127 (ITL Company, Ukraine)
UPDATE 1: this related spam run also downloads from:
91.223.88.206/victor/onopko.php
This is allocated to "Private Person Anton Malyi" in Ukraine. A file aarab.exe is dropped... [VT 4/53*] which appears to communicate** with:
198.50.234.211 (OVH, Canada)
I strongly recommend that you -block- traffic to that IP. The payload is the Dridex banking trojan, this attack is consistent with botnet 120.
UPDATE 2: This other Dridex 120 spam run[1] uses different download locations:
46.17.100.209 /aleksei/smertin.php
31.131.20.217 /aleksei/smertin.php
The dropped "aarab.exe" file is also different... and a detection rate of just 2/54***.
Recommended blocklist:
198.50.234.211
179.60.144.19
5.34.183.127
91.223.88.206
46.17.100.209
31.131.20.217 "
* https://www.virustotal.com/en/file/6...is/1453202263/
** https://malwr.com/analysis/OWMwZWMzO...cxZmNhYjNkNjk/
198.50.234.211
13.107.4.50
1] http://blog.dynamoo.com/2016/01/malw...dvice-for.html
*** https://www.virustotal.com/en/file/e...is/1453211427/
- http://myonlinesecurity.co.uk/remitt...d-doc-malware/
19 Jan 2016 - "Dridex is definitely back with a vengeance today. The latest one of a long line is an email with the subject of 'Remittance Advice For Invoice 04050722' from C-Tech (random numbers) pretending to come from random names and email addresses with a malicious word doc attachment is another one from the current bot runs... The email looks like:
From: Carey Lucas <LucasCarey44@ search4what .com>
Date: Tue 19/01/2016 09:41
Subject: Remittance Advice For Invoice 04050722 From C-Tech
Dear Accounts
Please find attached our current remittance advice.
Kind Regards
Carey Lucas MAAT
Accounts Assistant ...
19 January 2016: C-Tech Remittance04050722.doc - Current Virus total detections 3/55*
downloads an -updated- Dridex banking malware from the ones described in this earlier run** from
http :// 46.17.100.209 /aleksei/smertin.php or http :// 31.131.20.217 /aleksei/smertin.php (VirusTotal 2/54***)
Each attempt at download seems to give me a -different- named file... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/6...is/1453211898/
** http://myonlinesecurity.co.uk/ac-433...sheet-malware/
*** https://www.virustotal.com/en/file/e...is/1453211427/
aarab.exe
46.17.100.209: https://www.virustotal.com/en/ip-add...9/information/
31.131.20.217: https://www.virustotal.com/en/ip-add...7/information/
___
Twitter is back up ...
- http://www.theinquirer.net/inquirer/...r-major-outage
Jan 19 2016 - "... Twitter was down for a decent time this morning. Long enough for people to start noticing and complaining about it on things like Facebook and in person... Twitter's status page*, which is presented through Yahoo's Tumblr, shows a trio of recent incidents..."
* http://twitterstatus.tumblr.com/
___
2016 Cisco Annual Security Report
- http://blogs.cisco.com/security/fore...ecurity-report
Jan 19, 2016 - "Our just-released 2016 Cisco Annual Security Report (ASR*) presents a challenging cybersecurity landscape: cyber defense teams are fighting to keep up with rapid global digitization while trying to integrate dozens of vendor solutions, speed up detection, and educate their organizations from top to bottom... attackers grow more bold, flexible, and resilient by the day, setting up professional infrastructures that look a lot like what we’d find in legitimate businesses. On the global front, we see fluctuations in cyber Internet governance across regions, which inhibits collaboration and the ability to respond to attacks... This year’s ASR reveals that attackers increasingly use legitimate online resources to launch their malicious campaigns. Though the news might speak to zero-day attacks, hackers also continue to deploy age-old malware to take advantage of weak spots such as unpatched servers. Aging infrastructure opens up green-field attack surfaces while uneven or inconsistent security practices remain a challenge... Other key insights from the 2016 ASR include a growing encryption trend (particularly HTTPS) for web traffic, which often provides a false sense of security to users—and for companies, potentially cloaks suspicious activity. We are also seeing more use of compromised WordPress servers to support ransomware, bank fraud, and phishing attacks. Alarmingly, between February and October 2015, the number of compromised WordPress installations used by cybercriminals grew by more than 221%... Increased attention, measurable results, added resilience, and focusing on what we can control are all possible now – so let’s capitalize on the moment before it’s too late."
(More detail at the cisco URL above.)
* http://www.cisco.com/c/m/en_us/offer...Code=001031952
-
Fake 'Tax Invoice', 'Letter-response', 'Order Confirmation' SPAM, Malvertising
FYI...
The 25 worst passwords of 2015
- https://nakedsecurity.sophos.com/201...make-the-list/
20 Jan 2016
> https://sophosnews.files.wordpress.c...-rank-list.png
___
Fake 'Tax Invoice' SPAM - doc malware
- http://myonlinesecurity.co.uk/tax-in...d-doc-malware/
20 Jan 2016 - "The Dridex bots seem to have fixed their problems with this email pretending to be a tax invoice with the subject of 'Tax Invoice IN092649' pretending to come from Karin Edwards <karin.edwards@ batonlockuk .com> with a malicious word doc or Excel XLS spreadsheet attachment which downloads Dridex banking Trojan/Malware... The email looks like:
From: Baton Lock Ltd <karin.edwards@ batonlockuk .com>
Date:Wed 20/01/2016 10:36
Subject: Tax Invoice IN092649
Tax Invoice IN092649 from Baton Lock Ltd.
Best Regards
Karin Edwards
Baton Lock Ltd
20 January 2016: Tax Invoice IN092649.DOC - Current Virus total detections 3/54*
Downloads Dridex banking malware... [I expect it to be the same locations as this earlier run[1] and will update if there is any difference]... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/3...is/1453285912/
1] http://myonlinesecurity.co.uk/your-c...ls-attachment/
- http://blog.dynamoo.com/2016/01/malw...649-karin.html
20 Jan 2016 - "This -fake- financial spam is not from Baton Lock Ltd but is instead a simple -forgery- with a malicious attachment.
From: Karin Edwards [karin.edwards@ batonlockuk .com]
Date: 20 January 2016 at 09:34
Subject: Tax Invoice IN092649
Tax Invoice IN092649 from Baton Lock Ltd.
Best Regards
Karin Edwards
Baton Lock Ltd
Attached is a file Tax Invoice IN092649.DOC which comes in at least two different versions (VirusTotal results [1] [2]) which according to these Malwr reports [3] [4] downloads from:
www .lassethoresen .com/98jh6d5/89hg56fd.exe
www .helios .vn/98jh6d5/89hg56fd.exe
The dropped file is Dridex, the same as used in this campaign*."
* http://blog.dynamoo.com/2016/01/malw...n-its-way.html
1] https://www.virustotal.com/en/file/4...is/1453286684/
2] https://www.virustotal.com/en/file/f...is/1453286698/
3] https://malwr.com/analysis/N2VlNmM3N...RjMmMwM2MyNTE/
198.173.254.216
37.49.223.235
62.221.68.80
216.224.175.92
13.107.4.50
4] https://malwr.com/analysis/MzNjNGI1M...I3NDgzZTNiOGY/
103.28.38.14
216.224.175.92
13.107.4.50
___
Fake 'Invoice / Credit Note' SPAM - malicious attachment
- http://blog.dynamoo.com/2016/01/malw...edit-note.html
20 Jan 2016 - "This -fake- financial spam is not from Express Newspapers but is instead a simple -forgery- with a malicious attachment:
From: georgina.kyriacoumilner@ express .co.uk
Reply-To: hannah.johns@ express .co.uk
Date: 20 January 2016 at 14:28
Subject: Invoice / Credit Note Express Newspapers (S174900)
Please find attached Invoice(s) / Credit Note(s) from Express Newspapers...
N.B. Please do not reply to this email address as it is not checked.
Kind Regards,
Express Newspapers...
Attached is a file S174900.DOC which comes in at least three different versions... and the Malwr reports for those... shows the following download locations:
www .helios .vn/98jh6d5/89hg56fd.exe [404 error]
202.191.112.60 /~n02022-1/98jh6d5/89hg56fd.exe
www .lassethoresen .com/98jh6d5/89hg56fd.exe
These are the same locations as seen here*, but now the payload has -changed- ... and a detection rate of 1/54**. The malware still phones home to
216.224.175.92 (SoftCom America Inc, US) which I recommend you -block-"
* http://blog.dynamoo.com/2016/01/malw...n-its-way.html
** https://www.virustotal.com/en/file/8...is/1453307125/
TCP connections
216.224.175.92
13.107.4.50
- http://myonlinesecurity.co.uk/invoic...macro-malware/
20 Jan 2016 - "... an email that pretends to be an invoice/credit note from express newspapers with the subject of 'Invoice / Credit Note Express Newspapers (S174900)' pretending to come from georgina.kyriacoumilner@ express .co.uk with a malicious word doc attachment is another one from the current bot runs...
Screenshot: http://myonlinesecurity.co.uk/wp-con...0-1024x609.png
20 January 2016: S174900.DOC - Current Virus total detections 1/53*
Downloads Dridex from www .lassethoresen .com/98jh6d5/89hg56fd.exe and I am sure other versions of this attachment will download from all the other Dridex locations today** ... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/e...is/1453306851/
** http://myonlinesecurity.co.uk/emaili...d-doc-malware/
___
Fake 'Letter-response' SPAM - malicious attachment
- http://blog.dynamoo.com/2016/01/malw...05-letter.html
20 Jan 2016 - "... this -fake- financial email isn't from Tim or Plan4Print (aka Excel Colour Print) at all, but is a simple -forgery- with a malicious attachment.
From Tim Speed [Tim@ plan4print .co.uk]
Date Wed, 20 Jan 2016 14:33:24 +0300
Subject Emailing: 120205 Letter-response A3 2-2
Hi
Please find estimate attached for Letter-response A3 2-2
Kind regards
Tim Speed
Estimator / Account Handler ..
Attached is a file 120205 Letter-response A3 2-2.doc of which I have seen just a single sample, with a VirusTotal result of 3/54*. The Malwr report** shows it downloading from:
www .lassethoresen .com/98jh6d5/89hg56fd.exe
This is the same malicious binary as used in this earlier attack***. The payload is the Dridex banking trojan."
* https://www.virustotal.com/en/file/3...is/1453293437/
** https://malwr.com/analysis/ZWViMDQyZ...c5Y2UyYjFiMjc/
198.173.254.216
216.224.175.92
8.253.44.158
*** http://blog.dynamoo.com/2016/01/malw...n-its-way.html
- http://myonlinesecurity.co.uk/emaili...d-doc-malware/
20 Jan 2016 - "... an email with the subject of 'Emailing: 120205 Letter-response A3 2-2' pretending to come from Tim Speed <Tim@plan4print .co.uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...
Screenshot: http://myonlinesecurity.co.uk/wp-con...2-1024x676.png
20 January 2016: 120205 Letter-response A3 2-2.doc - Current Virus total detections 3/54*
Downloads an -updated- Dridex version from today’s earlier ones from http ://www.helios .vn/98jh6d5/89hg56fd.exe (VirusTotal 1/54**). I am sure all the other same locations*** will also be used in different versions of this attachment..."
* https://www.virustotal.com/en/file/1...is/1453296447/
** https://www.virustotal.com/en/file/8...is/1453296242/
TCP connections
216.224.175.92: https://www.virustotal.com/en/ip-add...2/information/
13.107.4.50: https://www.virustotal.com/en/ip-add...0/information/
*** http://myonlinesecurity.co.uk/your-c...ls-attachment/
___
Fake 'Order Confirmation' SPAM - doc/xls attachment
- http://myonlinesecurity.co.uk/emaile...ls-attachment/
20 Jan 2016 - "The Dridex bots are back to having another bad day. Over the last few days they have sent numerous different malformed/damaged/broken malspams. Today, the first damaged/malformed/broken one is an email with the subject of 'Emailed Order Confirmation – 94602:1' pretending to come from DANE THORNTON <dane@ direct-electrical .com> with a damaged attachment that is supposed to be a malicious word doc or XLS spreadsheet attachment... The damaged/broken attachment has a name something like Order_94602~1.doc. It would, if fixed, download Dridex. The email looks like:
From: DANE THORNTON <dane@ direct-electrical .com>
Date: Wed 20/01/2016 08:55
Subject: Emailed Order Confirmation – 94602:1
DANE THORNTON
This email attachment contains what appears to be a genuine word doc or Excel XLS spreadsheet with either a macro script or an embedded OLE object that when run will infect you... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
- http://blog.dynamoo.com/2016/01/malw...led-order.html
20 Jan 2016 - "This -fake- financial spam is meant to have a malicious attachment.
From "DANE THORNTON" [dane@ direct-electrical .com]
Date Wed, 20 Jan 2016 16:31:21 +0800
Subject Emailed Order Confirmation - 94602:1
--
DANE THORNTON
Attached is a file Order_94602~1.doc which in all the samples I have seen has been attached incorrectly to the email, and it will either appear to be zero length or garbage. The payload is meant to be the Dridex banking trojan, but this is the latest of several incidents lately where the bad guys have screwed up..."
___
MSN - More Malware via Malvertising
- https://blog.malwarebytes.org/malver...-malvertising/
Jan 19, 2015 - "Malvertisers are once again abusing ad technology platform AdSpirit and exposing visitors of the MSN homepage to malware. These attacks appeared to have been primarily focused on German users via an ad for Lidl, one of Germany’s leading supermarkets. This is not the first time we have caught malvertising on MSN or via AdSpirit. Each time, we spot telltale signs of suspicious activity with advertiser domains freshly created a few days prior to the attack or hiding behind the CloudFlare service.
Perhaps the only surprise here was to find -different- exploit kits than the usual Angler EK to carry out the execution to the malware payload. In two separate incidents, we observed the RIG and Neutrino exploit kits... While we did not collect the payload in these specific attacks, other similar captures of RIG during the same time frame show that -CryptoWall-ransomware- was downloaded onto vulnerable machines:
> https://blog.malwarebytes.org/wp-con...Cryptowall.png
We immediately notified AdSpirit about those incidents which were confirmed and addressed promptly. AppNexus also deactivated the offending ad objects and will be doing a further review about these attacks. To prevent these malvertising infections please ensure that your computer is up-to-date and that you are running the right security tools to mitigate those attacks..."
___
Trojan for Linux takes screenshots
- https://news.drweb.com/show/?i=9790&c=5&lng=en&p=0
Jan 19, 2016 - "Malware for Linux becomes more and more diverse. Among them are spyware programs, ransomware, and Trojans designed to carry out DDoS attacks. Doctor Web security researchers examined yet another cybercriminals’ creation dubbed Linux.Ekoms.1. This Trojan can periodically take screenshots and download different files to a compromised machine. Once launched, Linux.Ekoms.1 checks whether one of the subfolders in the home directory contains files with specified names. If it fails to find any, it randomly chooses a subfolder to save its own copy there. Then, the Trojan is launched from the new location. If successful, the malicious program establishes a connection to the server whose addresses are hard-coded in its body. All information transmitted between the server and Linux.Ekoms.1 is encrypted. Every 30 seconds the Trojan takes a screenshot and saves it to a temporary folder in the JPEG format. If the file is not saved, the Trojan tries to save it in the BMP format. The temporary folder is uploaded to the server at specified intervals..."
-
Fake '201552 ebill', 'Telephone Bill', 'Replacement Keys', 'Healthcare' SPAM
FYI...
Fake Facebook emails deliver malware / phish ...
- http://net-security.org/malware_news.php?id=3191
21.01.2016 - "A new spam campaign is targeting Facebook users. It uses the same approach as the recent one aimed at WhatsApp users, and Comodo researchers* believe that the authors of both campaigns are likely the same. The -fake- emails are made to look like an official communication from the popular social network, and their goal is to make the victims believe they have received a voice message..."
* https://blog.comodo.com/comodo-news/...alware-attack/
Jan 21, 2016 - "... As part of a random -phishing- campaign, cybercriminals were sending -fake- emails representing the information as official WhatsApp content to spread malware when the attached “message” was clicked on. Now, researchers at the Threat Research Lab have identified a very similar phishing campaign targeted at businesses and consumers who use Facebook – most likely designed by the same cyber criminals who developed the WhatsApp malware. And just like the WhatsApp malware, the new Facebook malware tries to represent itself as an email from Facebook which states there is a new message for the recipient. The email address and sender’s name try to brand themselves as Facebook, but the sender’s email address is from different domains and not in any way related to the Facebook company... The malware in the email itself is in a .zip file, sent as an attachment. Inside the zip file there is an executable file. Upon executing the file (e.g. clicking on the attachment), the malware will automatically replicate itself into the “C:\” directory and add itself into an auto-run in the computer’s registry, spreading the malware. Additionally, like the WhatsApp malware, the engineers at Comodo have also identified this new Facebook malware as a variant of the “Nivdort” malware** family... A screen grab of the -malicious- email has been captured below:
> https://blog.comodo.com/wp-content/uploads/Nivdort.png
** https://file-intelligence.comodo.com...1d3f0dbad90efd
___
Fake '201552 ebill' SPAM - malicious attachment
- http://blog.dynamoo.com/2016/01/malw...nvoicecom.html
21 Jan 2016 - "This -fake- financial email comes with a malicious attachment.
From invoices@ ebillinvoice .com
Date Thu, 21 Jan 2016 15:13:36 +0530
Subject 201552 ebill
Customer No : 8652
Email address : [redacted]
Attached file name : 8652_201552.DOC
Dear customer
Please find attached your invoice for 201552.
To manage your account online - please visit Velocity...
There are at least -three- different versions of the attachment 8652_201552.doc (VirusTotal results [1] [2] [3])
for which the Malwr reports [4] [5] [6] indicate downloads from the following locations:
phaleshop .com/8h75f56f/34qwj9kk.exe
bolmgren .com/8h75f56f/34qwj9kk.exe
return-gaming .de/8h75f56f/34qwj9kk.exe
montaj-klimat .ru/8h75f56f/34qwj9kk.exe [spotted here*]
This binary has an MD5 of f23c05c44949c6c8b05ab54fbd9cee40 and a detection rate of 2/54**. Those reports indicate that it phones home to:
216.224.175.92 (SoftCom America Inc., US)
A contact (thank you) also pointed out some other locations the malware phones home to
216.59.16.175 (Immedion LLC, US / Virtuaserver Informica Ltda, Brazil)
216.117.130.191 (Advanced Internet Technologies Inc., US)
202.69.40.173 (Gerrys Information Technology (pvt) Ltd, Pakistan)
The payload is the Dridex banking trojan, being sent by botnet 220.
Recommended blocklist:
216.224.175.92
216.59.16.175
216.117.130.191
202.69.40.173 "
1] https://www.virustotal.com/en/file/9...is/1453373816/
2] https://www.virustotal.com/en/file/e...is/1453373886/
3] https://www.virustotal.com/en/file/9...is/1453373898/
4] https://malwr.com/analysis/MTQ2ZjM1M...ExNGEyMThlODk/
5] https://malwr.com/analysis/N2I4MDJlO...NlNDQ2OTlmZjE/
6] https://malwr.com/analysis/ZGVkZWYxM...E2NDAwODY3OWU/
* http://blog.dynamoo.com/2016/01/malw...tkeyscouk.html
** https://www.virustotal.com/en/file/c...is/1453374873/
TCP connections
216.224.175.92: https://www.virustotal.com/en/ip-add...2/information/
- http://myonlinesecurity.co.uk/201552...d-doc-malware/
21 Jan 2016 - "An email with the subject of '201552 ebill' pretending to come from invoices@ ebillinvoice .com with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
From: invoices@ ebillinvoice .com
Date: Thu 21/01/2016 09:37
Subject: 201552 ebill
Customer No : 8652
Email address : rob@ securityandprivacy .co.uk
Attached file name : 8652_201552.DOC
Dear customer
Please find attached your invoice for 201552.
To manage your account online – please visit Velocity...
21 January 2016: 8652_201552.DOC - Current Virus total detections 4/54*
... this will download Dridex banking malware from [ return-gaming .de/8h75f56f/34qwj9kk.exe ] (VirusTotal 2/55**)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/9...is/1453370622/
** https://www.virustotal.com/en/file/6...is/1453371930/
TCP connections
216.224.175.92: https://www.virustotal.com/en/ip-add...2/information/
13.107.4.50: https://www.virustotal.com/en/ip-add...0/information/
___
Fake 'Telephone Bill' SPAM - malicious attachment
- http://blog.dynamoo.com/2016/01/malw...hone-bill.html
21 Jan 2016 - "This -fake- financial spam has a malicious attachment.
From "The Billing Team" [noreply@ callbilling .co.uk]
Date Thu, 21 Jan 2016 11:44:19 +0100
Subject Your Telephone Bill Invoices & Reports
Please see the attached Telephone Bill & Reports.
Please use the contact information found on the invoice if you wish to contact your
service provider.
This message was sent automatically...
I have only seen a single sample of this email, with an attachment Invoice_316103_Jul_2013.doc which has a detection rate of 2/53*. The Malwr report** for that document shows a download location of:
bolmgren .com/8h75f56f/34qwj9kk.exe
That is one of the locations found with this earlier spam run***, and the payload is the Dridex banking trojan."
* https://www.virustotal.com/en/file/b...is/1453376703/
** https://malwr.com/analysis/MjYwZTRhY...E0Y2JlZWY0Y2Q/
195.128.175.9
216.224.175.92
13.107.4.50
*** http://blog.dynamoo.com/2016/01/malw...nvoicecom.html
- http://myonlinesecurity.co.uk/your-t...sheet-malware/
21 Jan 2016 - "An email with the subject of 'Your Telephone Bill Invoices & Reports' pretending to come from The Billing Team <noreply@ callbilling .co.uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
From: The Billing Team <noreply@ callbilling .co.uk>
Date: Thu 21/01/2016 10:20
Subject: Your Telephone Bill Invoices & Reports
Please see the attached Telephone Bill & Reports.
Please use the contact information found on the invoice if you wish to contact your service provider.
This message was sent automatically...
21 January 2016: Invoice_316103_Jul_2013.doc - Current Virus total detections 2/54*
This will also download Dridex banking malware from
http ://return-gaming .de/8h75f56f/34qwj9kk.exe which is the -same- download site as today’s other concurrent malspam run**..."
* https://www.virustotal.com/en/file/1...is/1453371806/
** http://myonlinesecurity.co.uk/201552...d-doc-malware/
___
Fake 'Replacement Keys' SPAM - malicious attachment
- http://blog.dynamoo.com/2016/01/malw...tkeyscouk.html
21 Jan 2016 - "This spam has a malicious attachment. It does not come from admin@ replacementkeys .co.uk but is instead a simple -forgery- with a malicious attachment.
From Replacement Keys [admin@ replacementkeys .co.uk]
Date Thu, 21 Jan 2016 17:15:08 +0530
Subject =?utf-8?B?TmV3IE9yZGVyICMgMTAwMTE0MDAw?=
Order Received!
We will send you another email when it has been dispatched . If you have any questions about your order please reply to this email. Your order confirmation is below. Thank you for ordering from us.
Thank you again,
Replacement Keys
Attached is a file INVOICEPaid_100114000.xls of which I have only seen a single variant. The VirusTotal detection rate is 4/53* and the Malwr report** indicates a download location from:
montaj-klimat .ru/8h75f56f/34qwj9kk.exe
The binary dropped is identical to the one in this earlier spam run*** and it leads to the Dridex banking trojan."
* https://www.virustotal.com/en/file/e...is/1453377591/
** https://malwr.com/analysis/NGZlMDk1Y...Q5NTU0NjcyZGY/
*** http://blog.dynamoo.com/2016/01/malw...nvoicecom.html
- http://myonlinesecurity.co.uk/new-or...sheet-malware/
21 Jan 2016 - "An email with the subject of 'New Order # 100114000' pretending to come from Replacement Keys <admin@ replacementkeys .co.uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
From: Replacement Keys <admin@ replacementkeys .co.uk>
Date: Thu 21/01/2016 12:21
Subject: New Order # 100114000
Order Received!
We will send you another email when it has been dispatched ...
21 January 2016: logmein_pro_receipt.xls - Current Virus total detections 4/52*
Downloads Dridex from http ://www .bridge-freunde-colonia .de/8h75f56f/34qwj9kk.exe (VirusTotal 1/49**)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/9...is/1453379373/
** https://www.virustotal.com/en/file/a...is/1453382710/
___
Fake 'Healthcare' SPAM - malicious attachment
- http://blog.dynamoo.com/2016/01/malw...hcare-ltd.html
21 Jan 2016 - "This -fake- financial spam does not come from Gompels Healthcare Ltd but is instead a simple -forgery- with a malicious attachment.
From: Gompels Healthcare ltd [salesledger@ gompels .co.uk]
Date: 21 January 2016 at 12:57
Subject: Gompels Healthcare Ltd Invoice
Hello
Please see attached pdf file for your invoice
Thank you for your business
The attachment is named fax00375039.doc and it comes in at least two different versions (VirusTotal [1] [2]) and the Malwr reports [3] [4] show download locations from:
return-gaming .de/8h75f56f/34qwj9kk.exe
phaleshop .com/8h75f56f/34qwj9kk.exe
That marks it out as Dridex 220, similar to this spam run*. However, the executable has -changed- from earlier and now has an MD5 of 95a1e02587182abfa66fdcf921ee476e and a zero detection rate at VirusTotal**. However, the malware still phones home to the same IP of 216.224.175.92 as before."
1] https://www.virustotal.com/en/file/3...is/1453381421/
2] https://www.virustotal.com/en/file/d...is/1453381734/
3] https://malwr.com/analysis/NGQ4NzYyN...AzNTg1ZDNjNjE/
82.165.218.65
216.224.175.92
8.254.249.78
4] https://malwr.com/analysis/OWZmYWQzO...EyZWU3M2VjNmU/
112.78.2.113
216.224.175.92
184.28.188.186
* http://blog.dynamoo.com/2016/01/malw...nvoicecom.html
** https://www.virustotal.com/en/file/a...is/1453381954/
216.224.175.92: https://www.virustotal.com/en/ip-add...2/information/
phaleshop .com: 112.78.2.113: https://www.virustotal.com/en/ip-add...3/information/
- http://myonlinesecurity.co.uk/gompel...d-doc-malware/
21 Jan 2016 - "An email with the subject of 'Gompels Healthcare Ltd Invoice' pretending to come from Gompels Healthcare ltd <salesledger@ gompels .co.uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
From: Gompels Healthcare ltd <salesledger@gompels.co.uk>
Date: Thu 21/01/2016 13:12
Subject: Gompels Healthcare Ltd Invoice
Hello
Please see attached pdf file for your invoice
Thank you for your business
21 January 2016: fax00375039.DOC - Current Virus total detections 5/54*
Downloads Dridex banking malware from
http ://phaleshop .com/8h75f56f/34qwj9kk.exe which is the -same- Dridex payload as described HERE**..."
* https://www.virustotal.com/en/file/d...is/1453383052/
** http://myonlinesecurity.co.uk/new-or...sheet-malware/
:fear::fear: :mad:
-
Fake 'scanner', 'mathforum', 'tracking info' SPAM
FYI...
Fake 'scanner' SPAM - malicious attachment
- http://blog.dynamoo.com/2016/01/malw...caminolta.html
22 Jan 2016 - "At the moment there is a heavy spam run pushing the Dridex banking trojan, pretending to be from a multifunction device or scanner.
Subject: Message from KONICA_MINOLTA
Subject: Message from MFD
Subject: Message from scanner
The spam appears to come from within the victim's own domain, from one of the following email addresses:
MFD@ victimdomain .tld
scanner@ victimdomain .tld
KONICA_MINOLTA@ victimdomain .tld
This is just a simple forgery. It doesn't mean that your organisation has been compromised... it really is a very simple trick. In all cases the attachment is named SKM_4050151222162800.doc, which appears to come in -three- versions... reports... indicate executable download locations at:
www .showtown-danceband .de/ghf56sgu/0976gg.exe
ausonia-feng-shui .de/ghf56sgu/0976gg.exe
gahal .cz/ghf56sgu/0976gg.exe
This binary has a detection rate of 1/54* and that VirusTotal report plus this Malwr report** show it phoning home to:
192.241.207.251 (Digital Ocean Inc., US)
I strongly recommend that you -block- traffic to that IP. The payload is the Dridex banking trojan, sent by botnet 220."
* https://www.virustotal.com/en/file/e...is/1453454938/
TCP connections
192.241.207.251: https://www.virustotal.com/en/ip-add...1/information/
89.149.175.18: https://www.virustotal.com/en/ip-add...8/information/
** https://malwr.com/analysis/Y2NhNDhlM...M5NzA0ODM2NmQ/
192.241.207.251: https://www.virustotal.com/en/ip-add...1/information/
8.254.207.46: https://www.virustotal.com/en/ip-add...6/information/
- http://myonlinesecurity.co.uk/messag...d-doc-malware/
22 Jan 2016 - "An email with the subject of 'Message from KONICA_MINOLTA' (or Message from MFD or any other scanner or printer) pretending to come from scanner@ <your email domain> on behalf of MFD@ <victim domain> with a malicious word doc attachment is another one from the current bot runs... The email looks like:
From: scanner@ malware-research .co.uk; on behalf of; MFD@ malware-research .co.uk
Date: Fri 22/01/2016 08:56
Subject: Message from KONICA_MINOLTA or Message from MFD or Message from Scanner
Body content: totally empty body
22 January 2016: SKM_4050151222162800.doc - Current Virus total detections 3/54*
Downloads Dridex banking malware from http ://ausonia-feng-shui .de/ghf56sgu/0976gg.exe
(VirusTotal **). Other download locations from different versions of this maldoc attachment are: www .showtown-danceband .de/ghf56sgu/0976gg.exe and gahal .cz/ghf56sgu/0976gg.exe
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/d...is/1453452819/
** https://www.virustotal.com/en/file/e...is/1453453469/
TCP connections
192.241.207.251: https://www.virustotal.com/en/ip-add...1/information/
89.149.175.18: https://www.virustotal.com/en/ip-add...8/information/
___
Fake 'mathforum' SPAM - JS malware
- http://myonlinesecurity.co.uk/hi-mat...rg-js-malware/
22 Jan 2016 - "An email with the subject of 'hi' coming from gshatford <gshatford@ mathforum .org> (probably -compromised- servers, that will be sending these out from multiple email addresses) with a zip attachment is another one from the current bot runs... The content of the email simply says:
DATE:1/22/2016 7:47:24 AM
22 January 2016: yu.zip: Extracts to: invoice_SCAN_1pMVj.js - Current Virus total detections 5/53*
[MALWR**] [WEPAWET***] which downloads 80.exe (virus total 2/55[4]) from a combination of these sites memyselveandi .com/80.exe | deempheal .com/80.exe - These have previously been teslacrypt/cryptowall or similar ransomware... it definitely is a password stealer and ransomware version [MALWR[5]].
This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like an innocent file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/3...is/1453449215/
** https://malwr.com/analysis/ZGFjNDBjM...Y0MzViM2IwMDg/
51.255.10.132
*** https://wepawet.iseclab.org/view.php...fd0932&type=js
4] https://www.virustotal.com/en/file/d...is/1453449556/
TCP connections
144.76.253.225: https://www.virustotal.com/en/ip-add...5/information/
182.50.147.1: https://www.virustotal.com/en/ip-add...1/information/
5] https://malwr.com/analysis/NmM0MDMzM...dhNjkyZjNjOTI/
___
Fake 'tracking info' SPAM - xls malware
- http://myonlinesecurity.co.uk/ukmail...sheet-malware/
22 Jan 2016 - "An email with the subject of 'UKMail 988271023 tracking information' pretending to come from no-reply@ ukmail .com with a malicious Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
From: no-reply@ ukmail .com
Date: Fri 22/01/2016 12:15
Subject: UKMail 988271023 tracking information
UKMail Info!
Your parcel has not been delivered to your address January 21, 2016, because nobody was at home.
Please view the information about your parcel, print it and go to the post office to receive your package.
Warranties
UKMail expressly disclaims all conditions, guarantees and warranties, express or implied, in respect of the Service.
Where the law prevents such exclusion and implies conditions and warranties into this contract,
where legally permissible the liability of UKMail for breach of such condition,
guarantee or warranty is limited at the option of UKMail to either supplying the Service again or paying the cost of having the service supplied again.
If you don’t receive a package within 30 working days UKMail will charge you for it’s keeping.
You can find any information about the procedure and conditions of parcel keeping in the nearest post office.
Best regards,
UKMail
22 January 2016: 988271023-PRCL.xls - Current Virus total detections 4/55*
This will download Dridex banking malware from
http ://www .stijnminne .be/ghf56sgu/0976gg.exe (VirusTotal 1/54**)... Dridex malware was seen in some examples of THIS earlier malspam run***, which was malspammed out in -several- waves throughout the morning. Note: Dridex updates frequently throughout the day..."
* https://www.virustotal.com/en/file/8...is/1453464516/
** https://www.virustotal.com/en/file/e...is/1453462957/
0976gg.exe
TCP connections
192.241.207.251: https://www.virustotal.com/en/ip-add...1/information/
89.149.175.18: https://www.virustotal.com/en/ip-add...8/information/
*** http://myonlinesecurity.co.uk/messag...d-doc-malware/
- http://blog.dynamoo.com/2016/01/malw...-tracking.html
22 Jan 2016 - "This -fake- delivery email is not from UKMail but is instead a simple -forgery- with a malicious attachment:
From: no-reply@ ukmail .com
Date: 22 January 2016 at 12:14
Subject: UKMail 988271023 tracking information
UKMail Info!
Your parcel has not been delivered to your address January 21, 2016, because nobody was at home.
Please view the information about your parcel, print it and go to the post office to receive your package...
If you don't receive a package within 30 working days UKMail will charge you for it's keeping.
You can find any information about the procedure and conditions of parcel keeping in the nearest post office.
Best regards,
UKMail
The attachment is named 988271023-PRCL.xls which appears to come in at least two variants (VirusTotal [1] [2]) which according to these Malwr reports [3] [4] downloads a malicious executable from:
www .stijnminne .be/ghf56sgu/0976gg.exe
raeva .com.ua/ghf56sgu/0976gg.exe
This binary has a detection rate of 4/54*. It is the -same- payload as found in this earlier spam run**."
1] https://www.virustotal.com/en/file/e...is/1453467080/
2] https://www.virustotal.com/en/file/8...is/1453467094/
3] https://malwr.com/analysis/N2JmNGEyM...cxNjM4MDBlZDg/
91.234.32.117
192.241.207.251
13.107.4.50
4] https://malwr.com/analysis/ZjkyMGFhZ...FkN2Q5Nzc1Mjg/
195.130.132.84
192.241.207.251
184.25.56.42
* https://www.virustotal.com/en/file/e...is/1453467328/
0976gg.exe
TCP connections
192.241.207.251: https://www.virustotal.com/en/ip-add...1/information/
89.149.175.18: https://www.virustotal.com/en/ip-add...8/information/
** http://blog.dynamoo.com/2016/01/malw...caminolta.html
:fear::fear: :mad:
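The posts above keep reporting the same pattern: one URI path (/8h75f56f/34qwj9kk.exe on 21 Jan, /ghf56sgu/0976gg.exe on 22 Jan) served from many different compromised hosts, followed by call-backs to a short list of C2 addresses. As an added example (not code from the quoted blogs), the script below turns those indicators into a small proxy-log detector that matches on the path rather than the host, so a new download domain is still caught; it assumes a Squid-style access log layout and the log lines are constructed for the demo.

```python
"""Added example: detect the Dridex botnet 220 download paths and C2 addresses
quoted in the posts above in a Squid-style proxy access log.
All indicators come from the posts; the log lines below are constructed."""
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Download paths quoted in the posts (the host part varies per maldoc variant).
DRIDEX_DOWNLOAD_PATHS = {
    "/8h75f56f/34qwj9kk.exe",  # 21 Jan 2016 runs (ebill, Telephone Bill, Replacement Keys, Gompels)
    "/ghf56sgu/0976gg.exe",    # 22 Jan 2016 runs (scanner / MFD, UKMail tracking)
}

# C2 addresses the posts recommend blocking.
DRIDEX_C2 = {
    ipaddress.ip_address(a) for a in (
        "216.224.175.92", "216.59.16.175", "216.117.130.191", "202.69.40.173",  # 21 Jan
        "192.241.207.251",                                                    # 22 Jan
    )
}

# Assumed Squid native log layout: "timestamp elapsed client code/status bytes method url ..."
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)


def classify(line):
    """Return (client, verdict, detail) for one log line, or None if clean/unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = m.group("url")
    # CONNECT targets are logged as host:port without a scheme; add one so urlsplit works.
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""
    # Match the path case-insensitively: the host is whatever site the actors compromised today.
    if parts.path.lower() in DRIDEX_DOWNLOAD_PATHS:
        return (m.group("client"), "dridex-download", f"{host}{parts.path}")
    try:
        if ipaddress.ip_address(host) in DRIDEX_C2:
            return (m.group("client"), "dridex-c2", host)
    except ValueError:
        pass  # a hostname, not a bare IP address
    return None


def scan(lines):
    """Group hits per client so a download followed by C2 traffic stands out."""
    hits = defaultdict(list)
    for line in lines:
        r = classify(line)
        if r:
            hits[r[0]].append((r[1], r[2]))
    return dict(hits)


# Constructed sample log: one client that ran the maldoc, one that only browsed normally,
# and one that fetched the same path from a host not in any published list.
SAMPLE_LOG = """\
1453370000.123 210 10.0.0.15 TCP_MISS/200 188416 GET http://return-gaming.de/8h75f56f/34qwj9kk.exe - DIRECT/1.2.3.4 application/octet-stream
1453370005.456 100 10.0.0.15 TCP_MISS/200 512 POST http://216.224.175.92:443/ - DIRECT/216.224.175.92 text/html
1453370007.000 80 10.0.0.15 TCP_TUNNEL/200 2048 CONNECT 216.224.175.92:443 - DIRECT/216.224.175.92 -
1453370010.789 50 10.0.0.22 TCP_HIT/200 9000 GET http://example.org/index.html - NONE/- text/html
1453370012.000 60 10.0.0.22 TCP_MISS/200 700 GET http://newhost.example/8H75F56F/34QWJ9KK.EXE - DIRECT/5.6.7.8 application/octet-stream
"""

if __name__ == "__main__":
    for client, events in scan(SAMPLE_LOG.splitlines()).items():
        print(client)
        for verdict, detail in events:
            print(f"  {verdict:16} {detail}")
```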
-
Fake 'E-mail-Account Update' PHISH
FYI...
Fake 'E-mail-Account Update' SPAM – PHISH ...
- http://myonlinesecurity.co.uk/e-mail...date-phishing/
24 Jan 2016 - "A slightly different -phishing- email today, that pretends to be a notice from your email provider saying that you 'need to update your email'. All the ones I have seen are addressed to different names at different email domains...
Screenshot: http://myonlinesecurity.co.uk/wp-con...e-1024x615.png
The links behind all the links go to http ://www .clavadelriverlodge .co.za/images/upgrade/index.php?email=name@ victimdomain .com, where they have set up rather a clever attempt to get your email log in details. They already have your email address and want the -password- to go along with it.
The site does a fairly good imitation of a Cpanel page with a processing bar that gradually increases to 100%. The name on the page is dynamically created based on the email address in the referral. The phishers have gone to quite a lot of trouble and effort with this one. Luckily Internet Explorer smart filter knows about it & warns you with a bright red Address bar in your browser. Unfortunately Chrome & Firefox haven’t caught up yet:
> http://myonlinesecurity.co.uk/wp-con...e-1024x599.png
... Watch for -any- site that invites you to enter ANY personal, log in or financial information... All of these emails use Social engineering tricks to persuade you to open the -attachments- or follow the -links- that come with the email..."
clavadelriverlodge .co.za: 192.185.174.108: https://www.virustotal.com/en/ip-add...8/information/
:fear::fear: :mad:
-
Fake 'Direct Debit', 'Order PO' SPAM
FYI...
Fake 'Direct Debit' SPAM - doc/xls malware
- http://myonlinesecurity.co.uk/direct...d-doc-malware/
25 Jan 2016 - "... mass Dridex malspams. The first is an email with random subject of 'Direct Debit Mandate' from [random companies] pretending to come from random senders with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
From: Ezekiel Holcomb <HolcombEzekiel7086@ acttv .in>
Date: Mon 25/01/2016 09:10
Subject: Direct Debit Mandate from Thames Water Authority
Good morning
Please attached Direct Debit Mandate from Thames Water Authority;
complete, sign and scan return at your earliest convenience.
Kind regards,
Ezekiel Holcomb
TEAM SUPPORT
Thames Water Authority ...
25 January 2016 : SharpC1889@acttv.in_4430446.doc - Current Virus total detections 3/52*
MALWR** shows it downloads Dridex from http ://109.234.35.80 /konfetka/roschen.php which gave me a file named mancity.exe (VirusTotal ***)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/2...is/1453712908/
** https://malwr.com/analysis/MDM5MGFkM...ljYTIyMjUzMDM/
109.234.35.80
*** https://www.virustotal.com/en/file/d...is/1453713995/
109.234.35.80: https://www.virustotal.com/en/ip-add...0/information/
___
Fake 'Order PO' SPAM - malware
- http://myonlinesecurity.co.uk/order-...00731-malware/
25 Jan 2016 - "An email with the subject of 'Order PO # 10000731' pretending to come from Parkcom Co.ltd <simpark@ parkcom .co.kr> with a zip attachment is another one from the current bot runs... The email looks like:
From: Parkcom Co.ltd <simpark@ parkcom .co.kr>
Date: Mon 25/01/2016 03:39
Subject: Order PO # 10000731
Attachment: PO _ 10000731.zip
Body content:
Dear Customer,
Find attached our purchase order. Kindly quote us best price and send us proforma invoice asap, so that we can proceed with the necessary payment,We need this Order urgently. kindly confirm the PO and send PI asap.
Thank you.
Ms. Sim Park ...
Today's Date: PO _ 10000731.zip: Extracts to: PO # 10000731.exe - Current Virus total detections 9/54*
I don’t actually know what this one does. The detections are all generic detections. MALWR crashed.
This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/3...is/1453717414/
TCP connections
23.206.38.87: https://www.virustotal.com/en/ip-add...7/information/
:fear::fear: :mad:
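The "spoofed icon" attachments described above (PO # 10000731.exe inside PO _ 10000731.zip here, invoice_SCAN_1pMVj.js inside yu.zip in the mathforum run) rely on the extension being hidden so the icon is all the user sees. As an added example that is not from the quoted blog, the mail-gateway triage below judges zip members by their real extension, flags decoy double extensions such as invoice.pdf.exe, and treats an unreadable archive as suspicious; the zips are constructed in memory with the member names from the posts and dummy contents.

```python
"""Added example: triage zip attachments by the real extension of their members,
ignoring icons and MIME labels.  Sample archives are constructed in memory."""
import io
import zipfile

EXECUTABLE = {".exe", ".scr", ".com", ".pif", ".cpl", ".bat", ".cmd"}
SCRIPT = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".ps1"}
MACRO_DOC = {".doc", ".xls", ".dot", ".docm", ".xlsm"}
DECOYS = (".pdf", ".doc", ".xls", ".jpg", ".txt")
SEVERITY = {"allow": 0, "quarantine": 1, "block": 2}


def real_extension(name):
    """Last extension of the file name, lower-cased; padding spaces before it are ignored."""
    base = name.rsplit("/", 1)[-1].rstrip(" ")
    if "." not in base:
        return ""
    return "." + base.rsplit(".", 1)[1].lower()


def verdict_for_name(name):
    """Classify one archive member by what it will actually run as when double-clicked."""
    ext = real_extension(name)
    base = name.rsplit("/", 1)[-1].lower().replace(" ", "")
    if ext in EXECUTABLE:
        # "invoice.pdf.exe": the icon may say PDF, the extension says program.
        doubled = any(base.endswith(d + ext) for d in DECOYS)
        return "block", "executable" + (" with decoy double extension" if doubled else "")
    if ext in SCRIPT:
        return "block", "script downloader"
    if ext in MACRO_DOC:
        return "quarantine", "macro-capable office document"
    return "allow", "no executable extension"


def triage_zip(data):
    """Return (worst verdict, [(member, verdict, reason), ...]) for a zip blob."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        # A deliberately damaged archive still deserves a look, not a pass-through.
        return "block", [("<corrupt>", "block", "unreadable archive")]
    worst, findings = "allow", []
    for n in names:
        if n.endswith("/"):
            continue  # directory entry
        v, why = verdict_for_name(n)
        findings.append((n, v, why))
        if SEVERITY[v] > SEVERITY[worst]:
            worst = v
    return worst, findings


def make_zip(members):
    """Build an in-memory zip with dummy content (constructed test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in members:
            zf.writestr(name, b"dummy")
    return buf.getvalue()


# Constructed samples modelled on the posts: the Order PO zip and the mathforum yu.zip.
PO_ZIP = make_zip(["PO # 10000731.exe"])
YU_ZIP = make_zip(["invoice_SCAN_1pMVj.js"])
BENIGN_ZIP = make_zip(["report.pdf", "notes.txt"])

if __name__ == "__main__":
    for label, blob in (("PO _ 10000731.zip", PO_ZIP), ("yu.zip", YU_ZIP), ("benign.zip", BENIGN_ZIP)):
        worst, findings = triage_zip(blob)
        print(f"{label}: {worst}")
        for member, verdict, why in findings:
            print(f"  {member!r}: {verdict} ({why})")
```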
-
Payment data security, Fake 'Refund', 'Bill', 'Heating Invoice' SPAM, TurboTax Phish
FYI...
Payment data security - at risk...
- http://net-security.org/secworld.php?id=19369
26 Jan 2016 - "With acceptance of mobile and other new forms of payments expected to double in the next two years, a new global study shows a critical need for organizations to improve their payment data security practices. This is according to a recent survey of more than 3,700 IT security practitioners from more than a dozen major industry sectors conducted by the Ponemon Institute for Gemalto*... 54% of those surveyed said their company had a security or data breach involving payment data, four times in the past two years on average. This is not surprising given the security investments, practices and procedures highlighted by the surveyed respondents:
- 55% said they did -not- know where all their payment data is stored or located.
- Ownership for payment data security is -not- centralized with 28% of respondents saying responsibility is with the CIO, 26% saying it is with the business unit, 19% with the compliance department, 15% with the CISO, and 14% with other departments.
- 54% said that payment data security is -not- a top five security priority for their company with only one third (31%) feeling their company allocates enough resources to protecting payment data.
- 59% said their company -permits- third party access to payment data and of these only 34% utilize multi-factor authentication to secure access.
- Less than half of respondents (44%) said their companies use end-to-end encryption to protect payment data from the point of sale to when it is stored and/or sent to the financial institution.
- 74% said their companies are either -not- PCI DSS compliant or are only partially compliant.
... the study found that nearly three quarters (72%) of those surveyed believe these new payment methods are putting payment data at risk and 54% do not believe or are unsure their organization’s existing security protocols are capable of supporting these platforms..."
* http://blog.gemalto.com/blog/2016/01...bile-payments/
26 Jan 2016
___
Fake 'Refund' SPAM - JS malware
- http://myonlinesecurity.co.uk/refund...en-js-malware/
26 Jan 2016 - "Another run of Nemucod downloaders today starting with an email with the subject of 'Refund for the Purchase' – Kevin Cohen [random names] pretending to come from random senders and random email addresses with a zip attachment is another one from the current bot runs... The email looks like:
From: Kevin Cohen <fonenzo@ teletu .it>
Date: Tue 26/01/2016 06:21
Subject: Refund for the Purchase – Kevin Cohen.
Attachment: Kevin Cohen.zip
We are sorry to tell you, however, the item you have purchased is not available at the moment. In the file enclosed you can see the details about the refund policy.
26 January 2016: Kevin Cohen.zip - Extracts to: Kevin Cohen.js - Current Virus total detections 6/55*
which WEPAWET** shows us downloads 3 files
http ://dertinyanl .com/img/script.php?tup1.jpg which is renamed to 3330263.exe (VirusTotal 4/54[3])
http ://dertinyanl .com/img/script.php?tup2.jpg which is renamed to 4441845.exe (VirusTotal 3/53[4])
http ://dertinyanl .com/img/script.php?tup3.jpg which is renamed to 5553619.exe (VirusTotal 3/54[5])
This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like an innocent file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/d...is/1453800745/
** https://wepawet.iseclab.org/view.php...11c552&type=js
3] https://www.virustotal.com/en/file/1...is/1453801558/
4] https://www.virustotal.com/en/file/4...is/1453801571/
5] https://www.virustotal.com/en/file/5...is/1453801579/
Nemucod malware spreads ransomware Teslacrypt:
- http://www.welivesecurity.com/2015/1...-around-world/
___
Fake 'Bill' SPAM - doc/xls malware
- http://myonlinesecurity.co.uk/fwdbil...sheet-malware/
26 Jan 2016 - "An email with the subject of 'Fwd: Bill to Grant Morgan' coming from random email addresses with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
From: Grant Morgan <rafael.kamal@ compume .com.eg>
Date: Tue 26/01/2016 05:25
Subject: Fwd:Bill to Grant Morgan.
Attachment: 20MEPRZ8WBE.doc
Body content:
Hello.
Please check the report attached. In order to avoid fine for delay you need to pay within 48 hours.
Best regards
Grant Morgan
-or-
Good morning.
Please see the invoice in attachment. In order to avoid penalty for delay you should pay in 24 hours.
Thanks
Barrett Watkins
26 January 2016: 20MEPRZ8WBE.doc - Current Virus total detections 2/54*
... Hybrid Analysis** eventually gave me 209743.exe (VirusTotal 3/45***) downloaded from
icenails .ro/imgwp.jpg?LJGKKxdZEHWYMi=38 .
>> http://myonlinesecurity.co.uk/wp-con...1/WP_image.png
The bad actors behind this campaign are using a new-macro-style which is long and even more complicated than previous ones... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/4...is/1453787886/
** https://www.hybrid-analysis.com/samp...nvironmentId=1
Contacted Hosts
188.214.17.162
110.138.108.142
*** https://www.virustotal.com/en/file/c...is/1453812606/
icenails .ro: 188.214.17.162: https://www.virustotal.com/en/ip-add...2/information/
> https://www.virustotal.com/en/file/c...bceb/analysis/
___
Fake 'Heating Invoice' SPAM - malicious attachment
- http://blog.dynamoo.com/2016/01/malw...nnovation.html
26 Jan 2016 - "This -fake- financial email is not from Alpha Heating Innovation but is instead a simple -forgery- with a malicious attachment:
From Kurt Sexton
Date Tue, 26 Jan 2016 10:59:05 -0500
Subject =?UTF-8?B?UmVtaXR0YW5jZSBBZHZpY2UgNTk2M0U5?=
For the attention of Accounts Receivable,
We are attaching an up to date remittance advice detailing the latest payment on
your account.
Please contact us on the email address below if you would like your remittance sent
to a different email address, or have any queries regarding your remittance.
Kind regards,
Kurt Sexton
Best Regards,
Kurt Sexton
Credit Controller - Alpha Heating Innovation ...
The names of the sender and reference numbers will vary. I have only seen -two- different variants of the attachment, in the format remittance_advice5963E9.doc (VirusTotal [1] [2]) but there are probably more. Analysis is pending... It does seem to have some characteristics of a Dridex downloader."
1] https://www.virustotal.com/en/file/7...is/1453824210/
4/54 - remittance_adviceB177B0.doc
2] https://www.virustotal.com/en/file/7...is/1453824233/
4/54 - remittance_advice5963E9.doc
- http://myonlinesecurity.co.uk/alpha-...d-doc-malware/
26 Jan 2016 - "An email with the subject of 'Remittance Advice 17B6D1' (random numbers) pretending to come from random email addresses with a malicious word doc attachment is another one from the current bot runs... The email looks like:
From: Leonardo Bryan <BryanLeonardo1689@ thedogofnashville .com>
Date: Tue 26/01/2016 14:57
Subject: Remittance Advice 17B6D1
Attachment: remittance_advice00AAD7.doc
For the attention of Accounts Receivable,
We are attaching an up to date remittance advice detailing the latest payment on your account.
Please contact us on the email address below if you would like your remittance sent to a different email address, or have any queries regarding your remittance.
Kind regards,
Leonardo Bryan
Best Regards,
Leonardo Bryan
Credit Controller – Alpha Heating Innovation...
26 January 2016: remittance_advice00AAD7.doc - Current Virus total detections 4/54*
Waiting for analysis. It is likely to be the Dridex banking malware... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/7...is/1453825399/
___
TurboTax Phish
- https://security.intuit.com/alert.php?a=329
1/25/2016 - "People are receiving -fake- emails with the title containing their name. Below is a copy of the email people are receiving:
> https://security.intuit.com/images/T...h201252016.jpg
... Do -not- open the attachment in the email... attempts to fraudulently obtain sensitive information..."
- https://security.intuit.com/alert.php?a=328
1/25/2016 - " People are receiving -fake- emails with the title "Access to prior year returns is locked". Below is a copy of the email people are receiving:
> https://security.intuit.com/images/T...h101252016.jpg
... Do -not- open the attachment in the email... attempts to fraudulently obtain sensitive information..."
... more here:
>> https://security.intuit.com/security-alerts.php
:fear::fear: :mad:
-
Fake 'New Order', 'Invoice', 'Enterprise Invoices' SPAM, 'WorldRemit' phish
FYI...
Fake 'New Order' SPAM - malicious attachment
- http://blog.dynamoo.com/2016/01/malw...le-ludlow.html
27 Jan 2016 - "This -fake- financial spam does not come from DS Smith Plc, but is instead a simple forgery with a malicious attachment.
From Michelle Ludlow [Michelle.Ludlow@ dssmith .com]
Date Wed, 27 Jan 2016 17:27:22 +0800
Subject New Order
Hi
Please see attached for tomorrow.
Thanks
Michelle Ludlow
Customer Services Co-Ordinator - Packaging Services
Packaging Division ...
So far I have seen two different variants of the attachment doc4502094035.doc (VirusTotal [1] [2]) which according to these Malwr reports [3] [4] download a malicious executable from the following locations:
vinagps .net/54t4f4f/7u65j5hg.exe
trendcheckers .com/54t4f4f/7u65j5hg.exe
This binary has a detection rate of 5/53*. Those two Malwr reports and the VirusTotal report show the malware phoning home to:
119.160.223.115 (Loxley Wireless Co. Ltd., Thailand)
I strongly recommend that you -block- traffic to that IP. The payload is probably the Dridex banking trojan and this looks consistent with botnet 220 activity."
1] https://www.virustotal.com/en/file/6...is/1453887313/
2] https://www.virustotal.com/en/file/f...is/1453887331/
3] https://malwr.com/analysis/Y2I4ZWFkZ...ZhYjNiNGZjN2I/
4] https://malwr.com/analysis/MzY5MDlkZ...I0M2U3MDM0MmY/
* https://www.virustotal.com/en/file/9...is/1453887706/
TCP connections
119.160.223.115: https://www.virustotal.com/en/ip-add...5/information/
104.86.110.240: https://www.virustotal.com/en/ip-add...0/information/
- http://myonlinesecurity.co.uk/new-or...sheet-malware/
27 Jan 2016 - "An email with the subject of 'New Order' pretending to come from Michelle Ludlow <Michelle.Ludlow@ dssmith .com> with a malicious word doc attachment is another one from the current bot runs...
Screenshot: http://myonlinesecurity.co.uk/wp-con...r-1024x650.png
27 January 2016: doc4502094035.doc - Current Virus total detections 5/53*
MALWR** - Downloads http ://vinagps .net/54t4f4f/7u65j5hg.exe
It is almost certain to be Dridex banking Trojan (VirusTotal 4/54***)
I am informed that an alternate download site is trendcheckers .com/54t4f4f/7u65j5hg.exe
[The Auto Analysers at payload security are under very-heavy-load this morning with hundreds of files queued and long delays. I assume the bad actors are deliberately flooding them to slow down analysis] ...
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/f...is/1453886419/
** https://malwr.com/analysis/Y2I4ZWFkZ...ZhYjNiNGZjN2I/
112.213.95.154
119.160.223.115
13.107.4.50
*** https://www.virustotal.com/en/file/9...is/1453886821/
TCP connections
119.160.223.115: https://www.virustotal.com/en/ip-add...5/information/
104.86.110.240: https://www.virustotal.com/en/ip-add...0/information/
___
Fake 'Invoice' SPAM - doc malware
- http://myonlinesecurity.co.uk/invoic...d-doc-malware/
27 Jan 2016 - "An email with the subject of 'Invoice 9210' pretending to come from Dawn Salter <dawn@ mrswebsolutions .com> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...
Screenshot: http://myonlinesecurity.co.uk/wp-con...r-1024x802.png
27 January 2016: 9210.doc - Current Virus total detections 1/55*
This downloads Dridex banking Trojan from
http ://www .hartrijders .com/54t4f4f/7u65j5hg.exe (VirusTotal 1/55**)
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/e...is/1453901338/
** https://www.virustotal.com/en/file/a...is/1453902011/
- http://blog.dynamoo.com/2016/01/malw...wn-salter.html
27 Jan 2016 - "... The attachment is named 9210.doc which I have seen come in -three- versions... The Malwr reports for those... shows executable download locations at:
www .cityofdavidchurch .org/54t4f4f/7u65j5hg.exe
www .hartrijders .com/54t4f4f/7u65j5hg.exe
grudeal .com/54t4f4f/7u65j5hg.exe
This binary has a detection rate of 1/53*... Hybrid Analysis of the binary shows that it phones home to:
119.160.223.115 (Loxley Wireless Co. Ltd., Thailand)
This is the -same- IP as seen in this earlier spam run**, I recommend you -block- it."
* https://www.virustotal.com/en/file/a...is/1453903737/
** http://blog.dynamoo.com/2016/01/malw...le-ludlow.html
___
Fake 'Enterprise Invoices' SPAM - malicious attachment
- http://blog.dynamoo.com/2016/01/malw...-invoices.html
27 Jan 2016 - "This -fake- financial spam does not come from Enterprise Security Distribution (South West) Limited but is instead a simple -forgery- with a malicious attachment.
From: Vicki Harvey
Date: 27 January 2016 at 15:30
Subject: Enterprise Invoices No.91786
Please find attached invoice/s from
Enterprise Security Distribution (South West) Limited
Unit 20, Avon Valley Business Park
St Annes Road
St Annes
Bristol
BS4 4EE
Vicki Harvey
Accountant ...
The name of the sender and references will vary. There seem to be -several- different versions of the attachment named in a format Canon-mf30102A13A@altel.kz_2615524.xls ... Analysis of the attachments is pending... attempted downloads from:
109.234.35.37 /californication/ninite.php
5.189.216.105 /californication/ninite.php
This binary has a -zero- detection rate at VirusTotal*. That VirusTotal report and this Malwr report** indicate network traffic to:
8.254.218.46 (Level 3, US)
I strongly recommend that you -block- traffic to that IP. This will be some variant of the Dridex banking trojan."
* https://www.virustotal.com/en/file/b...is/1453913182/
ninite.exe
** https://malwr.com/analysis/NjQwOTNhZ...ZkYzc0NGRkM2E/
109.234.35.37
103.224.83.130
8.254.249.78
- http://myonlinesecurity.co.uk/enterp...sheet-malware/
27 Jan 2016 - "... garbled mishmash with an email with no subject coming from random senders with a malicious Excel XLS spreadsheet attachment is another one from the current bot runs... All the attachments start with the name of a scanner or multifunctional printer/scanner device, then have the -alleged- senders email domain and then random numbers so this one is called twist-scanA56CC@ fotosdeguarras .com_2782255.xls . The email looks like:
From: Maggie Nolan <NolanMaggie95043@ fotosdeguarras .com>
Date: Wed 27/01/2016 16:25
Subject: Enterprise Invoices No.84984 ( random numbers)
Attachment: twist-scanA56CC@ fotosdeguarras .com_2782255.xls
Please find attached invoice/s from
Enterprise Security Distribution (South West) Limited
Unit 20, Avon Valley Business Park
St Annes Road
St Annes
Bristol
BS4 4EE
Maggie Nolan
Accountant ...
27 January 2016: twist-scanA56CC@ fotosdeguarras .com_2782255.xls - Current Virus total detections 0/52*
MALWR** shows a download from http ://109.234.35.37 /californication/ninite.php which gave me FCGVJHads.exe
(VirusTotal 0/55***) the file looks wrong for Dridex, so I will be guided by antivirus responses as to what it actually is... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/0...is/1453912101/
** https://malwr.com/analysis/NTMxMmU2M...AxYmNjODY0NmU/
109.234.35.37
103.224.83.130
13.107.4.50
*** https://www.virustotal.com/en/file/b...is/1453912539/
TCP connections
103.224.83.130: https://www.virustotal.com/en/ip-add...0/information/
8.254.218.46: https://www.virustotal.com/en/ip-add...6/information/
___
'WorldRemit Transaction' phish
- http://myonlinesecurity.co.uk/your-w...tion-phishing/
27 Jan 2016 - "A high proportion of phishing attempts involve PayPal, your Bank, Credit Card or another money transfer service. This one is a money transfer service that I have never previously heard of: 'WorldRemit'...
Screenshot: http://myonlinesecurity.co.uk/wp-con...2-1024x455.png
The Second one pretends to be a request to review your service on Trust Pilot:
Screenshot: http://myonlinesecurity.co.uk/wp-con...1-1024x550.png
-All- the links in -both- emails go to http ://www.simplyyankeecosmetics .com/wellsfargo.com/cgi-bin/direct.php which -redirects- to either http ://syscross .com/fb/inc/index.html or http ://www.cinit .com.mx/cli/httpswww .worldremit.comsend/LoginPage.htm
[I am sure that as the actual phish sites get blocked or taken down, these phishers will set up, yet another redirect from the first site]... Where you end up on a webpage looking like this, where some of the links are part of the phish, but some go to the genuine https ://www.worldremit .com/ web site:
> http://myonlinesecurity.co.uk/wp-con...h-1024x546.png
If you fill in the email-address and password you get -bounced- on to the genuine site..."
simplyyankeecosmetics .com: 192.185.78.193: https://www.virustotal.com/en/ip-add...3/information/
>> https://www.virustotal.com/en/url/67...9560/analysis/
:fear::fear: :mad:
-
Fake 'Purchase Order', 'Invoice', 'PAYMENT' SPAM, iCloud Phish, Business Email...
FYI...
Fake 'Purchase Order' SPAM - doc malware
- http://myonlinesecurity.co.uk/ikea-p...alware-dridex/
28 Jan 2016 - "An email with the subject of 'IKEA Purchase Order [2001800526]' with a malicious word doc attachment is another one from the current bot runs... The email looks like:
From: order@ ibxplatform .com
Date: Thu 28/01/2016 10:24
Subject: IKEA Purchase Order [2001800526]
Attachment: Purchase_Order_Number__2001800526.doc
This message contains a Purchase Order from IKEA. If you have any questions regarding this Purchase Order and its contents, we kindly ask you to contact your customer directly.
If this message is incomplete or not readable, feel free to refer to our contact details below.
Please do not reply to this message! ...
28 January 2016: Purchase_Order_Number__2001800526.doc - Current Virus total detections 2/54*
MALWR shows a download of Dridex Banking malware from
http ://astigarragakomusikaeskola .com/nuyff45d/87tf23w.exe or
http ://ponpes-alhijrah .sch.id/nuyff45d/87tf23w.exe (VirusTotal 5/54**)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/f...is/1453980691/
** https://www.virustotal.com/en/file/9...is/1453981023/
TCP connections
198.50.234.210
5.178.43.10: https://www.virustotal.com/en/ip-add...0/information/
119.160.223.115: https://www.virustotal.com/en/ip-add...5/information/
astigarragakomusikaeskola .com: 82.98.134.155: https://www.virustotal.com/en/ip-add...5/information/
ponpes-alhijrah .sch.id: 119.235.255.242: https://www.virustotal.com/en/ip-add...2/information/
___
Fake 'Invoice' SPAM - doc malware
- http://myonlinesecurity.co.uk/invoic...d-doc-malware/
28 Jan 2016 - "An email with the subject of 'Invoice' pretending to come from Hayley Stoakes <hayley@ whirlowdale .com> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
From: Hayley Stoakes <hayley@ whirlowdale .com>
Date: Thu 28/01/2016 11:44
Subject: Invoice
Attachment: 96413.DOC
Thank you for your order. Your Invoice – 96413 – is attached.
26 January 2016: 96413.DOC - Current Virus total detections 2/54*
.. which is exactly the -same- malware downloader as described in this earlier post** and downloads the -same- Dridex banking Trojan from the -same- locations
http ://astigarragakomusikaeskola .com/nuyff45d/87tf23w.exe or
http ://ponpes-alhijrah .sch.id/nuyff45d/87tf23w.exe ..."
* https://www.virustotal.com/en/file/f...is/1453986418/
** http://myonlinesecurity.co.uk/ikea-p...alware-dridex/
___
Fake 'PAYMENT CONFIRMATION' SPAM - doc malware
- http://myonlinesecurity.co.uk/paymen...d-doc-malware/
28 Jan 2016 - "An email with the subject of 'PAYMENT CONFIRMATION' pretending to come from Lesley Mawson <LMawson@ agrin .co.uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
From: Lesley Mawson <LMawson@ agrin .co.uk>
Date: Thu 28/01/2016 13:11
Subject: PAYMENT CONFIRMATION
For the attention of the accounts department.
Please find attached a copy of our payment to you.
Kind regards
Lesley
Lesley Mawson
A.I.P. Ltd
9 Wassage Way, Hampton Lovett Ind Estate, Droitwich. WR9 0NX
28 January 2016: PAYMENT VOUCHER.DOC - Current Virus total detections 2/54*
.. which is exactly the -same- malware downloader as described in this earlier post** and downloads an
-updated- Dridex banking Trojan from the -same- locations
http ://astigarragakomusikaeskola .com/nuyff45d/87tf23w.exe or
http ://ponpes-alhijrah .sch.id/nuyff45d/87tf23w.exe (VirusTotal 2/53***) which despite comments on VT shows none of the typical characteristics of common ransomware and looks much more like a Dridex banking Trojan..."
* https://www.virustotal.com/en/file/f...is/1453986418/
** http://myonlinesecurity.co.uk/ikea-p...alware-dridex/
*** https://www.virustotal.com/en/file/d...is/1453986791/
___
iCloud Phish - used to activate Stolen iPhones
- https://blog.malwarebytes.org/phishi...len-iphones-2/
Jan 28, 2016 - "... Losing a device or getting it stolen can be disastrous, way beyond the monetary loss. Apple has a nifty feature which allows you to remotely erase-and-lock your phone if you ever faced that problem and wanted to make sure your personal information would not fall into the wrong hands. At the same time, this renders the device -useless- for those not in possession of your ID and password:
> https://blog.malwarebytes.org/wp-con...1/activate.png
'Find My iPhone Activation Lock'
> https://support.apple.com/en-ca/HT201365
This is an -inconvenience- for thieves who may want to resell those stolen phones on the black market, but crooks never lack imagination and seem to have found a way to circumvent this protection... a user claimed that -after- her iPhone was stolen, she proceeded to wipe-it and put it in 'Lost Mode', to prevent anyone from using it. Shortly after, she received a message letting her know the phone had been found -but- that she needed to go to a website and verify her Apple ID first. The site was an almost exact -replica- of Apple’s official iCloud.com and loaded fine in Safari (-no- security/phishing warning):
>> https://blog.malwarebytes.org/wp-con.../01/safari.png
... not many people would suspect this is a -fraudulent- website. Add to this the euphoria of knowing your precious phone was allegedly found, and proceeding to enter your Apple ID and password seems like a no brainer - Sadly, the website is a -fake- and the information entered in it is directly relayed to the crooks who stole your phone... There were several other domains residing on the same server (104.149.141.56):
find.apple-service .me
www .my-icloud .help
your.icloud-service .help
We have reported this phishing scam to Apple since Safari did -not- flag the website as -dangerous- at the time of writing... Users should be particularly careful of schemes that leverage the emotions involved with the theft or loss of their devices. Online crooks have no shame in abusing their victims twice to get what they want."
104.149.141.56: https://www.virustotal.com/en/ip-add...6/information/
___
Business Email Compromise - Fraud ...
- http://blog.trendmicro.com/trendlabs...-do-you-start/
Jan 26, 2016 - "What will you do if an executive in your company gives you instructions to wire money for a business expense? On email? In a world where cybercriminals devise devious social engineering and computer intrusion schemes to fool employees into wiring money, enterprises run a very serious -risk- of getting -scammed- via email. This emerging global threat is known as the 'business email compromise (BEC)' and it has already victimized 8,179 companies in 79 countries between October 2013 and August 2015 alone*:
* https://www.ic3.gov/media/2015/150827-1.aspx#ref2
... Multiple warnings were issued by the FBI as to these types of emails in the past year alone. The FBI notes the targets to be companies working with foreign suppliers and/or those that regularly perform wire transfer payments. By February last year, the total number of reported victims had reached 2,126 and the money lost amounted to roughly US $215 million. Come August, the victim numbers had ballooned to 8,179, and the money lost added up to nearly US $800 million. How can you protect your company from becoming a part of this statistic?
- Know the Basics...
- Familiarize with Past Scams...
- Gear Up Against BEC Threats...
... install email security solutions to block known BEC-related malware before they come in..."
(More detail at the trendmicro URL above.)
:fear::fear: :mad:
-
Fake 'Despatch Note', 'Scanned image', 'Resume' SPAM, HSBC DDoS'd
FYI...
Fake 'Despatch Note' SPAM - doc malware
- http://myonlinesecurity.co.uk/despat...d-doc-malware/
29 Jan 2016 - "An email with the subject of 'Despatch Note FFGDES34309' pretending to come from Foyle Food Group Limited <accounts@ foylefoodgroup .com> with a malicious word doc attachment is another one from the current bot runs... The email looks like:
From: Foyle Food Group Limited <accounts@ foylefoodgroup .com>
Date: Fri 29/01/2016 09:17
Subject: Despatch Note FFGDES34309
Attachment: FFGDES34309.doc
Please find attached Despatch Note FFGDES34309
29 January 2016: FFGDES34309.doc - Current Virus total detections 5/54*
Downloads Dridex banking malware from jjcoll .in/56gf/g545.exe (VirusTotal 2/54**)
Other download locations include http ://romana .fi/56gf/g545.exe and
http ://clickchiropractic .com/56gf/g545.exe
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/0...is/1454062970/
** https://www.virustotal.com/en/file/a...is/1454062183/
jjcoll .in: 198.12.152.113: https://www.virustotal.com/en/ip-add...3/information/
romana .fi: 217.78.212.183: https://www.virustotal.com/en/ip-add...3/information/
clickchiropractic .com: 50.87.150.204: https://www.virustotal.com/en/ip-add...4/information/
- http://blog.dynamoo.com/2016/01/malw...gdes34309.html
29 Jan 2016 - "This -fake- financial spam is not from Foyle Food Group Limited but is instead a simple -forgery- with a malicious attachment:
From Foyle Food Group Limited [accounts@ foylefoodgroup .com]
Date Fri, 29 Jan 2016 17:58:37 +0700
Subject Despatch Note FFGDES34309
Please find attached Despatch Note FFGDES34309
... The attachment is FFGDES34309.doc which comes in three different variants, downloading from:
jjcoll .in/56gf/g545.exe
romana .fi/56gf/g545.exe
clickchiropractic .com/56gf/g545.exe
This has... a detection rate of 6/49*. According to my contact, this phones home to:
85.143.166.200 (Pirix, Russia)
103.245.153.70 (OrionVM, Australia)
144.76.73.3 (Hetzner, Germany)
This drops the Dridex banking trojan. The behaviour is consistent with botnet 220."
Recommended blocklist:
85.143.166.200
103.245.153.70
144.76.73.3 "
* https://www.virustotal.com/en/file/a...9a5f/analysis/
TCP connections
85.143.166.200: https://www.virustotal.com/en/ip-add...0/information/
8.254.218.30: https://www.virustotal.com/en/ip-add...0/information/
___
Fake 'Scanned image' SPAM - doc malware
- http://myonlinesecurity.co.uk/scanne...d-doc-malware/
29 Jan 2016 - "An email with the subject of 'Scanned image from copier@ victimdomain .tld' pretending to come from copier@ victimdomain .tld with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
From: copier@ victmdomain .tld
Date: Fri 29/01/2016 11:02
Subject: Scanned image from copier@ victimdomain .tld
Attachment: copier@ ...co.uk_20160129_084903.doc
Body content:
Reply to: copier@ ...co.uk <copier@ ...co.uk>
Device Name: COPIER
Device Model: MX-2310U
File Format: DOC (Medium)
Resolution: 200dpi x 200dpi
Attached file is scanned document in DOC format...
29 January 2016: copier@ ...co.uk_20160129_084903.doc - This is exactly the -same- malware which downloads the -same- Dridex banking malware from the -same- locations as described in this earlier post*..."
* http://myonlinesecurity.co.uk/despat...d-doc-malware/
___
Fake 'Resume' SPAM - malicious attachment
- http://blog.dynamoo.com/2016/01/malw...resumertf.html
29 Jan 2016 - "This spam leads to malware:
From: Laurena Washabaugh [washabaugh .1946@ rambler .ru]
Date: 29 January 2016 at 10:10
Subject: Quick Question
Signed by: rambler .ru
What's going on?
I was visting your website on 1/29/2016 and I'm very interested.
I'm currently looking for work either full time or as a intern to get experience in the field.
Please review my CV and let me know what you think.
Best regards,
Laurena Washabaugh
The attachment is named Resume.rtf, but it is actually a DOCX file with a malicious macro... the document has a VirusTotal detection rate of 9/54*... but these automated analyses [1] [2] [3] show it phoning home to:
89.248.166.131 (Quasi Networks, Seychelles)
I recommend that you -block- traffic to that IP..."
* https://www.virustotal.com/en/file/8...is/1454068566/
1] https://malwr.com/analysis/ZDYyOTUzM...kxZDEzNWM1Y2U/
2] https://www.hybrid-analysis.com/samp...nvironmentId=1
3] https://www.hybrid-analysis.com/samp...nvironmentId=4
89.248.166.131: https://www.virustotal.com/en/ip-add...1/information/
- http://myonlinesecurity.co.uk/quick-...sheet-malware/
29 Jan 2016 - "An email with the subject of 'Quick Question' pretending to attach a -resume- coming from random senders with a malicious word rtf attachment which is actually a word docx file is another one from the current bot runs... The email looks like:
From: Robbi Aguinaldo <aguinaldo.1993@ rambler .ru>
Date: Fri 29/01/2016 08:18
Subject: Quick Question
Attachment: Resume.rtf
Howdy
I was visting your website on 1/29/2016 and I’m very interested.
I’m currently looking for work either full time or as a intern to get experience in the field.
Please review my CV and let me know what you think.
In appreciation,
Robbi Aguinaldo
29 January 2016: Resume.rtf - Current Virus total detections 0/55*
* https://www.virustotal.com/en/file/0...is/1449129718/
.. which downloads the following files:
http ://89.248.166.131/jer.jpg?810 (Currently unavailable)
> 89.248.166.131: https://www.virustotal.com/en/ip-add...1/information/
http ://91.224.161.116/clv002/f32.bin (VirusTotal 0/55**) which the malicious macro alters/decodes/creates several of the below files:
> cccyk7m15911_1.exe
- https://www.virustotal.com/en/file/a...is/1454087239/
> http ://192.227.181.211/foru.exe saved as: cigiquk79yycc7.exe
- https://www.virustotal.com/en/file/1...is/1454087310/
>FASDA.exe
- https://www.virustotal.com/en/file/6...is/1454087462/
> http ://89.248.166.131/1.exe saved as: m3q3c5s79uy5k95.exe
- https://www.virustotal.com/en/file/d...is/1454087618/
> MQERY.exe
- https://www.virustotal.com/en/file/5...is/1454087665/
... This email attachment contains what appears to be a genuine word doc or Excel XLS spreadsheet with either a macro script or an embedded OLE object that when run will infect you... DO NOT follow the advice they give to enable macros or enable editing to see the content... DO NOT click on it or try to open it..."
** https://www.virustotal.com/en/file/0...is/1449129718/
rambler .ru: 81.19.93.6: https://www.virustotal.com/en/ip-add...6/information/
81.19.77.5: https://www.virustotal.com/en/ip-add...5/information/
81.19.77.6: https://www.virustotal.com/en/ip-add...6/information/
81.19.93.5: https://www.virustotal.com/en/ip-add...5/information/
> https://www.virustotal.com/en/url/33...94bd/analysis/
0/66
___
HSBC internet banking services down after cyber attack
- http://www.reuters.com/article/us-hs...-idUSKCN0V71BO
Jan 29, 2016 - "HSBC is working with law enforcement to catch those behind a cyber attack that forced its personal banking websites in the UK to shut down, its second major service outage this month, the bank said on Friday. Europe's largest lender said it had "successfully defended" its systems against a distributed denial of service (DDoS) attack but it was experiencing fresh threats, impeding full restoration of its services... The outage began on Friday morning and online services were still down by 1630 GMT (11:30 a.m. ET). DDoS attacks are often used by cyber criminals trying to disrupt businesses and companies with significant online activities..."
___
GitHub Blog:
Update on 1/28 service outage:
- https://github.com/blog/2101-update-...service-outage
Jan 29, 2016 - "On Thursday, January 28, 2016 at 00:23am UTC, we experienced a severe service outage that impacted GitHub.com... A brief power disruption at our primary data center caused a cascading failure that impacted several services critical to GitHub.com's operation. While we worked to recover service, GitHub.com was unavailable for two hours and six minutes. Service was fully restored at 02:29am UTC. Last night we completed the final procedure to fully restore our power infrastructure..."
:fear::fear: :mad:
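The 'Resume.rtf' run above is a plain example of an attachment whose name lies about its format: an RTF extension on what is really a DOCX (a ZIP container) carrying a VBA project. A gateway or triage script can catch that cheaply by comparing the declared extension with the leading bytes of the file, and by looking inside OOXML containers for vbaProject.bin. The following is an added example (not code from either blog quoted above); the sample files it checks are constructed in memory, and the format/extension tables are the author's assumptions about what is normal for each extension.

```python
"""Flag attachments whose declared extension does not match the real container
format, and OOXML files that carry a VBA project. Added example; sample bytes
are constructed here and are not taken from any real malware sample."""
import io
import zipfile

# Leading bytes that identify the container formats seen in these spam runs.
MAGIC = {
    b"{\\rtf": "rtf",
    b"PK\x03\x04": "zip",                          # DOCX/XLSX are OOXML ZIP containers
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole",     # legacy .doc/.xls (Compound File Binary)
    b"%PDF": "pdf",
    b"MZ": "exe",
}

# Which real formats are acceptable behind which extension (assumption: a
# .doc may legitimately be RTF, since Word opens RTF saved under that name).
EXPECTED = {
    "rtf": {"rtf"},
    "doc": {"ole", "rtf"},
    "docx": {"zip"},
    "xls": {"ole"},
    "xlsx": {"zip"},
    "pdf": {"pdf"},
}


def sniff(data: bytes) -> str:
    """Identify the container by its magic bytes, or 'unknown'."""
    for magic, fmt in MAGIC.items():
        if data.startswith(magic):
            return fmt
    return "unknown"


def ooxml_has_macro(data: bytes) -> bool:
    """An OOXML container with word/ or xl/vbaProject.bin carries VBA code."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def assess(filename: str, data: bytes) -> dict:
    """Return the extension, the real format, and a block/allow verdict."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    real = sniff(data)
    mismatch = ext in EXPECTED and real not in EXPECTED[ext]
    macro = real == "zip" and ooxml_has_macro(data)
    block = mismatch or macro or real == "exe"
    return {"name": filename, "ext": ext, "real": real,
            "mismatch": mismatch, "macro": macro,
            "verdict": "block" if block else "allow"}


def build_fake_docx(with_macro: bool) -> bytes:
    """Constructed minimal OOXML container, optionally with a VBA project stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed cases: the RTF-named DOCX from the run above, a real RTF,
    # and a bare executable of the kind shipped inside the 'Enquiry' zip.
    for name, blob in [("Resume.rtf", build_fake_docx(True)),
                       ("Resume.rtf", b"{\\rtf1\\ansi Hello}"),
                       ("Enquiry 206754.exe", b"MZ\x90\x00")]:
        print(assess(name, blob))
```

The check deliberately says nothing about macros inside legacy OLE .doc/.xls files, which is where most of the Dridex downloaders on this page live; those need an OLE stream parser (oletools' olevba is the usual choice), so in practice the extension/magic mismatch here is a fast first filter placed before that heavier analysis, not a replacement for it.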
-
Fake 'Order Processed', 'Invoice INV19', 'Scanned image' SPAM
FYI...
Fake 'Order Processed' SPAM - malicious attachment
- http://blog.dynamoo.com/2016/02/malw...d-noreply.html
1 Feb 2016 - "This -fake- financial spam does not come from Duration Windows but is instead a simple -forgery- with a malicious attachment:
From NoReply-Duration Windows [noreply@ duration .co.uk]
Date Mon, 01 Feb 2016 04:21:03 -0500
Subject Order Processed.
Dear Customer,
Please find details for your order attached as a PDF to this e-mail.
Regards,
Duration Windows
Sales Department ...
I have only seen a single sample of this spam with an attachment V9568HW.doc which has a detection rate of 5/54*... likely to be the Dridex banking trojan.
UPDATE: The Malwr analysis** shows that the document downloads a malicious executable from:
www .peopleond-clan .de/u56gf2d/k76j5hg.exe
This has a VirusTotal detection rate of 4/54*** and those reports plus this Hybrid Analysis[4] show it phoning home to:
185.24.92.236 (System Projects LLC, Russia)
I strongly recommend that you -block- traffic to that IP."
* https://www.virustotal.com/en/file/6...is/1454322319/
** https://malwr.com/analysis/ZGNhYjJhM...ZlYjk0YzlhOWU/
*** https://www.virustotal.com/en/file/d...is/1454323739/
4] https://www.hybrid-analysis.com/samp...nvironmentId=4
- http://myonlinesecurity.co.uk/order-...d-doc-malware/
1 Feb 2016 - "An email with the subject of 'Order Processed' ... with a malicious word doc attachment is another one from the current bot runs... The email looks like:
From: NoReply-Duration Windows <noreply@ duration .co.uk>
Date: Mon 01/02/2016 10:16
Subject: Order Processed.
Attachment: V9568HW.doc
Dear Customer,
Please find details for your order attached as a PDF to this e-mail.
Regards, Duration Windows Sales Department ...
1 February 2016: V9568HW.doc - Current Virus total detections 4/55*
MALWR** shows it downloads Dridex banking malware from
http ://iamnickrobinson .com/u56gf2d/k76j5hg.exe (VirusTotal 3/53***)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/0...is/1454322062/
** https://malwr.com/analysis/ZmFkM2JiM...ZlZDdhMzY3NmQ/
74.86.19.136: https://www.virustotal.com/en/ip-add...6/information/
185.24.92.236: https://www.virustotal.com/en/ip-add...6/information/
13.107.4.50: https://www.virustotal.com/en/ip-add...0/information/
*** https://www.virustotal.com/en/file/d...is/1454325006/
TCP connections
185.24.92.236: https://www.virustotal.com/en/ip-add...6/information/
2.22.22.113: https://www.virustotal.com/en/ip-add...3/information/
___
Fake 'Invoice INV19' SPAM - malicious attachment
- http://blog.dynamoo.com/2016/02/malw...3456-from.html
1 Feb 2016 - "This spam appears to originate from a -variety- of companies with -different- references. It comes with a malicious attachment.
From: Marisol Barrett [BarrettMarisol04015@ victimdomain .tld]
Date: 1 February 2016 at 08:39
Subject: Invoice 48014 from JKX OIL & GAS
Dear Customer,
Your invoice appears below. Please remit payment at your earliest convenience.
Thank you for your business - we appreciate it very much.
Sincerely,
Marisol Barrett ...
From: Oswaldo Browning [BrowningOswaldo507@ victimdomain .tld]
Date: 1 February 2016 at 09:38
Subject: Invoice 865272 from J P MORGAN PRIVATE EQUITY LTD
Dear Customer,
Your invoice appears below. Please remit payment at your earliest convenience.
Thank you for your business - we appreciate it very much.
Sincerely,
Oswaldo Browning
J P MORGAN PRIVATE EQUITY LTD ...
The attachment is in the format INV19 - 865272.doc (it always starts with "INV19" and then has the -fake- reference number). There are at least -three- different versions...
UPDATE 2: The Malwr analysis of three of the attachments [1] [2] [3] shows download locations of:
31.131.24.203/indiana/jones.php
31.41.45.23/indiana/jones.php
These IPs can be considered as -malicious- and belong to:
31.131.24.203 (PE Skurykhin Mukola Volodumurovuch, Ukraine)
31.41.45.23 (Relink LTD, Russia)
This drops a -malicious- binary with a detection rate of 2/53*. This phones home to:
185.24.92.229 (System Projects, LLC, Russia)
This spam appears to be the Dridex banking trojan (botnet 120 perhaps).
Recommended blocklist:
185.24.92.229
31.131.24.203
31.41.45.23 "
1] https://malwr.com/analysis/NDQyZDUwN...ViOGNlMzQyMWE/
2] https://malwr.com/analysis/NzAwMmM2Z...M3MWU0OTI2YTk/
3] https://malwr.com/analysis/NTg1ZmNjN...A1OWQ5YTA0OWE/
* https://www.virustotal.com/en/file/6...b31/analysis/#
- http://myonlinesecurity.co.uk/invoic...alware-broken/
1 Feb 2016 - "An email with the subject of 'Invoice' (random number) from Random companies pretending to come from random names at your own email domain with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...
1 February 2016: INV19 – 882596.doc - Current Virus total detections 2/54*
MALWR** shows a download from http ://31.41.45.23/indiana/jones.php
which gave me crypted120med.exe (VirusTotal 2/53***)..."
* https://www.virustotal.com/en/file/d...is/1454319886/
** https://malwr.com/analysis/NTk2NmJiN...M0Zjg1ZmM1NGU/
*** https://www.virustotal.com/en/file/6...is/1454322842/
___
Fake 'Scanned image' SPAM - malicious attachment
- http://blog.dynamoo.com/2016/02/malw...mage-from.html
1 Feb 2016 - "This -fake- document scan appears to originate from within the victim's own domain, but it doesn't. Instead this is a simple -forgery- with a malicious attachment.
From: copier@ victimdomain .tld
Date: 1 February 2016 at 12:11
Subject: Scanned image from copier@ victimdomain .tld
Reply to: copier@ victimdomain .tld [copier@ victimdomain .tld]
Device Name: COPIER
Device Model: MX-2310U
File Format: DOC (Medium)
Resolution: 200dpi x 200dpi
Attached file is scanned document in DOC format...
I have seen two different versions of the attached document, named in a format copier@ victimdomain .tld_20160129_084903.doc. The detection rate for both is 6/54 [1] [2] and the Malwr report* for one of them shows the macro downloading from:
dulichando .org/u56gf2d/k76j5hg.exe
This executable has a detection rate of 4/53** and the Hybrid Analysis reports*** that it phones home to:
185.24.92.236 (System Projects LLC, Russia)
I strongly recommend that you -block- traffic to that IP. The payload is Dridex, as seen here****."
1] https://www.virustotal.com/en/file/0...is/1454332258/
2] https://www.virustotal.com/en/file/a...is/1454332268/
* https://malwr.com/analysis/M2RhNmU5O...ZiZTM0NDY3YjY/
** https://www.virustotal.com/en/file/b...is/1454332659/
*** https://www.hybrid-analysis.com/samp...nvironmentId=4
**** http://blog.dynamoo.com/2016/02/malw...d-noreply.html
:fear::fear: :mad:
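The 'Scanned image from copier@victimdomain.tld' lure above works because the From address belongs to the recipient's own domain, so the message looks like an in-house copier. What gives it away is the transport: the mail arrived at the MX from an outside host and carries no passing SPF or DKIM result for that domain. The following added example (not code from either blog) shows that check over constructed messages; the defended domain (example.org), the relay network (192.0.2.0/24), the header contents and the attachment bytes are all assumptions built for the demonstration.

```python
"""Flag mail that claims to come from our own domain but was injected by an
outside host without a passing SPF/DKIM result and carries an Office
attachment. Added example; domain, networks and messages are constructed."""
import email
import ipaddress
import re
from email import policy
from email.message import EmailMessage

OUR_DOMAIN = "example.org"                              # assumption: the defended domain
OUR_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]   # assumption: our own relays
RISKY_EXT = (".doc", ".docm", ".xls", ".xlsm", ".rtf", ".zip")
BRACKET_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def first_external_hop(msg):
    """Walk Received headers top-down (newest first); the first relay address
    outside our networks is the host that handed the message to us."""
    for hop in msg.get_all("Received", []):
        m = BRACKET_IP.search(str(hop))
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue
        if not any(ip in net for net in OUR_NETWORKS):
            return str(ip)
    return None


def auth_passed(msg):
    """True if our MX recorded spf=pass or dkim=pass for the message."""
    results = " ".join(str(h) for h in msg.get_all("Authentication-Results", []))
    return re.search(r"\b(?:spf|dkim)=pass\b", results) is not None


def assess(raw: bytes) -> dict:
    """Decide whether a raw message is an internal-sender spoof with a risky attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_hdr = msg["From"]
    from_domain = ""
    if from_hdr is not None and from_hdr.addresses:
        from_domain = from_hdr.addresses[0].addr_spec.rsplit("@", 1)[-1].lower()
    external = first_external_hop(msg)
    names = [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]
    risky = [n for n in names if n.lower().endswith(RISKY_EXT)]
    spoofed = from_domain == OUR_DOMAIN and external is not None and not auth_passed(msg)
    return {
        "from_domain": from_domain,
        "external_hop": external,
        "spoofed_internal": spoofed,
        "risky_attachments": risky,
        "verdict": "quarantine" if (spoofed and risky) else "deliver",
    }


def build_sample(spoofed: bool) -> bytes:
    """Constructed message: the copier lure injected from outside (spoofed=True)
    or a genuine scan relayed by the in-house copier (spoofed=False)."""
    m = EmailMessage(policy=policy.default)
    if spoofed:
        m["Received"] = ("from copier.example.org (unknown [203.0.113.45]) "
                         "by mx.example.org with ESMTP; Mon, 1 Feb 2016 12:11:00 +0000")
        m["Authentication-Results"] = "mx.example.org; spf=fail smtp.mailfrom=example.org; dkim=none"
    else:
        m["Received"] = ("from copier.example.org (copier.example.org [192.0.2.20]) "
                         "by mx.example.org with ESMTP; Mon, 1 Feb 2016 12:11:00 +0000")
        m["Authentication-Results"] = "mx.example.org; spf=pass smtp.mailfrom=example.org"
    m["From"] = "copier@example.org"
    m["To"] = "someone@example.org"
    m["Subject"] = "Scanned image from copier@example.org"
    m.set_content("Attached file is scanned document in DOC format")
    # Constructed OLE header so the attachment looks like a legacy .doc.
    m.add_attachment(b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24,
                     maintype="application", subtype="msword",
                     filename="copier@example.org_20160129_084903.doc")
    return m.as_bytes()


if __name__ == "__main__":
    print(assess(build_sample(True)))
    print(assess(build_sample(False)))
```

The same rule is what a DMARC policy with p=quarantine or p=reject enforces at the receiving MX for domains that publish it; the script is useful where that is not yet in place, or for retro-hunting a mailbox archive for messages that matched this pattern before the lure was recognised.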
-
Fake 'Order Dispatch', 'New order', 'PURCHASE', 'RB0081 INV' SPAM
FYI...
Fake 'Order Dispatch' SPAM - doc/xls malware
- http://myonlinesecurity.co.uk/order-...sheet-malware/
2 Feb 2016 - "An email with the subject of 'Order Dispatch: AA608034' (random order numbers) pretending to come from aalabels <customercare45660@ aalabels .com> (random customercare numbers) with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...
Screenshot: http://myonlinesecurity.co.uk/wp-con...4-1024x549.png
2 February 2016: invoice_AA608034.doc - Current Virus total detections 4/52*
Downloads Dridex Banking malware from
hebenstreit .us.com/5h4g/0oi545gfgf.exe (VirusTotal 3/51**)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/0...47d8/analysis/
** https://www.virustotal.com/en/file/2...is/1454402505/
TCP connections
91.239.232.145: https://www.virustotal.com/en/ip-add...5/information/
90.84.59.9: https://www.virustotal.com/en/ip-add...9/information/
- http://blog.dynamoo.com/2016/02/malw...-aa207241.html
2 Feb 2016 - "This -fake- financial spam is not from aalabels .com but is instead a simple -forgery- with a malicious attachment.
Screenshot: https://3.bp.blogspot.com/-WM975r0NV...0/aalabels.png
The sender's email address and detail will vary from email to email, however they all follow the same format. Attached is a file with a name along the lines of invoice_AA123456.doc which comes in at least -three- different versions... Malwr reports... show the macro in the documents downloading from one of the following locations:
timestyle .com.au/5h4g/0oi545gfgf.exe
hebenstreit .us.com/5h4g/0oi545gfgf.exe
fillingsystem .com/5h4g/0oi545gfgf.exe
This binary has a detection rate of 5/52*... Malwr reports show it phoning home to:
91.239.232.145 (Hostpro Ltd, Ukraine)
I would strongly recommend -blocking- traffic to that IP, or indeed you can probably block the entire 91.239.232.0/22 range with no ill effects."
* https://www.virustotal.com/en/file/2...is/1454404870/
91.239.232.145: https://www.virustotal.com/en/ip-add...5/information/
90.84.59.9: https://www.virustotal.com/en/ip-add...9/information/
___
Fake 'New order' SPAM - malware
- http://myonlinesecurity.co.uk/corcom...06754-malware/
2 Feb 2016 - "An email with the subject of 'New order Enquiry 206754' pretending to come from Corcom Co ltd <corcom@ bnisyariah .co.id> with a zip attachment is another one from the current bot runs... The email looks like:
From: Corcom Co ltd <corcom@ bnisyariah .co.id>
Date: Tue 02/02/2016 03:13
Subject: New order Enquiry 206754
Attachment: Enquiry 206754.zip
Dear Customer,
Find attached our purchase order. Kindly quote us best price and send
us proforma invoice asap, so that we can proceed with the necessary
payment,We need this Order urgently. kindly confirm the PO and send PI
asap.
Thank you.
Ms. Sim Rabim
Jl. M.H. Thamrin 59 Jakarta 10350 ? Indonesia ...
2 February 2016: Enquiry 206754.zip: Extracts to: Enquiry 206754.exe - Current Virus total detections 14/52*
This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will be hidden instead of showing it as the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/7...is/1454400171/
___
Fake 'PURCHASE' SPAM - malicious attachment
- http://blog.dynamoo.com/2016/02/malw...016-d1141.html
2 Feb 2016 - "This spam does not come from Flower Vision but is instead a simple -forgery- with a malicious attachment:
From: sales@ flowervision .co.uk
Date: 2 February 2016 at 08:28
Subject: PURCHASE 02/02/2016 D1141
FLOWERVISION
Internet Order Confirmation
Page
1/1 ...
Attached is a file SALES_D1141_02022016_164242.xls which I have seen just one version of, with a detection rate of 1/50*. This Hybrid Analysis** shows the macro in the spreadsheet downloading from:
www .torinocity .it/5h4g/0oi545gfgf.exe
This binary has a detection rate of 5/51***, and is the same payload as seen earlier****."
* https://www.virustotal.com/en/file/0...is/1454406875/
** https://www.hybrid-analysis.com/samp...nvironmentId=1
*** https://www.virustotal.com/en/file/2...is/1454407813/
TCP connections
91.239.232.145: https://www.virustotal.com/en/ip-add...5/information/
90.84.59.9: https://www.virustotal.com/en/ip-add...9/information/
**** http://blog.dynamoo.com/2016/02/malw...-aa207241.html
- http://myonlinesecurity.co.uk/purcha...alware-dridex/
2 Feb 2016 - "An email with the subject of 'PURCHASE 02/02/2016 D1141' pretending to come from sales@ flowervision .co.uk with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...
Screenshot: http://myonlinesecurity.co.uk/wp-con...1-1024x586.png
25 February 2015: SALES_D1141_02022016_164242.xls ...
Downloads Dridex from same locations as today’s earlier Malspam*. This one is
http ://www .fabian-enkenbach .de/5h4g/0oi545gfgf.exe (VirusTotal 5/51**)..."
* http://myonlinesecurity.co.uk/order-...sheet-malware/
** https://www.virustotal.com/en/file/2...is/1454407813/
TCP connections
91.239.232.145: https://www.virustotal.com/en/ip-add...5/information/
90.84.59.9: https://www.virustotal.com/en/ip-add...9/information/
___
Fake 'RB0081 INV' SPAM - malicious attachment
- http://blog.dynamoo.com/2016/02/malw...039-sales.html
2 Feb 2016 - "This -fake- financial spam does not come from Leathams but is instead a simple -forgery- with a malicious attachment.
From: Sales invoice [salesinvoice@ leathams .co.uk]
Reply-To: "no-reply@ leathams .co.uk" [no-reply@ leathams .co.uk]
Date: 2 February 2016 at 13:15
Subject: RB0081 INV2372039
Dear Sir/Madam,
Please find attached your sales invoice(s) for supplied goods. Please process for payment as soon as possible.
In the event that you have a query - please direct your query...
Attached is a malicious document Leathams Ltd_INV2372039.doc which comes in at least -two- different versions... The Malwr analysis for one of those samples shows a download from:
fillingsystem .com/5h4g/0oi545gfgf.exe
This is similar to a spam run earlier, but now the payload has changed to one with a detection rate of precisely zero*... The payload is the Dridex banking trojan.
UPDATE: Automated analysis [1] [2] shows the executable phoning home to:
91.239.232.145 (Hostpro Ltd, Ukraine)
I strongly recommend -blocking- traffic to that IP, or the whole /22 in which it resides."
* https://www.virustotal.com/en/file/f...is/1454419546/
0/53
1] https://malwr.com/analysis/Y2EwMjNkO...QyMzM5YWZhMTM/
2] https://www.hybrid-analysis.com/samp...nvironmentId=1
- http://myonlinesecurity.co.uk/rb0081...d-doc-malware/
2 Feb 2016 - "An email with the subject of 'RB0081 INV2372039' pretending to come from Sales invoice <salesinvoice@ leathams .co.uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
From: Sales invoice <salesinvoice@ leathams .co.uk>
Date: Tue 02/02/2016 12:13
Subject: RB0081 INV2372039
Attachment: Leathams Ltd_INV2372039.doc
Dear Sir/Madam,
Please find attached your sales invoice(s) for supplied goods. Please process for payment as soon as possible.
In the event that you have a query – please direct your query...
2 February 2016: Leathams Ltd_INV2372039.doc - Current Virus total detections 4/54*
downloads Dridex banking malware from the same locations as today’s earlier malspams**. This example connects to http ://fillingsystem .com/5h4g/0oi545gfgf.exe which delivers an updated Dridex version to the earlier ones (VirusTotal 0/53***)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/0...is/1454417962/
** http://myonlinesecurity.co.uk/order-...sheet-malware/
*** https://www.virustotal.com/en/file/f...is/1454419046/
:fear::fear: :mad:
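The reports above end with a recommendation to block the Dridex C2 address 91.239.232.145 and, optionally, the whole 91.239.232.0/22 it sits in. The following is an added example of how a defender would apply such a list to outbound-connection logs; it is not code from the quoted blogs. The blocklist entries come from the reports above, the log format ("timestamp src dst port action") and the log lines themselves are constructed for the example, and it also checks that a proposed CIDR actually contains the indicator it is meant to cover before the range is rolled out.

```python
import ipaddress

# Indicators quoted in the reports above: the Dridex C2 IP and the /22 the
# author suggests blocking. Further entries are added in the same shape.
BLOCKLIST = [
    "91.239.232.145",   # C2 IP (Hostpro Ltd, Ukraine) named in the reports
    "91.239.232.0/22",  # broader range the author suggests blocking
]

# Constructed sample log lines (not from the page) in a generic
# "timestamp src dst port action" proxy/firewall format.
SAMPLE_LOG = """\
2016-02-02T13:20:01Z 10.0.0.14 91.239.232.145 443 ALLOW
2016-02-02T13:20:05Z 10.0.0.14 93.184.216.34 80 ALLOW
2016-02-02T13:21:10Z 10.0.0.22 91.239.235.7 8443 ALLOW
2016-02-02T13:22:00Z 10.0.0.22 91.239.236.1 443 ALLOW
2016-02-02T13:22:30Z 10.0.0.31 not-an-ip 443 ALLOW
"""


def build_networks(entries):
    """Turn blocklist strings into ip_network objects (a bare IP becomes a /32)."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def match_blocklist(ip_str, networks):
    """Return the first blocklist entry containing ip_str, or None.

    Malformed destinations (hostnames, garbage) are skipped rather than
    raising, so one bad log line does not abort the whole scan.
    """
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return None
    for net in networks:
        if ip in net:
            return str(net)
    return None


def scan_log(log_text, entries=BLOCKLIST):
    """Return [(destination, matched_entry)] for every line whose destination hits the list."""
    networks = build_networks(entries)
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue            # not in the expected five-field layout
        dst = fields[2]
        matched = match_blocklist(dst, networks)
        if matched:
            hits.append((dst, matched))
    return hits


def range_covers_indicator(cidr, ip_str):
    """Sanity check before blocking a range: does it really contain the C2 IP?"""
    return ipaddress.ip_address(ip_str) in ipaddress.ip_network(cidr, strict=False)


if __name__ == "__main__":
    # The /22 must cover the C2 address; 91.239.236.1 lies just outside it.
    assert range_covers_indicator("91.239.232.0/22", "91.239.232.145")
    for dst, entry in scan_log(SAMPLE_LOG):
        print(f"blocklist hit: destination {dst} matched {entry}")
```

Running it reports the direct C2 hit and the 91.239.235.7 connection, which is only caught by the /22; the 91.239.236.1 line falls outside that range and is left alone, which is the boundary to check before trusting a blanket range block.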
-
Fake 'Invoice (SI-523)', 'Invoice MOJU', 'Attached Image' SPAM, Tesco PHISH
FYI...
Turning Off Specific Files from Previewing in the Microsoft Outlook Reading Pane
- http://windowsitpro.com/outlook/turn...k-reading-pane
Block Certain File Types from Opening in Associated Office Applications
- http://windowsitpro.com/microsoft-of...e-applications
>> http://myonlinesecurity.co.uk/malfor...macro-viruses/
3 Feb 2016
___
Security flaws discovered in smart toys and kids' watches
- http://net-security.org/secworld.php?id=19404
3 Feb 2016 - "Rapid7 researchers* have unearthed serious flaws in two 'Internet of Things' devices:
• The Fisher-Price Smart Toy, a "stuffed animal" type of toy that can interact with children and can be monitored via a mobile app and WiFi connectivity, and
• The hereO GPS Platform, a smart GPS toy watch that allows parents to track their children's physical location.
In both cases the problem was with the authentication process, i.e. in the platform's web service (API) calls. In the first instance, the API calls were not appropriately verified, so an attacker could have sent unauthorized requests and extracted information such as customer details, children's profiles, and more... In the second instance, the flaw allowed attackers to gain access to the family's group by adding an account to it, which would allow them to access the family member's location, location history, etc. "We have once again been able to work with vendors to resolve serious security issues impacting their platforms and hope that vendors considering related products are able to take note of these findings so that the overall market can improve beyond just these particular instances," noted Mark Stanislav, manager of global services at Rapid7*... "
* https://community.rapid7.com/communi...o-gps-platform
Feb 2, 2016
___
Fake 'Free Travel Lottery' SPAM - doc malware
- http://myonlinesecurity.co.uk/free-t...d-doc-malware/
3 Feb 2016 - "An email with the subject of 'Free Travel Lottery Drawing' pretending to come from VIATOR.COM <winners@ viator .com> with a malicious word doc attachment is another one from the current bot runs.. The email looks like:
From: VIATOR .COM <winners@ viator .com>
Date: Wed, 3 Feb 2016 16:14
Subject: Free Travel Lottery Drawing
Attachment: winner_81.doc
ATripAdvisor®Company
Unforgettable time in the place where summer never ends!
We held a lottery drawing among the customers of our travel agency Viator!
Free travel for 2 persons to a Paradise Island Koh-Samui, in Kingdom of Thailand for 10 days! Travel insurance included!
2,500,000 our customers took participation in the lottery. Only 250 winners!
To learn more about the tour and your Winner Bonus become familiar with the attached document...
3 February 2015: winner_81.doc - Current Virus total detections 1/54*
MALWR** shows downloads http ://finiki45toget .com/post/511plvk.exe (virustotal 2/52***)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/0...is/1454514245/
** https://malwr.com/analysis/ZDgyZmI0Z...Y5NzZiNzc3ODg/
163.20.136.189: https://www.virustotal.com/en/ip-add...9/information/
>> https://www.virustotal.com/en/url/bc...588a/analysis/
*** https://www.virustotal.com/en/file/b...is/1454512889/
___
Fake 'Invoice (SI-523)' SPAM - malicious attachment
- http://blog.dynamoo.com/2016/02/malw...nvoice-si.html
3 Feb 2016 - "This -fake- financial spam does not come from GS Toilet Hire but is instead a simple -forgery- with a malicious attachment. In other words, if you open it.. [don't].
From: GS Toilet Hire [donotreply@ sageone .com]
Date: 3 February 2016 at 09:12
Subject: GS Toilet Hire - Invoice (SI-523) for £60.00, due on 28/02/2016
Good morning
Thank you for your business - we're pleased to attach your invoice in PDF. Please bear in mind that if we are in the area the price is reduced to £15+vat per visit.
Full details, including payment terms, are included.
If you have any questions, please don't hesitate to contact us.
Kind regards,
Linda Smith
Office, GS Toilet Hire ...
I have seen two samples of this, both with an attachment named Sales_Invoice_SI-523_GS Toilet Hire.pdf.zip which contains a malicious Javascript file with a name like invoice_id6395788111.js. The two samples that I have seen have low detection rates... containing some highly obfuscated scripts... which... downloads a binary from one of the following locations:
obstipatie .nu/43rf3dw/34frgegrg.exe
bjhaggerty .com/43rf3dw/34frgegrg.exe
(also www .ni-na27.wc.shopserve .jp/43rf3dw/34frgegrg.exe ...)
This type of download indicates that this is Dridex 220; it is unusual for it to be spammed out with a Javascript-in-ZIP format rather than a malicious Office macro... The binary... shows the malware phoning home to:
91.239.232.145 (Hostpro Ltd, Ukraine)
I strongly recommend that you -block- all traffic to that IP, and possibly the 91.239.232.0/22 block in which it resides.
UPDATE: The same spam is being sent out with a more traditional DOC attachment, Sales_Invoice_SI-523_GS Toilet Hire.doc which comes in at least two different variants (VirusTotal [1] [2]) which according to these Malwr reports [3] [4] downloads a binary from the following locations:
xinchunge .com/xinchunge.com/43rf3dw/34frgegrg.exe
taukband .com/43rf3dw/34frgegrg.exe
This is a different binary from before, with a detection rate of 4/53*. It still phones home to the same location."
1] https://www.virustotal.com/en/file/a...is/1454494549/
2] https://www.virustotal.com/en/file/5...is/1454494559/
3] https://malwr.com/analysis/YjBlMDMzZ...ZhMTkwZmRlYzE/
98.143.159.150
91.239.232.145
13.107.4.50
4] https://malwr.com/analysis/YWZiMGE1M...QwMGQwZjczZDU/
192.186.239.3
91.239.232.145
184.25.56.44
* https://www.virustotal.com/en/file/9...3f67/analysis/
- http://myonlinesecurity.co.uk/gs-toi...ing-to-dridex/
3 Feb 2016 - "... an email with the subject of 'GS Toilet Hire – Invoice (SI-523) for £60.00, due on 28/02/2016' pretending to come from GS Toilet Hire <donotreply@ sageone .com> with a zip attachment is another one from the current bot runs...
Screenshot: http://myonlinesecurity.co.uk/wp-con...0-1024x515.png
- or: http://myonlinesecurity.co.uk/wp-con...n-1024x515.png
3 February 2016: Sales_Invoice_SI-523_GS Toilet Hire.pdf.zip - Extracts to: invoice_id2677432297.js
Current Virus total detections 2/54*. MALWR**
3 February 2016: Sales_Invoice_SI-523_GS Toilet Hire.doc - VirusTotal 3/52***
downloads what looks like -Dridex- from xinchunge .com/xinchunge.com/43rf3dw/34frgegrg.exe
(VirusTotal 4/53[4])
obstipatie .nu/43rf3dw/34frgegrg.exe
bjhaggerty .com/43rf3dw/34frgegrg.exe
taukband .com/43rf3dw/34frgegrg.exe
This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a DOC file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/c...is/1454491705/
** https://malwr.com/analysis/ZGI5OWI1Z...FiN2FjNjdiYjA/
46.17.1.250
*** https://www.virustotal.com/en/file/a...is/1454492103/
4] https://www.virustotal.com/en/file/9...is/1454493882/
___
Fake 'Invoice MOJU' SPAM - malicious attachment
- http://blog.dynamoo.com/2016/02/malw...-accounts.html
3 Feb 2016 - "This -fake- financial spam comes with a malicious attachment. It does not come from Moju Ltd but is instead a simple -forgery- with a malicious attachment:
From: Accounts [message-service@ post.xero .com]
Date: 3 February 2016 at 09:04
Subject: Invoice MOJU-0939
Hi,
Here's invoice MOJU-0939 for 47.52 GBP. For last weeks delivery.
The amount outstanding of 47.52 GBP is due on 25 Feb 2016.
If you have any questions, please let us know.
Thanks,
Moju Ltd
I have only seen one sample of this, with an attachment named Invoice MOJU-0939.zip containing a malicious script invoice_id4050638124.js that has detection rate of 2/53* and which according to this Malwr report** downloads a binary from:
www .ni-na27.wc.shopserve .jp/43rf3dw/34frgegrg.exe
This payload is the same as seen in this concurrent spam run***."
* https://www.virustotal.com/en/file/0...b867/analysis/
** https://malwr.com/analysis/MDhlY2U2M...dlYmU4NWFhNDQ/
210.160.220.144
*** http://blog.dynamoo.com/2016/02/malw...nvoice-si.html
- http://myonlinesecurity.co.uk/invoic...alware-dridex/
3 Feb 2016 - "An email with the subject of 'Invoice MOJU-0939' pretending to come from Accounts <message-service@ post.xero .com> with a zip attachment is another one from the current bot runs...
Screenshot: http://myonlinesecurity.co.uk/wp-con...9-1024x497.png
3 February 2016: Invoice MOJU-0939.zip: Extracts to: invoice_id6174018044.js
Current Virus total detections 2/52*. MALWR** which downloads what looks like Dridex banking malware from http ://obstipatie .nu/43rf3dw/34frgegrg.exe (VirusTotal 3/54***)
This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a DOC file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/1...is/1454489431/
** https://malwr.com/analysis/ZGI5OWI1Z...FiN2FjNjdiYjA/
*** https://www.virustotal.com/en/file/e...is/1454490157/
TCP connections
91.239.232.145: https://www.virustotal.com/en/ip-add...5/information/
13.107.4.50: https://www.virustotal.com/en/ip-add...0/information/
___
Fake 'Attached Image' SPAM - xls malware
- http://myonlinesecurity.co.uk/attach...sheet-malware/
3 Feb 2016 - "... another email with the subject of 'Attached Image' pretending to come from canon@ victimdomain .tld with a malicious Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
From: canon@ victimdomain .tld
Date: Wed 03/02/2016 10:38
Subject: Attached Image
Attachment: 1690_001 .xls
Body content: Blank
3 February 2016: 1690_001.xls - Current Virus total detections 2/52*
.. same Dridex macro dropper, downloading the -same- Dridex banking malware that was described in this earlier post** from -same- locations. This one was from
best-drum-set .com/43rf3dw/34frgegrg.exe ...
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/b...is/1454500546/
** http://myonlinesecurity.co.uk/gs-toi...ing-to-dridex/
- http://blog.dynamoo.com/2016/02/malw...rom-canon.html
3 Feb 2016 - "This spam pretends to come from the victim's own domain, but it doesn't. Instead it is a simple -forgery- with a malicious attachment.
From: canon@ victimdomain .tld
Date: 3 February 2016 at 12:09
Subject: Attached Image
There is no body text. Attached is a file 1690_001.xls of which I have seen a single variant with a detection rate of 9/54*. The Hybrid Analysis** shows it downloading an executable from:
best-drum-set .com/43rf3dw/34frgegrg.exe
This has a detection rate of 6/51 and is the -same- binary as used in this other spam attack today***."
* https://www.virustotal.com/en/file/b...is/1454501819/
** https://www.hybrid-analysis.com/samp...nvironmentId=4
192.254.190.17
*** http://blog.dynamoo.com/2016/02/malw...nvoice-si.html
___
Tesco 'shop for free' – phish
- http://myonlinesecurity.co.uk/tesco-...free-phishing/
3 Feb 2016 - "An email saying 'Tesco is giving you a chance to shop for free' pretending to come from Tesco .com <info@ sets .com> is one of the latest phishing emails trying to -steal- your Tesco bank details... This one -only- wants your personal details, Tesco log-in details and your credit card and bank details... some of the screen shots are from this new phish, but others have been re-used from older versions that I have already blogged about, but are identical except for the site name in the URL bar. If you follow that link you see a webpage looking like:
> http://myonlinesecurity.co.uk/wp-con...1-1024x606.jpg
Then you get a page asking to verify your mobile phone number:
>> http://myonlinesecurity.co.uk/wp-con...2-1024x689.png
After filling in that page you then get this one:
>>> http://myonlinesecurity.co.uk/wp-con...1-1024x517.png
Then this comes up... Any 5 digit number entered in the box gets you to the next page:
>>>> http://myonlinesecurity.co.uk/wp-con...4-1024x568.png
Then you get a page asking for password and Security number... After you fill in your Security number and password you get a page looking like this, where the phishers try to validate your details to make sure that you are entering “genuine” information. They make sure that the bank account numbers have the correct number of digits and that the credit card numbers have the correct number of digits and format... eventually it auto -redirects- you to the genuine Tesco bank site... -All- of these emails use Social engineering tricks to persuade you to open the attachments that come with the email..."
:fear::fear: :mad:
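Both posts above keep returning to the same lure: a ZIP named like a PDF that really holds a .js script, a .zip that extracts to an .exe, and macro-capable .doc/.xls files, all relying on Windows hiding the last extension so the icon is what the user sees. The following is an added example, not code from the quoted blogs, of a mail-gateway style check that flags those attachment-name patterns and shows what name the user would actually see. The filenames are the ones quoted in these posts; the ZIP contents are constructed placeholders, not the real scripts.

```python
import io
import os
import zipfile

EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
SCRIPT_EXT = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".ps1"}
MACRO_CAPABLE_EXT = {".doc", ".xls", ".docm", ".xlsm", ".dotm", ".ppt", ".pptm"}
ARCHIVE_EXT = {".zip", ".rar", ".7z"}
# "harmless looking" extensions used as decoys in front of the real one
DECOY_EXT = {".pdf", ".doc", ".docx", ".xls", ".jpg", ".jpeg", ".png",
             ".tiff", ".tif", ".txt"}


def split_exts(name):
    """All extensions of a filename, lower-cased: 'a.pdf.zip' -> ['.pdf', '.zip']."""
    parts = os.path.basename(name).split(".")
    return ["." + p.lower() for p in parts[1:]] if len(parts) > 1 else []


def displayed_name(name):
    """Name as Explorer shows it with 'hide extensions for known file types' on:
    only the last extension is dropped, so 'scan.tiff.js' displays as 'scan.tiff'."""
    root, ext = os.path.splitext(os.path.basename(name))
    return root if ext else os.path.basename(name)


def classify_name(name):
    """Return the reasons an attachment name is suspicious (empty list = none found)."""
    exts = split_exts(name)
    reasons = []
    if not exts:
        return reasons
    last = exts[-1]
    if last in EXECUTABLE_EXT:
        reasons.append("executable extension")
    if last in SCRIPT_EXT:
        reasons.append("script extension")
    if last in MACRO_CAPABLE_EXT:
        reasons.append("macro-capable Office document")
    # decoy extension right before the real one: invoice.pdf.zip, scan.tiff.js
    if len(exts) >= 2 and exts[-2] in DECOY_EXT \
            and last in (EXECUTABLE_EXT | SCRIPT_EXT | ARCHIVE_EXT):
        reasons.append(f"decoy extension {exts[-2]} before {last} "
                       f"(displays as '{displayed_name(name)}')")
    return reasons


def classify_zip(name, zip_bytes):
    """Classify a ZIP attachment by its own name and by every member name inside it."""
    reasons = classify_name(name)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for member in zf.namelist():
            for r in classify_name(member):
                reasons.append(f"archive member '{member}': {r}")
    return reasons


def make_zip(members):
    """Build an in-memory ZIP from {name: bytes} (constructed test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member_name, data in members.items():
            zf.writestr(member_name, data)
    return buf.getvalue()


if __name__ == "__main__":
    # Attachment names quoted in the posts above; the ZIP body is a placeholder.
    for n in ["Enquiry 206754.exe", "1690_001.xls", "report.pdf"]:
        print(n, "->", classify_name(n) or "no finding")
    lure = make_zip({"invoice_id6395788111.js": b"// constructed placeholder, not the real script"})
    for r in classify_zip("Sales_Invoice_SI-523_GS Toilet Hire.pdf.zip", lure):
        print("Sales_Invoice_SI-523_GS Toilet Hire.pdf.zip ->", r)
```

The two-stage check matters: the outer name `...pdf.zip` already earns a decoy-extension finding, but the member listing is what turns "archive" into "script in archive", which is the Dridex 220 pattern the posts describe. The classification is deliberately name-based so it can run at the gateway before any content is opened.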
-
Fake 'January balance', 'Swift Copy', 'Fuel Card E-bill' SPAM, Amazon PHISH
FYI...
Fake 'January balance' SPAM - malicious attachment
- http://blog.dynamoo.com/2016/02/malw...ce-alison.html
4 Feb 2016 - "This -fake- financial spam does not come from J. Thomson Colour Printers, but is instead a simple -forgery- with a malicious attachment:
From Alison Smith [ASmith056@ jtcp .co.uk]
Date Thu, 04 Feb 2016 10:52:21 +0300
Subject "January balance £785"
Hi,
Thank you for your recent payment of £672.
It appears the attached January invoice has been missed off of your payment. Could
you please advise when this will be paid or if there is a query with the invoice?
Regards
Alison Smith
Assistant Accountant ...
The poor company being spoofed has already been hit by this attack recently... The email address of the sender varies from message to message. Attached is a file IN161561-201601.js which comes in at least -five- different versions (VirusTotal 0/53[1]..). This is a highly obfuscated script... and automated analysis of the various scripts [6].. shows that the macro downloads from the following locations (there may be more):
ejanla .co/43543r34r/843tf.exe
cafecl .1pworks.com/43543r34r/843tf.exe
This binary has a detection rate of 2/52* and phones home to:
62.76.191.108 (Clodo-Cloud / IT-House, Russia)
Note that the whole 62.76.184.0/21 block is a haven for malware, but it does also have some legitimate Russian customers. You might want to consider blocking the entire range if your users don't need to visit Russian websites. The payload is the Dridex banking trojan, and although it is unusual to see a plain .js file spammed out like this, it is consistent with botnet 220."
1] https://www.virustotal.com/en/file/2...is/1454576263/
6] https://www.hybrid-analysis.com/samp...nvironmentId=1
* https://www.virustotal.com/en/file/1...is/1454577822/
TCP connections
62.76.191.108
13.107.4.50
- http://myonlinesecurity.co.uk/januar...rs-js-malware/
4 Feb 2016 - "... once again spoofing Alison Smith of J Thomson Colour Printers with an email with the subject of 'January balance £785' pretending to come from Alison Smith <ASmith5AC@ jtcp .co.uk> with a zip attachment is another one from the current bot runs...
Screenshot: http://myonlinesecurity.co.uk/wp-con...5-1024x761.png
4 February 2016: IN161561-201601.js - Current Virus total detections 0/52*
MALWR** shows a download from http ://ejanla .co/43543r34r/843tf.exe which is highly likely to be Dridex banking malware. This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a DOC file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/1...is/1454576306/
** https://malwr.com/analysis/YWY2YzczY...dhNWE5OGEzN2Y/
23.229.207.163
62.76.191.108
13.107.4.50
___
Fake 'Swift Copy' SPAM - doc malware
- http://myonlinesecurity.co.uk/reswif...-1761-exploit/
4 Feb 2016 - "An email with the subject of 'Re: Swift Copy' pretending to come from Kim Raymonds <kimraymonds@ sssup .it> (probably random email addresses) with a malicious word doc attachment is another one from the current bot runs... This is using CVE-2014-1761 exploit* in unpatched versions of office and it doesn’t matter if you have macros turned off or not. If you are -not- patched, then you WILL be infected by this.
* https://web.nvd.nist.gov/view/vuln/d...=CVE-2014-1761 - 9.3 (HIGH)
You also need to read the bottom paragraph of THIS page** to use additional settings to protect yourself against this & similar exploits...
** http://myonlinesecurity.co.uk/malfor...macro-viruses/
The email looks like:
From: Kim Raymonds <kimraymonds@ sssup .it>
Date: Thu 04/02/2016 10:27
Subject: Re:Swift Copy
Attachment: Swift Copy.doc
Dear
My boss requested i should send the swift copy to you.
Pls see the attached.
Have a great day!
Thanks,
Kim Raymonds
Office Manager
4 February 2016 : Swift Copy.doc - Current Virus total detections 23/52*
MALWR** shows it downloads http ://andersonken479 .pserver .ru/doc.exe (VirusTotal 16/54***) which is some sort of banking Trojan and password stealer. One additional trick being played on you to infect you, is the downloaded doc.exe has an icon looking like a word doc, so if you accidentally open the original swift copy.doc, the doc.exe gets silently downloaded in background and is supposed to autorun..."
* https://www.virustotal.com/en/file/5...is/1454405380/
** https://malwr.com/analysis/M2Q5NzBjY...lmMzBmYjg0MTU/
91.202.12.139: https://www.virustotal.com/en/ip-add...9/information/
>> https://www.virustotal.com/en/url/8d...d4c3/analysis/
*** https://www.virustotal.com/en/file/4...is/1454514020/
___
Fake 'Fuel Card E-bill' SPAM - malicious attachment
- http://blog.dynamoo.com/2016/02/malw...rd-e-bill.html
4 Feb 2016 - "This -fake- financial spam does not come from Fuel Card Services Ltd but is instead a simple -forgery- with a malicious attachment:
From "Fuel Card Services" [adminbur@ fuelcardgroup .com]
Date Thu, 04 Feb 2016 04:29:24 -0700
Subject BP Fuel Card E-bill 0200442 for Account B216552 31/01/2016 ...
Account: B216552
Please find your e-bill 0200442 for 31/01/2016 attached.
To manage you account online please click ...
If you would like to order more fuel cards please click ...
If you have any queries, please do not hesitate to contact us.
Regards
Cards Admin.
Fuel Card Services Ltd ...
I have only seen one sample with an attachment named ebill0200442.xls which contains this malicious macro... which is different to recent Dridex macros, and is similar to one first seen yesterday. According to this Malwr report it downloads an executable from:
www .trulygreen .net/43543r34r/843tf.exe
... also reported as a download location is:
www .mraguas .com/43543r34r/843tf.exe
If you look at the details of the Malwr report, it seems that the script creates a LOT of files all over the place. The dropped executable has a detection rate of 4/52* and according to this Hybrid Analysis** shows that it phones home to:
62.76.191.108 (Clodo-Cloud / IT-House, Russia)
This is the same IP address as seen earlier, but the payload has now changed. Blocking that IP would be wise, and I would suggest that blocking 62.76.184.0/21 is probably worth considering too."
* https://www.virustotal.com/en/file/8...bc6d/analysis/
** https://www.hybrid-analysis.com/samp...nvironmentId=4
- http://myonlinesecurity.co.uk/bp-fue...sheet-malware/
4 Feb 2016 - "... an email with the subject of 'BP Fuel Card E-bill 0200442 for Account B216552 31/01/2016' pretending to come from Fuel Card Services <adminbur@ fuelcardgroup .com> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
From: Fuel Card Services <adminbur@ fuelcardgroup .com>
Date: Thu 04/02/2016 12:31
Subject: BP Fuel Card E-bill 0200442 for Account B216552 31/01/2016
Attachment: ebill0200442.xls ...
Account: B216552
Please find your e-bill 0200442 for 31/01/2016 attached.
To manage you account online please click ...
If you would like to order more fuel cards please click ...
If you have any queries, please do not hesitate to contact us.
Regards
Cards Admin...
4 February 2016: ebill0200442.xls - Current Virus total detections 4/52*
This will download Dridex banking Trojans from
http ://www .mraguas .com/43543r34r/843tf.exe (VirusTotal 4/52**)
Other locations so far discovered include
http ://clothesmaxusa .com/43543r34r/843tf.exe
http ://cluster007.ovh .net/~lelodged/43543r34r/843tf.exe
http ://69.61.48.46 /43543r34r/843tf.exe
http ://www .trulygreen .net/43543r34r/843tf.exe
... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/9...is/1454588668/
** https://www.virustotal.com/en/file/8...is/1454588381/
___
Fake Amazon Mail - Phish ...
- https://blog.malwarebytes.org/fraud-...t-information/
Feb 4, 2016 - "From the mailbox: a -fake- Amazon mail which attempts to persuade the lucky recipient that they have the chance to win £10 in return for completing a quick survey. The mail, titled “ΙD: 569369943” and claiming to be from “members support” / message@ notice-amazon(dot)com, reads as follows:
'As a valued customer we would like to present you with an opportunity to make a quick buck. We are offering £10 each to a selected number of customers in exchange for completing a quick survey relating to our service. Your opinions and thoughts are vital in order for us to provide the best possible service..'
> https://blog.malwarebytes.org/wp-con...mznsignin0.jpg
... the link directed eager clickers from what looked to be a compromised home and gardens website (now offline) to:
amazon-update-account-awd547324897457(dot)tube-gif-converter(dot)com/Login(dot)php
... where the site asked for Amazon login credentials:
>> https://blog.malwarebytes.org/wp-con...mznsignin1.jpg
After this, the next page requested full-payment-information including address, phone number, credit card details, sort code / bank-account-number and “security question” too. At time of writing, both the initial redirection site and the phishing page(s) are both down for the count. Of course, scammers will likely resurrect this fake Amazon £10 survey reward / swipe your banking information tactic elsewhere so it pays to have an idea what they’re up to at all times. At this point, we’d usually suggest looking out for the green padlock / verified identity advice typically given near the end of a “Don’t get phished” blog. However, HTTPS isn’t deployed across the entirety of Amazon – only the pages where it’s really needed, such as login / payment and so on. All the same, it’s good practice to check for a green padlock / identity information anytime you’re asked to login or submit potentially sensitive data. Follow these simple steps, and you’re probably going to be safe from this type of attack. As a final tip, be very wary around emails claiming you’ve been entered into surveys or competitions – and if you see well known brands sending you odd mails about “making a quick buck”, you may want to run the other way."
notice-amazon(dot)com: 172.99.89.200: https://www.virustotal.com/en/ip-add...0/information/
:fear::fear: :mad:
-
Fake 'Scanned file', 'Invoices', 'Scanned Referral' SPAM
FYI...
Fake 'Scanned file' SPAM – JS malware
- http://myonlinesecurity.co.uk/scanne...alware-dridex/
8 Feb 2016 - "An email with the subject of 'Scanned file from Optivet Referrals' pretending to come from Optivet Referrals <reception@ mail13.wdc04.mandrillapp .com> on behalf of Optivet Referrals <reception@ optivet .com> with a .JS attachment is another one from the current bot runs... The email looks like:
From: Optivet Referrals <reception@ mail13.wdc04.mandrillapp .com>; on behalf of; Optivet Referrals <reception@ optivet.com>
Date: Mon 08/02/2016 08:08
Subject: Scanned file from Optivet Referrals
Attachment: 4060395693402.tiff.js
Dear Sir/Madam
Please find attached a document from Optivet Referrals.
Yours faithfully
The Reception Team at Optivet.
Optivet Referrals Ltd. Company Reg. No. 06906314. Registered office: Calyx House, South Road, Taunton, Somerset. TA1 3DU
Optivet Referrals Ltd. may monitor email traffic data and also the content of email for the purposes of security and staff training.
This message is private and confidential. If you have received this message in error, please notify us and remove it from your system...
8 February 2016: 4060395693402.tiff.js - Current Virus total detections 1/54*
MALWR** shows it downloads Dridex banking Trojan from http ://zuhr-kreativ .com/98876hg5/45gt454h
(VirusTotal 0/55***) which is downloaded as a text file and the javascript file renames it to pVSgp3Qo.scr (or other random named scr file) and automatically runs it (virustotal 3/54[4]). This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like an image file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/6...is/1454922441/
** https://malwr.com/analysis/YjkyNTBhZ...JkNTlkYThjMTE/
50.87.89.243
188.40.224.73
184.28.188.112
*** https://www.virustotal.com/en/file/3...is/1454923278/
4] https://www.virustotal.com/en/file/9...is/1454923099/
TCP connections
188.40.224.73: https://www.virustotal.com/en/ip-add...3/information/
13.107.4.50: https://www.virustotal.com/en/ip-add...0/information/
___
Fake 'Invoices' SPAM - malicious attachment
- http://blog.dynamoo.com/2016/02/malw...mentation.html
8 Feb 2016 - "This -fake- financial spam does not come from Crosswater Holdings, but it is instead a simple -forgery- with a malicious attachment:
From: CreditControl@ crosswater .co.uk
Date: 8 February 2016 at 10:34
Subject: Accounts Documentation - Invoices
Please find attached the invoice(s) raised on your account today. If you have more than one invoice they will all be in the single attachment above.
If you have any queries please do not hesitate to contact the Credit Controller who deals with your account...
Attached is a malicious script ~13190.js which comes in at least two different variants (VirusTotal [1] [2]). According to automated analysis [3]... these scripts download from:
hydroxylapatites7.meximas .com/98876hg5/45gt454h
80.109.240.71 /~l.pennings/98876hg5/45gt454h
This drops an executable with a detection rate of 3/53[4] which appears to phone home** to:
188.40.224.73 (NoTag, Germany)
I strongly recommend that you -block- traffic to that IP address. The payload is likely to be the Dridex banking trojan."
1] https://www.virustotal.com/en/file/9...is/1454938464/
2] https://www.virustotal.com/en/file/2...is/1454938475/
3] https://malwr.com/analysis/ZWJhYzY1Y...JlYzhmOGQ4ODA/
31.170.165.165
31.170.160.60
* https://www.virustotal.com/en/file/d...is/1454938652/
** https://www.hybrid-analysis.com/samp...nvironmentId=4
80.109.240.71: https://www.virustotal.com/en/ip-add...1/information/
188.40.224.73: https://www.virustotal.com/en/ip-add...3/information/
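Added example, not from the quoted blogs or from anyone in this thread: the reports quoted above defang their indicators by putting a space before the dot or slash ('promo.clickencer .com/4wde34f/4gevfdg', 'http ://...'), so they cannot be pasted straight into a firewall or proxy deny list. The Python below refangs that notation and separates phone-home/hosting IPs, download hosts and full download URLs. The sample text is constructed from indicators quoted on this page; the regular expressions, the rejection of invalid IPs and the one-per-line blocklist format are my own assumptions.

```python
"""Refang the dot-spaced IOCs used in these reports and build a blocklist."""
import ipaddress
import re
from typing import Dict, List

# Constructed sample in the notation the quoted reports use: a space before
# the dot or slash that "defangs" the indicator, annotations in parentheses,
# and '*' footnote markers. The indicators themselves are quoted on this page.
SAMPLE_REPORT = """
MALWR** shows it downloads Dridex banking Trojan from http ://zuhr-kreativ .com/98876hg5/45gt454h
these scripts download from:
hydroxylapatites7.meximas .com/98876hg5/45gt454h
80.109.240.71 /~l.pennings/98876hg5/45gt454h
This drops an executable with a detection rate of 3/53 which appears to phone home** to:
188.40.224.73 (NoTag, Germany)
Recommended blocklist:
192.100.170.19
87.229.86.20
84.38.67.231
"""

SCHEME = re.compile(r"https?\s*:\s*//\s*", re.I)
# A dotted quad (spaces allowed around the dots) with an optional path.
IPV4_URL = re.compile(
    r"\b(\d{1,3}\s?\.\s?\d{1,3}\s?\.\s?\d{1,3}\s?\.\s?\d{1,3})\b(\s?/[^\s()]+)?")
# A host name: labels separated by optional-space dots, ending in an alphabetic TLD.
HOST_URL = re.compile(
    r"\b((?:[a-z0-9-]+\s?\.\s?)+[a-z]{2,})\b(\s?/[^\s()]+)?", re.I)


def refang(token: str) -> str:
    """Collapse the defang spacing: 'example .com /x' -> 'example.com/x'."""
    return re.sub(r"\s*([./])\s*", r"\1", token)


def extract_iocs(text: str) -> Dict[str, List[str]]:
    """Return de-duplicated, refanged IPs, hosts and download URLs."""
    ips, hosts, urls = set(), set(), set()
    for line in text.splitlines():
        line = SCHEME.sub("", line)            # "http ://" carries no information
        for m in IPV4_URL.finditer(line):
            ip = refang(m.group(1))
            try:
                ipaddress.IPv4Address(ip)      # rejects things like 999.1.1.1
            except ValueError:
                continue
            ips.add(ip)
            if m.group(2):
                urls.add(ip + refang(m.group(2)))
        line = IPV4_URL.sub(" ", line)         # don't re-match an IP's path as a host
        for m in HOST_URL.finditer(line):
            host = refang(m.group(1)).lower()
            hosts.add(host)
            if m.group(2):
                urls.add(host + refang(m.group(2)))
    return {"ips": sorted(ips), "hosts": sorted(hosts), "urls": sorted(urls)}


def blocklist(iocs: Dict[str, List[str]]) -> str:
    """One indicator per line: IPs first, then download hosts."""
    return "\n".join(iocs["ips"] + iocs["hosts"])


if __name__ == "__main__":
    found = extract_iocs(SAMPLE_REPORT)
    print(blocklist(found))
    for url in found["urls"]:
        print("download URL:", url)
```

The download hosts are usually compromised legitimate sites that get cleaned within days, so keep them on a shorter expiry than the phone-home IPs, which the quoted reports recommend blocking outright.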
-
Fake -blank subject-, 'statement' SPAM
FYI...
Fake -blank subject- SPAM - malicious attachment
- http://myonlinesecurity.co.uk/empty-...alware-dridex/
Feb 9, 2016 - "... an email with no subject pretending to come from accounts_do_not_reply@ aldridgesecurity .co.uk with a malicious word doc attachment is another one from the current bot runs... The email looks like:
From: accounts_do_not_reply@ aldridgesecurity .co.uk
Date: Tue 09/02/2016 08:07
Subject: NONE
Attachment: document2016-02-09-103153.doc
Body content:
Accounts
9 February 2016: document2016-02-09-103153.doc - Current Virus total detections 5/54*
Downloads Dridex banking malware from http ://promo.clickencer .com/4wde34f/4gevfdg (VirusTotal 0/54**) which is saved/downloaded as a text file and converted to label8.exe (VirusTotal 0/54***) by the macro and then autorun - MALWR[4]... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/e...is/1455008860/
** https://www.virustotal.com/en/file/2...is/1455010031/
*** https://www.virustotal.com/en/file/2...is/1455010031/
4] https://malwr.com/analysis/NmFjMTM0Z...kwMmI4NWQ5NTg/
66.7.195.81
50.56.184.194
184.25.56.42
- http://blog.dynamoo.com/2016/02/malw...-accounts.html
Feb 9, 2016 - "This rather terse spam does not come from Aldridge Security but it is instead a simple forgery with a malicious attachment. There is no subject.
From [accounts_do_not_reply@ aldridgesecurity .co.uk]
Date Tue, 09 Feb 2016 10:31:14 +0200
Subject
Accounts
I have only seen a single sample with an attachment document2016-02-09-103153.doc which has a VirusTotal detection rate of 5/54*. Automated analysis [1] [2] shows that it downloads a malicious executable from:
promo.clickencer .com/4wde34f/4gevfdg
This has a detection rate of 5/54**. Those analyses indicate that the malware phones home to:
50.56.184.194 (Rackspace, US)
I strongly recommend that you -block- traffic to that IP. The payload is the Dridex banking trojan."
* https://www.virustotal.com/en/file/e...is/1455011714/
1] https://malwr.com/analysis/NmFjMTM0Z...kwMmI4NWQ5NTg/
2] https://www.hybrid-analysis.com/samp...nvironmentId=4
** https://www.virustotal.com/en/file/e...is/1455011714/
___
Fake 'statement' SPAM - doc malware jpg
- http://myonlinesecurity.co.uk/fwnibh...ed-from-a-jpg/
9 Feb 2016 - "An email with the subject of 'Fw:Nibh Donec Est LLC. statement' pretending to come from random senders at random email addresses with a malicious word doc attachment is another one from the current bot runs... The company in the subject matches the company in the body. The subjects vary but are all related to statements. Some subjects include:
Fw:Nibh Donec Est LLC. statement
Fwd:Quis Massa Mauris PC. statement
Re:Tellus Aenean LLP – statement
Aliquet Lobortis LLC – statement
The email looks like:
From: Brittany Hood <gerados@gerados .info>
Date: Tue 09/02/2016 06:06
Subject: Fw:Nibh Donec Est LLC. statement
Attachment: 62YDP.doc
Please find attached a statement
Best regards
Nibh Donec Est LLC
Brittany Hood
9 February 2016: 62YDP.doc - Current Virus total detections 2/54*
MALWR** shows a download from http ://inroadsdevelopment .us/ht.jpg?RZ9lqw4jFWvx=35 which delivers ht.jpg (VirusTotal 9/53***) which is decoded by a combination of the -macro- in the word doc and a dropped/extracted VBS file 12047.vbs (VirusTotal 1/51[4]) to give you 1204745.exe (VirusTotal 5/54[5])...
inroadsdevelopment .us: 192.185.16.61: https://www.virustotal.com/en/ip-add...1/information/
>> https://www.virustotal.com/en/url/68...c1cd/analysis/
... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/8...is/1454998395/
** https://malwr.com/analysis/NDY5MDQxY...MwN2IwNjUzNzY/
*** https://www.virustotal.com/en/file/7...is/1454998178/
4] https://www.virustotal.com/en/file/a...is/1454999501/
5] https://www.virustotal.com/en/file/7...is/1454999510/
-
Fake 'SERVICE SHEET', 'New Doc 115', 'Message', 'DHL' SPAM
FYI...
Fake 'SERVICE SHEET' SPAM - doc malware
- http://myonlinesecurity.co.uk/emaili...d-doc-malware/
10 Feb 2016 - "An email with the subject of 'Emailing: MX62EDO 10.02.2016' pretending to come from documents@ dmb-ltd .co.uk with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
From: documents@ dmb-ltd .co.uk
Date: Wed 10/02/2016 08:18
Subject: Emailing: MX62EDO 10.02.2016
Attachment: MX62EDO 10.02.2016.doc
Your message is ready to be sent with the following file or link
attachments:
MX62EDO 10.02.2016 SERVICE SHEET
Note: To protect against computer viruses, e-mail programs may prevent
sending or receiving certain types of file attachments. Check your e-mail
security settings to determine how attachments are handled...
10 February 2016: MX62EDO 10.02.2016.doc - Current Virus total detections 5/54*
MALWR** shows us a download of Dridex banking malware from
http ://g-t-c .co.uk/09u8h76f/65fg67n (VirusTotal 0/54***) which is once again, as seen in previous runs this last week, downloaded as a text file and -renamed- by the macro and saved to %temp%\label8.exe where it is autorun (VirusTotal 4/54[4])... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/5...is/1455095855/
** https://malwr.com/analysis/NTNlNTdkO...M5ZWIwMmM2NGU/
185.11.240.14
87.229.86.20
13.107.4.50
*** https://www.virustotal.com/en/file/0...is/1455096865/
4] https://www.virustotal.com/en/file/0...is/1455097168/
TCP connections
87.229.86.20: https://www.virustotal.com/en/ip-add...0/information/
13.107.4.50: https://www.virustotal.com/en/ip-add...0/information/
- http://blog.dynamoo.com/2016/02/malw...-10022016.html
10 Feb 2016
"... Recommended blocklist:
87.229.86.20
50.56.184.194
144.76.73.3 "
___
Fake 'New Doc 115' SPAM - doc malware
- http://myonlinesecurity.co.uk/new-do...d-doc-malware/
10 Feb 2016 - "... an email with the subject of 'New Doc 115' pretending to come from admin <ali73_20081475@ yahoo .co.uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
From: admin <ali73_20081475@ yahoo .co.uk>
Date: Wed 10/02/2016 11:02
Subject: New Doc 115
Attachment: New Doc 115.doc
Sent from Yahoo Mail on Android
10 February 2016: New Doc 115.doc - Current Virus total detections 5/54*
... -same malware- and -same- download locations as today's earlier malspam run** ..."
* https://www.virustotal.com/en/file/f...is/1455101427/
** http://myonlinesecurity.co.uk/emaili...d-doc-malware/
___
Fake 'Message' SPAM - xls malware
- http://myonlinesecurity.co.uk/messag...sheet-malware/
10 Feb 2016 - "... an email with the subject of 'Message from KMBT_C224' pretending to come from copier @ your own company or email domain with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
From: copier@ victimdomain .tld
Date: Wed 10/02/2016 12:20
Subject: Message from KMBT_C224
Attachment: SKMBT_C22416020417390.xls
Body content: Empty
10 February 2016: SKMBT_C22416020417390.xls - Current Virus total detections 5/54*
MALWR** shows what should be a download of Dridex banking malware from
http ://toptut .ru/09u8h76f/65fg67n - however when I tried, I got a '404 not found'.
NOTE: there -will- be other download locations in different versions of this... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/8...is/1455110388/
** https://malwr.com/analysis/YjQ5N2QzM...JkMDAyNTRlMDc/
85.10.201.19
toptut .ru: 85.10.201.19: https://www.virustotal.com/en/ip-add...9/information/
___
Fake 'DHL' SPAM - Teslacrypt
- http://myonlinesecurity.co.uk/dhl-de...re-teslacrypt/
10 Feb 2016 - "An email with the subject of 'DHL DeliverNow Notification Card on lost shipment (Third Notification)' pretending to come from DHL DeliverNow Network <zkfwgyh@ grafeia-teleton-kyriakidis .gr> (probably random email addresses with sender spoofed as DHL) with a zip attachment is another one from the current bot runs...
Screenshot: http://myonlinesecurity.co.uk/wp-con...--1024x769.png
25 February 2016: DHL_Notification_card.zip: Extracts to: file.zip which extracts to invoice_m7BNUn.js
Current Virus total detections 3/55*. MALWR** shows a download of what looks like Teslacrypt from either http ://fromjamaicaqq .com/26.exe or http ://greetingsfromitaff .com/26.exe (VirusTotal 4/55***).
This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/0...is/1455124017/
** https://malwr.com/analysis/NjY1MWFhM...dhZTg5N2E2OGQ/
173.82.74.197
192.3.186.222
*** https://www.virustotal.com/en/file/5...is/1455124442/
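Added example, not from the quoted blogs or from anyone in this thread: a mail-gateway style attachment check for the three tricks described in this post and the ones above it, namely a script extension hidden behind a decoy one (4060395693402.tiff.js, which Explorer shows as a .tiff when known extensions are hidden), a .js wrapped in a zip inside another zip (DHL_Notification_card.zip extracts to file.zip which extracts to invoice_m7BNUn.js), and a macro-enabled Office document. The sample attachments are constructed in memory with placeholder contents; the extension lists and the nesting limit are assumptions to tune for your own environment.

```python
"""Flag mail attachments that hide a script or macro behind a harmless-looking name."""
import io
import posixpath
import zipfile
from typing import Dict, List, Tuple

# Assumed lists: what this page reports (.js, .scr, .exe, .docm) plus common
# siblings. Tune them for your own environment.
EXECUTABLE_EXT = {"exe", "scr", "com", "pif", "js", "jse", "vbs", "vbe",
                  "wsf", "hta", "bat", "cmd", "ps1"}
MACRO_EXT = {"docm", "xlsm", "pptm", "dotm", "xlam"}
DECOY_EXT = {"tiff", "tif", "jpg", "jpeg", "png", "gif", "pdf", "doc", "xls", "txt"}
MAX_DEPTH = 3   # how many nested containers we are willing to open


def classify_name(name: str) -> List[str]:
    """Reasons a file name is suspicious; an empty list means nothing seen."""
    parts = posixpath.basename(name).lower().split(".")
    reasons: List[str] = []
    if len(parts) < 2:
        return reasons
    ext = parts[-1]
    if ext in EXECUTABLE_EXT:
        reasons.append(f"executable extension .{ext}")
        # 4060395693402.tiff.js is shown as "4060395693402.tiff" with extensions hidden
        if len(parts) >= 3 and parts[-2] in DECOY_EXT:
            reasons.append(f"decoy extension .{parts[-2]} hides .{ext} when "
                           "Explorer hides known extensions")
    elif ext in MACRO_EXT:
        reasons.append(f"macro-enabled Office file .{ext}")
    return reasons


def scan_attachment(name: str, data: bytes, depth: int = 0) -> List[Tuple[str, str]]:
    """Recurse into zip containers (OOXML included); return (path, reason) pairs."""
    findings = [(name, r) for r in classify_name(name)]
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return findings
    if depth >= MAX_DEPTH:
        findings.append((name, f"zip nested more than {MAX_DEPTH} levels deep; not opened"))
        return findings
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # An OOXML document carrying a VBA project is macro-enabled whatever it is called
            if info.filename.lower().endswith("vbaproject.bin"):
                findings.append((name, f"contains a VBA project ({info.filename})"))
            findings += scan_attachment(f"{name}/{info.filename}", zf.read(info), depth + 1)
    return findings


def build_zip(entries: Dict[str, bytes]) -> bytes:
    """Build an in-memory zip for the constructed samples below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for entry_name, payload in entries.items():
            zf.writestr(entry_name, payload)
    return buf.getvalue()


# Constructed samples modelled on attachment names quoted on this page;
# the contents are placeholders, not the real malware.
SAMPLES: Dict[str, bytes] = {
    "4060395693402.tiff.js": b"// placeholder, not the real downloader",
    "DHL_Notification_card.zip": build_zip(
        {"file.zip": build_zip({"invoice_m7BNUn.js": b"// placeholder"})}),
    "Fixed Penalty Receipt.docm": build_zip({
        "[Content_Types].xml": b"<Types/>",
        "word/document.xml": b"<w:document/>",
        "word/vbaProject.bin": b"\xd0\xcf\x11\xe0 placeholder",
    }),
    "invoice.pdf": b"%PDF-1.4 placeholder",
}


def scan_all(samples: Dict[str, bytes]) -> Dict[str, List[Tuple[str, str]]]:
    return {name: scan_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for attachment, findings in scan_all(SAMPLES).items():
        verdict = "BLOCK" if findings else "pass"
        print(f"{verdict:5} {attachment}")
        for path, reason in findings:
            print(f"      {path}: {reason}")
```

Name-based checks are cheap and catch everything on this page, but they are only the first layer: a gateway should also sniff the real file type, since a renamed .exe with a .txt extension passes the name test and is exactly what the macros here fetch before renaming it themselves.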
-
Fake 'Unpaid Invoice', 'Confirmation', 'Office Direct', 'Scan', 'SagePayInvoice' SPAM
FYI...
Fake 'Unpaid Invoice' SPAM - JS malware
- http://myonlinesecurity.co.uk/int242...om-js-malware/
11 Feb 2016 - "An email with the subject of 'INT242343 Unpaid Invoice – Your Services May Be Suspended' pretending to come from payments <payments@ wavenetuk .com> with a zip attachment is another one from the current bot runs... The email looks like:
From: payments <payments@ wavenetuk .com>
Date: Thu 11/02/2016 08:38
Subject: INT242343 Unpaid Invoice – Your Services May Be Suspended
Attachment: OutstandingStatement201602111650.js
PLEASE NOTE: THIS IS A NO REPLY EMAIL ACCOUNT
Dear Customer Please find attached to this email your statement You can view the invoices listed on our e-billing site at www .netbills .co.uk If you have any queries regarding use of the e-billing site or this statement please call us on 08444 12 7777.
Accounts Department Wavenet Group Incorporating – Titan Technology, Centralcom and S1 Network Services Tel 08444127777 ...
11 February 2016: OutstandingStatement201602111650.js - Current Virus total detections 0/54*
MALWR** shows a download of Dridex banking malware from
http ://aforbescompany .com/09u8h76f/65fg67n which once again is a text file that the javascript saves to & renames to %Temp%\sREKjVas.scr or another random named file (VirusTotal 2/55***)
Other download locations so far discovered include: http ://gp-training .net/09u8h76f/65fg67n ... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/8...is/1455183429/
** https://malwr.com/analysis/YzQxYzFjZ...UxMmJmODY2MWQ/
69.89.31.158
87.229.86.20
184.25.56.44
*** https://www.virustotal.com/en/file/b...is/1455183938/
TCP connections
87.229.86.20: https://www.virustotal.com/en/ip-add...0/information/
88.221.14.11: https://www.virustotal.com/en/ip-add...1/information/
- http://blog.dynamoo.com/2016/02/malw...d-invoice.html
11 Feb 2016 - "This spam does not come from Wavenet Group but is instead a simple -forgery- with a malicious attachment:
From payments [payments@ wavenetuk .com]
Date Thu, 11 Feb 2016 15:14:59 +0530
Subject INT242343 Unpaid Invoice - Your Services May Be Suspended
PLEASE NOTE: THIS IS A NO REPLY EMAIL ACCOUNT
Dear Customer
Please find attached to this email your statement
You can view the invoices listed on our e-billing site at www .netbills .co.uk
If you have any queries regarding use of the e-billing site or this statement please
call us on 08444 12 7777.
Accounts Department
Wavenet Group
Incorporating - Titan Technology, Centralcom and S1 Network Services
Tel 08444127777 ...
I have only seen a single sample of this with an attachment OutstandingStatement201602111650.js which has a VirusTotal detection rate of 0/53*. The Malwr analysis shows that this script downloads an executable from:
gp-training .net/09u8h76f/65fg67n
There are probably a few other download locations. This binary has a detection rate of 2/54**. The Malwr report also indicates that it phones home to:
87.229.86.20 (ZNET Telekom Zrt, Hungary)
I strongly recommend that you -block- traffic to that IP. The payload is the Dridex banking trojan."
* https://www.virustotal.com/en/file/4...is/1455185997/
** https://www.virustotal.com/en/file/b...is/1455186992/
TCP connections
87.229.86.20: https://www.virustotal.com/en/ip-add...0/information/
88.221.14.11: https://www.virustotal.com/en/ip-add...1/information/
___
Fake 'Confirmation' SPAM - doc malware
- http://myonlinesecurity.co.uk/confir...d-doc-malware/
11 Feb 2016 - "An email with the subject of 'Confirmation' pretending to come from sales@ writeonltd .co.uk with a malicious word doc attachment is another one from the current bot runs...
Screenshot: http://myonlinesecurity.co.uk/wp-con...d-1024x775.png
11 February 2016: Sales_Order_Confirmation__Priced_SORD00137058.doc - Current Virus total detections 5/55*
MALWR** is once again showing an attempted download from
http ://maraf0n.vv .si/09u8h76f/65fg67n which is giving a 404 not found and diverts to Russian hosting company home page... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/b...is/1455188335/
** https://malwr.com/analysis/NmY4NGE1M...UxY2EzODVlMzE/
31.170.164.132: https://www.virustotal.com/en/ip-add...2/information/
31.170.160.60: https://www.virustotal.com/en/ip-add...0/information/
___
Fake 'Office Direct' SPAM - doc malware
- http://myonlinesecurity.co.uk/uk-off...d-doc-malware/
11 Feb 2016 - "An email with the subject of 'UK Office Direct A/C OD04450155' pretending to come from office@ ukofficedirect .co.uk with a malicious word doc attachment is another one from the current bot runs...
Screenshot: http://myonlinesecurity.co.uk/wp-con...5-1024x767.png
11 February 2016: Invoice_INV8000288979.doc - Current Virus total detections 5/54*
MALWR** shows an attempted download from http ://maraf0n.vv .si/09u8h76f/65fg67n but like all the others this morning is giving a 404 and redirects to Russian hosting company home page... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/7...is/1455187463/
** https://malwr.com/analysis/YWE2NzU5Y...ExMDM3MmUzZGE/
31.170.164.132: https://www.virustotal.com/en/ip-add...2/information/
31.170.160.60: https://www.virustotal.com/en/ip-add...0/information/
___
Fake 'Scan' SPAM - malicious attachment
- http://blog.dynamoo.com/2016/02/malw...50-please.html
11 Feb 2016 - "This -fake- document -scan- leads to malware. It appears to originate from within the victim's own domain, but it is just a simple forgery.
From: scanner@ victimdomain .tld
Date: 11 February 2016 at 10:24
Subject: Scan from KM1650
Please find attached your recent scan
Attached is a file SCAN7318_000.DOC which seems to come in several different varieties (sample VirusTotal results [1]..). The Malwr reports [4].. indicate that the macro in the document downloads a malicious executable from:
maraf0n.vv .si/09u8h76f/65fg67n
www .sum-electronics .co.jp/09u8h76f/65fg67n
The dropped executable has a detection rate of 2/54*. As with this earlier spam run** it phones home to:
87.229.86.20 (ZNET Telekom Zrt, Hungary)
-Block- traffic to that IP. The payload is the Dridex banking trojan."
1] https://www.virustotal.com/en/file/d...is/1455191710/
4] https://malwr.com/analysis/MGQzODg3Z...AzZDg0YWIxMWY/
* https://www.virustotal.com/en/file/b...is/1455192649/
TCP connections
87.229.86.20: https://www.virustotal.com/en/ip-add...0/information/
>> https://www.virustotal.com/en/url/00...23cb/analysis/
88.221.14.11: https://www.virustotal.com/en/ip-add...1/information/
** http://blog.dynamoo.com/2016/02/malw...d-invoice.html
___
Fake 'Sage Pay Invoice' SPAM - xls malware
- http://myonlinesecurity.co.uk/your-s...sheet-malware/
11 Feb 2016 - "An email with the subject of 'Your Sage Pay Invoice INV00318132' pretending to come from Sagepay EU <accounts@ sagepay .com> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
From: Sagepay EU <accounts@ sagepay .com>
Date: Thu 11/02/2016 13:01
Subject: Your Sage Pay Invoice INV00318132
Attachment: INV00318132_V0072048_12312014.xls
Please find attached your invoice.
We are making improvements to our billing systems to help serve you better and because of that the attached invoice will look different from your previous ones. You should have already received an email that outlined the changes, however if you have any questions please contact ...
11 February 2016: INV00318132_V0072048_12312014.xls - Current Virus total detections 4/54*
MALWR** shows a download of Dridex banking malware from
http ://www .phraseculte .fr/09u8h76f/65fg67n (VirusTotal 3/54***)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/a...is/1455199262/
** https://malwr.com/analysis/MTllNjllN...MyNjE0ODA2ZmY/
46.21.207.156
84.38.67.231
13.107.4.50
*** https://www.virustotal.com/en/file/f...is/1455198516/
TCP connections
84.38.67.231: https://www.virustotal.com/en/ip-add...1/information/
>> https://www.virustotal.com/en/url/8a...f65b/analysis/
104.86.111.136: https://www.virustotal.com/en/ip-add...6/information/
- http://blog.dynamoo.com/2016/02/malw...y-invoice.html
11 Feb 2016 - "... a simple -forgery- with a malicious attachment... Attached is a file INV00318132_V0072048_12312014.xls which appears to come in a wide variety of different versions (at least -11-). The VirusTotal detection rate for a subset of these is 6/54[1]... Only a single Malwr report* seemed to work, indicating the macro downloading from:
www .phraseculte .fr/09u8h76f/65fg67n
This dropped executable has a detection rate of 3/54**. The Malwr report shows it phoning home to:
84.38.67.231 (ispOne business GmbH, Germany)
I strongly recommend that you -block- traffic to that IP. The payload is the Dridex banking trojan."
1] https://www.virustotal.com/en/file/c...23ee/analysis/
* https://malwr.com/analysis/MTllNjllN...MyNjE0ODA2ZmY/
46.21.207.156
84.38.67.231
13.107.4.50
** https://www.virustotal.com/en/file/f...is/1455203414/
TCP connections
84.38.67.231: https://www.virustotal.com/en/ip-add...1/information/
>> https://www.virustotal.com/en/url/8a...f65b/analysis/
104.86.111.136: https://www.virustotal.com/en/ip-add...6/information/
___
We might use your 'IoT stuff' to spy on you ...
- https://nakedsecurity.sophos.com/201...james-clapper/
Feb 11, 2016 - "... think that it could be 'Big Brother' doing the eyeballing, be it through your internet-connected fridge, your toothbrush, or your TV... the Internet of Things, or IoT: that collection of connected gadgets that have plenty of 'neat-o!' factor but which, all too often, are pockmarked with security holes:
> https://nakedsecurity.sophos.com/201...nt-to-get-off/
... IoT refers to a whole class of day-to-day 'things' that are now being offered with built-in network connectivity. These everyday objects can directly hook into the internet, all on their own, rather than needing to first be plugged into a computer connected to the internet. The emergence of the IoT has been accompanied by a torrent of stories about security researchers and malicious hackers breaking into all manner of objects... We’ve seen issues with connected kettles, TVs, lightbulbs, thermostats, refrigerators and baby monitors that have all been designed without adherence to the information security principle of least privilege:
> https://en.wikipedia.org/wiki/Princi...east_privilege
But one person’s security hole is another person’s opportunity. To intelligence agencies, IoT devices could illuminate an environment that they claim is 'going dark' due to new forms of encryption being used in consumer products and services... Wired* quoted remarks he made at a summit for In-Q-Tel, the CIA’s venture capital firm:
'Transformational' is an overused word, but I do believe it properly applies to these technologies, particularly to their effect on clandestine tradecraft' ..."
* http://www.wired.com/2012/03/petraeus-tv-remote/
___
Malware Found in 3rd Party App Stores
- http://blog.trendmicro.com/trendlabs...ty-app-stores/
Feb 10, 2016 - "... Because some users have concerns with the app giant Google Play, they choose to download apps from third-party stores. For instance, there are no region locks for apps in some third-party app stores. Some developers of paid apps even partner with third-party app stores with purchase capability to give those who download from the partnered store considerable discounts. Third-party app stores can also be the preferred store due to its popularity in a specific region. Android users have to keep in mind that installing apps from these third-party app stores requires users to allow the installation from 'unknown sources'. Malicious apps have a history of popping up from these third party websites, a reason why it is often recommended that Android users -must- stick to Google Play. Because of Google’s security measures, we believe it is the safest platform for downloading apps. It is worth noting, however, that third-party app stores are implementing means to tighten their security. Malicious apps were recently seen making the rounds in some third-party app stores. They spoof popular apps, increasing the chances of getting selected and downloaded. These include popular mobile games, mobile security apps, camera apps, music streaming apps, and so on. They even share the exact same package and certification with their Google Play counterpart... However, the malware only downloads and installs other apps -without- the user’s knowledge. These secretly downloaded apps will then present themselves as ads luring users to downloading other apps from time to time. It can also be used to collect user data and forward them to the attacker. Based on the data from our Trend Micro Mobile App Reputation Service, there are -1,163- malicious APKs detected as ANDROIDOS_ LIBSKIN.A. 
In addition, between January 29 and February 1, malicious apps detected as this malware have been downloaded in -169- countries and can be found in -four- third party app stores, namely Aptoide, Mobogenie, mobile9, and 9apps. We have already contacted these stores and informed them about these threats, but as of this writing, we have yet to receive any confirmation from their end...
> https://blog.trendmicro.com/trendlab...us-apps-01.png
... The popups lure users into clicking-unwanted-apps. Clicking-on-the-ads may not necessarily lead the user to the respective app or site. Other than that, ANDROIDOS_ LIBSKIN.A can also collect users’ data and send them back to a remote malicious user. This includes data about the user’s phone, subscription IDs, device ID, language, network type, apps running, network name, and so on... we do warn users to approach downloading apps with caution. One option that users may do to avoid downloading fake apps is to download the app from the developer’s website. They may also check the -reputation- of the store before downloading anything..."
-
Fake 'DVSA', 'Fuelcard' SPAM
FYI...
Fake 'DVSA' SPAM - malicious attachment
- http://blog.dynamoo.com/2016/02/malw...a-receipt.html
12 Feb 2016 - "This spam email does not come from a UK government agency, but is instead a simple -forgery- with a malicious attachment. Note that the sender's email address seems to vary slightly, but all are spoofed to come from vosa.gsi .gov.uk.
From FPO.CC.15@ vosa.gsi .gov.uk
Date Fri, 12 Feb 2016 12:47:20 +0300
Subject DVSA RECEIPT
Good afternoon
Please find attached your receipt, sent as requested.
Kind regards
(See attached file)
Fixed Penalty Office
Driver and Vehicle Standards Agency ...
Attached is a file Fixed Penalty Receipt.docm which comes in at least -ten- different variants... I captured two samples with detection rate of about 3/54 [1] [2] and the Malwr reports for those [3] [4] indicate the macro in the document downloads a malicious executable from:
raysoft .de/09u8h76f/65fg67n
xenianet .org/09u8h76f/65fg67n
steinleitner-online.net/09u8h76f/65fg67n [reported here (5)]
This dropped file has a detection rate of 5/54* ... This Hybrid Analysis report** indicates subsequent traffic to:
192.100.170.19 (Universidad Tecnologica de la Mixteca, Mexico)
87.229.86.20 (ZNET Telekom Zrt, Hungary)
84.38.67.231 (ispOne business GmbH, Germany)
The payload is the Dridex banking trojan.
Recommended blocklist:
192.100.170.19
87.229.86.20
84.38.67.231 "
1] https://www.virustotal.com/en/file/5...is/1455274179/
2] https://www.virustotal.com/en/file/d...is/1455275696/
3] https://malwr.com/analysis/YzMzNTQ1M...I2MTUyM2E5MjQ/
4] https://malwr.com/analysis/OGFjN2VlZ...RiMTQyODdhMzA/
5] https://www.virustotal.com/en/file/f...is/1455274504/
* https://www.virustotal.com/en/file/f...is/1455274504/
** https://www.hybrid-analysis.com/samp...nvironmentId=4
___
Fake 'Fuelcard' SPAM - doc/xls malware
- http://myonlinesecurity.co.uk/your-l...eet-malware-2/
12 Feb 2016 - "An email with the subject of 'Your latest invoice' from The Fuelcard Company UK Ltd pretending to come from customerservice@ fuelcards .co.uk with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
From: customerservice@ fuelcards .co.uk
Date: Fri 12/02/2016 10:16
Subject: Your latest invoice from The Fuelcard Company UK Ltd
Attachment: invoice.xls
Please find your latest invoice attached.
If you have any queries please do not hesitate to contact our Customer Service Team at customerservice@fuelcards.co.uk
Regards
The Fuelcard Compa
The Fuelcard Company UK Ltd ...
12 February 2016: invoice.xls - Current Virus total detections 5/53*
MALWR** shows a download of what is almost certainly Dridex Banking Trojan from
http ://web82 .snake.kundenserver42 .de/09u8h76f/65fg67n (VirusTotal 5/53***)
Other download locations include: http ://raysoft .de/09u8h76f/65fg67n
http ://steinleitner-online .net/09u8h76f/65fg67n
http ://www .xenianet .org/09u8h76f/65fg67n
... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/5...is/1455275820/
** https://malwr.com/analysis/ZDRiNDVlO...UxZGJjNTA2OTQ/
195.93.200.140
192.100.170.19
13.107.4.50
*** https://www.virustotal.com/en/file/f...is/1455276505/
TCP connections
192.100.170.19
13.107.4.50
87.229.86.20
- http://blog.dynamoo.com/2016/02/malw...oice-from.html
12 Feb 2016 - "... Hybrid Analysis* shows that this particular sample downloads from:
legismar .com/09u8h76f/65fg67n
This is the -same- executable as found in this earlier spam run**."
* https://www.hybrid-analysis.com/samp...nvironmentId=4
** http://blog.dynamoo.com/2016/02/malw...a-receipt.html
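Added example, not from the quoted blogs or from anyone in this thread: from the 10 Feb run onwards every Dridex download URL quoted on this page ends in the same path /09u8h76f/65fg67n on otherwise unrelated hosts (g-t-c .co.uk, toptut .ru, aforbescompany .com, raysoft .de, legismar .com and so on), and the quoted analyses say the binary arrives "as a text file" and is renamed to .exe or .scr by the macro or script afterwards. Both observations turn into proxy-log detections: one path requested from several distinct hosts, and a large, successful, extension-less text/plain download. The log lines below are constructed in Squid's native access.log layout using host names from this page and documentation-range peer addresses; the thresholds are assumptions.

```python
"""Proxy-log detection for the Dridex download pattern described on this page."""
import posixpath
import re
import urllib.parse
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed log lines in Squid's native access.log layout:
# time elapsed client action/status bytes method url user hier/peer content-type
# Hosts are the ones quoted on this page; peers are documentation addresses.
SAMPLE_LOG = """\
1455095855.123    412 10.0.0.15 TCP_MISS/200 214528 GET http://g-t-c.co.uk/09u8h76f/65fg67n - HIER_DIRECT/203.0.113.10 text/plain
1455110388.400    298 10.0.0.22 TCP_MISS/404 512 GET http://toptut.ru/09u8h76f/65fg67n - HIER_DIRECT/203.0.113.11 text/html
1455183429.901    388 10.0.0.31 TCP_MISS/200 214528 GET http://aforbescompany.com/09u8h76f/65fg67n - HIER_DIRECT/203.0.113.12 text/plain
1455275820.010    377 10.0.0.40 TCP_MISS/200 214528 GET http://raysoft.de/09u8h76f/65fg67n - HIER_DIRECT/203.0.113.13 text/plain
1455275821.010     55 10.0.0.40 TCP_MISS/200 1337 GET http://www.example.com/images/logo.png - HIER_DIRECT/198.51.100.5 image/png
1455275900.200     61 10.0.0.41 TCP_MISS/200 8811 GET http://www.example.net/css/main.css - HIER_DIRECT/198.51.100.6 text/css
"""

LINE = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)\s+(\S+)/(\d{3})\s+(\d+)\s+(\S+)\s+(\S+)"
                  r"\s+(\S+)\s+(\S+)\s+(\S+)\s*$")
COMMON_PATHS = {"/", "/favicon.ico", "/robots.txt"}   # legitimately shared by every site


def parse_squid(line: str) -> Optional[Dict]:
    """Parse one native-format line into a dict, or None if it does not fit."""
    m = LINE.match(line)
    if not m:
        return None
    ts, _elapsed, client, _action, status, size, _method, url, _user, _hier, ctype = m.groups()
    u = urllib.parse.urlsplit(url)
    return {"time": float(ts), "client": client, "status": int(status),
            "bytes": int(size), "host": u.hostname, "path": u.path, "ctype": ctype}


def detect(log_text: str, min_hosts: int = 3, min_bytes: int = 100_000) -> List[Dict]:
    """Return one alert per request that matches either heuristic."""
    records = [r for r in map(parse_squid, log_text.splitlines()) if r]

    # Heuristic 1: the same non-trivial path requested from several unrelated hosts.
    hosts_by_path: Dict[str, set] = defaultdict(set)
    for r in records:
        if r["path"] not in COMMON_PATHS:
            hosts_by_path[r["path"]].add(r["host"])

    alerts = []
    for r in records:
        reasons = []
        n = len(hosts_by_path.get(r["path"], ()))
        if n >= min_hosts:
            reasons.append(f"path {r['path']} requested from {n} distinct hosts")
        # Heuristic 2: a large, extension-less, successful text/plain download,
        # i.e. an executable delivered "as a text file" for the macro to rename.
        if (r["status"] == 200 and r["ctype"] == "text/plain"
                and r["bytes"] >= min_bytes and not posixpath.splitext(r["path"])[1]):
            reasons.append("large text/plain response with no file extension")
        if reasons:
            alerts.append({"client": r["client"], "host": r["host"],
                           "path": r["path"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a['client']} -> {a['host']}{a['path']}: {'; '.join(a['reasons'])}")
```

The 404 from toptut .ru still fires on heuristic 1, which is the point: a client that asked for the campaign path almost certainly opened the document and enabled macros, whether or not the download worked, and is the one to pull for incident response.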
-
Fake 'Invoice', 'Overdue Invoice' SPAM, Dyre Trojan - gone dark
FYI...
Fake 'Invoice' SPAM - doc malware
- http://myonlinesecurity.co.uk/invoic...d-doc-malware/
15 Feb 2016 - "An email with the subject of 'Invoice (w/e 070216)' pretending to come from Kelly Pegg <kpegg@ responserecruitment .co.uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
From: Kelly Pegg <kpegg@ responserecruitment .co.uk>
Date: SKM_C3350160212101601 .docm
Subject: Invoice (w/e 070216)
Attachment: SKM_C3350160212101601 .docm
Good Afternoon
Please find attached invoice and timesheet.
Kind Regards
Kelly
15 February 2016: SKM_C3350160212101601.docm - Current Virus total detections 7/54*
MALWR** shows a download of Dridex banking Trojan from
http ://216.158.82.149 /09u8h76f/65fg67n (VirusTotal 4/54***)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/e...is/1455537274/
** https://malwr.com/analysis/ZTViNjYyM...k2OTlkYmIyMWU/
216.158.82.149: https://www.virustotal.com/en/ip-add...9/information/
>> https://www.virustotal.com/en/url/b3...a391/analysis/
5.45.180.46
13.107.4.50
*** https://www.virustotal.com/en/file/c...is/1455536293/
TCP connections
5.45.180.46
13.107.4.50
- http://blog.dynamoo.com/2016/02/malw...216-kelly.html
15 Feb 2016 - "... Attached is a file SKM_C3350160212101601.docm which comes in -several- different variants. The macro in the document attempts to download a malicious executable from:
216.158.82.149 /09u8h76f/65fg67n
sstv.go .ro/09u8h76f/65fg67n
www .profildigital .de/09u8h76f/65fg67n
This dropped a malicious executable with a detection rate of 6/54* which according to these automated analysis tools [1] [2] calls home to:
5.45.180.46 (B & K Verwaltungs GmbH, Germany)
I strongly recommend that you -block- traffic to that address. The payload is the Dridex banking trojan."
* https://www.virustotal.com/en/file/c...433c/analysis/
TCP connections
5.45.180.46: https://www.virustotal.com/en/ip-add...6/information/
>> https://www.virustotal.com/en/url/56...85ee/analysis/
13.107.4.50: https://www.virustotal.com/en/ip-add...0/information/
1] https://malwr.com/analysis/ZWEyODc4Y...EyNDBjODRiNmI/
5.45.180.46
184.25.56.44
2] https://www.hybrid-analysis.com/samp...nvironmentId=4
___
Fake 'Overdue Invoice' SPAM - malicious attachment
- http://blog.dynamoo.com/2016/02/malw...ce-012345.html
15 Feb 2016 - "This malicious spam appears to come from many different senders and companies. It has a malicious attachment:
From: Brandi Riley [BrandiRiley21849@ horrod .com]
Date: 15 February 2016 at 12:20
Subject: Overdue Invoice 089737 - COMS PLC
Dear Customer,
The payment is overdue. Your invoice appears below. Please remit payment at your earliest convenience.
Thank you for your business - we appreciate it very much.
Sincerely,
Brandi Riley
COMS PLC
Attached is a file in the format INVOICE-UK865916 2015 NOV.doc which comes in several different versions (VirusTotal results [1] [2] [3]). The Hybrid Analysis* shows an attempted download from:
node1.beckerdrapkin .com/fiscal/auditreport.php
This is hosted on an IP that you can assume to be malicious:
193.32.68.40 (Veraton Projects, BZ / DE)
The dropped executable (detection rate 4/54**) then phones home to:
194.58.92.2 (Reg.Ru Hosting, Russia)
202.158.123.130 (Cyberindo Aditama, Indonesia)
185.24.92.229 (System Projects LLC, Russia)
The payload is the Dridex banking trojan.
Recommended blocklist:
193.32.68.40
194.58.92.2
202.158.123.130
185.24.92.229 "
1] https://www.virustotal.com/en/file/d...is/1455541445/
2] https://www.virustotal.com/en/file/c...is/1455541455/
3] https://www.virustotal.com/en/file/6...e6b1/analysis/
* https://www.hybrid-analysis.com/samp...nvironmentId=4
** https://www.virustotal.com/en/file/f...is/1455542606/
TCP connections
202.158.123.130: https://www.virustotal.com/en/ip-add...0/information/
81.52.160.146: https://www.virustotal.com/en/ip-add...6/information/
185.24.92.229: https://www.virustotal.com/en/ip-add...9/information/
>> https://www.virustotal.com/en/url/65...02fa/analysis/
___
Dyre Trojan - gone dark...
- https://securityintelligence.com/dyr...ted-in-moscow/
Feb 9, 2016 - "... Reuters reports* that a police raid took place in November 2015 in a downtown Moscow high-rise. The operation reportedly took place inside the offices of a film distribution and production company called 25th Floor, which is, ironically, in the midst of producing a movie called 'Botnet', loosely based on a 2010 cybercrime case... IBM X-Force researchers indicate that Dyre, which has been a constantly evolving threat, fell silent in November 2015. According to IBM Trusteer, malware infection rates dropped sharply in mid-November, with new user infections appearing in the single digits per day at most. Beyond the drop in new infections, which signified the halt of spam/exploit kit campaigns, Dyre’s configuration-update-servers and its real-time-webinjection-server were -both- disconnected from the Internet as the malware ceased generating attempted fraudulent transactions. A week later, in late November, Dyre’s redirection attack servers also went dark:
> https://static.securityintelligence....ks_Flatten.png
It has been close to three months now since Dyre went silent. This in and of itself could have been a pause taken by its operators, an occurrence that happens from time to time; in September 2015, Dridex, too, went silent for almost a month. But cybercrime gangs like Dyre do not typically stay out of the game for three whole months unless they are in trouble. And trouble is apparently what befell the Dyre crew in Moscow last November. Dyre is considered one of the most advanced banking Trojans active in the wild today. Beyond the technical level of its attacks, Dyre is prolific in different parts of the globe and has made its mark as the most active Trojan family in 2015, according to IBM Trusteer data:
> https://static.securityintelligence....op_Bankers.png
If the gang operating Dyre has indeed been apprehended in Russia, the event will go down as one of the most significant cybercrime busts in history. More than its magnitude in terms of the fraud losses that will be spared, it will be one of the most noteworthy operations carried out against cybercrime on Russian soil by Russian authorities... Dyre’s absence will also give a bigger market share to other malware like Dridex, for example, which, according to IBM X-Force researchers, has been enhancing its attack methods to match Dyre’s and focusing on high-value business and corporate accounts in the U.K. and the U.S., which closely resembles Dyre’s path through the year before the raid..."
* http://www.reuters.com/article/us-cy...-idUSKCN0VE2QS
-
Fake 'Remittance Advice', 'receipt', 'Invoice-J' SPAM
FYI...
Fake 'Remittance Advice' SPAM - doc malware
- http://myonlinesecurity.co.uk/remitt...d-doc-malware/
16 Feb 2016 - "An email with the subject of 'Remittance Advice : Tue, 16 Feb 2016 16:55:29 +0800' pretending to come from fmis@ oldham .gov.uk with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
From: fmis@ oldham .gov.uk
Date: Tue 16/02/2016 08:55
Subject: Remittance Advice : Tue, 16 Feb 2016 16:55:29 +0800
Attachment: 201602_4_2218.docm
Confidentiality: This email and its contents and any attachments are intended
only for the above named. As the email may contain confidential or legally privileged information,
if you are not, or suspect that you are not, the above named or the person responsible
for delivery of the message to the above named, please delete or destroy the
email and any attachments immediately.
Security and Viruses: This note confirms that this email message has been
swept for the presence of computer viruses...
16 February 2016: 201602_4_2218.docm - Current Virus total detections 5/54*
MALWR** shows a download of Dridex banking Trojan from
http ://lepeigneur .power-heberg .com/09u8h76f/65fg67n (VirusTotal 4/54***)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/d...is/1455613213/
** https://malwr.com/analysis/YmNhZDRhM...IyMzJhNDFhNDA/
91.238.72.69
151.248.117.140
184.25.56.42
*** https://www.virustotal.com/en/file/c...is/1455613578/
TCP connections
151.248.117.140: https://www.virustotal.com/en/ip-add...0/information/
>> https://www.virustotal.com/en/url/f2...767c/analysis/
104.86.111.136: https://www.virustotal.com/en/ip-add...6/information/
- http://blog.dynamoo.com/2016/02/malw...emittance.html
16 Feb 2016 - "... This spam is related to this one*. Automated analysis of the samples [1]... plus some private sources indicate download locations for this and other related campaigns today at:
labelleflowers .co.uk/09u8h76f/65fg67n
lepeigneur.power-heberg .com/09u8h76f/65fg67n
yurtdisiegitim .tv/09u8h76f/65fg67n
hg9.free .fr/09u8h76f/65fg67n
jtonimages.perso.sfr .fr/09u8h76f/65fg67n
test.blago .md/09u8h76f/65fg67n
This file has a detection rate of 3/54**. According to those reports, it phones home to:
151.248.117.140 (Reg.ru, Russia)
87.229.86.20 (Znet Telekom, Hungary)
50.56.184.194 (Rackspace, US)
Recommended blocklist:
151.248.117.140
87.229.86.20
50.56.184.194 "
* http://blog.dynamoo.com/2016/02/malw...-accounts.html
1] https://malwr.com/analysis/YmNiY2Q5N...NjODZlYmU0NTA/
91.238.72.69
** https://www.virustotal.com/en/file/f...is/1455625563/
___
Fake 'receipt' SPAM - doc/xls malware
- http://myonlinesecurity.co.uk/receip...sheet-malware/
16 Feb 2016 - "An email with the subject of 'receipt' pretending to come from Accounts <accounts@ aacarpetsandfurniture .co.uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
From: Accounts <accounts@ aacarpetsandfurniture .co.uk>
Date: Tue 16/02/2016 08:22
Subject: receipt
Attachment: CCE06102015_00000.docm
Please find attached receipt
Kind Regards
Christine ...
16 February 2016: CCE06102015_00000.docm - Current Virus total detections 5/54*
.. it will be downloading Dridex probably from -same- locations as today’s other versions (.. waiting for analysis and will update later)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/2...is/1455615125/
- http://blog.dynamoo.com/2016/02/malw...-accounts.html
16 Feb 2016 - "This -fake- financial spam does not come from AA Carpets and Furniture, but is instead a simple -forgery- with a malicious attachment:
From "Accounts" [accounts@ aacarpetsandfurniture .co.uk]
Date Tue, 16 Feb 2016 02:15:52 -0700
Subject receipt
Please find attached receipt
Kind Regards
Christine ...
Attached is a file CCE06102015_00000.docm of which I have only seen a single sample, with a detection rate of 5/54*. Analysis is pending, however this would appear to be the Dridex banking trojan."
* https://www.virustotal.com/en/file/9...is/1455618478/
___
Fake 'Invoice-J' SPAM - malicious attachment
- http://blog.dynamoo.com/2016/02/malw...-06593788.html
16 Feb 2016 - "This -fake- financial spam does not come from Apache Corporation but instead is a simple -forgery- with a malicious attachment.
From: June Rojas [RojasJune95@ myfairpoint .net]
Date: 16 February 2016 at 09:34
Subject: ATTN: Invoice J-06593788
Dear nhardy,
Please see the attached invoice (Microsoft Word Document) and remit payment according to the terms listed at the bottom of the invoice.
Let us know if you have any questions.
We greatly appreciate your business!
June Rojas ...
Other versions of this spam may come from other corporations. In the single sample I have seen there is an attached file invoice_J-06593788.doc ... This Dridex run exhibits a change in behaviour from previous ones. I acquired three samples of the spam run and ran the Hybrid Analysis report on them [1]... and it shows that the macro downloads from one of the following locations:
www .southlife .church/34gf5y/r34f3345g.exe
www .iglobali .com/34gf5y/r34f3345g.exe
www .jesusdenazaret .com.ve/34gf5y/r34f3345g.exe ...
Each one phones home to a -different- location, the ones I have identified are:
109.234.38.35 (McHost.ru, Russia)
86.104.134.144 (One Telecom SRL, Moldova)
195.64.154.14 (Ukrainian Internet Names Center, Ukraine)
That last sample phones home to:
91.195.12.185 (PE Astakhov Pavel Viktorovich, Ukraine)
... according to this Hybrid Analysis*.
Recommended blocklist:
109.234.38.0/24
86.104.134.128/25
195.64.154.14
91.195.12.185 "
1] https://www.hybrid-analysis.com/samp...nvironmentId=4
* https://www.hybrid-analysis.com/samp...nvironmentId=4
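The 15 and 16 Feb posts above give two kinds of indicator: a fixed download path that every Dridex macro that day fetched from (/09u8h76f/65fg67n, later /34gf5y/r34f3345g.exe) and "recommended blocklist" C2 addresses, two of which are CIDR ranges (109.234.38.0/24, 86.104.134.128/25) rather than single hosts. The script below is an added example written for this page, not code from Dynamoo or myonlinesecurity; it runs those indicators over proxy log lines and handles the CIDR entries properly via the ipaddress module, so a callback to 86.104.134.200 matches the /25 while 86.104.134.10 does not. The log line layout and the sample lines are constructed for the example; 192.0.2.10 and 203.0.113.5 are documentation addresses standing in for whatever the download hosts resolved to.

```python
import ipaddress
from urllib.parse import urlparse

# Indicators copied from the 15-16 Feb 2016 posts above: the fixed URL path the
# Dridex macros fetched the loader from, and the "recommended blocklist" C2
# addresses, two of which are CIDR ranges rather than single hosts.
DOWNLOAD_PATHS = {"/09u8h76f/65fg67n", "/34gf5y/r34f3345g.exe"}
BLOCKLIST = [
    "5.45.180.46",
    "151.248.117.140", "87.229.86.20", "50.56.184.194",
    "109.234.38.0/24", "86.104.134.128/25", "195.64.154.14", "91.195.12.185",
]
# ip_network() turns a bare address into a /32, so one list handles both forms.
NETWORKS = [(entry, ipaddress.ip_network(entry, strict=False)) for entry in BLOCKLIST]


def match_blocklist(ip_text):
    """Return the blocklist entry, as written, that covers ip_text, or None."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return None
    for entry, net in NETWORKS:
        if ip in net:
            return entry
    return None


def classify(line):
    """Parse one proxy log line and return (client, dst_ip, url, hits).

    The log format is an assumption made for this example:
        <timestamp> <client_ip> <destination_ip> <method> <url>
    Adjust the split for a real Squid/Bluecoat/Zscaler export.
    """
    parts = line.split()
    if len(parts) < 5:
        return None
    _ts, client, dst_ip, _method, url = parts[:5]
    hits = []
    if urlparse(url).path in DOWNLOAD_PATHS:
        hits.append("dridex-download-path")
    entry = match_blocklist(dst_ip)
    if entry is not None:
        hits.append("c2-blocklist:" + entry)
    return client, dst_ip, url, hits


def triage(lines):
    """Return only the parsed lines that matched at least one indicator."""
    results = []
    for line in lines:
        parsed = classify(line)
        if parsed and parsed[3]:
            results.append(parsed)
    return results


# Constructed sample log (not real traffic). 192.0.2.10 and 203.0.113.5 are
# documentation addresses standing in for whatever the download hosts resolved to.
SAMPLE_LOG = """\
2016-02-16T09:01:12Z 10.0.0.21 192.0.2.10 GET http://labelleflowers.co.uk/09u8h76f/65fg67n
2016-02-16T09:01:40Z 10.0.0.21 109.234.38.35 POST http://109.234.38.35/
2016-02-16T09:02:05Z 10.0.0.33 86.104.134.200 POST http://86.104.134.200/
2016-02-16T09:02:30Z 10.0.0.33 86.104.134.10 GET http://86.104.134.10/
2016-02-16T09:03:00Z 10.0.0.40 203.0.113.5 GET http://www.example.com/index.html
"""

if __name__ == "__main__":
    for client, dst_ip, url, hits in triage(SAMPLE_LOG.splitlines()):
        print(client, dst_ip, url, ",".join(hits))
```

The download-path match is the higher-confidence signal of the two: the path was constant across every compromised host that day, whereas the C2 addresses are hosting-provider IPs that get reassigned, so a blocklist hit weeks later needs checking against the provider's current allocation before anyone is paged.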
-
Fake 'random invoices', 'Updated Invoice' SPAM, Locky ransomware (multiple entries)
FYI...
Fake 'random invoices' SPAM - doc/xls malware
- http://myonlinesecurity.co.uk/random...sheet-malware/
17 Feb 2016 - "... 2 concurrent runs of malspam this morning both with similar email subjects about -invoices- pretending to come from random companies with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The 1st email looks like:
From: Daniel Barnett <tmdana@ bezeqint .net>
Date: Wed 17/02/2016 05:50
Subject: Fw:Vel Faucibus Institute Last Invoice
Attachment: AKDYH0NQ.doc (versions vary in size between 230kb and 245kb)
Hi
Please review the invoice in attachment. To eliminate penalty you need to pay within 48 hours.
Best regards
Daniel Barnett
Vel Faucibus Institute
The 2nd email where the attachment name matches the subject looks like:
From: Rosie Shannon <ShannonRosie30676@ association-freudienne .be>
Date: Wed 17/02/2016 06:56
Subject: Invoice 2016-71041044 ( random numbers)
Attachment: SCAN_INVOICE_2016_71041044.doc ( 46kb)
Hi rob,
Here’s invoice 2016-71041044 for 93,79 USD for last weeks delivery.
The amount outstanding of 400,72 USD is due on 23 Feb 2016.
If you have any questions, please let us know.
Thanks,
Rosie Shannon ...
17 February 2016: AKDYH0NQ.doc - Current Virus total detections 2/55*. Waiting for analysis.
17 February 2016: SCAN_INVOICE_2016_71041044.doc - Current Virus total detections 2/54**
No conclusive result from MALWR... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/6...is/1455698505/
** https://www.virustotal.com/en/file/b...is/1455695702/
___
Fake 'Updated Invoice' SPAM - malicious attachment
- http://blog.dynamoo.com/2016/02/malw...neque-llc.html
17 Feb 2016 - "This malware spam may come from several different companies, but I have only a single sample. It is notable for the -mis-spelling- of "Macros" as "Macroses" in the document.
From: Fletcher Oliver [angel@ jiahuan .com.tw]
Date: 17 February 2016 at 06:23
Subject: Fwd:Accumsan Neque LLC Updated Invoice
Good morning
Please check the bill in attachment. In order to avoid fine you have to pay in 12 hours.
Best regards
Fletcher Oliver
Accumsan Neque LLC
Attached is a document Q7FX9ZH.doc with the distinctive text: Attention! To view this document, please turn on the Edit mode and Macroses!
> https://2.bp.blogspot.com/-DoSFYG0qR...0/macroses.png
Needless to say, enabling Edit mode and Macroses is a Very-Bad-Idea. The VirusTotal detection rate for this file is just 2/54*. Hybrid Analysis [1] [2] shows that the macro first downloads from:
www .design-i-do .com/mgs.jpg?OOUxs4smZLQtUBK=54
This looks to be an unremarkable JPEG file..
> https://2.bp.blogspot.com/-vubE5GhCX.../s1600/mgs.jpg
(Note that I have munged the JPEG slightly to stop virus scanners triggering). As far as I can tell, the JPEG actually contains data that is decrypted by the macro (a technique called steganography). A malicious VBS is created... and a malicious EXE file is dropped with a VirusTotal result of 7/54**.
Automated analysis of the dropped binary [3] [4] shows that it phones home to:
216.59.16.25 (Immedion LLC, US / VirtuaServer Informica Ltda, Brazil)
I strongly recommend that you -block- traffic to that IP. Payload is uncertain, but possibly the Dridex banking trojan."
* https://www.virustotal.com/en/file/1...is/1455699463/
1] https://www.hybrid-analysis.com/samp...nvironmentId=1
2] https://www.hybrid-analysis.com/samp...nvironmentId=4
** https://www.virustotal.com/en/file/1...is/1455701128/
TCP connections
216.59.16.25
72.247.177.174
3] https://www.hybrid-analysis.com/samp...nvironmentId=1
4] https://malwr.com/analysis/ZjE0MjJhZ...Q4NTZjM2QwNTI/
216.59.16.25
8.254.249.78
___
Fake bilingual SPAM - Locky ransomware
- http://blog.dynamoo.com/2016/02/malw...016-11365.html
17 Feb 2016 - "This -bilingual- spam does not come from mpsmobile but is instead a simple -forgery- with a malicious attachment.
... (English version)
Dear Ladies and Gentlemen,
please find attached document 'Rechnung 2016-11365' im DOC-Format. To view and print these forms, you need the DOC Reader, which can be downloaded on the Internet free of charge.
Best regards
mpsmobile GmbH...
In the sample I saw, the attachment was named 19875_Rechnung_2016-11365_20160215.docm and has a VirusTotal detection rate of 5/54*. According to this Malwr report** the binary attempts to download the Locky ransomware (seemingly a product of those behind the Dridex banking trojan). It attempts to download a binary from:
feestineendoos .nl/system/logs/7623dh3f.exe?.7055475
This dropped file has a detection rate of 3/53***. Analysis of the file is pending, but overall this has been made more complicated because the Locky installer calls out to a number of domains, many of which actually appear to have been sinkholed. Machines infected with Locky will display a message similar to this:
> https://4.bp.blogspot.com/-8Mkzv8eXC...structions.png
Unfortunately, the only known way to recover from this is to -restore- files from offline -backup- once the infection has been removed from the PC.
UPDATE: Another version plopped into my inbox, VT 7/54[4] and according to this Malwr report[5], it downloads from:
nadeenk .sa/system/logs/7623dh3f.exe?.7055475
This variant POSTs to a server at:
46.4.239.76 (Myidealhost .com / Hetzner, Germany)
It is likely that the C2 server (identified in the previous report) is:
85.25.149.246 (PlusServer AG, Germany)
Recommended blocklist:
85.25.149.246
46.4.239.76 "
* https://www.virustotal.com/en/file/8...is/1455715572/
** https://malwr.com/analysis/NzAwNmQwN...ZlOWY0NDg1M2Q/
Hosts
195.20.11.76: https://www.virustotal.com/en/ip-add...6/information/
195.22.28.197: https://www.virustotal.com/en/ip-add...7/information/
195.22.28.222: https://www.virustotal.com/en/ip-add...2/information/
104.238.173.18: https://www.virustotal.com/en/ip-add...8/information/
69.195.129.70: https://www.virustotal.com/en/ip-add...0/information/
85.25.149.246: https://www.virustotal.com/en/ip-add...6/information/
*** https://www.virustotal.com/en/file/0...is/1455716319/
4] https://www.virustotal.com/en/file/7...is/1455717484/
5] https://malwr.com/analysis/NTMxZWM2M...U0MDEzMzgyMjM/
Hosts
185.79.250.2: https://www.virustotal.com/en/ip-add...2/information/
46.4.239.76: https://www.virustotal.com/en/ip-add...6/information/
85.25.149.246: https://www.virustotal.com/en/ip-add...6/information/
>> https://www.virustotal.com/en/file/0...1301/analysis/
46.4.239.76: https://www.virustotal.com/en/ip-add...6/information/
>> https://www.virustotal.com/en/url/8a...d20c/analysis/
___
Fake 'tracking documents' SPAM - Locky Ransomware
- http://myonlinesecurity.co.uk/tracki...ky-ransomware/
17 Feb 2016 - "An email with the subject of 'tracking documents' pretending to come from cmsharpscan3175@ gmail .com <cmsharpscan6395@ gmail .com> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
From: cmsharpscan3175@ gmail .com <cmsharpscan6395@ gmail .com>
Date: Wed 17/02/2016 12:39
Subject: tracking documents
Attachment: cmsharpscan@ gmail .com_20160217_132046.docm
Reply to: cmsharpscan@ gmail .com <cmsharpscan@ gmail .com>
Device Name: Not Set
Device Model: MX-2640N
Location: Not Set
File Format: DOC (Medium)
Resolution: 200dpi x 200dpi
Attached file is scanned image in DOC format.
17 February 2016: cmsharpscan@ gmail .com_20160217_132046.docm - Current Virus total detections 5/54*
MALWR** shows us connections to several sites where Locky ransomware is delivered and info sent back. http ://olvikt.freedomain.thehost .com.ua/admin/js/7623dh3f.exe (VirusTotal 2/54***)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/3...is/1455716522/
** https://malwr.com/analysis/NDgwZGEwZ...M2MjIyYzIxNGU/
176.114.0.200: https://www.virustotal.com/en/ip-add...0/information/
69.195.129.70: https://www.virustotal.com/en/ip-add...0/information/
85.25.149.246: https://www.virustotal.com/en/ip-add...6/information/
*** https://www.virustotal.com/en/file/0...is/1455717353/
TCP connections
195.22.28.196: https://www.virustotal.com/en/ip-add...6/information/
195.22.28.222: https://www.virustotal.com/en/ip-add...2/information/
195.22.28.198: https://www.virustotal.com/en/ip-add...8/information/
185.26.105.244: https://www.virustotal.com/en/ip-add...4/information/
69.195.129.70: https://www.virustotal.com/en/ip-add...0/information/
85.25.149.246: https://www.virustotal.com/en/ip-add...6/information/
- http://blog.dynamoo.com/2016/02/malw...documents.html
17 Feb 2016 - "This -fake- document scan spam has a malicious attachment:
From: cmsharpscan3589@ gmail .com
Date: 17 February 2016 at 14:32
Subject: tracking documents
Reply to: cmsharpscan@ gmail .com [cmsharpscan@ gmail .com]
Device Name: Not Set
Device Model: MX-2640N
Location: Not Set
File Format: DOC (Medium)
Resolution: 200dpi x 200dpi
Attached file is scanned image in DOC format.
I have only seen a single sample of this with an attachment cmsharpscan@ gmail .com_20160217_132046.docm which has a VirusTotal detection rate of 7/54*. According to the Malwr analysis** of the document, the payload is the Locky ransomware and is -identical- to the earlier attack described here***."
* https://www.virustotal.com/en/file/9...is/1455720732/
** https://malwr.com/analysis/MWJlNWEzZ...NiZDBiNDcyYmM/
Hosts
185.79.250.2: https://www.virustotal.com/en/ip-add...2/information/
195.22.28.197: https://www.virustotal.com/en/ip-add...7/information/
195.22.28.222: https://www.virustotal.com/en/ip-add...2/information/
195.22.28.198: https://www.virustotal.com/en/ip-add...8/information/
104.238.173.18: https://www.virustotal.com/en/ip-add...8/information/
69.195.129.70: https://www.virustotal.com/en/ip-add...0/information/
85.25.149.246: https://www.virustotal.com/en/ip-add...6/information/
*** http://blog.dynamoo.com/2016/02/malw...016-11365.html
___
Dridex botnet - now also spreading ransomware
- https://www.helpnetsecurity.com/2016...ng-ransomware/
Feb 17, 2016 - "... the botnet is segregated into a number of subnets, each likely operated by a different team of attackers, and they continue to mount campaigns that will swell the number of infected machines and to exploit the stolen banking information:
> https://www.helpnetsecurity.com/imag...net-dridex.jpg
... it's likely that, barring a comprehensive takedown, the group(s) behind the botnet will continue to pose a threat throughout 2016... one of the subnets – 220 – seems to have temporarily switched to sending out spam email delivering the Bartallex downloader, which then downloads the Locky crypto ransomware. Palo Alto Networks researchers* suspect “there is a link between the Dridex botnet affiliate 220 and Locky due to similar styles of distribution, overlapping filenames, and an absence of campaigns from this particularly aggressive affiliate coinciding with the initial emergence of Locky.” Spamming campaigns aimed at delivering the Dridex banking Trojan are many and massive – many -millions- of emails are sent out per day... The criminals mainly target English-speaking regions. Dridex is capable of stealing banking details of customers of nearly -300- financial institutions in wealthy countries, mostly the US, European and several Asia-Pacific countries."
* http://researchcenter.paloaltonetwor...-distribution/
Feb 16, 2016 - "... We observed approximately 446,000 sessions for this threat, over half of which targeted the United States (54%). For comparison, the next most impacted countries, Canada and Australia, only accounted for another nine percent combined:
> http://researchcenter.paloaltonetwor...y3-500x374.png
Industry analysis for targeting reveals expected indiscriminate distribution within impacted countries; however, Higher Education, Wholesale and Retail, and Manufacturing make up over a third of observed targeting... Defending against ransomware first requires a focus on the basics of a strong security posture: security awareness and the hardening and patching of systems... To further reduce associated risks, layered preventive controls are a must..."
___
WordPress Compromise Campaign - Nuclear EK to Angler EK
- https://blog.malwarebytes.org/exploi...-to-angler-ek/
Feb 17, 2016 - "A couple of weeks ago we blogged about an attack against WordPress-sites initially discovered by Denis Sinegubko over at Sucuri. The campaign is still going on but quickly evolved, as reported by DeepEnd Research*, with a change in its URL pattern from “/admedia/” to “/megaadvertize/”. According to our honeypot data, this change happened around Feb. 4th and has been active ever since. Besides some pattern changes in the URL, the redirection mechanism is different from the initial campaign as well as its payload. Indeed the Admedia campaign was pushing the Nuclear exploit kit whereas this one is delivering Angler... Compromised WordPress sites are injected with a malicious blurb which is appended to -all- JavaScript files. The blurb is obfuscated -twice- before it can be human readable and reveal that its purpose is to silently load an external-malicious-URL. This URL, which bears the “MegaAdvertize” trademark, performs a fingerprint of the visitor’s machine before proceeding any further. Only people running the Internet-Explorer-browser and using a screen resolution -greater- than 800×600 (honeypot evasion) are the intended target... The payload dropped in this particular instance is TeslaCrypt. We tested this attack without Anti-Exploit to allow the malware to be downloaded... We will continue to monitor this malware campaign as we expect it to evolve again..."
* http://www.deependresearch.org/2016/...ated-with.html
___
HP Enterprise identifies top risks for businesses
- http://www.securitynewsdesk.com/hewl...inesses-today/
Feb 17, 2016
> http://www.theinquirer.net/inquirer/...prise-security
Feb 17, 2016
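The 'Updated Invoice' write-up above says the macro first fetches what looks like an ordinary JPEG (mgs.jpg) and that, "as far as I can tell", the image carries data the macro decrypts. That is the claim a responder would want to check on the actual file rather than take on trust. The script below is an added example for this page, not code from Dynamoo's post, and it does only the cheap structural check: it walks the JPEG marker segments, reports any bytes sitting after the EOI marker, and flags COM/APPn segments far larger than metadata normally needs. Where the campaign really hid its data is not stated on the page; a payload placed in the entropy-coded image data itself would pass this check, so a clean result here does not clear the file. The sample JPEG is constructed by the script and is not mgs.jpg.

```python
import struct

SOI, EOI, SOS, COM = 0xD8, 0xD9, 0xDA, 0xFE
# Markers that carry no length field: TEM and the restart markers RST0-RST7.
STANDALONE = {0x01, *range(0xD0, 0xD8)}
# Inside entropy-coded data a stuffed 0xFF00 and RSTn are not segment boundaries.
IN_SCAN = {0x00, *range(0xD0, 0xD8)}


def parse_jpeg(data):
    """Walk the marker segments of a JPEG.

    Returns (segments, end): segments is a list of (marker, offset, size)
    tuples and end is the offset just past the EOI marker, or None if the
    file never reaches EOI. Raises ValueError on structurally broken input.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    segments = [(SOI, 0, 2)]
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected a marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xFF:            # fill byte, legal before any marker
            pos += 1
            continue
        if marker == EOI:
            segments.append((EOI, pos, 2))
            return segments, pos + 2
        if marker in STANDALONE:
            segments.append((marker, pos, 2))
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment header at offset %d" % pos)
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        segments.append((marker, pos, 2 + length))
        pos += 2 + length
        if marker == SOS:
            # Entropy-coded data follows with no length field: advance to the
            # next marker that is neither a stuffed 0xFF00 nor an RSTn.
            while pos + 1 < len(data):
                if data[pos] == 0xFF and data[pos + 1] not in IN_SCAN:
                    break
                pos += 1
    return segments, None


def triage_jpeg(data, max_segment=16384):
    """Report structural signs of a payload carrier: bytes after EOI, and
    COM/APPn segments larger than max_segment (a threshold chosen for this
    example; legitimate EXIF/ICC blocks can exceed it, so treat hits as leads)."""
    segments, end = parse_jpeg(data)
    large = [(hex(m), off, size) for m, off, size in segments
             if (m == COM or 0xE0 <= m <= 0xEF) and size > max_segment]
    return {
        "segment_count": len(segments),
        "reached_eoi": end is not None,
        "trailing_bytes": len(data) - end if end is not None else 0,
        "trailing_preview": data[end:end + 8] if end is not None else b"",
        "large_segments": large,
    }


def build_sample(appended=b"", comment=b"constructed sample"):
    """Build a minimal, structurally valid JPEG for testing. Constructed here;
    it is not the campaign's mgs.jpg and does not decode to a real picture."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    com = b"\xff\xfe" + struct.pack(">H", 2 + len(comment)) + comment
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\xff\x00\x56"        # includes one stuffed 0xFF00 pair
    return b"\xff\xd8" + app0 + com + sos + scan + b"\xff\xd9" + appended


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    blob = open(path, "rb").read() if path else build_sample(b"MZ" + b"\x90" * 100)
    print(triage_jpeg(blob))
```

Run it against a suspect image with `python3 jpeg_triage.py mgs.jpg`. A non-zero trailing_bytes count with a preview starting in MZ or a high-entropy blob is the quick win; the lead-in's caveat stands for everything else, and the next step is to pull the macro and see what offsets it actually reads.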
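The Malwarebytes item above describes the WordPress compromise by its one reliable trait: the same obfuscated blurb is appended to all JavaScript files on the site. The exact blurb is not reproduced on the page, so a signature is not possible from here, but the trait itself is detectable. The scanner below is an added example for this page, not Malwarebytes' or Sucuri's tooling; it groups .js files by their final line and reports any line that is long enough to be code and shared by two or more files, then notes common obfuscation markers in it. The sample site and the injected line are constructed for the example and are not the campaign's code. The definitive check remains a diff against pristine copies of WordPress core, theme and plugin files.

```python
import os
from collections import defaultdict

# Strings that commonly appear in obfuscated injected JavaScript; a hit is a
# prompt for a human to look, not a verdict.
OBFUSCATION_MARKERS = ("eval(", "unescape(", "String.fromCharCode", "atob(",
                       "document.write(", "\\x")
MIN_BLURB_LEN = 40   # chosen for this example; shorter tails are rarely code


def trailing_block(text):
    """Return the last non-empty line of a file, which is where a one-line
    blurb appended to the file ends up."""
    stripped = text.rstrip()
    return stripped.rsplit("\n", 1)[-1].strip()


def find_shared_tails(files, min_files=2):
    """files: mapping of path -> file contents.

    Group files by their trailing line and report every tail that is long
    enough to be code and is shared by at least min_files files. Returns a
    list of dicts, most widespread tail first.
    """
    groups = defaultdict(list)
    for path, text in files.items():
        tail = trailing_block(text)
        if len(tail) >= MIN_BLURB_LEN:
            groups[tail].append(path)
    findings = []
    for tail, paths in groups.items():
        if len(paths) < min_files:
            continue
        markers = [m for m in OBFUSCATION_MARKERS if m in tail]
        findings.append({"files": sorted(paths), "markers": markers,
                         "tail": tail[:120]})
    findings.sort(key=lambda f: (-len(f["files"]), f["tail"]))
    return findings


def scan_tree(root):
    """Read every .js file under root and run find_shared_tails over them."""
    files = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if name.endswith(".js"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    files[path] = fh.read()
    return find_shared_tails(files)


# Constructed sample site: two files carry an appended obfuscated line, one is
# clean. The appended line is made up for this example, not the campaign's code.
INJECTED = ('var _0x4e2a=["\\x73\\x63\\x72\\x69\\x70\\x74"];'
            'eval(unescape("%76%61%72%20%73%3D"));')
SAMPLE_SITE = {
    "wp-includes/js/jquery/jquery.js": "/*! jQuery */\nfunction $(){}\n" + INJECTED + "\n",
    "wp-content/themes/x/app.js": "window.app = {};\n" + INJECTED + "\n",
    "wp-content/plugins/y/y.js": "(function(){ console.log('ok'); })();\n",
}

if __name__ == "__main__":
    import sys
    results = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else find_shared_tails(SAMPLE_SITE)
    for f in results:
        print(len(f["files"]), "files share:", f["tail"], "markers:", f["markers"])
```

Point `scan_tree` at the document root (`python3 js_tails.py /var/www/html`). Minified libraries that legitimately end in an identical licence line will also group, which is why the output carries the marker list rather than a verdict; the campaign's blurb loads an external URL after fingerprinting for Internet Explorer and a screen larger than 800x600, so a de-obfuscated tail that reads screen.width or navigator.userAgent before building a URL is the confirming detail.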
-
Fake 'Invoice', 'Payment' SPAM, Locky ransomware
FYI...
Fake 'Invoice' SPAM - Locky ransomware
- http://blog.dynamoo.com/2016/02/malw...-20161802.html
18 Feb 2016 - "This -fake- financial spam spoofs different senders and different companies, with a different reference number in each.
From: Devon Vincent
Date: 18 February 2016 at 08:14
Subject: Copy of Invoice 20161802-99813731
Dear [redacted],
Please find attached Invoice 20161802-99813731 for your attention.
For Pricing or other general enquiries please contact your local Sales Team.
Yours Faithfully,
Devon Vincent
Tenet Healthcare Corporation ...
=================
From: Elvia Saunders
Date: 18 February 2016 at 09:19
Subject: Copy of Invoice 20161802-48538491
Dear [redacted],
Please find attached Invoice 20161802-48538491 for your attention.
For Pricing or other general enquiries please contact your local Sales Team.
Yours Faithfully,
Elvia Saunders
The PNC Financial Services Group, Inc. ...
I have seen two variants of the document (VirusTotal [1] [2]). Analysis of the documents is pending, however it is likely to be the Dridex banking trojan.
UPDATE 1: There is a second variant of the spam with essentially the same (undefined) payload:
From: Heather Ewing
Date: 18 February 2016 at 08:41
Subject: Invoice
Dear Sir/Madam,
I trust this email finds you well,
Please see attached file regarding clients recent bill. Should you need further assistances lease feel free to email us.
Best Regards,
Heather Ewing
The Bank of New York Mellon Corporation ...
In this case the attachment was named Invoice51633050.doc - automated analysis is inconclusive. An examination of the XML attachment... indicates that it may be malformed.
UPDATE 2: A contact (thank you) analysed one of the samples and found that the document downloaded an executable from:
killerjeff.free .fr/2/2.exe
According to this Malwr report* this is the Locky ransomware, and it phones home to:
95.181.171.58 (QWARTA LLC, Russia)
69.195.129.70 (Joes Data Center, US)
I suspect that the second one may be a sinkhole, but there should be no problem if you block:
95.181.171.58
69.195.129.70
UPDATE 5: ... Malwr reports on all the available samples... various versions of Locky seem to call back to:
95.181.171.58 (QWARTA LLC, Russia)
31.41.47.37 (Relink Ltd, Russia)
185.14.30.97 (ITL, Ukraine / Serverius, Netherlands)
69.195.129.70 (Joes Datacenter, US)
I have omitted what appear to be obvious sinkholes.
Recommended blocklist:
95.181.171.58
31.41.47.37
185.14.30.97
69.195.129.70 "
1] https://www.virustotal.com/en/file/6...is/1455787094/
2] https://www.virustotal.com/en/file/c...is/1455787228/
* https://malwr.com/analysis/MGYxNTQ3Z...ljZmZlNWVjMDI/
Hosts
69.195.129.70
95.181.171.58
- http://myonlinesecurity.co.uk/mtc-ho...sheet-malware/
18 Feb 2016 - "A German language email with the subject of 'Per E-Mail senden: Rechnung-54-110090.xls (random numbers)' pretending to come from MTC Hof – MTC GmbH <mtc-hof@ mtc-handy .de> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
From: MTC Hof – MTC GmbH <mtc-hof@mtc-handy.de>
Date:
Subject: Per E-Mail senden: Rechnung-54-110090.xls
Attachment: Rechnung-54-110090.xls
Body content: Totally blank
18 February 2016: Rechnung-54-110090.xls - Current Virus total detections 7/55*
So far automatic analysis is inconclusive... the -same- that Dynamoo describes** about today’s slightly earlier run of random invoice malspam..."
* https://www.virustotal.com/en/file/5...is/1455790340/
** http://blog.dynamoo.com/2016/02/malw...-20161802.html
___
Fake 'Payment' SPAM - Locky ransomware
- http://blog.dynamoo.com/2016/02/malw...ce-cottle.html
18 Feb 2016 - "This very widespread spam run comes with a malicious attachment which drops the Locky ransomware. Note that the email address has a random number appended to it:
From: Laurence Cottle [lcottle60@ gmail .com]
Date: 18 February 2016 at 13:35
Subject: Payment
Hi
Any chance of getting this invoice paid, please?
Many thanks
Laurence
Attached is a file unnamed document.docm which comes in several different versions. Third-party analysis (thank you!) reveals that there are download locations at:
acilkiyafetgulertekstil .com/system/logs/7647gd7b43f43.exe
alkofuror .com/system/engine/7647gd7b43f43.exe
merichome .com/system/logs/7647gd7b43f43.exe
organichorsesupplements .co.uk/system/logs/7647gd7b43f43.exe
shop.zoomyoo .com/image/templates/7647gd7b43f43.exe
tutikutyu .hu/system/logs/7647gd7b43f43.exe
vipkalyan .com.ua/system/logs/7647gd7b43f43.exe
This dropped a malicious binary with a detection rate of 3/55*, since updated to one with a detection rate of 4/55**... The malware phones home to:
195.154.241.208 /main.php
46.4.239.76 /main.php
94.242.57.45 /main.php
kqlxtqptsmys .in/main.php
cgavqeodnop .it/main.php
pvwinlrmwvccuo .eu/main.php
dltvwp .it/main.php
uxvvm .us/main.php
wblejsfob .pw/main.php
Out of those, the most suspect IPs are:
195.154.241.208 (Iliad / Online S.A.S., FR)
46.4.239.76 (myidealhost.com / Hetzner, DE)
94.242.57.45 (Vstoike.com / Fishnet Communications, RU)
69.195.129.70 (Joes Datacenter LLC, US)
Recommended blocklist:
195.154.241.208
46.4.239.76
94.242.57.45
69.195.129.70 "
* https://www.virustotal.com/en/file/5...acc0/analysis/
** https://www.virustotal.com/en/file/3...16f3/analysis/
-
Fake 'Invoice FEB', 'Rechnung', 'Our Order' SPAM - Locky ransomware, IRS phish/fraud
FYI...
Released today - Good read:
Banking Botnets: The Battle Continues
- https://www.secureworks.com/research...ttle-continues
19 Feb 2016
___
Fake 'Invoice FEB' SPAM - Locky ransomware
- http://myonlinesecurity.co.uk/invoic...sheet-malware/
19 Feb 2016 - "An email with the subject of 'Invoice FEB-51829253 (random numbers)' pretending to come from random names and email addresses with a malicious word doc attachment is another one from the current bot runs... The email looks like:
From: Tracy Osborn <OsbornTracy63422@ thehottomato .com>
Date: Fri 19/02/2016 12:05
Subject: Invoice FEB-51829253
Attachment: invoice_feb-79754078.doc
Good morning,
Please see the attached invoice and remit payment according to the terms listed at the bottom of the invoice.
If you have any questions please let us know.
Thank you!
Tracy Osborn
Accounting Specialist
19 February 2016: invoice_feb-79754078.doc - Current Virus total detections 3/56*
MALWR** shows a download from http ://www .proteusnet .it/6/6.exe (VirusTotal 8/55***) which is Locky ransomware created and distributed by the Dridex gangs... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/a...is/1455888998/
** https://malwr.com/analysis/MzM5MmUxM...k2ZjdlNzEwZGQ/
Hosts
217.72.102.113
85.25.138.187
*** https://www.virustotal.com/en/file/0...is/1455889149/
- http://blog.dynamoo.com/2016/02/malw...6789-from.html
19 Feb 2016 - "This -fake- financial spam comes from random senders, the attachment is malicious and drops the Locky ransomware:
From: Kenya Becker
Date: 19 February 2016 at 11:59
Subject: Invoice FEB-92031923
Good morning,
Please see the attached invoice and remit payment according to the terms listed at the bottom of the invoice.
If you have any questions please let us know.
Thank you!
Kenya Becker
Accounting Specialist ...
Attached is a file with a semirandom name similar to invoice_feb-92031923.doc (Sample VirusTotal report 2/55*) which contains an XML (file)... Malwr analysis of these samples [1] [2] shows it downloading a malicious executable from:
ratgeber-beziehung .de/5/5.exe
www .proteusnet .it/6/6.exe
If recent patterns are followed, there will be several different download locations with -different- versions of the file at each... The binaries have a detection rates of 7/55** and 6/54***... Malwr reports [3]... indicate that it phones home to:
85.25.138.187 (PlusServer AG, Germany)
31.41.47.3 (Relink Ltd, Russia)
Other samples are being analysed, but in the meantime I recommend that you -block- traffic to:
85.25.138.187
31.41.47.3 ...
UPDATE 1: Some additional download locations from these Malwr reports [3]...:
ecoledecorroy .be/1/1.exe
animar .net.pl/3/3.exe
luigicalabrese .it/7/7.exe ...
UPDATE 2: Two other locations are revealed in these Malwr reports [4] [5]:
http ://lasmak .pl/2/2.exe
http ://suicast .de/4/4.exe "
* https://www.virustotal.com/en/file/c...is/1455887101/
1] https://malwr.com/analysis/YTcyNmZmN...c3ZWQ1MzVlZjQ/
Hosts
217.72.102.113
31.41.47.37
2] https://malwr.com/analysis/YTEwMGI3Z...dhZTM4NjFkMmI/
Hosts
109.237.140.6
85.25.138.187
** https://www.virustotal.com/en/file/0...is/1455887497/
*** https://www.virustotal.com/en/file/2...is/1455888443/
3] https://malwr.com/analysis/YjY4MDBjN...YzYzk3MWRmZDE/
Hosts
46.252.153.77
85.25.138.187
4] https://malwr.com/analysis/Nzk5ODdmZ...g3OWFjM2E5MGE/
Hosts
212.69.64.100
31.41.47.37
5] https://malwr.com/analysis/YmEyYzM1Y...JhYzZmNjY4NGU/
Hosts
46.30.212.56
85.25.138.187
___
Fake 'Unpaid Invoice' SPAM - Locky ransomware
- http://blog.dynamoo.com/2016/02/malw...50-credit.html
19 Feb 2016 - "This -fake- financial spam does not come from Thistle Removals but is instead a simple -forgery- with a malicious attachment.
From credit control [invoices@ thistleremovals .co.uk]
Date Fri, 19 Feb 2016 17:52:49 +0200
Subject Unpaid Invoice #350
Message text
Please see attached letter and a copy of the original invoice.
Attached is a file with a semi-random-name, e.g. RG026052317614-SIG.zip which contains a malicious script. This script then downloads an executable from the -same- locations as found here*, dropping a malicious executable with a detection rate of 10/55** (changed from earlier today). Third party analysis (thank you) indicates that this then phones home to the following locations:
91.121.97.170 /main.php (OVH, France)
46.4.239.76 /main.php (Dmitry Melnik, Ukraine / Myidealhost.com aka Hetzner, Germany)
31.184.233.106 /main.php (Virty.io, Russia)
The payload is the Locky ransomware.
Recommended blocklist:
91.121.97.170
46.4.239.64/27
31.184.233.106 "
* http://blog.dynamoo.com/2016/02/malw...r-2016131.html
** https://www.virustotal.com/en/file/e...15fd/analysis/
___
Fake 'Rechnung Nr. 2016_131' SPAM - Locky ransomware
- http://blog.dynamoo.com/2016/02/malw...r-2016131.html
19 Feb 2016 - "This German language spam does not come from LFW Ludwigsluster but is instead a simple -forgery- with a malicious attachment. The sender's email address is somewhat randomised, as is the name of the attachment.
From: fueldner1A0@ lfw-ludwigslust .de
Date: 19 February 2016 at 09:10
Subject: Rechnung Nr. 2016_131
Dear Sir or Madam,
please also correct the addressee on the invoice in the attachment:
LFW Ludwigsluster Fleisch- und Wurstspezialitäten
GmbH & Co.KG
Thank you very much!
Kind regards
Anke Füldner ...
Attached is a file with a format similar to RG460634280127-SIG.zip which contains a malicious javascript in the format RG6459762168-SIG.js or similar. At the moment, I have seen two samples, both with -zero- detection rates at VirusTotal [1] [2]. Malwr analysis* of one of the samples shows that a binary is downloaded from:
mondero .ru/system/logs/56y4g45gh45h
Other samples probably have different download locations. This executable has a detection rate of 7/53** and it appears to drop another executable with a relatively high detection rate of 26/55***. Both the VirusTotal and Malwr reports indicate that this is the Locky ransomware from the people who usually push Dridex.
The malware phones home to:
46.4.239.76 (Dmitry Melnik, Ukraine / Myidealhost.com aka Hetzner, Germany)
But in fact the entire 46.4.239.64/27 range looks pretty bad and I recommend that you -block- it...
UPDATE: An additional analysis from a trusted source (thank you). Download locations are:
mondero .ru/system/logs/56y4g45gh45h
tcpos .com .vn/system/logs/56y4g45gh45h
www .bag-online .com/system/logs/56y4g45gh45h
The malware phones home to:
46.4.239.76 /main.php
94.242.57.45 /main.php
wblejsfob .pw/main.php
kqlxtqptsmys .in/main.php
cgavqeodnop .it/main.php
pvwinlrmwvccuo .eu/main.php
dltvwp .it/main.php
uxvvm .us/main.php
The active C2s (some may be sinkholes) appear to be:
46.4.239.76 (Dmitry Melnik, Ukraine / Myidealhost.com aka Hetzner, Germany)
94.242.57.45 (vstoike.com / Fishnet Communications, Russia)
185.46.11.239 (Agava Ltd, Russia)
69.195.129.70 (Joes Datacenter, US)
Analysis of those C2 locations gives a recommended blocklist of:
46.4.239.64/27
94.242.57.45
185.46.11.239
69.195.129.70 "
1] https://www.virustotal.com/en/file/9...is/1455877852/
2] https://www.virustotal.com/en/file/1...is/1455877999/
* https://malwr.com/analysis/M2VjNDQ0Y...kyMzdlZGU5ZDI/
** https://www.virustotal.com/en/file/7...is/1455878753/
*** https://www.virustotal.com/en/file/2...is/1455878570/
> http://myonlinesecurity.co.uk/rechnu...de-js-malware/
19 Feb 2016
"... Screenshot: http://myonlinesecurity.co.uk/wp-con...1-1024x775.png
... it is likely to be either Dridex banking malware or the new Locky ransomware which uses the Dridex delivery network. This is another one of the spoofed icon files that unless you have “show known file extensions” enabled, will look like a DOC file instead of the .exe/JS file it really is, making it much more likely for you to accidentally open it and be infected..."
___
Fake 'Our new Order' SPAM - PDF malware
- http://myonlinesecurity.co.uk/our-ne...e-pdf-malware/
19 Feb 2016 - "An email with the subject of 'Our new Order' pretending to come from Benalin CO LTD <jkt-genmbox@ benline .co.id> with an executable file that is named to look like a PDF file attachment is another one from the current bot runs... The email looks like:
From: Benalin CO LTD <jkt-genmbox@benline .co.id>
Date: Fri 19/02/2016 09:30
Subject: Our new Order
Attachment: PO_160136_pdf
Dear Customer,
Find attached our purchase order. Kindly quote us best price and send us proforma invoice asap, so that we can proceed with the necessary payment,We need this Order urgently. kindly confirm the PO and send PI asap.
thank you.
Graha Paramita Building 12th Floor
Jalan Denpasar Raya Blok D-2
Kav.8, Kuningan
Jakarta 12940, Indonesia ...
25 February 2016: PO_160136_pdf - Current Virus total detections 7/55*. MALWR**
This is another one of the spoofed icon files that unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .exe file it really is, making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/3...is/1455874178/
** https://malwr.com/analysis/YWFkNGU0N...NjMTI2NTY2OTE/
___
Phishy Accountant... doesn’t Add Up
- https://blog.malwarebytes.org/phishi...doesnt-add-up/
Feb 19, 2016 - "We’ve recently come across a -phish- aimed at people working in / related to accounting firms, sent from a -compromised- accountant’s email address leading to a -fake- Google Docs page. The email reads as follows:
> https://blog.malwarebytes.org/wp-con...ntantspam1.jpg
'Subject Important - For your review
Hello, I've shared some files with you on Google Drive.
Please, click on the E-Document to download the file.
Best regards
The -bogus- link would take potential victims to:
espaciovitalhn(dot)com/cpa/
> https://blog.malwarebytes.org/wp-con...ntantspam2.jpg
The site reads as follows:
'To view shared files and folders
You are required to sign in with your email address to access shared files and folders'
The -fake- login page casts a wide net, offering up login fields for Gmail, Yahoo Mail, Hotmail, AOL and “other”. You’ll notice the “CPA” in the URL – this would be related to Certified Public Accountants. Given the potentially sensitive data accountants have access to on a daily basis, angling for their logins could result in a nice-little-haul for the scammers. Anybody dealing with finance tends to be a hot target for -fake- mails containing Ransomware files*, but it’s worth remembering the more straightforward scams are still out there ready to strike. As always, some basic security precautions pay dividends here – note the -lack- of HTTPs on the above screenshot, which is (almost always) a sign that the site is a phish. You should always-be-highly-suspicious of -any- email you didn’t request directing you to a login page – that (plus the -missing- green padlock) certainly hits high on the “Back away slowly” meter..."
* http://blog.dynamoo.com/2016/02/malw...6789-from.html
espaciovitalhn(dot)com: 72.167.131.7: https://www.virustotal.com/en/ip-add...7/information/
>> https://www.virustotal.com/en/url/af...bbee/analysis/
___
Surge in IRS E-mail Schemes - 2016 Tax Season - Tax Industry Also Targeted
- https://www.irs.gov/uac/Newsroom/Con...-Also-Targeted
Feb. 18, 2016 - "The Internal Revenue Service renewed a consumer alert for e-mail schemes after seeing an approximately 400 percent surge in phishing and malware incidents so far this tax season. The -emails- are designed to trick taxpayers into thinking these are official communications from the IRS or others in the tax industry, including tax software companies. The phishing schemes can ask taxpayers about a wide range of topics. E-mails can seek information related to refunds, filing status, confirming personal information, ordering transcripts and verifying PIN information. Variations of these -scams- can be seen via text messages, and the communications are being reported in every section of the country... This tax season the IRS has observed fraudsters more frequently asking for personal tax information, which could be used to help file -false- tax returns... The IRS has seen an increase in reported phishing and malware schemes, including:
• There were 1,026 incidents reported in January, up from 254 from a year earlier.
• The trend continued in February, nearly doubling the reported number of incidents compared to a year ago. In all, 363 incidents were reported from Feb. 1-16, compared to the 201 incidents reported for the entire month of February 2015.
• This year's 1,389 incidents have already topped the 2014 yearly total of 1,361, and they are halfway to matching the 2015 total of 2,748.
... tax professionals are also reporting phishing scams that are seeking their online credentials to IRS services, for example the IRS Tax Professional PTIN System. Tax professionals are also reporting that many of their clients are seeing the e-mail schemes... It is important to keep in mind the IRS generally does -not- initiate contact with taxpayers by email to request personal or financial information. This includes any type of electronic communication, such as text messages and social media channels..."
(More detail at the IRS URL above.)
:fear::fear: :mad:
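The write-ups quoted above publish their indicators defanged (a space before the TLD such as "wblejsfob .pw", or "(dot)" in place of a dot) and, in the Dynamoo posts, recommend blocking whole ranges such as 46.4.239.64/27 rather than single hosts. As an added example, not code from this thread or from Dynamoo/myonlinesecurity, here is a small Python normaliser that refangs such lines, separates IP addresses, CIDR ranges and domains, collapses single addresses already covered by a recommended range, and checks a candidate address against the result. The sample text is a constructed handful of lines in the style of the quoted posts; the regular expressions and function names are my own.

```python
"""Normalise defanged indicators from a malspam write-up into a blocklist.

Added example; not code from the forum thread or any of the quoted blogs.
"""
import ipaddress
import re
from typing import Dict, List

# Constructed sample: indicator lines in the style of the quoted Dynamoo posts.
SAMPLE_TEXT = """\
46.4.239.76 /main.php
94.242.57.45 /main.php
wblejsfob .pw/main.php
kqlxtqptsmys .in/main.php
espaciovitalhn(dot)com/cpa/
46.4.239.64/27
185.46.11.239 (Agava Ltd, Russia)
69.195.129.70 (Joes Datacenter, US)
mondero .ru/system/logs/56y4g45gh45h
http ://lasmak .pl/2/2.exe
"""

_SCHEME = re.compile(r"^h(?:xx|tt)ps?\s*:\s*//", re.IGNORECASE)   # 'http ://', 'hxxp://'
_DOMAIN = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.IGNORECASE)
_CIDR = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}/\d{1,2}$")


def refang(line: str) -> str:
    """Undo common defanging: 'a .b' -> 'a.b', '(dot)' / '[.]' -> '.', drop the scheme."""
    s = line.strip()
    s = _SCHEME.sub("", s)
    s = re.sub(r"\(dot\)|\[\.\]", ".", s, flags=re.IGNORECASE)
    s = re.sub(r"\s*\.\s*", ".", s)
    return s


def extract_host(line: str) -> str:
    """Return the host, IP or CIDR part of an indicator line, or '' if the line has none."""
    s = refang(line)
    if not s:
        return ""
    token = s.split()[0]            # drops trailing ' /main.php' or ' (Agava Ltd, Russia)'
    if _CIDR.match(token):
        return token                # keep the prefix length on a range
    return token.split("/", 1)[0].rstrip(".").lower()   # strip any URL path


def parse_indicators(text: str) -> Dict[str, List[str]]:
    """Split indicator text into collapsed IP networks and a sorted domain list."""
    networks, domains = set(), set()
    for line in text.splitlines():
        host = extract_host(line)
        if not host:
            continue
        try:
            # single IPs become /32 networks so they can be collapsed with ranges
            networks.add(ipaddress.ip_network(host, strict=False))
            continue
        except ValueError:
            pass
        if _DOMAIN.match(host):
            domains.add(host)
    # collapse_addresses absorbs 46.4.239.76/32 into 46.4.239.64/27
    collapsed = ipaddress.collapse_addresses(networks)
    return {"networks": [str(n) for n in collapsed], "domains": sorted(domains)}


def is_blocked(ip: str, networks: List[str]) -> bool:
    """True if the address falls inside any network of the blocklist."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in networks)


if __name__ == "__main__":
    blocklist = parse_indicators(SAMPLE_TEXT)
    print("networks:", blocklist["networks"])
    print("domains: ", blocklist["domains"])
    for probe in ("46.4.239.70", "46.4.239.100"):
        print(probe, "blocked" if is_blocked(probe, blocklist["networks"]) else "allowed")
```

The collapse step matters operationally: a firewall rule set that lists both 46.4.239.76 and 46.4.239.64/27 is redundant and easy to mis-maintain, so the output keeps only the covering range. Domains are kept separately because they belong in a DNS RPZ or proxy list, not an IP rule.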
-
Fake 'Rechnung Nr. 88971', 'BoA Invoice' SPAM
FYI...
Fake 'Rechnung Nr. 88971' SPAM - malicious doc attachment
- http://myonlinesecurity.co.uk/rechnu...d-doc-malware/
22 Feb 2016 - "... an email written in German language pretending to be from an ADVANCED COURIER with the subject of 'Rechnung Nr. 88971 vom 15.02.2016' pretending to come from Volker Maier <MaierVolker8742@ malware-research .co.uk> (I think it is probably a random name at your own email domain) with a malicious word doc attachment is another one from the current bot runs... The email looks like:
From: Volker Maier <MaierVolker8742@ malware-research .co.uk>
Date:
Subject: Rechnung Nr. 88971 vom 15.02.2016
Attachment: Rechnung88971_3974069.doc
Dear Sir or Madam,
attached you will find our invoice 88971 dated 15.02.2016 in MS Office Word format. These tyres are on their way to you via DPD.
Please print this document for further use and for your records.
Please note! This document is the original copy!
Kind regards
Volker Maier
ADVANCED COURIER
22 February 2016: Rechnung88971_3974069.doc - Current Virus total detections 1/56*
MALWR** shows a download from http ://main.americaafricatradeshowandconference .com/feel/good.php which gave me loader.med.120.exe (VirusTotal 34/56***) which looks like a typical Dridex banking Trojan... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/b...is/1456146779/
** https://malwr.com/analysis/NjA5OTk1N...YwNmJlNjEyMjU/
Hosts
37.46.133.164
192.100.170.12
13.107.4.50
*** https://www.virustotal.com/en/file/8...is/1456146232/
___
Fake 'BoA Invoice' SPAM - doc malware
- http://myonlinesecurity.co.uk/bank-o...d-doc-malware/
22 Feb 2016 - "An email appearing to be a Bank of America Invoice or statement with the subject of 'Invoice Attached' coming from admin@ mastershell .ru with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
From: admin@ mastershell .ru
Date: Tue 23/02/2016 08:20 (received at 16.30 GMT)
Subject: Invoice Attached
Attachment: invoice_321112.doc
Good morning,
Please see the attached invoice and remit payment according to the terms listed at the bottom of the invoice. If you have any questions please let us know.
Thank you!
Mr. Jakes Jordaan J.D. Accounting Specialist| Bank of America, The Jordaan Law Firm, PLLC
Banking products are provided by Bank of America, N.A. and affiliated banks, Members FDIC and wholly owned subsidiaries of Bank of America Corporation.
Investment and insurance products ...
22 February 2016: invoice_321112.doc - Current Virus total detections 3/51*
MALWR** shows a download from http ://amoretanointrodano31 .com/posts/amr507.exe (VirusTotal 4/56***) which is being identified as Nymaim ransomware... Dridex/Locky -does- update at frequent intervals during the day, so you might get a different version of this nasty Ransomware or banking, password stealer Trojan... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/e...is/1456155179/
** https://malwr.com/analysis/MWU5ZTU3M...RhZmY4ZTRhOGU/
Hosts
96.251.21.189: https://www.virustotal.com/en/ip-add...9/information/
>> https://www.virustotal.com/en/url/b1...1c6d/analysis/
*** https://www.virustotal.com/en/file/3...is/1456158904/
___
Locky: Clearly Bad Behavior
- https://labsblog.f-secure.com/2016/0...-bad-behavior/
2016.02.22 - "... Locky’s most common infection vector has been via e-mail. A word document attachment is sent out claiming to be an invoice. When opened, the document appears scrambled and prompts the recipient to enable macros in order to view, and -if- they do so, an executable (ladybi.exe) gets dropped and starts encrypting data files using 128-bit AES encryption..."
:fear::fear: :mad:
-
Fake 'VAT Invoice', 'Ikea order', 'Order Conf', 'Scanned image' SPAM, Evil network ..
FYI...
Fake 'VAT Invoice' SPAM - doc malware
- http://myonlinesecurity.co.uk/britis...d-doc-malware/
24 Feb 2016 - "An email appearing to be a British Gas vat invoice with the subject of 'VAT Invoice – Quote Ref: ES0142570' pretending to come from CardiffC&MFinance <CardiffC&MFinance@ centrica .com> with a malicious word doc attachment is another one from the current bot runs...
Screenshot: http://myonlinesecurity.co.uk/wp-con...0-1024x546.png
24 February 2016: archive-0910001923884.docm - Current Virus total detections 3/56*
Payload Security** shows it downloads skropotov .ru/system/logs/87h754.exe (VirusTotal 5/55***). This almost certainly will be either Dridex banking Trojan or Locky Ransomware which is distributed via the Dridex botnet and gangs... Other download locations discovered include:
school62 .dp .ua/new_year/balls/87h754.exe
designis .com .ua/admin/images/87h754.exe
armo .sk/system/logs/87h754.exe
eyesquare .tn/system/logs/87h754.exe
... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/a...is/1456307598/
** https://www.reverse.it/sample/a501e5...nvironmentId=4
Host Address
78.108.80.77
80.86.91.232
62.109.133.248
176.53.0.103
*** https://www.virustotal.com/en/file/7...is/1456308031/
TCP connections
80.86.91.232: https://www.virustotal.com/en/ip-add...2/information/
13.107.4.50: https://www.virustotal.com/en/ip-add...0/information/
- http://blog.dynamoo.com/2016/02/malw...quote-ref.html
24 Feb 2016 - "This -fake- financial spam is not from British Gas/Centrica but is instead a simple -forgery- with a malicious attachment.
From: CardiffC&MFinance [CardiffC&MFinance@ centrica .com]
Date: 24 February 2016 at 09:09
Subject: VAT Invoice - Quote Ref: ES0142570
Good Afternoon,
Please find attached a copy of the VAT invoice as requested.
Regards
Tracy Whitehouse
Finance Team
British Gas Business ...
... there is an attached file named archive-0910001923884.docm which has a VirusTotal detection rate of 3/55*. Analysis of this document is pending, but it is likely to drop either the Dridex banking trojan or Locky ransomware."
* https://www.virustotal.com/en/file/b...is/1456309444/
UPDATE 1: The Hybrid Analysis[1] of the document plus the VirusTotal scan of the dropped EXE look like Dridex. The download location for that document was:
skropotov .ru/system/logs/87h754.exe
C2 to block:
80.86.91.232 (PlusServer, Germany)..."
1] https://www.hybrid-analysis.com/samp...nvironmentId=4
skropotov .ru: 78.108.80.77: https://www.virustotal.com/en/ip-add...7/information/
>> https://www.virustotal.com/en/url/39...5abc/analysis/
80.86.91.232: https://www.virustotal.com/en/ip-add...2/information/
___
Fake 'Ikea order' SPAM - doc malware
- http://myonlinesecurity.co.uk/ikea-t...doc-malware-2/
24 Feb 2016 - "An email that appears to be an Ikea order with the subject of 'Thank you for your order!' pretending to come from DoNotReply@ ikea .com with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... Many of these are coming in corrupt with the attachment embedded inside the email body as a base64 attachment. Some mail servers will automatically fix them, but others will deliver them as non-working... The email looks like:
From: DoNotReply@ ikea .com
Date: Wed 24/02/2016 10:50
Subject: Thank you for your order!
Attachment: IKEA receipt 656390.docm
IKEA UNITED KINGDOM
Order acknowledgement:
To print, right click and select print or use keys Ctrl and P.
Thank you for ordering with IKEA Shop Online. Your order is now being processed. Please check your order and contact us as soon as possible if any details are incorrect. IKEA Customer Relations, Kingston Park, Fletton, Peterborough, PE2 9ET. Tel: 0203 645 0015
Total cost: £122.60
Delivery date: 24-02-2016
Delivery method: Parcelforce
We will confirm your delivery date by text,email or telephone within 72 hrs.
Order/Invoice number: 607656390
Order time: 8:31am GMT
Order/Invoice date: 24-02-2016 ...
24 February 2016: IKEA receipt 656390.docm - Current Virus total detections 3/56*
I am waiting for analysis. This will almost certainly turn out to download either Dridex banking Trojan or Locky Ransomware... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/3...is/1456311298/
- http://blog.dynamoo.com/2016/02/malw...-for-your.html
24 Feb 2016 - "This fake financial spam is not from IKEA, but is instead a simple forgery. I can only assume that it is meant to have a malicious attachment, but due to a formatting error it may not be visible.
From: DoNotReply@ ikea .com
Date: 24 February 2016 at 09:56
Subject: Thank you for your order!
IKEA
IKEA UNITED KINGDOM
Order acknowledgement:
To print, right click and select print or use keys Ctrl and P.
Thank you for ordering with IKEA Shop Online. Your order is now being processed. Please check your order and contact us as soon as possible if any details are incorrect. IKEA Customer Relations, Kingston Park, Fletton, Peterborough, PE2 9ET. Tel: 0203 645 0015
Total cost: £122.60
Delivery date: 24-02-2016
Delivery method: Parcelforce
We will confirm your delivery date by text,email or telephone within 72 hrs.
Order/Invoice number: 607656390
Order time: 8:31am GMT
Order/Invoice date: 24-02-2016 ...
The intention here is either to drop the Dridex banking trojan or Locky ransomware. If you see an attachment, do -not- open it... UPDATE: Third-party analysis confirms that the attachments are broken and will not work in many mail clients. However, if they did the payload would be identical to this*."
* http://blog.dynamoo.com/2016/02/malw...quote-ref.html
___
Fake 'Order Conf' SPAM - doc malware
- http://myonlinesecurity.co.uk/order-...d-doc-malware/
24 Feb 2016 - "... an email with the subject of 'Order Conf. 3360069' pretending to come from Abigail Jones <ajones@ designersguild .com> with a malicious word doc attachment is another one from the current bot runs... The email looks like:
From: Abigail Jones <ajones@ designersguild .com>
Date: Wed 24/02/2016 11:09
Subject: Order Conf. 3360069
Attachment: Order Conf__3360069_22_02_2016.docm
Please see attached
24 February 2016: Order Conf__3360069_22_02_2016.docm - Current Virus total detections 3/55*
Waiting for analysis but this is almost certain to download either Dridex Banking Trojan or Locky Ransomware from the -same- locations in today’s earlier Malspam runs** with Word docs***... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/0...is/1456312210/
** http://myonlinesecurity.co.uk/britis...d-doc-malware/
*** http://myonlinesecurity.co.uk/ikea-t...doc-malware-2/
___
Evil network: 184.154.28.72/29 ...
- http://blog.dynamoo.com/2016/02/evil...o-cipovic.html
24 Feb 2016 - "liveadexchanger .com is an advertising network with a questionable reputation* currently hosted on a Google IP of 146.148.46.20. The WHOIS details are -anonymous-, never a good sign for an ad network. Seemingly running ads on the scummiest websites, liveadexchanger .com does things like trying to install fake-Flash-updates on visitors' computers, as can be seen from this URLquery report**... you might find the screenshot missing because of the complex URL, so here it is...
> https://3.bp.blogspot.com/-uOJGa-oJf...ke-flash-2.jpg
That landing page is on alwaysnewsoft.traffic-portal .net (part of an extraordinarily nasty network at 184.154.28.72/29) which then forwards unsuspecting visitors to a -fake- download at intva31.peripheraltest .info which you will not be surprised to learn is hosted at the adware-pusher's favourite host of Amazon AWS. Of the 567 sites that have been hosted in this /29 (not all are there now), 378 of them are tagged-as-malicious in some way by Google (67%) and 157 (28%) are also tagged by SURBL as being malicious in some way. Overall then, 74% are marked as malicious by either Google or SURBL, which typically means that they just haven't caught up yet with the other bad domains... I would recommend the following blocklist:
liveadexchanger .com
184.154.28.72/29 "
(More detail at the dynamoo URL above.)
* https://www.google.com/transparencyr...dexchanger.com
** https://urlquery.net/report.php?id=1456327368298
___
Fake 'Scanned image' SPAM - JS malware
- http://myonlinesecurity.co.uk/scanne...in-js-malware/
24 Feb 2016 - "An email with the subject of 'Scanned image' pretending to come from admin <southlands3452@ victim domain .tld> with a zip attachment is another one from the current bot runs... The email looks like:
From: admin <southlands3452@ victim domain .tld>
Date: Wed 24/02/2016 15:43
Subject: Scanned image
Attachment:
Image data in PDF format has been attached to this email.
24 February 2016: 24-02-2016-00190459.zip: Extracts to: PD7755363543.js - Current Virus total detections 0/56*
which downloads Locky ransomware from the same locations in this earlier post**. This is another one of the spoofed icon files that unless you have “show known file extensions” enabled, will look like a DOC file instead of the .exe/JS file it really is, making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/9...is/1456327535/
** http://myonlinesecurity.co.uk/neues-...306-js-malware
"...demo2.master-pro .biz/plugins/ratings/87h754 which is a text file that is saved as kEGQvyeDi.exe
(virustotal ***)
*** https://www.virustotal.com/en/file/3...is/1456322392/
demo2.master-pro .biz: 81.177.140.123: https://www.virustotal.com/en/ip-add...3/information/
>> https://www.virustotal.com/en/url/4e...ad49/analysis/
- http://blog.dynamoo.com/2016/02/malw...mage-data.html
24 Feb 2016 - "This -fake- document scan has a malicious attachment. It appears to come from within the victim's own domain, but this is a malicious forgery.
From: admin [southlands71@ victimdomain .tld]
Date: 24 February 2016 at 15:25
Subject: Scanned image
Image data in PDF format has been attached to this email.
... As this Hybrid Analysis shows*, the payload is the Locky ransomware. The dropped binary has a detection rate of just 2/55**.
Those reports show the malware phoning home to:
5.34.183.136 (ITL, Ukraine)
I strongly recommend that you -block- traffic to that IP."
* https://www.hybrid-analysis.com/samp...nvironmentId=1
** https://www.virustotal.com/en/file/f...is/1456331864/
TCP connections
5.34.183.136: https://www.virustotal.com/en/ip-add...6/information/
>> https://www.virustotal.com/en/url/78...26ac/analysis/
___
More Fake 'random invoice's SPAM - Dridex or Locky ransomware
- http://myonlinesecurity.co.uk/more-r...ky-ransomware/
24 Feb 2016 - "... flooded again this afternoon with emails about invoices and remittance advices pretending to come from random companies and random email addresses with a malicious word doc attachment... (more) from the current bot runs... There are -3- distinct email templates spreading. All mention the name of the alleged sender in the body. The 1st email that mentions a randomly chosen well known company in the body looks like:
From: Patty Reese <ReesePatty0497@une .net.co>
Date: Wed 24/02/2016 16:59
Subject: February Invoice #079732
Attachment: INV00849 – 079732.doc
Hello ,
Please review the attached copy of your Electronic document.
A paper copy of this document is being mailed, but this email is being sent in addition for your convenience.
Thank you for your business,
Patty Reese
Wahl Canada Inc...
24 February 2016: INV00849 – 079732.doc - Current Virus total detections 1/53[1]
Downloads svrapp02.smoothiewarehouse .info/fecha/esberando.php which gave me scrooge.exe (VirusTotal 3/56[2])
24 February 2016: Invoice_ref-39513520.doc - Current Virus total detections 1/56[3]
downloads Locky ransomware from s536335847.mialojamiento .es/4/4.exe (VirusTotal 4/56[4])
24 February 2016: remittance_advice6BEFBC.doc - Current Virus total detections 1/55[5]
downloads Locky ransomware from svrapp02.cubicgrains .com/fecha/esberando.php (VirusTotal 3/56[6])..
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
1] https://www.virustotal.com/en/file/2...d744/analysis/
2] https://www.virustotal.com/en/file/3...is/1456334642/
TCP connections
31.41.47.37: https://www.virustotal.com/en/ip-add...7/information/
3] https://www.virustotal.com/en/file/3...is/1456333034/
4] https://www.virustotal.com/en/file/5...is/1456334033/
TCP connections
51.254.19.227: https://www.virustotal.com/en/ip-add...7/information/
5] https://www.virustotal.com/en/file/a...is/1456334810/
6] https://www.virustotal.com/en/file/3...is/1456334642/
TCP connections
31.41.47.37: https://www.virustotal.com/en/ip-add...7/information/
:fear::fear: :mad:
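The posts above keep describing the same few attachment shapes: macro-enabled .docm documents, a ZIP that holds a .js script (the 'Scanned image' and 'Rechnung' runs), and an executable named to look like a PDF or DOC that Windows shows without its real extension when "show known file extensions" is off (the 'Our new Order' PO_160136_pdf file). As an added example, not code from the thread or from the quoted blogs, here is a name-based triage routine a mail gateway could run before delivery. Sample names are taken from the posts; the ZIP is constructed in memory with a placeholder member, the .exe suffix on PO_160136_pdf is assumed from the post's description, and the extension sets and the quarantine policy are assumptions of mine.

```python
"""Attachment triage for a mail gateway: flag macro-enabled Office files,
scripts and executables (also inside ZIPs), and executables whose name is
shaped to read as a document once the real extension is hidden.

Added example; not code from the forum thread or any of the quoted blogs.
"""
import io
import zipfile
from pathlib import PurePosixPath
from typing import List

# Extension policy (assumption of this example; tune to local needs).
EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif", ".cpl"}
SCRIPT_EXT = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".cmd", ".bat", ".ps1"}
MACRO_EXT = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm"}
LEGACY_OFFICE_EXT = {".doc", ".xls", ".ppt"}
# Tokens that make a hidden-extension filename look like a harmless document.
DOC_LIKE = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}

LEGACY_MSG = "legacy Office format (can embed macros; inspect content)"


def triage_name(name: str) -> List[str]:
    """Findings for a single attachment name (case-insensitive)."""
    findings: List[str] = []
    lname = name.lower()
    ext = PurePosixPath(lname).suffix
    stem = lname[: -len(ext)] if ext else lname
    if ext in EXECUTABLE_EXT:
        findings.append("executable attachment")
    elif ext in SCRIPT_EXT:
        findings.append("script attachment")
    elif ext in MACRO_EXT:
        findings.append("macro-enabled Office document")
    elif ext in LEGACY_OFFICE_EXT:
        findings.append(LEGACY_MSG)
    if ext in EXECUTABLE_EXT | SCRIPT_EXT:
        # 'PO_160136_pdf.exe' or 'invoice.pdf.exe' read as a PDF once the
        # file manager hides the real extension.
        tail = stem.rsplit(".", 1)[-1].rsplit("_", 1)[-1]
        if tail in DOC_LIKE:
            findings.append("disguised as document")
    return findings


def triage_attachment(name: str, data: bytes) -> List[str]:
    """Findings for one attachment, descending one level into ZIP archives."""
    findings = [f"{name}: {f}" for f in triage_name(name)]
    if name.lower().endswith(".zip"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    findings += [f"{name}!{member}: {f}" for f in triage_name(member)]
        except zipfile.BadZipFile:
            findings.append(f"{name}: unreadable ZIP archive")
    return findings


def verdict(findings: List[str]) -> str:
    """Gateway policy (assumed): anything flagged is held for inspection."""
    return "quarantine" if findings else "deliver"


def build_sample_zip(member: str) -> bytes:
    """Constructed ZIP with a placeholder member, standing in for RG...-SIG.zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, "// constructed placeholder, not a real script\n")
    return buf.getvalue()


if __name__ == "__main__":
    samples = {  # names from the posts above; contents are constructed stubs
        "PO_160136_pdf.exe": b"MZ",
        "archive-0910001923884.docm": b"PK",
        "RG460634280127-SIG.zip": build_sample_zip("RG6459762168-SIG.js"),
        "invoice_feb-79754078.doc": b"\xd0\xcf\x11\xe0",
    }
    for fname, blob in samples.items():
        found = triage_attachment(fname, blob)
        print(f"{verdict(found):10s} {fname} {found}")
```

Name-based checks catch every lure shape described in these posts, but they are only a first filter: a plain .doc or .xls can carry VBA macros just as a .docm can, which is why the legacy formats are flagged for content inspection (OLE/VBA parsing or sandbox detonation) rather than passed through.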
-
Fake 'Doc attached', 'FW: INVOICE', 'Attached Image', 'BACS', 'Scanned Invoice' SPAM
FYI...
Fake 'Doc attached' SPAM - xls malware
- http://myonlinesecurity.co.uk/docume...sheet-malware/
25 Feb 2016 - "An email with the subject of 'Document No 1076196' pretending to come from Accounts at your own domain with a malicious Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
From: Accounts <accounts@ victim domain .tld>
Date:
Subject: Document No 1076196
Attachment: Document No 1076196.xls
Thanks for using electronic billing
Please find your document attached
Regards
Accounts
25 February 2016: Document No 1076196.xls - Current Virus total detections 5/56*
Hybrid analysis** shows it downloads demo2.master-pro .biz/images/flags/76ghby6f45.exe.
It is almost certain that this is either Dridex banking Trojan or Locky ransomware. Locky is distributed via the Dridex botnet... Other download locations discovered so far include:
http ://mysite.dp .ua/adminka/jqvmap/76ghby6f45.exe and:
sepadugroup .com .my/system/logs/76ghby6f45.exe ... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/7...is/1456394222/
** https://www.hybrid-analysis.com/samp...nvironmentId=4
Host Address
81.177.140.123: https://www.virustotal.com/en/ip-add...3/information/
>> https://www.virustotal.com/en/url/8c...4278/analysis/
91.236.4.234: https://www.virustotal.com/en/ip-add...4/information/
___
Fake 'FW: INVOICE' SPAM - doc malware
- http://myonlinesecurity.co.uk/fw-inv...d-doc-malware/
25 Feb 2016 - "An email with the subject of 'FW: INVOICE- 1442049 ( random numbers)' pretending to come from Maddi Cross <maddi.cross@ your own email domain> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
From: Maddi Cross <maddi.cross@ victim domain . tld>
Date: Thu 25/02/2016 10:17
Subject: FW: INVOICE- 1442049
Attachment: INVOICE-6154119.docm
With Kind Regards,
Maddi Cross
Customer Service Team Leader ...
25 February 2016: INVOICE-6154119.docm - Current Virus total detections 6/56*
Downloads sepadugroup .com.my/system/logs/76ghby6f45.exe (VirusTotal 2/56**). It is almost certain to download either Dridex banking Trojan or Locky Ransomware, which are both using the -same- distribution network... Other download locations with same file names so far discovered include:
http ://mysite.dp .ua/adminka/jqvmap/76ghby6f45.exe ... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/f...is/1456396242/
** https://www.virustotal.com/en/file/a...is/1456396563/
sepadugroup .com.my: 167.114.103.208: https://www.virustotal.com/en/ip-add...8/information/
>> https://www.virustotal.com/en/url/1f...0c5a/analysis/
mysite.dp .ua: 176.114.0.200: https://www.virustotal.com/en/ip-add...0/information/
>> https://www.virustotal.com/en/url/9e...3f18/analysis/
___
Fake 'Attached Image' SPAM - doc malware
- http://myonlinesecurity.co.uk/attach...ky-ransomware/
25 Feb 2016 - "... an email with the subject of 'Attached Image' pretending to come from scanner@ your own email domain with a malicious word doc attachment is another one from the current bot runs... The email looks like:
From: scanner@ Victim domain. tld
Date: Thu 25/02/2016 11:00
Subject: Attached Image
Attachment: 2156_001.docm
Body content: is totally blank
25 February 2016: 2156_001.docm - Current Virus total detections 6/56*
Waiting for analysis. It is almost certain to download either Dridex banking Trojan or Locky Ransomware from the -same-locations- described in today’s earlier posts [1] [2], which are both using the -same- distribution network, file names and methods of infection... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/2...is/1456398208/
1] http://myonlinesecurity.co.uk/fw-inv...d-doc-malware/
2] http://myonlinesecurity.co.uk/docume...sheet-malware/
___
Fake 'BACS' SPAM - doc malware
- http://myonlinesecurity.co.uk/bacs-r...d-doc-malware/
25 Feb 2016 - "An email with the subject of 'BACS Remittance Advice (25/02/16)' pretending to come from random names and email addresses with a malicious word doc attachment is another one from the current bot runs... The email looks like:
From: Annette Rojas <RojasAnnette913@ fiber .net .id>
Date: Thu 25/02/2016 14:02
Subject: BACS Remittance Advice (25/02/16)
Attachment: BACS_remittance_advice_0339266.doc
Please find attached your remittance advice.
If you do have any queries regarding this remittance advice, please contact:
Threadneedle (Supplier Reference beginning TP) ...
25 February 2016: BACS_remittance_advice_0339266.doc - Current Virus total detections 2/56*
Hybrid analysis** shows it downloads serveur.wininstall .co/colombian/cocaina.php - which gave me crypted120med.exe (virustotal 1/55***). This will be either Dridex or Locky Ransomware... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/c...is/1456407906/
** https://www.reverse.it/sample/c087c8...nvironmentId=4
Host Address
91.223.88.209
>> https://www.virustotal.com/en/url/d0...431c/analysis/
81.93.151.248
188.40.224.76
*** https://www.virustotal.com/en/file/8...is/1456409978/
TCP connections
188.40.224.76: https://www.virustotal.com/en/ip-add...6/information/
104.86.110.240: https://www.virustotal.com/en/ip-add...0/information/
___
Fake 'Scanned Invoice' SPAM - doc/xls malware
- http://myonlinesecurity.co.uk/scanne...d-doc-malware/
25 Feb 2016 - "An email with the subject of 'Scanned Invoice' pretending to come from random names and email addresses with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... It looks like these criminal gangs are distributing Dridex in the mornings this week and switch to Locky ransomware in the afternoons... The email looks like:
From: Katheryn Garner <GarnerKatheryn5049@ beyondbackyards .com>
Date: Thu 25/02/2016 16:14
Subject: Scanned Invoice
Attachment:
Dear erek ,
Scanned Invoice in Microsoft Word format has been attached to this email.
Thank you!
Katheryn Garner
Sales Manager
25 February 2016: SCAN_Invoice_erek.doc - Current Virus total detections 2/56*
.. downloads insittu .com/2/2.exe which is Locky ransomware (virustotal 3/56**)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/2...is/1456416843/
** https://www.virustotal.com/en/file/8...is/1456417770/
TCP connections
51.254.19.227: https://www.virustotal.com/en/ip-add...7/information/
insittu .com: 192.185.147.147: https://www.virustotal.com/en/ip-add...7/information/
>> https://www.virustotal.com/en/url/30...ee8f/analysis/
___
Magnitude EK - Malvertising ...
- https://blog.malwarebytes.org/malver...ising-deja-vu/
Feb 24, 2016 - "... witnessed an increase in the number of malvertising incidents involving the Magnitude exploit kit. The last time we blogged about this was in mid November 2015 and we attributed the event to the fact that Magnitude EK had just integrated a newer Flash exploit (CVE-2015-7645). We fast-forward a few months and see that things haven’t changed one bit:
Same ad network (Propeller Ads Media)
Newer Flash exploit (CVE-2015-8651)
CryptoWall
We see the use of “redirectors” which obfuscate the URL to Magnitude... While reviewing this attack, we also spotted a similar malvertising attack via another ad network (AdsTerra)... We reported both campaigns to the respective ad networks.
- IOCs: Ad networks:
terraclicks[.]com: 198.134.112.232: https://www.virustotal.com/en/ip-add...2/information/
>> https://www.virustotal.com/en/url/d8...73c9/analysis/
onclickads[.]net:
78.140.191.90: https://www.virustotal.com/en/ip-add...0/information/
78.140.191.110: https://www.virustotal.com/en/ip-add...0/information/
88.85.82.172: https://www.virustotal.com/en/ip-add...2/information/
78.140.191.80: https://www.virustotal.com/en/ip-add...0/information/
78.140.191.69: https://www.virustotal.com/en/ip-add...9/information/
78.140.191.109: https://www.virustotal.com/en/ip-add...9/information/
88.85.82.171: https://www.virustotal.com/en/ip-add...1/information/
206.54.165.192: https://www.virustotal.com/en/ip-add...2/information/
78.140.191.89: https://www.virustotal.com/en/ip-add...9/information/
206.54.165.193: https://www.virustotal.com/en/ip-add...3/information/
78.140.191.70: https://www.virustotal.com/en/ip-add...0/information/
- Redirectors:
discount-shop[.]org: 'A temporary error occurred during the lookup...'
freewellgames[.]biz: 185.49.69.88: https://www.virustotal.com/en/ip-add...8/information/
>> https://www.virustotal.com/en/url/70...9bc7/analysis/
onlinewellgame[.]com: 'A temporary error occurred during the lookup...'
mov-3s[.]com: 'A temporary error occurred during the lookup...'
Payload (CryptoWall): e5c3fa1f1b22af46bf213ed449f74d40 "
:fear::fear: :mad:
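The reports quoted above defang their indicators in several ways (a space before the dot, `[.]`, `[DOT]`, `http ://`, a space before the path), and each ends with a recommended blocklist. As an added example, not code from Malwarebytes, dynamoo or myonlinesecurity, the Python below normalises a handful of those notations into one host/IP blocklist and checks constructed proxy-log lines against it. `RAW_IOCS` is built from indicators quoted on this page; the proxy log format, the log lines and the function names are the example's own assumptions.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed list: indicators copied from the quoted reports, in the
# defanged forms those reports use.
RAW_IOCS = [
    "192.232.204.53",
    "insittu .com/2/2.exe",
    "http ://5.149.248.225 /britishairaways/takeoff.php",
    "fb-moviews[DOT]com",
    "terraclicks[.]com",
    "biocarbon .com.ec",
    "www .notebooktable .ru/system/logs/7ygvtyvb7niim.exe",
]

# Constructed proxy log; assumed format "<timestamp> <client> <method> <url> <status>".
SAMPLE_PROXY_LOG = """\
2016-02-25T16:20:03Z 10.0.0.12 GET http://insittu.com/2/2.exe 200
2016-02-25T16:21:44Z 10.0.0.31 GET http://www.example.org/index.html 200
2016-02-26T08:45:10Z 10.0.0.12 GET http://5.149.248.225/britishairaways/takeoff.php 200
2016-02-26T09:01:55Z 10.0.0.77 GET http://ads.terraclicks.com/click?id=1 302
"""


def refang(text):
    """Undo the defanging conventions seen in the reports so a URL parser can read the value."""
    s = text.strip()
    s = re.sub(r"\[(?:\.|dot|DOT)\]", ".", s)   # example[.]com, example[DOT]com
    s = re.sub(r"hxxp", "http", s, flags=re.IGNORECASE)
    s = re.sub(r"\s*://\s*", "://", s)         # "http ://host" -> "http://host"
    s = re.sub(r"\s*\.\s*", ".", s)            # "insittu .com" -> "insittu.com"
    s = re.sub(r"\s*/\s*", "/", s)             # "225 /path"   -> "225/path"
    return s


def indicator(text):
    """Classify a refanged indicator as ('ip', host) or ('domain', host)."""
    s = refang(text)
    if "://" not in s:
        s = "http://" + s                       # bare host, or host/path without a scheme
    host = (urlsplit(s).hostname or "").lower()
    try:
        ipaddress.ip_address(host)
        return "ip", host
    except ValueError:
        return "domain", host


def build_blocklist(raw_iocs):
    """Split raw indicators into a set of IPs and a set of domains."""
    ips, domains = set(), set()
    for raw in raw_iocs:
        kind, host = indicator(raw)
        if host:
            (ips if kind == "ip" else domains).add(host)
    return ips, domains


def host_is_listed(host, ips, domains):
    """Exact match for IPs; exact or subdomain match for domains."""
    if host in ips or host in domains:
        return True
    return any(host.endswith("." + d) for d in domains)


def match_log(log_text, ips, domains):
    """Return (timestamp, client, host) for each log line whose host is on the blocklist."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        ts, client, _method, url = fields[:4]
        host = (urlsplit(url).hostname or "").lower()
        if host_is_listed(host, ips, domains):
            hits.append((ts, client, host))
    return hits


if __name__ == "__main__":
    ips, domains = build_blocklist(RAW_IOCS)
    print("block IPs:", sorted(ips))
    print("block domains:", sorted(domains))
    for ts, client, host in match_log(SAMPLE_PROXY_LOG, ips, domains):
        print(f"{ts} {client} contacted listed host {host}")
```

Subdomain matching is deliberate: the ad-network and redirector entries above are listed as bare domains while the actual requests go to hosts under them. Note that a listed `www.` host does not match its parent domain; strip the prefix before loading if that is the behaviour you want.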
-
Fake 'Invoice/Credit Note', 'Active Discount', 'Your Order' SPAM
FYI...
Fake 'Invoice/Credit Note' SPAM - doc malware
- http://myonlinesecurity.co.uk/corpor...d-doc-malware/
26 Feb 2016 - "An email with the subject of 'Corporate Direct (Europe) Ltd Invoice/Credit Note Attached' pretending to come from Sharron Blevins <Blevins.Sharron04@ corpteluk .com> (These are actually random names at corpteluk .com) with a malicious word doc attachment is another one from the current bot runs... The email looks like:
From: Sharron Blevins <Blevins.Sharron04@ corpteluk .com>
Date: Fri 26/02/2016 08:42
Subject: Corporate Direct (Europe) Ltd Invoice/Credit Note Attached
Attachment: UK_2871159073.doc
DO NOT DELETE
Dear Sir or Madam
Please find your invoice attached.
If you have any queries regarding your account please do not hesitate to contact us.
Thank you for your business.
Corporate Telecommunications Accounts.
Joanna Monks
Credit Control ...
26 February 2016: UK_2871159073.doc - Current Virus total detections 4/56*
MALWR** shows us a download of Dridex banking Trojan from
http ://5.149.248.225 /britishairaways/takeoff.php which gave me 120.exe (VirusTotal 1/55***)...
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/d...is/1456479676/
** https://malwr.com/analysis/NWQ3NzQ2N...RmMDM4YTIyY2Q/
5.149.248.225: https://www.virustotal.com/en/ip-add...5/information/
81.93.151.248
184.25.56.42
*** https://www.virustotal.com/en/file/9...is/1456480745/
TCP connections
81.93.151.248: https://www.virustotal.com/en/ip-add...8/information/
13.107.4.50: https://www.virustotal.com/en/ip-add...0/information/
___
Fake 'Active Discount' SPAM - doc malware
- http://myonlinesecurity.co.uk/active...d-doc-malware/
26 Feb 2016 - "An email with the subject of 'Active Discount Transaction – 60126092105029/1' pretending to come from Lloyds Bank plc <supplier.finance@ lloydsbanking .com> with a malicious word doc attachment is another one from the current bot runs... The email looks like:
From: Lloyds Bank plc <supplier.finance@ lloydsbanking .com>
Date: Fri 26/02/2016 09:28
Subject: Active Discount Transaction – 60126092105029/1
Attachment: 60126092105029_1.docm
This message is to inform that the following event happened or action is required in the Lloyds Bank plc system
Event/Action Description : Active Discount Transaction – 60126092105029/1
Date : Feb 26, 2016
Number of Invoices : 5
Total Amount : 595.78
Discount Amount : 592.88 ...
26 February 2016: 60126092105029_1.docm - Current Virus total detections 4/55*
MALWR** shows a download of what looks like Dridex banking Trojan from
http ://autoshara .com.ua/system/logs/76tg654viun76b which is a text file that is renamed/saved as a .exe and autorun (VirusTotal ***). The Comments in Virus total show other download locations as
http ://www .westport .in/vqmod/xml/76tg654viun76b
http ://glavmedmag .ru/system/logs/76tg654viun76b ...
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/1...is/1456482256/
** https://malwr.com/analysis/NTg2ZjVhN...E0MzVhMjJmZTY/
193.169.189.202
91.236.4.234
23.216.10.177
*** https://www.virustotal.com/en/file/1...is/1456481804/
TCP connections
203.162.141.13: https://www.virustotal.com/en/ip-add...3/information/
23.63.98.17: https://www.virustotal.com/en/ip-add...7/information/
___
Fake 'Your Order' SPAM - malicious attachment
- http://blog.dynamoo.com/2016/02/malw...-has-been.html
26 Feb 2016 - "This spam does -not- come from Harrison Products but is instead a simple -forgery- with a malicious attachment:
From warehouse | Harrison [warehouse@ harrisonproducts .net]
Date Fri, 26 Feb 2016 18:07:04 +0500
Subject Your Order has been despatched from Harrison
Dear Customer
Thank you for your valued Order, your Despatch Confirmation is attached
If there are any queries relating to this delivery please contact our Customer Service
Team on 01451 830083 or email sales@ harrisonproducts .net
Kind Regards
The Harrison Products Team ...
I have seen only one sample of this with an attachment named Order ref. 16173.xls which has a VirusTotal detection rate of 6/55*. This Malwr report** plus this Hybrid Analysis*** for that sample shows a binary being downloaded from:
thetoyshop .by/system/logs/76tg654viun76b
There are probably other download locations too. This dropped file has a detection rate of 3/52[4]. Those two reports indicate that this is the Dridex banking trojan. It phones home to:
203.162.141.13 (VietNam Data Communication Company, Vietnam)
I strongly recommend that you -block- traffic to that IP."
* https://www.virustotal.com/en/file/9...is/1456493060/
** https://malwr.com/analysis/NjBmMGE4Z...UzMzI3MWM3ZGU/
*** https://www.hybrid-analysis.com/samp...nvironmentId=4
4] https://www.virustotal.com/en/file/1...is/1456493451/
:fear::fear: :mad:
-
Facebook Video, 'Invoice', 'Scanned image' SPAM
FYI...
Facebook Video SPAM... and 'Leaked' iPhone
- https://blog.malwarebytes.org/phishi...leaked-iphone/
Feb 29, 2016 - "Spam posts on Facebook are nothing new. Since videos continue to be a staple form of entertainment — a whopping 8-billion views-per-day according to last year’s numbers — within the social network ecosystem, video spam has become a particular nuisance. From -shock- videos of supposed bears tearing people apart to celebrity deaths to mermaids, one can almost say they have seen it all. However, it is -uncommon- nowadays to find video spam that is sexually graphic in nature... :
> https://blog.malwarebytes.org/wp-con...fb-comment.png
The above was posted as a reply to an innocent update made by a family member of the poster. We’re fairly certain that s/he didn’t knowingly post it themselves, too, because clicking the Facebook App page link below the video preview photo -redirects- one to a page that -claims- to be one of Facebook’s:
fb-moviews[DOT]com, as seen:
> https://blog.malwarebytes.org/wp-con...oshotindie.png
... Whether one provides their info to the page or not, clicking “Masuk” (or “Enter” in English) allows the affected user’s account to do two things: (1) it shares the original poster’s video link and (2) it replies to posts with the video link including some -garbled- text and URL. At the same time, fb-moviews -redirects- users to a site where users won’t be seeing any videos... specifically presented with the page (screenshot below) about a leak of a rumored new iPhone smartphone, which has been making rounds in big news outlets today:
> https://blog.malwarebytes.org/wp-con.../iphone365.png
... We have said this before... again: Be careful what-you-click..."
fb-moviews[DOT]com: 104.18.51.45: https://www.virustotal.com/en/ip-add...5/information/
104.18.50.45: https://www.virustotal.com/en/ip-add...5/information/
___
Fake 'Invoice' SPAM - malicious attachment
- http://blog.dynamoo.com/2016/02/malw...5215-dear.html
29 Feb 2016 - "This fake financial email (sent to "Dear costumer") has a malicious attachment.
From: Velma hodson
Date: 29 February 2016 at 16:49
Subject: Invoice #16051052/15
Dear costumer,
You are receiving this informational letter because of the fact that you have a debt totaling $157,54 due to late payment of invoices dating March ‘15.
In attachment you will find a reconciliation of the past 12 months (year 2015).
Please study the file and contact us immediately to learn what steps you should take to avoid the accrual of penalties.
I have only seen a single sample with an attachment named Invoice_ref-16051052.zip which in turn contains a malicious script invoice_kOUEsX.js ... The script has a VirusTotal detection rate of 2/55* and these automated analysis tools [1] [2] show that it attempts to download a binary from the following locations:
ohiyoungbuyff .com/69.exe?1
helloyungmenqq .com/69.exe?1
The domain names have a similar theme, indicating that the -servers- are malicious. It might be worth blocking:
91.196.50.241 (EuroNet, Poland)
50.3.16.250 (Eonix, US)
This Malwr report** shows that the dropped payload is ransomware, calling home to the following domains:
biocarbon .com.ec
imagescroll .com
I recommend that you -block- traffic to those domains plus the two IPs, giving a recommended blocklist of:
91.196.50.241
50.3.16.250
biocarbon .com.ec
imagescroll .com
music.mbsaeger .com
stacon .eu "
* https://www.virustotal.com/en/file/8...is/1456771424/
1] https://malwr.com/analysis/ZmY1M2EyY...IwZjQ0MDNlYWU/
2] https://www.hybrid-analysis.com/samp...nvironmentId=4
** https://malwr.com/analysis/NzllYzhhM...VhNjkyNWUyMGY/
Hosts
192.185.39.66
62.210.141.228
76.125.213.205
188.116.9.2
___
Fake 'Scanned image' SPAM - malicious attachment
- http://blog.dynamoo.com/2016/02/malw...e-data_29.html
29 Feb 2016 - "This -fake- document scan has a malicious attachment:
From: admin [ands21@ victimdomain .tld]
Date: 29 February 2016 at 19:05
Subject: Scanned image
Image data in PDF format has been attached to this email.
The email appears to originate from within the victim's own domain. Attached is a randomly-named file with a format similar to 2016022936833473.zip containing a malicious script with a name somewhat like SCAN000469497.js. I have seen three different versions of the attached scripts with detection rates of around 1/55 [1]... The Malwr reports for those [4] [5] [6] show download locations at:
www .notebooktable .ru/system/logs/7ygvtyvb7niim.exe
svetluchok .com.ua/admin/images/7ygvtyvb7niim.exe [404]
mansolution .in.th/system/logs/7ygvtyvb7niim.exe
This appears to be Locky ransomware with a detection rate of just 3/55*. Those Malwr reports also indicate C&C servers at:
51.254.19.227 (Dmitrii Podelko, Russia / OVH, France)
185.14.29.188 (ITL aka UA Servers, Ukraine)
Note that one of the download locations is 404ing. There may be other download locations that I am not aware of, however I recommend that you block-all-traffic to:
51.254.19.227
185.14.29.188 "
1] https://www.virustotal.com/en/file/a...is/1456774937/
4] https://malwr.com/analysis/MGFjOTJlY...U0NjgwOTYyNTY/
195.208.1.116
185.14.29.188
5] https://malwr.com/analysis/MTBkYjlhY...QxYmExZTZlY2E/
176.114.0.200
6] https://malwr.com/analysis/YTJlYjA5Y...I5OTFhZTdiYTU/
103.233.192.226
51.254.19.227
* https://www.virustotal.com/en/file/b...ef0e/analysis/
TCP connections
51.254.19.227: https://www.virustotal.com/en/ip-add...7/information/
___
Snapchat hit by phishing scam
- http://blog.snapchat.com/post/140194...-our-employees
Feb 28, 2016 - "... Last Friday, Snapchat’s payroll department was targeted by an isolated email phishing scam in which a scammer impersonated our Chief Executive Officer and asked for employee payroll information. Unfortunately, the phishing email wasn’t recognized for what it was –a scam– and payroll information about some current and former employees was disclosed externally. To be perfectly clear though: None of our internal systems were breached, and no user information was accessed... Within four hours of this incident, we confirmed that the phishing attack was an isolated incident and reported it to the FBI. We began sorting through which employees–current and past– may have been affected. And we have since contacted the affected employees and have offered them two years of free identity-theft insurance and monitoring. When something like this happens, all you can do is own up to your mistake, take care of the people affected, and learn from what went wrong. To make good on that last point, we will redouble our already rigorous training programs around privacy and security in the coming weeks. Our hope is that we never have to write a blog post like this again..."
:fear::fear: :mad:
-
Fake 'March Invoice', 'Your Order', 'MX62EDO' SPAM, Tesco Bank Phish
FYI...
Fake 'March Invoice' SPAM - Locky ransomware
- http://blog.dynamoo.com/2016/03/malw...kan-dream.html
1 Mar 2016 - "This -fake- financial spam can't make up its mind which month it is for.
From: Caitlin Velez
Date: 1 March 2016 at 11:50
Subject: March Invoice
Hi,
Attached is the November invoice.
Thanks!
Caitlin Velez
Customer Service
Balkan Dream Properties ...
So far I have seen just one sample of this, so it is possible that other companies are being spoofed as well. Attached is a file INV09BEE9.zip which in turn contains a malicious script statistics_60165140386.js. This has a detection rate of precisely zero*. This Malwr report** shows that it is the Locky ransomware, downloading a binary from:
intuit.bitdefenderdistributor .info/intrabmw/get.php
This is hosted on a bad webserver at..
93.95.100.141 (Mediasoft ekspert, Russia)
..and it then phones home to..
5.34.183.195 (ITL / UA Servers, Ukraine)
There are probably other download locations. My contacts tell me that these are C2 servers for an earlier German-language campaign, it is possible they are being used here. Block 'em anyway..
31.184.197.119 (Petersburg Internet Network ltd., Russia)
51.254.19.227 (Dmitrii Podelko, Russia / OVH, France)
91.219.29.55 (FLP Kochenov Aleksej Vladislavovich, Ukraine)
Recommended blocklist:
5.34.183.195
31.184.197.119
51.254.19.227
91.219.29.55
93.95.100.141 "
* https://www.virustotal.com/en/file/0...is/1456833407/
** https://malwr.com/analysis/MDlhNDk3Y...ZhZGQxZDg4N2I/
- http://myonlinesecurity.co.uk/march-...ky-ransomware/
1 Mar 2016 - "... an email with the subject of 'March Invoice' pretending to come from random names, companies and email addresses with a zip attachment is another one from the current bot runs... The email looks like:
From: Grace Buckley <BuckleyGrace41@ jackvalan .com>
Date: Tue 01/03/2016 11:51
Subject: March Invoice
Attachment: INVBEAC8E.zip
Hi,
Attached is the November invoice.
Thanks!
Grace Buckley
Customer Service
MONTANARO UK SMALLER COS INVESTM TR ...
1 March 2016: INVBEAC8E.zip: Extracts to: statistics_60165140386.js - Current Virus total detections 0/56*
MALWR** shows it downloads http ://intuit.bitdefenderdistributor .info/intrabmw/get.php which gave me
lohi.exe (VirusTotal 5/54***). This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a DOC file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/0...is/1456833183/
** https://malwr.com/analysis/MDlhNDk3Y...ZhZGQxZDg4N2I/
93.95.100.141
5.34.183.195
*** https://www.virustotal.com/en/file/f...is/1456832632/
TCP connections
185.14.29.188: https://www.virustotal.com/en/ip-add...8/information/
___
Fake 'Your Order' SPAM - Locky ransomware
- http://myonlinesecurity.co.uk/delay-...ky-ransomware/
1 Mar 2016 - "An email with the subject of 'Delay with Your Order #200C189B, Invoice #37811753' [random numbered] pretending to come from Random names, companies and email addresses with a zip attachment is another one from the current bot runs... The email looks like:
From: Joel Barron <BarronJoel28@ softranstech .com>
Date: Tue 01/03/2016 11:30
Subject: Delay with Your Order #200C189B, Invoice #37811753
Attachment: order_copy_200C189B.zip
Dear Valued Customer,
It is very unpleasant to hear about the delay with your order #200C189B, but be sure that our department will do its best to resolve the problem. It usually takes around 7 business days to deliver a package of this size to your region.
The local post office should contact your as soon as they will receive the parcel. Be sure that your purchase will be delivered in time and we also guarantee that you will be satisfied with our services.
Thank you for your business with our company.
Joel Barron
Sales Manager
1 March 2016: order_copy_200C189B.zip: Extracts to: readme_692768919.js - Current Virus total detections 0/56*
MALWR** shows what looks like a download of Locky Ransomware from
http ://sitemar.ro/5/92buyv5 ... This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a DOC file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/1...is/1456831819/
** https://malwr.com/analysis/YzUzMWY2N...UzZjg0ZmY1ZmU/
Hosts
89.38.241.66
185.14.29.188
- http://blog.dynamoo.com/2016/03/malw...mer-it-is.html
1 Mar 2016 - "This strangely worded spam leads to the Locky ransomware:
From =cU3RlZmFuaWUgU3VsbGl2YW4=?= [SullivanStefanie68750@numericable .fr]
Date Tue, 01 Mar 2016 13:40:48 +0200
Subject =?UTF-8?B?RGVsYXkgd2l0aCBZb3VyIE9yZGVyICM3QjZCN0UwOCwgSW52b2ljZSAjMzI1ODMzNDY=?=
Dear ValuedCustomer,
It is very unpleasant to hear about the delay with your order #7B6B7E08, but be sure
thatour department will do its best to resolve the problem.It usually takes around7
business days to deliver a package of this size to your region.
The local post office should contact your as soon as they will receive theparcel.Be
sure that your purchase will be delivered in time and we alsoguarantee that you will
be satisfied with our services.
Thank you for your business with our company.
Stefanie Sullivan
Sales Manager
All the samples I have seen have slightly -mangled- headers. The sender name varies. Attached is a ZIP file named in a similar format to order_copy_7B6B7E08.zip which contains a malicious script named something like:
important_181031694.js
warning_659701636.js
statistics_466026824.js
I have seen -six- different samples so far with zero detection rates [1]... and which according to these analyses [7]... attempt to download a Locky binary from:
sitemar .ro/5/92buyv5
pacificgiftcards .com/3/67t54cetvy
maisespanhol .com.br/1/8y7h8bv6f
Those binaries phone home to:
5.34.183.195/main.php
31.184.197.119/main.php
Those C&C servers are the same as I mentioned in this spam run* and I suggest you -block- traffic to:
5.34.183.195
31.184.197.119
51.254.19.227
91.219.29.55 "
1] https://www.virustotal.com/en/file/a...6de8/analysis/
7] https://malwr.com/analysis/OWM1MmU0M...VjZmNlNTM4NWY/
* http://blog.dynamoo.com/2016/03/malw...kan-dream.html
___
Fake 'MX62EDO' SPAM - malicious attachment
- http://blog.dynamoo.com/2016/03/malw...-01032016.html
1 Mar 2016 - "This -fake- document scan has a malicious attachment. It appears to come from within the victim's own domain.
From: documents@ victimdomain .tld
Date: 1 March 2016 at 13:43
Subject: Emailing: MX62EDO 01.03.2016
Your message is ready to be sent with the following file or link
attachments:
MX62EDO 01.03.2016 SERVICE SHEET
Note: To protect against computer viruses, e-mail programs may prevent
sending or receiving certain types of file attachments. Check your e-mail
security settings to determine how attachments are handled.
This email has been checked for viruses by Avast antivirus software...
I have seen two samples so far, with an attachment that has a similar name to MX62EDO20160301538482.zip which contains a malicious randomly-named script (e.g. PK5293425659.js). Detection rates on the scripts are fairly low [1] [2]. According to these Malwr reports [3] [4] the payload is the Locky ransomware. These two samples download malicious binaries from:
tianshilive .ru/vqmod/xml/87yhb54cdfy.exe
ubermensch .altervista.org/system/logs/87yhb54cdfy.exe
In turn, these attempt to phone home to:
31.184.197.119 /main.php
5.34.183.195 /main.php
These are the -same- C&C servers as seen here*."
1] https://www.virustotal.com/en/file/4...9efa/analysis/
2] https://www.virustotal.com/en/file/0...is/1456840115/
3] https://malwr.com/analysis/MDExMGY0O...UxNTAwMWE1NWI/
Hosts
5.101.152.42
31.184.197.119
4] https://malwr.com/analysis/Yzk3OTI3N...FmMWU2NTQ2ZjI/
Hosts
176.9.24.196
5.34.183.195
* http://blog.dynamoo.com/2016/03/malw...mer-it-is.html
___
Tesco Bank - 'Interest Rate And Tax' Phish
- http://myonlinesecurity.co.uk/tesco-...-tax-phishing/
1 Mar 2016 - "There are a few major common subjects in a phishing attempt. Lots of them are either PayPal or your Bank or Credit Card.. This one from Tesco is no exception... The link in this case goes to:
http ://grupomathile .com.br/hhaa/hhaa.html which -redirects- to:
http ://agapechurchindia .org/jss/tesco/tesco/Log.htm
This particular phishing campaign starts with an email with-a-link:
Screenshot: http://myonlinesecurity.co.uk/wp-con...x-1024x511.png
If you fill in the user name you get sent on to a series of pages asking for more information:
> http://myonlinesecurity.co.uk/wp-con...1-1024x558.png
... which is a typical phishing page that looks very similar to a genuine Tesco Bank page, if you don’t look carefully at the URL in the browser address bar..."
:fear::fear: :mad:
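The dynamoo 'Your Order' item above shows a Subject that is a valid RFC 2047 encoded-word and a From whose encoded-word has lost its `?UTF-8?B?` opening, which is why the report calls the headers mangled. As an added example, not code from dynamoo or myonlinesecurity, the Python below decodes the well-formed header with the standard library and makes a best-effort recovery of the broken one, reporting each header's status; a mangled encoded-word is itself a signal a mail filter can act on, since no normal client emits one. The headers are constructed in the shape quoted in the report (the From mailbox is a placeholder), and `header_findings`, `recover_mangled_word` and the tolerance of up to three junk characters are the example's own choices.

```python
import base64
import binascii
import re
from email.header import decode_header, make_header

# Constructed headers in the shape quoted in the report. The Subject is a valid
# RFC 2047 encoded-word; the From carries a base64 run that lost its "?UTF-8?B?"
# charset/encoding prefix. The mailbox is a placeholder, not the one on the page.
SAMPLE_HEADERS = {
    "From": "=cU3RlZmFuaWUgU3VsbGl2YW4=?= [sender@example.invalid]",
    "Subject": "=?UTF-8?B?RGVsYXkgd2l0aCBZb3VyIE9yZGVyICM3QjZCN0UwOCwgSW52b2ljZSAjMzI1ODMzNDY=?=",
}

# A well-formed encoded-word: =?charset?B|Q?payload?=
ENCODED_WORD = re.compile(r"=\?[^?]+\?[bBqQ]\?[^?]*\?=")
# A base64-looking run that ends in "?=" but has no "=?charset?B?" opening.
MANGLED_WORD = re.compile(r"=[A-Za-z0-9+/]{8,}={0,2}\?=")


def decode_encoded(value):
    """Decode a header value containing well-formed encoded-words (stdlib does the work)."""
    return str(make_header(decode_header(value)))


def recover_mangled_word(value):
    """Best effort: pull the bare base64 run out of a broken encoded-word and decode it.
    Up to three leading junk characters are tolerated (the sample header has one)."""
    m = MANGLED_WORD.search(value)
    if not m:
        return None
    token = m.group(0)[1:-2]                     # drop leading '=' and trailing '?='
    for start in range(4):
        candidate = token[start:]
        if len(candidate) % 4:                   # base64 comes in groups of four
            continue
        try:
            return base64.b64decode(candidate, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue
    return None


def header_findings(headers):
    """Return (header name, status, decoded text) for every header that uses encoded-words.
    status is 'well-formed' or 'mangled'; decoded text is None when recovery fails."""
    findings = []
    for name, value in headers.items():
        if ENCODED_WORD.search(value):
            findings.append((name, "well-formed", decode_encoded(value)))
        elif MANGLED_WORD.search(value):
            findings.append((name, "mangled", recover_mangled_word(value)))
    return findings


if __name__ == "__main__":
    for name, status, text in header_findings(SAMPLE_HEADERS):
        print(f"{name}: {status}: {text!r}")
```

The recovered text is only for the analyst's benefit; the filter decision should rest on the `mangled` status, not on what the junk happened to decode to.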
-
Fake 'Invoices', 'Package', 'Invoice Copy', 'remittance advice' SPAM, TeslaCrypt
FYI...
Fake 'Invoices' SPAM - malicious attachment
- http://blog.dynamoo.com/2016/03/malw...tstanding.html
2 Mar 2016 - "These randomly-generated financial spam emails come with a malicious attachment:
From: Buckminster U. Petty
Date: 2 March 2016 at 07:55
Subject: Outstanding Invoice
Please check the receipt attached to this message. The Transaction will be posted on your account within 48 hours.
----------
From: Astra B. Fuller
Date: 2 March 2016 at 08:08
Subject: Fwd: ZYL Invoice
Please find the payment details attached to this message. The Transfer should appear on your account in 2 days.
----------
From: Audrey U. Oneil
Date: 2 March 2016 at 07:34
Subject: Re: Sales Invoice
Please review the invoice attached to this message. The Transfer should appear on your bank in 48 hours.
Attached is a randomly-named file with an -RTF- extension which is actually a -DOCX- file in disguise. I have seen three different attachments with detection rates of 1/55 [1] [2] [3] and the Malwr reports for those [4] [5] [6] show the macro contained within downloading from the following locations:
thevillagelounge .nl/e.jpg?LnRiNLIoPC3=55
creeko .com/d.jpg?GIk1nRWM0r27m5Ss=50
creeko .com/d.jpg?GIk1nRWM0r27m5Ss=8
The VirusTotal results for the two unique binaries dropped are 3/55 [7] [8] but automated analysis.. is inconclusive. It looks rather like -ransomware- but I cannot confirm this."
1] https://www.virustotal.com/en/file/7...is/1456908576/
2] https://www.virustotal.com/en/file/5...is/1456908593/
3] https://www.virustotal.com/en/file/e...is/1456908601/
4] https://malwr.com/analysis/ODdkNDBmY...A2NjU4OGQ4YjA/
Hosts
172.231.69.95
209.242.233.7: https://www.virustotal.com/en/ip-add...7/information/
5] https://malwr.com/analysis/ZWZhZDRhN...M3MmRjYTFmOGY/
Hosts
172.231.69.95
209.242.233.7: https://www.virustotal.com/en/ip-add...7/information/
6] https://malwr.com/analysis/OWVkMTU4Z...Y1NTQ2MzAyM2E/
Hosts
172.231.69.95
178.251.196.62: https://www.virustotal.com/en/ip-add...2/information/
7] https://www.virustotal.com/en/file/e...is/1456909038/
8] https://www.virustotal.com/en/file/d...is/1456909051/
creeko .com: 209.242.233.7: https://www.virustotal.com/en/ip-add...7/information/
thevillagelounge .nl: 178.251.196.62: https://www.virustotal.com/en/ip-add...2/information/
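Two attachment tricks recur in the reports above: a zip whose only member is a `.js` downloader (the 'March Invoice', 'Your Order' and 'MX62EDO' runs), and a file with an `.rtf` extension that is really a DOCX container carrying a macro (the 'Invoices' run just above). As an added example, not code from dynamoo, myonlinesecurity or any of the quoted sites, the Python below shows the gateway-side checks those patterns call for: script members inside an archive, an extension that disagrees with the file's magic bytes, a `vbaProject.bin` member (the macro storage in an OOXML document), and a document-looking double extension such as `invoice.doc.js`. The sample attachments are constructed in memory, and `screen_attachment`, the extension sets and the reason strings are the example's own choices.

```python
import io
import os
import zipfile

SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".cmd", ".bat", ".ps1", ".exe", ".scr"}
MACRO_EXTS = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm"}
DOC_LOOKING = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".jpg", ".txt"}

# Magic bytes for the container formats the reports mention.
MAGIC = [
    (b"PK\x03\x04", "zip"),          # plain zip and OOXML (.docx/.xlsx/.docm are zips)
    (b"{\\rtf", "rtf"),
    (b"\xd0\xcf\x11\xe0", "ole"),    # legacy binary .doc/.xls (CFBF)
    (b"MZ", "pe"),                   # Windows executable
]
# What the extension claims the bytes should be.
EXPECTED_KIND = {".zip": "zip", ".docx": "zip", ".xlsx": "zip", ".docm": "zip", ".xlsm": "zip",
                 ".rtf": "rtf", ".doc": "ole", ".xls": "ole", ".exe": "pe", ".scr": "pe"}


def sniff(data):
    """Identify the container format from its leading bytes."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def screen_attachment(filename, data):
    """Return a list of reasons to hold the attachment; an empty list means none found."""
    name = filename.lower()
    base, ext = os.path.splitext(name)
    kind = sniff(data)
    reasons = []
    if ext in MACRO_EXTS:
        reasons.append(f"macro-enabled Office type {ext}")
    if ext in SCRIPT_EXTS:
        reasons.append(f"script/executable extension {ext}")
    if os.path.splitext(base)[1] in DOC_LOOKING and ext in SCRIPT_EXTS:
        reasons.append("document-looking double extension")
    if ext in EXPECTED_KIND and kind != EXPECTED_KIND[ext]:
        reasons.append(f"extension {ext} but content looks like {kind}")
    if kind == "zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    member_l = member.lower()
                    if os.path.splitext(member_l)[1] in SCRIPT_EXTS:
                        reasons.append(f"archive contains script {member}")
                    if member_l.endswith("vbaproject.bin"):
                        reasons.append("archive contains VBA project (macro)")
        except zipfile.BadZipFile:
            reasons.append("zip signature but archive is unreadable")
    return reasons


def make_zip(members):
    """Build an in-memory zip from {name: content}; used only to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member, content in members.items():
            zf.writestr(member, content)
    return buf.getvalue()


# Constructed samples shaped like the attachments the reports describe.
SAMPLES = {
    "INV09BEE9.zip": make_zip({"statistics_60165140386.js": "// constructed stand-in"}),
    "report_8831.rtf": make_zip({"[Content_Types].xml": "<Types/>",
                                 "word/document.xml": "<w:document/>",
                                 "word/vbaProject.bin": "constructed"}),
    "notes.rtf": b"{\\rtf1\\ansi Hello}",
    "memo.docx": make_zip({"[Content_Types].xml": "<Types/>", "word/document.xml": "<w:document/>"}),
    "invoice.doc.js": b"// constructed stand-in",
}

if __name__ == "__main__":
    for fname, blob in SAMPLES.items():
        print(fname, "->", screen_attachment(fname, blob) or "clean")
```

The "spoofed icon" trick the reports mention lives in the executable's resources, so a gateway cannot see it; what it can see is the extension and the bytes, which is why the checks above key on those. On the user side the mitigation is the "show known file extensions" setting the same reports point to.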
___
Fake 'Package' SPAM – JS malware/ransomware
- http://myonlinesecurity.co.uk/packag...to-ransomware/
2 Mar 2016 - "An email with the subject of 'Package # 16049177' [random numbered] that matches the attachment and the number in the body of the email, pretending to come from random email addresses, names and companies with a zip attachment is another one from the current bot runs... The email looks like:
From: Alyson cockcroft <cockcroftAlyson2993@ arc-performance .com> ( random senders)
Date: Wed 02/03/2016 10:14
Subject: Package # 16049177
Attachment: Invoice_ref-16049177.zip
Dear Client,
Your replacement package was shipped 5 days ago and is now being transferred to your local post office.
The package identification number is # 16049177 , please double-check the information on it in the file attached below.
We are grateful for your purchase from our shop and are very sorry for the inconvenience.
2 March 2016: Invoice_ref-16049177.zip: Extracts to: invoice_scan_EdcJqY.js - Current VirusTotal detections 5/56*
MALWR** shows a download of what looks like Teslacrypt rather than Locky ransomware based on the file names and locations from either http ://ohelloweuqq .com/69.exe or http ://soclosebutyetqq .com/69.exe
(VirusTotal 4/56***).. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/d...is/1456913677/
** https://malwr.com/analysis/ZTcwMTE0M...A1YTEwNzQ5M2I/
104.232.35.31: https://www.virustotal.com/en/ip-add...1/information/
91.196.50.241: https://www.virustotal.com/en/ip-add...1/information/
*** https://www.virustotal.com/en/file/0...is/1456916592/
TCP connections
194.228.3.204: https://www.virustotal.com/en/ip-add...4/information/
___
Fake 'Invoice Copy' SPAM - doc macro/ransomware
- http://myonlinesecurity.co.uk/invoic...ky-ransomware/
2 Mar 2016 - "An email with the subject of 'Invoice Copy' pretending to come from random senders with a malicious word doc attachment is another one from the current bot runs... The email looks like:
From: Jerrod Parker <ParkerJerrod02870@ kabel-deutschland .de>
Date: Wed 02/03/2016 10:15
Subject: Invoice Copy
Attachment: scan_559376.doc
Dear Customer,
Please make sure you send payment for your parcel to avoid any inconvenience. Open the attached file to review the confirmation listing.
Thank you for your business – we appreciate it very much.
Sincerely,
Jerrod Parker
Account Manager
-Or:
Dear User,
Your order will be shipped shortly, we apologize for the troubles. Please, review the invoice in the attached file.
Thank you for your business – we appreciate it very much.
Sincerely,
Johnnie Newman
Project Manager
2 March 2016: scan_559376.doc - Current VirusTotal detections 6/55*
MALWR shows a download from http ://cabanasestina .ro/num/5buybbtyu8 ... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/4...is/1456917614/
cabanasestina .ro: 188.213.205.89: https://www.virustotal.com/en/ip-add...9/information/
>> https://www.virustotal.com/en/url/73...6cb4/analysis/
___
Fake 'remittance advice' SPAM - JS malware/ransomware
- http://myonlinesecurity.co.uk/remitt...to-ransomware/
2 Mar 2016 - "An email pretending to be a remittance advice for the payment made on the 19th Feb 2015 from Hillsong Church London with a random subject of 'MEARS GROUP March Invoice #17577' [random numbered] and random company names pretending to come from random senders with a zip attachment is another one from the current bot runs... The name of the alleged sender matches the name in the email body... The email looks like:
From: Osvaldo West <West.Osvaldo736@ ttml .co.in>
Date: Wed 02/03/2016 12:16
Subject: MEARS GROUP March Invoice #17577
Attachment: Hillchurch-C7EA2.zip or Hillsong-914FCE.xls
Hi there,
Please find the remittance advice for the payment made on the 19th Feb 2015 from Hillsong Church London.
Please let me know if there are any queries.
Kind regards,
Osvaldo West ...
2 March 2016: Hillchurch-C7EA2.zip: Extracts to: TR914740032016.js - Current VirusTotal detections 3/56*
MALWR** shows a download from http ://doaemdpmekd.securalive .eu/8fjvimkel1/c987ah8j9ei1.php (VirusTotal 2/55***)
which gave me readme.exe ...
2 March 2016: Hillsong-914FCE.xls - Current VirusTotal detections 2/55[4]
which is being detected as a Dridex downloader. -Both- Locky Ransomware and Dridex banking Trojans use the -same- download mechanisms and until you actually see the payload, it is impossible to tell whether it is Dridex or Locky.. MALWR shows a download from http ://oimedoaeklmrf.giftcardnanny .ca/nu2o3mk4/c987ah8j9ei1.php which gave me likeaboss.exe (VirusTotal 2/56[5]).. this is the -same- malware file as the js version so is more likely to actually be Dridex rather than Locky... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/2...is/1456921684/
** https://malwr.com/analysis/YTUzYWZiY...A3NWU1ZTJlZjc/
Hosts
193.201.227.90: https://www.virustotal.com/en/ip-add...0/information/
24.172.94.181
13.107.4.50: https://www.virustotal.com/en/ip-add...0/information/
*** https://www.virustotal.com/en/file/d...is/1456922055/
TCP connections
24.172.94.181
13.107.4.50: https://www.virustotal.com/en/ip-add...0/information/
4] https://www.virustotal.com/en/file/b...is/1456922090/
5] https://www.virustotal.com/en/file/d...is/1456922631/
TCP connections
24.172.94.181
13.107.4.50: https://www.virustotal.com/en/ip-add...0/information/
doaemdpmekd.securalive .eu: 193.201.227.90: https://www.virustotal.com/en/ip-add...0/information/
oimedoaeklmrf.giftcardnanny .ca: 193.201.227.90
- http://blog.dynamoo.com/2016/03/malw...ng-church.html
2 Mar 2016 - "... the body text is from a church..
Hi there,
Please find the remittance advice for the payment made on the 19th Feb 2015 from
Hillsong Church London...
... all these locations are on the same server (and are the same binary), hosted on:
193.201.227.90 (PE Tetyana Mysyk, Ukraine)
According to VirusTotal*, there are a few -hijacked- GoDaddy subdomains on that IP. This method is a little unusual for this type of attack... this Hybrid Analysis** show the malware phoning home to:
24.172.94.181 (Time Warner Cable, US)
It isn't entirely clear what the payload is, but it is probably Dridex or possibly some form of ransomware.
Recommended blocklist:
193.201.227.90
24.172.94.181 "
* https://www.virustotal.com/en/ip-add...0/information/
** https://www.hybrid-analysis.com/samp...nvironmentId=4
___
Fake 'March Invoice' SPAM - xls malware
- http://myonlinesecurity.co.uk/le-mar...sheet-malware/
2 Mar 2016 - "An email with the subject of 'ENABLES IT GROUP PLC March Invoice #39903' (random company names and invoice numbers) pretending to come from random names with a malicious Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
From: Ina Wolfe <Wolfe.Ina680@ intex .in>
Date:
Subject: ENABLES IT GROUP PLC March Invoice #39903
Attachment: Hillsong-838834.xls
Afternoon,
Please find attached a copy of our bank details.
If we can be of further assistance then please do not hesitate to contact me
Many thanks,
Ina Wolfe
Credit Controller
Le Mark Self-Adhesive Ltd. ...
2 March 2016: Hillsong-838834.xls - When renamed to zip & extracted you get SCAN7420032016.js (VirusTotal 3/56*)
MALWR shows a download from http ://aoieofnv.lotnine .com/8fjvimkel1/c987ah8j9ei1.php which is the -same- malware as described in THIS post**... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/4...is/1456931124/
** http://myonlinesecurity.co.uk/remitt...to-ransomware/
aoieofnv.lotnine .com: 193.201.227.90: https://www.virustotal.com/en/ip-add...0/information/
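A quick check that a mail gateway or an analyst can run on attachments like the ones in these posts: the Dynamoo post above describes an .rtf that is really a DOCX, and this 'March Invoice' post an .xls that, renamed to .zip, yields a .js. Both facts are visible from the first bytes of the file and from the ZIP member list, without opening anything in Office. The Python below is an added example, not code from either blog; the attachments it inspects are constructed in memory (only the file names echo the posts, the contents are harmless stubs), and the signature table covers only the container formats these runs used.

```python
"""Attachment triage for the lures described above: does the claimed
extension match the bytes, and what is inside a ZIP container?

Added example, not code from the blog posts quoted on this page. The
attachments below are constructed in memory; only their names echo the
posts, the contents are synthetic."""
import io
import os
import zipfile

# Magic bytes for the container formats these spam runs used. OOXML
# (DOCX/DOCM/XLSX/XLSM) is a ZIP, so it sniffs as "zip".
SIGNATURES = [
    (b"PK\x03\x04", "zip"),
    (b"{\\rtf", "rtf"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),   # legacy .doc/.xls
    (b"MZ", "pe"),                                   # Windows executable
]

# Extensions a file of each sniffed kind may legitimately carry.
EXPECTED = {
    "zip": {".zip", ".docx", ".docm", ".xlsx", ".xlsm", ".pptx", ".pptm"},
    "rtf": {".rtf"},
    "ole": {".doc", ".xls", ".ppt", ".msg"},
    "pe": {".exe", ".dll", ".scr"},
}

# Extensions Explorer hides by default that execute when double-clicked.
SCRIPT_EXTS = {".js", ".jse", ".wsf", ".vbs", ".vbe", ".hta", ".exe", ".scr"}


def sniff(data):
    """Return the container kind implied by the leading bytes."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    return "unknown"


def triage(name, data):
    """Return the list of findings for one attachment (empty if nothing odd)."""
    findings = []
    ext = os.path.splitext(name)[1].lower()
    kind = sniff(data)
    if kind in EXPECTED and ext not in EXPECTED[kind]:
        findings.append(f"name says {ext or '(none)'} but bytes say {kind}")
    if kind == "pe":
        findings.append("content is a Windows PE executable")
    if kind == "zip":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = zf.namelist()
        for m in members:
            if m.endswith("vbaProject.bin"):
                findings.append(f"zip member {m}: VBA macro project")
            elif os.path.splitext(m)[1].lower() in SCRIPT_EXTS:
                findings.append(f"zip member {m}: runs as script/executable")
    return findings


def build_zip(members):
    """Construct a ZIP in memory (test fixture, not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member, content in members.items():
            zf.writestr(member, content)
    return buf.getvalue()


# Constructed attachments. Names follow the posts; contents are harmless stubs.
SAMPLES = {
    # a DOCM wearing an .rtf name, as in the Dynamoo post (this name is made up)
    "advice-00001.rtf": build_zip({
        "[Content_Types].xml": "<Types/>",
        "word/document.xml": "<w:document/>",
        "word/vbaProject.bin": b"\xd0\xcf\x11\xe0stub",
    }),
    # an .xls name on a ZIP holding a .js downloader ('March Invoice' post)
    "Hillsong-838834.xls": build_zip({"SCAN7420032016.js": "// stub"}),
    # a plain ZIP lure with a .js inside ('Package' post)
    "Invoice_ref-16049177.zip": build_zip({"invoice_scan_EdcJqY.js": "// stub"}),
    # a genuine RTF, for contrast
    "notes.rtf": b"{\\rtf1\\ansi Hello}",
}


def triage_all(samples=SAMPLES):
    return {name: triage(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, findings in triage_all().items():
        print(name, "->", findings or ["clean"])
```

The check deliberately keys on the bytes rather than the name: an OOXML document is a ZIP whatever it is called, so a macro project or a .js member shows up even when the extension says .rtf or .xls. Real OLE2 .doc/.xls files need an OLE parser to find their macro streams; this example only flags their container type.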
___
Fake 'Invoice Scan/copy' SPAM - doc macro malware
- http://myonlinesecurity.co.uk/paymen...macro-malware/
2 Mar 2016 - "An email with the subject of 'Payment Confirmation / Invoice Scan / Invoice copy' pretending to come from random email addresses with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
From: Gavin Gaines <GainesGavin739@ iconpln .net.id>
Date: Wed 02/03/2016 14:07
Subject: Payment Confirmation / Invoice Scan / Invoice copy
Attachment: scan_174761.doc
Dear Customer,
Please review the attached copy of your Electronic document.
Thank you for your business – we appreciate it very much.
Sincerely,
Gavin Gaines
Account Manager
-Or:
Dear Member,
The mistake made will be compensated promptly, please do not worry. Please
take a look at the file attached as it contains all the information.
Thank you for your business – we appreciate it very much.
Sincerely,
Marisol Lara
Account Manager
2 March 2016: scan_174761.doc - Current VirusTotal detections 6/56*
MALWR isn’t showing any download on this one but that might be due to analysis protection more than anything else... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/f...is/1456927470/
___
Fake 'Whitehouse paperwork' SPAM - JS malware / Locky ransomware
- http://myonlinesecurity.co.uk/whiteh...ky-ransomware/
2 Mar 2016 - "An email with the subject of 'Whitehouse paperwork' pretending to come from 'Admin' at your own email domain with a zip attachment is another one from the current bot runs... The email looks like:
From: admin <admin@ victimdomain .tld>
Date: Wed 02/03/2016 14:48
Subject: Whitehouse paperwork
Attachment: 201603021282046970.zip
This E-mail was sent from “RNPDD9C46” (Aficio MP C2500).
Scan Date: Wed, 02 Mar 2016 19:18:02 +0430
2 March 2016: 201603021282046970.zip: Extracts to: OR5121206096.js - Current VirusTotal detections 6/56*
MALWR shows a download from http ://cocowashi .com/system/logs/76tr5rguinml.exe (VirusTotal 4/56**) which is locky ransomware... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/1...is/1456933931/
** https://www.virustotal.com/en/file/e...is/1456934341/
TCP connections
109.237.111.168: https://www.virustotal.com/en/ip-add...8/information/
cocowashi .com: 50.118.112.2: https://www.virustotal.com/en/ip-add...2/information/
>> https://www.virustotal.com/en/url/53...d99b/analysis/
___
Fake 'Order reference' SPAM - JS malware/Teslacrypt
- http://myonlinesecurity.co.uk/order-...to-teslacrypt/
2 Mar 2016 - "An email with the subject of 'Order reference # 58087317' [random numbered] pretending to come from random email addresses, companies and names with a zip attachment is another one from the current bot runs... The email looks like:
From: Felecia niven <nivenFelecia41@ neukoelln-arcaden .de>
Date: Wed 02/03/2016 17:09
Subject: Order reference # 58087317
Attachment: Invoice_ref-58087317.zip
Dear Customer,
We apologize for the troubles with your parcel # 58087317 and can assure you that this mistake will not be happening again.
Please, check the information on this case in the attachment.
Taking in consideration the problem on your order we also included info on your bonus of $483,35 , which you may use during your next order.
2 March 2016: Invoice_ref-58087317.zip: Extracts to: invoice_copy_wvpthP.js - Current VirusTotal detections 9/56*
MALWR** shows a download from http ://soclosebutyetqq .com/80.exe or http ://ohelloweuqq .com/80.exe
(VirusTotal 4/56***) Which is almost certainly Teslacrypt ransomware.. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a safe file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/e...is/1456942781/
** https://malwr.com/analysis/Y2UwMDRlN...JiMDI4NmY2YzE/
Hosts
104.232.35.31: https://www.virustotal.com/en/ip-add...1/information/
>> https://www.virustotal.com/en/url/f2...b20f/analysis/
173.82.74.197: https://www.virustotal.com/en/ip-add...7/information/
*** https://www.virustotal.com/en/file/6...is/1456942277/
TCP connections
194.228.3.204: https://www.virustotal.com/en/ip-add...4/information/
soclosebutyetqq .com: 173.82.74.197: https://www.virustotal.com/en/ip-add...7/information/
91.196.50.241: https://www.virustotal.com/en/ip-add...1/information/
>> https://www.virustotal.com/en/url/97...2241/analysis/
ohelloweuqq .com: 104.232.35.31: https://www.virustotal.com/en/ip-add...1/information/
50.3.16.250: https://www.virustotal.com/en/ip-add...0/information/
>> https://www.virustotal.com/en/url/25...e9b7/analysis/
___
Fake 'Visa benefits, rewards' leads to TeslaCrypt ransomware
- http://www.symantec.com/connect/fr/b...ypt-ransomware
01 Mar 2016 - "... recently observed a -spam-campaign- offering -fake- Visa rewards and benefits as -bait- to deliver -ransomware- to recipients’ computers. The email in this particular campaign purports to come from 'Visa Total Rewards' and provides details about the benefits of using Visa credit cards. Attached to the email is an archive file which poses as a -whitepaper- containing more information about the supposed rewards and benefits offered by the program. If the recipient opens the attachment, they will see only an obfuscated JavaScript file (detected as JS.Downloader):
> http://www.symantec.com/connect/site...ure1-email.png
If the recipient is fooled into opening the JavaScript file, the script downloads a -variant- of the TeslaCrypt ransomware (detected as Trojan.Cryptolocker.N) from the specified URL and runs it. A few minutes later, a message is displayed stating that all of the user’s files have been encrypted and payment in Bitcoin is required to decrypt the files:
> http://www.symantec.com/connect/site...re-2-tesla.png
The ransomware provides more information to victims on a personalized home page and demands a payment of US$500 (or 1.2 bitcoins) within 160 hours of infection in order to unlock the encrypted files. If the transaction is not made within the specified time frame, the price doubles to $1,000. This page provides a contact form that offers assistance in case of payment issues or any other problems the victims may run into. There is also an opportunity to decrypt a single file for no fee to prove that the files can be properly decrypted:
> http://www.symantec.com/connect/site...igure3-pay.png
The vast majority of the spam is being distributed to English-speaking countries, with the UK (40 percent) and the US (36 percent) most targeted. Other regions around the globe are affected as well:
> http://www.symantec.com/connect/site...ie-chart_0.png
... Tips on protecting yourself from ransomware:
•Regularly back up any files stored on your computer. If your computer does become infected with ransomware, your files can be restored once the malware has been removed.
•Always keep your security software up to date to protect yourself against any new variants of malware.
•Keep your operating system and other software updated. Software updates will frequently include patches for newly discovered security vulnerabilities that could be exploited by attackers.
•Delete any suspicious-looking emails you receive, especially if they contain links or attachments..."
-
Fake 'FreePDF', 'Receipt', 'Order Delay', 'Hyperama' SPAM, Teslacrypt, Phishing surge
FYI...
Fake 'FreePDF' SPAM - doc malware
- http://myonlinesecurity.co.uk/freepd...macro-malware/
3 Mar 2016 - "An email with the subject of 'FreePDF: 1922110915192.doc' pretending to come from Worrall, Antony <Ant.Worrall@ cmco .eu> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...
Screenshot: http://myonlinesecurity.co.uk/wp-con...u-1024x556.png
3 March 2016: 1922110915192.docm - Current VirusTotal detections 3/56*
MALWR** shows a download from http ://corsian .com/system/logs/98yh87b564f.exe which looks like Dridex banking Trojan from the MALWR quick overview, but might be some sort of ransomware (VirusTotal 4/55***)...
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/6...is/1457001459/
** https://malwr.com/analysis/NWExZmZkM...YzNzY4MDViNTA/
Hosts
173.0.136.57
188.40.224.78
8.254.249.78
*** https://www.virustotal.com/en/file/6...is/1457001741/
TCP connections
188.40.224.78: https://www.virustotal.com/en/ip-add...8/information/
8.253.82.30: https://www.virustotal.com/en/ip-add...0/information/
- http://blog.dynamoo.com/2016/03/malw...025984doc.html
3 Mar 2016 - "This -fake- financial spam has a malicious attachment.
From "Worrall, Antony" [Ant.Worrall@ cmco .eu]
Date Thu, 03 Mar 2016 14:25:14 +0430
Subject FreePDF: 1922110025984.doc
Attached is a randomly-named file that matches the reference in the subject. The payload appears to be the Dridex banking trojan, as seen in this earlier spam run*."
* http://blog.dynamoo.com/2016/03/malw...no-173535.html
___
Fake 'Receipt' SPAM - malicious attachment
- http://blog.dynamoo.com/2016/03/malw...no-173535.html
3 Mar 2016 - "This spam does not come from KM Media Group but it is instead a simple -forgery- with a malicious attachment:
From Sally Webb [swebb@thekmgroup .co.uk]
Date Thu, 03 Mar 2016 10:58:07 +0100
Subject Receipt - Order No 173535
regards,
Sally
*Sally Webb*
Recruitment Media Sales Executive
KM Media Group
DDI : 01622 794500 ...
Attached is a file Receipt - Order No 173535.docm which comes in several different versions with detection rates around 3/55*. Analysis from another source (thank you) gives download locations... The initial payload has a detection rate of 4/55** which has now been -updated- with a -new- payload with a similar detection rate. My source says that this is Dridex botnet 220 (not Locky) with C&C servers at:
188.40.224.78 (Hetzner / NoTaG Community, Germany)
78.108.93.186 (Majordomo LLC, Russia)
87.106.8.177 (1&1, Germany)
91.236.4.234 (FHU Climax Rafal Kraj, Poland)
Recommended blocklist:
188.40.224.78
78.108.93.186
87.106.8.177
91.236.4.234 "
* https://www.virustotal.com/en/file/1...c76f/analysis/
** https://www.virustotal.com/en/file/6...ce97/analysis/
TCP connections
188.40.224.78
8.253.82.30
___
Fake 'Order Delay' SPAM - JS malware leading to Teslacrypt
- http://myonlinesecurity.co.uk/order-...to-teslacrypt/
3 Mar 2016 - "An email with the subject of 'Order Delay – Package Ref. 91063856' [random numbered] pretending to come from random names and email addresses with a zip attachment is another one from the current bot runs... The email looks like:
From: Ernestine simister <simisterErnestine49836@ mail.vistony .com>
Date: Thu 03/03/2016 16:52
Subject: Order Delay – Package Ref. 91063856
Attachment: Invoice_ref-91063856.zip
Respected Customer,
The delay of your parcel ref. # 91063856 cannot be controlled due to the unstable weather conditions in our region.
We are doing everything we can to arrange the best shipping time for your package.
Please check the information on your purchase in the attached file. There your will also find the info on the new delivery time.
Sincerely,
Sales Department Manager ...
3 March 2016: Invoice_ref-91063856.zip: Extracts to: invoice_SCAN_WxapPe.js - Current VirusTotal detections 3/56*
MALWR** shows a download from http ://isthereanybodyqq .com/69.exe?1 or
http ://ujajajgogoff .com/69.exe?1 (currently down) which is Teslacrypt ransomware (VirusTotal 4/54***)
This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/6...is/1457023881/
** https://malwr.com/analysis/MjU2YWMwY...ZhMGNjZjA5Yjk/
Hosts
50.3.16.250
173.82.74.197
173.201.145.1
108.167.143.8
50.62.66.1
*** https://www.virustotal.com/en/file/d...is/1457024955/
isthereanybodyqq .com: 173.82.74.197: https://www.virustotal.com/en/ip-add...7/information/
>> https://www.virustotal.com/en/url/a4...849f/analysis/
91.196.50.241
78.135.108.94
ujajajgogoff .com: 204.44.84.21: https://www.virustotal.com/en/ip-add...1/information/
162.211.67.244
___
Fake 'Hyperama' SPAM - JS malware leads to Locky ransomware
- http://myonlinesecurity.co.uk/891217...ky-ransomware/
3 Mar 2016 - "An email with a random numbered subject pretending to come from Administrator <tward9232@ hyperama .com> (random numbers afterward) with a zip attachment is another one from the current bot runs... The email looks like:
From: Administrator <tward9232@ hyperama .com>
Date: Mon 18/01/2016 15:26
Subject: 8912179-99
Attachment: doc0022386.zip
Tracey Ward
Purchase Ledger
Hyperama ...
3 March 2016: Edoc0022386.zip: Extracts to: DOC7797628157.js - Current VirusTotal detections 23/56*
MALWR** shows a download of Locky ransomware from http ://anro.kiev .ua/vqmod/vqcache/4trf3g45.exe
.. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/1...is/1441173827/
** https://malwr.com/analysis/ZDNiNmMyO...lhMDVmMGVmOGE/
Hosts
77.87.194.146: https://www.virustotal.com/en/ip-add...6/information/
>> https://www.virustotal.com/en/url/40...6d01/analysis/
192.121.16.196: https://www.virustotal.com/en/ip-add...6/information/
anro.kiev .ua: 77.87.194.146
___
Phishing surges, file-sharing takes lead as most targeted industry of Q1
- http://www.hotforsecurity.com/blog/p...-q1-13472.html
Mar 03, 2016 - "Phishing through file-sharing services has soared in the past three months, making cloud-based file distribution services the most targeted sector of the first quarter of the year, Bitdefender found. Globally, file-sharing is being used to spread phishing scams more than the retail and payment industries, the traditional favorites of hackers. Almost one-in-five-malicious-URLs uses a file-sharing service to deliver malicious payloads to users, recent Bitdefender data shows.
Top 10 Most Targeted Industry Sectors for Internet Phishing
> http://www.hotforsecurity.com/wp-con...t1-768x380.jpg
What the technique lacks in innovation is compensated for by the ease of use and popularity of consumer-grade sharing services. In the past year, Dropbox reached 400 million users who stored 35 billion Microsoft Office files, while Google Drive had 190 million in 2014. As importantly, file-sharing and cloud storage services lack security features to filter harmful content. This helps attackers hide their malware-infected files without a trace... The typical infection flow goes like this: the user receives a genuine-looking email that advises users to click-on-an-embedded-link to view an attached document. The link -redirects- the user to a phishing page hosted on the provider’s domain. The page asks for the user’s credentials, then captures and sends the data to cyber-criminals over SSL. SSL certificates ensure data on a website is submitted in a secure manner, but they do -not- guarantee the site itself is safe. Thus, hackers are taking advantage, buying cheap SSL certificates and using them on phishing websites to appear legitimate... Scammers are usually after more than just cloud storage credentials; the malicious URLs can trick users into downloading file-encrypting ransomware, for instance. And the hazard has become significantly more serious as new ransomware iterations can seize control over files stored on cloud services..."
-
Fake 'Closing bill', 'Remittance' SPAM
FYI...
Fake 'Closing bill' SPAM - xls malware leading to Dridex
- http://myonlinesecurity.co.uk/closin...ing-to-dridex/
4 Mar 2016 - "An email with the subject of 'Closing bill' pretending to come from MyBill <mybill.central@ affinitywater .co.uk> with a malicious Excel XLS spreadsheet attachment is another one from the current bot runs...
Screenshot: http://myonlinesecurity.co.uk/wp-con...r-1024x755.png
4 March 2016: 54138887_51656_18836.xls - Current VirusTotal detections 5/56*
MALWR shows a download from http ://17.rent-shops .ru/system/logs/vbry73f34f.exe (VirusTotal 5/56**)
which looks like Dridex banking Trojan. All the XLS attachments are random names/numbers and all created on the fly. So far I have seen -15- or so all with individual file hashes which doesn’t make it easy.
Other download locations so far discovered include
http ://2.casino-engine .ru/games/megajack/vbry73f34f.exe | http ://prettymom.ru/system/logs/vbry73f34f.exe |
http ://shop-bedep .com/system/logs/vbry73f34f.exe | desean .com.sg/system/logs/vbry73f34f.exe ...
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/0...is/1457083098/
** https://www.virustotal.com/en/file/c...is/1457082565/
- http://blog.dynamoo.com/2016/03/malw...ll-mybill.html
4 Mar 2016 - "... Some additional download locations and C&C servers to block, from another source (thank you!)
jean-daniel .com.ua/system/logs/vbry73f34f.exe
namkeendelights .com/system/logs/vbry73f34f.exe
Overall, some of these download locations look like good candidates for blocking, especially:
81.177.140.123 (Avguro Technologies Ltd, Russia)
210.245.90.206 (FPT Telecom Company, Vietnam)
89.184.72.57 (Internet Invest Ltd., Ukraine)
These additional C&C servers have been seen before:
78.108.93.186 (Majordomo LLC, Russia)
87.106.8.177 (1&1, Germany)
91.236.4.234 (FHU Climax Rafal Kraj, Poland)
Recommended blocklist:
188.165.215.180
78.108.93.186
87.106.8.177
91.236.4.234
81.177.140.123
210.245.90.206
89.184.72.57 "
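The posts above print their indicators defanged ('http ://host .tld'), and two of them make the same operational point: the hijacked GoDaddy subdomains in the remittance run all served one binary from one IP and one URL path, and several of the Dridex C&C addresses in this 'Closing bill' run had "been seen before". Matching proxy logs on the destination IP and the URL path, not only on the hostname, therefore also catches the next rotated subdomain. The Python below is an added example, not from either blog: it refangs the quoted indicators, builds host, path and IP sets from them, and runs them over a few constructed proxy log lines (the log format, timestamps and client addresses are invented for the example).

```python
"""Refang the indicators quoted in the posts above and run them over proxy
logs, matching on destination IP and URL path as well as hostname.

Added example, not code from the blog posts on this page. The indicator
strings are copied from the posts (defanged as they appear there); the
log lines, client addresses and log format are constructed."""
import re
from urllib.parse import urlsplit

# Download URLs as the posts print them ("http ://host .tld/path").
DEFANGED_URLS = [
    "http ://doaemdpmekd.securalive .eu/8fjvimkel1/c987ah8j9ei1.php",
    "http ://oimedoaeklmrf.giftcardnanny .ca/nu2o3mk4/c987ah8j9ei1.php",
    "http ://aoieofnv.lotnine .com/8fjvimkel1/c987ah8j9ei1.php",
    "http ://cocowashi .com/system/logs/76tr5rguinml.exe",
    "http ://17.rent-shops .ru/system/logs/vbry73f34f.exe",
]

# Hosting and C&C addresses from the "Recommended blocklist" sections above.
BLOCKLIST_IPS = {
    "193.201.227.90", "24.172.94.181", "188.40.224.78",
    "78.108.93.186", "87.106.8.177", "91.236.4.234",
}


def refang(s):
    """Undo the defanging used in the quoted posts (plus the common hxxp/[.] forms)."""
    s = s.replace("hxxp", "http").replace("[.]", ".")
    s = re.sub(r"http(s?) ://", r"http\1://", s)
    return re.sub(r"\s+\.", ".", s)


def build_indicators(defanged_urls, ips):
    """Split refanged URLs into the host and path sets we match on."""
    hosts, paths = set(), set()
    for u in defanged_urls:
        parts = urlsplit(refang(u))
        hosts.add(parts.hostname)
        paths.add(parts.path)
    return {"hosts": hosts, "paths": paths, "ips": set(ips)}


# Constructed proxy log format: time client dest method url status
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d+)$"
)

# Constructed log lines (not from a real incident). Line 1 uses a subdomain
# that is not on the list but the known IP and path; line 4 a listed hostname.
LOG_LINES = [
    "2016-03-02T12:31:07Z 10.1.2.33 193.201.227.90 GET http://xyzq.securalive.eu/8fjvimkel1/c987ah8j9ei1.php 200",
    "2016-03-02T12:31:10Z 10.1.2.33 24.172.94.181 POST http://24.172.94.181/ 200",
    "2016-03-02T12:40:00Z 10.1.2.57 93.184.216.34 GET http://example.com/index.html 200",
    "2016-03-03T09:02:44Z 10.1.2.90 50.118.112.2 GET http://cocowashi.com/system/logs/76tr5rguinml.exe 200",
]


def scan(lines, ind):
    """Return (client, url, reasons) for each log line that matches an indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue          # unparseable line; a real tool would count these
        parts = urlsplit(m["url"])
        reasons = []
        if m["dst"] in ind["ips"]:
            reasons.append("ip")
        if parts.hostname in ind["hosts"]:
            reasons.append("host")
        if parts.path in ind["paths"]:
            reasons.append("path")
        if reasons:
            hits.append((m["src"], m["url"], reasons))
    return hits


if __name__ == "__main__":
    for src, url, why in scan(LOG_LINES, build_indicators(DEFANGED_URLS, BLOCKLIST_IPS)):
        print(f"{src} -> {url}  matched on {', '.join(why)}")
```

The first constructed line is the case the remittance post describes: a subdomain nobody has listed yet, served from the same IP with the same path, so the hit comes from the IP and path sets while the host set misses. Path matching is the weakest of the three signals on its own (a shared path like /system/logs/ is not unique), which is why each hit carries its reasons rather than a single score.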
___
Fake 'Remittance' SPAM - malicious .rtf attachment
- http://myonlinesecurity.co.uk/remitt...macro-malware/
4 Mar 2016 - "An email with the subject of 'Remittance' coming from random email addresses, companies and names with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
From: Bridgette – WITAN PACIFIC INVESTMENT TRUST <Cunningham.Bridgette3@ leonduniec .com>
Date: Fri 04/03/2016 10:30
Subject: Remittance
Attachment: rem.advice-3798605447.rtf
Dear Sir/Madam,
Hope you are well. I am writing you to let you know that full amount specified in the contract has been paid into your bank account on the 1st of March at 14 through BACS payment system and should reach the destination (beneficiary’s) account within 3 working days.
To see full payment details please refer to the remittance advice note attached to the letter.
Any queries? Please reply back with your questions and you will receive a prompt and qualitative response as soon as possible. Please do not hesitate to write us.
Bridgette Cunningham ...
4 March 2016: rem.advice-3798605447.rtf - Current VirusTotal detections 2/56*
MALWR is unable to detect any HTTP connection or download any malware; that is probably due to anti-analysis protection in the RTF. It will almost certainly turn out to download the Dridex banking trojan, Locky or another similar ransomware..
Update: Dynamoo[1] has posted some locations for the downloads which appear to be Dridex banking Trojan..
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/b...is/1457091062/
1] http://blog.dynamoo.com/2016/03/malw...om-random.html
4 Mar 2016 - "This fake financial spam appears to come from random companies. The body text is similar in all cases.
Sample 1: From: Ignacio - Floris of London
Date: 4 March 2016 at 09:42
Subject: Remittance
Dear Sir/Madam,
I hope you are well. I am writing you to let you know that total amount qualified in the contract has been sent to your bank account on the 3rd of March at 14 through BACS payment system and should reach the destination (beneficiary's) account within 3 working days.
To see full payment details please refer to the remittance advice note attached to the letter
Any queries? Please reply back with your questions and you will receive a prompt and qualitative response as soon as possible. Please do not hesitate to write us.
Ignacio Knox
Accounts Payable
... This is the -same- IP as seen here* which Sophos identified as being Dridex.
Recommended blocklist:
31.131.24.76
24.172.94.181 "
* https://www.sophos.com/en-us/threat-...-analysis.aspx
___
The Rules Of Spam ...
- http://bruce.pennypacker.org/2005/02...rules-of-spam/
"... Rule #1: Spammers lie...
... Rule #2: If a spammer seems to be telling the truth, see Rule #1..."
ref via: http://blog.dynamoo.com/
___
New Macro Malware - Uses Forms to Store its Code
- http://blog.trendmicro.com/trendlabs...ms-store-code/
Mar 3, 2016 - "The resurgence and continued prevalence of macro malware could be linked to several factors, one of which is their ability to -bypass- traditional antimalware solutions and sandboxing technologies. Another factor is the continuous enhancements in their routines: just recently, we observed that the macro malware related to DRIDEX and the latest crypto-ransomware variant, Locky ransomware, used Form objects in macros to obfuscate the malicious code. With this improvement, it could further aid cybercriminals or attackers to -hide- any malicious activity they perform in their target network or system... Locky ransomware, which is reported to be responsible for compromising the network and encrypting the records of Hollywood Presbyterian Medical Center last February 2016, is the first instance of ransomware that capitalized on malicious macros to infiltrate systems. Typically, ransomware is distributed via compromised websites or spam emails. However, this -variant- deviated and replicated this behavior (use of macros) commonly seen in DRIDEX. Based on our Smart Protection Network data, the top countries by Locky ransomware are Germany, Japan, and the United States:
Top countries affected by Locky ransomware for the past 3 months
> https://blog.trendmicro.com/trendlab...y-1024x596.png
DRIDEX, a prevalent online banking malware, has its own macro downloader. While conducting our analysis, we found that most of our DRIDEX detections pertain to its macro downloader and -not- the actual TSPY_DRIDEX. This could suggest that this threat is -still- as rampant as ever despite the takedown of some of its command-and-control (C&C) servers last year.
Countermeasures... awareness of such threats and their behavior is one of the initial steps in order to combat their risks. It’s also important to -not-enable-macros- from email attachments as this can add another layer of protection to prevent the download of malicious files on the system. For enterprises or organizations, it may be best to block email messages with attachments from suspicious sources."
(More detail at the trendmicro URL at the top of this post.)
-
Fake 'Customer Invoice' SPAM, Teslacrypt, iCloud PHISH
FYI...
Fake 'Customer Invoice' SPAM - JS malware Teslacrypt
- http://myonlinesecurity.co.uk/dear-v...to-teslacrypt/
5 March 2016 - "An email with the subject of 'Invoice, Ref. 00278908' [random numbered] pretending to come from random email addresses and names with a zip attachment is another one from the current bot runs...
The email looks like:
From: Derrick bolton <boltonDerrick32@ kgorman .ca>
Date: Sat 05/03/2016 07:38
Subject: Invoice, Ref. 00278908
Attachment: Invoice_ref-00278908.zip
Dear Valued Customer,
We are very grateful for your purchase. The specified sum of $679,48 was paid and now your order is being processed by our company.
Delivery information and the invoice can be found in the attached file.
Thank you!
Derrick bolton
Sales Manager ...
5 March 2016 : Invoice_ref-00278908.zip: Extracts to: invoice_ZAwuzp.js (I have seen -4- different zip files by # all extracting to -different- js files) VirusTotal detections [1] [2] [3] [4] all of which according to MALWR [a].. contact http ://ujajajgogoff .com/80.exe?1 where they actually download a file called 69... This site was distributing Teslacrypt ransomware earlier in the week, so this is likely to be the same. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
1] https://www.virustotal.com/en/file/6...is/1457036665/
a] https://malwr.com/analysis/MmQwNmNmN...M0ZWJhYTM2MDA/
74.117.183.252
>> https://www.virustotal.com/en/url/31...138c/analysis/
- https://isc.sans.edu/diary.html?storyid=20801
Last Updated: 2016-03-05 - "We have seen in the last two weeks a massive amount of websites hosting a variant of angler exploit kit that infects computers downloading and activating a variant of teslacrypt... Please keep in mind some countermeasures to avoid infection by Angler EK or ransomware:
• Implement strong antispam, antimalware and antiphishing procedures.
• Keep operating systems patched against known vulnerabilities.
• Install patches from vendors as soon as they are distributed, after performing a full test procedure for each patch.
• Train your users to be careful when opening attachments.
• Configure antimalware software to automatically scan all email and instant-message attachments.
• Configure email programs to not automatically open attachments or automatically render graphics.
• Ensure that the preview pane of your e-mail reader is turned off.
• Use a browser plug-in like noscript to block the execution of scripts and iframes."
___
iCloud PHISH
- http://myonlinesecurity.co.uk/i21506...loud-phishing/
5 March 2016 - " 'i215061438' pretending to come from Online-iApple <replyonline@ online .apple .org> is one of the latest -phish- attempts to steal your Apple/iCloud account. This one only wants your 'iCloud/Apple email address log in and password...
Hello [REDACTED]
You received one new message!
SignIn and View
Where we can provide information access and correction, we will do so for free, except where it would require a disproportionate effort. We aim to maintain our services in a manner that protects information from accidental or malicious destruction. Because of this, after you delete information from our services, we may not immediately delete residual copies from our active servers and may not remove information from our backup systems.
Thank you,
The iApple Team
... It is quite easy to mistake-the-URL for a genuine apple site because you are instinctively drawn to the http ://icloudapple .com at the -start- of the URL, where you should be looking at the last-part before the first / - otrack .net .. That clearly is -not- an Apple or iCloud site. If you did click the link you would see a webpage looking like this where any email address and password gives you a message saying: 'Your Apple ID or password was incorrect. Forgot password?' .. which is the link to the genuine Apple forgot password site:
> http://myonlinesecurity.co.uk/wp-con...g-1024x549.png
The links behind the unsubscribe and 'Click here to view our privacy policy' lead you to the Romanian Security Team forum. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email..."
otrack .net: 192.185.195.163 >> https://www.virustotal.com/en/url/d2...cd26/analysis/
:fear::fear: :mad:
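The Teslacrypt post above makes a point that recurs throughout this thread: a .js script inside a ZIP, carrying a spoofed document icon, looks like a DOC file to anyone who has "show known file extensions" turned off. The following is an added example, not code from myonlinesecurity.co.uk, dynamoo.com or this forum, of a mail-gateway style check that flags attachment names using that trick. The attachment and extracted-file names are taken from this and later posts in the thread; the extension sets, the `holiday_photos.zip` benign sample and the function names are assumptions made for the demonstration.

```python
"""Flag e-mail attachment names that use the double-extension / spoofed-icon
trick described in the thread: a script (.js) inside a ZIP, or a name such as
report.doc.js, which Windows shows as 'report.doc' when known extensions are
hidden. Added example, not code from the blogs quoted in the thread."""
from dataclasses import dataclass, field
from typing import List, Optional

# Extensions Windows will execute directly on double-click (assumed list).
SCRIPT_EXTS = {"js", "jse", "vbs", "vbe", "wsf", "wsh", "hta", "ps1",
               "cmd", "bat", "scr", "exe", "pif", "com"}
# Office formats that can carry macros (the thread's pm51A.docm sample).
MACRO_EXTS = {"docm", "xlsm", "pptm", "dotm", "xlsb"}
# What the victim is meant to believe they are opening (assumed list).
DOCUMENT_EXTS = {"doc", "docx", "pdf", "xls", "xlsx", "txt", "rtf", "jpg", "png"}
ARCHIVE_EXTS = {"zip", "rar", "7z"}


@dataclass
class Verdict:
    name: str
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def assess_name(name: str) -> Verdict:
    """Look at the last two extensions of a file name."""
    verdict = Verdict(name)
    parts = name.lower().rsplit(".", 2)
    if len(parts) < 2:
        return verdict                      # no extension at all
    last = parts[-1]
    prev = parts[-2] if len(parts) == 3 else None
    if last in SCRIPT_EXTS:
        verdict.reasons.append(f"executable/script extension .{last}")
    if last in MACRO_EXTS:
        verdict.reasons.append(f"macro-enabled Office extension .{last}")
    if prev in DOCUMENT_EXTS and last in SCRIPT_EXTS | ARCHIVE_EXTS:
        verdict.reasons.append(f"document extension .{prev} hidden before .{last}")
    return verdict


def assess_attachment(attachment: str, members: Optional[List[str]] = None) -> List[Verdict]:
    """Assess the attachment itself and, for archives, each extracted member name."""
    verdicts = [assess_name(attachment)]
    if attachment.lower().rsplit(".", 1)[-1] in ARCHIVE_EXTS and members:
        verdicts.extend(assess_name(m) for m in members)
    return verdicts


def is_suspicious(attachment: str, members: Optional[List[str]] = None) -> bool:
    return any(v.suspicious for v in assess_attachment(attachment, members))


if __name__ == "__main__":
    # Names taken from the thread, plus one constructed benign archive.
    samples = [
        ("Invoice_ref-00278908.zip", ["invoice_ZAwuzp.js"]),
        ("Notice_to_Appear_00736595.zip", ["Notice_to_Appear_00736595.doc.js"]),
        ("Pay_Advice_Vendor_0000300320_1000_for_03.03.2016.PDF.ZIP", None),
        ("pm51A.docm", None),
        ("holiday_photos.zip", ["beach.jpg"]),   # constructed benign sample
    ]
    for attachment, members in samples:
        for v in assess_attachment(attachment, members):
            flag = "SUSPICIOUS" if v.suspicious else "ok        "
            print(f"{flag} {v.name}: {'; '.join(v.reasons)}")
```

This is a name-based check only: it catches the ".doc.js" and ".PDF.ZIP" shapes and bare scripts inside archives, but it has to run on the archive listing, not just the outer attachment name, which is why `assess_attachment` takes the member names. Pair it with content inspection of the extracted files at the gateway.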
-
HMRC Tax Refund/iCloud PHISH
FYI...
HMRC Tax Refund/iCloud PHISH
- http://myonlinesecurity.co.uk/apple-...shing-attempt/
6 Mar 2016 - "A right mishmash of an email with this HMRC tax phishing attempt. The bots sending these are very confused this morning. The email subject says 'Tax Refund New Message Alert!' but the body is all about an iCloud log in... The email looks like:
From: HM & Customs <1Message@ HMRC .gov.uk>
Date: Sun 06/03/2016 04:50
Subject: Tax Refund New Message Alert!
Attachment: none
Your ID was used to sign in to App Store via a web browser.
Date and Time: March 04, 2016, 14:03 PM PDT
If you have not signed in to iCloud recently and believe someone may have accessed your account, you should verify your identity and change your password. Sign in to HMRC online Services
Hm & Customs respects your privacy.
The link behind the 'Sign in to' leads to http ://chefom .com/hmrc .gov.uk/8a9e617ee9a73ddf31d5b21bd3ef46ba/index.php which is known by Internet Explorer Smart filter as well as Chrome and Firefox phishing filters and blocked. There no doubt will be other sites using the same email template that aren’t yet blocked. If you are unwise enough to follow-the-links and have anti-phishing or smart filter turned off, then you see a typical HMRC phishing page which looks very similar to a HMRC genuine page:
> http://myonlinesecurity.co.uk/wp-con...HMRC_phish.png "
chefom .com: 192.186.242.105: https://www.virustotal.com/en/ip-add...5/information/
>> https://www.virustotal.com/en/url/f6...61b2/analysis/
:fear::fear: :mad:
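The two phishing posts above describe the same trick from opposite ends: the iCloud link puts "icloudapple.com" at the start of the hostname while the real registrable domain is otrack.net, and the HMRC link puts "hmrc.gov.uk" in the path under chefom.com. The following is an added example, not code from myonlinesecurity.co.uk or this forum, that parses a URL and reports where the brand text actually sits. The HMRC URL is the one quoted in the post; the iCloud URL is constructed in the shape the post describes (brand first, otrack.net last). The brand list, the allowlist and the two-label registrable-domain rule are simplifying assumptions; production code would consult the Public Suffix List.

```python
"""Report whether a URL's brand name is in the registrable domain (where it
belongs) or only in a subdomain or path, as in the iCloud and HMRC phishing
links above. Added example, not code from the blogs quoted in the thread."""
from typing import Dict, List
from urllib.parse import urlsplit

BRANDS = {"apple", "icloud", "hmrc"}                        # assumed brand tokens
LEGIT_DOMAINS = {"apple.com", "icloud.com", "hmrc.gov.uk"}  # assumed allowlist
# Labels that act as a second-level suffix under a two-letter ccTLD (co.uk, gov.uk, com.br).
SECOND_LEVEL = {"co", "gov", "org", "ac", "com", "net", "edu"}


def registrable_domain(host: str) -> str:
    """Approximate 'the last part before the first /' that the post tells readers to check."""
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and labels[-2] in SECOND_LEVEL and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def brand_tokens(text: str) -> List[str]:
    return sorted(b for b in BRANDS if b in text.lower())


def check_url(url: str) -> Dict[str, object]:
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    reg = registrable_domain(host)
    reasons: List[str] = []
    if reg not in LEGIT_DOMAINS:
        # Anything to the left of the registrable domain is decoration the attacker controls.
        sub = host[: len(host) - len(reg)] if host.endswith(reg) else host
        if brand_tokens(sub):
            reasons.append(f"brand {brand_tokens(sub)} in subdomain of {reg}")
        if brand_tokens(reg):
            reasons.append(f"brand {brand_tokens(reg)} in unrecognised domain {reg}")
        if brand_tokens(parts.path):
            reasons.append(f"brand {brand_tokens(parts.path)} in path under {reg}")
    return {"host": host, "registrable": reg, "reasons": reasons, "suspicious": bool(reasons)}


if __name__ == "__main__":
    samples = [
        # HMRC phishing link quoted in the post above (brand in the path).
        "http://chefom.com/hmrc.gov.uk/8a9e617ee9a73ddf31d5b21bd3ef46ba/index.php",
        # Constructed in the shape the iCloud post describes: brand first, otrack.net last.
        "http://icloudapple.com.signin.otrack.net/login",
        "https://www.apple.com/icloud/",
        "https://online.hmrc.gov.uk/",
    ]
    for u in samples:
        r = check_url(u)
        print("PHISH?" if r["suspicious"] else "ok    ", r["registrable"], r["reasons"])
```

The check deliberately reports the registrable domain alongside the reasons, since that is the single value a user (or a mail filter) should be comparing against the expected sender; a brand token that only appears to the left of it, or in the path, is never evidence of legitimacy.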
-
Fake 'Order Confirmation', 'Appear in Court', 'DHL invoice', 'payment proof' SPAM
Fake 'Order Confirmation', 'Appear in Court', 'DHL invoice', 'payment proof' SPAM, WordPress plugin backdoor, Payroll and Human Resources - PHISH
FYI...
Fake 'Order Confirmation' SPAM - ransomware
- http://blog.dynamoo.com/2016/03/malw...n-payment.html
7 Mar 2016 - "This -fake- financial spam comes from various senders with different references, amounts and slightly different addresses. There is a malicious attachment which appears to be ransomware.
From: Ellen thorp
Date: 7 March 2016 at 07:08
Subject: Order Confirmation - Payment Successful, Ref. 81096454
Dear Client,
Thank you for your transaction of $477,84. The shipping time varies from 3 to 5 business days, however we will do our best so you can receive your order as soon as possible.
We will send all the information regarding this case to your local post office. They will contact the phone number you provided when the package arrives.
Double check please the document enclosed to this email.
Thank you for your order and we hope to see you again as our customer.
Respectfully,
Ellen thorp
Chief Accountant ...
Attached is a randomly-named ZIP file in the format Invoice_ref-81096454.zip which contains a further malicious script file beginning with invoice_, invoice_copy or invoice_SCAN. Detection rates for these vary [1]... These Hybrid Analysis reports on three of the samples [2].. show the script downloading a malicious binary from:
blablaworldqq .com/80.exe?1
hellomydearqq .com/69.exe?1
hellomydearqq .com/80.exe?1
At the moment, those domains don't seem to be resolving, but if you replace the domains with the IP addresses then it will work. The sites are hosted on the following servers:
51.254.226.223 (OVH, France)
173.82.74.197 (Multacom Corporation, US)
The 69.exe and 80.exe files are actually different; both have a detection rate of 4/54 [3]... Analysis of these files [4]... indicates behaviour consistent with ransomware, and these binaries attempt to phone home...
Recommended blocklist:
51.254.226.223
173.82.74.197
conspec .us
tmfilms .net
iqinternal .com
goktugyeli .com
saludaonline .com "
1] https://www.virustotal.com/en/file/4...is/1457338902/
2] https://www.hybrid-analysis.com/samp...nvironmentId=4
3] https://www.virustotal.com/en/file/4...is/1457338902/
4] https://malwr.com/analysis/N2YyNWRiY...U5MmJlODc4OTQ/
- http://myonlinesecurity.co.uk/order-...pt-ransomware/
7 Mar 2016 - "An email with the subject of 'Order Confirmation – Payment Successful, Ref. 67703560' [random numbered] pretending to come from random email addresses, companies and names with a zip attachment is another one from the current bot runs... The name of the alleged sender matches the name of the Chief Accountant. The ref number in subject matches the attachment number. The email looks like:
From: Amie yonk <yonkAmie092@ bumperscuffshrewsbury .co.uk>
Date: Mon 07/03/2016 05:56
Subject: Order Confirmation – Payment Successful, Ref. 67703560 (random numbers)
Attachment: Invoice_ref-67703560.zip
Dear Client,
Thank you for your transaction of $727,71. The shipping time varies from 3 to 5 business days, however we will do our best so you can receive your order as soon as possible.
We will send all the information regarding this case to your local post office. They will contact the phone number you provided when the package arrives.
Double check please the document enclosed to this email.
Thank you for your order and we hope to see you again as our customer.
Respectfully,
Amie yonk
Chief Accountant ...
7 March 2016: Invoice_ref-67703560.zip: Extracts to: invoice_zVVGbu.js - Current Virus total detections 2/56*
MALWR** shows a download from http ://hellomydearqq .com/69.exe?1 so that tells us that this is Teslacrypt ransomware (VirusTotal 2/56***).. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/3...is/1457330191/
** https://malwr.com/analysis/ZDZkZGRjM...U2ZjI1MDg4MzM/
Hosts
173.82.74.197
50.62.245.1
*** https://www.virustotal.com/en/file/9...is/1457333744/
___
Fake 'Notice to Appear in Court' SPAM - JS malware leads to Kovter and ransomware
- http://myonlinesecurity.co.uk/notice...nd-ransomware/
7 Mar 2016 - "An email with the subject of 'Notice to Appear in Court' coming from no-reply@ mailout .pl with a zip attachment is another one from the current bot runs... The email looks like:
From: no-reply@ mailout .pl
Date: Mon 07/03/2016 10:19
Subject: Notice to Appear in Court
Attachment: Notice_to_Appear_00736595.zip
Notice to Appear,
You have to appear in the Court on the March 15.
You are kindly asked to prepare and bring the documents relating to the case to Court on the specified date.
Note: The case may be heard by the judge in your absence if you do not come.
The copy of Court Notice is attached to this email.
Sincerely,
Adam Middleton,
Court Secretary.
7 March 2016: Notice_to_Appear_00736595.zip: Extracts to: Notice_to_Appear_00736595.doc.js - Current Virus total detections 15/56*
.. MALWR** shows a download of -3- files from http ://mehulic-art .com which are known as Kovter, and other ransomware files. VirusTotal [1] [2] [3].. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/5...is/1457346335/
** https://malwr.com/analysis/Y2Q4ZWYwN...BjYmUwMWZhNjg/
Hosts
185.58.74.132
1] https://www.virustotal.com/en/file/d...is/1457304422/
2] https://www.virustotal.com/en/file/d...is/1457346993/
3] https://www.virustotal.com/en/file/5...is/1457285169/
___
Fake 'DHL invoice' SPAM - JS malware leads to Locky Ransomware
- http://myonlinesecurity.co.uk/your-l...ky-ransomware/
7 Mar 2016 - "An email with the subject of 'Your latest DHL invoice: HSC4387902' [random numbered] pretending to come from e-billing@ dhl .com with a zip attachment is another one from the current bot runs which downloads Locky ransomware...
Screenshot: http://myonlinesecurity.co.uk/wp-con...2-1024x551.png
7 March 2016: HSC4387902.zip: Extracts to: MNB3492495814.js - Current Virus total detections 1/54*
.. MALWR** shows a download of the -same- Locky ransomware version as mentioned in THIS post*** from http ://shapes .com.pk/system/logs/87tg7v645c.exe
This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/0...is/1457349592/
** https://malwr.com/analysis/YmY0ZGQ1M...JiMjFiOGFlYmE/
Hosts
50.87.248.127
*** http://myonlinesecurity.co.uk/paymen...ky-ransomware/
___
Fake 'payment proof' SPAM - JS malware leads to Locky Ransomware
- http://myonlinesecurity.co.uk/paymen...ky-ransomware/
7 Mar 2016 - "An email with the subject of 'payment proof' pretending to come from SunBeverages <Info@ sunbeverages .eu> with a zip attachment is another one from the current bot runs... The email looks like:
From: SunBeverages <Info@ sunbeverages .eu>
Date: Mon 07/03/2016 09:42
Subject: payment proof
Attachment: 169990489_0492729.zip (random numbers)
Please see attached proof of payment...
5 March 2016: 169990489_0492729.zip: Extracts to: SPL6767845811.js - Current Virus total detections 1/57*
.. MALWR** shows a download of Locky ransomware from http ://aqarhits .com/system/logs/87tg7v645c.exe
(VirusTotal 4/56***).. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/c...is/1457347704/
** https://malwr.com/analysis/MTliZTkyN...E4MmU0ZTc4NGM/
Hosts
162.210.102.210
46.108.39.18
*** https://www.virustotal.com/en/file/3...is/1457348069/
TCP connections
212.47.223.19: https://www.virustotal.com/en/ip-add...9/information/
___
Fake 'E-Service Invoice' SPAM - leads to malware
- http://blog.dynamoo.com/2016/03/malw...urope-ltd.html
7 Mar 2016 - "This -fake- financial spam leads to malware:
From Andrew Williams [andrew.williams@ eurocoin .co.uk]
Date Mon, 07 Mar 2016 17:37:49 +0530
Subject E-Service (Europe) Ltd Invoice No: 10013405
Dear Customer,
Please find your invoice attached from E-Service (Europe) Ltd. We kindly ask you
to make payment for all transactions on or before their due date.
Please contact E-Service (Europe) if you have any issues or queries preventing your
prompt payment ...
Attached is a ZIP file named Invoice 10013405.zip which contains one of a wide range of randomly-named scripts. A trusted third party analysis (thank you!) shows that there are download locations.. The dropped binary has a detection rate of 5/56* and the Malwr report** clearly shows this is the Locky ransomware. My contact reports that the malware phones home to:
192.121.16.196 (EDIS, Netherlands)
46.108.39.18 (EDIS, Romania)
212.47.223.19 (Web Hosting Solutions OY, Estonia)
109.237.111.168 (Krek Ltd, Russia)
185.92.220.35 (Choopa LLC, Netherlands)
89.108.85.163 (Agava Ltd, Russia)
192.71.213.69 (EDIS, Spain)
Recommended blocklist:
192.121.16.196
46.108.39.18
212.47.223.19
109.237.111.168
185.92.220.35
89.108.85.163
192.71.213.69 "
- http://myonlinesecurity.co.uk/e-serv...ky-ransomware/
7 Mar 2016 - "An email with the subject of 'E-Service (Europe) Ltd Invoice No: 10013405' [random numbered] pretending to come from Andrew Williams <andrew.williams@ eurocoin .co.uk> with a zip attachment is another one from the current bot runs which downloads LOCKY RANSOMWARE.. The email looks like:
From: Andrew Williams <andrew.williams@ eurocoin .co.uk>
Date: Mon 07/03/2016 11:39
Subject: E-Service (Europe) Ltd Invoice No: 10013405 ( random numbers)
Attachment: Invoice 10013405.zip
Dear Customer,
Please find your invoice attached from E-Service (Europe) Ltd. We kindly ask you to make payment for all transactions on or before their due date...
7 March 2016: Invoice 10013405.zip: Extracts to: YOJ5879833117.js - Current Virus total detections 2/54*
.. MALWR** shows a download of Locky ransomware from http ://kiddyshop.kiev .ua/image/data/87tg7v645c.exe (VirusTotal 5/54***) which is slightly different to today’s earlier versions. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/5...is/1457354372/
** https://malwr.com/analysis/OTVkYTBkZ...QzMzNjMmU5ZWU/
Hosts
176.114.0.200
185.92.220.35
*** https://www.virustotal.com/en/file/d...is/1457355960/
TCP connections
192.121.16.196: https://www.virustotal.com/en/ip-add...6/information/
___
WordPress plugin opens backdoor, steals user credentials
- https://www.helpnetsecurity.com/2016...r-credentials/
Mar 7, 2016 - "If you are one of the 10,000+ users of the 'Custom Content Type Manager (CCTM)' WordPress plugin, consider your site to be compromised and proceed to clean your installation up, Sucuri Security researchers have warned. After finding “a very suspicious auto-update.php file inside wp-content/plugins/custom-content-type-manager/” during the cleanup on an -infected- WP site, the researchers began digging and discovered that:
• The file in question is a backdoor that can download additional files from a third-party domain, and save them in the plugin directory
• The CCTM plugin has been available for download from the official WP Plugin Directory for around three years, but hasn’t been updated in the last 10 months. But, some two weeks ago, a new developer (“wooranker”) started -adding- “small tweeks by new owner” and “bug fixes”... Users who want to keep using the plugin are advised to revert to using version 0.9.8.6 and to -disable- automatic plugin updates."
> https://blog.sucuri.net/2016/03/when...-goes-bad.html
Updated Mar 7, 2016
(More detail at both URLs above.)
___
Payroll and Human Resources - PHISH
- https://www.helpnetsecurity.com/2016...employee-data/
Mar 7, 2016 - "... 'Because a W-2 form provides the employee’s name, Social Security number, address, and earnings information for the year with how much had been deducted for taxes, etc. – as well as the employer’s name and address – it provides everything criminals need to engage in tax refund fraud', Dissent, the privacy advocate running the Office of Inadequate Security blog*, explains. 'It used to be that in February and March, we’d see a number of reports-of-breaches involving employees’ W-2 tax statements that were due to printing or mailing errors. This year, we’re seeing reports of W-2 data-theft -via- phishing'. The blogger has been flagging reports of various companies being successfully targeted with this type of attack: Actifio, AmeriPride, Evening Post Industries, GCI, Main Line Health, and the latest, Seagate. Snapchat was hit earlier this month. And there are likely many more... instead of going directly after the money, the attackers are after information that can be used for stealing money. The fake emails almost always seem to be coming from the firm’s -CEO- asking the payroll -or- HR employee to send the employees’ W-2 forms, in PDF form, 'for review'... we can expect a continuing, steady stream of these emails hitting all types of companies. It remains on them to educate their staff so they don’t fall for it."
* http://www.databreaches.net/mounting...ctims-in-2016/
Mar 7, 2016
:fear::fear: :mad:
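Each write-up above ends with download locations and a "Recommended blocklist", but both are deliberately defanged (a space before the dot, "http ://", a domain split as "ozono. org.es"), and the dynamoo entries carry hosting annotations such as "(OVH, France)". The following is an added example, not code from dynamoo.com, myonlinesecurity.co.uk or this forum, that normalises those lines into a blocklist and runs it over proxy log lines. The indicator lines are copied from this post and the one that follows it in the thread (including the 151.80.76.200/29 range dynamoo recommends blocking); the proxy log lines, the log format and the function names are constructed for the demonstration.

```python
"""Normalise the defanged indicators quoted in the thread into a blocklist and
match them against proxy log lines. Added example, not code from the blogs
quoted in the thread; log lines below are constructed."""
import ipaddress
import re
from typing import List, Optional, Set, Tuple
from urllib.parse import urlsplit

# Indicator lines as quoted in the thread (defanged with spaces around dots).
INDICATOR_LINES = [
    "blablaworldqq .com/80.exe?1",
    "hellomydearqq .com/69.exe?1",
    "51.254.226.223 (OVH, France)",
    "173.82.74.197 (Multacom Corporation, US)",
    "http ://kiddyshop.kiev .ua/image/data/87tg7v645c.exe",
    "ozono. org.es/k7j6h5gf",
    "151.80.76.200/29",          # the /29 range recommended for blocking in a later post
    "conspec .us",
]

Indicator = Tuple[str, str]      # (kind, value) with kind in {"ip", "net", "domain"}
CIDR_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})/(\d{1,2})$")


def refang(line: str) -> str:
    """Undo the thread's defanging: 'foo .com', 'foo[.]com', 'http ://', 'hxxp://'."""
    t = line.strip()
    t = re.sub(r"\s*\(.*\)\s*$", "", t)            # drop '(OVH, France)' annotations
    t = re.sub(r"\s*(?:\[\.\]|\.)\s*", ".", t)      # 'foo .com' / 'foo[.]com' -> 'foo.com'
    t = re.sub(r"^h(?:xx|tt)p(s?)\s*:\s*//", r"http\1://", t, flags=re.I)
    return t


def parse_indicator(line: str) -> Optional[Indicator]:
    """Classify one refanged line as a bare IP, a CIDR range or a domain."""
    t = refang(line)
    if CIDR_RE.match(t):
        return ("net", str(ipaddress.ip_network(t, strict=False)))
    if "://" not in t:
        t = "http://" + t                      # so urlsplit treats the start as a host
    host = urlsplit(t).hostname
    if not host:
        return None
    try:
        return ("ip", str(ipaddress.ip_address(host)))
    except ValueError:
        return ("domain", host.lower())


class Blocklist:
    def __init__(self, lines: List[str]) -> None:
        self.domains: Set[str] = set()
        self.ips: Set[str] = set()
        self.nets: List[ipaddress.IPv4Network] = []
        for line in lines:
            ind = parse_indicator(line)
            if ind is None:
                continue
            kind, value = ind
            if kind == "domain":
                self.domains.add(value)
            elif kind == "ip":
                self.ips.add(value)
            else:
                self.nets.append(ipaddress.ip_network(value))

    def match_host(self, host: str) -> Optional[str]:
        """Return the matching indicator (domain, parent domain, IP or range), or None."""
        host = host.lower().rstrip(".")
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            labels = host.split(".")
            for i in range(len(labels) - 1):       # a listed domain also covers its subdomains
                candidate = ".".join(labels[i:])
                if candidate in self.domains:
                    return candidate
            return None
        if str(ip) in self.ips:
            return str(ip)
        for net in self.nets:
            if ip in net:
                return str(net)
        return None


# Constructed proxy log lines: "<timestamp> <client> <method> <url> <status>".
SAMPLE_LOG = [
    "2016-03-07T07:41:02Z 10.0.0.14 GET http://hellomydearqq.com/69.exe?1 200",
    "2016-03-07T07:41:05Z 10.0.0.14 GET http://173.82.74.197/80.exe?1 200",
    "2016-03-07T07:42:10Z 10.0.0.22 GET http://www.example.com/index.html 200",
    "2016-03-07T07:43:33Z 10.0.0.31 POST http://151.80.76.203/new_and/state.php 200",
]
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")


def scan_log(lines: List[str], blocklist: Blocklist) -> List[Tuple[str, str]]:
    """Return (client, matched indicator) for every log line that touches the blocklist."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        matched = blocklist.match_host(urlsplit(m["url"]).hostname or "")
        if matched:
            hits.append((m["client"], matched))
    return hits


if __name__ == "__main__":
    bl = Blocklist(INDICATOR_LINES)
    for client, indicator in scan_log(SAMPLE_LOG, bl):
        print(f"{client} contacted blocklisted {indicator}")
```

The match is done on the host only, never on the full URL: the posts show the same file name (`9uj8n76b5.exe`, `87tg7v645c.exe`) served from many different hosts, so the host or address is the stable part worth keeping, and a listed domain is made to cover its subdomains because the download sites in these posts move between hosts under the same domain.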
-
Fake 'Pay_Advice_Vendor', 'Emailing', 'Order', 'FeDex-service', 'Compensation' SPAM
FYI...
Fake 'Pay_Advice_Vendor' SPAM - JS malware leads to Dridex
- http://myonlinesecurity.co.uk/pay_ad...ads-to-dridex/
8 Mar 2016 - "An email with the subject of 'Pay_Advice_Vendor_0000300320_1000_for_03.03.2016' pretending to come from Accounts Payable <vendoramendments@ yorkshirewater .co.uk> with a zip attachment is another one from the current bot runs which downloads Dridex banking Trojan... The email looks like:
From: Accounts Payable <vendoramendments@ yorkshirewater .co.uk>
Date: Tue 08/03/2016 08:25
Subject: Pay_Advice_Vendor_0000300320_1000_for_03.03.2016
Attachment: Pay_Advice_Vendor_0000300320_1000_for_03.03.2016.PDF.ZIP
Spotted a leak?
If you spot a leak please report it immediately. Call us ...
Get a free water saving pack
Don’t forget to request your free water and energy saving pack, it could save you money on your utility bills and help you conserve water..
8 March 2016: Pay_Advice_Vendor_0000300320_1000_for_03.03.2016.PDF.ZIP: Extracts to: LQO1169369605.js
Current Virus total detections 4/56*.. MALWR shows a download of what looks like Dridex banking Trojan from http ://reclamus .com/9uj8n76b5.exe (VirusTotal 2/56**). Other download locations so far discovered include
lhs-mhs .org/9uj8n76b5.exe | jatukarm-30 .com/9uj8n76b5.exe | stopmeagency.free .fr/9uj8n76b5.exe ... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/3...is/1457426128/
** https://www.virustotal.com/en/file/b...is/1457426412/
TCP connections
38.64.199.3: https://www.virustotal.com/en/ip-add...3/information/
8.253.82.126: https://www.virustotal.com/en/ip-add...6/information/
- http://blog.dynamoo.com/2016/03/malw...003003201.html
8 Mar 2016 - "This -fake- financial spam does not come from Yorkshire Water but is instead a simple -forgery- with a malicious attachment.
From Accounts Payable [vendoramendments@ yorkshirewater .co.uk]
Date Tue, 08 Mar 2016 10:32:52 +0200
Subject Pay_Advice_Vendor_0000300320_1000_for_03.03.2016
Spotted a leak?
If you spot a leak please report it immediately. Call us...
Get a free water saving pack
Don't forget to request your free water and energy saving pack, it could save you
money on your utility bills and help you conserve water...
I have only seen a single sample with an attachment named Pay_Advice_Vendor_0000300320_1000_for_03.03.2016.PDF.ZIP which contains a randomly-named malicious script with a detection rate of 3/54*. According to the Malwr report** and Hybrid Analysis*** on this sample, it downloads a malicious binary from:
lhs-mhs .org/9uj8n76b5.exe
This binary has a detection rate of 2/54[4] and all those reports indicate that it phones home to:
38.64.199.3 (PSINet, Canada)
I recommend that you -block- traffic to that IP. The Malwr report on the dropped binary is inconclusive, but it looks like the Dridex banking trojan."
* https://www.virustotal.com/en/file/5...is/1457426440/
** https://malwr.com/analysis/MjU1N2JkM...JkMjlkOGZlOTk/
Hosts
208.131.141.2
38.64.199.3
184.25.56.34
*** https://www.hybrid-analysis.com/samp...nvironmentId=4
4] https://www.virustotal.com/en/file/b...is/1457426850/
TCP connections
38.64.199.3: https://www.virustotal.com/en/ip-add...3/information/
8.253.82.126: https://www.virustotal.com/en/ip-add...6/information/
___
Fake 'Emailing' SPAM - JS attachment leads to Dridex
- http://myonlinesecurity.co.uk/emaili...ads-to-dridex/
8 Mar 2016 - "An email with the subject of 'Emailing: 20121005154449756' pretending to come from Gary Atkinson <Gary@ garrardwindows .co.uk> with a zip attachment is another one from the current bot runs which downloads Dridex banking Trojan... The email looks like:
From: Gary Atkinson <Gary@ garrardwindows .co.uk>
Date: Tue 08/03/2016 09:00
Subject: Emailing: 20121005154449756
Attachment:
Please find attached document as requested.
8 March 2016:20121005154449756.zip: Extracts to: UIP3776229406.js - Current Virus total detections 3/56*
MALWR** shows a download of Dridex banking Trojan from http ://lhs-mhs .org/9uj8n76b5.exe
(VirusTotal ***) which is the same binary as THIS post[4]... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/3...is/1457427965/
** https://malwr.com/analysis/MGZjZDhiN...JlNDVkOWEyNzE/
Hosts
208.131.141.2
38.64.199.3
8.254.249.78
*** https://www.virustotal.com/en/file/b...is/1457427628/
TCP connections
38.64.199.3: https://www.virustotal.com/en/ip-add...3/information/
8.253.82.126: https://www.virustotal.com/en/ip-add...6/information/
4] http://myonlinesecurity.co.uk/pay_ad...ads-to-dridex/
- http://blog.dynamoo.com/2016/03/malw...154449756.html
8 Mar 2016 - "This spam does -not- come from Garrard Windows but is instead a simple -forgery- with a malicious attachment:
From Gary Atkinson [Gary@ garrardwindows .co.uk]
Date Tue, 08 Mar 2016 12:09:33 +0300
Subject Emailing: 20121005154449756
Please find attached document as requested.
Attached is a file 20121005154449756.zip which contains a randomly-named script. I have seen two samples so far (VirusTotal results [1]..). The Malwr reports [3].. show the script downloads from the following locations:
jatukarm-30 .com/9uj8n76b5.exe
stopmeagency .free.fr/9uj8n76b5.exe
The downloaded binary appears to be Dridex and is the -same- as found in this spam run*."
1] https://www.virustotal.com/en/file/e...is/1457429537/
2] https://malwr.com/analysis/Y2ZiZTA2Z...hlYzdmYWIyYWI/
Hosts
203.146.251.198
38.64.199.3
23.216.11.120
* http://blog.dynamoo.com/2016/03/malw...003003201.html
___
Fake 'Order' SPAM - doc malware leads to Dridex
- http://myonlinesecurity.co.uk/order-...ads-to-dridex/
8 Mar 2015 - "An email with the subject of 'Order 1307605 (Acknowledgement)' pretending to come from rick.adrio@ booles .co.uk with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
From: rick.adrio@ booles .co.uk
Date: Tue 08/03/2016 09:31
Subject: Order 1307605 (Acknowledgement)
Attachment: pm51A.docm
Please find document attached ...
8 March 2016: pm51A.docm Current Virus total detections 5/55*
MALWR** shows a download of Dridex banking Trojan from http ://kyudentyumi .web .fc2 .com/9uj8n76b5.exe
... which is the -same- Dridex Trojan version as described in today’s earlier posts where they are using .JS files inside zips to distribute the malware... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/d...is/1457430327/
** https://malwr.com/analysis/NjZkZjFmM...VkOGE3OTZhOTM/
Hosts
208.71.106.45
38.64.199.3
23.216.11.120
- http://blog.dynamoo.com/2016/03/malw...r-1307605.html
8 Mar 2015 - "This fake financial spam has a malicious attachment:
From rick.adrio@ booles .co.uk
Date Tue, 08 Mar 2016 15:58:07 +0530
Subject Order 1307605 (Acknowledgement)
Please find document attached ...
Attached is a file pm51A.docm which I have seen two versions of (VirusTotal results [1] [2]). According to these Malwr reports [3] [4] and various other sources the macro in the document downloads from:
stopmeagency .free.fr/9uj8n76b5.exe
reclamus .com/9uj8n76b5.exe
lhs-mhs .org/9uj8n76b5.exe
izzy-cars .nl/9uj8n76b5.exe
kyudentyumi.wekyudentyumi .web.fc2 .com/9uj8n76b5.exe
The dropped binary has -changed- from earlier and has a detection rate of 2/55*, it phones home to the -same- IP address as seen in this campaign**. It appears to be the Dridex banking trojan."
1] https://www.virustotal.com/en/file/1...is/1457433767/
2] https://www.virustotal.com/en/file/0...is/1457433778/
3] https://malwr.com/analysis/MWM1ZmRlY...A5YTlmMzFiYmQ/
Hosts
46.235.47.134
38.64.199.3
13.107.4.50
4] https://malwr.com/analysis/NmIyYzAxM...g2ODFhZGY1MmE/
Hosts
208.131.141.2
38.64.199.3
13.107.4.50
* https://www.virustotal.com/en/file/a...5874/analysis/
TCP connections
38.64.199.3: https://www.virustotal.com/en/ip-add...3/information/
131.253.33.50: https://www.virustotal.com/en/ip-add...0/information/
** http://blog.dynamoo.com/2016/03/malw...003003201.html
___
Fake 'FeDex-service' SPAM - malicious attachment
- http://blog.dynamoo.com/2016/03/malw...ent-fedex.html
8 Mar 2016 - "This -fake- FedEx spam has a malicious attachment:
From: FeDex-service
Date: 8 March 2016 at 11:40
Subject: Samson Floyd agent Fedex
Dear [redacted],
We attempted to deliver your item on March 07th, 2016, 11:40 AM.
The delivery attempt failed because the address was business closed or
nobody could sign for it. To pick up the parcel,please, print the receipt
that is attached to this email and visit Fedex office indicated in the
invoice. If the package is not picked up within 48 hours, it will be returned
to the shipper.
Label: US45928402845 ...
Attached is a RAR archive file in this case named US45928460284.rar containing in turn a malicious script US45928460284.js ... This attempts to download an executable from:
www .fotoleonia .it/files/sample.exe
This has a VirusTotal detection rate of 4/54*. The Malwr report** shows a subsequent download from:
www .claudiocalaprice .com/modules/fedex/pad.exe
This has similar detections*** to the first binary. That Malwr report also indicates the binary POSTing data to:
pdf.repack .bike/new_and/state.php
This is hosted on:
151.80.76.200 (Kitdos, US / OVH, France)
I would suggest that the -entire- 151.80.76.200/29 range is questionable and should be -blocked-. None of the automated tools I ran... gave any insight as to what the malware does, but it is clearly something malicious."
* https://www.virustotal.com/en/file/e...is/1457437544/
** https://malwr.com/analysis/Yjk4NWM3Y...ZhMGMxMDQyNzU/
Hosts
78.83.32.3
172.217.3.35
172.217.0.67
62.149.142.172
129.70.132.34
8.8.4.4
23.100.122.175
151.80.76.200
62.149.142.151
*** https://www.virustotal.com/en/file/b...is/1457438147/
___
Fake 'Compensation' SPAM - JS malware leads to Locky Ransomware
- http://myonlinesecurity.co.uk/compen...ky-ransomware/
8 Mar 2016 - "An email with the subject of 'Compensation – Reference Number #242852' [random numbered] coming from random names and email addresses with a zip attachment is another one from the current bot runs which downloads Locky Ransomware... The email looks like:
From: Lily Adams <AdamsLily33@ haleandheartymovers .com>
Date: Tue 08/03/2016 12:00
Subject: Compensation – Reference Number #242852
Attachment: SCAN_00_242852.zip
Dear Customer,
The mistake made will be compensated promptly, please do not worry.
Please take a look at the file attached (scanned document) as it contains all the information.
Sincerely,
Lily Adams
Sales Manager ...
8 March 2016: SCAN_00_242852.zip: Extracts to -2- different .JS files: accent.670345320.js
Current Virus total detections 1/56* and email.141350705.js (VirusTotal 1/56**).. MALWR [1][2] shows both downloading Locky ransomware from http ://lahmar.choukri.perso.neuf .fr/78hg4wg (VirusTotal ***).. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/1...is/1457438201/
** https://www.virustotal.com/en/file/0...is/1457438200/
1] https://malwr.com/analysis/OTdhZjg3Z...M1MGFlNWM0NzE/
Hosts
86.65.123.70
37.235.53.18
2] https://malwr.com/analysis/NWFjMmE1Z...gzMzI2ODkyMjI/
Hosts
86.65.123.70
89.108.85.163
*** https://www.virustotal.com/en/file/0...is/1457439479/
TCP connections
89.108.85.163: https://www.virustotal.com/en/ip-add...3/information/
149.154.157.14: https://www.virustotal.com/en/ip-add...4/information/
- http://blog.dynamoo.com/2016/03/malw...reference.html
8 Mar 2016 - "This -fake- financial spam comes with a malicious attachment:
From: Orval Burgess
Date: 8 March 2016 at 11:10
Subject: Compensation - Reference Number #368380
Dear Customer,
The mistake made will be compensated promptly, please do not worry.
Please take a look at the file attached (scanned document) as it contains all the information.
Sincerely,
Orval Burgess
Account Manager
Attached is a file named in a similar format to SCAN_00_368380.zip which contains -TWO- malicious scripts named in a format similar to email.864036956.js (VirusTotal results [1]..) and automated analysis tools [5].. [9].. show binary download locations at:
ministerepuissancejesus .com/o097jhg4g5
ozono. org.es/k7j6h5gf
Those same reports indicate the malware attempts to phone home to the following IPs:
89.108.85.163 (Agava Ltd, Russia)
151.236.14.51 (EDIS, Netherlands)
149.154.157.14 (EDIS, Italy)
37.235.53.18 (EDIS, Spain)
192.121.16.196 (EDIS, Sweden)
Those automated reports all indicate that this is the Locky ransomware.
Recommended blocklist:
89.108.85.163
151.236.14.51
149.154.157.14
37.235.53.18
192.121.16.196 "
(More detail at the dynamoo URL above.)
1] https://www.virustotal.com/en/file/7...0616/analysis/
5] https://malwr.com/analysis/Y2JkOGM2Z...dhNWFiYmVmOWQ/
9] https://www.hybrid-analysis.com/samp...nvironmentId=4
email.297456567.js
email.931921928.js
email.374106319.js
email.864036956.js
___
Fake 'Invoice #' SPAM - JS malware leads to ransomware
- http://myonlinesecurity.co.uk/fw-inv...to-ransomware/
8 Mar 2016 - "An email with the subject of 'FW: Invoice #733745-2016-03' [random numbered] pretending to come from random names and email addresses with a zip attachment is another one from the current bot runs which downloads a Locky Ransomware version... The email looks like:
From: Agnes Vaughan <VaughanAgnes08980@ speedy .com.ar>
Date: Tue 08/03/2016 15:12
Subject: FW: Invoice #733745-2016-03
Attachment:
Dear ellie,
Please see attached (scanned document) file for your invoice.
Thank you for your business
Agnes Vaughan
Account Manager
8 March 2016: SCAN_2016_03_733745.zip: Extracts to: -2- slightly different sized .JS files
accent.216401762.js (VT*) and accent.599656717.js (VT**)
.. MALWR [1] [2] both show a download from http ://het-havenhuis .nl/099oj6hg (VirusTotal 15/57***)
... the second MALWR report clearly shows Locky.. Chrome & Firefox but -not- Internet Explorer -block- this site with big red warnings of malware... This is another one of the spoofed icon files that unless you have "show known file extensions enabled", will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/d...is/1457449790/
** https://www.virustotal.com/en/file/4...is/1457449826/
1] https://malwr.com/analysis/YTUyNTRlY...RkYWM5ZjIwN2M/
Hosts
83.137.194.70
212.47.223.19
192.121.16.196
89.108.85.163
2] https://malwr.com/analysis/YWU4ZTZmN...ZlZTFiYmI5NTY/
Hosts
83.137.194.70
212.47.223.19
151.236.14.51
*** https://www.virustotal.com/en/file/d...is/1457450528/
TCP connections
37.235.53.18: https://www.virustotal.com/en/ip-add...8/information/
:fear::fear: :mad:
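The dynamoo quotes above end each report with a "Recommended blocklist" and a "phone home to the following IPs" list, written in the same loose format every time (one address per line, sometimes with the netblock owner in brackets). The script below is an added example, not code from either blog: it parses that format, merges overlapping lists from several reports, drops anything that is not a routable public IPv4 address (so a pasted typo or an internal address cannot black-hole your own traffic), and renders iptables DROP rules. The SAMPLE text is copied from the 8 Mar 2016 dynamoo report above plus two deliberately bad lines marked as constructed; the OUTPUT chain and the default comment text are assumptions.

```python
"""Consolidate 'Recommended blocklist' / C2 lines from several reports.

Added example, not code from the dynamoo or myonlinesecurity posts quoted
in this thread. It parses the line formats those posts use and produces
one deduplicated, validated list plus firewall rules. SAMPLE is copied
from the quoted 8 Mar 2016 report, with two constructed bad entries.
"""
import ipaddress
import re
from typing import Dict, List

SAMPLE = """\
Those same reports indicate the malware attempts to phone home to the following IPs:
89.108.85.163 (Agava Ltd, Russia)
151.236.14.51 (EDIS, Netherlands)
149.154.157.14 (EDIS, Italy)
37.235.53.18 (EDIS, Spain)
192.121.16.196 (EDIS, Sweden)
Recommended blocklist:
89.108.85.163
151.236.14.51
149.154.157.14
37.235.53.18
192.121.16.196
10.0.0.1 (constructed bad entry: private range, must be dropped)
999.1.1.1 (constructed bad entry: not an address)
"""

# "<dotted quad>" optionally followed by "(owner, country)"
LINE_RE = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s*(?:\((.*?)\))?\s*$")


def parse_blocklist(text: str) -> Dict[str, str]:
    """Map each routable IPv4 address to its annotation ('' if none).

    Private, loopback, link-local and malformed entries are skipped so a
    pasted typo cannot black-hole internal traffic."""
    out: Dict[str, str] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        try:
            ip = ipaddress.IPv4Address(m.group(1))
        except ValueError:  # e.g. 999.1.1.1
            continue
        if not ip.is_global:  # RFC 1918, loopback, link-local, etc.
            continue
        note = (m.group(2) or "").strip()
        # Keep the first annotation seen; a later bare copy adds nothing.
        if str(ip) not in out or (note and not out[str(ip)]):
            out[str(ip)] = note
    return out


def iptables_rules(entries: Dict[str, str], chain: str = "OUTPUT") -> List[str]:
    """Render one DROP rule per address, sorted numerically, carrying the
    report's annotation as a rule comment (iptables -m comment)."""
    rules = []
    for ip in sorted(entries, key=ipaddress.IPv4Address):
        note = entries[ip] or "malspam C2 (reported 2016-03)"  # assumed default
        rules.append(f'iptables -A {chain} -d {ip} -m comment '
                     f'--comment "{note[:250]}" -j DROP')
    return rules


if __name__ == "__main__":
    print("\n".join(iptables_rules(parse_blocklist(SAMPLE))))
```

Paste several reports into one text and the duplicates collapse automatically; the sort by IPv4Address (rather than by string) keeps the rule set readable when you diff two runs.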
-
Fake 'Invoice#', 'DOC', 'Voice msg', 'Invoice 2016', 'from Admin' SPAM, AMEX Phish
FYI...
Fake 'Invoice#' SPAM - JS malware leads to Teslacrypt
- http://myonlinesecurity.co.uk/invoic...pt-ransomware/
9 Mar 2016 - "An email with the subject of 'Invoice #96187656 for your Order' [random numbered] pretending to come from Finance Information (random email addresses) with a zip attachment is another one from the current bot runs which downloads Teslacrypt ransomware... The email looks like:
From: Finance Information <root@ free-dreams .nl>
Date: Wed 09/03/2016 07:23
Subject: Invoice #96187656 for your Order
Attachment: invoice_SCAN_yzGbVV.zip
Good day, dear client!
We have recently shipped your parcel at you region post office.
You can find the file bill of your shipment in the attachment. Make sure to check.
Take care.
Order/Invoice number:
96187656
Order/Invoice date:
09.03.2016
Accounts Department
Wavenet Group
Incorporating – Titan Technology, Centralcom and S1 Network Services ...
9 March 2016: invoice_SCAN_yzGbVV.zip: Extracts to: invoice_SCAN_yzGbVV.js - Current Virus total detections 8/57*
MALWR** shows a download of Teslacrypt from http ://howareyouqq .com/25.exe?1 (VirusTotal ***)
NOTE: this also tries to download http ://google .com/25.exe?1 which does not exist and I can only assume that the bad actors have made a mistake in their coding and were probably trying to use the well known open redirect security hole in Google search and other google products... This is another one of the spoofed icon files that unless you have "show known file extensions enabled", will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/6...is/1457508873/
** https://malwr.com/analysis/NmU4NjllZ...E3MTBlYWZmYzU/
Hosts
185.118.142.154
216.58.219.14
*** https://www.virustotal.com/en/file/2...is/1457503315/
TCP connections
50.87.28.241: https://www.virustotal.com/en/ip-add...1/information/
>> https://www.virustotal.com/en/url/42...f038/analysis/
___
Fake 'DOC' SPAM - malicious attachment
- http://blog.dynamoo.com/2016/03/malw...008-idris.html
9 Mar 2016 - "This terse spam has a malicious attachment. There is -no- body text.
From: Idris Mohammed [idrismohammed25@ gmail .com]
Date: 9 March 2016 at 09:55
Subject: DOC-Z21193008
Attached is a file img-DOC-Z21193008.docm which I have seen two versions of (VirusTotal results [1] [2]). Automated analysis [3] [4].. shows the macro in these two documents downloading from:
gpcarshop .com.br/system/logs/07yhnt7r64.exe
karnavalnye .com/system/logs/07yhnt7r64.exe
There are no doubt several -other- download locations. This binary has a detection rate of 3/56*. The various reports indicate that it phones home to a server at:
64.76.19.251 (Impsat, Argentina)
I strongly recommend that you -block- traffic to that IP. Payload is likely to be the Dridex banking trojan."
1] https://www.virustotal.com/en/file/7...is/1457517657/
2] https://www.virustotal.com/en/file/e...is/1457517660/
3] https://malwr.com/analysis/MmEwMTc4N...EzNmQ0NjVhMDk/
4] https://malwr.com/analysis/Y2Y4ZTQzO...gyZTExN2U4ODE/
* https://www.virustotal.com/en/file/2...is/1457518357/
TCP connections
64.76.19.251
8.253.82.126
- http://myonlinesecurity.co.uk/doc-z2...ads-to-dridex/
9 Mar 2016 - "An email with the subject of 'DOC-Z21193008' pretending to come from Idris Mohammed <idrismohammed29@ gmail .com> (random numbers after idrismohammed) with a malicious word doc attachment is another one from the current bot runs... The email looks like:
From: Idris Mohammed <idrismohammed29@ gmail .com>
Date: Wed 09/03/2016 09:54
Subject: DOC-Z21193008
Attachment: img-DOC-Z21193008.docm
Body content: completely blank
9 March 2016: img-DOC-Z21193008.docm - Current Virus total detections 4/56*
.. MALWR shows a download of Dridex banking Trojan from
http ://karnavalnye .com/system/logs/07yhnt7r64.exe (VirusTotal 3/56**)...
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/9...is/1457518626/
** https://www.virustotal.com/en/file/2...is/1457518357/
TCP connections
64.76.19.251
8.253.82.126
___
Fake 'Voice msg' SPAM - JS malware leads to Dridex
- http://myonlinesecurity.co.uk/voice-...ads-to-dridex/
9 Mar 2016 - "An email with the subject of 'Voice Message Attached from +44163311902 – name unavailable' [random numbered] pretending to come from voicemail <voicemail@ inclarity .net> with a zip attachment is another one from the current bot runs which downloads Dridex banking malware... The email looks like:
From: voicemail <voicemail@ inclarity .net>
Date:
Subject: Voice Message Attached from +44163311902 – name unavailable
Attachment: 44163311902_20160309_91981473.wav.zip
Time: Wed, 09 Mar 2016 14:51:02 +0530
Click attachment to listen to Voice Message
9 March 2016: 44163311902_20160309_91981473.wav.zip: Extracts to: WED2970789413.js - Current Virustotal detections 3/56*
.. MALWR** shows a download of Dridex banking Trojan from http ://variant13 .ru/system/logs/07yhnt7r64.exe which is the -same- Dridex binary from THIS post***.. This is another one of the spoofed icon files that unless you have "show known file extensions enabled", will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/c...is/1457519130/
** https://malwr.com/analysis/NDQ4MDRkN...QyMDA3NWUyMjk/
Hosts
37.140.192.62
64.76.19.251
13.107.4.50
*** http://myonlinesecurity.co.uk/doc-z2...ads-to-dridex/
___
Fake 'Invoice 2016' SPAM - JS malware leads to Locky Ransomware
- http://myonlinesecurity.co.uk/fw-inv...ky-ransomware/
9 Mar 2016 - "An email saying 'Please find attached 2 invoices for processing' with the subject of 'FW: Invoice 2016-M#184605' [random numbered] coming from random names and email addresses with a zip attachment is another one from the current bot runs which downloads Locky Ransomware... The email looks like:
From: Ann Guerrero <GuerreroAnn36420@ ono .com>
Date: Wed 09/03/2016 10:38
Subject: FW: Invoice 2016-M#184605
Attachment: Payment_2016_March_184605.zip
Dear vbygry,
Please find attached 2 invoices for processing.
Yours sincerely,
Ann Guerrero
Account Manager ...
5 March 2016: Payment_2016_March_184605.zip: Extracts to -2- different files:
problem.974210026.js [VT*] see_it.001832901.js [VT**]:
.. MALWR [1] [2] -both- show a download of Locky Ransomware from
http ://planetarchery .com.au/system/logs/q32r45g54 (VirusTotal 5/57***)... This is another one of the spoofed icon files that unless you have "show known file extensions enabled", will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/6...is/1457523481/
** https://www.virustotal.com/en/file/d...is/1457523485/
1] https://malwr.com/analysis/OGE4YjllM...Q4OTVhYjExZWY/
Hosts
103.240.88.28
149.154.157.14
2] https://malwr.com/analysis/OTc5ZDBmM...IxZDVkYzViNzE/
Hosts
103.240.88.28
91.195.12.131
*** https://www.virustotal.com/en/file/a...is/1457524130/
TCP connections
149.154.157.14: https://www.virustotal.com/en/ip-add...4/information/
- http://blog.dynamoo.com/2016/03/malw...ttached-2.html
9 Mar 2016 - "These -fake- financial spam emails come from random sources with different names and reference numbers:
From: Melisa Keller
Date: 9 March 2016 at 12:08
Subject: FW: Invoice 2016-M#111812
Dear server,
Please find attached 2 invoices for processing.
Yours sincerely,
Melisa Keller
Financial Manager ...
Attached is a file with a name similar to Payment_2016_March_111812.zip which contains -two- scripts, which in the samples I have seen all start with "see_it" or "problem". These malicious scripts all have low detection rates... there may be other download locations. The Malwr reports indicate that the malware phones home to:
78.40.108.39 (PS Internet Company LLC, Kazakhstan)
149.154.157.14 (EDIS, Italy)
The payload is the Locky ransomware.
UPDATE: I received the following information from another source (thank you)...
Additional C2s:
91.195.12.131 (PE Astakhov Pavel Viktorovich, Ukraine)
151.236.14.51 (EDIS, Netherlands)
37.235.53.18 (EDIS, Spain)
Recommended blocklist:
78.40.108.39
149.154.157.14
91.195.12.131
151.236.14.51
37.235.53.18 "
___
Fake 'from Admin' SPAM - JS malware leads to ransomware
- http://myonlinesecurity.co.uk/random...to-ransomware/
9 Mar 2016 - "An email with the subject of 'DOC-AA25400B' [random numbered] pretending to come from -admin- <adm323@ victim_domain .tld> (the numbers after adm are random, and the domain is your own email domain) with a zip attachment is another one from the current bot runs which downloads Locky Ransomware... The email looks like:
From: admin <adm323@ victim_domain .tld>
Date: Wed 09/03/2016 12:05
Subject: DOC-AA25400B
Attachment: DOC-AA25400B.zip
Totally -blank- body content
9 March 2016: DOC-AA25400B.zip: Extracts to: JGK9027615101.js - Current Virus total detections 5/57*
.. MALWR** shows a download of Locky Ransomware from
http ://thietbianninhngocphuoc .com/system/logs/98yhb764d.exe (VirusTotal ***)... This is another one of the spoofed icon files that unless you have "show known file extensions enabled", will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/6...is/1457528965/
** https://malwr.com/analysis/ZWI1NzJlM...U0MmRkYzlhNmI/
Hosts
123.30.187.116: https://www.virustotal.com/en/ip-add...6/information/
>> https://www.virustotal.com/en/url/5b...f15c/analysis/
78.40.108.39
*** https://www.virustotal.com/en/file/f...is/1457528686/
TCP connections
78.40.108.39: https://www.virustotal.com/en/ip-add...9/information/
___
AMEX 'PSK' PHISH
- http://myonlinesecurity.co.uk/americ...-psk-phishing/
9 Mar 2016 - "... a mass run of phishing emails -spoofing- American Express saying 'Please create your Personal Security Key'. There are -3- sites so far discovered that attempt to perform this phishing attack
http ://americanexpressnew2016 .com/login
http ://americanexpressglobal .com/login
http ://axpoglobalverify .com/login
Currently all 3 sites fail to resolve from a UK IP address. They were all registered -yesterday- 8 March 2016 via Todaynic .com using Chinese details which I assume are false. The name servers associated with the domains are DNS1.NEWSITEDNS2 .RU and DNS2.NEWSITEDNS2 .RU
Edit: after a bit of digging around, it appears that the NEWSITEDNS2 .RU has previously been used for Amex and other bank phishing attacks. It is suggested that you -block- their IP numbers to prevent further and future problems:
155.94.169.106 VirusTotal*
104.168.62.233 VirusTotal**
50.2.26.16 VirusTotal***
148.163.173.227
192.210.203.49
Either the DNS has not propagated yet worldwide or the DNS service has pulled the domains. My gut feeling is that the bots have sent the emails too early before the sites were live. The date & time on the emails say Wed 30/09/2015 13:32. I received about -50- copies of these between 03.20 and 03.30 UTC. Be aware and watch out for when these do go live, probably later today...
Screenshot: http://myonlinesecurity.co.uk/wp-con...g-1024x558.png "
* https://www.virustotal.com/en/ip-add...6/information/
** https://www.virustotal.com/en/ip-add...3/information/
*** https://www.virustotal.com/en/ip-add...6/information/
___
Some Tips for Preventing Ransomware
- https://isc.sans.edu/diary.html?storyid=20821
Last Updated: 2016-03-09 - "... 'get asked a lot by clients is "how can I prepare/prevent an infection?"
'Prepare' is a good word in this case, it encompasses both prevention and setting up processes for dealing with the infection that will inevitably happen in spite of those preventative processes. Plus it's the first step in the Preparation / Identification / Containment / Eradication / Restore Service / Lessons Learned Incident Handling process (see SANS SEC 504*..)
* https://www.sans.org/course/hacker-t...ident-handling
... best advice is - look at how the infection happens, and make this as difficult as possible for the attacker, the same as you would try to prevent any malware. Most malware these days outsources the delivery mechanism - so Cryptowall is typically delivered by an exploit "kit". These days, that typically means the Angler, Rig, or maybe Nuclear exploit kits (Angler being the most prevalent at the moment). These kits aren't magic, they generally try to exploit -old- versions of Java, Flash, Silverlight or take advantage of -missing- Windows updates... When patches come out, the authors of these kits reverse-the-patches and bolt the exploits into their kit..."
(More detail at the isc-diary URL at the top of this post.)
:fear::fear: :mad:
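Nearly every report in this post follows the same shape: a .zip "extracts to" one or two .js files whose icon looks like a document, and the script pulls the real payload from a URL. A mail gateway or analyst can catch that shape without running anything. The script below is an added example (not code from myonlinesecurity or dynamoo): it opens a zip attachment in memory, flags members with script or executable extensions, flags outer names with a media/document double extension such as the .wav.zip above, and pulls plain URL literals out of flagged members for blocking. The archive and the JS text inside it are constructed here; the member names mirror the 'Invoice 2016' report, and the host malware-host.invalid is a placeholder, not a real download site.

```python
"""Triage a zip e-mail attachment without executing anything in it.

Added example, not code from the blogs quoted in this thread. The sample
archive is built in memory: member names mirror the 'Invoice 2016'
report above, the JS body is a made-up stand-in (no real downloader).
"""
import io
import re
import zipfile

# Extensions Windows will run on double-click; a 'scanned document'
# archive has no business containing them.
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta",
               ".exe", ".scr", ".pif", ".cmd", ".bat", ".ps1"}

# Outer names like 44163311902_20160309_91981473.wav.zip pretend to be
# media or paperwork; the inner file is what actually runs.
DOC_LIKE_OUTER = re.compile(r"\.(wav|mp3|pdf|doc|docx|xls|xlsx)\.zip$", re.I)
URL_RE = re.compile(rb"https?://[A-Za-z0-9.\-]+(?::\d+)?/[^\s\"'<>]*")
NOTE_DOUBLE_EXT = "document/media-looking double extension"


def build_sample_zip() -> bytes:
    """Constructed sample: two JS members, like Payment_2016_March_184605.zip."""
    js = b'var u = "http://malware-host.invalid/payload"; // constructed\n'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("problem.974210026.js", js)
        zf.writestr("see_it.001832901.js", js)
    return buf.getvalue()


def triage_zip(name: str, data: bytes) -> dict:
    """Return findings for one attachment: flagged members and any URL
    literals found in them. Only plain strings are recovered; an
    obfuscated script hides its URL, so an empty list is not a clean bill
    of health, the script extension alone is enough to quarantine."""
    findings = {"attachment": name, "suspicious": False,
                "script_members": [], "urls": [], "notes": []}
    if DOC_LIKE_OUTER.search(name):
        findings["notes"].append(NOTE_DOUBLE_EXT)
        findings["suspicious"] = True
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            fname = info.filename
            ext = ("." + fname.rsplit(".", 1)[-1].lower()) if "." in fname else ""
            if ext not in SCRIPT_EXTS:
                continue
            findings["script_members"].append(fname)
            findings["suspicious"] = True
            # Read at most 1 MB per member so a zip bomb cannot exhaust memory.
            body = zf.open(info).read(1_000_000)
            for m in URL_RE.findall(body):
                url = m.decode("ascii", "replace")
                if url not in findings["urls"]:
                    findings["urls"].append(url)
    return findings


if __name__ == "__main__":
    print(triage_zip("Payment_2016_March_184605.zip", build_sample_zip()))
```

The same check applies to every "extracts to ... .js" report in this thread; feed it the raw attachment bytes from your quarantine and act on `suspicious` rather than on the icon the user sees.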
-
Fake 'random invoice', 'Attached File', 'Unpaid Issue' SPAM
FYI...
Fake 'random invoice' SPAM - doc macro leads to unknown malware
- http://myonlinesecurity.co.uk/random...known-malware/
10 Mar 2016 - "An email with random invoice or bill subjects coming from random names and email addresses with a malicious word doc attachment is another one from the current bot runs... A high proportion of these are -not- getting caught by the spam or content filters because they pass SPF & DKIM authentication checks. These have a load of different subjects that include:
Re: Important Notice About Created Invoice
Urgent Notification About New Bill
Re: Last Notice About Paid Bill
Fwd: Important Message About Unpaid Invoice
Fwd: Urgent Notice About Paid Bill
Last Notification About Created Bill
Fw: Last Message About Last Bill
Fwd: Urgent Message About New Invoice
Re: Urgent Message About Created Invoice
Fw: Last Notification About Unpaid Invoice
The email looks like:
From: Reece Solis <acc@ hai-van .com>
Date: Thu 10/03/2016 04:58
Subject: Re: Important Notice About Created Invoice
Attachment: 4KEEY46Y.doc
Pls review the report attached.
Reece Solis
-or-
check the invoice attached.
Stuart Sweet
-or
see the report in attachment.
Odysseus Mcmillan
10 March 2016: 4KEEY46Y.doc - Current Virus total detections: [1] [2]..
.. MALWR [3] [4] show downloads from http ://hoosierpattern .com/a1.jpg?Df1iQh0PABlsu=38 which is a jpg that contains embedded malware that is extracted via the macro & a dropped vbs file to give 339.exe (VirusTotal 4/57*)...
Update: I am reliably informed that this is Dridex banking Trojan and an alternative download location is http ://darrallmacqueen .com/b2.jpg?JzKE5CmWJZnG=
... The jpg it downloads looks like this (screenshot to avoid risks):
> http://myonlinesecurity.co.uk/wp-con...03/hoosier.png
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
1] https://www.virustotal.com/en/file/5...is/1457590567/
2] https://www.virustotal.com/en/file/4...is/1457586170/
3] https://malwr.com/analysis/YTRjY2M1Z...ZkNzc0YjAzMDY/
Hosts
172.231.69.95
216.194.172.222: https://www.virustotal.com/en/ip-add...2/information/
>> https://www.virustotal.com/en/url/ed...43b9/analysis/
4] https://malwr.com/analysis/MTAxMzFhY...AxMjdkYmZkOGE/
Hosts
172.231.69.95
216.194.172.222
* https://www.virustotal.com/en/file/9...is/1457591438/
5] https://www.reverse.it/sample/93747b...nvironmentId=1
6] https://www.reverse.it/sample/93747b...nvironmentId=4
- http://blog.dynamoo.com/2016/03/malw...ut-unpaid.html
10 Mar 2016 - "... examples can be seen here*...
* http://myonlinesecurity.co.uk/random...known-malware/
... the only mitigating step I can think of is to -block- traffic to darrallmacqueen .com which should stop the files downloading."
darrallmacqueen .com: 185.9.51.4: https://www.virustotal.com/en/ip-add...4/information/
hoosierpattern .com: 216.194.172.222: https://www.virustotal.com/en/ip-add...2/information/
>> https://www.virustotal.com/en/url/ed...43b9/analysis/
___
Fake 'Attached File' SPAM - JS malware leads to Locky Ransomware
- http://myonlinesecurity.co.uk/attach...ads-to-dridex/
10 Mar 2016 - "An email with the subject of 'Attached File / Attached Doc / Attached Document' pretending to come from a scanner or printer at your own domain with a zip attachment is another one from the current bot runs which downloads what looks like Dridex banking Trojan - EDIT: it is LOCKY ransomware not Dridex... The attachment name is created from the recipient's email address and 2 sets of random numbers. So far I have seen these sent from:
epson@ victimdomain .tld
canon@ victimdomain .tld
xerox@ victimdomain .tld
copier@ victimdomain .tld
scanner@ victimdomain .tld
The email looks like:
From: epson@ victimdomain .tld
Date: Thu 10/03/2016 07:11
Subject: Attached File / Attached Doc / Attached Document
Attachment: xerox.994@ thespykiller .co.uk_385010_151064713.zip
Body content: totally -empty- blank body
10 March 2016: xerox.994@thespykiller.co.uk_385010_151064713.zip: Extracts to: IIE1525816908.js
Current Virus total detections 5/57*
.. MALWR** shows a download of what looks like Dridex banking Trojan from http ://buyfuntees .com/system/logs/7t6f65g.exe (VirusTotal 5/56***) Update: it is Locky ransomware not Dridex. Dynamoo's blog [4] has these additional download locations:
behrozan .ir/system/logs/7t6f65g.exe
fashion-boutique .com.ua/system/logs/7t6f65g.exe
fortyseven .com.ar/system/logs/7t6f65g.exe (VirusTotal 1/56[5])
iwear .md/system/logs/7t6f65g.exe
lady-idol.6te .net/system/logs/7t6f65g.exe
ncrweb .in/system/logs/7t6f65g.exe
xn--b1afonddk2l .xn--p1ai/system/logs/7t6f65g.exe ..."
* https://www.virustotal.com/en/file/5...is/1457597941/
** https://malwr.com/analysis/OWE0MTIyM...FkMzA2MzIwMzk/
Hosts
67.225.233.214
91.219.30.254
*** https://www.virustotal.com/en/file/8...is/1457598134/
TCP connections
91.234.33.149: https://www.virustotal.com/en/ip-add...9/information/
4] http://blog.dynamoo.com/2016/03/malw...ched-file.html
10 Mar 2016 - "This spam has a malicious attachment. It appears to come from within the sender's own-domain. There is no-body-text.
From: canon@ victimdomain .tld
Date: 10 March 2016 at 09:02
Subject: Attached File
... Sender is canon or copier or epson or scanner or xerox at the victim's domain.
Recommended blocklist:
31.184.196.78
78.40.108.39
91.219.30.254
91.234.33.149 "
5] https://www.virustotal.com/en/file/6...is/1457604744/
TCP connections
31.184.196.78: https://www.virustotal.com/en/ip-add...8/information/
___
Fake 'Unpaid Issue' SPAM - JS malware leads to Teslacrypt
- http://myonlinesecurity.co.uk/greenl...to-teslacrypt/
10 Mar 2016 - "An email with the subject of 'GreenLand Consulting Unpaid Issue No. 14599' [random numbered] pretending to come from random names and email addresses with a zip attachment is another one from the current bot runs which downloads Teslacrypt... The email looks like:
From: Goldie dawson <dawsonGoldie888@ lamelba .fr>
Date: Thu 10/03/2016 13:28
Subject: GreenLand Consulting Unpaid Issue No. 14599
Attachment: Invoice_ref-99527554.zip
Dear Client!
For the third time we are reminding you about your unpaid debt.
You used to ask for our advisory services in July 2015, the receipt issued to you was recognized in our database with No. 14599. But it has never been paid off.
We enclose the detailed bill for your recollection and sincerely hope that you will act nobly and responsibly.
Otherwise we will have to start a legal action against you.
Respectfully,
Goldie dawson
Chief Accountant ...
10 March 2016: Invoice_ref-99527554.zip: Extracts to: invoice_copy_AczFAX.js - Current Virus total detections 3/57*
.. MALWR** shows a download of Teslacrypt from http ://hellomississmithqq .com/69.exe?1 (VirusTotal ***)
.. This is another one of the spoofed icon files that unless you have "show known file extensions enabled", will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/3...is/1457616298/
** https://malwr.com/analysis/ZDAyODliN...MxYjM5ZGU5YjQ/
Hosts
185.118.142.154
149.154.157.14
91.195.12.131
151.236.14.51
37.235.53.18
78.40.108.39
*** https://www.virustotal.com/en/file/1...is/1457617418/
- http://blog.dynamoo.com/2016/03/malw...onsulting.html
10 Mar 2016 - "This -fake- financial spam comes with a malicious attachment:
From: Jennie bowles
Date: 10 March 2016 at 12:27
Subject: GreenLand Consulting – Unpaid Issue No. 58833
Dear Client!
For the third time we are reminding you about your unpaid debt.
You used to ask for our advisory services in July 2015, the receipt issued to you was recognized in our database with No. 58833. But it has never been paid off.
We enclose the detailed bill for your recollection and sincerely hope that you will act nobly and responsibly.
Otherwise we will have to start a legal action against you.
Respectfully,
Jennie bowles
Chief Accountant ...
... scripts attempt to download a malicious binary... Recommended blocklist:
142.25.97.48
185.118.142.154
78.135.108.94
74.117.183.252
91.243.75.135
91.195.12.131
149.154.157.14
151.236.14.51
37.235.53.18
78.40.108.39
178.162.214.146 "
:fear::fear::mad:
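The 'Attached File' run above is worth a dedicated rule because it forges a sender at the victim's own domain (epson, canon, xerox, copier, scanner), sends an empty body, and names the zip after the recipient's address plus two number blocks. The first report in this post makes the opposite point: SPF and DKIM passing is not a clean signal either, so a rule should combine authentication results with the message shape. The script below is an added example, not code from either blog. It assumes the inbound gateway stamps an Authentication-Results header (RFC 8601) and that OUR_DOMAIN is the protected organisation's domain; SAMPLE_EML is a constructed message built to match the report, with an empty zip as the attachment body.

```python
"""Flag mail that claims to come from a scanner at our own domain but did
not pass our own authentication checks, and matches the reported shape.

Added example, not code from the posts quoted in this thread. Assumptions:
OUR_DOMAIN is the protected organisation's domain; the inbound gateway
writes an Authentication-Results header (RFC 8601). SAMPLE_EML is
constructed to look like the 'Attached File' report.
"""
import email
import re
from email import policy
from email.utils import parseaddr

OUR_DOMAIN = "example.com"  # assumption: the protected organisation
SCANNER_LOCALS = {"epson", "canon", "xerox", "copier", "scanner"}

# <recipient address>_<digits>_<digits>.zip, the naming the report describes
SCANNER_ATTACH_RE = re.compile(
    r"^[\w.+-]+@[\w.-]+\.[a-z]{2,}_\d+_\d+\.zip$", re.I)

R_AUTH = "our domain claimed, but neither SPF nor DKIM passed"
R_BODY = "empty body"
R_ATTACH = "attachment named after the recipient address"

# Constructed message; the base64 is an empty zip (end-of-central-directory only).
SAMPLE_EML = """\
From: xerox@example.com
To: ellie@example.com
Subject: Attached File
Date: Thu, 10 Mar 2016 07:11:00 +0000
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com; dkim=none
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

--b1
Content-Type: application/zip; name="ellie@example.com_385010_151064713.zip"
Content-Disposition: attachment; filename="ellie@example.com_385010_151064713.zip"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAAAA==
--b1--
"""


def auth_results(msg) -> dict:
    """Pick the spf/dkim/dmarc verdicts out of Authentication-Results."""
    hdr = str(msg.get("Authentication-Results", ""))
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", hdr, re.I))


def score_message(raw: str) -> list:
    """Return the reasons this message looks like the spoofed-scanner
    malspam; an empty list means no rule fired."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []

    _, addr = parseaddr(str(msg.get("From", "")))
    local, _, domain = addr.lower().rpartition("@")
    auth = auth_results(msg)
    # A real device on our network relays through our own servers, so the
    # gateway would have recorded spf=pass or dkim=pass for our domain.
    if domain == OUR_DOMAIN and "pass" not in (auth.get("spf"), auth.get("dkim")):
        reasons.append(R_AUTH)
    if local in SCANNER_LOCALS:
        reasons.append(f"device-style sender name ({local})")

    body = msg.get_body(preferencelist=("plain", "html"))
    if body is None or not body.get_content().strip():
        reasons.append(R_BODY)

    for part in msg.iter_attachments():
        if SCANNER_ATTACH_RE.match(part.get_filename() or ""):
            reasons.append(R_ATTACH)
    return reasons


if __name__ == "__main__":
    for reason in score_message(SAMPLE_EML):
        print("-", reason)
```

Two or more reasons together is a strong quarantine signal; the authentication rule alone is deliberately weak, because the 'random invoice' run in this same post shows the bots passing SPF and DKIM from domains they control.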